break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 76; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 58 ? 4000 : 0) + (call == 66 ? 200 : 0) + (call == 68 ? 3000 : 0) + (call == 69 ? 3000 : 0) + (call == 70 ? 300 : 0) + (call == 71 ? 300 : 0) + (call == 72 ? 300 : 0) + (call == 73 ? 3000 : 0) + (call == 74 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[47] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: inject_fault(1); res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/0, /*ring_ptr=*/0); if (res != -1) r[0] = res; break; case 1: memcpy((void*)0x200000000000, "threaded\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000000ul, /*len=*/9ul); break; case 2: *(uint64_t*)0x200000000040 = -1; *(uint64_t*)0x200000000048 = 0; syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); for (int i = 0; i < 4; i++) { syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); } break; case 3: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xf503, /*arg=*/0ul); break; case 4: memcpy((void*)0x2000000000c0, "/dev/bsg/2:0:0:0\000", 17); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul, /*flags=FASYNC*/0x2000, /*mode=*/0); if (res != -1) r[1] = res; break; case 5: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x9360, /*arg=*/0x76ul); break; case 6: syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x111, /*optname=*/2, /*optval=*/0, /*optlen=*/4ul); break; case 7: *(uint32_t*)0x200000000240 = 6; *(uint32_t*)0x200000000244 = 0xa; *(uint64_t*)0x200000000248 = 0x2000000001c0; *(uint64_t*)0x2000000001c0 = 0xfffffffffffffff7; *(uint64_t*)0x2000000001c8 = 4; *(uint32_t*)0x2000000001d0 = 7; *(uint32_t*)0x2000000001d4 = 1; *(uint64_t*)0x2000000001d8 = 0x200000000100; *(uint32_t*)0x200000000100 = 4; *(uint32_t*)0x2000000001e0 = 0xd8d; *(uint32_t*)0x2000000001e4 = 0x40; *(uint32_t*)0x2000000001e8 = 0x42; *(uint64_t*)0x2000000001ec = 0x200000000140; memcpy((void*)0x200000000140, "\x39\x70\x15\x49\x5b\x43\x3e\x06\x2b\x4e\xf5\x49\xb0\x56\xc6\x05\x30\x06\x14\x82\x48\xbe\xe9\x34\xbd\x6a\x20\x8a\x2a\x61\xc7\x9f\x4a\x49\x35\x7e\x53\x65\x38\xe0\x86\x95\x7c\x37\x7e\xd1\xf5\xa6\x46\xb7\x40\x17\xe3\x05\x84\x21\x44\x81\x2e\x9b\xba\x29\x01\xbf\x44\x11", 66); *(uint32_t*)0x2000000001f4 = 9; *(uint32_t*)0x2000000001f8 = 1; *(uint64_t*)0x200000000250 = 0x200000000200; *(uint32_t*)0x200000000258 = 0x3c; *(uint32_t*)0x20000000025c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000240ul); break; case 8: *(uint32_t*)0x2000000003c0 = 6; *(uint32_t*)0x2000000003c4 = 0xa; *(uint64_t*)0x2000000003c8 = 0x200000000340; *(uint64_t*)0x200000000340 = 3; *(uint64_t*)0x200000000348 = 0x72; *(uint32_t*)0x200000000350 = 0x23; *(uint32_t*)0x200000000354 = 8; *(uint64_t*)0x200000000358 = 0x200000000280; *(uint32_t*)0x200000000280 = 0x107c; *(uint32_t*)0x200000000284 = 0x10001; *(uint32_t*)0x200000000288 = 7; *(uint32_t*)0x20000000028c = 0x5e; *(uint32_t*)0x200000000290 = 0x50; *(uint32_t*)0x200000000294 = 5; *(uint32_t*)0x200000000298 = 4; *(uint32_t*)0x20000000029c = 1; *(uint32_t*)0x200000000360 = 0x80000000; *(uint32_t*)0x200000000364 = 0x4000000; *(uint32_t*)0x200000000368 = 0x7b; *(uint64_t*)0x20000000036c = 0x2000000002c0; memcpy((void*)0x2000000002c0, "\x31\x8d\x74\xc3\x26\xf1\xd0\xa1\xdd\xbd\xe1\xb5\x12\x64\xef\x98\xbf\xda\x4f\xb6\x9c\x29\xe7\xe2\x6f\x55\xd0\x0a\xa6\xbd\x24\x97\xe2\x3c\x84\x95\xbb\xc9\x44\x03\xa7\xcb\xa7\x51\x20\xbc\xaa\x83\x2d\xd5\x3a\xee\x8e\xa1\xa6\x6a\x79\xdb\xba\xf3\xf0\xe2\x32\x10\xa9\x00\x05\x9d\xf2\xdd\xac\xa7\x12\x5b\xd9\x0e\xb9\x1f\xa2\xc9\xc8\x10\x9e\xb6\x25\x52\xe9\x0a\x21\x9e\xf9\x66\xdc\xaa\x59\x4c\x33\xa1\xe6\x23\xbc\x0d\x18\xfe\x1d\xb9\x7c\x9e\xb7\xbe\xab\x52\xef\x03\xc2\x1b\xf7\xe6\x14\x49\x52\x66\x87", 123); *(uint32_t*)0x200000000374 = 0x10; *(uint32_t*)0x200000000378 = 0x80000000; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint32_t*)0x2000000003d8 = 0x3c; *(uint32_t*)0x2000000003dc = 0xc; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x2000000003c0ul); if (res != -1) r[2] = *(uint64_t*)0x200000000380; break; case 9: *(uint32_t*)0x200000000500 = 0xf; *(uint32_t*)0x200000000504 = 7; *(uint64_t*)0x200000000508 = 0x200000000480; *(uint64_t*)0x200000000480 = r[2]; *(uint32_t*)0x200000000488 = 0x77; *(uint64_t*)0x20000000048c = 0x200000000400; memcpy((void*)0x200000000400, "\x8e\x46\x8e\x19\xaa\xb0\x47\xd4\xe0\x0e\x0e\xd7\xfa\xe1\x83\x0e\x8e\xaa\x0f\x74\xbf\x5f\x1a\x07\x1c\x66\xa6\xcd\x46\x19\x7d\x7c\x22\xaa\x47\x14\x7d\x72\x3b\xee\x80\x23\x8f\xd9\xe2\x75\xb5\xc9\xac\x9c\x89\x79\xf6\xfc\xbd\x06\x8a\xcc\x94\x69\xf5\x61\xdb\x80\x6a\x72\x0d\x53\xb1\xdc\x48\x32\x0b\x36\x5b\xad\x54\xf0\x4e\x1a\xcd\x0a\xd4\x08\x62\x61\x8d\x0e\x89\x53\xcd\x02\x02\x16\x9e\x15\x49\x39\x2b\xb2\xed\xd0\x7d\x80\xfd\x37\xfc\xe2\xf6\xf8\x48\x01\x3f\x38\x38\x53\x95\x19\x06", 119); *(uint64_t*)0x200000000510 = 0x2000000004c0; *(uint32_t*)0x200000000518 = 0x14; *(uint32_t*)0x20000000051c = 4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 7, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 3, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memset((void*)0x200000000050, 255, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 9, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 3, 4, 12); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0, 0, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0x7ffe, 1, 15); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 4, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 6, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 1, 5); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 7, 1); *(uint8_t*)0x20000000005c = 8; *(uint8_t*)0x20000000005d = 2; *(uint8_t*)0x20000000005e = 0x11; *(uint8_t*)0x20000000005f = 0; *(uint8_t*)0x200000000060 = 0; *(uint8_t*)0x200000000061 = 1; *(uint8_t*)0x200000000062 = 8; *(uint8_t*)0x200000000063 = 2; *(uint8_t*)0x200000000064 = 0x11; *(uint8_t*)0x200000000065 = 0; *(uint8_t*)0x200000000066 = 0; *(uint8_t*)0x200000000067 = 1; *(uint16_t*)0x200000000068 = 0x70; memcpy((void*)0x20000000006a, "\x38\x74\x97\xa6\x98\x41\xa2\xe5\x28\xb4\xf2\x99\x12\xf3\xdd\x10\xb5\x0b\xa5\xa1\xe1\x70\xcc\x5b\x6d\x1c\x7a\x78\xf5\x7a\x5e\x0f\xcc\x9b\x2e\x9a\x5e\x87\xd2\x55\x16\x58\x0e\xa1\xf2\x23\xf1\x31\x7f\x86\xec\xc3\x91\x17\xcf\x0e\x53\x5c\x2e\x2b\xef\xcf\x11\xff\x81\x99\x9d\x1b\x87\xd9\xb1\x98\xc8\x03\xd7\x2a\xd7\x24\xe9\x4c\x78\x3c\xca\xc7\x76\x3a\xd3\x4e\x6f\x74\x91\xb3\x63\x7c\xe2\xf4\x66\x77\xa7\x61\x28\x73\xed\x0a\x3f\xb6\x4c\x0b\x3d\x78\x50\x3b", 112); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x9c); break; case 11: memcpy((void*)0x200000000100, "wlan1\000", 6); memset((void*)0x200000000140, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000100, /*ssid=*/0x200000000140, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000180, "bpf_lsm_path_link\000", 18); syz_btf_id_by_name(/*name=*/0x200000000180); break; case 13: memcpy((void*)0x2000000001c0, "\x49\x98\xde\x6d\x85\xea\x9e\x09\x84\x15\x17\xb6\x1c\xe2\x2a\x88", 16); memcpy((void*)0x200000000280, "\xb9\x66\x2d\x10\x0f\x99\xf4\xe9\x1d\x1d\xe2\xc9\x80\xce\x45\x99\x94\xb0\x46\xbf\xe0\x6b\x9a\x28\xc6\x0d\xea\x96\x80\xab\x4b\xcc\x3f\x5d\x33\x97\xa5\xa2\x51\xd7\xba\x76\x93\xb7\xeb\x37\x17\x7d\x03\x0a\x2b\x3f\xce\x8a\x23\x2e\x5b\x03\xf1\x0a\x94\x80\x52\xee\x90\x7f\xb3\x2f\x57\x5b\x23\x10\xfa\xe9\x91\x07\xf9\x5c\xca\xb7\x14\x72\x2f\x59\xec\xdb", 86); res = -1; res = syz_clone(/*flags=CLONE_NEWNET*/0x40000000, /*stack=*/0x2000000001c0, /*stack_len=*/0x10, /*parentid=*/0x200000000200, /*childtid=*/0x200000000240, /*tls=*/0x200000000280); if (res != -1) r[3] = res; break; case 14: memcpy((void*)0x200000000540, "./cgroup.net/syz1\000", 18); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000540ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000580 = 0x200; *(uint64_t*)0x200000000588 = 0x200000000300; *(uint64_t*)0x200000000590 = 0x200000000340; *(uint64_t*)0x200000000598 = 0x200000000380; *(uint32_t*)0x2000000005a0 = 0x22; *(uint64_t*)0x2000000005a8 = 0x2000000003c0; *(uint64_t*)0x2000000005b0 = 0xb3; *(uint64_t*)0x2000000005b8 = 0x200000000480; *(uint64_t*)0x2000000005c0 = 0x200000000500; *(uint32_t*)0x200000000500 = r[3]; *(uint64_t*)0x2000000005c8 = 1; *(uint32_t*)0x2000000005d0 = r[4]; res = -1; res = syz_clone3(/*args=*/0x200000000580, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000340; r[7] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000600, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000600); break; case 17: memset((void*)0x200000000640, 255, 6); memset((void*)0x200000000646, 170, 5); *(uint8_t*)0x20000000064b = 0xbb; *(uint16_t*)0x20000000064c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x20000000064e, 0, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x20000000064e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x20000000064e, 1, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x20000000064e, 1, 31, 1); *(uint8_t*)0x200000000652 = 0x13; *(uint8_t*)0x200000000653 = 0; *(uint8_t*)0x200000000654 = 0; *(uint8_t*)0x200000000655 = 0; memcpy((void*)0x200000000656, "\x52\xba\x74\xa6\x8e\xf0\x63\x72\x5a\x23\x3b\x95\x09\xb8\xfd\x57\xd5\x8e\xe2\x64\xc3\x7d\x44\xcd\x7c\x1e\x10\x75\xf8\x3d\x41\x72\x0f\x37\x4e\x7e\x3c\x9c\x01\xb8\x6b\xfd\xba\x90\x77\xa2\xc5\xbd\x2b\x73\xeb\x43\x87\x47\x64\xa2\x53\x16\xbd\x3b\x28\x36\x8a\x77", 64); *(uint32_t*)0x2000000006c0 = 1; *(uint32_t*)0x2000000006c4 = 1; *(uint32_t*)0x2000000006c8 = 0x193; *(uint32_t*)0x2000000006cc = 0x6b4; *(uint32_t*)0x2000000006d0 = 0xfe9; *(uint32_t*)0x2000000006d4 = 0x1fd; syz_emit_ethernet(/*len=*/0x56, /*packet=*/0x200000000640, /*frags=*/0x2000000006c0); break; case 18: syz_extract_tcp_res(/*res=*/0x200000000c00, /*seq_inc=*/1, /*ack_inc=*/5); break; case 19: *(uint32_t*)0x200000002fc0 = 0x8001; *(uint32_t*)0x200000002fc4 = 0xee00; *(uint32_t*)0x200000002fc8 = 0xee00; *(uint32_t*)0x200000002fcc = 0xdaf9; *(uint32_t*)0x200000002fd0 = 0xd56; *(uint32_t*)0x200000002fd4 = 6; *(uint16_t*)0x200000002fd8 = 7; *(uint64_t*)0x200000002fe0 = 0x200000002f40; *(uint8_t*)0x200000002f40 = 6; *(uint64_t*)0x200000002fe8 = 0x200000002f80; *(uint8_t*)0x200000002f80 = 8; *(uint64_t*)0x200000002ff0 = 9; *(uint64_t*)0x200000002ff8 = 3; *(uint64_t*)0x200000003000 = 6; *(uint64_t*)0x200000003008 = 7; *(uint64_t*)0x200000003010 = 0x101; *(uint16_t*)0x200000003018 = 9; *(uint16_t*)0x20000000301a = 3; *(uint16_t*)0x20000000301c = 7; *(uint32_t*)0x200000003020 = r[6]; *(uint32_t*)0x200000003024 = 0; res = syscall(__NR_msgctl, /*msqid=*/0xab1, /*cmd=*/0xbul, /*buf=*/0x200000002fc0ul); if (res != -1) r[8] = *(uint32_t*)0x200000002fc4; break; case 20: memcpy((void*)0x200000003040, "./file0\000", 8); *(uint64_t*)0x200000003080 = 0xfffffffffffffffb; *(uint64_t*)0x200000003088 = 2; *(uint64_t*)0x200000003090 = 1; *(uint32_t*)0x200000003098 = 7; *(uint32_t*)0x20000000309c = 0xee01; *(uint32_t*)0x2000000030a0 = -1; *(uint32_t*)0x2000000030a4 = 0; *(uint64_t*)0x2000000030a8 = 0x74ff; *(uint64_t*)0x2000000030b0 = 4; *(uint64_t*)0x2000000030b8 = 9; *(uint64_t*)0x2000000030c0 = 5; *(uint64_t*)0x2000000030c8 = 0xc50; *(uint64_t*)0x2000000030d0 = 3; *(uint64_t*)0x2000000030d8 = 0xd; *(uint64_t*)0x2000000030e0 = 5; *(uint64_t*)0x2000000030e8 = 0x1650; *(uint64_t*)0x2000000030f0 = 4; memset((void*)0x2000000030f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000003040ul, /*statbuf=*/0x200000003080ul); if (res != -1) r[9] = *(uint32_t*)0x2000000030a0; break; case 21: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000031c0ul); if (res != -1) r[10] = *(uint32_t*)0x2000000031d8; break; case 22: *(uint32_t*)0x200000003500 = 6; *(uint32_t*)0x200000003504 = 0xee01; *(uint32_t*)0x200000003508 = -1; *(uint32_t*)0x20000000350c = 0xe; *(uint32_t*)0x200000003510 = 0x101; *(uint32_t*)0x200000003514 = 0xf1; *(uint16_t*)0x200000003518 = 0x40; *(uint32_t*)0x20000000351c = 0x287c; *(uint64_t*)0x200000003520 = 0x6a1a; *(uint64_t*)0x200000003528 = 2; *(uint64_t*)0x200000003530 = 9; *(uint32_t*)0x200000003538 = r[3]; *(uint32_t*)0x20000000353c = r[6]; *(uint16_t*)0x200000003540 = 0; *(uint16_t*)0x200000003542 = 0; *(uint64_t*)0x200000003548 = 0x2000000033c0; memcpy((void*)0x2000000033c0, "\x05\x69\x76\xa5\x86\x33\x69\x6b\x63\x36\x7a\x4c\xb4\x88\xb1\x6c\xe8\x5e\x89\x94\x3e\x5f\x09\x28\xec\x40\xd6\xd8\x93\x80\x7f\xa6\xc4\x4c\x5d\x38\xda\xab\x11\x84\x33\xa7\xe8\xf1\xc4\x6e\x1f\x06\x0f\x28\x16\x5f\x41\xad\xb8\xe6\x79\xcd\x9e\x46\xac\x38\x47\x74\xe5\x6b\xca\x18\x80\xa6\x90\xfc\x3f\x8e\xd5\xf1\x24\xdd\x98\x46\x7a\x33\xbb\x40\xcf\x19\x1c\xfb\xb9\x59\x0f\x59\x17\x9b\xb6\x11\xcc\xe7\x89\x22\x59\x22\xa0\xef\x4f\x22\x86\xf8\x7f\x84\x72\x14\xfe\x25\x61\x8b\x98\x9a\x05\x01\xe7\xec\xa7\x17\x0a\x39\x13\xbc\x68\xb4\x53\x99\x66\xe2\x89\xff\x94\xac\x31\xe8\x82\x36\x68\xbd\x04\x99\xd0\x9b\x05\x5c\x41\x41\x0b\xa2\xf2\x10\x1a\xba\xf7\x15\x53\x99\xf9\x7e\xe9\x24\xe9\x27\x7e\x6f\x54\x81\x9f\x12\xfe\xf3\xc5\x76\x93\x78\xb3\x44\xb6\xff\x64\x09\xed\xc5\x78\xc6\xc9\x3a\xcc\xb0\xf0\x8a\x5d\x8f\xfc\xab\x30\xcd\xbd\x71\x3d\x1b\x93\xee\x7b\x8e\xef\xdf\x77\xea", 214); *(uint64_t*)0x200000003550 = 0x2000000034c0; memcpy((void*)0x2000000034c0, "\x02\x0c\x5a\x2a\xf3", 5); res = syscall(__NR_shmctl, /*shmid=*/0x81, /*cmd=*/2ul, /*buf=*/0x200000003500ul); if (res != -1) r[11] = *(uint32_t*)0x200000003504; break; case 23: *(uint32_t*)0x200000004640 = 0x35cdee94; *(uint32_t*)0x200000004644 = 0; *(uint32_t*)0x200000004648 = -1; *(uint32_t*)0x20000000464c = 3; *(uint32_t*)0x200000004650 = 6; *(uint32_t*)0x200000004654 = 2; *(uint16_t*)0x200000004658 = 0x80; *(uint32_t*)0x20000000465c = 3; *(uint64_t*)0x200000004660 = 8; *(uint64_t*)0x200000004668 = 0x7ff; *(uint64_t*)0x200000004670 = 1; *(uint32_t*)0x200000004678 = r[7]; *(uint32_t*)0x20000000467c = r[5]; *(uint16_t*)0x200000004680 = 9; *(uint16_t*)0x200000004682 = 0; *(uint64_t*)0x200000004688 = 0x200000003580; memcpy((void*)0x200000003580, "\xcd\x05\x2c\x20\x6f\x36\x8b\x4a\x7d\x16\xe2\x8c\xd3\x6b\x1e\xa6\xd1\x0d\xab\x70\x17\xb7\xd0\x85\xea\x27\xb3\xe3\x38\x9d\x76\x0d\x22\x77\xe2\x0f\xeb\xc6\x86\xf3\x59\xd6\x08\x3a\x62\x9e\x79\x81\x08\x9e\x04\x19\xc7\xb5\x62\xdb\xbd\xc2\xe6\x7c\x1e\x95\x10\x4a\x39\x05\x49\xc9\x37\x1a\x43\x45\xf2\xaa\x7d\x84\x58\x09\x4c\x60\x75\xb8\x4d\x11\x48\x6d\x27\xbf\x68\x23\x3b\xb4\x57\xeb\x10\x6b\xab\x49\xa3\xfa\xd2\x99\xb5\x90\x02\x5e\x4f\xb5\xe4\x3c\x71\x2a\xd8\x91\xf3\x91\x38\xbd\xb9\x22\xea\x9d\x21\xb7\xcf\xc7\xc3\x43\xf9\xa2\x14\x96\xc6\x69\x22\xca\xb8\xe6\x65\x35\x33\x7a\x89\xa7\x17\xc3\x54\xbf\x18\x46\xb5\x06\xc2\x34\xa3\x09\x3d\x72\x8c\x6b\xaf\x27\x2a\x6f\xa5\x15\x3d\xc0\x39\xf8\x7e\x0a\x36\x74\x4e\x1f\x80\xf2\xaa\xc0\x30\xe2\xf8\xae\x6a\x7d\xbc\xd3\xf1\x7b\xc6\x8a\xd0\xb6\x1c\xe3\x12\x12\xc4\x6e\xdd\x61\x5d\x57\x1b\x33\x8e\x22\xc0\xed\x5d\x26\xf7\xbb\x2f\x36\x5e\xcb\x2c\x43\x26\x47\xa7\xc6\xd7\x75\xb0\xe4\x1d\xb9\x28\xf9\xe7\xb2\xaf\x72\xd6\x90\xac\xf8\xb2\xad\x8c\x2e\x00\x05\x05\xb6\x95\x2c\x4a\xb9\xe2\xa8\xec\xd0\x7d\xe4\x4b\x2b\x48\xaf\x7b\x89\x46\x96\xae\x56\x7b\x6d\xd0\xa1\xf9\x9b\x00\x7a\x8f\xcf\x41\xdb\x20\x82\x7f\x58\x32\x5a\x9e\x88\x12\x35\x44\x25\xbd\xcc\x3f\x81\xf2\xd3\x86\x3d\x77\x77\xfd\x80\x36\x0e\xb8\xb9\xe7\x7e\x47\x05\x9a\x1d\x22\x65\x73\x3c\x4a\x8a\x06\x3b\x45\xed\x0b\x8c\x24\x81\xe1\xcd\xea\xfd\xdc\x5f\x42\xc9\x31\xb3\xd3\xe7\x10\xe4\x53\x8b\xba\xd8\x15\x47\x9c\xd9\xaf\xdc\x5c\xb4\x47\x23\x02\x6c\x4b\xc0\x06\xe2\x56\xf6\xf4\x27\x04\x2c\x67\x65\xa3\xb2\x53\xe9\x35\x6c\xa1\xce\x45\xd9\xd8\x3d\x5e\x11\x19\x28\xb4\x7a\x8a\xb8\x42\x2b\x37\xe8\xc3\x82\x43\x68\x62\xc9\x44\xe0\x8e\xbb\xad\xd1\xa3\x36\x86\x21\x9a\xb8\xcf\x99\x5c\x12\xa7\xab\x70\x85\xa7\x9a\x7d\x1e\xc3\xc6\xcd\x73\xa4\x43\xcf\xce\xac\xba\xca\x1d\x7f\xc0\xcf\x34\xd5\x8c\x92\x77\x88\x1f\x98\x37\x46\xff\x62\xfe\x41\xd0\xf4\xf7\xa1\x2f\xf4\x4f\x4b\xa5\xbf\x7d\x89\x35\xbf\x09\xa8\x8a\xd9\x8e\xa8\xa9\x12\x4d\xe1\x78\xc2\x8a\xcd\xf1\xba\x1a\x97\x34\xd6\xc2\x25\xda\x59\x1c\x22\x9d\x31\x3f\xcb\xda\x81\x0b\x0f\x10\x57\xb0\x73\x0a\x95\x72\xa8\x07\x75\x8d\xef\xb5\x79\xdb\x3a\xd0\x21\xac\x31\x6f\xb7\x44\xa1\x58\x2c\x16\x25\x6e\xa1\xc6\xbf\xa2\x6c\x73\xaf\x1e\x2b\x6c\x4b\x8e\x7e\xf3\x29\xe7\xca\xd7\xdb\x91\x79\x9d\xc0\x44\xae\xcc\xe5\xf0\x6e\x80\x3a\x4d\x85\xbc\xf5\xf4\x5d\xc0\x15\xd1\x3e\x3f\x2c\x18\x92\x09\x9e\xe6\x53\x77\x7c\xa5\xf6\xc9\x2e\x41\xf4\xe3\x0b\xa3\x0f\x83\x27\x03\xdf\x08\xa4\x16\x75\x2b\x83\x1b\x46\xc5\x65\x63\x82\x0f\xce\x5e\xd3\x42\x1e\x9b\x2e\xd0\xa1\x9c\x64\xe9\xb2\xbb\x80\x81\xea\x08\x25\x5f\xda\xd2\xf2\x35\xe7\xba\xc6\x8f\x94\x6b\x34\x27\xa4\x4a\x75\x8e\x78\xda\xdd\x8e\x42\xa9\x09\xa7\x78\x51\xbf\x66\xb0\x1e\x42\x7c\x2f\xed\x94\xff\xee\x1d\x65\xe2\x17\x53\xb3\x9b\xce\x8d\xaa\xc6\xd6\xf1\x16\x96\xe0\x03\xa5\xf3\xc2\x1b\xf9\xd1\xcb\xf4\xbd\xb8\xf3\xcf\x5a\xe5\x42\xfe\x7b\x25\x5f\xb5\xae\x7b\x18\x4f\xb5\x9d\xb7\x35\x50\xd2\x93\x25\x42\x77\xb4\xf9\x4a\x71\xc9\x3a\x90\x9b\xbb\xfa\xf3\xdf\x95\xc3\xe7\xc4\x17\x0f\xe8\xb9\x1f\x9e\xcb\x86\x73\xcb\x54\x92\x75\x0e\xdf\x45\xc7\x6a\x20\xd9\x4e\x21\xb0\xd3\x61\x4d\x3a\x99\xf7\xc9\xe3\x97\x8f\xaf\x09\xe0\x67\xf6\x49\x26\x20\x4c\xd0\x90\xa9\xf1\x15\xcb\xe7\xf7\x27\xf5\x80\x99\x76\xaa\xbd\x33\x7e\x8b\x2a\xee\x42\xa9\xbf\x68\xe2\xfc\xcd\x41\x52\xb3\xd9\x83\x11\x49\xd4\x0c\x75\x46\x9f\xd9\xb0\x3f\xe1\x86\x0d\xc1\x92\x0a\xc7\xd8\x69\xed\x88\xd4\x14\x8c\xb7\x46\xf5\xeb\x32\xa2\x76\x1e\xed\x44\x73\xc5\x43\x15\xd0\xd9\x10\x44\xb6\x2a\x14\x53\x7c\x82\x5c\x8c\xf5\x78\xfb\xd6\x8c\xf8\x74\x8d\x67\x72\x2e\x27\xb8\x1f\x9f\xbc\xc1\x32\x71\xc2\x33\x35\x05\x7c\xab\xce\xd8\x62\x12\x5f\x76\x4f\x53\x21\xf5\x96\x43\x51\x43\x92\xb7\x2e\x2d\xe3\x2b\x1a\x54\xe4\x09\x6e\xf7\x3d\x06\x92\xec\x6a\x36\x5c\x03\x5d\x0c\xbf\xdf\x77\xac\x65\x0e\x7d\xe4\xc3\xdc\xc5\xa2\xf6\x0c\x4e\x08\x53\x6e\x75\xcc\xd8\x1a\x41\x42\x5a\x1d\xe4\x4e\xa2\x75\xba\xaa\x2a\x7c\xd1\x6e\xf6\x4b\x41\xcc\x71\xf8\x56\x86\x12\x17\xbf\x24\x3e\x8f\x61\xc8\x99\xf5\x6f\x4c\x64\xe1\x16\xe0\xbb\x02\x09\x86\xec\xa1\xf2\xa0\xd8\xfe\x1a\xb5\x13\x0b\x63\x9a\x7d\xb4\x1b\x54\xfd\x26\x2a\xc8\x58\x45\x2a\x2c\x79\xd8\x2d\x99\xae\x59\x79\x57\x17\x01\xdb\xb3\x0f\xc7\xae\xdf\x23\x7d\xc7\x85\xbe\xa7\x57\x6e\xde\x6c\xfe\x60\xc5\x3d\x88\xdb\x5e\x7d\xb5\x9b\x32\x14\xc8\xe7\xf0\x81\xa6\x1d\x3b\x69\x9e\xeb\x80\x2e\x6e\xf4\xe2\x98\xb8\x7a\xb2\x2a\x20\xbb\x1f\x3e\x8e\x4f\x7f\xe5\x6c\x31\x8d\x4b\xfa\x3e\xb3\x12\xb9\xf3\xe7\x59\x57\xbf\x62\x64\x7e\x30\x9c\xa0\xa5\xf6\x69\xcd\xed\xb2\xc3\x09\xaa\x72\x45\xcc\x83\x20\x77\xf6\x41\xb2\xce\xce\x61\x4f\x09\x38\xec\x1d\x45\x66\x00\xfa\x30\x06\x4f\x24\x9e\x2f\x8e\xfb\xac\xbd\x9d\x2e\xb9\x0e\x99\xfc\x09\x38\xed\xca\x24\x92\x4e\xda\xed\x9f\xbc\x50\xb1\x29\x2e\x64\x75\xa5\xb4\xf3\x8b\xfd\x37\x94\x01\xee\xda\x87\xb2\xd1\x7d\xe0\x3c\xeb\x23\xd7\x88\xdb\x69\xb5\x48\xae\x24\x56\x98\x9b\x8a\x51\x89\xd3\x80\x02\x03\x89\x0e\xb9\xa0\x49\x1a\x20\xf4\x46\x03\xc8\x81\xff\xb0\x64\x7e\x7f\xf2\x91\x13\x9e\x80\xa5\xc4\x6a\xeb\x43\x22\xe5\x93\x56\xd9\xfb\x1e\x6d\xd3\xdf\xfe\xfd\x4d\xf3\xe3\x5e\xac\x72\xf2\x92\x17\x74\x77\x1b\x8e\x28\x8a\xdb\x81\x8c\x85\x60\x55\x4a\x7a\xe3\x64\x7a\xe4\x9b\xaa\x80\x77\x6b\x74\x7a\xbc\x82\xdc\xf9\xe4\x08\xe8\xfd\x14\x47\x2d\x3a\x5d\x7e\xe0\x14\xa7\xba\x43\x74\x30\x6a\x6e\xad\xe2\xdf\x58\x03\x89\xca\xd9\xf5\x48\xbc\x42\x76\x9b\x27\xc8\xc4\xae\xfd\xdb\xea\x9c\x3d\x89\xd9\x96\x05\x51\xcf\xcb\xfe\x37\xc2\x14\xcb\x5f\xb3\x1d\x98\x35\xf1\xf8\xa8\x85\x7e\x53\xb3\x6e\x91\xbf\xe3\xa2\xe3\x55\x9d\x38\x38\x05\x0a\xfd\x13\xbf\xc6\x92\x45\x87\xc8\xd2\x2c\x21\xc2\xdf\x3c\xb2\xa0\xe0\x6f\x01\xf2\x31\x03\xc4\xb6\x95\x5a\x98\x5a\x7b\x26\x34\x7a\x6a\x9d\x17\x8e\x83\x5e\x77\x53\x65\xd4\x1f\xe3\x44\x3a\xe7\x99\x70\xda\xc3\x82\xa3\x2a\x59\x7c\x3d\x56\x7d\x05\x11\xb5\xdc\xdb\x4e\xbd\x12\x71\xdb\x6e\x67\x5a\x4f\x34\x3f\x95\x01\xf1\x0a\xb4\x72\x37\x38\xbe\xbb\x63\x66\x24\x1c\xd6\x02\x67\x3f\xf9\xc7\x69\x12\xde\x61\x41\xc5\xcd\x4f\x2e\xf9\x5e\x7e\xfd\x66\xdd\x51\xb5\x65\xdd\x50\x03\x5f\x8f\x7e\x86\xb5\x76\xd5\x12\x94\x81\xae\x75\xf7\xa9\xb7\xcf\x03\x3a\x40\x25\x02\xd5\xd1\xb5\xaa\x41\x15\xba\x1b\x84\xf7\xf2\xcc\x28\x4e\x3f\x63\x6a\x23\x4f\x40\xe0\xaa\x11\x8c\x8f\x9d\x0c\xe6\xfb\x7e\xe6\x13\xcc\x2f\x1c\xc7\xec\xc2\xe2\x64\xb2\x57\x3a\xc3\xdc\x26\x4a\xaa\x27\x64\x3a\x48\x3a\x1c\xb3\x8e\x2b\x02\x37\x77\x5e\xca\xed\x62\x6f\x7c\xb8\x9b\xc5\x63\x49\x2f\xfe\x1e\x5a\xe6\x40\x1c\xd8\x2a\x9a\xd0\xfb\xc3\x2f\x7b\x5b\xd3\x02\x9b\xda\xb7\x2a\x8d\x47\xf3\x4b\x37\x01\x1e\x9f\xba\x52\x07\x5a\x56\xb8\x9f\x29\x63\xed\xca\x79\x69\x30\xa4\x99\x8c\x75\x5d\xa0\xd2\x51\xda\x98\x5a\x18\x29\xcd\x10\xce\x76\x65\xd2\xb3\x64\x77\x6b\xd6\xc7\x6e\xf9\x97\x8f\x80\x0b\x45\x3f\xa7\xc2\x70\x48\x38\xdd\xe0\x5f\x2f\x64\x89\xf3\x1e\x35\xf6\xd7\x31\xc2\x67\x8f\x32\x85\x07\x0f\x29\x7c\xb3\xbc\x03\xc0\xa0\x12\xb2\x2f\xca\x31\x29\x55\x76\xac\xc3\xe6\x79\xbb\xcb\xa5\xfc\xeb\x7e\xe7\x69\x27\x49\xfc\xc5\x84\x95\x61\x4e\xb4\xa7\xf3\xa1\xfa\x7f\x21\xa6\x55\x17\x2d\xa2\x8c\xa9\x16\x29\x2d\xc7\x48\x48\x34\xc3\x1a\x3e\x5f\x54\x91\x2f\x10\x27\x1d\x58\x67\xe5\x7b\xc4\x64\x66\xd7\x81\xbb\xb5\x02\xef\x32\xed\x8b\x2b\x44\x52\xa5\x8e\x21\x2e\x7d\xb8\xae\xe5\x73\xdc\x62\x52\x14\x2e\xc5\xbf\x26\x83\xde\xd9\xa5\x8b\x60\xcf\x78\x83\xef\x04\xbd\x50\x2e\x3d\xf2\xd6\x21\xbe\xc0\xe7\xfc\xaf\x67\x26\xe8\x4f\xb1\xc6\x95\x37\x22\xc7\xb8\x52\x3d\x4c\xb6\xe4\xb5\x5b\xc3\xd1\x96\xc7\x93\xc4\x48\x58\x81\x4b\x02\x9e\xb2\x3e\x8f\x80\xb6\x6a\xef\xdd\x8b\xe2\x15\x41\x22\x86\x08\x85\x2f\xc3\x54\xf7\x56\x05\xae\xef\xb8\x28\x97\x1d\xef\xa6\x8e\x28\xcd\xc6\x94\xb2\x4f\x2f\x46\x1c\x70\x7d\x27\xb9\x8d\xa4\x00\x0f\x9c\x82\x3e\xbb\x33\x84\xc5\x0d\x6e\x41\xe5\xdd\xaa\x60\x1b\x69\x6f\x41\xa9\xba\x4f\xee\xe0\x88\x52\x87\x4b\xf0\xe3\x1d\x20\x15\x28\x95\xe1\xda\x84\xa9\x4d\x52\x9a\x19\x4b\xe5\x3a\x88\x63\x04\xe7\xe3\x60\xa6\xa4\x0d\x2d\x40\x74\x90\x5b\xbf\xd0\x6e\x37\x13\x37\x5b\x31\xbc\xca\x23\xf4\xdb\x67\xda\x9b\xf6\x92\x0a\x5b\xb4\x48\x85\xdc\xc3\x08\x6c\xa7\x89\x5c\x10\x69\xdd\x35\xf1\x89\xe5\x7c\xe6\x0f\x8e\x0b\x0b\x5d\x33\x7b\xd6\x69\xd3\xde\xac\x1f\x01\x15\x57\x0a\x5f\xa6\x50\x5f\xac\x83\xc6\x21\xc4\x6f\x69\x3d\x84\xdc\x77\xe2\x14\x8e\x88\x7a\x82\x2d\x86\xc8\xc0\xff\x4c\x00\x48\x5c\x7f\x37\xa5\x19\x8c\x69\xc8\x81\xc1\x58\xb7\x44\xfd\x09\xcc\x76\xc0\x57\x4f\x4a\xca\xad\x64\x62\x04\x55\x27\x74\xe9\x8e\x17\xc3\x99\x8e\x34\xe7\x56\x28\xda\x26\x30\xa5\x31\xcf\xe9\x27\xd3\xc5\x5e\xf0\x2d\xf3\x37\x7e\xab\x25\x14\x35\x89\xa5\x0a\x07\xa3\x29\x06\xe7\x14\xea\x42\x58\x4b\x3d\x69\xd7\xdd\xda\x2f\xc0\xfa\x48\x6a\x0e\x93\xba\xf7\x8f\xf1\xb3\x5d\x98\xc0\x82\x38\x41\x23\x0a\x26\xb5\x21\x20\xa4\x45\x11\x5a\xdb\x78\xd8\xfd\x99\xb7\x1a\xb8\x6b\xd2\x7a\xae\xcd\x16\x59\xe8\x9f\x99\xef\xa5\x4f\x87\x64\xc2\xf4\xbc\x01\x97\x5a\xce\x6f\x35\xd2\x7c\x2d\x18\xc7\x13\xa9\x94\x71\x79\x21\x18\x19\xdc\x42\xf7\xcf\x3f\xe6\xb5\x46\x67\x4f\x14\x46\xf0\xc8\x1a\xa0\x82\x77\xec\x6b\x14\x0e\x14\xb6\xe4\x36\x07\x82\xbd\x17\xd0\x32\x55\x20\x8c\xac\x91\x7a\x5f\x8a\xc0\x3e\x6e\x8d\x13\xd0\xe6\x2d\x11\xbf\x55\xd0\x0b\x3f\x8f\x1e\x80\xb8\x55\x1b\xd7\xb6\x5b\x62\x84\xd1\x56\x6c\xdf\xdf\x43\x07\xa5\xee\x5c\xe8\xbd\xd6\xfd\x04\xa3\xed\xb4\x87\x1b\xa9\x7a\xa0\x1d\x67\x3a\xf3\x37\x69\x8f\x0a\xda\x53\xca\xb9\xbd\xf9\xf6\x31\xd0\xcc\xb7\x61\x7f\xf1\x3e\x0a\x3b\x37\x85\xed\x26\xdb\x72\x2e\x16\x32\x71\xb1\xf5\xe4\x69\x00\x05\x24\x94\x27\xbd\x44\x36\x2c\x66\x31\x15\x72\x86\xdb\xe4\xac\x19\x62\x0b\x55\xa6\x4f\xa6\x95\x8f\xe3\x2f\xf1\x3b\x1a\xdd\xfd\x7f\x56\xa1\x6f\x79\xda\xf4\xe9\x27\x87\x27\x57\x8d\x01\x54\x11\x8f\xe5\x91\xa0\xd8\x9a\xf0\x7d\x8b\xc3\x58\x2c\xf5\x1a\x01\x76\x6d\x9c\x9e\xe3\xf8\xf8\x0b\x58\xe8\x6f\xdf\xbb\x47\x70\xe6\xcf\x25\x54\xb0\xd9\xe0\x76\x99\x28\xc4\xa2\xf3\x83\xaa\xa5\x25\xdd\xf4\x73\x4f\x4c\xb1\x99\x96\xbe\x80\xb4\xc9\x1f\x91\xbb\xca\x60\x94\xab\x91\x0b\x66\x52\x41\xe2\x9b\x3d\x48\x78\x4f\x80\xd3\x2d\x21\x61\x34\x7d\x2b\xfd\x79\x1a\x66\xc6\xe8\x24\xf2\x30\x8b\x07\xf7\x67\x25\x0d\x11\x62\x6d\xbd\xcc\x96\x13\x68\x3e\x46\xcd\xc9\x90\x3a\xa0\x84\x88\x03\xb4\xa3\xdf\xb1\xfc\x9b\x35\x0d\x47\x16\x4e\xc5\x9d\xb3\x65\x1e\x1f\x5f\x9a\x5c\xc1\xad\x48\x46\x54\xac\x3a\x7f\x01\x3b\xad\xb6\xa0\xab\x87\xef\xfa\xff\xd5\x26\xa5\x3b\xea\xd6\x59\xa1\x5d\xc2\xfd\x63\x1d\xcd\x84\x3e\xc3\x41\x80\x4a\x56\x3d\x06\xff\x6c\x56\x31\xdd\xa5\x04\x4b\x9a\x99\xdc\x77\xbc\x4a\x4f\xe3\x26\x79\x8d\x67\x2d\x45\x07\x27\xe8\x1e\x49\x15\x33\xe6\xa2\x11\x21\xe3\xb8\xe5\xcd\xe3\x5f\xb8\x4e\x74\xfe\x50\x11\x89\x62\x35\xfe\x05\xf3\x35\xbf\x12\xe3\x17\x24\x01\x91\xe7\x42\xdf\x94\x38\x75\x29\x84\xfb\xc6\x97\xa5\x3b\x39\x50\xe2\x6b\x3d\xa9\x03\x1d\xc2\x34\xe8\x43\x32\x6d\x04\xfe\x09\x6b\x1c\x89\xce\x93\xbc\x6c\x5a\x60\xd7\xe6\xf0\xc5\xe8\x43\x8f\xd1\x0f\xa6\x6b\x3e\xef\x5d\xf7\x9a\x3d\xf5\x15\x24\x5e\x2f\x37\x0b\x91\x3b\x93\x33\x87\x59\x06\x01\x54\x60\x28\x3f\x87\x3b\x82\xb7\x91\xfb\x4d\xb7\x1a\xa4\xf5\x7d\x81\x82\xbd\x91\x46\x13\xba\x4d\x85\xf2\x49\x0b\xb9\xbf\xc6\x94\x0c\x5c\x49\x86\xc5\x44\x30\x8c\x3a\xc2\x2b\x79\x5f\xcb\x0b\x5a\x06\x2d\x3a\x15\xae\x30\xf6\xb7\xac\x27\x1b\xf9\xaa\xc4\xbd\xcd\x94\x9a\xae\xe1\xd7\xbd\xc8\x89\x5e\xea\x12\xda\xea\x16\x18\x5d\x86\x9d\x6c\xbd\x97\x1c\xcf\x16\xe4\xda\x5d\x70\x37\x64\x37\xa2\x0b\x6e\xa6\xc3\x5c\x50\x7e\xae\xe0\xa0\x22\x1c\x70\x52\x7d\x69\xc5\x7e\xb3\x55\x1c\x61\x73\x20\xed\x3f\x81\x7e\xe2\xa6\x99\x88\x12\x09\x64\xb3\x31\x13\x74\x06\xdd\xe2\x02\xc2\x43\xa9\x1a\x0d\x81\x0d\x16\x13\xac\x87\x09\xb2\x6a\x0e\xcc\xdd\xd7\xfc\x75\xa0\xd8\x18\x27\x6c\xb4\x95\x3b\xb8\x05\x76\x26\xf2\x3b\x72\x1d\x60\x73\xd7\x65\x86\x39\x7a\x8f\x05\xd0\x60\xd4\xe2\xdf\xcf\x14\xde\x48\xfa\xda\xae\x6e\xcb\xd5\xfb\xfe\x95\x8a\x2f\x93\x1c\x53\x1e\xa3\x25\x18\x2e\xd2\x98\x72\xa3\xdf\xec\x46\x90\x74\xbc\xda\xbb\x2a\x1a\x13\xfe\x24\x66\x7e\xfa\xaa\x26\xc5\x05\x19\xaa\x93\x35\xd3\x06\xfd\x23\x37\x99\x39\x74\x3a\x10\xac\x90\xd3\x17\x1b\x3b\xd0\x6a\x5b\x46\x3a\xd1\xb6\x12\xef\x3d\x54\xf5\x3f\xdd\xff\x55\xa8\xea\xef\x0b\x6f\x78\x77\x9d\x94\x8f\x7a\xa4\x59\x8a\x1d\xcf\x72\x6a\xaa\x45\xb9\x9d\xa0\xbc\xa1\x96\x81\x2f\x9c\x59\x98\x60\x84\x89\xe8\x0d\xde\xf1\x3a\x4b\x8e\xb0\x30\xc7\x17\x42\xc3\x04\x66\x5e\x15\xa9\xf5\x6a\x77\x67\x9e\x7c\x4d\x70\xaa\x84\xa5\x34\x66\xbc\x5f\x50\xd5\x5a\x67\x6e\xae\x3c\xdf\x86\x29\x36\xc8\xb2\xf3\x45\x1e\x21\x87\xb7\xae\x8a\xe1\x44\x6e\x09\x01\x42\xcb\x89\xe4\xee\x09\xe4\x0c\xd4\xa0\xfe\x82\x0e\xc2\x84\x50\xed\x7e\x7a\xe2\xe0\xe4\x7a\x3d\x40\x54\xa4\xac\xf5\x36\xe9\xa3\xef\xb8\xfb\xf5\xd0\xd6\xfb\xc6\x9a\x51\xba\xd4\xa6\x72\x3d\x62\xc8\x31\x1e\xc2\x24\xec\xc7\x10\x48\xbc\x16\xf9\x80\x5d\x91\x7a\x8a\x62\x94\xc0\x38\xb2\x84\x2d\x61\xde\x81\x0d\xb1\xb1\xa6\xf3\x77\x20\xd3\x01\x1f\x5e\x55\x80\x38\x50\xb6\xaa\x0c\x4b\xab\x3c\x81\x2c\xd7\xdb\xab\x18\xa7\x32\xac\x8e\x16\x7c\x49\xec\xc8\x35\x93\x88\xa9\x50\x80\xcb\x1d\x79\x6c\x32\x4f\x1a\x9c\x37\x95\x74\x9a\x36\x68\x23\x57\x60\x1b\x26\x0d\x85\xc7\x10\xdd\x0c\x67\x17\x3a\x8e\x4c\x1a\xa1\xe9\x5d\xdb\x86\x0e\x37\xc4\x4c\x99\x0e\xc5\xd1\x1c\x0e\x71\x90\x7c\x3e\x5e\x5f\xd2\x47\xfa\x32\x1d\xe9\x2d\xb5\x06\x84\x50\x6e\x82\x94\x47\xa8\xc8\x59\x09\xd2\x39\x7e\xc1\x1b\xbe\x06\x13\xa4\xd8\xaf\x44\xc2\x09\xbc\x45\x70\x29\x3e\x9c\xf7\xba\x6f\x47\x75\x4f\xd0\x50\x6e\xc3\x4a\xf2\xf9\xef\x20\x25\x0e\xdc\x01\xf9\x7b\x83\x74\xd8\x2c\x75\x09\xa2\x31\xb0\xd5\xc9\xb0\x85\xf9\x94\x8e\xfc\xe6\x8c\x57\x12\xf9\x6a\xfc\xf4\xf9\x2a\x1e\xb3\x49\x34\xb1\xd6\x64\x34\x41\x04\x33\x7c\x2b\x50\x28\xc8\xc7\xd6\xd7\xe6\x2e\x74\xcf\x28\x3d\x61\xda\xc1\xad\x87\x21\x50\x5c\x48\x84\xa8\x1c\xf6\x92\xaa\x33\xf8\x01\xcb\xc7\xee\xe1\xae\x61\xbd\x4c\x96\xa4\xb1\xad\xb8\x8f\x24\xb0\xa5\xe7\x81\x5c\x53\x7b\x25\xb8\xbc\x2e\xe2\x83\xe4\xe0\x5f\xa0\xf1\x57\xf1\x94\xf5\xb2\x2d\x6d\x02\x67\xfb\x0f\xd5\xab\x10\xbe\x22\x30\xcd\x21\xf8\x70\xe0\xe6\x51\xb5\x74\x7b\xb7\xf4\x59\x3e\xf5\x2c\x8a\x2e\x51\xd5\x09\x3e\xe1\x40\x5e\x49\xbb\xa6\xb3\x6c\xf9\x7f\x0b\x2f\x71\x50\xa1\x0a\xb7\x66\x94\x78\xa4\x83\x1f\x9c\x5e\xe6\x79\x0e\x91\xe9\x3b\x0e\x81\x4b\xc3\x14\xb0\x62\xc6\x8a\x3d\x36\xcf\x48\xda\x34\x9b\x02\x23\x80\x27\x22\xd7\x6b\x8b\xde\x97\x98\x2f\x78\xdd\xda\xb0\x64\x08\x4b\x3e\xea\x0a\x33\x5b\xd0\xdd\x84\x61\xb1\x05\x81\xd4\xa9\xaa\x69\x9d\x54\x2d\xba\x4c\xa8\x46\x4f\x62\xad\x3b\x9c\xd7\xe8\x20\x26\xa3\xfd\x15\xc2\xbd\xb3\xe3\x0a\x76\x43\xe8\x2f\x2c\x8e\x76\x44\x98\x86\x69\x89\xe2\xfe\x5a\x9e\x89\xc2\x37\x40\x4a\xad\x6b\x55\xc2\xbe\x45\x8e\x3f\x65\x47\xf7\x27\xf0\xb2\xc9\x05\x2d\xe4\x83\x9a\x6b\x5f\x03\xf5\xa7\x88\xe5\xa1\x4d\x84\x48\xee\x25\xb3\xdf\xf6\x90\x02\xd5\xfd\xa5\xca\xfe\x5b\xed\x82\x60\x28\x5b\x61\xce\x3c\x53\xc1\x62\x88\xef\x8a\xf1\x75\x9f\x63\x13\x60\xae\xe3\xbd\xc5\xeb\xfc\x22\x9b\x96\x7d\x19\x37\x99\x65\x53\x95\x24\x09\xf5\xf5\x86\x08\x20\xfd\xd2\xed\x84\x6d\xab\x93\x1b\x2d\x19\xfd\xda\x50\x69\x3a\x92\x6a\x41\xe5\x60\x60\xf2\xd6\xc1\x3c\x12\x5c\x0c\x4b\x08\xe4\x75\xa9\x92\xcc\xe4\xb5\x1e\x0f\x76\xeb\xc3\xc7\x36\x2f\xb1\xbb\x0b\x98\x05\x33\x2c\x16\x2e\x1e\x09\xd1\xff\x0e\xb7\x3b\x24\xe4\x0d\x61\x88\x13\x6b\xbc\x6e\xf8\xa3\x6f\x63\x2e\xa3\x2e\xa4\xc0\x61\x99\x18\x1d\xbb\x78\xf3\x99\xf4\x7d\xfb\x46\x33\xd0\xf0\x76\x8e\xe3\xd3\x3b\xef\xdc\xc3\xc0\xfa\x08\x9c\x21\x82\xd6\xa8\x5b\x27\x21\x35\xea\xe3\x43\x6b\xfa\x09\xb1\x8b\x10\x21\xf3\x70\x97\x99\x4a\xd7\x1a\xc9\x4c\x97\x44\x8e\x2b\x25\x2a\x75\x86\x16\xc1\x5f\x09\x66\x44\x7d\xe5\xd6\x48\x71\x05\xfa\x40\x80\x42\xc9\x0a\x9a\x89\xce\x90\xf0\x72\x8d\x7d\x76\x7c\x47\x2f\x60\xa1\x74\x0c\x77\xc0\xa6\x4a\xf3\xad\x4f\x94\x54\x4e\xbb\x3d\xe7\x94\x20\x1d\x17\xd6\x39\x97\x65\xe0\x55\xa5\xb9\x4d\x56\x9c\x66\x18\xe1\x14\x27\x5c\xfe\x79\xc2\x63\x63\x69\x42\x4e\x01\xca\x8b\x8e\x3a\x53\x0b\x92\x43\x16\xf4\x3d\xf7\xe4\x3c\xd0\x70\xd1\xb0\x9e\x8c\xc1\x84\xac\x7a\xe9\x79\x11\x9a\xae\x40\x15\x5a\x2a\x67\x32\x9e\x18\x72\x2c\x3d\xc7\x2d\xee\x00\x49\xeb\x4c\x29\xb3\x06\xdc\x81\xde\x1a\x19\x67\xcf\xe1\x7e\x97\xca\x47\x65\x62\xca\xd4\x3e\x84\xab\x3e\xc6\xe7\x6d\x35\x88\x29\xba\xad\x98\x22\x41\xd0\xdb\x74\x45\x45\x4f\x6a\x40\x54\x05\x05\x7b\x57\xfb\x93\xdf\xbd\xc8\xda\xe5\xb3\x0c\x64\xcd\x22\x0d\xc4\x8f\xdb\x56\x67\xa3\xc0\x65\xf4\xb3\x08\xbd\x07\x6f\x95\xc8\x10\xe9\x1d\x5b\x2b\x92\x11\x26\x12\x85\x20\x02\x8a\x70\x0e\x50\x6d\xa6\xc7\x61\x7f\x62\x42\x42\xa5\x9b\x87\x4d\x06\x04\x09\x11\xd5\x34\xa0\xe1\x5a\x51\x95\xfd\x8d\x9c\xb4\x65\x17\x62\x75\x11\x95\x40\x03\x48\x92\xcc\x6e\x6a\xaf\x17\x4b\x06\x43\x56\x25\xf9\xbd\xe8\xe6\x99\xe2\x8c\xbe\xed\x2b\x9a\xe0\xfc\x68\x4c\xbd\x8c\x77\xbf\x83\x80\x86\x45\x03\x95\xf2\x2c\xd0\x25\xc7\x04\x60\x39\x4c\xc2\x19\x78\x9f\xc7\x56\x83\x79\xdf\x98\x56\x58\x3f\x79\x6c\x8a\x29\x44\xb8\x57\x07\x7b\xd2\x9f\x54\x78\xe8\xb3\xbd\xf9\x16\xe6\xd6\x79\x63\xf8\xc0\x39\xba\x46\x9b\x60\xd0\xa2\x4e\xdb\x6f\x9e\x00\x40\x2b\x6f\x28\x6d\x88\xa4\xfc\x10\xbf\x76\x4d\x8c\x37\x25\x27\x10\xcb\x47\xb5\x69\x37\x08", 4096); *(uint64_t*)0x200000004690 = 0x200000004580; memcpy((void*)0x200000004580, "\x82\x07\x18\x73\x3b\x49\xda\xf8\xed\x80\xb0\xed\x25\x77\x2d\x57\xd7\x74\x35\xef\x1d\xa1\xca\x4f\x19\x30\xad\x4e\x71\x3b\x84\xd4\xc1\xa2\x4c\x71\x2f\x02\xe0\xb8\x6d\x18\x42\xc1\x64\x41\x5a\xa9\xe4\x90\xe6\xc8\x23\x0a\x89\xe3\x09\xfa\xf0\x7d\x23\x9d\xd7\xcd\x35\xda\x5c\xb5\xf3\x69\x19\xdb\x06\xdf\x51\xa5\xa9\xc5\xfc\x80\x49\x89\x7d\x04\xbb\x73\x17\x25\xff\x5f\x5d\x98\x47\x6e\x15\xb1\xdb\xab\x8c\xdc\x40\x5c\x2c\x17\x36\x58\x05\xe2\x7a\x61\xa5\xf0\x61\xe7\xea\xd1\x00\x27\x2f\xe2\xd9\xbd\x8c\xae\x4a\x26\x1b\x45\x19\x19\xeb\xb9\x27\x20\x4c\x1f\x63\xa8\x90\x81\x47\xb9\x98\x35\xba\x99\x43\x78\xa3\x2f\x9f\x11\x03\x57\x4a\x08\x93\x4f\xbc\x79\xd3\x1a\xaf\x13", 164); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000004640ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004644; r[13] = *(uint32_t*)0x200000004648; } break; case 24: res = syscall(__NR_geteuid); if (res != -1) r[14] = res; break; case 25: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000046c0ul); if (res != -1) r[15] = *(uint32_t*)0x2000000046dc; break; case 26: *(uint32_t*)0x200000004740 = 0x600b; *(uint32_t*)0x200000004744 = 0xf; *(uint32_t*)0x200000004748 = r[3]; *(uint32_t*)0x200000004750 = 0xee00; *(uint64_t*)0x200000004758 = 6; *(uint64_t*)0x200000004760 = 3; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000004740ul); if (res != -1) { r[16] = *(uint32_t*)0x200000004748; r[17] = *(uint32_t*)0x200000004750; } break; case 27: *(uint32_t*)0x2000000048c0 = 1; *(uint32_t*)0x2000000048c4 = 0; *(uint32_t*)0x2000000048c8 = 0xee01; *(uint32_t*)0x2000000048cc = 3; *(uint32_t*)0x2000000048d0 = 6; *(uint32_t*)0x2000000048d4 = 0x10; *(uint16_t*)0x2000000048d8 = 1; *(uint32_t*)0x2000000048dc = 0xfffffffb; *(uint64_t*)0x2000000048e0 = 0xffffffffffffffa8; *(uint64_t*)0x2000000048e8 = 0x800100000; *(uint64_t*)0x2000000048f0 = 0; *(uint32_t*)0x2000000048f8 = 6; *(uint32_t*)0x2000000048fc = r[5]; *(uint16_t*)0x200000004900 = 0x40; *(uint16_t*)0x200000004902 = 0; *(uint64_t*)0x200000004908 = 0x200000004780; memcpy((void*)0x200000004780, "\x1f\x8a\xa3\x8b\x61\x93\x8f\xb7\x29\x9a\x96\xae\xe6\x1f\x6c\xfc\x70\x19\x0f\x9d\xf3\x01\xd4\x0c\xcf\x55\x77\x95\xfc\x00\xd7\x75\x9e\xfa\x4a\xd1\x66\x1c\xbb\x0d\x54\xc3\x10\xaa\xbc\xc2\x92\x85\xc2\xce\x84\xfc\xbe\x97\x40\x7d\x84\x9e\xde\xc2\xf5\x98\xb2\x05\xfa\x5e\xa2\x46\x0d\x0f\x61\x5a\xd8\x7e\x7e\x26\x05\xe8\x10\x1f\x58\xad\xb6\x2e\x17\x8c\x78\xc4\x54\x58\x0a\x55\xd6\x3f\x5e\x1d\x11\xf9\x32\x25\x0d\x1f\xef\xd4\x51\x95\x45\x15\x88\xbf\x53\x0d\x73\xd8\x30\x76\xa9\x3a\x28\x9b\x61\x3b\xc6\x8b\x49\x90\x54\x23\xd7\xd5\xac\xe8\x01\x62\x92\xe8\x03\x77\xfe\xd1\xb5\x88\x77\xd9\xc4\xd0\x4e\xa0\x5b\xa8", 150); *(uint64_t*)0x200000004910 = 0x200000004840; memcpy((void*)0x200000004840, "\xb7\x37\x6d\x34\xb8\xa4\xcc\x32\x66\x7d\x88\x59\x91\xbb\xbc\x68\x28\xd0\x8b\xd6\x69\xe6\xaf\x09\xfe\x1e\x55\xbb\x32\xd8\x85\xd2\x17\xaf\xb9\x56\x45\x97\x63\x90\xdd\x73\x08\xc5\x04\xc5\xd3\x99\x53\xa7\x83\xb0\x65\xbd\x4f\x0a\x72\xbf\xaa\x17\x6a\x0d\x2a\xce\xe5\xc8\xe4\x1f\xf9\xb6\x92\xa4\x1d\x01\x0c\x7b\x34\x59\xf8\x4c\x72\x1c\xdc\x4c\x7d\xad\x40\xcd\xb1\x71\xae\x49\xa5\x56\xc9\x8b\x5e\xda\x14\xdb\x8d\x4c\xdc\xc0\xb4\x7f\xa7\x5b\xc9\xfa\xa1\x71\xe6\x8b\x70\x0c\x49\x60\x22\x25\x16\xf6\xd5", 123); res = syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0xb, /*buf=*/0x2000000048c0ul); if (res != -1) { r[18] = *(uint32_t*)0x2000000048c8; r[19] = *(uint32_t*)0x2000000048fc; } break; case 28: *(uint32_t*)0x200000004a80 = 8; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0xee00; *(uint32_t*)0x200000004a8c = 0x5c6; *(uint32_t*)0x200000004a90 = 0x1000; *(uint32_t*)0x200000004a94 = 2; *(uint16_t*)0x200000004a98 = 0; *(uint32_t*)0x200000004a9c = 0x326; *(uint64_t*)0x200000004aa0 = 3; *(uint64_t*)0x200000004aa8 = 3; *(uint64_t*)0x200000004ab0 = 7; *(uint32_t*)0x200000004ab8 = 1; *(uint32_t*)0x200000004abc = r[5]; *(uint16_t*)0x200000004ac0 = 0x300; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000004940; memcpy((void*)0x200000004940, "\x8d\x80\x00\x08\x98\xd8\x1f\x2a\x2a\x53\x7f\xc2\x1c\x52\x02\x3b\xc6\xee\x66\x95\x4a\x12\xa9\x3f\x24\x18\xcd\x8b\x0b\x69\x06\x7e\x3f\xfb\xce\x8f\x5d\x74\x31\xe0\x01\xed\x25\x5f\xb5\xed\x78\x43\x74\xaa\xd3\x0a\x67\x50\x0f\x8f\x6c\x04\x2b\xf9\xe6\x67\x06\x60\xd4\x25\xf7\x61\x1c\x7e\xcd\xfc\x45\x0c\x05\xef\x9c\x0a\x65\xc6\x2d\xc2\x21\x5f\xec\x7c\x02\xb7\x12\xde\x12\xf5\x05\x3e\x2c\x3f\x60\xd7\x80\xfa\xfc\x4d\x1a\xc2\x21\xca\x09\x07\x54\x29\x32\x88\x9c", 113); *(uint64_t*)0x200000004ad0 = 0x2000000049c0; memcpy((void*)0x2000000049c0, "\x9c\xcf\xda\x86\x9d\xeb\x66\x1f\x5f\xc9\xba\x8f\x62\xd2\x9a\x4e\xa3\xbe\x92\x86\xf7\x7e\xf1\x11\x78\xf9\x6e\x25\xe8\xbd\x88\x8e\xcc\x08\xd4\x52\xe9\x47\x31\xdc\x6e\x97\xd3\x9a\xb9\x81\x4e\xec\x35\x7a\xcb\xb7\xad\x42\x32\x89\x93\x15\xb7\x4d\xf9\xb4\xdf\x71\x30\x2a\x48\x2e\x3c\x52\xfc\x98\x81\x62\xd5\x71\x39\xe6\x91\x02\x87\x53\xaa\x86\xb2\x0c\xbc\x06\x0c\xea\xf9\xde\x31\xcf\xbd\xfa\xdb\x28\x02\x23\x28\x70\x09\x02\x86\xf9\x0b\x42\x6c\x18\x86\x6f\xb6\x2b\xb4\x66\x2a\xc9\xcf\x93\x8b\x12\xc2\xb3\x80\xa1\x32\x4d\x83\x13\x57\x5e\xad\xbc\xec\x1a\x33\x83\x27\x33\xdc\x87\xa6\xf8\xef\x25\x23\x0f\xc8\x15\xe2\xb6\x75\x6e\x60\x14\x4a\x41\x19\x57\x69\xee\x48\xe2\x1d\x49\x7f\x0e\xb1\x9a\xa1\x24\x19\xeb\x80\x45\xac\x2c\xad\xa3\x87", 181); res = syscall(__NR_shmctl, /*shmid=*/0xfff, /*cmd=*/0ul, /*buf=*/0x200000004a80ul); if (res != -1) r[20] = *(uint32_t*)0x200000004a84; break; case 29: memcpy((void*)0x200000004b00, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000004b00ul, /*statbuf=*/0x200000004b40ul); if (res != -1) r[21] = *(uint32_t*)0x200000004b5c; break; case 30: res = syscall(__NR_getuid); if (res != -1) r[22] = res; break; case 31: res = syscall(__NR_getuid); if (res != -1) r[23] = res; break; case 32: memcpy((void*)0x200000004bc0, "./file0\000", 8); *(uint64_t*)0x200000004c00 = 2; *(uint64_t*)0x200000004c08 = 3; *(uint64_t*)0x200000004c10 = 5; *(uint32_t*)0x200000004c18 = 6; *(uint32_t*)0x200000004c1c = 0xee01; *(uint32_t*)0x200000004c20 = 0xee01; *(uint32_t*)0x200000004c24 = 0; *(uint64_t*)0x200000004c28 = 0; *(uint64_t*)0x200000004c30 = 1; *(uint64_t*)0x200000004c38 = 0x5f2b; *(uint64_t*)0x200000004c40 = 0xffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint64_t*)0x200000004c58 = 0x80000001; *(uint64_t*)0x200000004c60 = 5; *(uint64_t*)0x200000004c68 = 0xcc8; *(uint64_t*)0x200000004c70 = 6; memset((void*)0x200000004c78, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000004bc0ul, /*statbuf=*/0x200000004c00ul); if (res != -1) r[24] = *(uint32_t*)0x200000004c20; break; case 33: *(uint32_t*)0x200000004dc0 = 2; *(uint32_t*)0x200000004dc4 = 0xee00; *(uint32_t*)0x200000004dc8 = 0xee00; *(uint32_t*)0x200000004dcc = 0x401; *(uint32_t*)0x200000004dd0 = 9; *(uint32_t*)0x200000004dd4 = 6; *(uint16_t*)0x200000004dd8 = 8; *(uint32_t*)0x200000004ddc = 0; *(uint64_t*)0x200000004de0 = 8; *(uint64_t*)0x200000004de8 = 0x101; *(uint64_t*)0x200000004df0 = 4; *(uint32_t*)0x200000004df8 = 0xffffff46; *(uint32_t*)0x200000004dfc = 8; *(uint16_t*)0x200000004e00 = 2; *(uint16_t*)0x200000004e02 = 0; *(uint64_t*)0x200000004e08 = 0x200000004cc0; memcpy((void*)0x200000004cc0, "\x00\xb8\xfc\xb8\xc5\x1e\x1a\xf1\x5f\x5b\x1d\x2c\x15\x82\x1b\xb8\xf4\xe8\x46\xf2\x0d\x66\x2d\xad\x19\xa0\xe5\x94\x29\x99\x48\x59\xbb\x1d\x0b\x6c\x63\xef\x69\x44\x16\xac\xb4\x94\x49\x4c\x66\x18\xf9\x85\x73\xd3\x70\xcc\x43\x50\x65\xec\x4d\xa9\xef\xd3\xf6\x76\x26\xf4\x4c\x18\xb9\x6b", 70); *(uint64_t*)0x200000004e10 = 0x200000004d40; memcpy((void*)0x200000004d40, "\x23\xc6\x65\x18\x78\xdd\xaa\x08\x5a\xe0\xbd\xfb\x7c\xcb\xb0\x8b\x71\xaf\x34\xf9\xf1\x56\x5e\x8a\xc7\x7c\x52\x93\xba\xdd\xfe\x69\xea\x20\xac\xed\x26\xde\x58\x66\x4b\x32\xeb\xf6\xf7\x34\xd3\xf7\xf6\x92\x06\x5f\xe4\xf9\x9e\xa2\x83\x36\x2b\x12\xf9\x6c\xb9\x72\x63\x2e\x80\x27\x3d\x01\x46\x87", 72); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xbul, /*buf=*/0x200000004dc0ul); if (res != -1) r[25] = *(uint32_t*)0x200000004dc4; break; case 34: *(uint32_t*)0x200000004ec0 = 0; *(uint32_t*)0x200000004ec4 = 0xee00; *(uint32_t*)0x200000004ec8 = 0; *(uint32_t*)0x200000004ecc = 0x19; *(uint32_t*)0x200000004ed0 = 6; *(uint32_t*)0x200000004ed4 = 7; *(uint16_t*)0x200000004ed8 = 0x53; *(uint64_t*)0x200000004ee0 = 0x200000004e40; *(uint8_t*)0x200000004e40 = 3; *(uint64_t*)0x200000004ee8 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 5; *(uint64_t*)0x200000004ef0 = 0x45; *(uint64_t*)0x200000004ef8 = 0x38; *(uint64_t*)0x200000004f00 = 0; *(uint64_t*)0x200000004f08 = 0xffffffff80000000; *(uint64_t*)0x200000004f10 = 4; *(uint16_t*)0x200000004f18 = 0x42; *(uint16_t*)0x200000004f1a = 7; *(uint16_t*)0x200000004f1c = 0x2825; *(uint32_t*)0x200000004f20 = 0xa21; *(uint32_t*)0x200000004f24 = 1; res = syscall(__NR_msgctl, /*msqid=*/1, /*cmd=*/1ul, /*buf=*/0x200000004ec0ul); if (res != -1) r[26] = *(uint32_t*)0x200000004ec8; break; case 35: *(uint32_t*)0x200000005680 = 0; *(uint32_t*)0x200000005684 = -1; *(uint32_t*)0x200000005688 = -1; *(uint32_t*)0x20000000568c = 8; *(uint32_t*)0x200000005690 = 6; *(uint32_t*)0x200000005694 = 0xa87; *(uint16_t*)0x200000005698 = 6; *(uint32_t*)0x20000000569c = 5; *(uint64_t*)0x2000000056a0 = 7; *(uint64_t*)0x2000000056a8 = 6; *(uint64_t*)0x2000000056b0 = 1; *(uint32_t*)0x2000000056b8 = r[6]; *(uint32_t*)0x2000000056bc = 5; *(uint16_t*)0x2000000056c0 = 4; *(uint16_t*)0x2000000056c2 = 0; *(uint64_t*)0x2000000056c8 = 0x200000005480; memcpy((void*)0x200000005480, "\xfe\xed\xc6\xae\xab\x06\xac\x00\xe0\x0a\x47\x26\xdf\xfa\x89\x36\x98\x62\x1b\xfa\x7d\x41\xa1\xac\xc3\xb8\x24\x88\xd2\x7e\x0a\xd4\x99\xd0\xf4\x71\x76\x04\x49\x63\x03\xa3\xc3\x2e\xee\xb4\x4d\xf0\x79\x18\x2f\x9c\x1f\x77\xba\x86\xb5\xd7\x5d\x3c\xfc\x32\xf4\x50\x62\xe9\x3e\x18\x4c\xec\x89\x02\x44\xb1\x95\xf2\xcd\x11\xbb\x0a\x90\xf2\xa2\xd8\xf6\x7c\xc5\xc0\xbe\x21\xff\x7a\x4f\x4d\x4a\x43\xb7\xfb\x2b\xa7\x33\x04\x0d\x26\xfa\xe0\xfb\x33\x2c\xcc\x40\x57\x09\xc4\xb6\x02\x93\x6c\x96\x94\x2a\x8e\xb5\xae\x32\x7c\x87\xdb\x6f\x2f\x6f\x61\x0f\x80\x3c\xc6\xd8\xd2\x09\x9e\xc2\xa8\x74\x19\xcd\x0c\x20\x6b\x74\xac\x24\x97\xac\x1f\x8b\x63\x7c\xff\xd4\x42\x7d\xae\x82\xe7\x7b\xea\xf3\x7c\xe6\xf5\xd2\xbd\xde\xb3\x19\x44\xc3\x6a\x67\xec\x43\x46\x59\x2b\x8b\x0a\x7f\x4f\x28\xc9\x52\xc8\xf6\xbc\xbe\x0a\x5e\xc3\x5a\xae\x35\x4c\x1f\x9e\x66\xbf\xab\x1f\xa0\xf8\xfb\xe0\x2e\x56\xaf\x6e\xcc\xe5\x25\x61\x78\x00\xb4\x2e\x8c\xb5\x83\x1e\x20\xae\x90\xe7\x3b\xdd\x29\xda\x4c\x8b\x8d\x1d\x00\xad\x8e\x8e\x8d\x8f", 246); *(uint64_t*)0x2000000056d0 = 0x200000005580; memcpy((void*)0x200000005580, "\x48\xfe\x27\xd9\x96\x54\x0a\xf3\x9e\xe6\x3e\xd5\xb8\xcf\xd8\x52\x3c\x9e\xee\xa2\xa9\xf6\x19\x60\x14\x21\xc6\x14\x0e\x3a\x98\x4a\xbc\x8a\x5f\x42\x1a\xc2\x62\x1a\xd0\x9d\xcf\xe4\xb7\x03\x89\x83\xe0\xe8\x82\x40\xcf\x3d\xd6\x11\x96\x97\x6f\x83\x6b\x58\xbc\x78\xe8\xd0\x80\x44\x6c\x8c\x46\xfa\x4d\x9a\x6b\x52\x29\x42\xef\x8d\x58\xf8\x9f\x40\x10\xf6\xb6\x2b\x5a\xff\x90\x27\x53\xb6\x2f\xb2\x9f\xb8\xa8\xa3\xa4\x75\xf3\xe0\xe4\x45\xbc\x8a\x4f\xe0\x18\xfb\x6a\x5e\x3c\x2d\x53\x4a\xab\xd3\xb0\x91\x5d\x7b\x06\x57\x81\xca\x8c\xdb\x3e\xb7\x34\x01\x63\x90\x63\x8c\xde\x96\x40\x37\x5b\x4d\xfc\x90\xc2\x11\x60\x3b\x5e\xa2\xbd\x44\x29\x57\x50\x41\x50\x67\xbc\x3f\x14\x7a\x66\xd7\x7d\xcf\xbf\x65\x84\x80\x36\x9e\x1d\x1f\x19\x3d\xad\x08\xc0\x0f\x36\xc9\x9a\xf5\xc1\xb5\x2f\xf0\xa1\xf2\xe8\x93\x84\x1f\x1a\x2d\xe0\x97\xfb\x0e\x00\x1a\xbd\xb9\x56\xf6\x82\xde\x1e\xcf\xc1\x80\x1e\xc9\x43\x6f\x86\x4d\x3a\xbe\x6e\x7f\x9e\x33\x2a\x32\xe9\xe5\x44\x5d\x85\xed\x61\x3b\xa1\xd5\x9a\x8a\xe4\x83\xad\x90", 244); res = syscall(__NR_shmctl, /*shmid=*/0x80, /*cmd=*/0xful, /*buf=*/0x200000005680ul); if (res != -1) r[27] = *(uint32_t*)0x200000005684; break; case 36: *(uint32_t*)0x200000005980 = 0; *(uint32_t*)0x200000005984 = 0xee01; *(uint32_t*)0x200000005988 = 0xee01; *(uint32_t*)0x20000000598c = 0x80000001; *(uint32_t*)0x200000005990 = 0xa; *(uint32_t*)0x200000005994 = 9; *(uint16_t*)0x200000005998 = 0x50f4; *(uint32_t*)0x20000000599c = 8; *(uint64_t*)0x2000000059a0 = 8; *(uint64_t*)0x2000000059a8 = 4; *(uint64_t*)0x2000000059b0 = 7; *(uint32_t*)0x2000000059b8 = r[6]; *(uint32_t*)0x2000000059bc = 8; *(uint16_t*)0x2000000059c0 = 3; *(uint16_t*)0x2000000059c2 = 0; *(uint64_t*)0x2000000059c8 = 0x200000005800; memcpy((void*)0x200000005800, "\xdb\x41\x18\xb7\xfc\x55\x0b\x52\xee\xc4\xc5\x9c\xf4\xb9\x3c\x16\x9c\xd2\xe4\xc6\xb1\xeb\x5a\x84\xe9\x5b\xb2\x10\x93\x86\x54\x4d\x81\x85\x38\x8c\x50\x4c\x49\x5c\x8e\xf8\xb3\xd1\x96\xce\x76\x84\x46\x52\xa8\xd2\xed\xdb\x5e\xff\x11\x69\xa5\x58\xd6\xe7\xc5\x6d\x46\xaa\x70\xe6\x29\x8f\xbf\xaf\x95\xfa\x39\xd5\x39\x85\x94\x4c\x38\x2b\x26\xcb\x4e\xe5\x1e\x02\x1b\xeb\xc6\xe6\xe8\x03\x88", 95); *(uint64_t*)0x2000000059d0 = 0x200000005880; memcpy((void*)0x200000005880, "\x11\xd0\x1f\xea\xa2\x06\x48\x96\x7b\x16\xd3\xe6\xcb\x0d\x49\x89\xe6\x1f\xca\x36\x74\x07\x92\xd8\x80\x8f\x57\x2b\xe0\xb7\x0d\xd4\xfa\xaa\x5e\xce\x73\x85\x99\x83\x67\xd7\xda\xf2\x35\x0e\x52\xa7\x4d\xde\x02\x7c\x39\x77\x11\xa1\x8f\xaa\x7b\x87\x7c\x14\xe9\x2f\x48\x63\x6c\x7b\x02\x1b\x50\x82\x8c\x93\x6f\x30\xbd\xec\x29\xc6\x74\x13\x9d\x1d\x64\x36\x9d\x02\xd6\xdf\x35\xbd\x75\xc5\x4a\x72\x9a\x1c\x28\xf9\x4a\x00\x49\x7c\x29\x12\xe4\xf7\x3e\x55\x74\x6d\xc4\x37\xcf\xb6\x4d\x82\x6f\xb5\xdc\x13\x28\x6f\x2d\x3d\xc8\xa3\x54\xee\x95\x76\xb8\xb3\x7c\x40\x78\x14\xe5\x52\x41\xfd\x87\x16\x08\xc5\x99\xdd\xb5\xf9\x80\xe7\xc0\x1c\x23\xb0\x2b\x73\x8c\xe3\x4d\xc1\xf4\xd5\x57\x7f\x02\xc5\x53\x7e\xec\x8d\x5c\x15\xf8\xc9\x3a\x7d\x45\x0b\x47\x01\xde\x03\x80\x22\x41\xa3\x4c\x3a\x07\xa3\x78\x11\x9c\xfb\xb3\x4e\xeb\xe8\x75\x3a\x48\x51\xca\xe1\xa1\x4a\x12\x47\x49\xed\x8c\xaa\xec\x19\xd2\x22\x0b\x21\xd7\x1e\xdd\x40\x85\x67\x22\x38\xc4\x58\x2d\xbe\x77\xee\x25\x8f\x75\x04\xe5\x86\x84\x58\x78\xa7", 244); res = syscall(__NR_shmctl, /*shmid=*/0x7ff, /*cmd=*/0xful, /*buf=*/0x200000005980ul); if (res != -1) r[28] = *(uint32_t*)0x200000005984; break; case 37: *(uint32_t*)0x200000005a80 = 0x1d; *(uint32_t*)0x200000005a84 = 0xee00; *(uint32_t*)0x200000005a88 = 0xee01; *(uint32_t*)0x200000005a8c = 9; *(uint32_t*)0x200000005a90 = 7; *(uint32_t*)0x200000005a94 = 0x100; *(uint16_t*)0x200000005a98 = 0x1000; *(uint32_t*)0x200000005a9c = 4; *(uint64_t*)0x200000005aa0 = 0x400; *(uint64_t*)0x200000005aa8 = 3; *(uint64_t*)0x200000005ab0 = 9; *(uint32_t*)0x200000005ab8 = 9; *(uint32_t*)0x200000005abc = 0; *(uint16_t*)0x200000005ac0 = 0x4c17; *(uint16_t*)0x200000005ac2 = 0; *(uint64_t*)0x200000005ac8 = 0x200000005a00; *(uint64_t*)0x200000005ad0 = 0x200000005a40; memcpy((void*)0x200000005a40, "\x20\xfc\xa2\xd9\xa8\x4b\x14\x9b\x22\xcc\x11\x86\x29\xf2\x44\xc8\xf9\x90\x9c\xbe\x31\x7a\xd4\x69\x3e\x5c\x7d\xda\xcf\x6f\xf0\x8f\xf9\x64\x41\xb2\x9c\x38\xfb\x9a\x61\x61\xaa\xc4\x2a\x96\xf4\xe5\xb9\xa9\xed\x64\x8c\xa3\xd6\x00\xf7\x63\x14\x86", 60); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x200000005a80ul); if (res != -1) r[29] = *(uint32_t*)0x200000005a88; break; case 38: memcpy((void*)0x200000000c40, "\x55\x5b\x07\x8c\xdc\xaf\xe3\xdf\x82\xab\x07\x45\x00\xb8\x54\xe0\x53\xe9\xbe\x2b\xde\xa6\x7c\x3f\xdc\x61\x39\x5f\x5b\xcf\x26\x9a\x1a\x3d\xb8\xdd\x7f\x3d\xb0\xcb\xe3\xe9\xee\x7f\x3f\xd7\x73\xe5\x7f\xb4\xf6\xab\xa5\x3b\x02\x82\xae\x6a\xb4\xf9\xb9\xd6\x9d\x36\x2e\xbd\x6f\x99\x17\xff\xa5\x85\xa5\xe2\xb1\xdd\x85\xaf\xdc\x2e\x0b\x9f\xd0\x7d\x2b\xb6\x93\xd6\x87\x17\x43\xb7\x3e\xdd\xf8\xe6\xcc\x6e\x58\xe5\x02\xfb\x0d\x8d\x80\xfb\x48\xbe\x00\xbe\x3a\xcf\xe3\x5f\xd1\xfe\x21\xf9\x7c\x59\x8e\xca\x5e\x05\x46\xf3\xf6\xee\xc8\xf7\xe4\x03\xe8\xa8\x0b\x58\xfb\x34\x34\x2e\x2f\xcf\x0e\xef\x3b\xa1\x64\x4b\x26\x2d\x0a\x87\x7d\xeb\xa6\x46\x22\xae\xee\x38\xf1\xef\x52\x8c\xd8\x36\x08\x5f\xb4\xf8\x43\x7c\xa3\x6c\x3c\xc2\x11\x98\x0a\x65\x23\xfc\x6b\xd0\x7c\x49\x74\x7f\x5f\x9d\x6d\x79\xca\x43\x5f\x84\xf5\x9a\xf8\xbc\x5d\x7a\x76\xad\x9a\x4d\x29\xe4\xc5\xea\xf2\x0c\xf5\xe3\x73\xc2\x67\x7a\x04\x8b\x4a\x06\x4b\x25\xc8\x0e\x3c\x22\x5a\xef\xc7\x98\x61\xe3\x9f\x88\x98\xdc\x74\x9e\xd0\x43\x2a\x34\x74\x29\x9b\x35\x0f\xfb\x0c\x53\xcf\x96\xca\x64\xa1\x27\x30\x8b\x7a\x77\xf8\x0e\xc1\xad\x1c\xa7\x4f\xc5\x8f\x71\x80\x3c\x78\x7f\xc8\x98\x20\xce\x64\x7e\x6e\xed\xc3\x84\x51\xb7\x0b\x15\x30\xcc\x70\x60\xd1\xb0\x72\x7b\x74\x68\x5e\x6a\xdb\x33\x10\xcf\xa9\xed\x51\x65\xe3\xd3\xe7\x4a\x38\xa7\xb5\xf2\x50\x24\x61\xb9\x3d\x63\x36\x93\xf3\xc9\x25\x9d\x2f\xa0\xad\x38\x9f\x24\x96\xc5\xc2\xe3\xdf\x9f\x85\xc1\xa8\xa8\x58\xdb\x4b\x7c\x58\x15\xfc\xbb\x65\x68\x21\xe1\x84\x4e\x7d\x6e\x0f\x3c\xfb\x64\x52\x8f\x96\x62\x97\x9a\xc9\xa8\xec\x10\xee\xf0\x60\x3b\x3d\x1d\x78\xd5\xd2\xa4\x85\x48\x6a\xa8\xcc\x31\x0e\x49\x0b\x94\x71\xae\x12\x71\x94\x15\x1b\x73\x2e\xd1\x9d\x49\x4e\xa6\x3d\x28\x36\x51\x94\x09\xa2\x13\x42\x5f\xe1\x00\x5e\x46\x69\x5f\x4b\x24\xbe\x7b\x25\x82\x96\x53\xe4\x1c\x17\x4b\x1b\xc6\x9f\x10\x8a\x07\x67\x69\xc6\x52\x40\x5d\x43\x6a\x7c\x69\x8a\xc8\xe5\x4a\x85\x0c\x0e\xd0\x24\x9a\x82\x50\xe5\x54\x88\x69\x61\x6b\x9a\x72\xf2\x6c\xb9\x70\x96\xcc\x66\xcb\xbf\x03\x17\xa1\x7f\x96\xee\x0b\xae\x08\x02\x4d\x5b\x80\xdf\xf8\xbe\x40\xc8\x22\xd8\x50\xf7\x49\xe7\xbf\x54\x33\xd2\x52\x20\x2b\x03\x58\x3d\x8b\x87\xb5\xb7\x07\x90\x5e\x3c\x84\x61\x24\x1f\xea\x66\xc5\x99\x5a\x3d\xe3\x0e\xf8\xe3\x3b\xf0\xc7\x92\xf2\x3a\x26\x43\xbe\x67\xd8\xe0\x77\xb1\x6a\x84\xe5\x2d\x80\xc3\xc3\xe8\xc3\xba\x8e\x58\xd0\x68\x3d\x00\x41\x2b\x9f\x98\x73\x25\x24\x11\x3d\x24\xc8\x9e\xbb\x02\x0b\xa6\x31\xc1\x61\x8c\x7c\x1d\xed\xf1\x8e\xe5\x9c\x67\x7e\x58\x52\x99\xfc\x6b\xc0\x60\xd5\xc3\xf5\x7f\x9d\x52\x9f\x93\xc3\x7e\x08\x6d\xb0\xed\x59\x93\xa0\x5d\xab\xff\xba\xe7\x43\x0f\x9e\x20\x60\xb0\xb6\xce\x6b\x0b\x21\xfe\x6d\xcc\x4f\x40\x16\xd8\x7a\x74\xd0\xfa\xdd\x6f\x9f\x12\xb1\x02\xf7\x8a\xc9\x4f\x2b\x84\x6c\x2a\x7b\x9b\xc2\x43\xc5\x6b\x0f\xe4\x41\x2f\x03\xaf\x33\x72\xd3\x56\x43\x2c\xff\x83\xc2\xd7\x12\x7f\xa0\xa9\x72\x90\x6d\x16\x74\xd7\xe5\x5d\xac\x17\x89\x01\xb6\x61\xf1\xf1\xef\x39\xe7\x17\x25\xd8\x9b\xc1\xe7\xce\x8a\xc6\xa2\x38\xa9\xb2\x11\x5c\x65\x63\xf9\xc2\x19\x93\x43\x50\xcb\xff\x04\xbf\xed\x91\x66\x53\xcd\xfd\x93\xc2\x5c\xa0\xcf\xa1\x22\x3b\xc8\x5f\xd2\x6d\xcb\x17\xe5\x30\x21\x28\xfd\x81\x94\x51\xd0\xb7\xf0\x85\x4c\x70\x32\x84\x97\x77\xd1\x82\x8d\x48\x3b\xc5\x8b\x2b\x91\xf6\xe4\xeb\x2a\x90\x26\x55\xa9\x5b\x03\xfe\x2c\x86\xf0\xfb\xa9\xfd\x2c\x67\x7f\x6e\x5b\x60\x92\x17\x9a\x5e\x84\xa6\x7d\x88\x1a\xab\x57\xdd\x2c\x32\x39\xa1\xdb\x9b\x47\xf2\xb5\xf6\xce\xeb\x79\xa5\x8c\xd1\x25\xe6\x14\x7d\x20\x68\xca\x21\xa0\xca\xc4\x7b\x0c\x12\xf6\x68\x3b\x71\x98\xf1\x39\xf1\x12\x06\xb2\x84\x90\xf7\x56\xe0\xbf\x15\x22\x19\x5f\x14\x60\x8d\x19\xff\xb6\xa3\xba\x85\xf0\x47\x44\x31\xf7\x1d\x1a\x38\xb4\x92\xe3\x86\xdb\x9e\xb0\xdd\xe5\x57\x69\xc0\x2f\x87\x57\xa4\xe1\x4e\x93\xdc\x24\x1f\x2d\xd5\xe6\x55\x0e\x3d\x75\x3c\x91\x7b\xbc\x4e\x5b\x1a\x33\x85\x25\x91\x63\xd6\x64\xb0\xc7\x2d\x85\xbf\x78\x35\x4f\x18\xcb\x63\xf1\xfe\x0a\x33\x7a\x07\xf2\xe7\x8f\xd3\xf8\x94\xff\xeb\x85\xda\xce\x3f\x30\x27\x7b\x5c\x0f\xdb\xb2\x4f\x9b\xc3\x54\x54\x6d\xe8\x12\xed\x54\x45\xf8\x54\x88\x8a\x03\x8f\x04\x36\xc7\x8b\x21\x23\x0c\xa7\x3e\x77\x0b\x4d\x37\x5a\xc6\x0d\x30\x2a\xd1\x62\x9e\xd8\xc1\x7a\x12\x76\x53\x02\xad\xd9\x81\x9e\x9b\xdd\x10\x02\xdd\xf7\xd7\x73\xd0\xd2\x01\xe6\xaf\x2b\xf8\xe5\x8f\x68\x91\x5d\xcd\xb8\x0f\x4b\xdd\x73\x1c\xa0\x54\x4f\x9b\xe2\x92\x97\x21\x9d\xd3\x42\x2d\xf4\xf2\xe4\x36\x42\x2f\x94\x0d\x8f\xe0\x72\x41\x4e\x84\x38\x94\xc0\x1f\x43\x80\x7c\x4d\xd4\xf7\xc5\xc1\xfe\xb2\x0d\x50\xf0\x60\xee\x1f\xe6\x12\x22\x9c\x2f\x49\xda\x21\x72\x89\x52\xa0\xbe\xf8\x1b\x47\xfa\x85\x84\x8f\x65\xae\x37\x56\x70\x60\x13\x09\x5f\x1f\xf8\x4e\x5e\x32\x21\x6b\x94\xaf\x24\x79\xee\xa8\x19\x97\x10\xc0\x15\x59\x7b\x00\xa9\x7b\xe8\xb3\xba\x52\x43\x9b\x12\xe3\xf1\x94\x82\x18\xe2\x81\x6b\x75\xb6\x84\xf3\x18\x2b\x43\x4e\x0a\xc0\xcb\x31\xa1\xa8\x3f\x2c\x7b\xbd\xdf\x28\x0d\x1e\x4f\xd5\x08\xc4\xb7\xa0\xfb\x0b\x66\x4c\x61\x3e\xdb\x4c\x7e\xc7\xf4\x8c\xdc\x94\x11\xa1\xaf\x51\xc7\xf2\x95\x64\x95\x04\x17\xca\xcf\x4c\x84\x8b\xc3\xc6\xc2\xff\xb3\x17\x59\x91\x7a\x52\x51\x00\x01\xaf\xd9\xde\x6d\x6e\x9d\xdc\x26\x36\x43\x53\xea\x50\x70\xfc\x73\x0b\x22\xd8\xf4\x34\xec\xc2\x12\x47\x94\x9f\x63\x7d\x03\xd4\x30\xa5\xfb\xc0\x36\xbd\xaa\x35\x01\xd4\x9d\x63\xdf\x32\x38\xab\xc5\x94\xa5\x64\x43\xd0\x5f\x53\xa5\x57\xb1\xe0\x4c\x54\xf5\xde\x09\x10\x86\xa0\xcf\xe9\xf3\x70\x7c\x74\x77\x1d\x41\x6c\xbd\x75\xc5\x3e\x74\x56\xba\xc5\xad\xce\x64\x0c\xd9\x3c\x66\xc0\xba\x2e\x59\x09\x6c\x5e\x08\xcf\x2c\x9b\x96\x48\x9e\x94\xf8\x06\x52\xf9\x05\x84\x9e\x4f\x38\x99\x7f\x0c\xd4\xe6\xcf\x1a\xd1\x8a\x88\x1e\x9e\x81\xae\x73\x2c\x28\x4d\xf2\x54\xde\x39\x81\x60\x6b\x02\x1e\xf4\x1d\xa3\x71\x76\xe9\xa0\x94\x6a\xb8\x08\x26\xdc\x7f\xb9\xe4\xb9\x9b\xd9\x94\x8b\xb0\xee\x33\x4a\x5d\xb2\x91\xea\x58\x80\x7c\xec\xd5\x9f\x87\x0c\x69\x13\x85\xe2\x7f\x18\xd7\x48\x46\xd1\xed\xa2\x20\xb9\x60\x7a\xaf\x2e\x6f\xc0\xae\x9e\xae\x57\x60\x8e\x60\x1d\xf9\x44\xd9\xac\x45\xd6\x2d\x79\x65\x12\x90\x3b\xff\x90\xd7\x40\xef\x9f\xcc\x40\xc3\xb3\xf2\x73\xa2\xbd\xfa\x30\x14\x3e\x90\xcd\xa7\x11\x6d\x8c\x68\x82\x6e\x67\xea\x0c\xf5\x78\xf5\x92\x31\xca\x85\xf0\x3f\x11\xb4\x0d\x06\x31\xab\x34\x73\xca\x2e\xe5\x35\x87\xdd\x4d\x8a\xbc\x53\xc6\x06\x9d\x56\xbd\x9b\xf7\xcc\x9f\x04\xd8\x98\x2a\x4f\xae\xda\x89\xfb\xff\x88\x84\x25\x1a\x1f\xcc\x5f\xef\x64\x2a\x20\x52\x99\x93\x0e\xe6\xc9\x02\x22\x23\x57\x68\x88\xc4\x91\xf7\x96\x62\x4d\x04\xd9\x5a\x98\x3e\x40\xb3\x44\xe8\xf4\xc9\x8e\xeb\x55\xe0\xff\x11\x6f\xcc\x8b\x4f\x29\x6d\xdc\x2f\x11\xc9\x32\x27\x86\x44\x0e\x0b\xa6\x22\xed\x96\xdc\xcb\x6b\xf6\x82\xb9\x7a\x2c\x78\x06\x47\x47\x38\xe9\xce\xa3\x64\xa2\x28\x30\x23\x5c\xa3\x5c\x60\xca\x4b\x0f\xd3\x0f\x81\xc0\x51\xb9\x6c\x67\x98\x21\x7c\x79\x85\xe7\xfd\xfb\x4f\xd8\x04\x09\x32\x66\xf0\xd3\x94\x7b\xc1\xd5\xb3\xbd\x53\x5c\xbd\x34\xbf\x07\xa3\x09\x6f\x16\xda\x81\x8c\xde\x06\x88\x7e\x94\x25\x75\x79\xf2\xc0\x20\xcb\xca\xc1\xcb\x70\x0d\x34\x47\x2b\xac\x93\x01\x30\x53\x0f\x9d\x09\x44\x83\xfa\xf3\x11\x19\x4f\x9a\x96\x41\x92\x5c\xde\xe8\x88\x79\xd2\x18\xb3\xbe\xb8\x3d\xf4\xf3\x3f\x5c\xb1\x09\xca\xc0\xc7\x92\x6f\xf1\xeb\x49\x4e\xbf\xc5\x8f\x22\xe5\x13\xde\x37\x6d\x1e\xa9\x03\xe7\xaa\x65\xb8\xd1\x82\xe5\xe3\x82\x17\xe2\xd2\xc0\xb0\xcb\x39\x2d\x44\xad\x76\x84\xc2\x29\x96\x8e\x71\xa7\x61\xb9\x67\xe2\x5a\x28\x83\x92\x9e\x19\xbb\x5d\xfb\x05\x32\x18\x13\x9d\xc3\x04\xea\xee\xd9\xe1\x5d\xe1\xf0\xa9\xe6\xf0\x47\x61\xc7\x5f\x72\x99\xe6\xc0\xec\xcb\xf9\x3c\xc1\x01\xeb\x5b\x01\x7c\x2d\x97\x27\x3b\x22\x38\xd4\x48\x1c\xbb\x5d\x24\x4d\xb8\xf1\xb3\x29\xb8\x93\x05\x45\xea\xa4\xa3\x6d\x59\xc3\x7d\xdb\x37\xa6\x10\xde\x3a\x79\xdd\xd8\xa3\x1d\xeb\x0b\x1b\xbb\x31\xd0\x1e\xee\xb7\x8c\xf9\x5a\xcf\x3f\x27\x27\xb5\x3b\x62\x36\xb0\x7d\x49\x0d\x86\x31\x82\x97\xda\xd4\xf6\xb8\x01\x07\xa0\x31\x29\x9f\xb5\x2a\xc0\x61\x0d\xa5\xaf\x4b\x71\xa8\xa7\x1c\x48\x6e\xda\x6e\x77\xc3\x50\x22\x4a\x9e\x24\x65\x99\xd2\xf0\x17\x90\x79\x6a\x21\xc1\xc9\x0d\xfb\x6e\x64\xc4\x9d\x6f\xe4\xee\xeb\xe6\xd6\xb5\x19\x2b\x6e\x13\x0e\xea\xc6\x73\xc4\xcf\x46\x69\xc0\x46\xce\xc7\x38\x80\x79\xd1\x4b\x25\x99\x25\x28\xe2\x05\xa8\x66\x3d\x42\x9d\x8c\xea\x1f\xcc\xdd\x3e\x53\x8b\x97\xc6\x35\x56\x2f\x2e\x26\x95\x88\xaa\x14\xb9\x30\xa7\x40\x80\x76\x29\x8c\xc4\xde\xda\x70\xb3\xc2\x6c\x42\xc6\x70\x22\xc5\x9e\x26\xf0\xbc\x4a\xec\xc4\x3a\x95\x6a\xc6\x02\x30\xba\x1b\x06\x81\xb8\xdb\x4e\xfd\x0e\xf1\x33\xf0\x99\x56\x3d\x0f\x55\xb9\x19\xf6\x43\x77\x22\xc8\x6b\x4a\x5f\x92\x8a\x75\x6b\x45\xa8\x4f\x9c\x54\xdc\x2b\xdd\x79\xae\x9d\xa5\xa3\x9b\x59\x93\x05\x5b\xf7\x74\xb1\x29\xb4\x68\xfd\x38\x85\xa5\x44\x70\x52\x46\x0d\x71\xa6\x8c\xb9\x6d\xed\xbd\xc4\x88\x2e\x6f\x6a\x2b\x7f\x64\x26\x27\xf3\xe7\x78\x3a\xcc\xc8\xf2\x2d\x29\xac\x8a\x83\x78\x8e\x64\xab\xd6\x06\x19\xe2\xb1\x3c\x48\x3b\xb9\xf6\x44\x2c\xd0\xa6\x72\xdc\xa7\x19\x26\x2f\x2e\x8b\x52\xd5\x8e\xfc\xca\xbe\x63\x12\x0f\xa9\x55\xda\x00\x62\x98\x88\xb0\x98\x6a\xee\x35\x03\xf9\x4d\x69\x01\x15\x52\x8e\xa4\x14\xff\x93\xfc\xfc\x48\x7f\x4a\x3b\x02\x13\x79\x8f\x27\xce\x36\x2e\xcc\xfa\x77\x5c\x9f\x84\x11\x44\xae\x5f\xe9\xc7\xd9\x5b\x46\x57\xea\x10\x67\xf1\x2d\x1d\xee\x02\xf9\x11\x78\xb1\x13\xf7\x96\x20\x73\xa3\xc9\x8b\x91\xde\x9b\x47\x02\x3a\x22\x05\x92\x01\xbd\x49\x5e\x7e\x2e\x4d\x3b\x3d\xec\x65\xef\x29\xfe\x44\x2e\x27\x1f\x13\x87\x0b\x0a\xed\x81\x83\x52\xbc\x69\x1b\x5d\x39\x17\x56\x5b\xf8\xb6\x6a\xcb\x66\x58\x05\xd9\x37\xe6\x35\x87\x91\xed\x90\x60\xf2\x61\xca\x7e\x34\xf0\xe7\x28\x6c\xf7\x56\x3f\x57\x25\x4a\x05\xb3\xce\x5f\x17\x5d\x8b\xca\x32\x2c\xb3\x1b\xf8\xde\x32\xeb\x0e\xf6\x36\xda\x05\x5f\x3e\x9e\xee\x3b\x7e\x36\x06\x6f\xe1\x0c\x45\xc7\x74\x2c\x39\x73\x2c\xc7\x89\xaf\x38\xcb\x73\x7a\xa1\x78\x98\xd3\x1a\x20\xce\xba\x6a\x89\xc7\x88\x35\x19\xce\x21\x71\xc6\xe7\xb1\x9b\x34\x49\x4a\x58\x06\xf9\x9c\x26\xc5\xdf\x8f\xd6\x41\xa1\xbe\x5e\x66\x0c\xe8\x87\xa7\x8f\xb6\x91\xa1\x01\x6f\xdb\xf1\x07\xbc\x92\x99\x2a\x2b\x62\xdc\x34\x74\x31\x6d\xd2\x4f\x40\xff\xe6\x1b\xfa\x84\x8f\x97\x90\xe7\x25\xc0\xdf\x3f\xa6\xd0\x90\xfd\x38\x37\xe1\xa4\x6b\xf5\x8f\x3b\xee\xf4\xad\x77\x21\x95\x1a\x97\x79\x48\xb8\x6c\xed\xc0\x7a\x24\xb7\xf0\x4b\xe1\x4d\xf3\x6d\xff\x71\x53\x1a\xd7\x15\x32\x8d\x70\xa2\xff\xfb\x3b\x59\x43\x96\x19\x82\x6e\x0c\x26\x72\x9d\xa1\xaa\x66\xfb\x89\x2b\x94\x0f\x8b\xe7\xee\x4f\x22\x7b\x43\xfb\xb4\x30\x94\xc5\x08\x64\x47\xc8\xb4\xdd\x72\x66\xf0\x7b\xc7\x9c\x28\xa9\xb4\xb0\xb5\x11\x73\x9d\x68\x94\xc0\xf2\x04\x9f\x9b\x83\x57\xa2\x45\x1b\xc9\x64\x89\xc2\xfd\xb4\xc6\x3f\xe6\xa1\x51\xa1\x1c\x72\x30\x47\x4b\xf5\x1f\x4d\x04\xb1\x60\xa6\x5c\x22\x10\x4d\xfc\x29\x68\xa2\x3e\x42\x7b\xd9\x7c\x4d\x2c\x0a\x5b\x35\x9d\x59\xfb\x17\xb5\x51\xf8\x90\x5a\x4b\x6a\xca\xb2\x44\x4d\x66\x08\x2c\xf5\xc6\x48\x03\xf5\xaf\xdd\x46\xf0\x57\x35\xd1\x8b\x52\x07\xa9\x27\xef\x34\xcc\x76\xa8\xed\x38\x19\xc8\x69\x54\x1e\x06\xe5\x09\x50\xd5\x50\xc9\xb8\xf0\x34\xd4\xa3\x29\xa1\x35\xaf\xaa\x25\x7d\x3b\xf2\x5d\x36\xac\x7c\x7f\xf9\x85\x1a\xb9\xc3\x86\xc9\xb1\x6b\x7b\x11\x1c\xfb\xfc\x39\xf1\x9e\xc3\xb7\x1c\xe4\x35\x40\x36\xcf\xcf\xfe\x36\xc8\x7a\x8d\x65\x47\x00\x6a\xb4\x4f\x19\x32\x0a\x35\xdb\x00\x3a\x6c\xce\x51\xe5\x33\x8a\xfd\xea\xf6\xfb\x6a\xd3\xdb\x60\xba\xbb\x52\x1a\xd5\x6b\x08\x0e\x55\x64\x41\x3b\xe5\x96\x99\x4a\xfe\x9d\x45\x55\xf7\xb7\x53\x0c\x4f\xb1\xad\x9b\x55\x90\x0c\x76\xba\x40\x49\x71\xd8\xe2\x72\x6a\xc6\x48\x0e\xc1\xe1\xb5\x6f\x68\x60\x0e\x79\x0a\x32\x80\x6f\x10\xee\x80\x76\xff\xbb\xe6\x31\x30\xb7\x2a\xe2\x2f\x0a\x79\x9a\x56\x58\xf2\x72\xfa\xed\x77\x0f\x1c\x72\xe4\xb6\xc3\x2f\xa1\x9b\x6b\x9e\xc2\x8c\xec\x7b\xfb\x3b\x08\x69\xe7\xf4\x7b\xb3\x2b\x63\x1d\x44\x0b\xb1\x50\x4e\x92\x7f\xbf\x0a\x75\x29\x59\xc4\xa6\x33\x45\x9b\xd2\xd3\x49\x26\xad\xa2\x2b\x97\x71\x6a\xdc\x61\x47\x0e\xda\x3a\x96\x8b\x89\x89\x82\xd8\x96\xe7\x7d\xa4\x7a\xf7\xd4\x89\x72\x8a\xde\x39\x50\x57\x53\x89\xaf\x48\x83\xb2\x1f\x53\xe9\xf4\x9d\x4b\x4f\xec\x3c\x56\xb9\x5f\xae\x00\x27\x1b\x01\xfd\x3a\xda\xc9\x79\xba\xca\x1f\x9c\x3b\xd6\xf0\x78\x42\x47\x20\xf7\x47\x59\x1e\xa8\xdc\x70\x94\xc6\x08\xb1\x47\x6d\x1e\x10\x51\xa5\x5b\xb1\xe5\x94\x10\xef\x9d\x8c\x29\xf0\x0a\x6a\x4d\x9b\x31\x03\xa8\xd2\xaa\x08\x7e\x91\x11\x6f\xb3\x63\x97\x58\xad\x6f\x93\xed\x07\x06\xbf\x99\x3e\xce\x70\xe8\xed\x75\xbe\xa2\x89\x70\x85\x9c\x72\x56\xf9\x72\xaf\x86\x2b\x45\xb4\x2b\xe1\x59\x57\xe2\x18\xfa\x65\x42\x4a\xaf\x13\xc2\xa8\x47\xce\x1d\x40\xda\xb5\x2e\xe7\x57\x66\x92\x45\x14\x0c\x43\x46\xc5\x81\xf2\xe9\xab\x2e\x72\xb6\x44\x28\x23\x72\x50\xe1\x42\x93\x51\x78\x45\x56\x8d\x20\xed\xb8\xb1\x03\x10\x6c\x48\x26\x62\x1b\x6b\xb0\x75\x6c\x1f\xac\xd8\x59\x50\x9f\x93\x31\xd0\xa1\xaa\xde\xe7\xad\xf1\x34\xd4\x63\x30\x98\x11\x22\x0e\x9b\xdd\xf1\xdc\x63\x02\xad\x89\xab\xab\x68\xe3\x2f\xd5\xf7\xc2\x7c\xa0\xb2\x17\xd8\xc2\xec\x34\x2a\x26\x05\xfe\x54\xee\xd4\x32\x1b\x34\xea\xf5\x4f\x8c\x21\x62\xd3\xbf\x5d\x7a\xce\x24\x29\xfb\xeb\x4c\xa1\x87\x06\x50\x26\xaa\x81\x4a\x98\x33\xb6\xee\x94\x3d\x1d\x33\x7d\xe2\xd9\xec\xda\xab\x2c\xf4\x63\x4c\x16\xa9\x15\xe6\xa9\x64\x8b\x36\x8d\x8d\xf8\xd6\xd2\xde\x47\x72\x11\x21\x4b\x3e\x8c\x29\x1f\x16\xed\x30\xea\x38\xff\x58\x1b\x81\x89\x9c\xd1\xc4\xa7\x4b\xb3\x38\xa6\x32\x20\x03\xc9\xfc\xbf\x16\xa0\xac\xf0\xc6\x7b\x97\xd8\x5d\x55\xa6\xb8\x1f\xb7\x53\x6d\x43\x4a\x0e\x49\x99\x29\xe0\xda\x0a\xe3\x18\x18\xda\x52\xcc\x25\x24\x18\x80\x26\x21\xcf\x28\xee\x5c\xd5\x55\xf1\x3d\x4a\x0f\x6c\x41\x60\xb9\x70\x16\x80\x9b\xa7\x5f\x30\x50\xc2\xef\x1d\x3f\x90\x04\x5e\x97\xf4\xea\x5d\x03\x73\x9a\x8c\x5a\xb3\x49\x2f\x5d\xd5\xb1\x67\xd8\xf5\x29\x49\x61\xf9\x42\x84\x7d\x95\x50\xf1\x1f\x73\xa8\xff\x1b\x8b\x28\x8d\x27\xa0\xfb\x75\x9d\x86\x54\x46\x91\xf9\xee\x3f\x9e\xe4\x8d\x0e\x57\x3f\x21\xcc\xef\x46\x10\x30\x28\x71\xc7\xae\xc5\x59\xad\xe8\x95\x11\xdd\x90\x75\x80\xf8\xf0\xd1\x19\xb8\x27\x4f\x65\x2f\x5e\x4c\x8a\x8d\x32\xf3\x0f\x24\x43\xeb\xf4\xd9\xbc\x12\x48\x61\x88\xc5\xaf\x74\xf9\x8d\x31\x54\x95\x38\x9f\x10\x30\xd4\x5d\xe4\x21\x9c\xaa\xea\xb0\x35\xbd\x51\x1a\xfe\xa1\x8c\x84\x48\xbf\x80\x54\xde\xbe\x9c\x74\x7e\x60\x43\x1d\x66\x01\x5c\x62\x57\x8a\x00\xdb\xdf\xc0\x6a\x5d\xd5\x27\xe3\x14\x13\xe8\xdf\x00\x42\x0c\x33\x2b\xb4\x16\xdb\x84\x20\x0c\xb7\xe1\x47\x08\xa1\x37\xb7\x54\x90\xd9\x5f\xfd\x69\x3c\x9b\xd2\x15\xcf\x71\xc3\xf8\xe2\xd1\xaa\xab\xff\x3d\xd6\x3c\xc2\x28\x0a\xb6\xea\x46\xa0\x39\x0e\x75\x35\x63\x50\x59\xd1\x28\xb5\xa9\x2f\x68\x67\x3a\x05\x8d\x96\x33\x03\xe7\xe5\x79\xcc\x16\x61\x9d\x78\xc6\xdb\x79\xe8\x26\x21\x52\x5a\xef\x9a\x8a\xf3\x0d\xf9\x11\x2c\xe2\xb6\x8d\x56\x8c\x39\xa8\x13\x8e\xbe\x5d\x0c\x3c\x26\x38\x02\x09\x5c\x3c\x4f\xe2\xa9\xba\x48\xd9\x7f\x6d\xf3\x11\x26\xb6\x4a\xbd\xb3\x7c\xf8\x06\xb4\x10\xaa\x9f\x32\xc8\xf2\x0a\xb1\x37\xe1\x2d\xa9\x9f\x8f\x06\x96\x07\x22\x4a\xc1\xcc\xf6\x10\xe3\x62\x12\x45\xf7\xcf\x01\x7f\x8b\xb1\xf5\xde\x00\xbe\xdd\x6a\x66\x81\x1b\x28\x6a\x87\x0a\x89\xc1\x13\x08\xa3\x5d\xfc\x58\xba\x24\x5e\x93\xc1\xd3\xa5\xff\x01\x0f\x8d\xe2\xaa\x44\x6a\x90\xd1\x53\xb3\xe6\xf8\xd0\x72\x5d\xab\x1e\xe4\x35\xba\xb2\x6a\x08\x42\xc5\x72\xd3\x88\xe2\xb6\x26\x57\xc1\x33\xe5\xca\x2d\x47\xfe\xc6\x55\x61\xab\x2a\x71\xc6\xd7\xfb\xdd\x24\xdb\xf0\x50\xf6\x88\x9d\x83\x22\x70\x94\x17\x80\x96\x99\x6d\x85\x66\x25\xdd\xcd\xbc\x23\x6c\x0b\x5e\xd2\x8e\x7c\xf7\x18\xb4\xf8\x05\x89\xd3\xde\xcc\xee\x9e\x70\x54\x36\xdd\xe6\x45\x5d\x8f\x0b\xea\x6f\xc4\xc3\x54\x4d\xf5\x5d\xfd\xa6\xd5\x2d\xeb\x92\x1c\x0b\xcd\x96\xf8\xa0\xc5\xdd\x8c\xe9\xd3\x8c\x00\x83\x7a\x56\x28\xa3\xb2\x52\x97\xcd\x3b\xaa\x14\x90\x54\x5b\x5c\xcb\x87\x1c\x36\xac\x1a\xac\x4c\x70\xb0\x5a\xa4\x59\x73\x4a\xa5\x23\xec\xf9\x47\x6d\x90\xe7\x19\xba\xa1\xe0\x3d\xe3\x49\x2c\x3b\xd1\x0e\xe0\x29\x0a\x6c\xba\xda\x72\x96\xb2\x6f\x46\x3b\xcb\x05\x1b\x53\xf0\x8e\x9a\x80\xc4\x71\x57\xcb\x49\xb7\xde\xd5\x02\x11\x21\xc0\x43\x15\xfe\xa9\xd4\x80\x0d\xd2\xd6\x23\xc9\x12\x34\xf9\xce\xc3\xa7\x87\xbc\x28\xf2\x73\xb0\x29\xcb\x66\xd5\xa0\x5d\x54\x63\x11\x61\x38\xfb\xc8\x75\x79\xa7\x1e\x0d\xbb\x29\x70\x38\x67\xfa\x8b\x69\x21\xb6\xfe\x65\xa7\xd1\x96\xe5\x14\xd8\xa8\xc2\x1e\xa8\x56\x66\xda\x05\xb7\x2c\x0b\x3d\xac\x14\x4f\xe9\x04\xd8\x18\x43\x1b\x5d\xc7\xa9\x0c\xc3\xe2\x52\x66\x7d\xe0\x4b\xc6\x1a\x19\xdc\xa5\x65\xf5\xa5\xc1\xf4\x21\x6c\x69\xcb\xb5\x9c\x71\xdb\x52\xe2\x8d\x85\xc1\x37\xd2\xc4\x86\x62\xd3\x18\x13\x04\x1b\x60\x65\x31\x39\xbd\xe9\xd2\xb5\xc4\x72\x68\x5b\xef\x17\x7c\x2f\xa2\xbd\x82\x56\xb3\x2a\xfd\x59\x8e\x4f\x82\x52\xc5\x7c\xd0\xc4\xea\x6f\x7d\xf7\x76\x31\xec\xf0\x0b\x0b\x6f\xae\x05\x82\xb3\xaf\x17\xa5\x77\xba\x6f\xda\xdb\x8c\x22\x74\xb6\x3c\x3a\x5c\xec\x2c\xf0\xf3\x02\xdf\xdc\xae\xb2\xa3\x8e\x32\x57\x37\x99\x80\x3b\x73\x68\x6f\x45\xab\x88\x5f\x43\xdf\x45\x61\x62\x4c\x34\x7a\xb1\x11\x55\x91\xae\xc4\x23\xb0\x9b\xfd\x69\x46\x17\x23\xde\x7b\x10\xf9\x18\x9d\xfe\xc9\xf0\xb2\xd3\xb6\x6c\xf8\xb1\xae\x59\xdb\x79\xfc\x26\x11\xa6\x55\x61\x65\xc3\xfd\xd1\x1e\x43\x80\x81\xf2\xe7\x47\x3d\x3c\x16\xae\x56\x76\x19\xe5\x8e\x4e\x4d\x24\x33\x74\x9b\x90\xee\xae\xe1\xf4\xe5\xf9\xe2\xac\xc3\x7c\x67\xbd\x22\xdd\x92\xb8\x56\xeb\xab\xf0\x4b\x09\x4b\x8a\x87\xd3\x86\xe4\x44\x46\xbd\x32\xcd\x75\xb6\xdc\x35\x24\x69\x90\x7d\xd3\x9a\xe2\xbd\x9c\x5f\x96\x5c\x3f\x17\xaf\x0b\x77\x85\xa5\xea\xf4\xfe\x48\x5d\x4c\x31\x16\xae\x77\xa7\x4a\xb1\x65\xea\xf4\xce\x8f\xd8\x63\x4a\xdf\xf3\x90\xbe\xe9\x1b\x5b\x30\x17\xea\x83\xc1\xb2\xff\xd7\xd0\x4d\xd0\xc4\xdb\x62\x5d\x6c\x4f\x99\xca\xdb\x2f\xc1\xdf\x1d\xf8\x77\xa6\xc5\xee\x05\x64\x33\x49\x4b\xcc\x7d\xf9\x2f\x02\x39\xaf\xa2\xfe\x75\xff\x14\x1b\x2e\x74\x97\x5f\xb8\x0c\xf9\x57\xc5\x17\x37\x50\x59\xa6\xa0\x95\xd4\xb8\xa9\x17\xb7\x1d\x52\x0a\x36\x03\x66\x2d\xde\x20\xde\x7c\x73\x97\x94\xb6\xcc\xdd\x18\xfd\x54\xc0\x5c\xcc\x81\x44\x71\x89\x9c\x4d\x62\x14\xd8\x80\x5b\xef\x7b\xa4\xa4\xde\x0e\x02\xe5\x67\x5d\x5f\x80\x65\xcc\xb2\x24\x2d\x51\xeb\xa5\xcf\xe8\xef\x3c\xd7\x0b\x53\x2f\x9a\x0b\xc2\x2d\x9b\x64\x19\x3c\x79\xb6\xce\x46\x88\x90\xe6\xfc\x7f\x69\xae\x0c\xbd\x8e\x3a\x42\xae\x06\xfd\xa9\x8b\xfc\x7e\x04\x17\x16\x95\x9e\x5a\xee\x95\x11\x46\x43\xa3\x08\xc4\x33\xe4\x02\x91\xc5\x32\xff\xfe\xa7\xc8\x8d\xe8\xe5\x36\x11\x9a\xda\x3c\x52\x89\xc9\xc5\x7d\x1d\x47\xfa\x06\x26\xbe\xf3\x27\xfa\x8c\x19\x56\x76\x06\x64\xf9\x6a\x38\x53\x8a\x81\x88\x37\xe9\xc8\xa6\x6a\xcf\xa4\x2e\x01\xd5\x9f\xe3\x9a\x9c\x72\x61\xa7\x7d\xff\x5a\xc5\x09\x20\x5a\x25\xf7\xc7\xd5\x6b\x27\x5f\x65\x10\x7c\x3a\x4f\xd2\x6e\x8e\xdc\x67\x7e\xb9\xa4\xc9\x20\x80\x51\xe5\x21\xfb\x7c\x93\x2b\xdf\x60\xfd\x69\xd1\x0c\x92\xf9\xbe\x09\x2b\xd6\xee\xc6\x8d\x05\x97\x2f\x82\x00\x58\xc5\x31\xd1\x20\x68\xe4\x97\x5c\xcb\x0d\x4f\x03\xf8\x89\x37\xdc\x17\x89\x98\xa7\xd6\x8d\x43\x30\x79\xf5\x1d\xa4\x23\x9a\x5f\x5f\xd4\xa5\x63\xfe\x6a\x73\x82\x45\xfb\xca\x5e\x6b\x0b\xd8\x8a\xbb\xd6\xeb\x9f\xd8\x09\x31\x03\x6b\x02\x34\xcf\x66\x7a\x53\x40\xec\x16\x67\xc5\x78\x2d\xe6\x75\xab\x47\x86\x20\x18\xd9\x4a\xe8\xb7\xde\x93\x20\xd3\x81\xcb\x84\x3b\x1a\x88\x5d\xda\xf3\x1c\x35\x76\xf2\xce\xbb\x6a\xb9\x57\x6c\x33\x4d\x3d\x40\x1f\xa6\x16\x32\xdb\xa1\xe6\xcc\xec\x91\x5c\x45\x00\xf8\x6a\xc2\x89\xa1\xde\x65\x49\xf7\xea\x27\x6f\x9f\xf9\x00\x89\x68\xab\x31\xa7\xa6\x48\xec\xd6\xf3\x6e\xd1\x85\xaf\xb3\xe9\xb3\x4c\x92\x28\xe2\xd7\x26\x94\x4c\x33\x22\x7a\x9e\x3d\x77\xe4\xd5\xbe\x8b\xd8\x50\xf3\x10\xdd\xa0\xfb\xc3\x0a\xff\x3f\x5b\xf2\xf1\xea\x3e\xed\x0c\xe2\xff\x15\xa7\xc3\x13\xcd\x87\xa7\x9a\xdd\x3e\x29\x0c\x2e\xcd\x76\x4c\x45\x55\x20\xd5\x81\xe3\xaf\x9e\xbe\x2c\x56\xd1\xde\xef\xaf\xa8\x73\x1b\xfb\x49\x06\xb7\x4d\x13\xf2\x71\x20\x48\xb4\x1a\x51\x58\xcf\x3c\xdb\x81\x5c\xd8\xd6\x3c\x90\x12\x46\x86\xdf\xb5\x67\x34\x83\x4e\x15\x53\x4f\x2b\x8b\x7e\xe2\xb2\x24\xea\xf7\x95\x15\x02\x1d\xe3\x15\x61\x91\x67\x7c\xa7\xfb\x47\x67\x42\x92\xf4\xed\xed\x88\x7f\x3a\x63\xba\xaf\x56\x4e\x35\x8e\xe2\xdf\xdf\x12\x73\xb3\x73\xc3\xaa\xb4\x99\xf4\xbc\x54\x8e\xde\x75\x12\xb5\xe2\x2c\xbe\xd7\x61\x8b\x23\xbc\x64\xb4\x6c\x8e\x6f\xba\x9b\xfe\xaa\x96\x3b\x33\x5d\xe5\x8d\x0d\x8b\x66\x32\x4b\xa8\xf5\x92\x52\x9d\x12\x09\x4d\x22\x66\x81\x92\x96\xd3\x95\xe7\xb3\xb0\xb2\xe7\x15\xe7\xed\x73\xfa\x8e\x2a\x1e\x15\x11\x59\xed\x41\xec\xf7\x54\xf7\x3c\xf8\x21\x68\xdf\x08\x14\xaa\x0c\x6f\xd8\xb9\x98\x8d\x20\x8f\x66\xba\xdb\xb9\x0a\x54\xb7\xa9\xb3\x11\x83\x9c\xd6\xcb\xbf\x09\x28\x01\x37\x67\x7a\x98\x4d\xdf\x87\x95\x1a\x47\x13\xcd\xf7\xf4\x94\xfb\x54\xe5\x37\xd8\xf1\x62\x8d\x79\x4e\xef\x29\xed\x26\xe3\x13\x21\xac\x41\xb9\x37\x3d\xc1\xcd\x85\xe4\x82\xd7\xe7\xbd\x56\xba\xef\xbd\xa3\xe2\x05\xc2\xd4\x85\x51\x26\xda\xbd\x2e\x24\x44\x62\x14\xa6\x33\xeb\x31\x1c\xc4\x87\xb8\x63\xf1\x11\x59\x63\xa4\x21\xaf\xa6\x1a\xe4\x88\x32\xeb\xed\x5e\xae\xcd\xae\x72\xd2\x7d\xe0\xce\x76\x17\x36\xe1\xa7\x1b\xcc\xfd\x36\x1c\x2c\x9d\xfc\xe6\x19\x60\x9e\xbc\xa1\xa0\xd4\xd8\x63\x75\x46\x89\x1d\xf3\x8f\x25\x97\xea\xa1\x00\x7d\xb2\xd3\xf2\x0e\xf9\xa6\x56\x0c\x71\x63\xed\x1a\xe4\xb5\x5d\xea\x61\xc3\x1f\xbf\xd2\x88\x84\x60\x50\x6d\xbb\x7a\xf2\x6c\x17\x8c\xca\x34\xea\xd9\xde\x4f\x0b\x71\xa0\xf2\x16\xdf\x95\x8f\xe4\xf3\x85\xe2\xc5\x90\x8a\x5a\x55\xfd\xc0\x32\x2e\x2d\x97\x93\xf8\x8f\xb6\xad\x76\x6f\xfe\x8e\x17\xb6\x44\x96\x4b\x27\x49\xe5\x64\xab\xfe\x28\x69\x24\x16\xc6\x61\xa8\xce\x57\x0b\xaf\x46\x4d\x47\xa0\xf1\x28\x88\x88\x94\x9e\xe8\x0b\x4a\x62\x60\xd0\xc6\xb4\xf7\x54\x7f\xe0\x1d\xdc\x10\xda\xda\xed\x67\xf3\x9b\xe2\xa7\xa6\xf1\x21\xcf\xcc\xe4\x90\x29\xbc\xca\x23\xf7\xe4\x98\x54\x11\xb8\x16\xfb\x9b\x6b\xce\xab\x0c\xd1\x35\xcf\x71\xa7\xeb\x10\xc9\x71\x46\xb3\xf3\x42\xaa\xba\xfa\xac\x9c\x2c\x69\x0d\xcd\xfa\x46\xfc\x4d\x28\x86\x23\xce\x1d\x13\x85\xdd\xed\x99\x71\x5f\x35\x1f\x39\xb5\x8e\x0a\x75\x61\xce\x85\xda\x8e\x85\xee\xd6\xca\x8d\x4e\xeb\x9a\xa2\xbc\xb7\xcc\x77\x71\x6c\xaf\x84\x39\x3b\x3a\xcb\xb6\xfb\xd9\x3d\x5e\x26\x6f\x62\xd2\x34\x6d\x58\x86\xc3\xc5\x8e\xbd\x6f\x71\xda\x40\xe1\xe6\x77\xbe\xef\x21\x5b\x19\xa9\xdf\xe5\x2e\x08\x62\xd0\x6f\x28\x7c\x72\x40\xb4\x70\x95\x4c\xc0\x05\x71\xdc\x40\xc2\xd6\xfe\x95\x82\x91\xcd\x26\xfc\x28\xea\x60\x13\x95\x8d\x00\xb0\xa7\xf0\x19\x10\x33\xb2\x44\xa9\xcd\x14\x6b\xbe\x14\x49\x2e\x47\x99\xe9\xa2\x0a\x27\x69\xf0\x96\x91\x51\x55\x59\x4a\x63\xe3\xa5\x37\x43\xb0\x6e\x44\x72\x3d\x7f\x40\xf4\x56\x47\x31\x4a\x7b\xa9\x59\x20\x1d\x2a\x1d\x6b\x45\xf6\x5a\x49\x39\x83\x38\xaf\xc8\x20\xc7\x65\xad\x7f\xb7\x59\xa4\xa8\x40\x88\xe0\xca\xbe\x22\x09\xf7\xfc\x39\xe5\xe5\xdc\x17\x72\x13\xfb\xc1\x2c\x8f\x1f\xa8\x28\x40\x1b\x10\xe3\x94\x89\x6a\x80\x95\x76\xec\x11\x8a\xd7\x15\x04\x8c\x7f\x2f\x5a\x33\x17\xdb\xd2\xb2\x5d\x75\x95\xf6\xa1\xa1\x33\x1f\x97\x8d\x31\x3f\x64\x92\xbf\x81\xe7\xb7\x86\x8e\xd9\x84\xc4\x00\x71\xd2\x08\x54\x03\xa8\x3b\x98\x94\x81\x61\x49\xc6\x1b\xaf\xdb\x55\x3c\x31\x30\x3d\xf5\xcd\x1e\x6a\x0e\x28\xd8\x1a\x10\xd9\x43\x09\x46\xb3\x29\x72\x51\x22\xb1\x5a\x45\xf8\xff\xcc\xc5\xb6\x66\x32\xef\x9b\x3e\x62\x91\xb8\x80\x7d\x7c\x2e\xcf\x36\x1f\x9c\x33\xb2\x2e\xc1\xb4\xe9\xb1\xc1\x5d\x5b\x7f\x69\xd7\xe6\x3a\xfe\x29\xa9\x18\x02\xaf\x6c\x5b\x40\xc6\x09\x19\x70\x63\xce\xa2\xd2\xeb\x67\x92\x44\xad\xcd\x98\x1b\x71\x9f\xb9\x91\x23\x1a\x18\x10\x2b\xf4\xf3\xc3\x1d\x3a\xf4\xbe\x37\x56\x8b\x8e\x82\xc3\x3c\xa8\xe4\x38\xd9\xdc\x07\x6f\xe1\x7f\xf2\x1b\x9f\x92\x4c\x8d\x8a\x60\x65\x29\x41\x04\x6f\x08\x5d\x86\x1d\x33\x8d\x37\x6f\xba\xe9\x1f\x85\x46\x0c\x1b\x13\xe3\x8b\xfc\x5b\x72\xcf\x19\xed\x32\xd3\x4b\xf8\x5b\x2c\x13\x2c\x23\xc4\xc2\x51\x67\xbe\x36\x53\x68\xee\x0c\xb3\x81\x8a\x85\x6d\x51\x40\xde\x04\xf9\xae\x44\x5a\xbc\x2a\x3a\x96\xc2\x30\x23\xbe\xc3\x2b\x22\xe3\xb3\xee\xd7\x0c\x25\xaf\x8c\x1b\xc5\xfd\xd6\x73\x1f\xe4\xbf\x7d\x56\xa8\x1a\x3f\x22\x6a\x0e\x94\x42\x2d\xa5\xca\x31\xa6\xf3\x89\xf7\xf3\xc1\xbc\x3f\x87\x05\xde\x1d\xc0\xf6\x56\x55\x2a\xf4\x68\x4f\x3e\xc2\x35\xd5\x26\xcb\x64\xf1\x9a\x5a\x91\xe8\xa2\x91\x47\xe3\xf7\xe1\x31\x10\x7a\x13\x03\x5b\x36\x5a\x0d\x40\x18\xd0\xba\x85\x5d\xa9\x0b\x7f\xc0\x01\xfa\x12\xd6\x2a\x43\x52\x2f\x1c\x45\xa9\x3e\xde\x4c\x10\x84\xdb\xb1\x01\x9e\xbd\x46\x4b\x33\xc7\x88\xf1\x24\x68\x3f\x99\xa8\x66\x50\x26\xf5\xd8\x7b\xae\x95\x4e\xee\xc7\x68\x4c\x63\x1d\xe3\x88\x26\xaf\xcd\xe6\x1f\xc3\xf2\x38\x2e\x60\x7a\x78\xa5\x83\x07\x57\x61\xf5\xdd\xf4\x12\x33\xa7\x27\xa1\x5f\x75\x83\x1e\x72\x06\xb3\xb2\xe8\xab\xc0\x3a\x8e\xa7\xa3\x43\x70\x91\xc5\x59\x38\xbf\x16\xe5\x43\x5f\x48\x3f\xd9\xa3\x4e\xd8\x79\xdf\x65\x20\x09\xfc\xfc\x3b\xa6\x0a\x28\x7b\x2d\xf7\x7f\xe1\x36\xdc\x6d\x1c\x9d\xc2\x4b\xef\xf5\x6e\x88\x8e\x54\x97\xfb\x91\xa7\x33\xd5\x8b\xca\x73\x95\x21\xf7\xf1\xaf\xa4\xf9\x4a\xc1\xea\x3b\xc8\xd2\xcc\xe1\x68\x9e\xb3\xa3\x9b\x9b\xb8\x1f\x96\xe9\xac\x19\x64\x6c\x58\xa4\xeb\x72\xd4\x7f\x65\x3b\x4a\x28\xb4\xc2\xb4\x34\x09\x47\x22\x6f\x08\x54\xc4\x5f\x76\x6c\x1a\xe6\x5d\x63\x00\x71\xac\xf0\x4b\x89\x9d\x14\x67\xb4\x60\x57\xc3\x35\x76\x9c\x4d\xd2\x30\x77\xfa\x6b\x08\xa7\xcd\x44\xcb\x3f\xad\xaf\xfa\xd3\x34\xf0\x30\x09\x81\x58\xdf\x1e\xc8\x9d\xd7\x7f\x36\xa9\x5a\xb5\x8c\x08\x0f\x86\x01\xd9\x39\xbb\x2e\x14\x3e\xca\xe4\x78\xc0\xae\x46\xa7\x97\xe8\x81\x21\x84\x4d\x81\x29\x6d\x09\x42\x1f\x25\xe2\x7a\xbb\x3e\x35\x7f\xed\x43\xa4\x73\x3e\x33\xdd\x21\xd9\x0a\xb4\xaf\x3f\x77\xb3\x41\xc3\x5e\xa8\xd7\x22\x2f\x49\xdc\x24\xe9\x2e\xe2\x6f\x28\xb2\x12\x7f\xcc\xbf\xdd\x63\xe1\xfe\x24\x15\x90\x10\xa2\x3c\x88\x52\x92\xb5\x5c\x4b\x61\xa7\xa9\x06\x66\x64\x55\x59\x82\xe6\x57\x74\x4f\xe4\x28\x6c\xe5\xa1\x83\xea\x22\xcc\x46\x27\x21\xbf\x9e\x61\xfc\x78\xd5\xf2\xc8\x14\x04\x13\x31\xf0\x9a\x01\xa9\x58\xe2\xb6\x4c\x5a\x08\x26\xa5\x53\xa8\xb9\x94\xd6\x6d\xbe\x89\xfa\xa6\x40\x3b\xbe\x70\xad\xb3\x82\x3a\x1b\x55\x27\x6f\x08\x9b\x4b\x38\x57\xf0\xa4\xdb\x9e\x89\x15\xba\x0f\xea\x98\xb8\x81\x17\x75\xca\x4b\x95\x08\x89\x4d\xd7\x8d\x80\xa2\x0a\x9a\x9f\x89\x05\x4b\xab\xb1\xfa\xe3\x04\x50\x9c\x15\x84\xd4\x44\xa8\xae\xd1\xf5\x42\x6c\x78\x01\x0c\x8e\x8e\x9a\xd1\x7b\x89\x4f\xa5\xe3\xb8\xd6\xcf\x8a\x9a\x23\x1f\xd5\x96\x70\x94\xc7\x8c\x7b\x88\xf8\xc7\x04\x0b\x09\x84\xdf\xe8\x78\xbb\x29\x58\xca\x39\x91\xed\x8e\xff\xcc\xe2\x34\x8b\xc6\xab\x93\x75\xe0\xf8\xc1\x95\x43\x62\xcb\x3e\x69\x7a\xe0\x1c\xab\xb0\x66\x55\x81\x2c\xea\xb2\xea\xc9\x38\x3e\x04\xef\xc1\xd6\x0b\xec\x2f\x18\x8f\xae\xcf\x37\x3a\xe8\x12\xae\xda\x6e\x7c\xfb\x74\x07\xf3\x22\xc1\x33\x35\x89\x33\x4b\xcd\x72\x04\xee\x02\xad\x89\x67\x8f\xc2\x99\x71\x7c\xc1\x31\x7e\xb5\x31\x12\xd9\x51\x59\xc3\x8d\x92\xd0\x1a\x13\xbe\xee\x3e\x3c\xe6\x4a\x95\x00\xe6\x94\xd2\x53\xb7\x57\x5d\x37\xd2\xed\x59\x96\x80\x9b\x02\xc1\xc4\xa4\x85\xd4\xc0\xda\x6e\x84\x5e\xca\x35\x55\x93\xcf\x18\x46\x27\xdd\xfb\xa4\xdf\x25\x19\xbe\xed\x80\xc2\xc7\x3f\x89\xc8\x11\xa4\x46\xd3\x2f\xe2\x2f\xd5\x73\x3a\xc7\x7c\x87\x0f\x9c\x1e\x03\x73\x4b\xc4\x43\x16\xd1\xa3\x90\x76\x4c\x4f\xfd\x4f\x10\x68\x11\xcf\x57\xc9\xf6\x57\x8d\x87\x34\xd5\xf4\x9d\x91\x3c\xfb\xf2\xa8\x3b\x24\x83\x54\x1e\x6f\x91\x36\xd6\xbf\x7b\xae\xe8\x77\x02\xe4\xb1\xcb\xba\xf7\xdf\x3f\xf6\xa7\x3e\xff\x01\x3c\x28\x90\x08\xd2\xaf\x88\x16\xc3\x57\x7e\x84\x09\x59\x0a\xde\xe6\xa1\x74\x60\x0a\xa5\x16\x65\x96\xb4\xf6\x8d\x61\x43\x6b\x85\xc5\x49\xe2\x03\xcc\xde\xd5\x65\x48\x86\x2c\x5f\xc4\xf3\x82\x59\x27\xd6\x3a\x18\x31\x4f\x8d\x2f\xb1\x1e\x67\xf5\x45\x34\x0c\xbe\xf8\x24\x7f\x73\x73\xc2\x02\x8b\xb4\x05\x2b\xb4\xf7\x98\x04\x98\x47\x2d\x38\xaf\xb1\xe0\x0d\x60\xa8\x00\x96\xcd\xf0\x05\x92\x6c\xb1\x85\x60\x81\x0a\xe5\x76\x66\x7d\xaf\xc0\x67\x8d\x72\xe2\x39\x2e\x1e\x02\x63\x35\xf7\x83\x05\x68\x85\x57\x60\x70\xf0\xb3\x6a\x8c\x34\x41\x39\x22\x5f\x53\x32\xfc\x49\xc1\xe4\x58\xde\xa3\x66\xff\xeb\x2c\xf1\x2d\xe9\x67\xb5\x56\xa1\x38\x80\xca\x41\x14\x0d\x7e\x79\xfb\x56\x41\xf6\x44\x91\xc8\x79\x33\x19\xa2\x62\x7f\xa4\x40\x0a\x42\x0e\x90\xfa\x69\xa1\x59\x4c\xb6\x47\x49\x07\xc9\xa4\xac\xf6\x22\xf9\xf0\xc4\xb7\xc5\xa0\xee\xc0\x93\xb6\x71\x5e\xdd\x0c\x97\xb2\xd9\xa7\x56\x06\x01\x21\x8e\x77\x78\x4c\x97\xdd\xb1\xa4\x57\xd1\xf6\xbf\x85\x1f\x3b\xf2\x62\x3d\x2f\x0b\x1f\xf7\xc1\xe4\xb8\x5d\xba\x90\x0a\x37\x9d\x58\x46\xe7\x83\x96\x4a\x08\xb0\x16\xaf\x92\xcf\xe5\x9b\xfd\x26\xc3\x1d\x85\x93\x9f\x60\xd3\xd6\x6f\xfa\xb1\x8b\xaf\x13\xea\x47\x86\x71\x0b\x00\xbe\x25\xaf\x31\x4d\xef\x3c\xc0\x99\x61\x96\xba\x40\x35\x3d\x0c\x47\x70\x2d\x03\x3d\x46\x61\x58\xcd\x17\x73\xdd\xef\x96\x5d\xb9\xdf\x67\xfe\x1c\xf8\xb1\xdb\x86\xc3\xe2\x4a\x71\x34\x02\xba\x7d\x79\x19\x79\xb4\x6d\xca\x1a\xc2\xdf\xeb\xc3\x0f\x1a\x43\xa0\xfc\x30\x81\xe8\xaa\x7c\x00\x04\x08\x3a\x4b\x03\x2c\x35\x3e\x70\x2a\x94\x7c\x80\x1a\x65\x79\x89\x6c\x8a\x8f\xc5\x5e\xdf\x38\xd8\x18\x31\xc7\x03\xd0\xc8\x2d\xeb\xe5\x98\xc0\xbd\x2f\x99\xde\x66\x50\x21\x06\x34\x16\x36\xca\x9e\xbc\x1a\x3e\x0b\x03\x98\x51\xca\xee\xce\x0b\xc9\x6c\x9e\x3e\xef\x1c\xb3\x03\xf4\x54\xe4\x6e\x30\xe6\x50\x01\x7c\xfc\x20\x2d\x53\x69\xd2\x3c\x6a\x4b\x85\xeb\x3a\x66\x4e\x2b\x95\xcb\x71\xb2\x0e\x31\x11\x3d\x83\xd1\x30\x1c\xe5\x27\xc4\x0a\x39\x48\x5a\xdd\x09\xfb\x4b\x49\x87\x45\x58\x70\x09\xd4\x52\xa5\xb0\x9b\xc3\x57\x2d\xb3\xbf\x3b\x28\x5a\xb9\x78\xeb\xaf\x4a\x3a\xf0\x73\x32\x3f\x59\x92\xbb\x63\x0b\xf4\xfb\xcc\xd1\xc1\x8e\xd5\x54\x4c\x55\xb3\xd1\xa3\xe2\x6e\x05\xdb\x7c\x7e\x60\xa5\x70\x17\x0c\xd0\xef\x9f\x77\xa4\x74\x2c\x6e\x2c\x08\xf3\xf2\xf8\xcd\x66\xdd\x5a\xe6\x0b\x19\xb5\xfe\xfb\xd7\x2d\x5e\x57\x14\x9c\x76\x0b\x74\xac\x80\x5e\x57\x4d\x8f\xf1\x2a\x8c\x12\xce\xbc\x72\xe1\x3c\x0e\xbe\x3f\x39\x38\x0a\x93\xf2\x9b\xc7\xfb\x5e\x28\x94\x8f\x9e\xe2\xac\x05\x6f\xb4\xc0\x37\x8f\x9d\x41\x51\x73\xf9\x61\xbb\x79\x1a\xb5\xdd\xfd\xd2\xed\x71\x68\x02\x87\x66\x98\xc7\xa9\x55\x3a\x5f\xce\x4b\xf1\x61\x0e\xad\x50\xb1\x99\xe0\x2c\xcb\xd2\x6e\x00\x02\x45\x64\x47\x7c\x55\x4a\x5f\xf5\x0e\xe5\x0b\x97\x9d\x0c\xb4\x20\x2b\xa6\x03\x46\x1d\x34\x26\xf0\x6f\x4d\x00\xd4\xab\x84\x2d\xc5\x2c\x3b\xb6\x3e\x11\x7e\x1c\xc9\xbf\x09\xc4\x06\xc1\x86\xd3\xa4\x10\x9a\xd7\xed\xa0\xfc\xc1\x64\x9c\x54\x7b\x3b\x20\xeb\xe2\x6e\x2d\x81\x80\xae\x5e\x4f\x48\xa2\xe7\xfa\x45\x52\xc8\xd8\x31\x65\xc3\xea\x74\x16\x43\x28\x95\x43\xec\x56\x87\x7c\x56\x18\x77\x75\xc6\x7d\x9c\x17\x2b\x5b\x9e\x7c\x83\x8e\x19\x55\x62\xb2\xf5\x0b\xb0\x86\xef\x49\x5a\x9c\x27\xf0\x7f\xfb\xf1\xf9\xb6\xf0\x5e\x47\x6f\xec\x2d\x96\x9a\x88\xff\xf5\xd3\x6d\x2e\xe6\x73\x23\x0d\x79\x94\x57\x98\xc2\x61\x9d\x4b\x0f\x5e\x27\x32\xc5\xa9\xad\x3a\xbc\xb9\xc6\x11\x98\x67\x68\x2b\xf2\x0f\x1b\xc9\x87\xa9\x69\x2b\x43\xea\xf1\x98\xe4\xc0\x0b\x05\xfc\xf9\xbb\xd6\xd0\x61\x33\x53\xbc\x19\x04\x51\x55\x16\xd3\xaf\x2d\x1c\xef\x4f\xfe\xc7\x91\xd9\xfd\xf2\x77\x9d\xf4\xc9\x14\xcb\x8f\xf4\x0e\xe2\xe1\xbe\xdf\x97\x4e\xf9\x5b\x97\x3f\x9a\x5b\x35\xb5\x61\x5e\xd6\x07\x98\xc2\x8f\x4f\x8a\xb0\x8e\x88\x81\x01\x5b\xaf\x88\xf9\x72\x99\x85\xce\x05\x6b\xad\xbd\x88\xb1\xfa\x6f\x44\x0a\xf1\xcf\x1e\x38\x12\x43\x9b\x04\x40\x8c\xc5\x9f\x4a\x6d\xbe\x3c\xe4\xa4\x43\xc4\x76\x04\x0a\xd0\x18\xdd\x82\x8a\x0a\xff\x7f\x97\x24\x72\x08\x7e\x4d\xc5\xfd\xe2\x32\xf6\x55\x78\x1d\xfc\x42\x2c\xe4\x02\xa9\xc0\x36\x43\x6f\x7e\x20\x11\x9e\xdf\x27\xec\x00\xed\x99\xdb\xc5\xa6\xd0\x9d\x6b\xfd\xd3\xa6\x0a\xed\x38\xed\x14\xa7\x81\x20\xd3\x5e\x84\x8f\xdc\x01\x2e\xf1\xd5\x59\xae\x04\xe6\xc4\xdc\xca\xbd\xd7\x9e\x5d\x4c\x8d\xab\x90\x1b\x58\x31\x69\x66\xa2\x15\xd4\x58\x07\x24\x6d\x7b\x62\xaa\xee\x76\x0c\xfc\x5d\x90\x7b\xd4\xee\x2c\xd7\x49\xb8\x6d\x5b\x67\x9c\x40\x96\x68\xd7\xf3\x4a\x7a\xbf\xa8\x95\x34\x9f\xb9\xd9\xeb\x47\x65\xc9\xd3\x9f\x20\x1c\x40\x7b\x0d\x5a\x89\xb3\xe6\x82\x16\x96\xd0\x0d\xe3\xb1\xef\x71\x4a\x7f\x25\x9d\xd9\x4e\x1a\xc7\x07\x42\x1e\x4b\xa4\xfb\x34\x5f\xb5\x71\xa7\x85\x1b\x9b\x24\xc7\xee\x58\x5d\xe4\x10\x7a\xde\xa3\x28\xe9\xc0\x11\x8c\x9c\xe6\x26\x52\xa6\x49\x40\xd6\x38\x19\xa7\x0b\x72\x6e\x88\x51\xd5\xeb\x67\x3e\x98\xd3\x3b\xb3\xc6\xca\x62\xbe\x55\x51\xcf\xd4\xff\xa0\xe9\x35\x95\xca\x43\x87\x7c\xd8\x89\x0e\xe0\x0d\x0e\x10\x91\x43\xb2\xeb\x0c\x14\xd5\x41\xeb\x9a\xd1\x1c\xc0\x8b\x91\x19\x4f\x51\x5a\x44\x79\xc4\xcf\x33\x3c\x09\x85\x38\x42\xcd\xd7\x54\x14\xe7\xb7\xd6\x88\x91\x42\xc2\x99\x9d\xc0\xe8\x98\x6b\x6a\x3a\xc6\xe0\xb3\xc0\x30\xc9\x43\xe9\x85\xfe\xca\x92\x7d\xc9\x53\x16\x70\xa2\x3d\xc9\x11\x72\xac\x8d\x77\x9d\x9a\xce\xc6\xa7\x97\x14\xd0\xa0\xb1\x61\x1b\x23\x60\x37\x97\xe2\x22\x8c\x8d\xb7\x70\x6b\x38\xb0\x08\xa8\x32\x37\xf2\x8e\xd4\xf4\x56\x12\xdd\x9e\x68\x5c\xcc\x22\x79\xc8\x62\xce\x2c\xd7\x4e\x33\x26\xab\xd9\xdb\x1a\x8e\xf7\x11\x8c\xfc\x82\xdb\x16\x09\xbe\xc2\x2d\xd0\x50\x2a\x4d\xc3\x2c\x26\x9b\xdd\xe8\x4a\x9e\xe5\xb1\x7a\xdb\x45\xc0\x12\x70\x6e\x66\x04\x7d\xc3\x60\x5d\xa9\xf1\x69\xe2\x0c\x73\xc7\xf7\x64\x72\x01\x29\xac\x00\xb2\xae\xfb\x69\x81\x2d\x72\xff\x64\xd5\x87\x4f\xce\x5a\xca\x4d\xf6\x8b\x78\xe7\xcc\xec\xb3\x5a\xa7\x6b\x5e\x76\x7a\xe3\x94\xb4\x1b\xef\xf8\x6d\x10\x70\xb2\x11\x57\xcf\x34\x35\x9a\x16\x7b\x7d\xea\x68\xab\xdd\x22\x48\x78\xce\x3d\x38\x18\x35\x8b\x92\xa5\x2e\x4f\x31\x3b\xa3\xdf\xb8\xd9\x7d\x87\xdc\xfb\x39\xff\x43\x8b\xda\xcd\x7a\x8a\x4f\x8c\x79\xd2\x45\xe4\xb1\x6f\x42\x63\x4d\x5c\xb6\x3d\x61\x2b\xa9\xf0\x19\xb6\xc0\x6c\xbe\x52\x23\xf2\x4c\x44\xd2\xe1\x6d\x8e\xe4\xfe\xcb\xfd\x94\x1b\x24\x8b\xb6\xeb\x63\xe0\x13\x6d\xc8\x2b\x9d\xf7\x4e\xff\x1e\xbf\x9f\x04\x2d\xc9\x16\x6a\x64\x4e\xb8\x4b\x44\x45\x35\x87\xc4\x05\x16\x4f\x22\x1b\xdc\x4f\xfb\x51\xc2\x6d\x1c\xd1\x82\x8f\x69\xed\xfe\xba\xdb\xaf\xd5\xe0\x3d\x26\xbb\x6d\xce\xf5\xd4\xc6\xc7\xcf\x51\x2e\x75\x76\x09\xc9\xe5\x2a\xbc\x42\xf2\x0d\x6b\x18\xc8\x1b\x5b\xec\x2d\x5a\xaf\x54\x6f\x1e\xda\xec\x29\x1a\x7a\x18\x28\x54\x99\x11\x5d\xfd\x75\x31\x9e\x9b\x61\x02\x03\x0a\xab\x5c\x09\x95\xf6\xfa\xea\x2f\x29\xfa\x41\xe7\xd5\x82\x8b\xfa\x59\xfb\xfb\x18\x1f\x96\x00\x4a\x67\x33\x6f\x98\xba\x0b\xad\xd7\x2d\xbe\xd7\x31\x9f\x96\xc1\xbf\x8f\xd4\x3d\x1c\x0b\xdf\x65\xcf\x24\x42\x47\x58\x6b\xf9\xf4\xcb\x31\x05\xb8\xc3\x03\x88\xd6\x78\x48\xc1\xa2\x86\x7f\xb4\x16\xe4\xd5\x4b\x30\xf4\xb2\x58\xcf\x60\x5a\xeb\x72\xb9\xed\x04\xd3\xee\x73\x02\xc2\xe2\xb3\x3c\x4a\xfe\x3f\x88\xf3\xdc\x97\xc1\xcb\x1b\x0e\xa8\x3c\xfe\x5d\x14\xec\x93\x51\x03\x59\xa3\x24\xb5\x4a\x53\xc7\x4a\xcd\xf9\x19\x1f\x86\x84\xec\x2f\x43\xec\x6a\xcc\x0b\x67\x2b\x3b\xb5\x13\x21\x72\xa6\x87\x94\x41", 8192); *(uint64_t*)0x200000005c40 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x50; *(uint32_t*)0x200000002c44 = 0; *(uint64_t*)0x200000002c48 = 3; *(uint32_t*)0x200000002c50 = 7; *(uint32_t*)0x200000002c54 = 0x2d; *(uint32_t*)0x200000002c58 = 9; *(uint32_t*)0x200000002c5c = 0xa; *(uint16_t*)0x200000002c60 = 6; *(uint16_t*)0x200000002c62 = 0; *(uint32_t*)0x200000002c64 = 9; *(uint32_t*)0x200000002c68 = 0x57b; *(uint16_t*)0x200000002c6c = 0; *(uint16_t*)0x200000002c6e = 0; *(uint32_t*)0x200000002c70 = 2; *(uint32_t*)0x200000002c74 = 7; memset((void*)0x200000002c78, 0, 24); *(uint64_t*)0x200000005c48 = 0x200000002cc0; *(uint32_t*)0x200000002cc0 = 0x18; *(uint32_t*)0x200000002cc4 = 0; *(uint64_t*)0x200000002cc8 = 8; *(uint64_t*)0x200000002cd0 = 6; *(uint64_t*)0x200000005c50 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0x18; *(uint32_t*)0x200000002d04 = 0; *(uint64_t*)0x200000002d08 = 0xa; *(uint64_t*)0x200000002d10 = 1; *(uint64_t*)0x200000005c58 = 0x200000002d40; *(uint32_t*)0x200000002d40 = 0x18; *(uint32_t*)0x200000002d44 = 0; *(uint64_t*)0x200000002d48 = -1; *(uint32_t*)0x200000002d50 = 6; *(uint32_t*)0x200000002d54 = 0; *(uint64_t*)0x200000005c60 = 0x200000002d80; *(uint32_t*)0x200000002d80 = 0x18; *(uint32_t*)0x200000002d84 = 0; *(uint64_t*)0x200000002d88 = 0x80000001; *(uint32_t*)0x200000002d90 = 3; *(uint32_t*)0x200000002d94 = 0; *(uint64_t*)0x200000005c68 = 0x200000002dc0; *(uint32_t*)0x200000002dc0 = 0x28; *(uint32_t*)0x200000002dc4 = 0xfffffffe; *(uint64_t*)0x200000002dc8 = 6; *(uint64_t*)0x200000002dd0 = 9; *(uint64_t*)0x200000002dd8 = 1; *(uint32_t*)0x200000002de0 = 2; *(uint32_t*)0x200000002de4 = r[5]; *(uint64_t*)0x200000005c70 = 0x200000002e00; *(uint32_t*)0x200000002e00 = 0x60; *(uint32_t*)0x200000002e04 = 0xffffffda; *(uint64_t*)0x200000002e08 = 0xfff; *(uint64_t*)0x200000002e10 = 5; *(uint64_t*)0x200000002e18 = 0; *(uint64_t*)0x200000002e20 = 3; *(uint64_t*)0x200000002e28 = 1; *(uint64_t*)0x200000002e30 = 0x100; *(uint32_t*)0x200000002e38 = 8; *(uint32_t*)0x200000002e3c = 4; *(uint32_t*)0x200000002e40 = 4; *(uint32_t*)0x200000002e44 = 0; memset((void*)0x200000002e48, 0, 24); *(uint64_t*)0x200000005c78 = 0x200000002e80; *(uint32_t*)0x200000002e80 = 0x18; *(uint32_t*)0x200000002e84 = 0; *(uint64_t*)0x200000002e88 = 5; *(uint32_t*)0x200000002e90 = 1; *(uint32_t*)0x200000002e94 = 0; *(uint64_t*)0x200000005c80 = 0x200000002ec0; *(uint32_t*)0x200000002ec0 = 0x12; *(uint32_t*)0x200000002ec4 = 0; *(uint64_t*)0x200000002ec8 = 0x93; memcpy((void*)0x200000002ed0, "-\000", 2); *(uint64_t*)0x200000005c88 = 0x200000002f00; *(uint32_t*)0x200000002f00 = 0x20; *(uint32_t*)0x200000002f04 = 0; *(uint64_t*)0x200000002f08 = 3; *(uint64_t*)0x200000002f10 = 0; *(uint32_t*)0x200000002f18 = 5; *(uint32_t*)0x200000002f1c = 0; *(uint64_t*)0x200000005c90 = 0x200000003140; *(uint32_t*)0x200000003140 = 0x78; *(uint32_t*)0x200000003144 = 0xffffffda; *(uint64_t*)0x200000003148 = 2; *(uint64_t*)0x200000003150 = 5; *(uint32_t*)0x200000003158 = 0x30c; *(uint32_t*)0x20000000315c = 0; *(uint64_t*)0x200000003160 = 3; *(uint64_t*)0x200000003168 = 0x1ff; *(uint64_t*)0x200000003170 = 6; *(uint64_t*)0x200000003178 = 8; *(uint64_t*)0x200000003180 = 3; *(uint64_t*)0x200000003188 = 0; *(uint32_t*)0x200000003190 = 0x400; *(uint32_t*)0x200000003194 = 0x400; *(uint32_t*)0x200000003198 = 0x362b; *(uint32_t*)0x20000000319c = 0x2000; *(uint32_t*)0x2000000031a0 = 5; *(uint32_t*)0x2000000031a4 = r[8]; *(uint32_t*)0x2000000031a8 = r[9]; *(uint32_t*)0x2000000031ac = 0; *(uint32_t*)0x2000000031b0 = 2; *(uint32_t*)0x2000000031b4 = 0; *(uint64_t*)0x200000005c98 = 0x200000003240; *(uint32_t*)0x200000003240 = 0x90; *(uint32_t*)0x200000003244 = 0; *(uint64_t*)0x200000003248 = 0x8001; *(uint64_t*)0x200000003250 = 2; *(uint64_t*)0x200000003258 = 1; *(uint64_t*)0x200000003260 = 0x7fffffff; *(uint64_t*)0x200000003268 = 9; *(uint32_t*)0x200000003270 = 0xc0; *(uint32_t*)0x200000003274 = 7; *(uint64_t*)0x200000003278 = 1; *(uint64_t*)0x200000003280 = 0xffffffff; *(uint64_t*)0x200000003288 = 8; *(uint64_t*)0x200000003290 = 7; *(uint64_t*)0x200000003298 = 0xfffffffffffff801; *(uint64_t*)0x2000000032a0 = 2; *(uint32_t*)0x2000000032a8 = 8; *(uint32_t*)0x2000000032ac = 0x1ee; *(uint32_t*)0x2000000032b0 = 0xff; *(uint32_t*)0x2000000032b4 = 0xc000; *(uint32_t*)0x2000000032b8 = 0xf; *(uint32_t*)0x2000000032bc = r[10]; *(uint32_t*)0x2000000032c0 = 0; *(uint32_t*)0x2000000032c4 = 0xac; *(uint32_t*)0x2000000032c8 = 4; *(uint32_t*)0x2000000032cc = 0; *(uint64_t*)0x200000005ca0 = 0x200000003300; *(uint32_t*)0x200000003300 = 0xb8; *(uint32_t*)0x200000003304 = 0; *(uint64_t*)0x200000003308 = 4; *(uint64_t*)0x200000003310 = 1; *(uint64_t*)0x200000003318 = 2; *(uint32_t*)0x200000003320 = 1; *(uint32_t*)0x200000003324 = 0x101; memset((void*)0x200000003328, 123, 1); *(uint64_t*)0x200000003330 = 6; *(uint64_t*)0x200000003338 = 8; *(uint32_t*)0x200000003340 = 0x12; *(uint32_t*)0x200000003344 = 0xffd; memcpy((void*)0x200000003348, "./cgroup.net/syz1\000", 18); *(uint64_t*)0x200000003360 = 2; *(uint64_t*)0x200000003368 = 2; *(uint32_t*)0x200000003370 = 4; *(uint32_t*)0x200000003374 = 0; memcpy((void*)0x200000003378, "!\']!", 4); *(uint64_t*)0x200000003380 = 2; *(uint64_t*)0x200000003388 = 0; *(uint32_t*)0x200000003390 = 0; *(uint32_t*)0x200000003394 = 0; *(uint64_t*)0x200000003398 = 6; *(uint64_t*)0x2000000033a0 = 0x400; *(uint32_t*)0x2000000033a8 = 4; *(uint32_t*)0x2000000033ac = 0x3006bd82; memcpy((void*)0x2000000033b0, "\322}$/", 4); *(uint64_t*)0x200000005ca8 = 0x200000004f40; *(uint32_t*)0x200000004f40 = 0x538; *(uint32_t*)0x200000004f44 = 0; *(uint64_t*)0x200000004f48 = 0x200; *(uint64_t*)0x200000004f50 = 4; *(uint64_t*)0x200000004f58 = 0; *(uint64_t*)0x200000004f60 = 8; *(uint64_t*)0x200000004f68 = 0xe9; *(uint32_t*)0x200000004f70 = 8; *(uint32_t*)0x200000004f74 = 0x8f62; *(uint64_t*)0x200000004f78 = 6; *(uint64_t*)0x200000004f80 = 9; *(uint64_t*)0x200000004f88 = 0xffffffff; *(uint64_t*)0x200000004f90 = 0x9b; *(uint64_t*)0x200000004f98 = 0; *(uint64_t*)0x200000004fa0 = 0x8000; *(uint32_t*)0x200000004fa8 = 0; *(uint32_t*)0x200000004fac = 0x400; *(uint32_t*)0x200000004fb0 = 0xef0; *(uint32_t*)0x200000004fb4 = 0xa000; *(uint32_t*)0x200000004fb8 = 0x10; *(uint32_t*)0x200000004fbc = r[11]; *(uint32_t*)0x200000004fc0 = r[13]; *(uint32_t*)0x200000004fc4 = 3; *(uint32_t*)0x200000004fc8 = 3; *(uint32_t*)0x200000004fcc = 0; *(uint64_t*)0x200000004fd0 = 2; *(uint64_t*)0x200000004fd8 = 0x9f3; *(uint32_t*)0x200000004fe0 = 5; *(uint32_t*)0x200000004fe4 = 4; memset((void*)0x200000004fe8, 170, 5); *(uint64_t*)0x200000004ff0 = 4; *(uint64_t*)0x200000004ff8 = 1; *(uint64_t*)0x200000005000 = 1; *(uint64_t*)0x200000005008 = 2; *(uint32_t*)0x200000005010 = 0x100; *(uint32_t*)0x200000005014 = 0xdde0; *(uint64_t*)0x200000005018 = 3; *(uint64_t*)0x200000005020 = 0x401; *(uint64_t*)0x200000005028 = 5; *(uint64_t*)0x200000005030 = 0xef; *(uint64_t*)0x200000005038 = 4; *(uint64_t*)0x200000005040 = 0xff; *(uint32_t*)0x200000005048 = 0xf; *(uint32_t*)0x20000000504c = 0x94; *(uint32_t*)0x200000005050 = 4; *(uint32_t*)0x200000005054 = 0x6000; *(uint32_t*)0x200000005058 = 0x4a; *(uint32_t*)0x20000000505c = r[14]; *(uint32_t*)0x200000005060 = r[15]; *(uint32_t*)0x200000005064 = 0x40; *(uint32_t*)0x200000005068 = 0x81; *(uint32_t*)0x20000000506c = 0; *(uint64_t*)0x200000005070 = 0; *(uint64_t*)0x200000005078 = 2; *(uint32_t*)0x200000005080 = 6; *(uint32_t*)0x200000005084 = 0xf; memset((void*)0x200000005088, 1, 6); *(uint64_t*)0x200000005090 = 3; *(uint64_t*)0x200000005098 = 2; *(uint64_t*)0x2000000050a0 = 3; *(uint64_t*)0x2000000050a8 = 0x7b; *(uint32_t*)0x2000000050b0 = 3; *(uint32_t*)0x2000000050b4 = 0; *(uint64_t*)0x2000000050b8 = 4; *(uint64_t*)0x2000000050c0 = 9; *(uint64_t*)0x2000000050c8 = 0x692c; *(uint64_t*)0x2000000050d0 = 7; *(uint64_t*)0x2000000050d8 = 3; *(uint64_t*)0x2000000050e0 = 0; *(uint32_t*)0x2000000050e8 = 0x80000000; *(uint32_t*)0x2000000050ec = 2; *(uint32_t*)0x2000000050f0 = 6; *(uint32_t*)0x2000000050f4 = 0x6000; *(uint32_t*)0x2000000050f8 = 0; *(uint32_t*)0x2000000050fc = r[17]; *(uint32_t*)0x200000005100 = r[18]; *(uint32_t*)0x200000005104 = 0xfffffbff; *(uint32_t*)0x200000005108 = 0; *(uint32_t*)0x20000000510c = 0; *(uint64_t*)0x200000005110 = 1; *(uint64_t*)0x200000005118 = 0x100000000; *(uint32_t*)0x200000005120 = 0x12; *(uint32_t*)0x200000005124 = 0; memcpy((void*)0x200000005128, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005140 = 6; *(uint64_t*)0x200000005148 = 1; *(uint64_t*)0x200000005150 = 0x80000000; *(uint64_t*)0x200000005158 = 1; *(uint32_t*)0x200000005160 = 9; *(uint32_t*)0x200000005164 = 9; *(uint64_t*)0x200000005168 = 4; *(uint64_t*)0x200000005170 = 0x400; *(uint64_t*)0x200000005178 = 9; *(uint64_t*)0x200000005180 = 9; *(uint64_t*)0x200000005188 = 0x4c4; *(uint64_t*)0x200000005190 = 0xc; *(uint32_t*)0x200000005198 = 0x8000; *(uint32_t*)0x20000000519c = 0; *(uint32_t*)0x2000000051a0 = 0xf; *(uint32_t*)0x2000000051a4 = 0xc000; *(uint32_t*)0x2000000051a8 = 6; *(uint32_t*)0x2000000051ac = r[20]; *(uint32_t*)0x2000000051b0 = r[21]; *(uint32_t*)0x2000000051b4 = 0x99df; *(uint32_t*)0x2000000051b8 = 2; *(uint32_t*)0x2000000051bc = 0; *(uint64_t*)0x2000000051c0 = 5; *(uint64_t*)0x2000000051c8 = 8; *(uint32_t*)0x2000000051d0 = 0x12; *(uint32_t*)0x2000000051d4 = 2; memcpy((void*)0x2000000051d8, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x2000000051f0 = 5; *(uint64_t*)0x2000000051f8 = 1; *(uint64_t*)0x200000005200 = 4; *(uint64_t*)0x200000005208 = 0xffffffff; *(uint32_t*)0x200000005210 = 0; *(uint32_t*)0x200000005214 = 6; *(uint64_t*)0x200000005218 = 3; *(uint64_t*)0x200000005220 = 0; *(uint64_t*)0x200000005228 = 9; *(uint64_t*)0x200000005230 = 0x2c3d; *(uint64_t*)0x200000005238 = 6; *(uint64_t*)0x200000005240 = 0x479; *(uint32_t*)0x200000005248 = 6; *(uint32_t*)0x20000000524c = 5; *(uint32_t*)0x200000005250 = 0x7aa; *(uint32_t*)0x200000005254 = 0x2000; *(uint32_t*)0x200000005258 = 0x4a0b; *(uint32_t*)0x20000000525c = r[22]; *(uint32_t*)0x200000005260 = 0; *(uint32_t*)0x200000005264 = 0xffff; *(uint32_t*)0x200000005268 = 8; *(uint32_t*)0x20000000526c = 0; *(uint64_t*)0x200000005270 = 3; *(uint64_t*)0x200000005278 = 9; *(uint32_t*)0x200000005280 = 1; *(uint32_t*)0x200000005284 = 0x1ff; memset((void*)0x200000005288, 36, 1); *(uint64_t*)0x200000005290 = 5; *(uint64_t*)0x200000005298 = 1; *(uint64_t*)0x2000000052a0 = 0x10000; *(uint64_t*)0x2000000052a8 = 0xd; *(uint32_t*)0x2000000052b0 = 1; *(uint32_t*)0x2000000052b4 = 5; *(uint64_t*)0x2000000052b8 = 3; *(uint64_t*)0x2000000052c0 = 0xa967; *(uint64_t*)0x2000000052c8 = 3; *(uint64_t*)0x2000000052d0 = 0; *(uint64_t*)0x2000000052d8 = 0x200; *(uint64_t*)0x2000000052e0 = 0x8b8; *(uint32_t*)0x2000000052e8 = 8; *(uint32_t*)0x2000000052ec = 1; *(uint32_t*)0x2000000052f0 = 6; *(uint32_t*)0x2000000052f4 = 0x4000; *(uint32_t*)0x2000000052f8 = 8; *(uint32_t*)0x2000000052fc = 0xee00; *(uint32_t*)0x200000005300 = 0; *(uint32_t*)0x200000005304 = 2; *(uint32_t*)0x200000005308 = 1; *(uint32_t*)0x20000000530c = 0; *(uint64_t*)0x200000005310 = 3; *(uint64_t*)0x200000005318 = 0; *(uint32_t*)0x200000005320 = 0x12; *(uint32_t*)0x200000005324 = 5; memcpy((void*)0x200000005328, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005340 = 3; *(uint64_t*)0x200000005348 = 3; *(uint64_t*)0x200000005350 = 2; *(uint64_t*)0x200000005358 = 0x3d5; *(uint32_t*)0x200000005360 = 0; *(uint32_t*)0x200000005364 = 0x1000; *(uint64_t*)0x200000005368 = 4; *(uint64_t*)0x200000005370 = 5; *(uint64_t*)0x200000005378 = 0; *(uint64_t*)0x200000005380 = 2; *(uint64_t*)0x200000005388 = 0x7f; *(uint64_t*)0x200000005390 = 0xd; *(uint32_t*)0x200000005398 = 0xfffffffa; *(uint32_t*)0x20000000539c = 0x117; *(uint32_t*)0x2000000053a0 = 6; *(uint32_t*)0x2000000053a4 = 0x2000; *(uint32_t*)0x2000000053a8 = 0x3ff; *(uint32_t*)0x2000000053ac = r[23]; *(uint32_t*)0x2000000053b0 = r[24]; *(uint32_t*)0x2000000053b4 = 0xb737; *(uint32_t*)0x2000000053b8 = 0xd; *(uint32_t*)0x2000000053bc = 0; *(uint64_t*)0x2000000053c0 = 5; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff8; *(uint32_t*)0x2000000053d0 = 6; *(uint32_t*)0x2000000053d4 = 8; memset((void*)0x2000000053d8, 255, 6); *(uint64_t*)0x2000000053e0 = 5; *(uint64_t*)0x2000000053e8 = 3; *(uint64_t*)0x2000000053f0 = 8; *(uint64_t*)0x2000000053f8 = 0xd; *(uint32_t*)0x200000005400 = 0x8000; *(uint32_t*)0x200000005404 = 0x7ff; *(uint64_t*)0x200000005408 = 1; *(uint64_t*)0x200000005410 = 5; *(uint64_t*)0x200000005418 = 4; *(uint64_t*)0x200000005420 = 0xfffffffffffffffd; *(uint64_t*)0x200000005428 = 0; *(uint64_t*)0x200000005430 = 0xd; *(uint32_t*)0x200000005438 = 7; *(uint32_t*)0x20000000543c = 4; *(uint32_t*)0x200000005440 = 0xef; *(uint32_t*)0x200000005444 = 0x8000; *(uint32_t*)0x200000005448 = 7; *(uint32_t*)0x20000000544c = r[25]; *(uint32_t*)0x200000005450 = r[26]; *(uint32_t*)0x200000005454 = 8; *(uint32_t*)0x200000005458 = 3; *(uint32_t*)0x20000000545c = 0; *(uint64_t*)0x200000005460 = 2; *(uint64_t*)0x200000005468 = 1; *(uint32_t*)0x200000005470 = 0; *(uint32_t*)0x200000005474 = 7; *(uint64_t*)0x200000005cb0 = 0x200000005700; *(uint32_t*)0x200000005700 = 0xa0; *(uint32_t*)0x200000005704 = 0; *(uint64_t*)0x200000005708 = 0x73f5b767; *(uint64_t*)0x200000005710 = 5; *(uint64_t*)0x200000005718 = 2; *(uint64_t*)0x200000005720 = 5; *(uint64_t*)0x200000005728 = 0x8001; *(uint32_t*)0x200000005730 = 0x4c3; *(uint32_t*)0x200000005734 = 2; *(uint64_t*)0x200000005738 = 5; *(uint64_t*)0x200000005740 = 7; *(uint64_t*)0x200000005748 = 0x800; *(uint64_t*)0x200000005750 = 5; *(uint64_t*)0x200000005758 = 0xa; *(uint64_t*)0x200000005760 = 0x1000; *(uint32_t*)0x200000005768 = 0x7f; *(uint32_t*)0x20000000576c = 9; *(uint32_t*)0x200000005770 = 6; *(uint32_t*)0x200000005774 = 0x1000; *(uint32_t*)0x200000005778 = 0; *(uint32_t*)0x20000000577c = r[27]; *(uint32_t*)0x200000005780 = -1; *(uint32_t*)0x200000005784 = 8; *(uint32_t*)0x200000005788 = 0x18; *(uint32_t*)0x20000000578c = 0; *(uint64_t*)0x200000005790 = 0; *(uint32_t*)0x200000005798 = 0xb; *(uint32_t*)0x20000000579c = 0; *(uint64_t*)0x200000005cb8 = 0x2000000057c0; *(uint32_t*)0x2000000057c0 = 0x20; *(uint32_t*)0x2000000057c4 = 0xfffffff5; *(uint64_t*)0x2000000057c8 = 0x100000001; *(uint32_t*)0x2000000057d0 = 1; *(uint32_t*)0x2000000057d4 = 0; *(uint32_t*)0x2000000057d8 = 9; *(uint32_t*)0x2000000057dc = 0x40000000; *(uint64_t*)0x200000005cc0 = 0x200000005b00; *(uint32_t*)0x200000005b00 = 0x130; *(uint32_t*)0x200000005b04 = 0; *(uint64_t*)0x200000005b08 = 0xffffffffffffff98; *(uint64_t*)0x200000005b10 = 2; *(uint32_t*)0x200000005b18 = 0xa; *(uint32_t*)0x200000005b1c = 0; memset((void*)0x200000005b20, 0, 16); *(uint32_t*)0x200000005b30 = 0x200; *(uint32_t*)0x200000005b34 = 9; *(uint64_t*)0x200000005b38 = 0x400; *(uint32_t*)0x200000005b40 = 0x200; *(uint32_t*)0x200000005b44 = r[28]; *(uint32_t*)0x200000005b48 = r[29]; *(uint16_t*)0x200000005b4c = 0x8000; memset((void*)0x200000005b4e, 0, 2); *(uint64_t*)0x200000005b50 = 3; *(uint64_t*)0x200000005b58 = 9; *(uint64_t*)0x200000005b60 = 5; *(uint64_t*)0x200000005b68 = 6; *(uint64_t*)0x200000005b70 = 0xefac; *(uint32_t*)0x200000005b78 = 9; *(uint32_t*)0x200000005b7c = 0; *(uint64_t*)0x200000005b80 = 8; *(uint32_t*)0x200000005b88 = 0x7f; *(uint32_t*)0x200000005b8c = 0; *(uint64_t*)0x200000005b90 = 0x635; *(uint32_t*)0x200000005b98 = 5; *(uint32_t*)0x200000005b9c = 0; *(uint64_t*)0x200000005ba0 = 0xf; *(uint32_t*)0x200000005ba8 = 9; *(uint32_t*)0x200000005bac = 0; *(uint32_t*)0x200000005bb0 = 0x8001; *(uint32_t*)0x200000005bb4 = 0xb; *(uint32_t*)0x200000005bb8 = 0xd; *(uint32_t*)0x200000005bbc = 0x4dc9; memset((void*)0x200000005bc0, 0, 112); syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000000c40, /*len=*/0x2000, /*res=*/0x200000005c40); break; case 39: memcpy((void*)0x200000005d00, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000005d00, /*fd=*/r[4]); break; case 40: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 41: *(uint32_t*)0x200000005d44 = 0xf86d; *(uint32_t*)0x200000005d48 = 4; *(uint32_t*)0x200000005d4c = 0; *(uint32_t*)0x200000005d50 = 0x11b; *(uint32_t*)0x200000005d58 = -1; memset((void*)0x200000005d5c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x2407, /*params=*/0x200000005d40, /*ring_params_ptr=*/0x200000005dc0, /*ring_ptr=*/0x200000005e00, /*sqes_ptr=*/0x200000005e40); if (res != -1) { r[30] = res; r[31] = *(uint64_t*)0x200000005dc0; } break; case 42: res = syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ*/0x1000009ul, /*flags=MAP_POPULATE*/0x8000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[32] = res; break; case 43: res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/r[31], /*ring_ptr=*/r[32]); if (res != -1) r[33] = res; break; case 44: *(uint32_t*)0x200000005e84 = 0x64a3; *(uint32_t*)0x200000005e88 = 0x2006; *(uint32_t*)0x200000005e8c = 1; *(uint32_t*)0x200000005e90 = 0x3e2; *(uint32_t*)0x200000005e98 = r[30]; memset((void*)0x200000005e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x29b9, /*params=*/0x200000005e80, /*ring_params_ptr=*/0x200000005f00, /*ring_ptr=*/0x200000005f40, /*sqes_ptr=*/0x200000005f80); if (res != -1) { r[34] = *(uint64_t*)0x200000005f00; r[35] = *(uint64_t*)0x200000005f80; } break; case 45: syz_io_uring_modify_offsets(/*ring_params_ptr=*/r[34], /*ring_ptr=*/r[32], /*off=SQ_FLAGS_OFFSET*/0x38, /*value=*/0); break; case 46: *(uint32_t*)0x200000005fc4 = 0x1e2b; *(uint32_t*)0x200000005fc8 = 0x800; *(uint32_t*)0x200000005fcc = 1; *(uint32_t*)0x200000005fd0 = 0x2ab; *(uint32_t*)0x200000005fd8 = -1; memset((void*)0x200000005fdc, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x48a, /*params=*/0x200000005fc0, /*ring_params_ptr=*/0x200000006040, /*ring_ptr=*/0x200000006080, /*sqes_ptr=*/0x2000000060c0); if (res != -1) { r[36] = *(uint64_t*)0x200000006040; r[37] = *(uint64_t*)0x200000006080; } break; case 47: *(uint8_t*)0x200000006140 = 0xd; *(uint8_t*)0x200000006141 = 0x24; *(uint16_t*)0x200000006142 = 0; *(uint32_t*)0x200000006144 = r[33]; *(uint64_t*)0x200000006148 = 0x200000006100; *(uint32_t*)0x200000006100 = 0; *(uint64_t*)0x200000006150 = 0; *(uint32_t*)0x200000006158 = 0; *(uint32_t*)0x20000000615c = 0x81000; *(uint64_t*)0x200000006160 = 1; *(uint16_t*)0x200000006168 = 0; *(uint16_t*)0x20000000616a = 0; memset((void*)0x20000000616c, 0, 20); syz_io_uring_submit(/*ring_params_ptr=*/r[36], /*ring_ptr=*/r[37], /*sqes_ptr=*/r[35], /*sqe=*/0x200000006140); break; case 48: memset((void*)0x200000006180, 36, 1); memcpy((void*)0x200000006280, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xbd\xfd\x57\x7d\x9b\x71\x97\xf5\x66\x39\x3b\x22\x8c\xca\x01\xc4\x38\x5b\xaa\x7b\xb4\x18\xfa\x8f\x4f\x4d\x37\x3f\xe5\x8f\xb1\x57\xb4\x5a\x06\xce\x1a\xa0\xaa\xb1\x29\x2a\x2a\x28\x9e\xc8\x34\x63\x27\x86\x44\xd9\xa5\xc3\xb2\x41\x9a\xcc\x6b\xf9\xff\x6d\xed\xd3\x6c\x7c\x83\x8e\x89\xa7\x2a\x34\xad\xe9\x1f\x58\xe3\x7d\x88\x4b\xf0\xcb\xc4\x0d\xf6\xeb\x8a\xd5\x46\xea\xb7\x30\xf2\x0b\xeb\xa1\xd2\x1d\xed\xa9\xc9\xe1\x81\xc8\xd8\x66\xbf\xf9\x96\xc8\x56\x38\x86\xc1\xe0\x4f\x00\x2f\xcc\x94\x15\xcb\xc0\x94\xac\x5b\x1a\x44\x29\x80\xb1\x76\xbf\xf5\xd7\x5d\x34\x5e\x0a\x9a\xed\x89\x90\xa6\x46\xd0\xc9\x2e\x00\x1a\x91\xa3\x39\xa2\x30\x4c\x26\xc5\xc0\x00\x00\x00\x00\x00\x00\x00\x00", 208); syz_kfuzztest_run(/*name=*/0x200000006180, /*data=*/0x2000000061c0, /*len=*/0xd0, /*buf=*/0x200000006280); break; case 49: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[33], /*usermem=*/0x200000c00000); if (res != -1) r[38] = res; break; case 50: *(uint64_t*)0x200000016800 = 0; *(uint64_t*)0x200000016808 = 0x200000016280; *(uint64_t*)0x200000016280 = 0x17f; *(uint64_t*)0x200000016288 = 0x10; *(uint64_t*)0x200000016290 = 0x17d; *(uint64_t*)0x200000016298 = 0x20; *(uint64_t*)0x2000000162a0 = 0x58000; *(uint64_t*)0x2000000162a8 = 0x50df; *(uint64_t*)0x2000000162b0 = 0x182; *(uint64_t*)0x2000000162b8 = 0x18; *(uint64_t*)0x2000000162c0 = 2; *(uint64_t*)0x2000000162c8 = 0x12d; *(uint64_t*)0x2000000162d0 = 0x18; *(uint64_t*)0x2000000162d8 = 3; *(uint64_t*)0x2000000162e0 = 0x64; *(uint64_t*)0x2000000162e8 = 0x18; *(uint32_t*)0x2000000162f0 = 0xf; *(uint32_t*)0x2000000162f4 = 0x9a97; *(uint64_t*)0x2000000162f8 = 0x17d; *(uint64_t*)0x200000016300 = 0x20; *(uint64_t*)0x200000016308 = 0xfec00000; *(uint64_t*)0x200000016310 = 0x1781; *(uint64_t*)0x200000016318 = 0x17d; *(uint64_t*)0x200000016320 = 0x20; *(uint64_t*)0x200000016328 = 0x1000; *(uint64_t*)0x200000016330 = 0x691; *(uint64_t*)0x200000016338 = 0x182; *(uint64_t*)0x200000016340 = 0x18; *(uint64_t*)0x200000016348 = 3; *(uint64_t*)0x200000016350 = 0x17f; *(uint64_t*)0x200000016358 = 0x10; *(uint64_t*)0x200000016360 = 0x12e; *(uint64_t*)0x200000016368 = 0x79; *(uint64_t*)0x200000016370 = 0; memcpy((void*)0x200000016378, "\x67\x47\x0f\x48\x7f\x05\x41\x0f\xc7\x28\x0f\x20\xd8\x35\x08\x00\x00\x00\x0f\x22\xd8\x8f\x29\x78\xcb\x3d\x08\x00\x00\x00\x0f\x20\xc0\x35\x04\x00\x00\x00\x0f\x22\xc0\xc7\x44\x24\x00\xd0\xf6\x00\x00\xc7\x44\x24\x02\x00\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24\x0f\x00\x95\xbf\xfb\x00\x00\xb9\x8b\x00\x00\x00\x0f\x32\x43\x0f\x01\xf8\x36\x3e\x3e\x66\x44\x0f\x38\x3c\x6e\x0e", 97); *(uint64_t*)0x2000000163d9 = 0x182; *(uint64_t*)0x2000000163e1 = 0x18; *(uint64_t*)0x2000000163e9 = 0; *(uint64_t*)0x2000000163f1 = 0x17d; *(uint64_t*)0x2000000163f9 = 0x20; *(uint64_t*)0x200000016401 = 1; *(uint64_t*)0x200000016409 = 0x2a0c; *(uint64_t*)0x200000016411 = 0x17c; *(uint64_t*)0x200000016419 = 0x38; *(uint64_t*)0x200000016421 = 0; *(uint64_t*)0x200000016429 = 0x4a9; *(uint64_t*)0x200000016431 = 5; *(uint64_t*)0x200000016439 = 0xffffffff80000001; *(uint64_t*)0x200000016441 = 0xd; *(uint64_t*)0x200000016449 = 0x130; *(uint64_t*)0x200000016451 = 0x18; *(uint64_t*)0x200000016459 = 1; *(uint64_t*)0x200000016461 = 0x181; *(uint64_t*)0x200000016469 = 0x30; *(uint64_t*)0x200000016471 = 3; *(uint64_t*)0x200000016479 = 0xff; *(uint64_t*)0x200000016481 = 1; *(uint64_t*)0x200000016489 = 1; *(uint64_t*)0x200000016491 = 0x130; *(uint64_t*)0x200000016499 = 0x18; *(uint64_t*)0x2000000164a1 = 2; *(uint64_t*)0x2000000164a9 = 0x65; *(uint64_t*)0x2000000164b1 = 0x20; *(uint64_t*)0x2000000164b9 = 0xc001103a; *(uint64_t*)0x2000000164c1 = 0; *(uint64_t*)0x2000000164c9 = 0xa; *(uint64_t*)0x2000000164d1 = 0x64; memcpy((void*)0x2000000164d9, "\xc4\xa1\xf9\xe6\x53\x00\x66\xba\xf8\x0c\xb8\x3c\x05\x0c\x8a\xef\x66\xba\xfc\x0c\xb0\xea\xee\xc4\x01\x7a\x70\x5e\x47\x02\x36\x0f\x01\xc9\xb8\x05\x00\x00\x00\xb9\x00\x00\x01\x00\x0f\x01\xd9\xc4\x82\x99\xf7\x74\xfd\x26\xb9\x49\x03\x00\x00\x0f\x32\xc4\xc1\x15\xfa\xba\x67\x36\xc9\x58\xb8\x01\x00\x00\x00\x0f\x01\xc1\x64\x43\x0f\x01\xca", 83); *(uint8_t*)0x20000001652c = 0xc3; *(uint64_t*)0x20000001652d = 0x6a; *(uint64_t*)0x200000016535 = 0x28; *(uint64_t*)0x20000001653d = 0xb7cb; *(uint64_t*)0x200000016545 = 1; *(uint64_t*)0x20000001654d = 9; *(uint64_t*)0x200000016555 = 0x136; *(uint64_t*)0x20000001655d = 0x58; *(uint64_t*)0x200000016565 = 2; *(uint64_t*)0x20000001656d = 2; *(uint64_t*)0x200000016575 = 0x154; *(uint64_t*)0x20000001657d = 0x38; *(uint64_t*)0x200000016585 = 2; *(uint64_t*)0x20000001658d = 0x2006; *(uint64_t*)0x200000016595 = 6; *(uint64_t*)0x20000001659d = 0xdd07; *(uint64_t*)0x2000000165a5 = 5; *(uint64_t*)0x2000000165ad = 0; *(uint64_t*)0x2000000165b5 = 0x18; *(uint64_t*)0x2000000165bd = 8; *(uint64_t*)0x2000000165c5 = 0x136; *(uint64_t*)0x2000000165cd = 0x80; *(uint64_t*)0x2000000165d5 = 0; *(uint64_t*)0x2000000165dd = 0x1ff; *(uint64_t*)0x2000000165e5 = 0xc8; *(uint64_t*)0x2000000165ed = 0x20; *(uint64_t*)0x2000000165f5 = 0x6a; *(uint64_t*)0x2000000165fd = 0; *(uint64_t*)0x200000016605 = 0x17e; *(uint64_t*)0x20000001660d = 0x10; *(uint64_t*)0x200000016615 = 0x17f; *(uint64_t*)0x20000001661d = 0x10; *(uint64_t*)0x200000016625 = 0xc8; *(uint64_t*)0x20000001662d = 0x20; *(uint64_t*)0x200000016635 = 0x76; *(uint64_t*)0x20000001663d = 1; *(uint64_t*)0x200000016645 = 0x183; *(uint64_t*)0x20000001664d = 0x18; *(uint64_t*)0x200000016655 = 3; *(uint64_t*)0x20000001665d = 0xc8; *(uint64_t*)0x200000016665 = 0x20; *(uint64_t*)0x20000001666d = 0xcd; *(uint64_t*)0x200000016675 = 2; *(uint64_t*)0x20000001667d = 0x180; *(uint64_t*)0x200000016685 = 0x38; *(uint64_t*)0x20000001668d = 2; *(uint64_t*)0x200000016695 = 0x96; *(uint64_t*)0x20000001669d = 2; *(uint64_t*)0x2000000166a5 = 9; *(uint64_t*)0x2000000166ad = 2; *(uint64_t*)0x2000000166b5 = 0x64; *(uint64_t*)0x2000000166bd = 0x18; *(uint32_t*)0x2000000166c5 = 1; *(uint32_t*)0x2000000166c9 = 0xffff; *(uint64_t*)0x2000000166cd = 0xa; *(uint64_t*)0x2000000166d5 = 0x6c; memcpy((void*)0x2000000166dd, "\x41\x0f\x01\x3a\xc7\x44\x24\x00\x72\x00\x00\x00\xc7\x44\x24\x02\x03\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xc7\x44\x24\x00\xc7\xd2\xb5\x38\xc7\x44\x24\x02\x39\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xb8\x01\x00\x00\x00\x0f\x01\xc1\x40\x0f\x79\x16\x66\xb8\xbc\x00\x8e\xc0\x26\x44\x0f\x01\xc5\x41\x0f\x01\xd0\x0f\x08\x0f\x09", 91); *(uint8_t*)0x200000016738 = 0xc3; *(uint64_t*)0x200000016739 = 0x180; *(uint64_t*)0x200000016741 = 0x38; *(uint64_t*)0x200000016749 = 1; *(uint64_t*)0x200000016751 = 0xa2; *(uint64_t*)0x200000016759 = 3; *(uint64_t*)0x200000016761 = 0x40; *(uint64_t*)0x200000016769 = 3; *(uint64_t*)0x200000016771 = 0x67; *(uint64_t*)0x200000016779 = 0x20; *(uint64_t*)0x200000016781 = 2; *(uint64_t*)0x200000016789 = 0; *(uint64_t*)0x200000016791 = 0x181; *(uint64_t*)0x200000016799 = 0x30; *(uint64_t*)0x2000000167a1 = 1; *(uint64_t*)0x2000000167a9 = 8; *(uint64_t*)0x2000000167b1 = 1; *(uint64_t*)0x2000000167b9 = 1; *(uint64_t*)0x200000016810 = 0x541; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[38], /*text=*/0x200000016800); if (res != -1) r[39] = res; break; case 51: res = syscall(__NR_mmap, /*addr=*/0x200000ffa000ul, /*len=*/0ul, /*prot=*/0ul, /*flags=MAP_SHARED*/1ul, /*cpufd=*/r[39], /*offset=*/0ul); if (res != -1) r[40] = res; break; case 52: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[40], /*exitcode=*/4); break; case 53: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[33], /*run=*/r[40], /*exitcode=*/6); break; case 54: *(uint64_t*)0x200000016840 = 0x1000; res = syscall(__NR_socketcall, /*call=*/0xful, /*args=*/0x200000016840ul); if (res != -1) r[41] = res; break; case 55: *(uint64_t*)0x200000016ac0 = 0; *(uint64_t*)0x200000016ac8 = 0x200000016880; memcpy((void*)0x200000016880, "\xa6\x00\xc0\x7f\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x05\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x00\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x09\x00\xf7\x62\x00\x00\x00\x3f\xa3\x20\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x0d\x00\xf7\x62\xff\xff\x00\x3f\x4b\x45\x18\x63\x00\x00\x17\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x05\x00\x84\x60\x22\x00\x00\x44\xe4\x03\x00\x7c\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x03\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x00\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x5b\x92\x84\x60\x22\x00\x00\x44\x88\x9c\x7f\x13\x85\x79\x3c\x11\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xae\x43\x80\x3c\x0b\x69\x84\x60\x04\x00\x84\x78\x32\xd2\x84\x64\x64\xab\x84\x60\x9f\x20\xa0\x3c\xa8\xed\xa5\x60\x04\x00\xa5\x78\xb6\x40\xa5\x64\xb1\xf3\xa5\x60\x72\x95\xc0\x3c\xe2\xa3\xc6\x60\x04\x00\xc6\x78\x0a\xb5\xc6\x64\xb4\x56\xc6\x60\x7a\xf7\xe0\x3c\x4f\x1e\xe7\x60\x04\x00\xe7\x78\x6d\xaf\xe7\x64\x73\x5d\xe7\x60\x6e\xd4\x00\x3d\xea\x68\x08\x61\x04\x00\x08\x79\x84\x3e\x08\x65\x2b\x1e\x08\x61\x0f\x08\x20\x3d\x57\x99\x29\x61\x04\x00\x29\x79\x2e\xa5\x29\x65\xa3\x3a\x29\x61\x10\xda\x40\x3d\x21\xf4\x4a\x61\x04\x00\x4a\x79\x6b\x7d\x4a\x65\x1a\xc9\x4a\x61\x7a\xd9\x60\x3d\x84\x78\x6b\x61\x04\x00\x6b\x79\xf9\xf1\x6b\x65\x62\xee\x6b\x61\x22\x00\x00\x44\x8c\x30\x80\x3d\xde\x99\x8c\x61\x04\x00\x8c\x79\xc3\x84\x8c\x65\xc4\x00\x8c\x61\x42\x7e\xf3\x13\x08\xdb\x47\xfd\x63\x10\xe0\x3f\xa7\x1c\xff\x63\x04\x00\xff\x7b\x58\x16\xff\x67\x60\xa0\xff\x63\x26\xff\xa1\x7f", 532); *(uint64_t*)0x200000016ad0 = 0x214; *(uint64_t*)0x200000016b00 = 1; *(uint64_t*)0x200000016b08 = 9; syz_kvm_setup_cpu(/*fd=*/r[33], /*cpufd=*/r[41], /*usermem=*/0x200000efc000, /*text=*/0x200000016ac0, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PR*/8, /*opts=*/0x200000016b00, /*nopt=*/1); break; case 56: syz_kvm_setup_syzos_vm(/*fd=*/r[41], /*usermem=*/0x200000c00000); break; case 57: memcpy((void*)0x200000016b40, "\xe5\xb3\x1e\x15\x1b\x44\xd5\xa7\xe6\xd4\x31\x8c\x23\x84\x1c\xad\x91\x1c\xec\x23\xf0\xd3\x9a\x4b\xed\x97\x7a\x0a\x13\xd9\xf9\xd1\x06\xf5\x92\xbf\x97\xea\x28\xb0\x48\xc1\x76\x41\x55\xa6\x98\xd4\x13\xbe\x97\x12\xcc\xb2\x98\xc0\xb8\x9c\xa6\x70\x76\xbe\x69\xd8\x34\x91\xff\x71\xbc\x77\x33\xd0", 72); syz_memcpy_off(/*dst=*/r[40], /*off=*/0x20, /*src=*/0x200000016b40, /*src_off=*/0, /*nbytes=*/0x48); break; case 58: memcpy((void*)0x200000016bc0, "adfs\000", 5); memcpy((void*)0x200000016c00, "./file1\000", 8); memcpy((void*)0x200000016c40, "othmask", 7); *(uint8_t*)0x200000016c47 = 0x3d; sprintf((char*)0x200000016c48, "%023llo", (long long)6); *(uint8_t*)0x200000016c5f = 0x2c; memcpy((void*)0x200000016c60, "uid", 3); *(uint8_t*)0x200000016c63 = 0x3d; sprintf((char*)0x200000016c64, "0x%016llx", (long long)r[12]); *(uint8_t*)0x200000016c76 = 0x2c; memcpy((void*)0x200000016c77, "smackfstransmute", 16); *(uint8_t*)0x200000016c87 = 0x3d; memcpy((void*)0x200000016c88, "wlan1\000", 6); *(uint8_t*)0x200000016c8e = 0x2c; *(uint8_t*)0x200000016c8f = 0; memcpy((void*)0x200000016cc0, "\x78\x9c\x00\x00\x10\xff\xef\xe0\xf3\x2e\xee\x67\x26\x57\xd8\xe1\x2f\x0d\xef\x1e\xdc\xec\x7d\x6e\xe8\xb8\x00\xf9\xec\x5d\xce\xfa\x4e\x2f\x34\x00\xaf\xbf\xeb\x7c\xd1\x40\x1d\xf9\xc0\xa3\x6a\xaf\xe6\x78\x4e\xe5\x0c\xa0\x63\x41\xa0\x1b\x3f\xe4\x49\xf8\xfa\xc4\xd6\x1f\xc5\x7a\x81\xb5\xe1\xbb\x9d\x8d\xd5\xb7\x2d\x1f\x7f\x6d\xef\xc5\x36\x05\xcf\x95\x1f\xc6\x87\x84\xa1\xbb\x5a\x5a\xff\xb5\xa2\x0d\xd8\xc6\x4d\x9d\x5e\x7d\x68\xe8\x9f\x48\x96\xf0\xa5\x0b\xe4\x7d\x9d\x61\x0d\x02\x2f\x14\x97\x14\x80\x49\x98\x9a\x7b\x7e\xa6\x86\xaf\x0a\x6a\xde\xa7\x00\x81\xac\x0b\x4f\xaf\xed\x16\x14\x12\x9a\xe4\x1d\xec\x8b\xa2\x02\xc1\x9f\xe3\x15\x1a\xb7\x4d\x7b\x20\x51\xad\xb0\xc8\xed\xf3\x10\xcb\x88\x65\x0e\xc7\x74\x9b\xde\x4e\xaa\xb1\x51\x7b\x98\x8c\xd7\x18\x19\xab\x09\x74\x20\xc0\xeb\x23\x86\x52\xbf\x48\xcd\x2b\x1f\x50\x0e\x05\x74\xac\x4a\x7d\x2f\x54\xa8\xf0\x15\xae\xb2\x18\x8f\xc9\xaa\x13\x0b\x3e\x1e\xe5\x48\xf6\xca\x8f\x2a\x4c\x3b\xcf\xd9\xe4\x56\xee\x03\x4a\x04\xac\x28\xed\xbc\xbc\x9d\x55\xcc\x3a\xce\x6a\xe9\x26\x0e\x9b\xe2\x2f\xd0\x47\x7e\xbd\xc5\x8c\xea\x74\xc5\x73\x92\x1c\x08\xa9\x6c\xa3\x97\x9a\x94\x8c\x16\x11\x5b\x86\xba\xe4\x0b\x72\x7b\x4d\x01\x95\x0a\xd2\x6c\x2f\xd4\xc7\x73\x16\x35\x04\xe5\x5a\x63\x08\x55\x33\x79\x9f\x81\xaa\x9e\x99\x25\x6d\x11\x3a\x4c\xb8\x98\x13\xf6\x21\x0a\x4b\xc9\x69\x20\x88\x47\x8d\x0d\xe7\x55\xb7\x40\xa6\xdc\x1e\x4b\x34\x6f\xa3\x3b\x30\xa2\x67\x63\x3d\x3b\x70\x92\x3f\xab\x75\x19\x72\xa9\xb5\x3f\xd5\x28\x15\xf3\x90\x37\xb5\x3c\xb4\x69\x70\xd8\xe5\x03\xc4\x5b\x5f\x7f\x18\x6a\x25\x4b\x38\x89\x9f\xb7\x75\x1b\x21\x76\xc9\xe9\x40\x93\xc1\xfe\x7a\xab\xba\xe2\xd3\x1a\xaa\x79\xa0\x76\xa6\x70\xb2\x4e\xaa\xad\xfb\x8f\xf6\x9c\x80\xdc\x09\x8d\x95\x14\x72\x9b\x60\x52\x62\x2e\x13\x08\x0a\x09\xff\x94\x97\x3c\x24\xe4\x30\x60\x6a\x7a\x3b\x03\x43\x4d\x5b\xbb\xd3\x95\xeb\x14\x7e\xdd\x99\x9e\xc8\xe3\x8d\x0d\x98\xf4\x56\x80\x9b\x9f\xdc\xf7\x42\x30\xd6\x1e\xce\x5c\x18\xdb\x04\x04\x2d\x1a\x90\xf0\x1f\x24\x15\x28\xd9\x7d\x38\x32\xcf\xc6\x20\xe5\x97\x36\xfb\x11\xb8\x31\x36\x8d\x45\x9a\x3e\x26\x34\xa1\xdf\xda\xe8\xad\x9b\x34\x2c\x5d\x70\xae\x32\xfe\xf3\xfc\x64\x0e\xe1\x28\x81\x38\xda\x4e\x7a\xef\x89\xe3\x24\x2e\x3c\x4b\x53\x4d\xf9\x04\x92\x8d\xc4\x21\x9f\x74\xe9\xab\x62\xaa\xe9\x59\xc4\x2c\x9f\x4b\xc3\xa7\x1b\xa8\x3c\x9c\x90\x2a\x1d\xe6\x0e\x6e\x51\xe4\x99\x65\x55\xaf\xf5\x98\x9e\x35\xa2\x86\xf4\xa1\x03\x0f\x85\x8e\xdf\xc5\x02\x0e\xe4\x28\x0e\x72\x54\xeb\x4c\x2d\xe6\x3b\xd7\x3d\x6f\x2b\xe7\x98\x4d\x27\xc7\xfa\x17\xea\x39\x86\x0e\xeb\x82\x5b\x91\x2b\xa2\x97\xea\x17\x8d\xa5\x26\x62\xc7\x92\x2c\x52\x96\xfd\xac\x90\x31\xa1\x99\x82\x64\xbf\x07\x1a\x03\x74\x1a\x4b\xfb\xe9\xab\x43\x45\xf8\x2c\x0a\x67\x5c\x93\x6f\x5b\xd6\x8a\xa3\xd5\x62\x1a\xba\x90\x03\xdb\xcd\xdf\x81\x99\x66\xf1\x27\x26\x93\x09\x47\x3a\xd1\x46\x24\xbb\xff\x49\xf9\x52\xcb\x1a\x41\x30\x80\x18\xe9\xb3\xb4\xc4\x64\x64\xff\x4a\x3a\x49\xfc\xaa\x7e\xfe\xc8\xf8\xa4\xec\xe2\x95\xf1\xab\x79\xa0\xd0\x91\x1b\x3e\xa7\xa1\xf7\xf8\x25\x22\x19\x3e\xee\x1b\x17\x1e\x82\x7d\xf2\x3b\x40\xfd\x76\x5d\x99\x87\x10\x54\xdc\x08\xa7\x05\x32\xbf\xfa\x45\xc5\x08\xdb\x35\x90\x65\x04\xfb\xb1\xee\x48\x8c\xd9\x82\xe3\x3e\x0d\x88\x31\x37\x00\x2a\x44\xe8\xb0\x22\x37\x12\x7b\x07\x22\x00\xad\x96\x7f\xd3\x7d\x28\x8d\x32\xf5\x59\x9b\x39\x9d\x76\xdb\xa3\x6d\xfb\x67\x6b\xa4\x5c\xfe\x79\x3e\xd8\x42\x50\xf3\x1d\xd9\xc0\x10\x5d\x02\xe8\x8d\xd6\xb3\x56\x01\xc5\x01\xf0\x32\x67\x20\x54\x6a\x22\xde\x47\x36\x3b\x87\x69\x9f\xb4\xa1\xc0\x8b\xf1\x5f\x24\x4a\x6d\x3d\xdd\xef\x77\x06\xd3\x9e\xf0\x13\xf9\x55\xf0\x12\xb1\xd8\x18\x5a\x00\x4a\xcf\x8c\x33\x90\x04\xf1\xbe\x62\x8f\xa4\x01\x4b\xe2\x95\xa6\x67\x67\x04\xa7\xf0\x99\x7f\x22\x5f\x11\x56\x36\x8e\x06\x42\x88\x9b\xe3\x06\xf3\x39\xf7\xcd\xfb\x04\x40\xb2\xb9\x9d\x99\x88\x5c\x36\x35\x63\xdc\x58\xee\x4e\x14\xb2\x26\xfd\x90\xe4\x1e\x18\xb0\xbd\xb8\xd1\xfb\x37\xe0\xf9\x19\x13\xf0\x3d\xa2\x22\xc9\x8d\xf6\x47\x83\xab\x64\x86\xd0\x31\x19\xbc\xa2\x08\x0b\xef\x6a\x46\x73\xa9\x21\x68\xf1\x78\xce\xd4\xd7\x30\x3d\x0e\x58\x0a\xfe\x16\x32\x1e\xef\x24\x6b\x34\xa9\x21\x94\xc2\x46\x5b\x05\x7f\x3b\x63\xf6\x72\xd1\xdc\xfc\x11\x08\xc6\x91\xbf\xf9\x23\x63\xed\x8f\xa7\x24\x58\x29\x7e\xac\xd4\xb9\x12\x34\x9a\x46\x31\x95\xa6\x18\x6a\x0a\x48\x99\x70\x0d\xfa\x45\x85\x84\xb1\xbd\xb3\x43\xa9\x88\xc4\x35\x7a\x4d\x86\xff\xbc\x45\x0d\x4b\x90\x58\xa0\xc0\xc8\x91\x24\x8d\x6c\x71\x7e\x0e\xce\x95\x36\x92\x7c\xce\x4d\xfa\x71\xca\x13\x42\x70\xa9\x89\x19\x09\x2f\xf7\x67\x66\x1c\xf6\x57\xf9\x43\x2c\xc9\x09\x73\x6d\xea\x51\x13\x7e\x32\x27\xc0\xad\xba\x93\x90\x56\x80\x27\x11\x24\x35\x04\xd3\xe1\xff\x31\x3a\x23\x5d\x17\x46\xd2\x4c\xbf\x18\xf8\x3e\xad\xec\x6b\x03\x82\x39\x15\x40\xed\x24\x6b\xa8\xf9\x4f\x62\x1a\xf8\xb2\xa3\x66\xa7\x0d\xf1\x4e\xeb\xa4\xa6\xc2\x46\xb2\x2a\xab\xc2\x98\xd5\x1c\xb2\x89\x2f\x3d\x45\xfd\x57\x27\x21\x00\x38\xb6\xe8\xd1\x95\x02\x9e\x8a\x34\x54\xbc\xac\x1e\x16\x3c\xfb\x38\x71\xc1\x81\xfd\xc0\x69\x9e\x72\x2b\x77\x1f\xf5\x55\x20\xe8\x9f\x69\x48\x5f\xa8\xf4\x30\xfe\x2a\xc3\xb0\x0d\x4c\xe8\x88\x73\x25\x42\x4e\x9e\x5d\xd6\x40\x1f\x69\x9a\x37\x42\x01\x43\x1f\x39\x52\x0a\x8a\xfa\x32\x93\xdf\x4a\x41\x83\x73\x55\xfa\x00\xde\x61\x34\x1c\x98\x3e\x10\x7e\x28\x32\xa2\x31\x8f\x22\x10\xc5\x10\x2d\x62\xe0\xd7\xde\xe8\x47\x2b\x26\xeb\x4b\x89\x81\x99\xef\x5f\x2a\x70\xa3\x67\xd4\x03\x0b\x87\x66\x61\x73\xc5\x26\x31\x54\xbd\xfd\x5e\xd5\x72\xf9\x90\xbf\xce\xae\x68\x31\x42\x71\x80\x68\x21\x5c\xe2\x77\xab\x36\xe6\xde\xdd\xac\x97\x48\x62\xc0\x8a\x49\xb0\x86\xaf\x6c\x2a\xe5\xb4\xb9\x10\x6e\x0a\x8e\xf7\xe8\x27\xad\xca\x80\xfd\x66\x22\xb1\x34\x2a\x26\x61\x61\xbc\x5f\xd5\x78\xbd\x2e\x0d\x6e\x1f\xd8\x99\x9f\x57\xb5\x0a\xff\xba\x43\xc5\xc7\x57\xaa\x6c\xf9\xd4\x57\x3b\xe6\x5c\x06\x53\x3a\xd1\xf4\x97\x1a\x4f\x74\x4c\x4b\xee\x98\x48\x25\x09\x79\x5e\xdc\x82\x3c\x54\x8f\x10\x04\xf8\xc9\xa0\xf2\x3a\x03\x97\x83\x81\xce\x02\xab\xed\x8c\x34\x99\xf9\x08\x2c\x71\xc3\x89\x08\x84\xd2\xde\x99\x5f\x24\x45\x8e\x62\xa9\x69\xd8\x6b\x8a\x92\x20\xf4\xfe\xaf\x7f\xc1\xfa\x8a\x0e\x8e\x42\xce\xd7\x62\xd4\x7b\x52\xb0\x7b\x50\x4b\x43\xd1\x1f\x40\x25\xac\x1b\x30\x6e\x3a\x1d\x0b\x83\xd4\xff\x75\xa6\x46\xb3\xb3\x4f\x8c\x1a\x16\xdb\xce\xc0\xbc\xe8\x97\x55\xf8\xa0\x7a\xca\x9c\x27\x26\x2d\x8b\x01\x57\xf6\x37\xd4\x92\x03\xde\x1c\xfc\xb2\x30\x36\x41\x3e\x8d\x0b\xe6\x53\xc3\xa4\x26\xc2\x86\x50\xa7\xd2\xcd\x7e\xe2\x28\x99\xc1\xd0\xf8\xfb\x37\x68\xc8\x0d\x14\x16\x77\xe0\x72\x0a\x8e\xf6\x73\x98\xee\xbf\xad\x8f\x71\x50\xde\x0b\x99\xda\x75\x26\xee\xd6\xa3\x47\xd1\xc0\xfd\xdd\x06\x72\x30\x58\xa4\x9e\x58\x45\xc8\x17\x21\xcd\xca\xa8\x24\x39\xb1\x16\x83\xc5\xb6\xfd\x1a\x8c\x82\xc0\x75\xf0\x77\x73\xb2\x34\xd1\xf8\x1d\x9f\x0c\x80\xd6\x48\x2c\xd2\x1f\x34\xe5\xcf\x71\x58\xf6\x08\xd4\xca\xdf\xc1\x57\x9f\x1b\x68\x64\x5e\x1e\x50\x15\x69\x4e\xa8\x42\x07\xfa\x41\xa4\x30\x6b\xb6\x1a\x64\x87\x76\xb5\xa7\x14\x03\x62\x18\x24\x86\xc0\xf3\x5b\x19\x83\xcf\xdb\xa1\xd7\xc7\x58\x4e\x4c\x50\x97\xff\xb9\x8d\x12\xd3\xd0\xea\xa1\x69\xb3\x7a\xd8\xc7\x46\xd8\xb6\x96\xa7\x07\xe4\x5a\x3f\xf0\xf6\xb0\xc9\x31\x8d\x71\x29\xb6\xa4\x6c\x9f\x86\xde\x6e\xab\x4c\x89\xc3\x5b\x18\x5b\xc6\xc6\x93\x46\x4a\x27\x87\x81\x7b\xc3\xcd\xd8\xfe\x8c\xc6\xbc\x3d\x6f\xae\x79\x19\x8f\x87\xc7\x13\xe2\x11\xa0\xc5\x18\x75\x23\xea\x19\x4c\x08\xf9\x65\x7a\x38\xdc\xae\xb1\xeb\x73\x46\x17\xd5\x9b\xf6\xf8\xa1\xeb\x9d\x5f\xdc\x15\x5c\x96\x5a\x94\xc1\x08\xe6\xc0\x8b\x3b\x12\xee\x2b\x6e\xb3\xff\x0f\x08\xa6\xbc\x61\x17\x51\x39\xa6\x45\xfd\xf3\xb5\x1d\x4b\x70\xf8\x69\xc4\x29\xf9\x62\x2b\x78\x1a\x61\xff\x00\x53\x98\x4c\xdc\x94\xd0\x6e\x2e\xde\x17\x2a\xa8\x93\xdf\x4f\xb9\x13\xc7\x30\x79\xd1\xd6\xdb\xb0\x0a\x3e\x60\x7a\xc7\x2a\x58\x82\x00\x8d\x62\x60\x55\x32\x4b\xf3\xda\xc6\x6b\x41\x38\x94\x8b\xc7\x2a\x7d\x6d\x59\x9f\x5d\x37\xa2\x99\x9d\x7f\x5b\x79\xb6\x8e\x6b\xaa\x47\xeb\x94\xa6\x23\x40\x6d\x35\xd2\xcc\xbc\x2e\x05\x1e\x9d\xbf\xb5\x74\x8e\x62\xf5\x1d\xec\xff\x7d\x9b\x90\x1a\xc2\x70\x1b\x9e\x86\xa8\x17\xec\x00\x43\x64\x23\x4c\xf0\x76\xc4\xec\x62\xd5\x0d\x6f\x60\x85\xff\x37\x88\xeb\x10\xe2\x55\x4f\x36\x74\xfd\x61\x80\xb6\xf4\x34\x84\x04\x14\xc8\xcb\x15\x37\x38\x9c\xbf\x95\xe5\xa4\x15\x26\xbc\xf4\xde\x48\xab\xba\xc8\xec\xd1\x37\xf1\x0d\x4e\xd8\x99\x5b\x35\xa9\x91\xa9\x90\x17\x95\xe9\x50\x5d\xe0\xe2\xbb\x96\x72\x75\x1a\xc4\xe9\xd6\x52\x5c\x69\x48\xf8\x92\xff\xbf\x7d\x12\x58\x28\xb9\x4e\xe5\xa9\x24\x47\xe6\x77\xce\xd8\xa6\x81\xa2\xf3\x6e\xa6\xaa\x9f\x38\xba\x6f\x46\x24\xb0\x35\xbf\x3b\x87\x04\x95\x07\x37\x47\xa0\xef\xb7\x4e\x92\x71\x88\xa7\xba\x16\x4a\xa1\x31\xf9\x45\x16\xd4\x8b\x5b\x57\x38\xb2\x62\x94\x0b\xc6\x85\x22\xa0\xd1\x4e\xba\xab\x16\x74\x48\xfd\xf9\xd8\xd1\xbf\xce\x14\x4f\x8c\x6d\xae\x28\xaa\x55\x8d\x57\xc5\x34\x10\xcb\x23\x5d\x7c\x76\xdf\x41\x53\x31\xd0\xc7\x0d\xaf\x43\x0e\x1d\x7d\x76\x79\x5a\x8f\xc4\x3f\x1b\x6d\x47\xa9\xf5\xef\x1a\x9d\x4d\xbb\xe9\x0b\x61\x09\xa9\x52\x16\x2e\x2a\x97\x59\x6f\x0a\x61\xab\x94\x72\xf1\x96\x01\x75\x39\x3d\x5f\x2c\x94\xe2\xee\xfd\xa7\x23\xaa\xc8\xc8\xe0\x94\xc3\xae\x8c\x17\xd5\x33\xb5\x1b\xc9\x06\xef\xcb\xe8\xbf\x61\xc8\x61\x66\x9d\xca\xe4\xb7\xa9\x67\x9e\xd5\x62\x73\x3c\x7a\xe9\x7c\x61\x8f\x30\xd5\x75\x76\xab\x3b\x1f\xe2\xda\x72\xef\x43\xf4\xd4\xaa\xad\x88\x13\x69\x6a\xd4\x85\x20\xc1\x1d\x0b\x02\x7c\x81\xed\x84\xc0\x7e\x8b\x1a\x12\x2f\x5d\x15\x08\x70\x2e\xd8\x31\x33\xb2\x7f\x44\x50\x76\x9a\x30\x08\x5e\x37\x2b\x99\x4b\x68\x82\x67\xa3\xae\xf2\x8c\xf9\xe9\xa0\x8b\xae\x19\xb4\xb7\x95\x48\x2a\xff\x78\x0b\x25\x2b\xf8\xa3\xef\x4f\x5c\x9f\x20\xae\xbe\xa6\x8e\x3c\x28\xa9\xd7\xc9\xe5\x9a\x95\xe9\x83\xa1\xd4\x96\xda\xeb\x63\xa8\x26\x8b\x73\x76\xe3\x94\x2a\xb2\x12\x66\xee\x37\x4e\x3b\x01\x60\x72\x28\xb2\x75\x09\xe3\xad\x89\xe8\x1d\xf4\xef\xd2\x43\x85\xdf\x15\xa9\x67\xe5\x30\xcc\x4c\xdc\x8d\xbd\x21\xe4\xf1\x1e\xc8\xc8\x7a\xc9\xc5\x4a\x5d\xda\x96\xc8\xd3\x6e\x9b\xd0\x06\xc4\xc5\x49\x19\xd6\xbc\x56\xb0\xc8\x2b\x5c\xcf\xb8\x29\xcf\xa9\xb9\x89\x68\x86\xfd\x78\x3e\x2a\x76\xee\x65\x57\x06\x6b\xd7\xf3\x01\xe6\xff\x17\x27\xf5\xc3\x0f\x98\xee\xc0\x52\xd2\x36\xda\xc5\xf5\x71\xf1\xea\x9a\xc2\x15\xd2\x2f\x9b\xc3\xc1\x05\x27\x50\xb6\x89\x18\x81\xf4\x5c\xf3\x27\x5d\xee\xb0\xe4\xc0\x59\x2a\x80\xb7\xf5\x41\x41\x61\x55\xc3\xc7\xf3\xfc\x2f\xab\x83\x2e\x09\x16\x9b\x08\xc8\x41\x14\xf9\xce\xe8\xcf\x33\xad\x18\x45\xd9\x9f\x3d\x54\x28\x7e\xaf\x9f\x1b\x96\x41\x2f\x36\xa9\xd7\x0a\x57\xec\x7e\x4b\x11\x21\x19\x40\xa2\xf8\x4e\xe1\x80\x38\xfe\x2f\xdb\xb0\x99\x8b\xf1\x49\x4d\xd1\x38\x28\x5c\x3c\x76\xdd\x95\x2b\xab\x27\xa2\x5d\x38\xca\x58\x74\x12\x0e\x77\x8b\x31\x72\x8b\x9b\x91\x6e\x04\xee\x0a\x46\x8c\x7f\x2f\xff\x5a\xb0\xfd\xb8\xb7\x1a\x71\xd6\x58\x4a\x7d\x3c\x74\xe1\x3e\xcf\x94\xbd\xc4\xe2\x41\xa3\x4b\x8d\xa5\xcd\xcb\xf9\xb2\x81\xc0\xe7\xa9\x1f\x75\x3d\xba\xca\xa8\x50\x3e\x95\x2f\x1e\xbc\xf7\xe5\x9d\xcd\x3a\xf2\xba\xff\xe6\x51\x66\xed\x82\xd1\x02\x03\xf2\x6e\xd2\x21\x33\x16\x75\x71\x24\x74\x35\xef\xbd\x98\xa0\x6a\xbb\xe9\x6f\x6f\xe9\x96\x94\x05\x0f\xf8\x1f\xd0\x90\x41\x4b\xc9\xde\x21\x0e\x03\xf7\x9f\x80\x79\xef\x40\x40\xd1\x89\xbf\x03\x2a\x99\x7f\x43\x8e\x13\xb5\xd2\x46\x9e\x09\x69\x00\xe2\xb9\x86\x09\x9f\xe8\x75\xaf\x6e\x26\x0c\x37\xbe\x4c\xaa\x08\x9a\x94\x0a\xc0\x7e\x58\x49\xeb\xc0\x27\xbc\xf2\x89\xf6\x15\xf3\x73\x13\x05\x8f\x61\x35\xaf\x25\xf8\x25\xfc\x5f\x28\xce\x77\xa7\xf7\x31\x50\xd0\x06\xa0\x70\x31\x0f\x9c\xf2\x1f\xc5\x20\x7b\xc4\x00\xa6\x69\xd1\xeb\x66\x10\xfd\x12\x67\x8c\x1d\x23\xa7\x84\x34\xaf\x46\xbf\x7f\x25\xd8\x58\xf5\x6e\xc4\x19\x98\xd4\xb1\x7a\x96\x46\x14\xf2\xb5\xdd\xef\x2f\x10\x23\x15\x35\x53\xc8\x35\xcb\x7b\x82\x4a\x53\x11\xae\x38\xd6\xf2\x40\xf4\x1f\x45\x33\x00\x0e\x9b\xde\xd8\x22\x47\xb9\x04\x43\xe4\xed\x02\xdc\xad\xab\x7d\x6c\xe1\xf4\x32\xfe\x1a\x37\x2c\xb8\x13\xc3\x1a\xd1\x3e\xd8\xdc\x8e\xe1\x5b\xc6\xfe\x29\xf9\xa1\xbc\x5b\xaf\xcf\xf4\x40\x56\xac\xbc\xbc\x7e\xff\xfe\xac\x32\xc5\x10\x5d\x43\x50\x7d\x9c\xf2\xf5\x42\x9c\xa7\x18\x97\xc1\x6b\xe9\x71\x96\xb6\xda\x7d\x69\x19\x9b\x09\xfc\x36\xad\xd0\x7b\x0e\x18\x9a\xca\xc5\x23\x66\xd1\x10\x44\x22\xf3\x96\x4c\xd5\xc8\x14\x92\xb2\x55\x0a\x7f\x7f\x17\xa6\xe3\x8f\xf9\xbc\xf3\xe9\x72\x55\x52\x97\xf1\x97\x21\x52\x93\xe0\xdd\x78\x8f\x0d\x8a\x1f\x76\x52\x4c\xf5\x4c\x72\xc0\x3e\xba\x64\x92\xf9\x3b\x43\x68\x99\x9b\xb3\x07\xcd\xa5\x7b\xbb\x03\x9a\xf5\xe0\x31\x9c\x27\x62\x5c\x85\x89\x44\xa2\xa7\xc5\x56\xf0\x90\x61\x24\xc6\x1c\xb7\x38\x5d\x1f\x65\x1d\x8c\x5f\xee\x23\x81\xcc\x17\x51\x9d\x20\x60\x80\x99\xd6\xce\x7e\xdf\x9b\xa8\xfd\x02\x49\x26\x30\xf8\x6e\xc6\xe7\xa6\x81\xf8\xe0\x29\x20\x95\x01\x28\xdf\xef\x59\x81\x4a\x29\x21\x37\xaa\x1a\xe7\xee\x2b\x25\x0a\x87\xda\x9d\xfb\x01\x31\x20\x5f\x96\xe6\x12\xd1\x17\x8d\xff\xd4\xf9\xf5\xad\xf3\xb6\x82\x70\xc4\x8c\xb4\x67\x72\x00\xca\xee\x70\x9f\xa3\x73\x3c\x17\xa9\xa3\xa7\x1a\x36\x41\x88\xec\x12\x17\x9a\x1a\x22\x86\x4b\xba\xc0\x09\x72\xe1\x9e\x35\xce\x6e\xe8\x4a\x6d\xf1\xdc\x95\xc5\x5b\xda\xf3\x7c\xe0\x3f\xcc\xf1\xf0\x9e\xdb\xe7\xce\x23\x1b\x06\x46\x47\xae\xc7\x4c\xd0\xe4\x5a\x22\x4d\xd4\x21\xe6\xa9\x47\x19\x98\xa0\xd4\x71\x70\x0c\xd4\x7a\x61\xfd\xc7\x28\x65\x18\xfa\x88\x9f\xf8\x07\x7c\x39\x50\xab\x0e\x72\x4a\xc8\x7d\xdb\x80\x43\xe6\x9c\x6d\x71\xd2\xc0\xb6\x07\xe4\x27\x6f\x19\xec\xc0\x23\x63\x34\x89\x5d\xc5\xb5\xa6\x6b\x32\x3c\xfb\xb7\x66\xd5\xdc\x1c\x3c\x30\x1c\x0e\xbe\x2b\x47\x17\x5b\xf0\x19\x2f\x3e\x2c\xc0\x25\x0c\xcb\x80\x7c\x0d\x46\x6b\x8b\x0a\x85\x28\x01\xbc\xf1\x2c\x27\x0e\x2a\xcf\xee\x34\xc7\xcd\x17\x6e\xf9\xb3\x8b\x3d\x59\x5c\x00\x89\x80\xf4\x56\x5d\x02\x02\x3c\x40\x73\x20\x83\xff\x6e\x9d\x70\x0d\x58\x23\x27\xe0\x64\xab\x33\x56\x11\x0c\xf3\x50\x7a\x43\xa0\x53\x8f\x30\xda\x27\x4c\xf0\x45\x6a\x6e\x8f\x98\x47\xa2\x39\xe7\x2b\x99\x62\x1c\xde\x34\xe1\xb6\x02\x63\xd3\xae\x53\xe2\xfd\x10\xd1\xb3\xef\x75\x44\x26\xee\xf7\x1b\xc1\xf7\x0f\xb2\xfb\x34\x21\xc4\x24\x9b\xad\xb3\xc1\x95\x92\x55\xd8\xa4\x0f\x66\xe1\x90\x64\xc4\xee\x01\x18\x50\x0d\x78\x05\x9c\x52\x86\xff\x7a\xa3\xb8\x3e\xc9\x0b\x7f\x6a\x06\xc9\xf2\x06\x76\x8e\xc3\xdc\xac\x63\x05\xc5\x8d\x10\x5c\xa2\xee\xe5\x32\xbe\x2f\xfb\x02\x13\xb3\x11\x3a\x97\x58\xe6\x81\xc8\x91\x01\xd9\xfb\x08\xbb\x4c\x63\x41\xf4\x66\x19\xaa\x56\xb5\x77\x79\xf7\xb9\x2a\x10\x17\x5e\x4e\xff\xa4\xd6\x11\x96\x67\x69\x94\x2a\x05\x97\x70\x7c\x64\x21\x36\x64\x9a\xbb\xb3\x5d\xd2\xc8\xf8\x34\x70\xfc\xb9\x58\xc4\x3f\xd6\x3e\x0d\x2c\x17\xcf\x1f\xf0\x07\x5c\xc4\x61\xd8\x30\x42\x9a\x3e\x08\xe4\x71\xce\x12\x7e\xcc\xc3\x27\x56\xec\xb3\x00\xcd\x86\xd0\x09\xbc\x96\xda\xc0\x15\xc7\xb6\x29\xde\xc2\x79\xa4\xa4\x50\xed\x24\x22\xc2\x3c\x6b\x31\x1e\x66\x3a\x0a\x90\xe1\xaa\x20\x4e\xbd\x0b\xbc\x71\x03\xe3\x18\x79\xb0\x4a\x47\x74\x58\x8e\xd8\x65\xb8\xa5\x51\x01\x7d\x4e\x85\xe7\x30\xb2\x00\xda\xfd\x7f\x4b\x5e\x7e\xb4\x8f\x35\xa7\x33\x4d\xcb\x74\x43\xc0\xe8\xa3\x4c\x38\x13\x0b\x53\x4a\x3c\x2e\xc7\x5d\x36\x89\x7e\x3a\xb9\x6b\xfa\xa4\x0a\x99\x05\x44\x73\x5e\x35\x97\xcf\xa6\xad\xa2\x45\x53\x14\xa7\x21\xe5\x33\x34\xc8\x4c\x73\x62\x45\xfb\x2d\x4d\x98\x63\x10\x35\x73\x4c\x0d\x69\x2b\xb6\x95\xbc\x5d\xc7\xff\xf6\x8e\x71\xe6\xc6\x72\x1b\x01\xa2\x83\xa7\x98\x4b\x55\xa8\x8b\x3e\x73\x0c\xee\x64\xb9\xe9\xe6\x34\x3e\xa3\xc1\x8f\x42\x7c\x01\x84\xcb\x44\x90\x46\x89\x01\xe8\xac\x07\xe8\x8a\x0e\x68\xf2\x8c\x1d\xb6\x40\x6d\x09\x85\x3b\xd3\xe0\x97\xda\x56\xc1\xff\x58\x1e\x93\x2d\xfa\xb3\xfd\x2a\x76\xe9\x1a\xc6\x5c\x5c\x51\x27\x73\x06\x0b\xa4\xcc\x3e\xea\x4c\x6b\xa4\x56\x76\x51\x78\xb8\xad\xbc\x75\x14\xb0\xc9\xab\x48\x62\x1b\xbd\x0d\x31\x47\x1d\x15\x67\x9e\xcf\xa9\x94\x46\x32\x53\x90\x6e\x60\xee\x8d\xb9\xe8\xab\x1f\xa1\x35\x97\x62\xc0\x2d\x61\xca\x4e\xf8\x6e\xd5\x91\x62\x60\x0d\xce\x33\x62\x2e\x6e\x88\x16\xee\x18\x6b\x00\xa3\x06\x22\x08\x9e\x90\x39\xfb\xc1\x97\xc5\xd1\x90\x67\xaa\xcb\xdf\xd4\x37\x6c\x75\x3f\x66\xf0\xb2\xa6\x95\x89\x90\xcc\x8d\x81\x6e\x3e\xae\x6b\x94\xa6\x5b\xfa\x17\x36\xed\x98\x7a\x9d\xab\x75\xb5\x41\x72\xb3\xc9\xd9\xba\xae\x4c\xf2\x29\x75\x39\xd0\xfc\x7f\x72\x4b\x59\x96\x4b\x6b\x50\x4c\x52\x28\x64\xae\x30\x47\xf2\x61\x44\xfc\xdf\x29\xee\x2d\xa8\xb0\xde\x86\xc7\x35\x2b\x20\x54\xd0\xa5\xd5\xa4\x97\x8a\x25\x60\xd9\x80\xee\x75\x1d\x28\xc4\xc7\x50\x0a\x7e\x46\xc6\x97\x85\x14\xf0\x3c\xf8\xdf\x75\x5e\xba\xbd\x3a\x89\xaf\x41\xfa\x67\x34\xdd\x6d\xf5\x75\x6f\xc1\x13\x0d\xcc\xe4\x44\x0f\x57\xb0\x04\x87\xa2\xef\x7c\xe7\x06\x87\x55\x3b\xfd\x1d\xce\xcb\x0c\x25\xbc\x1c\xb4\x21\xb0\x0b\x19\x12\x18\xec\x1d\x63\x45\x5c\xc8\x58\xda\x4f\x66\x97\x99\xca\x4d\x39\xfc\xa4\x1a\xa1\x58\x90\x68\xdb\xbb\x2e\x3c\xf9\x11\x1a\x5b\x02\xc7\xf9\xcf\xaa\x1b\x04\x62\xd4\x5b\x9c\xa1\xa7\xd3\xdf\xc5\xad\x5c\x15\x2c\xf8\xa4\x89\x2e\x9f\xde\xf9\x9f\xa8\xa4\x9d\x02\x7f\xb6\xd1\x63\xc6\x08\x37\x0f\x9d\x22\x98\x98\xee\xc2\x72\xd8\x8c\xb0\xc9\xf3\xcf\x80\x6b\xf8\xcb\xf4\x37\xd4\xca\xd3\xab\xd2\xa9\x4d\x53\xb3\x26\xb3\x00\xd9\xeb\x01\xd2\x00\x35\xb4\x19\x5b\x05\xa7\xcf\x75\xd7\xe3\xaf\xf4\x27\x74\xd2\x03\xc8\xc9\xe3\xe9\x2f\xc8\x98\xb0\xff\x50\x81\xbc\x7b\x2e\xbb\xfc\x48\xad\x18\x03\x01\x00\x00\xff\xff\x8b\xe0\xeb\xc3", 4112); syz_mount_image(/*fs=*/0x200000016bc0, /*dir=*/0x200000016c00, /*flags=MS_SLAVE|MS_REMOUNT|MS_NOEXEC|MS_NODIRATIME*/0x80828, /*opts=*/0x200000016c40, /*chdir=*/0, /*size=*/0x1010, /*img=*/0x200000016cc0); break; case 59: memcpy((void*)0x200000017d00, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000017d00, /*id=*/9, /*flags=__O_TMPFILE|O_NOCTTY|O_EXCL|O_DIRECT|O_CLOEXEC|0x400*/0x484580); break; case 60: res = syscall(__NR_getpgid, /*pid=*/r[16]); if (res != -1) r[42] = res; break; case 61: memcpy((void*)0x200000017d40, "net/if_inet6\000", 13); syz_open_procfs(/*pid=*/r[42], /*file=*/0x200000017d40); break; case 62: syz_open_pts(/*fd=*/r[33], /*flags=O_PATH|O_NONBLOCK|O_LARGEFILE*/0x208800); break; case 63: syz_pidfd_open(/*pid=*/r[19], /*flags=*/0); break; case 64: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[43] = res; break; case 65: syz_pkey_set(/*key=*/r[43], /*val=PKEY_DISABLE_ACCESS*/1); break; case 66: memcpy((void*)0x200000017d80, "\x78\x9c\x00\x93\x00\x6c\xff\xa4\x51\x5c\x20\x6d\xec\x63\x25\x4e\xaf\x44\xc2\x33\xe0\x2f\x98\x97\x92\x6a\x17\x55\xe9\x12\xa6\x87\xbb\x89\xb1\xfa\xa0\x5f\xf9\x0f\xf6\x40\x2b\xc5\xe9\x75\x6f\x02\x03\x9a\xe3\xb9\x2c\xdc\xbc\x20\x3e\xfb\x43\x79\x97\x11\x96\x1f\x15\xf1\xa9\x29\x78\x2c\xb9\x86\xa7\x76\xe7\xb0\xfe\x60\x61\xbd\x20\x65\xdc\xa6\x1f\x00\xc5\x5b\xc5\x43\x7b\x98\x0f\xfc\x36\x79\x9e\x29\x87\x3d\xb9\x38\x2c\xdb\x1c\x64\x53\x5e\x09\xdb\x7a\xcd\xc3\x61\xf2\x2f\xd3\xb1\xd5\x64\x09\x9d\x55\xe5\xeb\xb0\x07\x85\x92\xcd\x5e\x96\xc5\xdf\xe6\x1b\x08\x36\x81\x36\x77\xf3\xce\xd9\x1b\x16\x07\xe4\x38\x9b\x94\x8b\x98\x40\x01\x00\x00\xff\xff\xda\x37\x48\x83", 163); syz_read_part_table(/*size=*/0xa3, /*img=*/0x200000017d80); break; case 67: syz_socket_connect_nvme_tcp(); break; case 68: *(uint8_t*)0x200000017e40 = 0x12; *(uint8_t*)0x200000017e41 = 1; *(uint16_t*)0x200000017e42 = 0x200; *(uint8_t*)0x200000017e44 = 0x8d; *(uint8_t*)0x200000017e45 = 0xd8; *(uint8_t*)0x200000017e46 = 0x82; *(uint8_t*)0x200000017e47 = 0x10; *(uint16_t*)0x200000017e48 = 0x1bbb; *(uint16_t*)0x200000017e4a = 0x203; *(uint16_t*)0x200000017e4c = 0xa779; *(uint8_t*)0x200000017e4e = 1; *(uint8_t*)0x200000017e4f = 2; *(uint8_t*)0x200000017e50 = 3; *(uint8_t*)0x200000017e51 = 1; *(uint8_t*)0x200000017e52 = 9; *(uint8_t*)0x200000017e53 = 2; *(uint16_t*)0x200000017e54 = 0x733; *(uint8_t*)0x200000017e56 = 3; *(uint8_t*)0x200000017e57 = 0xb; *(uint8_t*)0x200000017e58 = 1; *(uint8_t*)0x200000017e59 = 0x80; *(uint8_t*)0x200000017e5a = 1; *(uint8_t*)0x200000017e5b = 9; *(uint8_t*)0x200000017e5c = 4; *(uint8_t*)0x200000017e5d = 2; *(uint8_t*)0x200000017e5e = 5; *(uint8_t*)0x200000017e5f = 0; *(uint8_t*)0x200000017e60 = 0xf; *(uint8_t*)0x200000017e61 = 0xcd; *(uint8_t*)0x200000017e62 = 0x1f; *(uint8_t*)0x200000017e63 = 0xf3; *(uint8_t*)0x200000017e64 = 6; *(uint8_t*)0x200000017e65 = 0x24; *(uint8_t*)0x200000017e66 = 6; *(uint8_t*)0x200000017e67 = 0; *(uint8_t*)0x200000017e68 = 1; memset((void*)0x200000017e69, 60, 1); *(uint8_t*)0x200000017e6a = 5; *(uint8_t*)0x200000017e6b = 0x24; *(uint8_t*)0x200000017e6c = 0; *(uint16_t*)0x200000017e6d = 0x80; *(uint8_t*)0x200000017e6f = 0xd; *(uint8_t*)0x200000017e70 = 0x24; *(uint8_t*)0x200000017e71 = 0xf; *(uint8_t*)0x200000017e72 = 1; *(uint32_t*)0x200000017e73 = 2; *(uint16_t*)0x200000017e77 = 8; *(uint16_t*)0x200000017e79 = 3; *(uint8_t*)0x200000017e7b = 1; *(uint8_t*)0x200000017e7c = 6; *(uint8_t*)0x200000017e7d = 0x24; *(uint8_t*)0x200000017e7e = 0x1a; *(uint16_t*)0x200000017e7f = 7; *(uint8_t*)0x200000017e81 = 6; *(uint8_t*)0x200000017e82 = 8; *(uint8_t*)0x200000017e83 = 0x24; *(uint8_t*)0x200000017e84 = 0x1c; *(uint16_t*)0x200000017e85 = 0xc; *(uint8_t*)0x200000017e87 = 6; *(uint16_t*)0x200000017e88 = 0x122; *(uint8_t*)0x200000017e8a = 0x12; *(uint8_t*)0x200000017e8b = 0x24; *(uint8_t*)0x200000017e8c = 7; *(uint8_t*)0x200000017e8d = 0x8b; *(uint16_t*)0x200000017e8e = 7; *(uint16_t*)0x200000017e90 = 0xfff9; *(uint16_t*)0x200000017e92 = 5; *(uint16_t*)0x200000017e94 = 3; *(uint16_t*)0x200000017e96 = 0xad97; *(uint16_t*)0x200000017e98 = 3; *(uint16_t*)0x200000017e9a = 0; *(uint8_t*)0x200000017e9c = 0xac; *(uint8_t*)0x200000017e9d = 0x24; *(uint8_t*)0x200000017e9e = 0x13; *(uint8_t*)0x200000017e9f = 0xb; memcpy((void*)0x200000017ea0, "\x78\x4f\x7b\xf4\x55\x93\xf2\x14\x5d\x18\xe4\x9b\xc5\x2e\xdb\x01\x14\x22\x49\x1e\xba\x8f\xc4\x0e\xbe\xd3\x4d\x5d\x81\x30\x4d\xa0\xa3\x55\x65\xec\x20\x36\x11\x7b\xec\x4b\x01\xef\x8f\x75\xc9\xd5\x4e\x74\xb4\x53\x16\xd0\xe1\x67\x2a\x97\xb6\x31\x72\x9b\xcb\x7d\xc9\x9b\xde\x68\x28\x91\xbd\x59\x54\xd9\x45\xf4\x12\x97\x9e\xca\xe7\xee\x08\x6c\x36\x50\xd3\xf9\x76\xa9\x90\xed\xea\x93\x2d\xc3\x08\x5d\x9c\x08\xf2\x0b\xad\xce\xbf\x87\xa9\x7b\xa3\x61\x51\x78\x8d\xaa\x2e\x6b\xe4\x56\x75\x38\x01\x39\xcb\x89\xa1\x7f\x95\xa6\x5c\x87\xa2\x72\xb1\x83\x87\x36\x60\xc9\xb6\x3c\xee\x55\xc4\x3a\xe5\xdf\x58\xb4\x5f\xbe\x08\xf0\x0a\x86\xc6\xb1\xdf\xbd\x51\x7b\x7d\xcd\xca\x1c\x6c\x75\xcd\x37", 168); *(uint8_t*)0x200000017f48 = 6; *(uint8_t*)0x200000017f49 = 0x24; *(uint8_t*)0x200000017f4a = 7; *(uint8_t*)0x200000017f4b = 1; *(uint16_t*)0x200000017f4c = 0xa; *(uint8_t*)0x200000017f4e = 9; *(uint8_t*)0x200000017f4f = 0x21; *(uint16_t*)0x200000017f50 = 0x9a; *(uint8_t*)0x200000017f52 = 8; *(uint8_t*)0x200000017f53 = 1; *(uint8_t*)0x200000017f54 = 0x22; *(uint16_t*)0x200000017f55 = 0x373; *(uint8_t*)0x200000017f57 = 9; *(uint8_t*)0x200000017f58 = 4; *(uint8_t*)0x200000017f59 = 0xb8; *(uint8_t*)0x200000017f5a = 0xc; *(uint8_t*)0x200000017f5b = 0xf; *(uint8_t*)0x200000017f5c = 0xc3; *(uint8_t*)0x200000017f5d = 0x47; *(uint8_t*)0x200000017f5e = 0xe8; *(uint8_t*)0x200000017f5f = 0x7f; *(uint8_t*)0x200000017f60 = 9; *(uint8_t*)0x200000017f61 = 5; *(uint8_t*)0x200000017f62 = 0x80; *(uint8_t*)0x200000017f63 = 2; *(uint16_t*)0x200000017f64 = 0x410; *(uint8_t*)0x200000017f66 = 0xd9; *(uint8_t*)0x200000017f67 = 0xf6; *(uint8_t*)0x200000017f68 = 0xe; *(uint8_t*)0x200000017f69 = 7; *(uint8_t*)0x200000017f6a = 0x25; *(uint8_t*)0x200000017f6b = 1; *(uint8_t*)0x200000017f6c = 0xc; *(uint8_t*)0x200000017f6d = 5; *(uint16_t*)0x200000017f6e = 2; *(uint8_t*)0x200000017f70 = 9; *(uint8_t*)0x200000017f71 = 5; *(uint8_t*)0x200000017f72 = 0xc; *(uint8_t*)0x200000017f73 = 0; *(uint16_t*)0x200000017f74 = 0x40; *(uint8_t*)0x200000017f76 = 2; *(uint8_t*)0x200000017f77 = 2; *(uint8_t*)0x200000017f78 = 6; *(uint8_t*)0x200000017f79 = 9; *(uint8_t*)0x200000017f7a = 5; *(uint8_t*)0x200000017f7b = 0xb; *(uint8_t*)0x200000017f7c = 3; *(uint16_t*)0x200000017f7d = 0x7b4d; *(uint8_t*)0x200000017f7f = 6; *(uint8_t*)0x200000017f80 = 8; *(uint8_t*)0x200000017f81 = 5; *(uint8_t*)0x200000017f82 = 0x82; *(uint8_t*)0x200000017f83 = 0x11; memcpy((void*)0x200000017f84, "\x45\x83\x6f\x6c\x3f\x51\x25\x72\x5e\xd5\xb9\x6b\x96\xb2\x91\x1a\xdb\x85\x37\x0c\xeb\x59\x89\x89\x4b\xd8\x34\x17\xee\x42\x27\x6c\xe8\x0f\xe7\x34\xdb\x8d\x2d\x94\xf2\xfe\x8c\x75\xbf\xd0\x42\xfb\x63\x2c\xfa\x5d\x52\x54\xf9\xb0\xfa\xdc\x88\x5d\x62\x8a\x0d\xc9\x2e\x27\x4c\x02\xcd\x3b\xe0\x42\x1b\x60\x8e\x2c\x53\x8d\xe2\x0b\x20\x8e\xaa\xea\x7b\x51\xdc\x13\xbd\xf7\xf2\xe0\x0a\x6c\xbd\x30\x30\xdf\x9b\xac\xa6\x67\xe6\xcc\xc4\x2b\xdc\x2f\x5d\x82\x2a\x3f\xc2\x98\xb0\x60\xda\x91\x26\x5d\xd0\x15\x83\x22\x1a\x09\x89\x9f", 128); *(uint8_t*)0x200000018004 = 9; *(uint8_t*)0x200000018005 = 5; *(uint8_t*)0x200000018006 = 1; *(uint8_t*)0x200000018007 = 0x10; *(uint16_t*)0x200000018008 = 8; *(uint8_t*)0x20000001800a = 4; *(uint8_t*)0x20000001800b = 1; *(uint8_t*)0x20000001800c = 0xfc; *(uint8_t*)0x20000001800d = 9; *(uint8_t*)0x20000001800e = 5; *(uint8_t*)0x20000001800f = 5; *(uint8_t*)0x200000018010 = 0; *(uint16_t*)0x200000018011 = 0x3ff; *(uint8_t*)0x200000018013 = 0xd7; *(uint8_t*)0x200000018014 = 0; *(uint8_t*)0x200000018015 = 0; *(uint8_t*)0x200000018016 = 0xf6; *(uint8_t*)0x200000018017 = 0x22; memcpy((void*)0x200000018018, "\x67\x43\x9d\x73\x1f\x50\x70\x17\xa6\x2a\xb8\x9e\xb7\x11\x8e\x31\x5a\xab\x47\xbc\xe0\x0c\xfe\x09\x2f\x9b\x6b\x65\x27\x81\x2c\x05\x1d\x98\x78\x9a\x34\x1c\xd8\x57\x9c\x0c\x0f\x64\xf3\x53\xfa\xa6\x41\x37\x28\x67\x64\x0b\x73\x3b\xac\x8b\x88\x00\xb7\xba\xf1\x06\xd0\x3b\x36\xb9\x34\xeb\xf2\x4e\x84\xf5\x54\xe1\x48\x9e\x48\x41\x65\x47\xbb\x7c\x90\x48\x2f\xa4\x70\x64\x67\x39\x07\x68\x59\x8b\xfd\xde\xee\x37\xf9\x6a\x28\x6a\x2f\x72\x6e\xd8\x9e\x5c\xfe\xb0\xdc\xa1\x49\x45\x14\x5d\x57\x27\xfb\xd9\xb2\x94\x9f\x95\x28\xd0\x1e\x94\x8e\x63\x05\x19\x1b\xbb\xdf\xe6\x0f\x22\x3a\xe3\xa1\x98\x23\xce\x4a\x87\x97\xdf\x00\x4c\x04\x8b\x9c\x0d\x79\x3d\x17\x3e\x5a\x39\xaf\xc5\xea\xfe\x8e\xd8\x2b\x45\xd9\xac\x82\xfd\xfd\x1e\xf5\x90\xfa\x30\x0f\x32\xa4\x96\x84\x63\x0a\x4b\x39\x2f\xf5\x80\xee\xae\xff\x43\xc6\x07\xa9\x51\x69\x52\x55\x30\xc2\x4b\x18\x9d\xee\x91\x3c\xf7\xb9\xe1\xc1\xba\xfb\x11\x77\x1b\x05\xc7\x84\x72\x0c\x28\xeb\x00\x1a\xd2\x18\xd0\xa9\x2c\x1e\x32\x07\x16\x06\x73\x4e\xd9\x56\xb6", 244); *(uint8_t*)0x20000001810c = 7; *(uint8_t*)0x20000001810d = 0x25; *(uint8_t*)0x20000001810e = 1; *(uint8_t*)0x20000001810f = 4; *(uint8_t*)0x200000018110 = 3; *(uint16_t*)0x200000018111 = 0xd57d; *(uint8_t*)0x200000018113 = 9; *(uint8_t*)0x200000018114 = 5; *(uint8_t*)0x200000018115 = 1; *(uint8_t*)0x200000018116 = 0; *(uint16_t*)0x200000018117 = 0x400; *(uint8_t*)0x200000018119 = 0x93; *(uint8_t*)0x20000001811a = -1; *(uint8_t*)0x20000001811b = 0x5e; *(uint8_t*)0x20000001811c = 0x9f; *(uint8_t*)0x20000001811d = 0x22; memcpy((void*)0x20000001811e, "\xfa\xae\x6b\x7b\x5c\xb6\x0b\xaa\xbd\xbe\x69\xda\x80\xd6\x30\x6c\xc5\xc4\x8a\x7e\xee\xdd\x7a\x47\xa9\x2b\x69\x3f\x17\x79\x43\x85\xe5\xdf\x43\x42\x8f\xf8\x61\xb3\x89\xff\xfa\x4e\x90\x3a\x47\xcb\xec\x60\xc7\x94\xd7\x8a\x72\x87\xaf\xfd\x41\x62\x73\xfa\xe9\x78\xb7\x31\x3e\xbd\x0b\x4b\xa9\x0d\x2c\x47\xc1\xa1\xa6\x6f\x6a\x69\x8d\xca\xd6\x7c\x6b\x40\xc4\x82\xa0\x9d\x3b\x92\xc0\x54\x22\xf1\xee\xed\x15\x8b\xe3\x73\xe6\x62\x3f\x40\xf8\x2b\x25\x69\x7f\x8f\x79\x34\xc6\x0a\x81\xa4\x03\xf2\x2d\x91\x91\x66\xe0\x11\xd3\x1a\x64\x97\xa0\xc7\xa5\x12\xe4\xdd\xd8\x41\xb5\x44\x14\x54\xc1\xe1\x5d\x8a\x2a\xb3\xe7\x8f\x86\xa5\xcf\x03\xe7\x92\xe7", 157); *(uint8_t*)0x2000000181bb = 7; *(uint8_t*)0x2000000181bc = 0x25; *(uint8_t*)0x2000000181bd = 1; *(uint8_t*)0x2000000181be = 0xc; *(uint8_t*)0x2000000181bf = 1; *(uint16_t*)0x2000000181c0 = 9; *(uint8_t*)0x2000000181c2 = 9; *(uint8_t*)0x2000000181c3 = 5; *(uint8_t*)0x2000000181c4 = 3; *(uint8_t*)0x2000000181c5 = 0xc; *(uint16_t*)0x2000000181c6 = 0x10; *(uint8_t*)0x2000000181c8 = 0xb; *(uint8_t*)0x2000000181c9 = 3; *(uint8_t*)0x2000000181ca = 2; *(uint8_t*)0x2000000181cb = 0xb1; *(uint8_t*)0x2000000181cc = 0; memcpy((void*)0x2000000181cd, "\x33\xe5\xf9\x75\x6d\x19\xa3\xeb\x39\x2b\xa4\x5b\x9f\x38\x1d\xc2\xb0\x62\xee\x3c\xe9\x42\xa4\x85\xe6\x78\xa8\xea\x13\xf6\xc9\xea\xc7\x4e\xc9\x64\x1b\x11\x9d\x78\xa9\xe3\x6b\x32\x32\x7c\xfb\x53\x5d\x6e\xe4\x02\x91\x7d\x7b\x92\xa3\xef\x09\xa7\x93\x23\x73\x5d\xbe\xd9\xb6\x23\xca\x4b\x83\xdb\x01\x17\xd5\x37\xe5\xc5\x8c\x64\x05\xbb\x0f\xe3\x3b\xda\x56\xba\x38\x4b\x95\xfd\x46\x87\xdf\x02\x17\xb2\x23\xa0\xa5\x25\x06\x2e\xf2\x59\x59\x1d\xba\x73\xdb\x93\x6a\x7f\x85\xb8\x2d\xdd\xce\xd8\x21\x6a\xa4\xbc\x4e\xd6\x36\xa5\x7f\xc6\xe6\x83\xe3\xce\xb1\x0a\x63\xbe\x63\x33\x0c\x0e\xa4\xd2\xa5\xcf\xf5\xdb\x4a\xc7\x1a\xc1\x0c\xdc\xe3\xf5\xbd\x50\xc2\x9c\xa7\xd1\x55\x8d\xc5\xed\x7f\x06\xb2\x1d\xd7\xba\x9a\x0d\xc6", 175); *(uint8_t*)0x20000001827c = 9; *(uint8_t*)0x20000001827d = 5; *(uint8_t*)0x20000001827e = 5; *(uint8_t*)0x20000001827f = 0x10; *(uint16_t*)0x200000018280 = 8; *(uint8_t*)0x200000018282 = 0xd4; *(uint8_t*)0x200000018283 = 8; *(uint8_t*)0x200000018284 = 8; *(uint8_t*)0x200000018285 = 7; *(uint8_t*)0x200000018286 = 0x25; *(uint8_t*)0x200000018287 = 1; *(uint8_t*)0x200000018288 = 0xc; *(uint8_t*)0x200000018289 = 0; *(uint16_t*)0x20000001828a = 0x20a; *(uint8_t*)0x20000001828c = 7; *(uint8_t*)0x20000001828d = 0x25; *(uint8_t*)0x20000001828e = 1; *(uint8_t*)0x20000001828f = 0xc; *(uint8_t*)0x200000018290 = 9; *(uint16_t*)0x200000018291 = 5; *(uint8_t*)0x200000018293 = 9; *(uint8_t*)0x200000018294 = 5; *(uint8_t*)0x200000018295 = 5; *(uint8_t*)0x200000018296 = 0; *(uint16_t*)0x200000018297 = 8; *(uint8_t*)0x200000018299 = 7; *(uint8_t*)0x20000001829a = 7; *(uint8_t*)0x20000001829b = 1; *(uint8_t*)0x20000001829c = 0xd4; *(uint8_t*)0x20000001829d = 0xf; memcpy((void*)0x20000001829e, "\x73\x7d\x3a\x43\x15\x65\x8a\x8f\xfa\xd1\x24\xef\x25\x69\x21\x25\x49\x4e\x37\x60\x89\xb7\x0b\x3f\xa6\x3c\x98\xd5\x48\x31\x91\x45\xd9\xa4\x32\xc0\xa3\xa9\x10\x83\x5f\x2c\x89\xb9\x7e\x71\x68\xde\x3f\x5a\x68\xfc\x6d\x30\x86\xb5\xab\xbd\x9c\xad\x99\xb9\xf5\x7d\xf6\x6d\x7a\x2a\xf8\xb1\x1c\x90\x04\x1d\xd4\x4e\xa5\xcb\x90\xb0\x84\x93\xf1\xcc\x38\x39\x1a\xb3\x93\xed\xca\x7a\xfe\x19\xad\xa6\x84\xd6\x2c\x76\x02\x8a\x42\x83\xd3\xf7\xc4\xb6\xa2\x95\x30\xb4\x34\x5f\x74\xfe\xdf\x78\x70\x9f\x1a\x61\x72\xae\x09\x1c\x18\x10\x37\xaa\x8d\x41\x50\x3c\x85\x4f\x5d\x64\xa4\xe1\x77\x29\x82\xed\xb2\xfa\xeb\x1f\x1a\x4f\xfb\x5f\x1b\x62\x41\x5e\x46\xf1\xbb\x27\x37\x4d\x48\x24\x50\x31\xd0\x50\xdc\x55\x28\xc7\xd1\x9e\x7d\x9f\x4f\x71\x98\x39\x84\xe4\x4a\x63\x35\x75\xf1\xb7\x92\xd0\x6d\xb2\xad\xa0\xca\x60\xeb\x38\x96\xc7\xe5\x17\x98\x1d\x56\x7f\xe7\xb5\x8a\xd2", 210); *(uint8_t*)0x200000018370 = 9; *(uint8_t*)0x200000018371 = 5; *(uint8_t*)0x200000018372 = 2; *(uint8_t*)0x200000018373 = 0; *(uint16_t*)0x200000018374 = 0x3ff; *(uint8_t*)0x200000018376 = 5; *(uint8_t*)0x200000018377 = 0x47; *(uint8_t*)0x200000018378 = -1; *(uint8_t*)0x200000018379 = 9; *(uint8_t*)0x20000001837a = 5; *(uint8_t*)0x20000001837b = 0xd; *(uint8_t*)0x20000001837c = 4; *(uint16_t*)0x20000001837d = 0x10; *(uint8_t*)0x20000001837f = 9; *(uint8_t*)0x200000018380 = 9; *(uint8_t*)0x200000018381 = 4; *(uint8_t*)0x200000018382 = 7; *(uint8_t*)0x200000018383 = 0x25; *(uint8_t*)0x200000018384 = 1; *(uint8_t*)0x200000018385 = 8; *(uint8_t*)0x200000018386 = 5; *(uint16_t*)0x200000018387 = 1; *(uint8_t*)0x200000018389 = 0x84; *(uint8_t*)0x20000001838a = 4; memcpy((void*)0x20000001838b, "\xc2\x5a\x3f\xb7\x3a\x08\xd8\xb8\x8a\x25\xe3\x96\xfe\xe4\xb0\x18\xb4\x48\x7b\xcc\xab\xbf\xfe\x8a\xc9\x64\x09\x7b\x47\xdd\x92\x6e\x5c\xb6\x85\xc9\x56\x8c\x47\x38\xe1\xbc\x09\x72\xad\x10\xf1\x27\x89\xa9\xa8\x08\x0d\x7a\x49\x26\x30\xe9\xa1\x55\xa1\x2e\x26\x76\x04\xf5\x37\x73\xb1\xf3\xa6\x03\xc1\x9d\x4d\xc0\xf4\xc5\xcc\xee\x5e\x95\x71\x70\x6e\x99\x0d\xc8\x62\x31\x2f\xb3\xd2\x6c\xc3\x7b\x01\x1d\x95\xf3\x15\x9d\x13\xc4\xac\x34\xab\x08\x4c\x1a\x06\x60\x50\x9a\xe1\x3f\xa6\xf8\x4d\x60\x68\xb3\x3e\x5f\xf1\xda\x2a\x32\x37\x3a", 130); *(uint8_t*)0x20000001840d = 9; *(uint8_t*)0x20000001840e = 5; *(uint8_t*)0x20000001840f = 2; *(uint8_t*)0x200000018410 = 0; *(uint16_t*)0x200000018411 = 0x400; *(uint8_t*)0x200000018413 = 0xa; *(uint8_t*)0x200000018414 = 8; *(uint8_t*)0x200000018415 = 4; *(uint8_t*)0x200000018416 = 9; *(uint8_t*)0x200000018417 = 5; *(uint8_t*)0x200000018418 = 0xe; *(uint8_t*)0x200000018419 = 0; *(uint16_t*)0x20000001841a = 8; *(uint8_t*)0x20000001841c = 6; *(uint8_t*)0x20000001841d = 4; *(uint8_t*)0x20000001841e = 0x96; *(uint8_t*)0x20000001841f = 7; *(uint8_t*)0x200000018420 = 0x25; *(uint8_t*)0x200000018421 = 1; *(uint8_t*)0x200000018422 = 0; *(uint8_t*)0x200000018423 = 0xbe; *(uint16_t*)0x200000018424 = 0xda; *(uint8_t*)0x200000018426 = 7; *(uint8_t*)0x200000018427 = 0x25; *(uint8_t*)0x200000018428 = 1; *(uint8_t*)0x200000018429 = 8; *(uint8_t*)0x20000001842a = 0; *(uint16_t*)0x20000001842b = 0; *(uint8_t*)0x20000001842d = 9; *(uint8_t*)0x20000001842e = 5; *(uint8_t*)0x20000001842f = 8; *(uint8_t*)0x200000018430 = 2; *(uint16_t*)0x200000018431 = 0x10; *(uint8_t*)0x200000018433 = 0xb; *(uint8_t*)0x200000018434 = 5; *(uint8_t*)0x200000018435 = 0x8f; *(uint8_t*)0x200000018436 = 0x77; *(uint8_t*)0x200000018437 = 0xf7; memcpy((void*)0x200000018438, "\xe6\xda\x68\x32\x66\x5e\x8f\xc3\x6a\x0e\x8f\x94\x15\x7f\x6a\x5f\xbd\x96\xba\x60\x85\xfa\x6c\xc0\xde\x01\x63\x51\x50\x75\x1f\xa9\x08\x0a\x8c\xe5\xaa\xa4\xe5\x0b\xdd\xbe\xfe\x64\x9a\x98\x85\x24\x4d\x8f\xd8\x77\x92\x0b\x57\x0d\x69\x13\xac\x5e\xf7\x4d\x87\x13\x9a\x81\x21\x5a\xce\x97\x2e\x76\x9b\x6e\x70\x7e\x21\x02\xde\x59\x3a\x66\x1d\x40\x8d\x0c\xbc\xe3\x85\xec\xdc\x66\xd0\x0e\x64\x9d\xd5\x50\x4e\x8b\x1f\x2a\xee\xdf\x02\xeb\x08\xbd\x9a\x2b\x21\x02\xf3\x79\x27\xbf\xb9", 117); *(uint8_t*)0x2000000184ad = 7; *(uint8_t*)0x2000000184ae = 0x25; *(uint8_t*)0x2000000184af = 1; *(uint8_t*)0x2000000184b0 = 0xc; *(uint8_t*)0x2000000184b1 = 0x40; *(uint16_t*)0x2000000184b2 = 0x8000; *(uint8_t*)0x2000000184b4 = 9; *(uint8_t*)0x2000000184b5 = 5; *(uint8_t*)0x2000000184b6 = 0xd; *(uint8_t*)0x2000000184b7 = 0xc; *(uint16_t*)0x2000000184b8 = 0x40; *(uint8_t*)0x2000000184ba = 6; *(uint8_t*)0x2000000184bb = 0; *(uint8_t*)0x2000000184bc = 9; *(uint8_t*)0x2000000184bd = 9; *(uint8_t*)0x2000000184be = 4; *(uint8_t*)0x2000000184bf = 0x1e; *(uint8_t*)0x2000000184c0 = 8; *(uint8_t*)0x2000000184c1 = 3; *(uint8_t*)0x2000000184c2 = 0x90; *(uint8_t*)0x2000000184c3 = 0x1b; *(uint8_t*)0x2000000184c4 = 0x5d; *(uint8_t*)0x2000000184c5 = 9; *(uint8_t*)0x2000000184c6 = 9; *(uint8_t*)0x2000000184c7 = 0x24; *(uint8_t*)0x2000000184c8 = 2; *(uint8_t*)0x2000000184c9 = 1; *(uint8_t*)0x2000000184ca = 3; *(uint8_t*)0x2000000184cb = 1; *(uint8_t*)0x2000000184cc = 0; *(uint8_t*)0x2000000184cd = 0x35; *(uint8_t*)0x2000000184ce = 8; *(uint8_t*)0x2000000184cf = 9; *(uint8_t*)0x2000000184d0 = 0x24; *(uint8_t*)0x2000000184d1 = 2; *(uint8_t*)0x2000000184d2 = 1; *(uint8_t*)0x2000000184d3 = 4; *(uint8_t*)0x2000000184d4 = 3; *(uint8_t*)0x2000000184d5 = 4; *(uint8_t*)0x2000000184d6 = 0xf6; *(uint8_t*)0x2000000184d7 = 0x80; *(uint8_t*)0x2000000184d8 = 0xa; *(uint8_t*)0x2000000184d9 = 0x24; *(uint8_t*)0x2000000184da = 2; *(uint8_t*)0x2000000184db = 2; *(uint16_t*)0x2000000184dc = 5; *(uint16_t*)0x2000000184de = 0x35c6; *(uint8_t*)0x2000000184e0 = 1; *(uint8_t*)0x2000000184e1 = 3; *(uint8_t*)0x2000000184e2 = 0xa; *(uint8_t*)0x2000000184e3 = 0x24; *(uint8_t*)0x2000000184e4 = 1; *(uint16_t*)0x2000000184e5 = 0x8001; *(uint16_t*)0x2000000184e7 = 0x51; *(uint8_t*)0x2000000184e9 = 2; *(uint8_t*)0x2000000184ea = 1; *(uint8_t*)0x2000000184eb = 2; *(uint8_t*)0x2000000184ec = 9; *(uint8_t*)0x2000000184ed = 0x24; *(uint8_t*)0x2000000184ee = 6; *(uint8_t*)0x2000000184ef = 4; *(uint8_t*)0x2000000184f0 = 3; *(uint8_t*)0x2000000184f1 = 1; *(uint16_t*)0x2000000184f2 = 4; *(uint8_t*)0x2000000184f4 = 8; *(uint8_t*)0x2000000184f5 = 0xb; *(uint8_t*)0x2000000184f6 = 0x24; *(uint8_t*)0x2000000184f7 = 7; *(uint8_t*)0x2000000184f8 = 4; *(uint16_t*)0x2000000184f9 = 3; *(uint8_t*)0x2000000184fb = 9; memcpy((void*)0x2000000184fc, "\xd6\xe5\xbe\xc9", 4); *(uint8_t*)0x200000018500 = 9; *(uint8_t*)0x200000018501 = 0x24; *(uint8_t*)0x200000018502 = 7; *(uint8_t*)0x200000018503 = 1; *(uint16_t*)0x200000018504 = 1; *(uint8_t*)0x200000018506 = 6; memcpy((void*)0x200000018507, "CO", 2); *(uint8_t*)0x200000018509 = 0xc; *(uint8_t*)0x20000001850a = 0x24; *(uint8_t*)0x20000001850b = 2; *(uint8_t*)0x20000001850c = 2; *(uint16_t*)0x20000001850d = 0x204; *(uint8_t*)0x20000001850f = 5; *(uint8_t*)0x200000018510 = 9; *(uint16_t*)0x200000018511 = 9; *(uint8_t*)0x200000018513 = 1; *(uint8_t*)0x200000018514 = 0xd4; *(uint8_t*)0x200000018515 = 0x11; *(uint8_t*)0x200000018516 = 0x24; *(uint8_t*)0x200000018517 = 6; *(uint8_t*)0x200000018518 = 5; *(uint8_t*)0x200000018519 = 6; *(uint8_t*)0x20000001851a = 5; *(uint16_t*)0x20000001851b = 3; *(uint16_t*)0x20000001851d = 0xa; *(uint16_t*)0x20000001851f = 3; *(uint16_t*)0x200000018521 = 9; *(uint16_t*)0x200000018523 = 3; *(uint8_t*)0x200000018525 = 3; *(uint8_t*)0x200000018526 = 0xd; *(uint8_t*)0x200000018527 = 0x24; *(uint8_t*)0x200000018528 = 8; *(uint8_t*)0x200000018529 = 2; *(uint16_t*)0x20000001852a = 5; *(uint8_t*)0x20000001852c = 0xfa; memcpy((void*)0x20000001852d, "\xcf\x52\x1f\xd9\x77\x8e", 6); *(uint8_t*)0x200000018533 = 9; *(uint8_t*)0x200000018534 = 5; *(uint8_t*)0x200000018535 = 0; *(uint8_t*)0x200000018536 = 1; *(uint16_t*)0x200000018537 = 0x200; *(uint8_t*)0x200000018539 = 3; *(uint8_t*)0x20000001853a = 9; *(uint8_t*)0x20000001853b = 6; *(uint8_t*)0x20000001853c = 9; *(uint8_t*)0x20000001853d = 5; *(uint8_t*)0x20000001853e = 1; *(uint8_t*)0x20000001853f = 0x10; *(uint16_t*)0x200000018540 = 0; *(uint8_t*)0x200000018542 = 7; *(uint8_t*)0x200000018543 = 3; *(uint8_t*)0x200000018544 = 1; *(uint8_t*)0x200000018545 = 9; *(uint8_t*)0x200000018546 = 5; *(uint8_t*)0x200000018547 = 9; *(uint8_t*)0x200000018548 = 3; *(uint16_t*)0x200000018549 = 0x20; *(uint8_t*)0x20000001854b = 0xf; *(uint8_t*)0x20000001854c = 4; *(uint8_t*)0x20000001854d = 5; *(uint8_t*)0x20000001854e = 0x30; *(uint8_t*)0x20000001854f = 0x30; memcpy((void*)0x200000018550, "\x9a\xf3\xfe\x71\x51\xc3\xb3\xad\x7b\xd1\xa1\xc8\xe2\xee\x7c\x94\x95\xbf\xb5\x20\x94\xd1\xdc\x13\xf4\x1f\x06\xa7\x6b\x11\x1e\xbf\x90\x89\xa2\x37\x2b\x32\x34\x99\xe8\x15\x36\xed\x22\xf6", 46); *(uint8_t*)0x20000001857e = 7; *(uint8_t*)0x20000001857f = 0x25; *(uint8_t*)0x200000018580 = 1; *(uint8_t*)0x200000018581 = 0; *(uint8_t*)0x200000018582 = 0xd; *(uint16_t*)0x200000018583 = 0x1000; *(uint32_t*)0x2000000187c0 = 0xa; *(uint64_t*)0x2000000187c4 = 0x2000000185c0; *(uint8_t*)0x2000000185c0 = 0xa; *(uint8_t*)0x2000000185c1 = 6; *(uint16_t*)0x2000000185c2 = 0x200; *(uint8_t*)0x2000000185c4 = 0xe; *(uint8_t*)0x2000000185c5 = 0x7c; *(uint8_t*)0x2000000185c6 = 5; *(uint8_t*)0x2000000185c7 = 0x40; *(uint8_t*)0x2000000185c8 = 6; *(uint8_t*)0x2000000185c9 = 0; *(uint32_t*)0x2000000187cc = 0xec; *(uint64_t*)0x2000000187d0 = 0x200000018600; *(uint8_t*)0x200000018600 = 5; *(uint8_t*)0x200000018601 = 0xf; *(uint16_t*)0x200000018602 = 0xec; *(uint8_t*)0x200000018604 = 5; *(uint8_t*)0x200000018605 = 0xb; *(uint8_t*)0x200000018606 = 0x10; *(uint8_t*)0x200000018607 = 1; *(uint8_t*)0x200000018608 = 4; *(uint16_t*)0x200000018609 = 8; *(uint8_t*)0x20000001860b = 0x7f; *(uint8_t*)0x20000001860c = 4; *(uint16_t*)0x20000001860d = 0x10; *(uint8_t*)0x20000001860f = 0; *(uint8_t*)0x200000018610 = 3; *(uint8_t*)0x200000018611 = 0x10; *(uint8_t*)0x200000018612 = 0xb; *(uint8_t*)0x200000018613 = 0x14; *(uint8_t*)0x200000018614 = 0x10; *(uint8_t*)0x200000018615 = 4; *(uint8_t*)0x200000018616 = 0x19; memcpy((void*)0x200000018617, "\x37\x08\x89\x2f\x9f\x72\x25\xbe\x3a\x60\x09\x55\x99\x65\xad\x74", 16); *(uint8_t*)0x200000018627 = 0xb; *(uint8_t*)0x200000018628 = 0x10; *(uint8_t*)0x200000018629 = 1; *(uint8_t*)0x20000001862a = 4; *(uint16_t*)0x20000001862b = 0x20; *(uint8_t*)0x20000001862d = 0xc9; *(uint8_t*)0x20000001862e = 3; *(uint16_t*)0x20000001862f = 3; *(uint8_t*)0x200000018631 = 8; *(uint8_t*)0x200000018632 = 0xba; *(uint8_t*)0x200000018633 = 0x10; *(uint8_t*)0x200000018634 = 3; memcpy((void*)0x200000018635, "\x2a\x04\x52\xf8\xe5\x6a\xc2\xff\xae\xe6\xcb\x1f\xc6\xfa\xea\x42\x98\x66\x4f\x03\x26\x76\xda\x02\xee\x36\xca\xc0\xdf\x47\x2c\x05\xb6\xa8\x95\xc8\x7b\x06\x14\x5c\x8c\xb2\xbf\x15\x63\xd9\x15\xfb\x74\x59\xdf\xa3\x7e\x7b\x01\x0a\x23\x07\xd7\x6e\xd4\xc7\x5a\x0c\x19\x62\x07\x4d\x24\xf9\x83\x6e\x05\xdf\x96\x5f\xdf\x4e\x24\x60\x07\x6f\x7f\x10\x97\x08\x23\x08\x72\xab\xfc\x7b\x89\xd4\xe5\xe0\x8d\x5d\x7b\x3b\x28\xbe\x99\x66\x61\x69\xe4\xbe\xaa\x1e\xd7\x09\x9d\x4e\xad\x2e\x0a\xea\xb9\xe0\x1f\xf1\xbf\x20\xb5\x9a\x78\xa6\xd9\x85\x29\x89\xb4\xc4\x73\x25\x50\xc7\x0f\x84\x3d\xaa\x0c\x88\xd8\x2e\xf8\x06\xec\xe5\x08\xcc\x95\x53\xfe\x81\x34\xcf\xad\xc5\x76\x9b\xff\x04\x6d\xca\x8f\x1f\xe0\x31\xf2\x5d\xba\xe9\x23\x96\x22\x56\xa0\xd9\x62\xf0\x81", 183); *(uint32_t*)0x2000000187d8 = 2; *(uint32_t*)0x2000000187dc = 0x5f; *(uint64_t*)0x2000000187e0 = 0x200000018700; *(uint8_t*)0x200000018700 = 0x5f; *(uint8_t*)0x200000018701 = 3; memcpy((void*)0x200000018702, "\x15\x9f\xae\xf0\x2b\x24\x6d\xab\x7c\xba\x3e\xfc\x4a\x7f\xed\x8d\x17\x4b\xd7\x06\xd4\x84\x57\xf2\x61\xad\x8f\xe8\x8d\xc0\x42\x6f\xe7\x1a\x32\x29\x1e\xe9\x35\x75\xbf\x34\x7c\xbf\xc2\x13\x23\xb2\x08\xf1\x5a\x79\x2a\xbb\xf3\x01\x70\x92\xaa\x8e\x55\x1f\xcb\xd8\x51\xca\x73\x90\x61\x2f\x9e\x58\x48\x73\x8c\x87\x2b\x63\x87\x38\x75\x5a\xdf\xa7\xd4\x32\xea\xb1\xcd\xf1\x12\x46\xe6", 93); *(uint32_t*)0x2000000187e8 = 4; *(uint64_t*)0x2000000187ec = 0x200000018780; *(uint8_t*)0x200000018780 = 4; *(uint8_t*)0x200000018781 = 3; *(uint16_t*)0x200000018782 = 0x41d; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x745, /*dev=*/0x200000017e40, /*conn_descs=*/0x2000000187c0); if (res != -1) r[44] = res; break; case 69: *(uint8_t*)0x200000018800 = 0x12; *(uint8_t*)0x200000018801 = 1; *(uint16_t*)0x200000018802 = 0x200; *(uint8_t*)0x200000018804 = -1; *(uint8_t*)0x200000018805 = -1; *(uint8_t*)0x200000018806 = -1; *(uint8_t*)0x200000018807 = 0x40; *(uint16_t*)0x200000018808 = 0xcf3; *(uint16_t*)0x20000001880a = 0x9271; *(uint16_t*)0x20000001880c = 0x108; *(uint8_t*)0x20000001880e = 1; *(uint8_t*)0x20000001880f = 2; *(uint8_t*)0x200000018810 = 3; *(uint8_t*)0x200000018811 = 1; *(uint8_t*)0x200000018812 = 9; *(uint8_t*)0x200000018813 = 2; *(uint16_t*)0x200000018814 = 0x48; *(uint8_t*)0x200000018816 = 1; *(uint8_t*)0x200000018817 = 1; *(uint8_t*)0x200000018818 = 0; *(uint8_t*)0x200000018819 = 0x80; *(uint8_t*)0x20000001881a = 0xfa; *(uint8_t*)0x20000001881b = 9; *(uint8_t*)0x20000001881c = 4; *(uint8_t*)0x20000001881d = 0; *(uint8_t*)0x20000001881e = 0; *(uint8_t*)0x20000001881f = 6; *(uint8_t*)0x200000018820 = -1; *(uint8_t*)0x200000018821 = 0; *(uint8_t*)0x200000018822 = 0; *(uint8_t*)0x200000018823 = 0; *(uint8_t*)0x200000018824 = 9; *(uint8_t*)0x200000018825 = 5; *(uint8_t*)0x200000018826 = 1; *(uint8_t*)0x200000018827 = 2; *(uint16_t*)0x200000018828 = 0x200; *(uint8_t*)0x20000001882a = 0; *(uint8_t*)0x20000001882b = 0; *(uint8_t*)0x20000001882c = 0; *(uint8_t*)0x20000001882d = 9; *(uint8_t*)0x20000001882e = 5; *(uint8_t*)0x20000001882f = 0x82; *(uint8_t*)0x200000018830 = 2; *(uint16_t*)0x200000018831 = 0x200; *(uint8_t*)0x200000018833 = 0; *(uint8_t*)0x200000018834 = 0; *(uint8_t*)0x200000018835 = 0; *(uint8_t*)0x200000018836 = 9; *(uint8_t*)0x200000018837 = 5; *(uint8_t*)0x200000018838 = 0x83; *(uint8_t*)0x200000018839 = 3; *(uint16_t*)0x20000001883a = 0x40; *(uint8_t*)0x20000001883c = 1; *(uint8_t*)0x20000001883d = 0; *(uint8_t*)0x20000001883e = 0; *(uint8_t*)0x20000001883f = 9; *(uint8_t*)0x200000018840 = 5; *(uint8_t*)0x200000018841 = 4; *(uint8_t*)0x200000018842 = 3; *(uint16_t*)0x200000018843 = 0x40; *(uint8_t*)0x200000018845 = 1; *(uint8_t*)0x200000018846 = 0; *(uint8_t*)0x200000018847 = 0; *(uint8_t*)0x200000018848 = 9; *(uint8_t*)0x200000018849 = 5; *(uint8_t*)0x20000001884a = 5; *(uint8_t*)0x20000001884b = 2; *(uint16_t*)0x20000001884c = 0x200; *(uint8_t*)0x20000001884e = 0; *(uint8_t*)0x20000001884f = 0; *(uint8_t*)0x200000018850 = 0; *(uint8_t*)0x200000018851 = 9; *(uint8_t*)0x200000018852 = 5; *(uint8_t*)0x200000018853 = 6; *(uint8_t*)0x200000018854 = 2; *(uint16_t*)0x200000018855 = 0x200; *(uint8_t*)0x200000018857 = 0; *(uint8_t*)0x200000018858 = 0; *(uint8_t*)0x200000018859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000018800, /*conn_descs=*/0); if (res != -1) r[45] = res; break; case 70: *(uint32_t*)0x200000018a00 = 0x2c; *(uint64_t*)0x200000018a04 = 0x200000018880; *(uint8_t*)0x200000018880 = 0x20; *(uint8_t*)0x200000018881 = 0xa; *(uint32_t*)0x200000018882 = 6; *(uint8_t*)0x200000018886 = 6; *(uint8_t*)0x200000018887 = 0x11; memcpy((void*)0x200000018888, "\x11\xbe\x69\x06", 4); *(uint64_t*)0x200000018a0c = 0x2000000188c0; *(uint8_t*)0x2000000188c0 = 0; *(uint8_t*)0x2000000188c1 = 3; *(uint32_t*)0x2000000188c2 = 0x4b; *(uint8_t*)0x2000000188c6 = 0x4b; *(uint8_t*)0x2000000188c7 = 3; memcpy((void*)0x2000000188c8, "\x54\xf1\x66\xc5\x04\xf7\x90\xb8\xfd\x21\x67\xab\x4d\x22\x07\xfa\xf4\xe0\xd9\xb9\x06\x85\x64\xc8\xfe\xe8\x2a\x31\xe2\xa5\x6d\x9b\x86\x3c\x41\x88\xc8\x02\xbd\x1e\x73\x79\x93\xba\x22\xa3\x23\x79\x5c\xb0\xb4\xf4\xe9\x4c\xb7\x96\x75\x88\x40\xf7\xc8\x88\x98\x69\x4a\x05\x9b\xe7\x6c\x02\x85\xd6\x91", 73); *(uint64_t*)0x200000018a14 = 0x200000018940; *(uint8_t*)0x200000018940 = 0; *(uint8_t*)0x200000018941 = 0xf; *(uint32_t*)0x200000018942 = 0x1a; *(uint8_t*)0x200000018946 = 5; *(uint8_t*)0x200000018947 = 0xf; *(uint16_t*)0x200000018948 = 0x1a; *(uint8_t*)0x20000001894a = 2; *(uint8_t*)0x20000001894b = 0xb; *(uint8_t*)0x20000001894c = 0x10; *(uint8_t*)0x20000001894d = 1; *(uint8_t*)0x20000001894e = 2; *(uint16_t*)0x20000001894f = 1; *(uint8_t*)0x200000018951 = 4; *(uint8_t*)0x200000018952 = 0xa; *(uint16_t*)0x200000018953 = 4; *(uint8_t*)0x200000018955 = 0x10; *(uint8_t*)0x200000018956 = 0xa; *(uint8_t*)0x200000018957 = 0x10; *(uint8_t*)0x200000018958 = 3; *(uint8_t*)0x200000018959 = 0; *(uint16_t*)0x20000001895a = 4; *(uint8_t*)0x20000001895c = 6; *(uint8_t*)0x20000001895d = 0; *(uint16_t*)0x20000001895e = 1; *(uint64_t*)0x200000018a1c = 0x200000018980; *(uint8_t*)0x200000018980 = 0x20; *(uint8_t*)0x200000018981 = 0x29; *(uint32_t*)0x200000018982 = 0xf; *(uint8_t*)0x200000018986 = 0xf; *(uint8_t*)0x200000018987 = 0x29; *(uint8_t*)0x200000018988 = 0x7e; *(uint16_t*)0x200000018989 = 0; *(uint8_t*)0x20000001898b = 2; *(uint8_t*)0x20000001898c = 7; memcpy((void*)0x20000001898d, "\x3c\x68\x95\xab", 4); memcpy((void*)0x200000018991, "\x13\x82\x53\xae", 4); *(uint64_t*)0x200000018a24 = 0x2000000189c0; *(uint8_t*)0x2000000189c0 = 0x20; *(uint8_t*)0x2000000189c1 = 0x2a; *(uint32_t*)0x2000000189c2 = 0xc; *(uint8_t*)0x2000000189c6 = 0xc; *(uint8_t*)0x2000000189c7 = 0x2a; *(uint8_t*)0x2000000189c8 = 0xe; *(uint16_t*)0x2000000189c9 = 1; *(uint8_t*)0x2000000189cb = 0xb5; *(uint8_t*)0x2000000189cc = 2; *(uint8_t*)0x2000000189cd = 6; *(uint16_t*)0x2000000189ce = 7; *(uint16_t*)0x2000000189d0 = 9; *(uint32_t*)0x200000018e40 = 0x84; *(uint64_t*)0x200000018e44 = 0x200000018a40; *(uint8_t*)0x200000018a40 = 0x20; *(uint8_t*)0x200000018a41 = 0xc; *(uint32_t*)0x200000018a42 = 2; memcpy((void*)0x200000018a46, "\xd8\x0b", 2); *(uint64_t*)0x200000018e4c = 0x200000018a80; *(uint8_t*)0x200000018a80 = 0; *(uint8_t*)0x200000018a81 = 0xa; *(uint32_t*)0x200000018a82 = 1; *(uint8_t*)0x200000018a86 = 7; *(uint64_t*)0x200000018e54 = 0x200000018ac0; *(uint8_t*)0x200000018ac0 = 0; *(uint8_t*)0x200000018ac1 = 8; *(uint32_t*)0x200000018ac2 = 1; *(uint8_t*)0x200000018ac6 = 5; *(uint64_t*)0x200000018e5c = 0x200000018b00; *(uint8_t*)0x200000018b00 = 0x20; *(uint8_t*)0x200000018b01 = 0; *(uint32_t*)0x200000018b02 = 4; *(uint16_t*)0x200000018b06 = 0; *(uint16_t*)0x200000018b08 = 2; *(uint64_t*)0x200000018e64 = 0x200000018b40; *(uint8_t*)0x200000018b40 = 0x20; *(uint8_t*)0x200000018b41 = 0; *(uint32_t*)0x200000018b42 = 8; *(uint16_t*)0x200000018b46 = 0x1160; *(uint16_t*)0x200000018b48 = 2; *(uint32_t*)0x200000018b4a = 0x1e0ff; *(uint64_t*)0x200000018e6c = 0x200000018b80; *(uint8_t*)0x200000018b80 = 0x40; *(uint8_t*)0x200000018b81 = 7; *(uint32_t*)0x200000018b82 = 2; *(uint16_t*)0x200000018b86 = 0; *(uint64_t*)0x200000018e74 = 0x200000018bc0; *(uint8_t*)0x200000018bc0 = 0x40; *(uint8_t*)0x200000018bc1 = 9; *(uint32_t*)0x200000018bc2 = 1; *(uint8_t*)0x200000018bc6 = 0x81; *(uint64_t*)0x200000018e7c = 0x200000018c00; *(uint8_t*)0x200000018c00 = 0x40; *(uint8_t*)0x200000018c01 = 0xb; *(uint32_t*)0x200000018c02 = 2; memcpy((void*)0x200000018c06, "~s", 2); *(uint64_t*)0x200000018e84 = 0x200000018c40; *(uint8_t*)0x200000018c40 = 0x40; *(uint8_t*)0x200000018c41 = 0xf; *(uint32_t*)0x200000018c42 = 2; *(uint16_t*)0x200000018c46 = 0xa; *(uint64_t*)0x200000018e8c = 0x200000018c80; *(uint8_t*)0x200000018c80 = 0x40; *(uint8_t*)0x200000018c81 = 0x13; *(uint32_t*)0x200000018c82 = 6; memset((void*)0x200000018c86, 170, 5); *(uint8_t*)0x200000018c8b = 0x17; *(uint64_t*)0x200000018e94 = 0x200000018cc0; *(uint8_t*)0x200000018cc0 = 0x40; *(uint8_t*)0x200000018cc1 = 0x17; *(uint32_t*)0x200000018cc2 = 6; memset((void*)0x200000018cc6, 170, 5); *(uint8_t*)0x200000018ccb = 0x3d; *(uint64_t*)0x200000018e9c = 0x200000018d00; *(uint8_t*)0x200000018d00 = 0x40; *(uint8_t*)0x200000018d01 = 0x19; *(uint32_t*)0x200000018d02 = 2; memcpy((void*)0x200000018d06, "\xb3\x62", 2); *(uint64_t*)0x200000018ea4 = 0x200000018d40; *(uint8_t*)0x200000018d40 = 0x40; *(uint8_t*)0x200000018d41 = 0x1a; *(uint32_t*)0x200000018d42 = 2; *(uint16_t*)0x200000018d46 = 6; *(uint64_t*)0x200000018eac = 0x200000018d80; *(uint8_t*)0x200000018d80 = 0x40; *(uint8_t*)0x200000018d81 = 0x1c; *(uint32_t*)0x200000018d82 = 1; *(uint8_t*)0x200000018d86 = 0xfa; *(uint64_t*)0x200000018eb4 = 0x200000018dc0; *(uint8_t*)0x200000018dc0 = 0x40; *(uint8_t*)0x200000018dc1 = 0x1e; *(uint32_t*)0x200000018dc2 = 1; *(uint8_t*)0x200000018dc6 = 9; *(uint64_t*)0x200000018ebc = 0x200000018e00; *(uint8_t*)0x200000018e00 = 0x40; *(uint8_t*)0x200000018e01 = 0x21; *(uint32_t*)0x200000018e02 = 1; *(uint8_t*)0x200000018e06 = 8; syz_usb_control_io(/*fd=*/r[44], /*descs=*/0x200000018a00, /*resps=*/0x200000018e40); break; case 71: syz_usb_disconnect(/*fd=*/r[45]); break; case 72: syz_usb_ep_read(/*fd=*/r[45], /*ep=*/0xd2, /*len=*/0xde, /*data=*/0x200000018f00); break; case 73: *(uint8_t*)0x200000019000 = 0x12; *(uint8_t*)0x200000019001 = 1; *(uint16_t*)0x200000019002 = 0x110; *(uint8_t*)0x200000019004 = 0; *(uint8_t*)0x200000019005 = 0; *(uint8_t*)0x200000019006 = 0; *(uint8_t*)0x200000019007 = 0x10; *(uint16_t*)0x200000019008 = 0x1430; *(uint16_t*)0x20000001900a = 0x474b; *(uint16_t*)0x20000001900c = 0x40; *(uint8_t*)0x20000001900e = 1; *(uint8_t*)0x20000001900f = 2; *(uint8_t*)0x200000019010 = 3; *(uint8_t*)0x200000019011 = 1; *(uint8_t*)0x200000019012 = 9; *(uint8_t*)0x200000019013 = 2; *(uint16_t*)0x200000019014 = 0xcc; *(uint8_t*)0x200000019016 = 1; *(uint8_t*)0x200000019017 = 1; *(uint8_t*)0x200000019018 = 9; *(uint8_t*)0x200000019019 = 0; *(uint8_t*)0x20000001901a = 9; *(uint8_t*)0x20000001901b = 9; *(uint8_t*)0x20000001901c = 4; *(uint8_t*)0x20000001901d = 0; *(uint8_t*)0x20000001901e = 0; *(uint8_t*)0x20000001901f = 5; *(uint8_t*)0x200000019020 = 1; *(uint8_t*)0x200000019021 = 3; *(uint8_t*)0x200000019022 = 0; *(uint8_t*)0x200000019023 = 0xa; *(uint8_t*)0x200000019024 = 7; *(uint8_t*)0x200000019025 = 0x24; *(uint8_t*)0x200000019026 = 1; *(uint16_t*)0x200000019027 = 0; *(uint16_t*)0x200000019029 = 7; *(uint8_t*)0x20000001902b = 0x11; *(uint8_t*)0x20000001902c = 0x24; *(uint8_t*)0x20000001902d = 3; *(uint8_t*)0x20000001902e = 0; *(uint8_t*)0x20000001902f = 0xf5; *(uint8_t*)0x200000019030 = 5; *(uint8_t*)0x200000019031 = 4; *(uint8_t*)0x200000019032 = 0; *(uint8_t*)0x200000019033 = 7; *(uint8_t*)0x200000019034 = 7; *(uint8_t*)0x200000019035 = 0xc1; *(uint8_t*)0x200000019036 = 0; *(uint8_t*)0x200000019037 = 3; *(uint8_t*)0x200000019038 = 3; *(uint8_t*)0x200000019039 = 2; *(uint8_t*)0x20000001903a = 0xc; *(uint8_t*)0x20000001903b = 0xd4; *(uint8_t*)0x20000001903c = 0x13; *(uint8_t*)0x20000001903d = 0x24; *(uint8_t*)0x20000001903e = 3; *(uint8_t*)0x20000001903f = 2; *(uint8_t*)0x200000019040 = 0xd; *(uint8_t*)0x200000019041 = 6; *(uint8_t*)0x200000019042 = 0x13; *(uint8_t*)0x200000019043 = 0x80; *(uint8_t*)0x200000019044 = 2; *(uint8_t*)0x200000019045 = 0xe; *(uint8_t*)0x200000019046 = 1; *(uint8_t*)0x200000019047 = 3; *(uint8_t*)0x200000019048 = 8; *(uint8_t*)0x200000019049 = 7; *(uint8_t*)0x20000001904a = 7; *(uint8_t*)0x20000001904b = 4; *(uint8_t*)0x20000001904c = 0xeb; *(uint8_t*)0x20000001904d = 6; *(uint8_t*)0x20000001904e = 4; *(uint8_t*)0x20000001904f = 7; *(uint8_t*)0x200000019050 = 0x24; *(uint8_t*)0x200000019051 = 1; *(uint16_t*)0x200000019052 = 3; *(uint16_t*)0x200000019054 = 7; *(uint8_t*)0x200000019056 = 9; *(uint8_t*)0x200000019057 = 0x24; *(uint8_t*)0x200000019058 = 3; *(uint8_t*)0x200000019059 = 0; *(uint8_t*)0x20000001905a = 6; *(uint8_t*)0x20000001905b = 1; *(uint8_t*)0x20000001905c = 2; *(uint8_t*)0x20000001905d = 0x53; *(uint8_t*)0x20000001905e = 0; *(uint8_t*)0x20000001905f = 9; *(uint8_t*)0x200000019060 = 5; *(uint8_t*)0x200000019061 = 0xc; *(uint8_t*)0x200000019062 = 0; *(uint16_t*)0x200000019063 = 8; *(uint8_t*)0x200000019065 = 0; *(uint8_t*)0x200000019066 = 3; *(uint8_t*)0x200000019067 = 0xef; *(uint8_t*)0x200000019068 = 0xf; *(uint8_t*)0x200000019069 = 0x25; *(uint8_t*)0x20000001906a = 1; *(uint8_t*)0x20000001906b = 0xb; memcpy((void*)0x20000001906c, "\x8d\xca\x6f\x86\xba\x15\x43\xf9\xfd\x54\x17", 11); *(uint8_t*)0x200000019077 = 9; *(uint8_t*)0x200000019078 = 5; *(uint8_t*)0x200000019079 = 1; *(uint8_t*)0x20000001907a = 2; *(uint16_t*)0x20000001907b = 0x10; *(uint8_t*)0x20000001907d = 0xa5; *(uint8_t*)0x20000001907e = 8; *(uint8_t*)0x20000001907f = 3; *(uint8_t*)0x200000019080 = 0x13; *(uint8_t*)0x200000019081 = 0x25; *(uint8_t*)0x200000019082 = 1; *(uint8_t*)0x200000019083 = 0xf; memcpy((void*)0x200000019084, "\xfc\x2a\xb7\xfa\xb0\x2e\x86\xb9\xc8\x3c\x1a\x1c\x2e\xe5\xba", 15); *(uint8_t*)0x200000019093 = 9; *(uint8_t*)0x200000019094 = 5; *(uint8_t*)0x200000019095 = 0xc; *(uint8_t*)0x200000019096 = 8; *(uint16_t*)0x200000019097 = 0x400; *(uint8_t*)0x200000019099 = 3; *(uint8_t*)0x20000001909a = 0; *(uint8_t*)0x20000001909b = 0xbe; *(uint8_t*)0x20000001909c = 0x13; *(uint8_t*)0x20000001909d = 0x25; *(uint8_t*)0x20000001909e = 1; *(uint8_t*)0x20000001909f = 0xf; memcpy((void*)0x2000000190a0, "\xd9\x81\x1e\x1e\xd3\x64\x2b\xab\x8c\x2a\x71\xbc\x25\xbf\x6c", 15); *(uint8_t*)0x2000000190af = 9; *(uint8_t*)0x2000000190b0 = 5; *(uint8_t*)0x2000000190b1 = 3; *(uint8_t*)0x2000000190b2 = 0; *(uint16_t*)0x2000000190b3 = 0x3ff; *(uint8_t*)0x2000000190b5 = 0x7f; *(uint8_t*)0x2000000190b6 = 0x96; *(uint8_t*)0x2000000190b7 = 7; *(uint8_t*)0x2000000190b8 = 0xf; *(uint8_t*)0x2000000190b9 = 0x25; *(uint8_t*)0x2000000190ba = 1; *(uint8_t*)0x2000000190bb = 0xb; memcpy((void*)0x2000000190bc, "\x0e\xc3\xb8\xef\xc0\x22\xfc\x1b\x47\x4c\xae", 11); *(uint8_t*)0x2000000190c7 = 9; *(uint8_t*)0x2000000190c8 = 5; *(uint8_t*)0x2000000190c9 = 1; *(uint8_t*)0x2000000190ca = 0; *(uint16_t*)0x2000000190cb = 0x200; *(uint8_t*)0x2000000190cd = 0x18; *(uint8_t*)0x2000000190ce = 5; *(uint8_t*)0x2000000190cf = 3; *(uint8_t*)0x2000000190d0 = 0xe; *(uint8_t*)0x2000000190d1 = 0x25; *(uint8_t*)0x2000000190d2 = 1; *(uint8_t*)0x2000000190d3 = 0xa; memcpy((void*)0x2000000190d4, "\xe3\xc1\x06\xc5\x4a\x63\x63\x8a\x2e\x82", 10); *(uint32_t*)0x200000019280 = 0xa; *(uint64_t*)0x200000019284 = 0x200000019100; *(uint8_t*)0x200000019100 = 0xa; *(uint8_t*)0x200000019101 = 6; *(uint16_t*)0x200000019102 = 0x110; *(uint8_t*)0x200000019104 = 2; *(uint8_t*)0x200000019105 = 2; *(uint8_t*)0x200000019106 = 8; *(uint8_t*)0x200000019107 = -1; *(uint8_t*)0x200000019108 = 0; *(uint8_t*)0x200000019109 = 0; *(uint32_t*)0x20000001928c = 0x3d; *(uint64_t*)0x200000019290 = 0x200000019140; *(uint8_t*)0x200000019140 = 5; *(uint8_t*)0x200000019141 = 0xf; *(uint16_t*)0x200000019142 = 0x3d; *(uint8_t*)0x200000019144 = 5; *(uint8_t*)0x200000019145 = 0xb; *(uint8_t*)0x200000019146 = 0x10; *(uint8_t*)0x200000019147 = 1; *(uint8_t*)0x200000019148 = 0xc; *(uint16_t*)0x200000019149 = 0x40; *(uint8_t*)0x20000001914b = 0xab; *(uint8_t*)0x20000001914c = 3; *(uint16_t*)0x20000001914d = 0x100; *(uint8_t*)0x20000001914f = 0; *(uint8_t*)0x200000019150 = 0x14; *(uint8_t*)0x200000019151 = 0x10; *(uint8_t*)0x200000019152 = 4; *(uint8_t*)0x200000019153 = 0; memcpy((void*)0x200000019154, "\x56\x99\xf3\x92\x8d\x2d\x0a\x00\x63\x3f\x2b\x02\x58\x4c\x01\x6a", 16); *(uint8_t*)0x200000019164 = 0xb; *(uint8_t*)0x200000019165 = 0x10; *(uint8_t*)0x200000019166 = 1; *(uint8_t*)0x200000019167 = 0xc; *(uint16_t*)0x200000019168 = 0x80; *(uint8_t*)0x20000001916a = 0; *(uint8_t*)0x20000001916b = 8; *(uint16_t*)0x20000001916c = 0x6baa; *(uint8_t*)0x20000001916e = 2; *(uint8_t*)0x20000001916f = 7; *(uint8_t*)0x200000019170 = 0x10; *(uint8_t*)0x200000019171 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019172, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019174, 0x98, 0, 16); *(uint8_t*)0x200000019176 = 7; *(uint8_t*)0x200000019177 = 0x10; *(uint8_t*)0x200000019178 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019179, 0x12, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 3, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917b, 4, 0, 16); *(uint32_t*)0x200000019298 = 1; *(uint32_t*)0x20000001929c = 0xc1; *(uint64_t*)0x2000000192a0 = 0x200000019180; *(uint8_t*)0x200000019180 = 0xc1; *(uint8_t*)0x200000019181 = 3; memcpy((void*)0x200000019182, "\xb6\x43\x49\xde\x30\xb2\x3e\x68\x3c\x87\xb0\xfe\x59\x34\x1d\x26\xe0\xe3\x91\xac\xdf\x6a\xd0\x57\x1a\xcc\x05\xf8\xe5\xfc\xfd\xc3\x93\x6c\x96\xd9\x99\x06\xc4\xc1\xe5\xd9\xce\x59\x60\x9e\x60\xfc\x39\x40\x29\xa1\x9f\xec\x98\x1c\xfd\xe7\xe9\xd3\x8c\x14\x65\xf6\xa0\x4b\x5b\x0e\xe2\x98\xf5\xf2\x1e\x58\xf7\x1b\x8f\x71\x00\xd1\xbc\x55\xca\x97\xb1\xb3\xab\x63\x48\x5b\x92\xe1\x66\x30\xae\x0c\x53\x93\x15\xc2\x5c\xef\xc3\x47\xd6\x6d\x80\xc2\x53\x1e\x81\xaf\x67\xe1\x79\xc1\x69\x66\xbc\xb8\xe9\x98\xe0\xcd\x1b\x3c\x2b\xdc\x6c\x04\x99\x46\xed\xb3\xea\xaf\xbb\xd9\xb5\xf0\xfe\x7c\x59\x25\xb6\x19\xe8\xe7\xcf\xce\x1a\x62\xc4\xd2\xac\x45\x97\x40\x06\x5e\x9f\x9e\xb7\x22\x02\xc0\xed\xae\x4b\xfc\xf5\xd1\x1b\x93\x14\x58\x1d\x63\xe6\x88\xec\x40\xc0\x37\xa3\xc4\x1c\x02\x20\xbb\x1a", 191); res = -1; res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0xde, /*dev=*/0x200000019000, /*conn_descs=*/0x200000019280); if (res != -1) r[46] = res; break; case 74: memcpy((void*)0x2000000192c0, "\xb7\x25\x34\xd8\x42\x09\xa7\xa8\x62", 9); syz_usb_ep_write(/*fd=*/r[46], /*ep=*/3, /*len=*/9, /*data=*/0x2000000192c0); break; case 75: syz_usbip_server_init(/*speed=USB_SPEED_LOW*/1); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :7566:17: error: '__NR_socketcall' undeclared (first use in this function) :7566:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor1882575403 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/29 (0.41s) csource_test.go:161: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_io_uring_complete(0x0, 0x0) (fail_nth: 1) write$cgroup_type(r0, &(0x7f0000000000), 0x9) (async) cachestat(r0, &(0x7f0000000040)={0xffffffffffffffff}, &(0x7f0000000080), 0x0) (rerun: 4) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0xf503, 0x0) r1 = openat$bsg(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bsg/2:0:0:0\x00', 0x2000, 0x0) ioctl$AUTOFS_IOC_READY(r1, 0x9360, 0x76) setsockopt$pppl2tp_PPPOL2TP_SO_RECVSEQ(r0, 0x111, 0x2, 0x0, 0x4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f0000000240)={0x6, 0xa, &(0x7f00000001c0)={0xfffffffffffffff7, 0x4, 0x7, 0x1, &(0x7f0000000100)=[0x4], 0xd8d, 0x40, 0x42, &(0x7f0000000140)="397015495b433e062b4ef549b056c6053006148248bee934bd6a208a2a61c79f4a49357e536538e086957c377ed1f5a646b74017e305842144812e9bba2901bf4411", 0x9, 0x1}, &(0x7f0000000200), 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f00000003c0)={0x6, 0xa, &(0x7f0000000340)={0x3, 0x72, 0x23, 0x8, &(0x7f0000000280)=[0x107c, 0x10001, 0x7, 0x5e, 0x50, 0x5, 0x4, 0x1], 0x80000000, 0x4000000, 0x7b, &(0x7f00000002c0)="318d74c326f1d0a1ddbde1b51264ef98bfda4fb69c29e7e26f55d00aa6bd2497e23c8495bbc94403a7cba75120bcaa832dd53aee8ea1a66a79dbbaf3f0e23210a900059df2ddaca7125bd90eb91fa2c9c8109eb62552e90a219ef966dcaa594c33a1e623bc0d18fe1db97c9eb7beab52ef03c21bf7e61449526687", 0x10, 0x80000000}, &(0x7f0000000380)={0x0}, 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_PVRTL_TLWRITEDATA(r0, 0xc0206440, &(0x7f0000000500)={0xf, 0x7, &(0x7f0000000480)={r2, 0x77, &(0x7f0000000400)="8e468e19aab047d4e00e0ed7fae1830e8eaa0f74bf5f1a071c66a6cd46197d7c22aa47147d723bee80238fd9e275b5c9ac9c8979f6fcbd068acc9469f561db806a720d53b1dc48320b365bad54f04e1acd0ad40862618d0e8953cd0202169e1549392bb2edd07d80fd37fce2f6f848013f383853951906"}, &(0x7f00000004c0), 0x14, 0x4}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@data_frame={@msdu=@type00={{0x0, 0x2, 0x7, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1}, {0x3}, @device_a, @device_b, @from_mac=@broadcast, {0x9, 0x3}, "", @void, @value=@ver_80211n={0x0, 0x7ffe, 0x0, 0x3, 0x0, 0x3, 0x1, 0x0, 0x0, 0x1}}, @a_msdu=[{@device_b, @device_b, 0x70, "387497a69841a2e528b4f29912f3dd10b50ba5a1e170cc5b6d1c7a78f57a5e0fcc9b2e9a5e87d25516580ea1f223f1317f86ecc39117cf0e535c2e2befcf11ff81999d1b87d9b198c803d72ad724e94c783ccac7763ad34e6f7491b3637ce2f46677a7612873ed0a3fb64c0b3d78503b"}]}, 0x9c) syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000140)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000180)='bpf_lsm_path_link\x00') r3 = syz_clone(0x40000000, &(0x7f00000001c0)="4998de6d85ea9e09841517b61ce22a88", 0x10, &(0x7f0000000200), &(0x7f0000000240), &(0x7f0000000280)="b9662d100f99f4e91d1de2c980ce459994b046bfe06b9a28c60dea9680ab4bcc3f5d3397a5a251d7ba7693b7eb37177d030a2b3fce8a232e5b03f10a948052ee907fb32f575b2310fae99107f95ccab714722f59ecdb") r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000540)='./cgroup.net/syz1\x00', 0x200002, 0x0) r5 = syz_clone3(&(0x7f0000000580)={0x200, &(0x7f0000000300), &(0x7f0000000340)=0x0, &(0x7f0000000380)=0x0, {0x22}, &(0x7f00000003c0)=""/179, 0xb3, &(0x7f0000000480)=""/66, &(0x7f0000000500)=[r3], 0x1, {r4}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000600)='./file0\x00') syz_emit_ethernet(0x56, &(0x7f0000000640)={@broadcast, @remote, @void, {@canfd={0xd, {{0x0, 0x0, 0x1, 0x1}, 0x13, 0x0, 0x0, 0x0, "52ba74a68ef063725a233b9509b8fd57d58ee264c37d44cd7c1e1075f83d41720f374e7e3c9c01b86bfdba9077a2c5bd2b73eb43874764a25316bd3b28368a77"}}}}, &(0x7f00000006c0)={0x1, 0x1, [0x193, 0x6b4, 0xfe9, 0x1fd]}) syz_emit_vhci(&(0x7f0000000700)=@HCI_EVENT_PKT={0x4, @extended_inquiry_info={{0x2f, 0x4f7}, {0x5, [{@none, 0x0, 0x6, "d24446", 0x8, 0x5, "43ca60b9ed4eb6934c4457f2bc5aa0ae593beeed8a789aefcfb8ec83ec7529d54cba5b40db8e0bbc549bf2daad5883da0869b376fdc0e0cc708e0215c9ba10d54ce801346c9731123e8edc523098a8c4c4e09c8ca5afaa510b825705bfcb534ccb8161511b23c1ef7eac6690ff08a8b48fec50ca28d759369c7000689e8e5efa7d691c1c67b2d98dc9bce7fe04657d156d148fa4c0e8ed5df1b820ab6fbd4c2f10f692da5df9e9e9e7463f732b908fe70608b36c8d33664739b2fbd81806cff9b2a19fddeca0685d84a3b4fb6e4b2da14198bdccf86f6daabd361fe7a259ac83c1e9a1ae73429f5bd2465cab2487bdd0"}, {@none, 0x9, 0x6, "7aa2fc", 0x2, 0x5a, "052195f68d623e277339549cd0596ea8d93dcb3704365a1fe131001ddfc78677d59246b7163b2a857523bc03137c5e74d51f91c59eea5ec1c9003d000733a466a074866803d3394bea9a3b3d7e5d67755ff3abb6cf741dde943f2a053ad9b328d0c53cded27abd1cd237341fd89842736abc794f81576ed5b95189dd4794b90dfe6748ae5c405e0827a8439ca368fbd6ea5a49d147e5364c2ffe32013afa0b7b4017951cc96a1d5aab926c9a85ac3529020fc62b2b8faa56f674682b27d994bcb4746d7aa06ef430a6140eec740627569287c2abf99514a28751d16d3b7aec64c16a217bfe2b13bdaa911d976f481516"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x3, 0x5, "24b80f", 0x7, 0x7, "b3ada341371175469ded69ecf799e4a1194f89133c06019703d569cd1c29c53a302e49b159a78f22df58260ea65730f1d60ce2bffb5bb00da408a73ba94586b850c8bdc188017de780947019c1160e4de6a4bcff9679840ee2f1bec62851a512f73912564c278f8bcf11b2459af745c4e302f7542fb586c218df5d5d741dd3b331b090adf53a39e6d179f698937eaf1f296ed38be5f78009b5593fbad7ce8de3177e1b85401c9b10180116ab3dd2b79fb27cf6b781b02c10d92b9077231baff2d796bdd6a60934decbd4730b8cd3a7f5d73b9d56fd8fe4428a8ee6e9aab0f07a170ed8880da6937863d6e273a5a50847"}, {@none, 0x2, 0xc, "ea7fc4", 0x8df0, 0x6, "717a9cb0a4bb327cbcd40c45a41da58abafefc56db61d4de5f808e54dafa830d32821b9b3d09636dfb4f09884853b276996613006c4936095b667d41cadb7d45b307e434c15619b8d90319f2ffe145511dffdbe0c87aa2eea977359cba985c28336398cb6fe4939f4c70271bb9890a63ce61b91d2ff386c94b83c3fee9a43bb705eadc97907676652fe06cf8872966ee9d8cb21f242185448f0c688a9d0b6bb5923c37587850bae8b0438915fa4b062009eacb71d33909586de59d758a635e4e18f5c5fd4e4cd08134cf4af6e71c783cbc71ea85fbc2e67d8499622ac2460d44822b33339f122efe0f0b0c76b56c3473"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x10, 0x6, "c5ecb3", 0x7, 0x5, "230276296df7a839cdb0c698a3b6cebba6e7f8f843267597af962842e4a5f003617064f27e1db99a03c126776b86d3b4b4ba41356c681f7ba54c248e2ae9f43ef5aa08f30721c5fbb3d7a0fb95da303be2e2607d775877945e61f5c98b72e4bd3f5b92c3ebc55a167e4bab5f16468e5d14ce3c988f71872d0985a2f50374c672de1477f60bd549a28206d4100aab9c222ba3330476025534ba2faf03a5c7e8885fe8041fcc9bf6de815abf2e09175e1981f89551e9b5cb59bb493e950edfc5ea0036351e4978cd63c8a50646e7104756e20605773fbd3e7131b7a55d8b60086b4fceb02b3015ba49de2d541fb06a9d27"}]}}}, 0x4fa) syz_extract_tcp_res(&(0x7f0000000c00), 0x1, 0x5) msgctl$auto_MSG_STAT(0xab1, 0xb, &(0x7f0000002fc0)={{0x8001, 0xee00, 0xee00, 0xdaf9, 0xd56, 0x6, 0x7}, &(0x7f0000002f40)=0x6, &(0x7f0000002f80)=0x8, 0x9, 0x3, 0x6, 0x7, 0x101, 0x9, 0x3, 0x7, @inferred=r6, @raw}) stat$auto(&(0x7f0000003040)='./file0\x00', &(0x7f0000003080)={0xfffffffffffffffb, 0x2, 0x1, 0x7, 0xee01, 0xffffffffffffffff, 0x0, 0x74ff, 0x4, 0x9, 0x5, 0xc50, 0x3, 0xd, 0x5, 0x1650, 0x4}) fstat(r4, &(0x7f00000031c0)={0x0, 0x0, 0x0, 0x0, 0x0}) shmctl$auto_IPC_STAT(0x81, 0x2, &(0x7f0000003500)={{0x6, 0xee01, 0xffffffffffffffff, 0xe, 0x101, 0xf1, 0x40}, 0x287c, 0x6a1a, 0x2, 0x9, @inferred=r3, @inferred=r6, 0x0, 0x0, &(0x7f00000033c0)="056976a58633696b63367a4cb488b16ce85e89943e5f0928ec40d6d893807fa6c44c5d38daab118433a7e8f1c46e1f060f28165f41adb8e679cd9e46ac384774e56bca1880a690fc3f8ed5f124dd98467a33bb40cf191cfbb9590f59179bb611cce789225922a0ef4f2286f87f847214fe25618b989a0501e7eca7170a3913bc68b4539966e289ff94ac31e8823668bd0499d09b055c41410ba2f2101abaf7155399f97ee924e9277e6f54819f12fef3c5769378b344b6ff6409edc578c6c93accb0f08a5d8ffcab30cdbd713d1b93ee7b8eefdf77ea", &(0x7f00000034c0)="020c5a2af3"}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000004640)={{0x35cdee94, 0x0, 0xffffffffffffffff, 0x3, 0x6, 0x2, 0x80}, 0x3, 0x8, 0x7ff, 0x1, @inferred=r7, @inferred=r5, 0x9, 0x0, &(0x7f0000003580)="cd052c206f368b4a7d16e28cd36b1ea6d10dab7017b7d085ea27b3e3389d760d2277e20febc686f359d6083a629e7981089e0419c7b562dbbdc2e67c1e95104a390549c9371a4345f2aa7d8458094c6075b84d11486d27bf68233bb457eb106bab49a3fad299b590025e4fb5e43c712ad891f39138bdb922ea9d21b7cfc7c343f9a21496c66922cab8e66535337a89a717c354bf1846b506c234a3093d728c6baf272a6fa5153dc039f87e0a36744e1f80f2aac030e2f8ae6a7dbcd3f17bc68ad0b61ce31212c46edd615d571b338e22c0ed5d26f7bb2f365ecb2c432647a7c6d775b0e41db928f9e7b2af72d690acf8b2ad8c2e000505b6952c4ab9e2a8ecd07de44b2b48af7b894696ae567b6dd0a1f99b007a8fcf41db20827f58325a9e8812354425bdcc3f81f2d3863d7777fd80360eb8b9e77e47059a1d2265733c4a8a063b45ed0b8c2481e1cdeafddc5f42c931b3d3e710e4538bbad815479cd9afdc5cb44723026c4bc006e256f6f427042c6765a3b253e9356ca1ce45d9d83d5e111928b47a8ab8422b37e8c382436862c944e08ebbadd1a33686219ab8cf995c12a7ab7085a79a7d1ec3c6cd73a443cfceacbaca1d7fc0cf34d58c9277881f983746ff62fe41d0f4f7a12ff44f4ba5bf7d8935bf09a88ad98ea8a9124de178c28acdf1ba1a9734d6c225da591c229d313fcbda810b0f1057b0730a9572a807758defb579db3ad021ac316fb744a1582c16256ea1c6bfa26c73af1e2b6c4b8e7ef329e7cad7db91799dc044aecce5f06e803a4d85bcf5f45dc015d13e3f2c1892099ee653777ca5f6c92e41f4e30ba30f832703df08a416752b831b46c56563820fce5ed3421e9b2ed0a19c64e9b2bb8081ea08255fdad2f235e7bac68f946b3427a44a758e78dadd8e42a909a77851bf66b01e427c2fed94ffee1d65e21753b39bce8daac6d6f11696e003a5f3c21bf9d1cbf4bdb8f3cf5ae542fe7b255fb5ae7b184fb59db73550d293254277b4f94a71c93a909bbbfaf3df95c3e7c4170fe8b91f9ecb8673cb5492750edf45c76a20d94e21b0d3614d3a99f7c9e3978faf09e067f64926204cd090a9f115cbe7f727f5809976aabd337e8b2aee42a9bf68e2fccd4152b3d9831149d40c75469fd9b03fe1860dc1920ac7d869ed88d4148cb746f5eb32a2761eed4473c54315d0d91044b62a14537c825c8cf578fbd68cf8748d67722e27b81f9fbcc13271c23335057cabced862125f764f5321f59643514392b72e2de32b1a54e4096ef73d0692ec6a365c035d0cbfdf77ac650e7de4c3dcc5a2f60c4e08536e75ccd81a41425a1de44ea275baaa2a7cd16ef64b41cc71f856861217bf243e8f61c899f56f4c64e116e0bb020986eca1f2a0d8fe1ab5130b639a7db41b54fd262ac858452a2c79d82d99ae5979571701dbb30fc7aedf237dc785bea7576ede6cfe60c53d88db5e7db59b3214c8e7f081a61d3b699eeb802e6ef4e298b87ab22a20bb1f3e8e4f7fe56c318d4bfa3eb312b9f3e75957bf62647e309ca0a5f669cdedb2c309aa7245cc832077f641b2cece614f0938ec1d456600fa30064f249e2f8efbacbd9d2eb90e99fc0938edca24924edaed9fbc50b1292e6475a5b4f38bfd379401eeda87b2d17de03ceb23d788db69b548ae2456989b8a5189d3800203890eb9a0491a20f44603c881ffb0647e7ff291139e80a5c46aeb4322e59356d9fb1e6dd3dffefd4df3e35eac72f2921774771b8e288adb818c8560554a7ae3647ae49baa80776b747abc82dcf9e408e8fd14472d3a5d7ee014a7ba4374306a6eade2df580389cad9f548bc42769b27c8c4aefddbea9c3d89d9960551cfcbfe37c214cb5fb31d9835f1f8a8857e53b36e91bfe3a2e3559d3838050afd13bfc6924587c8d22c21c2df3cb2a0e06f01f23103c4b6955a985a7b26347a6a9d178e835e775365d41fe3443ae79970dac382a32a597c3d567d0511b5dcdb4ebd1271db6e675a4f343f9501f10ab4723738bebb6366241cd602673ff9c76912de6141c5cd4f2ef95e7efd66dd51b565dd50035f8f7e86b576d5129481ae75f7a9b7cf033a402502d5d1b5aa4115ba1b84f7f2cc284e3f636a234f40e0aa118c8f9d0ce6fb7ee613cc2f1cc7ecc2e264b2573ac3dc264aaa27643a483a1cb38e2b0237775ecaed626f7cb89bc563492ffe1e5ae6401cd82a9ad0fbc32f7b5bd3029bdab72a8d47f34b37011e9fba52075a56b89f2963edca796930a4998c755da0d251da985a1829cd10ce7665d2b364776bd6c76ef9978f800b453fa7c2704838dde05f2f6489f31e35f6d731c2678f3285070f297cb3bc03c0a012b22fca31295576acc3e679bbcba5fceb7ee7692749fcc58495614eb4a7f3a1fa7f21a655172da28ca916292dc7484834c31a3e5f54912f10271d5867e57bc46466d781bbb502ef32ed8b2b4452a58e212e7db8aee573dc6252142ec5bf2683ded9a58b60cf7883ef04bd502e3df2d621bec0e7fcaf6726e84fb1c6953722c7b8523d4cb6e4b55bc3d196c793c44858814b029eb23e8f80b66aefdd8be21541228608852fc354f75605aeefb828971defa68e28cdc694b24f2f461c707d27b98da4000f9c823ebb3384c50d6e41e5ddaa601b696f41a9ba4feee08852874bf0e31d20152895e1da84a94d529a194be53a886304e7e360a6a40d2d4074905bbfd06e3713375b31bcca23f4db67da9bf6920a5bb44885dcc3086ca7895c1069dd35f189e57ce60f8e0b0b5d337bd669d3deac1f0115570a5fa6505fac83c621c46f693d84dc77e2148e887a822d86c8c0ff4c00485c7f37a5198c69c881c158b744fd09cc76c0574f4acaad646204552774e98e17c3998e34e75628da2630a531cfe927d3c55ef02df3377eab25143589a50a07a32906e714ea42584b3d69d7ddda2fc0fa486a0e93baf78ff1b35d98c0823841230a26b52120a445115adb78d8fd99b71ab86bd27aaecd1659e89f99efa54f8764c2f4bc01975ace6f35d27c2d18c713a9947179211819dc42f7cf3fe6b546674f1446f0c81aa08277ec6b140e14b6e4360782bd17d03255208cac917a5f8ac03e6e8d13d0e62d11bf55d00b3f8f1e80b8551bd7b65b6284d1566cdfdf4307a5ee5ce8bdd6fd04a3edb4871ba97aa01d673af337698f0ada53cab9bdf9f631d0ccb7617ff13e0a3b3785ed26db722e163271b1f5e4690005249427bd44362c6631157286dbe4ac19620b55a64fa6958fe32ff13b1addfd7f56a16f79daf4e9278727578d0154118fe591a0d89af07d8bc3582cf51a01766d9c9ee3f8f80b58e86fdfbb4770e6cf2554b0d9e0769928c4a2f383aaa525ddf4734f4cb19996be80b4c91f91bbca6094ab910b665241e29b3d48784f80d32d2161347d2bfd791a66c6e824f2308b07f767250d11626dbdcc9613683e46cdc9903aa0848803b4a3dfb1fc9b350d47164ec59db3651e1f5f9a5cc1ad484654ac3a7f013badb6a0ab87effaffd526a53bead659a15dc2fd631dcd843ec341804a563d06ff6c5631dda5044b9a99dc77bc4a4fe326798d672d450727e81e491533e6a21121e3b8e5cde35fb84e74fe5011896235fe05f335bf12e317240191e742df9438752984fbc697a53b3950e26b3da9031dc234e843326d04fe096b1c89ce93bc6c5a60d7e6f0c5e8438fd10fa66b3eef5df79a3df515245e2f370b913b9333875906015460283f873b82b791fb4db71aa4f57d8182bd914613ba4d85f2490bb9bfc6940c5c4986c544308c3ac22b795fcb0b5a062d3a15ae30f6b7ac271bf9aac4bdcd949aaee1d7bdc8895eea12daea16185d869d6cbd971ccf16e4da5d70376437a20b6ea6c35c507eaee0a0221c70527d69c57eb3551c617320ed3f817ee2a69988120964b331137406dde202c243a91a0d810d1613ac8709b26a0eccddd7fc75a0d818276cb4953bb8057626f23b721d6073d76586397a8f05d060d4e2dfcf14de48fadaae6ecbd5fbfe958a2f931c531ea325182ed29872a3dfec469074bcdabb2a1a13fe24667efaaa26c50519aa9335d306fd23379939743a10ac90d3171b3bd06a5b463ad1b612ef3d54f53fddff55a8eaef0b6f78779d948f7aa4598a1dcf726aaa45b99da0bca196812f9c5998608489e80ddef13a4b8eb030c71742c304665e15a9f56a77679e7c4d70aa84a53466bc5f50d55a676eae3cdf862936c8b2f3451e2187b7ae8ae1446e090142cb89e4ee09e40cd4a0fe820ec28450ed7e7ae2e0e47a3d4054a4acf536e9a3efb8fbf5d0d6fbc69a51bad4a6723d62c8311ec224ecc71048bc16f9805d917a8a6294c038b2842d61de810db1b1a6f37720d3011f5e55803850b6aa0c4bab3c812cd7dbab18a732ac8e167c49ecc8359388a95080cb1d796c324f1a9c3795749a36682357601b260d85c710dd0c67173a8e4c1aa1e95ddb860e37c44c990ec5d11c0e71907c3e5e5fd247fa321de92db50684506e829447a8c85909d2397ec11bbe0613a4d8af44c209bc4570293e9cf7ba6f47754fd0506ec34af2f9ef20250edc01f97b8374d82c7509a231b0d5c9b085f9948efce68c5712f96afcf4f92a1eb34934b1d664344104337c2b5028c8c7d6d7e62e74cf283d61dac1ad8721505c4884a81cf692aa33f801cbc7eee1ae61bd4c96a4b1adb88f24b0a5e7815c537b25b8bc2ee283e4e05fa0f157f194f5b22d6d0267fb0fd5ab10be2230cd21f870e0e651b5747bb7f4593ef52c8a2e51d5093ee1405e49bba6b36cf97f0b2f7150a10ab7669478a4831f9c5ee6790e91e93b0e814bc314b062c68a3d36cf48da349b0223802722d76b8bde97982f78dddab064084b3eea0a335bd0dd8461b10581d4a9aa699d542dba4ca8464f62ad3b9cd7e82026a3fd15c2bdb3e30a7643e82f2c8e764498866989e2fe5a9e89c237404aad6b55c2be458e3f6547f727f0b2c9052de4839a6b5f03f5a788e5a14d8448ee25b3dff69002d5fda5cafe5bed8260285b61ce3c53c16288ef8af1759f631360aee3bdc5ebfc229b967d1937996553952409f5f5860820fdd2ed846dab931b2d19fdda50693a926a41e56060f2d6c13c125c0c4b08e475a992cce4b51e0f76ebc3c7362fb1bb0b9805332c162e1e09d1ff0eb73b24e40d6188136bbc6ef8a36f632ea32ea4c06199181dbb78f399f47dfb4633d0f0768ee3d33befdcc3c0fa089c2182d6a85b272135eae3436bfa09b18b1021f37097994ad71ac94c97448e2b252a758616c15f0966447de5d6487105fa408042c90a9a89ce90f0728d7d767c472f60a1740c77c0a64af3ad4f94544ebb3de794201d17d6399765e055a5b94d569c6618e114275cfe79c2636369424e01ca8b8e3a530b924316f43df7e43cd070d1b09e8cc184ac7ae979119aae40155a2a67329e18722c3dc72dee0049eb4c29b306dc81de1a1967cfe17e97ca476562cad43e84ab3ec6e76d358829baad982241d0db7445454f6a405405057b57fb93dfbdc8dae5b30c64cd220dc48fdb5667a3c065f4b308bd076f95c810e91d5b2b921126128520028a700e506da6c7617f624242a59b874d06040911d534a0e15a5195fd8d9cb465176275119540034892cc6e6aaf174b06435625f9bde8e699e28cbeed2b9ae0fc684cbd8c77bf838086450395f22cd025c70460394cc219789fc7568379df9856583f796c8a2944b857077bd29f5478e8b3bdf916e6d67963f8c039ba469b60d0a24edb6f9e00402b6f286d88a4fc10bf764d8c37252710cb47b5693708", &(0x7f0000004580)="820718733b49daf8ed80b0ed25772d57d77435ef1da1ca4f1930ad4e713b84d4c1a24c712f02e0b86d1842c164415aa9e490e6c8230a89e309faf07d239dd7cd35da5cb5f36919db06df51a5a9c5fc8049897d04bb731725ff5f5d98476e15b1dbab8cdc405c2c17365805e27a61a5f061e7ead100272fe2d9bd8cae4a261b451919ebb927204c1f63a8908147b99835ba994378a32f9f1103574a08934fbc79d31aaf13"}) r14 = geteuid() fstat(r4, &(0x7f00000046c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000004740)={0x600b, 0xf, {r3}, {0xee00}, 0x6, 0x3}) shmctl$auto(0x0, 0xb, &(0x7f00000048c0)={{0x1, 0x0, 0xee01, 0x3, 0x6, 0x10, 0x1}, 0xfffffffb, 0xffffffffffffffa8, 0x800100000, 0x0, @raw=0x6, @inferred=r5, 0x40, 0x0, &(0x7f0000004780)="1f8aa38b61938fb7299a96aee61f6cfc70190f9df301d40ccf557795fc00d7759efa4ad1661cbb0d54c310aabcc29285c2ce84fcbe97407d849edec2f598b205fa5ea2460d0f615ad87e7e2605e8101f58adb62e178c78c454580a55d63f5e1d11f932250d1fefd45195451588bf530d73d83076a93a289b613bc68b49905423d7d5ace8016292e80377fed1b58877d9c4d04ea05ba8", &(0x7f0000004840)="b7376d34b8a4cc32667d885991bbbc6828d08bd669e6af09fe1e55bb32d885d217afb95645976390dd7308c504c5d39953a783b065bd4f0a72bfaa176a0d2acee5c8e41ff9b692a41d010c7b3459f84c721cdc4c7dad40cdb171ae49a556c98b5eda14db8d4cdcc0b47fa75bc9faa171e68b700c4960222516f6d5"}) shmctl$auto_IPC_RMID(0xfff, 0x0, &(0x7f0000004a80)={{0x8, 0x0, 0xee00, 0x5c6, 0x1000, 0x2}, 0x326, 0x3, 0x3, 0x7, @raw=0x1, @inferred=r5, 0x300, 0x0, &(0x7f0000004940)="8d80000898d81f2a2a537fc21c52023bc6ee66954a12a93f2418cd8b0b69067e3ffbce8f5d7431e001ed255fb5ed784374aad30a67500f8f6c042bf9e6670660d425f7611c7ecdfc450c05ef9c0a65c62dc2215fec7c02b712de12f5053e2c3f60d780fafc4d1ac221ca0907542932889c", &(0x7f00000049c0)="9ccfda869deb661f5fc9ba8f62d29a4ea3be9286f77ef11178f96e25e8bd888ecc08d452e94731dc6e97d39ab9814eec357acbb7ad4232899315b74df9b4df71302a482e3c52fc988162d57139e691028753aa86b20cbc060ceaf9de31cfbdfadb2802232870090286f90b426c18866fb62bb4662ac9cf938b12c2b380a1324d8313575eadbcec1a33832733dc87a6f8ef25230fc815e2b6756e60144a41195769ee48e21d497f0eb19aa12419eb8045ac2cada387"}) lstat(&(0x7f0000004b00)='./file1\x00', &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r22 = getuid() r23 = getuid() stat$auto(&(0x7f0000004bc0)='./file0\x00', &(0x7f0000004c00)={0x2, 0x3, 0x5, 0x6, 0xee01, 0xee01, 0x0, 0x0, 0x1, 0x5f2b, 0xffff, 0x2, 0x8, 0x80000001, 0x5, 0xcc8, 0x6}) shmctl$auto_SHM_LOCK(0x6, 0xb, &(0x7f0000004dc0)={{0x2, 0xee00, 0xee00, 0x401, 0x9, 0x6, 0x8}, 0x0, 0x8, 0x101, 0x4, @raw=0xffffff46, @raw=0x8, 0x2, 0x0, &(0x7f0000004cc0)="00b8fcb8c51e1af15f5b1d2c15821bb8f4e846f20d662dad19a0e59429994859bb1d0b6c63ef694416acb494494c6618f98573d370cc435065ec4da9efd3f67626f44c18b96b", &(0x7f0000004d40)="23c6651878ddaa085ae0bdfb7ccbb08b71af34f9f1565e8ac77c5293baddfe69ea20aced26de58664b32ebf6f734d3f7f692065fe4f99ea283362b12f96cb972632e80273d014687"}) msgctl$auto_IPC_SET(0x1, 0x1, &(0x7f0000004ec0)={{0x0, 0xee00, 0x0, 0x19, 0x6, 0x7, 0x53}, &(0x7f0000004e40)=0x3, &(0x7f0000004e80)=0x5, 0x45, 0x38, 0x0, 0xffffffff80000000, 0x4, 0x42, 0x7, 0x2825, @raw=0xa21, @raw=0x1}) shmctl$auto_SHM_STAT_ANY(0x80, 0xf, &(0x7f0000005680)={{0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8, 0x6, 0xa87, 0x6}, 0x5, 0x7, 0x6, 0x1, @inferred=r6, @raw=0x5, 0x4, 0x0, &(0x7f0000005480)="feedc6aeab06ac00e00a4726dffa893698621bfa7d41a1acc3b82488d27e0ad499d0f4717604496303a3c32eeeb44df079182f9c1f77ba86b5d75d3cfc32f45062e93e184cec890244b195f2cd11bb0a90f2a2d8f67cc5c0be21ff7a4f4d4a43b7fb2ba733040d26fae0fb332ccc405709c4b602936c96942a8eb5ae327c87db6f2f6f610f803cc6d8d2099ec2a87419cd0c206b74ac2497ac1f8b637cffd4427dae82e77beaf37ce6f5d2bddeb31944c36a67ec4346592b8b0a7f4f28c952c8f6bcbe0a5ec35aae354c1f9e66bfab1fa0f8fbe02e56af6ecce525617800b42e8cb5831e20ae90e73bdd29da4c8b8d1d00ad8e8e8d8f", &(0x7f0000005580)="48fe27d996540af39ee63ed5b8cfd8523c9eeea2a9f619601421c6140e3a984abc8a5f421ac2621ad09dcfe4b7038983e0e88240cf3dd61196976f836b58bc78e8d080446c8c46fa4d9a6b522942ef8d58f89f4010f6b62b5aff902753b62fb29fb8a8a3a475f3e0e445bc8a4fe018fb6a5e3c2d534aabd3b0915d7b065781ca8cdb3eb734016390638cde9640375b4dfc90c211603b5ea2bd44295750415067bc3f147a66d77dcfbf658480369e1d1f193dad08c00f36c99af5c1b52ff0a1f2e893841f1a2de097fb0e001abdb956f682de1ecfc1801ec9436f864d3abe6e7f9e332a32e9e5445d85ed613ba1d59a8ae483ad90"}) shmctl$auto_SHM_STAT_ANY(0x7ff, 0xf, &(0x7f0000005980)={{0x0, 0xee01, 0xee01, 0x80000001, 0xa, 0x9, 0x50f4}, 0x8, 0x8, 0x4, 0x7, @inferred=r6, @raw=0x8, 0x3, 0x0, &(0x7f0000005800)="db4118b7fc550b52eec4c59cf4b93c169cd2e4c6b1eb5a84e95bb2109386544d8185388c504c495c8ef8b3d196ce76844652a8d2eddb5eff1169a558d6e7c56d46aa70e6298fbfaf95fa39d53985944c382b26cb4ee51e021bebc6e6e80388", &(0x7f0000005880)="11d01feaa20648967b16d3e6cb0d4989e61fca36740792d8808f572be0b70dd4faaa5ece7385998367d7daf2350e52a74dde027c397711a18faa7b877c14e92f48636c7b021b50828c936f30bdec29c674139d1d64369d02d6df35bd75c54a729a1c28f94a00497c2912e4f73e55746dc437cfb64d826fb5dc13286f2d3dc8a354ee9576b8b37c407814e55241fd871608c599ddb5f980e7c01c23b02b738ce34dc1f4d5577f02c5537eec8d5c15f8c93a7d450b4701de03802241a34c3a07a378119cfbb34eebe8753a4851cae1a14a124749ed8caaec19d2220b21d71edd4085672238c4582dbe77ee258f7504e586845878a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f0000005a80)={{0x1d, 0xee00, 0xee01, 0x9, 0x7, 0x100, 0x1000}, 0x4, 0x400, 0x3, 0x9, @raw=0x9, @raw, 0x4c17, 0x0, &(0x7f0000005a00), &(0x7f0000005a40)="20fca2d9a84b149b22cc118629f244c8f9909cbe317ad4693e5c7ddacf6ff08ff96441b29c38fb9a6161aac42a96f4e5b9a9ed648ca3d600f7631486"}) syz_fuse_handle_req(0xffffffffffffffff, &(0x7f0000000c40)="555b078cdcafe3df82ab074500b854e053e9be2bdea67c3fdc61395f5bcf269a1a3db8dd7f3db0cbe3e9ee7f3fd773e57fb4f6aba53b0282ae6ab4f9b9d69d362ebd6f9917ffa585a5e2b1dd85afdc2e0b9fd07d2bb693d6871743b73eddf8e6cc6e58e502fb0d8d80fb48be00be3acfe35fd1fe21f97c598eca5e0546f3f6eec8f7e403e8a80b58fb34342e2fcf0eef3ba1644b262d0a877deba64622aeee38f1ef528cd836085fb4f8437ca36c3cc211980a6523fc6bd07c49747f5f9d6d79ca435f84f59af8bc5d7a76ad9a4d29e4c5eaf20cf5e373c2677a048b4a064b25c80e3c225aefc79861e39f8898dc749ed0432a3474299b350ffb0c53cf96ca64a127308b7a77f80ec1ad1ca74fc58f71803c787fc89820ce647e6eedc38451b70b1530cc7060d1b0727b74685e6adb3310cfa9ed5165e3d3e74a38a7b5f2502461b93d633693f3c9259d2fa0ad389f2496c5c2e3df9f85c1a8a858db4b7c5815fcbb656821e1844e7d6e0f3cfb64528f9662979ac9a8ec10eef0603b3d1d78d5d2a485486aa8cc310e490b9471ae127194151b732ed19d494ea63d2836519409a213425fe1005e46695f4b24be7b25829653e41c174b1bc69f108a076769c652405d436a7c698ac8e54a850c0ed0249a8250e5548869616b9a72f26cb97096cc66cbbf0317a17f96ee0bae08024d5b80dff8be40c822d850f749e7bf5433d252202b03583d8b87b5b707905e3c8461241fea66c5995a3de30ef8e33bf0c792f23a2643be67d8e077b16a84e52d80c3c3e8c3ba8e58d0683d00412b9f98732524113d24c89ebb020ba631c1618c7c1dedf18ee59c677e585299fc6bc060d5c3f57f9d529f93c37e086db0ed5993a05dabffbae7430f9e2060b0b6ce6b0b21fe6dcc4f4016d87a74d0fadd6f9f12b102f78ac94f2b846c2a7b9bc243c56b0fe4412f03af3372d356432cff83c2d7127fa0a972906d1674d7e55dac178901b661f1f1ef39e71725d89bc1e7ce8ac6a238a9b2115c6563f9c219934350cbff04bfed916653cdfd93c25ca0cfa1223bc85fd26dcb17e5302128fd819451d0b7f0854c7032849777d1828d483bc58b2b91f6e4eb2a902655a95b03fe2c86f0fba9fd2c677f6e5b6092179a5e84a67d881aab57dd2c3239a1db9b47f2b5f6ceeb79a58cd125e6147d2068ca21a0cac47b0c12f6683b7198f139f11206b28490f756e0bf1522195f14608d19ffb6a3ba85f0474431f71d1a38b492e386db9eb0dde55769c02f8757a4e14e93dc241f2dd5e6550e3d753c917bbc4e5b1a3385259163d664b0c72d85bf78354f18cb63f1fe0a337a07f2e78fd3f894ffeb85dace3f30277b5c0fdbb24f9bc354546de812ed5445f854888a038f0436c78b21230ca73e770b4d375ac60d302ad1629ed8c17a12765302add9819e9bdd1002ddf7d773d0d201e6af2bf8e58f68915dcdb80f4bdd731ca0544f9be29297219dd3422df4f2e436422f940d8fe072414e843894c01f43807c4dd4f7c5c1feb20d50f060ee1fe612229c2f49da21728952a0bef81b47fa85848f65ae3756706013095f1ff84e5e32216b94af2479eea8199710c015597b00a97be8b3ba52439b12e3f1948218e2816b75b684f3182b434e0ac0cb31a1a83f2c7bbddf280d1e4fd508c4b7a0fb0b664c613edb4c7ec7f48cdc9411a1af51c7f29564950417cacf4c848bc3c6c2ffb31759917a52510001afd9de6d6e9ddc26364353ea5070fc730b22d8f434ecc21247949f637d03d430a5fbc036bdaa3501d49d63df3238abc594a56443d05f53a557b1e04c54f5de091086a0cfe9f3707c74771d416cbd75c53e7456bac5adce640cd93c66c0ba2e59096c5e08cf2c9b96489e94f80652f905849e4f38997f0cd4e6cf1ad18a881e9e81ae732c284df254de3981606b021ef41da37176e9a0946ab80826dc7fb9e4b99bd9948bb0ee334a5db291ea58807cecd59f870c691385e27f18d74846d1eda220b9607aaf2e6fc0ae9eae57608e601df944d9ac45d62d796512903bff90d740ef9fcc40c3b3f273a2bdfa30143e90cda7116d8c68826e67ea0cf578f59231ca85f03f11b40d0631ab3473ca2ee53587dd4d8abc53c6069d56bd9bf7cc9f04d8982a4faeda89fbff8884251a1fcc5fef642a205299930ee6c9022223576888c491f796624d04d95a983e40b344e8f4c98eeb55e0ff116fcc8b4f296ddc2f11c9322786440e0ba622ed96dccb6bf682b97a2c7806474738e9cea364a22830235ca35c60ca4b0fd30f81c051b96c6798217c7985e7fdfb4fd804093266f0d3947bc1d5b3bd535cbd34bf07a3096f16da818cde06887e94257579f2c020cbcac1cb700d34472bac930130530f9d094483faf311194f9a9641925cdee88879d218b3beb83df4f33f5cb109cac0c7926ff1eb494ebfc58f22e513de376d1ea903e7aa65b8d182e5e38217e2d2c0b0cb392d44ad7684c229968e71a761b967e25a2883929e19bb5dfb053218139dc304eaeed9e15de1f0a9e6f04761c75f7299e6c0eccbf93cc101eb5b017c2d97273b2238d4481cbb5d244db8f1b329b8930545eaa4a36d59c37ddb37a610de3a79ddd8a31deb0b1bbb31d01eeeb78cf95acf3f2727b53b6236b07d490d86318297dad4f6b80107a031299fb52ac0610da5af4b71a8a71c486eda6e77c350224a9e246599d2f01790796a21c1c90dfb6e64c49d6fe4eeebe6d6b5192b6e130eeac673c4cf4669c046cec7388079d14b25992528e205a8663d429d8cea1fccdd3e538b97c635562f2e269588aa14b930a7408076298cc4deda70b3c26c42c67022c59e26f0bc4aecc43a956ac60230ba1b0681b8db4efd0ef133f099563d0f55b919f6437722c86b4a5f928a756b45a84f9c54dc2bdd79ae9da5a39b5993055bf774b129b468fd3885a5447052460d71a68cb96dedbdc4882e6f6a2b7f642627f3e7783accc8f22d29ac8a83788e64abd60619e2b13c483bb9f6442cd0a672dca719262f2e8b52d58efccabe63120fa955da00629888b0986aee3503f94d690115528ea414ff93fcfc487f4a3b0213798f27ce362eccfa775c9f841144ae5fe9c7d95b4657ea1067f12d1dee02f91178b113f7962073a3c98b91de9b47023a22059201bd495e7e2e4d3b3dec65ef29fe442e271f13870b0aed818352bc691b5d3917565bf8b66acb665805d937e6358791ed9060f261ca7e34f0e7286cf7563f57254a05b3ce5f175d8bca322cb31bf8de32eb0ef636da055f3e9eee3b7e36066fe10c45c7742c39732cc789af38cb737aa17898d31a20ceba6a89c7883519ce2171c6e7b19b34494a5806f99c26c5df8fd641a1be5e660ce887a78fb691a1016fdbf107bc92992a2b62dc3474316dd24f40ffe61bfa848f9790e725c0df3fa6d090fd3837e1a46bf58f3beef4ad7721951a977948b86cedc07a24b7f04be14df36dff71531ad715328d70a2fffb3b59439619826e0c26729da1aa66fb892b940f8be7ee4f227b43fbb43094c5086447c8b4dd7266f07bc79c28a9b4b0b511739d6894c0f2049f9b8357a2451bc96489c2fdb4c63fe6a151a11c7230474bf51f4d04b160a65c22104dfc2968a23e427bd97c4d2c0a5b359d59fb17b551f8905a4b6acab2444d66082cf5c64803f5afdd46f05735d18b5207a927ef34cc76a8ed3819c869541e06e50950d550c9b8f034d4a329a135afaa257d3bf25d36ac7c7ff9851ab9c386c9b16b7b111cfbfc39f19ec3b71ce4354036cfcffe36c87a8d6547006ab44f19320a35db003a6cce51e5338afdeaf6fb6ad3db60babb521ad56b080e5564413be596994afe9d4555f7b7530c4fb1ad9b55900c76ba404971d8e2726ac6480ec1e1b56f68600e790a32806f10ee8076ffbbe63130b72ae22f0a799a5658f272faed770f1c72e4b6c32fa19b6b9ec28cec7bfb3b0869e7f47bb32b631d440bb1504e927fbf0a752959c4a633459bd2d34926ada22b97716adc61470eda3a968b898982d896e77da47af7d489728ade3950575389af4883b21f53e9f49d4b4fec3c56b95fae00271b01fd3adac979baca1f9c3bd6f078424720f747591ea8dc7094c608b1476d1e1051a55bb1e59410ef9d8c29f00a6a4d9b3103a8d2aa087e91116fb3639758ad6f93ed0706bf993ece70e8ed75bea28970859c7256f972af862b45b42be15957e218fa65424aaf13c2a847ce1d40dab52ee757669245140c4346c581f2e9ab2e72b64428237250e14293517845568d20edb8b103106c4826621b6bb0756c1facd859509f9331d0a1aadee7adf134d463309811220e9bddf1dc6302ad89abab68e32fd5f7c27ca0b217d8c2ec342a2605fe54eed4321b34eaf54f8c2162d3bf5d7ace2429fbeb4ca187065026aa814a9833b6ee943d1d337de2d9ecdaab2cf4634c16a915e6a9648b368d8df8d6d2de477211214b3e8c291f16ed30ea38ff581b81899cd1c4a74bb338a6322003c9fcbf16a0acf0c67b97d85d55a6b81fb7536d434a0e499929e0da0ae31818da52cc252418802621cf28ee5cd555f13d4a0f6c4160b97016809ba75f3050c2ef1d3f90045e97f4ea5d03739a8c5ab3492f5dd5b167d8f5294961f942847d9550f11f73a8ff1b8b288d27a0fb759d86544691f9ee3f9ee48d0e573f21ccef4610302871c7aec559ade89511dd907580f8f0d119b8274f652f5e4c8a8d32f30f2443ebf4d9bc12486188c5af74f98d315495389f1030d45de4219caaeab035bd511afea18c8448bf8054debe9c747e60431d66015c62578a00dbdfc06a5dd527e31413e8df00420c332bb416db84200cb7e14708a137b75490d95ffd693c9bd215cf71c3f8e2d1aaabff3dd63cc2280ab6ea46a0390e7535635059d128b5a92f68673a058d963303e7e579cc16619d78c6db79e82621525aef9a8af30df9112ce2b68d568c39a8138ebe5d0c3c263802095c3c4fe2a9ba48d97f6df31126b64abdb37cf806b410aa9f32c8f20ab137e12da99f8f069607224ac1ccf610e3621245f7cf017f8bb1f5de00bedd6a66811b286a870a89c11308a35dfc58ba245e93c1d3a5ff010f8de2aa446a90d153b3e6f8d0725dab1ee435bab26a0842c572d388e2b62657c133e5ca2d47fec65561ab2a71c6d7fbdd24dbf050f6889d83227094178096996d856625ddcdbc236c0b5ed28e7cf718b4f80589d3deccee9e705436dde6455d8f0bea6fc4c3544df55dfda6d52deb921c0bcd96f8a0c5dd8ce9d38c00837a5628a3b25297cd3baa1490545b5ccb871c36ac1aac4c70b05aa459734aa523ecf9476d90e719baa1e03de3492c3bd10ee0290a6cbada7296b26f463bcb051b53f08e9a80c47157cb49b7ded5021121c04315fea9d4800dd2d623c91234f9cec3a787bc28f273b029cb66d5a05d5463116138fbc87579a71e0dbb29703867fa8b6921b6fe65a7d196e514d8a8c21ea85666da05b72c0b3dac144fe904d818431b5dc7a90cc3e252667de04bc61a19dca565f5a5c1f4216c69cbb59c71db52e28d85c137d2c48662d31813041b60653139bde9d2b5c472685bef177c2fa2bd8256b32afd598e4f8252c57cd0c4ea6f7df77631ecf00b0b6fae0582b3af17a577ba6fdadb8c2274b63c3a5cec2cf0f302dfdcaeb2a38e32573799803b73686f45ab885f43df4561624c347ab1115591aec423b09bfd69461723de7b10f9189dfec9f0b2d3b66cf8b1ae59db79fc2611a6556165c3fdd11e438081f2e7473d3c16ae567619e58e4e4d2433749b90eeaee1f4e5f9e2acc37c67bd22dd92b856ebabf04b094b8a87d386e44446bd32cd75b6dc352469907dd39ae2bd9c5f965c3f17af0b7785a5eaf4fe485d4c3116ae77a74ab165eaf4ce8fd8634adff390bee91b5b3017ea83c1b2ffd7d04dd0c4db625d6c4f99cadb2fc1df1df877a6c5ee056433494bcc7df92f0239afa2fe75ff141b2e74975fb80cf957c517375059a6a095d4b8a917b71d520a3603662dde20de7c739794b6ccdd18fd54c05ccc814471899c4d6214d8805bef7ba4a4de0e02e5675d5f8065ccb2242d51eba5cfe8ef3cd70b532f9a0bc22d9b64193c79b6ce468890e6fc7f69ae0cbd8e3a42ae06fda98bfc7e041716959e5aee95114643a308c433e40291c532fffea7c88de8e536119ada3c5289c9c57d1d47fa0626bef327fa8c1956760664f96a38538a818837e9c8a66acfa42e01d59fe39a9c7261a77dff5ac509205a25f7c7d56b275f65107c3a4fd26e8edc677eb9a4c9208051e521fb7c932bdf60fd69d10c92f9be092bd6eec68d05972f820058c531d12068e4975ccb0d4f03f88937dc178998a7d68d433079f51da4239a5f5fd4a563fe6a738245fbca5e6b0bd88abbd6eb9fd80931036b0234cf667a5340ec1667c5782de675ab47862018d94ae8b7de9320d381cb843b1a885ddaf31c3576f2cebb6ab9576c334d3d401fa61632dba1e6ccec915c4500f86ac289a1de6549f7ea276f9ff9008968ab31a7a648ecd6f36ed185afb3e9b34c9228e2d726944c33227a9e3d77e4d5be8bd850f310dda0fbc30aff3f5bf2f1ea3eed0ce2ff15a7c313cd87a79add3e290c2ecd764c455520d581e3af9ebe2c56d1deefafa8731bfb4906b74d13f2712048b41a5158cf3cdb815cd8d63c90124686dfb56734834e15534f2b8b7ee2b224eaf79515021de3156191677ca7fb47674292f4eded887f3a63baaf564e358ee2dfdf1273b373c3aab499f4bc548ede7512b5e22cbed7618b23bc64b46c8e6fba9bfeaa963b335de58d0d8b66324ba8f592529d12094d2266819296d395e7b3b0b2e715e7ed73fa8e2a1e151159ed41ecf754f73cf82168df0814aa0c6fd8b9988d208f66badbb90a54b7a9b311839cd6cbbf09280137677a984ddf87951a4713cdf7f494fb54e537d8f1628d794eef29ed26e31321ac41b9373dc1cd85e482d7e7bd56baefbda3e205c2d4855126dabd2e24446214a633eb311cc487b863f1115963a421afa61ae48832ebed5eaecdae72d27de0ce761736e1a71bccfd361c2c9dfce619609ebca1a0d4d8637546891df38f2597eaa1007db2d3f20ef9a6560c7163ed1ae4b55dea61c31fbfd2888460506dbb7af26c178cca34ead9de4f0b71a0f216df958fe4f385e2c5908a5a55fdc0322e2d9793f88fb6ad766ffe8e17b644964b2749e564abfe28692416c661a8ce570baf464d47a0f1288888949ee80b4a6260d0c6b4f7547fe01ddc10dadaed67f39be2a7a6f121cfcce49029bcca23f7e4985411b816fb9b6bceab0cd135cf71a7eb10c97146b3f342aabafaac9c2c690dcdfa46fc4d288623ce1d1385dded99715f351f39b58e0a7561ce85da8e85eed6ca8d4eeb9aa2bcb7cc77716caf84393b3acbb6fbd93d5e266f62d2346d5886c3c58ebd6f71da40e1e677beef215b19a9dfe52e0862d06f287c7240b470954cc00571dc40c2d6fe958291cd26fc28ea6013958d00b0a7f0191033b244a9cd146bbe14492e4799e9a20a2769f096915155594a63e3a53743b06e44723d7f40f45647314a7ba959201d2a1d6b45f65a49398338afc820c765ad7fb759a4a84088e0cabe2209f7fc39e5e5dc177213fbc12c8f1fa828401b10e394896a809576ec118ad715048c7f2f5a3317dbd2b25d7595f6a1a1331f978d313f6492bf81e7b7868ed984c40071d2085403a83b9894816149c61bafdb553c31303df5cd1e6a0e28d81a10d9430946b329725122b15a45f8ffccc5b66632ef9b3e6291b8807d7c2ecf361f9c33b22ec1b4e9b1c15d5b7f69d7e63afe29a91802af6c5b40c609197063cea2d2eb679244adcd981b719fb991231a18102bf4f3c31d3af4be37568b8e82c33ca8e438d9dc076fe17ff21b9f924c8d8a60652941046f085d861d338d376fbae91f85460c1b13e38bfc5b72cf19ed32d34bf85b2c132c23c4c25167be365368ee0cb3818a856d5140de04f9ae445abc2a3a96c23023bec32b22e3b3eed70c25af8c1bc5fdd6731fe4bf7d56a81a3f226a0e94422da5ca31a6f389f7f3c1bc3f8705de1dc0f656552af4684f3ec235d526cb64f19a5a91e8a29147e3f7e131107a13035b365a0d4018d0ba855da90b7fc001fa12d62a43522f1c45a93ede4c1084dbb1019ebd464b33c788f124683f99a8665026f5d87bae954eeec7684c631de38826afcde61fc3f2382e607a78a583075761f5ddf41233a727a15f75831e7206b3b2e8abc03a8ea7a3437091c55938bf16e5435f483fd9a34ed879df652009fcfc3ba60a287b2df77fe136dc6d1c9dc24beff56e888e5497fb91a733d58bca739521f7f1afa4f94ac1ea3bc8d2cce1689eb3a39b9bb81f96e9ac19646c58a4eb72d47f653b4a28b4c2b4340947226f0854c45f766c1ae65d630071acf04b899d1467b46057c335769c4dd23077fa6b08a7cd44cb3fadaffad334f030098158df1ec89dd77f36a95ab58c080f8601d939bb2e143ecae478c0ae46a797e88121844d81296d09421f25e27abb3e357fed43a4733e33dd21d90ab4af3f77b341c35ea8d7222f49dc24e92ee26f28b2127fccbfdd63e1fe24159010a23c885292b55c4b61a7a9066664555982e657744fe4286ce5a183ea22cc462721bf9e61fc78d5f2c814041331f09a01a958e2b64c5a0826a553a8b994d66dbe89faa6403bbe70adb3823a1b55276f089b4b3857f0a4db9e8915ba0fea98b8811775ca4b9508894dd78d80a20a9a9f89054babb1fae304509c1584d444a8aed1f5426c78010c8e8e9ad17b894fa5e3b8d6cf8a9a231fd5967094c78c7b88f8c7040b0984dfe878bb2958ca3991ed8effcce2348bc6ab9375e0f8c1954362cb3e697ae01cabb06655812ceab2eac9383e04efc1d60bec2f188faecf373ae812aeda6e7cfb7407f322c1333589334bcd7204ee02ad89678fc299717cc1317eb53112d95159c38d92d01a13beee3e3ce64a9500e694d253b7575d37d2ed5996809b02c1c4a485d4c0da6e845eca355593cf184627ddfba4df2519beed80c2c73f89c811a446d32fe22fd5733ac77c870f9c1e03734bc44316d1a390764c4ffd4f106811cf57c9f6578d8734d5f49d913cfbf2a83b2483541e6f9136d6bf7baee87702e4b1cbbaf7df3ff6a73eff013c289008d2af8816c3577e8409590adee6a174600aa5166596b4f68d61436b85c549e203ccded56548862c5fc4f3825927d63a18314f8d2fb11e67f545340cbef8247f7373c2028bb4052bb4f7980498472d38afb1e00d60a80096cdf005926cb18560810ae576667dafc0678d72e2392e1e026335f783056885576070f0b36a8c344139225f5332fc49c1e458dea366ffeb2cf12de967b556a13880ca41140d7e79fb5641f64491c8793319a2627fa4400a420e90fa69a1594cb6474907c9a4acf622f9f0c4b7c5a0eec093b6715edd0c97b2d9a7560601218e77784c97ddb1a457d1f6bf851f3bf2623d2f0b1ff7c1e4b85dba900a379d5846e783964a08b016af92cfe59bfd26c31d85939f60d3d66ffab18baf13ea4786710b00be25af314def3cc0996196ba40353d0c47702d033d466158cd1773ddef965db9df67fe1cf8b1db86c3e24a713402ba7d791979b46dca1ac2dfebc30f1a43a0fc3081e8aa7c0004083a4b032c353e702a947c801a6579896c8a8fc55edf38d81831c703d0c82debe598c0bd2f99de66502106341636ca9ebc1a3e0b039851caeece0bc96c9e3eef1cb303f454e46e30e650017cfc202d5369d23c6a4b85eb3a664e2b95cb71b20e31113d83d1301ce527c40a39485add09fb4b498745587009d452a5b09bc3572db3bf3b285ab978ebaf4a3af073323f5992bb630bf4fbccd1c18ed5544c55b3d1a3e26e05db7c7e60a570170cd0ef9f77a4742c6e2c08f3f2f8cd66dd5ae60b19b5fefbd72d5e57149c760b74ac805e574d8ff12a8c12cebc72e13c0ebe3f39380a93f29bc7fb5e28948f9ee2ac056fb4c0378f9d415173f961bb791ab5ddfdd2ed716802876698c7a9553a5fce4bf1610ead50b199e02ccbd26e00024564477c554a5ff50ee50b979d0cb4202ba603461d3426f06f4d00d4ab842dc52c3bb63e117e1cc9bf09c406c186d3a4109ad7eda0fcc1649c547b3b20ebe26e2d8180ae5e4f48a2e7fa4552c8d83165c3ea741643289543ec56877c56187775c67d9c172b5b9e7c838e195562b2f50bb086ef495a9c27f07ffbf1f9b6f05e476fec2d969a88fff5d36d2ee673230d79945798c2619d4b0f5e2732c5a9ad3abcb9c6119867682bf20f1bc987a9692b43eaf198e4c00b05fcf9bbd6d0613353bc1904515516d3af2d1cef4ffec791d9fdf2779df4c914cb8ff40ee2e1bedf974ef95b973f9a5b35b5615ed60798c28f4f8ab08e8881015baf88f9729985ce056badbd88b1fa6f440af1cf1e3812439b04408cc59f4a6dbe3ce4a443c476040ad018dd828a0aff7f972472087e4dc5fde232f655781dfc422ce402a9c036436f7e20119edf27ec00ed99dbc5a6d09d6bfdd3a60aed38ed14a78120d35e848fdc012ef1d559ae04e6c4dccabdd79e5d4c8dab901b58316966a215d45807246d7b62aaee760cfc5d907bd4ee2cd749b86d5b679c409668d7f34a7abfa895349fb9d9eb4765c9d39f201c407b0d5a89b3e6821696d00de3b1ef714a7f259dd94e1ac707421e4ba4fb345fb571a7851b9b24c7ee585de4107adea328e9c0118c9ce62652a64940d63819a70b726e8851d5eb673e98d33bb3c6ca62be5551cfd4ffa0e93595ca43877cd8890ee00d0e109143b2eb0c14d541eb9ad11cc08b91194f515a4479c4cf333c09853842cdd75414e7b7d6889142c2999dc0e8986b6a3ac6e0b3c030c943e985feca927dc9531670a23dc91172ac8d779d9acec6a79714d0a0b1611b23603797e2228c8db7706b38b008a83237f28ed4f45612dd9e685ccc2279c862ce2cd74e3326abd9db1a8ef7118cfc82db1609bec22dd0502a4dc32c269bdde84a9ee5b17adb45c012706e66047dc3605da9f169e20c73c7f764720129ac00b2aefb69812d72ff64d5874fce5aca4df68b78e7ccecb35aa76b5e767ae394b41beff86d1070b21157cf34359a167b7dea68abdd224878ce3d3818358b92a52e4f313ba3dfb8d97d87dcfb39ff438bdacd7a8a4f8c79d245e4b16f42634d5cb63d612ba9f019b6c06cbe5223f24c44d2e16d8ee4fecbfd941b248bb6eb63e0136dc82b9df74eff1ebf9f042dc9166a644eb84b44453587c405164f221bdc4ffb51c26d1cd1828f69edfebadbafd5e03d26bb6dcef5d4c6c7cf512e757609c9e52abc42f20d6b18c81b5bec2d5aaf546f1edaec291a7a18285499115dfd75319e9b6102030aab5c0995f6faea2f29fa41e7d5828bfa59fbfb181f96004a67336f98ba0badd72dbed7319f96c1bf8fd43d1c0bdf65cf244247586bf9f4cb3105b8c30388d67848c1a2867fb416e4d54b30f4b258cf605aeb72b9ed04d3ee7302c2e2b33c4afe3f88f3dc97c1cb1b0ea83cfe5d14ec93510359a324b54a53c74acdf9191f8684ec2f43ec6acc0b672b3bb5132172a6879441", 0x2000, &(0x7f0000005c40)={&(0x7f0000002c40)={0x50, 0x0, 0x3, {0x7, 0x2d, 0x9, 0xa, 0x6, 0x0, 0x9, 0x57b, 0x0, 0x0, 0x2, 0x7}}, &(0x7f0000002cc0)={0x18, 0x0, 0x8, {0x6}}, &(0x7f0000002d00)={0x18, 0x0, 0xa, {0x1}}, &(0x7f0000002d40)={0x18, 0x0, 0xffffffffffffffff, {0x6}}, &(0x7f0000002d80)={0x18, 0x0, 0x80000001, {0x3}}, &(0x7f0000002dc0)={0x28, 0xfffffffffffffffe, 0x6, {{0x9, 0x1, 0x2, r5}}}, &(0x7f0000002e00)={0x60, 0xffffffffffffffda, 0xfff, {{0x5, 0x0, 0x3, 0x1, 0x100, 0x8, 0x4, 0x4}}}, &(0x7f0000002e80)={0x18, 0x0, 0x5, {0x1}}, &(0x7f0000002ec0)={0x12, 0x0, 0x93, {'-\x00'}}, &(0x7f0000002f00)={0x20, 0x0, 0x3, {0x0, 0x5}}, &(0x7f0000003140)={0x78, 0xffffffffffffffda, 0x2, {0x5, 0x30c, 0x0, {0x3, 0x1ff, 0x6, 0x8, 0x3, 0x0, 0x400, 0x400, 0x362b, 0x2000, 0x5, r8, r9, 0x0, 0x2}}}, &(0x7f0000003240)={0x90, 0x0, 0x8001, {0x2, 0x1, 0x7fffffff, 0x9, 0xc0, 0x7, {0x1, 0xffffffff, 0x8, 0x7, 0xfffffffffffff801, 0x2, 0x8, 0x1ee, 0xff, 0xc000, 0xf, r10, 0x0, 0xac, 0x4}}}, &(0x7f0000003300)={0xb8, 0x0, 0x4, [{0x1, 0x2, 0x1, 0x101, '{'}, {0x6, 0x8, 0x12, 0xffd, './cgroup.net/syz1\x00'}, {0x2, 0x2, 0x4, 0x0, '!\']!'}, {0x2}, {0x6, 0x400, 0x4, 0x3006bd82, '\xd2}$/'}]}, &(0x7f0000004f40)={0x538, 0x0, 0x200, [{{0x4, 0x0, 0x8, 0xe9, 0x8, 0x8f62, {0x6, 0x9, 0xffffffff, 0x9b, 0x0, 0x8000, 0x0, 0x400, 0xef0, 0xa000, 0x10, r11, r13, 0x3, 0x3}}, {0x2, 0x9f3, 0x5, 0x4, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x4, 0x1, 0x1, 0x2, 0x100, 0xdde0, {0x3, 0x401, 0x5, 0xef, 0x4, 0xff, 0xf, 0x94, 0x4, 0x6000, 0x4a, r14, r15, 0x40, 0x81}}, {0x0, 0x2, 0x6, 0xf, '\x01\x01\x01\x01\x01\x01'}}, {{0x3, 0x2, 0x3, 0x7b, 0x3, 0x0, {0x4, 0x9, 0x692c, 0x7, 0x3, 0x0, 0x80000000, 0x2, 0x6, 0x6000, 0x0, r17, r18, 0xfffffbff}}, {0x1, 0x100000000, 0x12, 0x0, 'bpf_lsm_path_link\x00'}}, {{0x6, 0x1, 0x80000000, 0x1, 0x9, 0x9, {0x4, 0x400, 0x9, 0x9, 0x4c4, 0xc, 0x8000, 0x0, 0xf, 0xc000, 0x6, r20, r21, 0x99df, 0x2}}, {0x5, 0x8, 0x12, 0x2, 'bpf_lsm_path_link\x00'}}, {{0x5, 0x1, 0x4, 0xffffffff, 0x0, 0x6, {0x3, 0x0, 0x9, 0x2c3d, 0x6, 0x479, 0x6, 0x5, 0x7aa, 0x2000, 0x4a0b, r22, 0x0, 0xffff, 0x8}}, {0x3, 0x9, 0x1, 0x1ff, '$'}}, {{0x5, 0x1, 0x10000, 0xd, 0x1, 0x5, {0x3, 0xa967, 0x3, 0x0, 0x200, 0x8b8, 0x8, 0x1, 0x6, 0x4000, 0x8, 0xee00, 0x0, 0x2, 0x1}}, {0x3, 0x0, 0x12, 0x5, 'bpf_lsm_path_link\x00'}}, {{0x3, 0x3, 0x2, 0x3d5, 0x0, 0x1000, {0x4, 0x5, 0x0, 0x2, 0x7f, 0xd, 0xfffffffa, 0x117, 0x6, 0x2000, 0x3ff, r23, r24, 0xb737, 0xd}}, {0x5, 0xfffffffffffffff8, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}}, {{0x5, 0x3, 0x8, 0xd, 0x8000, 0x7ff, {0x1, 0x5, 0x4, 0xfffffffffffffffd, 0x0, 0xd, 0x7, 0x4, 0xef, 0x8000, 0x7, r25, r26, 0x8, 0x3}}, {0x2, 0x1, 0x0, 0x7}}]}, &(0x7f0000005700)={0xa0, 0x0, 0x73f5b767, {{0x5, 0x2, 0x5, 0x8001, 0x4c3, 0x2, {0x5, 0x7, 0x800, 0x5, 0xa, 0x1000, 0x7f, 0x9, 0x6, 0x1000, 0x0, r27, 0xffffffffffffffff, 0x8, 0x18}}, {0x0, 0xb}}}, &(0x7f00000057c0)={0x20, 0xfffffffffffffff5, 0x100000001, {0x1, 0x0, 0x9, 0x40000000}}, &(0x7f0000005b00)={0x130, 0x0, 0xffffffffffffff98, {0x2, 0xa, 0x0, '\x00', {0x200, 0x9, 0x400, 0x200, r28, r29, 0x8000, '\x00', 0x3, 0x9, 0x5, 0x6, {0xefac, 0x9}, {0x8, 0x7f}, {0x635, 0x5}, {0xf, 0x9}, 0x8001, 0xb, 0xd, 0x4dc9}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000005d00), r4) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r30 = syz_io_uring_setup(0x2407, &(0x7f0000005d40)={0x0, 0xf86d, 0x4, 0x0, 0x11b}, &(0x7f0000005dc0)=0x0, &(0x7f0000005e00), &(0x7f0000005e40)) r32 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x1000009, 0x8000, 0xffffffffffffffff, 0x0) r33 = syz_io_uring_complete(r31, r32) syz_io_uring_setup(0x29b9, &(0x7f0000005e80)={0x0, 0x64a3, 0x2006, 0x1, 0x3e2, 0x0, r30}, &(0x7f0000005f00)=0x0, &(0x7f0000005f40), &(0x7f0000005f80)=0x0) syz_io_uring_modify_offsets$flags(r34, r32, 0x38, 0x0) syz_io_uring_setup(0x48a, &(0x7f0000005fc0)={0x0, 0x1e2b, 0x800, 0x1, 0x2ab}, &(0x7f0000006040)=0x0, &(0x7f0000006080)=0x0, &(0x7f00000060c0)) syz_io_uring_submit(r36, r37, r35, &(0x7f0000006140)=@IORING_OP_ACCEPT={0xd, 0x24, 0x0, r33, &(0x7f0000006100), 0x0, 0x0, 0x81000, 0x1}) syz_kfuzztest_run(&(0x7f0000006180)='$', &(0x7f00000061c0)="a0bdfd577d9b7197f566393b228cca01c4385baa7bb418fa8f4f4d373fe58fb157b45a06ce1aa0aab1292a2a289ec83463278644d9a5c3b2419acc6bf9ff6dedd36c7c838e89a72a34ade91f58e37d884bf0cbc40df6eb8ad546eab730f20beba1d21deda9c9e181c8d866bff996c8563886c1e04f002fcc9415cbc094ac5b1a442980b176bff5d75d345e0a9aed8990a646d0c92e001a91a339a2304c26c5c0", 0xa0, &(0x7f0000006280)="3c31d6b003151438b96612be04a2bed8bea9be0bbaabbf63c2834fd7d23a61dfcc500a8f27028ff650839bf58b0558fcbd8f622167ed30faf626053a0298c9938199a79a9645e045d4381e8ecbe1f25d1e8141a6866bebeb104d7d1eaf9eb5830ddd952c26edc01118ee54afc9219c8ee67ac984b3bf34f659db3e896f8524bde94c7e22e6b01ad57f9edda0c017242686d911c5e75e0d60ac4508fb853e549065cd83eaf67aef8a89f5669d036ed9c63f09c5a94da9edaaf0582d73f29ec44592cbf969879b5f5eca1ec27b9ff3e426861ae8123c57cc9dde5713d5a37d552a83059ff0f0b4fa2f0ab66e426dd572415f1156e38f02b9d849c7bb9f8cfb6337bb5494addf226efad9d61dd3b407de131e140b4b8a2039aa09ac8a117bafb62261b6a07a06a04f68c5b3fda4ab7234ec1d890b9053282e252f2f475e7c8b0710834a30907ed1a79e0738ec3dbea0b36e78c835772d267b51969e3600d7af1d5d12ac96c0d16e9037e49c97c6b8ea8c00015aeb2c44070eac5c125ea5113227e242ad3c50c58d00f1d80809f62c64cb6898d0570fb51c5da14ccc27fb3804a24338ec5fcea02235dc77d304cbacd3ecb03a662d23e1c7ba46adb595075a01c65661b1a1ba0f86e50f36bb59f1ab4e483ffaaac688b8d4d29e445acf1930f9f9b34127c59a3b6682f53ba78b76fc2ac22ed046b7e08abc20f42f78a341afe95800ca073c8b90782112bcc64f078f58bf702da6de6af3c9da9fede5c1bfa5d1f488dd0095d324f0e03240d103c3973d8f05229182358fd160e41520cd42cd2c24abac126068c5b132c913b8c0eda44d5435119ddcd3ca2102f4c4cdf99c67ef97ef9f4f79398d415f35b7a95d3aa29588dc07d0b8516b91d153bb33736a011ac958500cea122ed4fe5e2ff807eaab692fe471a4cfa33ef687f718de420c8ef6f84c02406bee55966231da6b5bf3dd2a61c0c47a92e6398c0d452af5f1b46a6157f98ed0935411a2d9d33401655e28f68facd02b365479447c3eeb7545c977d00c328c78ccac39d2aa523d21fa90305420808c53edacf949c72f3a43a210b450bb27fc5330ad5b7a46aae99515a7b088af980a90b089357d23126aea3942a5539e513c261065055327a4bdaf6161b289f87ba2c513d22bf08dbe8953a6a740ec68130ac28173ea8a016b9a84633a17406d83bc02f6f06b7e8a7b90ce574de90884108aa54abbf6391cdbcae2a0aea44503b504aa9a0359c6eb68e242bad9e959b7ea93a74bbef1bafa9607b8d81edd3507e6e15b9d3e3a5df92d8e77568475b279b22fa1354e75e5948f2f051b01ad4164711537b79815d0e7f9d0106c32a2fb88746d5a3b6454cac3f1e1c1bcaa9ef662595479fcd75b204e35e593a776914fd9d25a0d7cfbe17a355547f56b712e4238a402e48881c99774f71f651c3394d398596dec218dce2e253e023f0f4fe4a001f58e2977127516c0f35f7e9c70a877de114aab4bbf0f1a8d5acec4dce590ee9398fc02afc83ad8f26bff8dc9915aac3d3aa267604e38ade6c96615caa3d1021b3859c1a20c2f0a7f30e33ec512247041388af88e86698c904642dfd6e6a5a878b1b668103e85d0d809c18ca2457f99cee0b69a7ebef439f82c3ae5055216795fd97b16dddb8f529e10b7d4faa64a01e1b3f942c462f06d260ce64f65fbd2cae88a4f0b75006f77da595c29a282f0443104c08e7144da74069fa22e4b0fc72bd78f4425aba6f5261d7e25552bbdc4674fb3653f8c2bac5a7e7e2ded7d52e0c0344b7629b0baf268714d338901fa68268f3be46ed2dd172bc84f627a58f95ef5945dd3ffd25b1adc744f33f3f37ab13b9a8fc5227d88b54ee9f5f5c4dcc5673823af3d80ffc5048c5978d0138e53b59d202011c8afe89be42b2f8dfa1dfae67b2dc98e9014599800dc200c09267ff48c2a178c8a6ffe8676b468c5f9e5769ad4094bc93b82c3048c9ffb317b227c3a43fab5d8c6ce1591ac7596b922ed54cf781470a5c96ca9af82f8827fe08c453f7e8c699bfd89c76591be39941b0f12e7b8849eb6ef322fe17ae8b6db3d9c4e0357da73309ac66c3a8c53a43cfcd746c8f3f936ae5b92ca0ac6dce8e15d0735687e166a3790e39d61efbd2437fe7308f3cb4e300f037dc688a5880df58472f305597263edac7726a086f8a1534e8aae3ccd98a4729c07e8aeff24995fceadfbf4e66901b80e632625ddcd5611ef9e91701394ee09c2fad9a80384ce899d3b6e14400a7ebcb97ce03f39e1a06d3c85bc96ee412304994a797f0fdb4b94a92db2cd7fd49ab6af1de388bd3ede5f1b580a1ff582b840039ce414476914e762698eed79e553f614fb92dd92e76dbf0d61b26acddcf6b7878f08ee8418742482b448000cb3b7d80618a556954b5e974a845e485ab6e62b3e09b8d2e5c1a177592d338328f10f9644769cbc72c12a96b12441f77c0891db41d84b3c13961431de4257df96d3b0d02c19870403f216cee6af1daec7589280146b73f000ff74f932a4be09d47f4773d3666d33aeb16e5c5b8044beeee4c26e62ade79d7adf54cbf5d17af26dd15833e4e0e15cb49ec7c8abdd7426cb75ae2664b5594d435cf2ab3cad63f9c0c6fa2d95eda6332782b2bc06f01b2e498c81a76d736e49b18714296f36eee325292691d77761a5485f3dc6eca28ba861dca79a880b37bffd0d72d253950946ba8548dbbe8b5233fd3d5fd9c428d1c7112923d3f6d9ff1e370ab7814e60164f8aededbe676f2aed19b3a56e427c9bc42dd64147ed60b0a533b65767bdc978eb737243709a3d902e874d879b5dcfc8078c73ba4b19087b285b6df2a6b82e5e85f131e158aa576af8b2a94f371f3211d0f40779793dd6c909fd8572f75a2cef9c3b31f48f09dcd104ae3a939008458b778e723537a60247e71c658dacf9a9849b9961155d35cee773f01f1b51a33b9a6deca480b4c5aeeba7389d7f24cfe046f33d36ac3e0a0116490a6893f01f45a02f47f0d5fdab5c764bbb3478372efaf575a0ad792e1e9413f44253da63b41d72bb7bc99cc298bf2560cae2be0c73e79772126394b6feaf31158d531e6271e4061ddaa88f0bd5983355b7ccc6fc14323c12d18fe6dc50d71939ffd778f4060af60591adf28708e0ef3ac865484f9cf4491a98c88df165d0e96ee4111573c0c8e86d6e2bb3460d7f51d7989c35ea05ebbd42ede06acf46abe60d10c92dff086b982c61e8e968e8b345ef1126ced1ec68331e83abe07f91e22d5e545b1dbc7bb9754a53215d3398c2aeb6c64fb1edbd3cc8b4689e0979ad42beb9a847fc3ed03aa001a42b3d5636810bfb0a0550f993fa1a31419c74adcd4cb3ee9a4f6b65d4ed8f0e4bcfb7c1aa7ef117487f62c595dd4f75ae8f64a964188f25fd2a91d3b773b8e459631bdcdb05318ed4961ed0352f10e08dd4fc80a37a1bdafe91aa6aeae70e63e7c089f86b57fc757280fe5b0fd4dec6e4d5d625f97bcb5ad86a89cdec3060869e53365350be21cbc01401e72af4ee1b2eb83fc9fe6a853799062b35f2289cabf7406216fc9d90e67b57e46909c90ea2f3b70772d15fb34f15f775f912d6b3ce6b10b360a945c91d18c84a7b601ebb231a4fa751d812a05fa2b795104e872c61f5c5f3cde042886015abc3db85f4a5e8bc9691f87029f135044deb0fbd8644552723e92282286b1a279bedb56c2fc092328583e7aea07abda5593c702ca4cb0e39ba16b2839756b0740c46c692c389ca40405fc19d7b839f51dc0f6b0b2155dee7e4c60aacabffac8a8ad68a7d3c0e52456fc051abc37922adf0e7c10bcf9dfd850d88c22f8e2154777eb57a4a30db4b9994ff94fa82a007dd05711da0af0426b7bad381816fc7878f51a1b7c8e2a50133178255e864b3631e9b77b5059db069e5ca7ad88924cb4f1a58129e1c899aae0e8bf760c52db31d399ab9554d10e7e94b82c2dc0a05b56b1cdbf48a2b4ee8845d51ed0438c27ec9f490bc518557234dd00cd6b031c74d69c4eb06320498a2c52982b6599ec9b06d722b1f83a36e62131470dc9e78c20089d13937f0fb7ac8313591f22fce68357be3549af620055c217a1cee6b9af48f8be4732b29d960c34eba193aa894b0f6aa0c91c8c27f070ddceb9d73f8834b3249ef03c9cca7d3d5bd7cf15e734c6a65a8f387c9a7c51e3db37d82c6f6d3b6be8328feea7bbc2601de9af9ba560ee27cbba3e2e38967d93f261b5155aa12eb9ae98640cb06fbf024b3b51b6337991194c5b12024592a81c6ff644ff35d5b19f287fa3c6bace4167e3d3ee14a1d52a4fecae1c4c2fd862bec826f988462b8c2a2259d37f5c8292bd6cbbe22a7bb58d5608dd5a5a9e1bb8cd586d894a53dc2598e3fdef678e7467372520510d6d41ab7ffe76ff020f85aa14399068c98b2f62eaf2cc45694284db21155ca1be2aefd2b121681473249c6ae483342e9f29b7597854e432ecffa14dc287670216dc67e3a5332437a837ab006c1b814aee71aea1d110b56d06d4db725f0ca737c95e32174813696da128753ec29fde16514e09cb7858c43e13c36d785b07038016974974e7463dd656e162087353a99b0ab3eed6493f1c8eaa8764cf1a37f667a12f326968bebc595abd62850ce0c977c260fe399bd1f4f88aba29539d30c6f25a19f21d53c9f77e1fe777c8113034bc6a37aac74f97648963e0d2e617786176f2d7ee559c9802b0f5596782e518e8592a3282a1f5defde775d71c3608d089e5ae98da176bcacdb55ab7e85f6dd571c80e95ff8e6071940828e3c81f5505224feed5ee0aa4ce8c67eabe138359b5cd88df7ecb3b3962ef175d25e98af33a5852fed2b5ef4617ade008055523829f98347d19f8ecca3181d49ac881252cceb3aca0786e39b8a8336755311bb1938043a4f1b0da621fe5370ceca0d011b1d5e8fd395e248d23368e0ded75d3c33a72a8c276d046927da59d7098e4776e3d6f054d35940efe40f9f8290ad287e5acd8e1dda73953e58df7bef8f6252aafe0e4bfef5ef727a4842b0a6192f70c0d3ec508e351c7455e059649d615dba9d7d60aefd061db25c28309d582c20a6e66d8792d76d19406a7f4250c0f61550869de107aae9c93d3abfe40f1003d088f28a60f25892b844a794feb7e94602909403341b39679e3b04f7b0e8de037f14686e78bfeba960a62183cfe920bc46d50d0f005a7f7f4850c213406cd49b578dea6d350b392b6cb084ec343f7056e7c6c9c48b2e095a1bec578eb413083d41072a55ebd278d37dfeb493c74fdaca9da1c3cc6e03201dfe1939b8377f9ba21791bc494f6048826f0b7ace207797b0d9ec3964aa184cfaeeec3fbc5a1dd35a833e4d389cea9e3ced435e00ef656ff0de644d6e25410bb2bd940ac08f76550116b53ed4fbefb112d58c2affd58692e35006f670432551f8aab3c2ca4336c90c787d41d2b7f95ea9440b17f019f88701a26c978aedee0de9603fd6f56b08e56bcd3ea055aa7883d0f8acd7f7de3498bba566c2c696cf17f931da1ae3347599e8be7e12a8067fe2dce14ab0fd6df97f1d10ad76dff5902e182746ffea03faf97552bf035f9e86ec23a8736f20031fe3310d1bee7876d36623b80e2641990f951cd56dbda61ca8aef2ba14d35fa8f495977ac3fd7aa810d065315ea8007c8ecd85acd6d65f2946911709b1ccd0e629f56e01b040efefd58f35adcd00dc49ff7717062b24635d2e5f1e9a7db8e3d5786680e396911924d6b5a6c2d1dfe98425dac3019a7d8673609027c064b60814ff45200f18d05c328bc346f41e5f5d68b66569418c3a9d9bd04cbffd13db9d231a405754ef6017c30cccb7e934ef268f9c89352920c765190ac8817f9f98b6715a9847be783cafa0a86d734373f51aa8854ec72c6539ae162504336e87ba7347d2d7f6a25bfc72560485008f3e73e09bc6259fc3f61bfd72cdfe475891c5423ac4f10fc5d95ce567486fb661e232542f1323b4ba00a54e6ace661f685fa324f8835697ac6970f1c2560f4c2ebe0c834887f715ace332763993b9310b52e178ea9c4a145bbae5d7baa9c6d968ccc50d3cbac54cfbec1d76fa2900fce631ba341bba565fdecff0b09167887b0bf10b6cf6deb6a8870eeb7dec9ca932a57764a6385ef07865c467ec89937d8e40f91cee87afa25cb2cb6220bd7b0d32526fec7fd4ff663e557bf0e4b6e8ca3bab3cd035baf775c495a127fc026248bafb4735df8cff8d6799778feca624bd86158960272dc75caffcfd4c389e51ba43ff6d72caa03a699ece23d67dd4681dafe73151feaa10de5073e32eb46bb5adca0ba62e8dd922c8c80c5a8008ec80b75e872f87314b202fbe4d662f065eea19686338da1189c8cfc91b7cc63c1d82c797f98243d79a916b1416be117771a533f197dfbc7a7dc7a407c322c2280668abe1770b3de472e3129dd35f19835da7cc6f4dd7ecc82d20ecd267ea64944a614cb80b0c735444b1d62bcc9b760d58405a438fde50b4608c75306b8588948dbd02db904e77e13406e49c4e3b2491331bab87400dc903187d1da30df2ba51f54cb1ba00534b367e4b176c6a7ade4e12150665b8631fa6ad2077595a27bb4cd3b7080b8cda31b90566c38e0217fd024c374c7eeacb92742772e86cc7cd5a7fc36198af615fcadb8105a4aa2a08c1724d21271ac3c2ce7518ea67323fd3fbf1c0386c97fefbcdbe2a6258f1e9d3c09a13b50136fe1fe5f98be367ee368a15cfafcb5d5ddc58538396d78ffc2e542add6122b6351eb3f58aaa72870e701231677bf6a5c2300abf5740a26668fede2034f504b004733d4d78a963f2d877304481cccd5d2d51802c1cdc50d5a6d30d39cf62b080b418ae316cd89b4983943d8d3863678d89029b61993b58a221139efbc22747ee0e2d71c6627d7f1a3f573413de3af9f51353061a06beddc9198f2a68b57af54997ecba8867f0d4abf53c5a2a70b69b901156c3d0168463c8ff6746a4a7e87de9ae82f0816918f5df295369038795cac58d7707ba1a23c9cf9a3829ed17fad094ea1f4ede9fdbe844fa251bed775a185cd25793f8886d8eaffdd467d0fd5409f268de34da59beb7caf16878c066bfd13b16c05e4712c0e89264eb83c2b420690f5dca4f23f3beff755e1f05d2ff467fd29e6770b19f9b89c3fbf29ec69d1c29c1b1695f97997a086a73c27fe70cb4ac633733fb6e9898d822403ea637a26be636c0662c91b5e4ab19f022994957522a4779375c86ccfd44af5f42a6b4fede96592468be15de60df5f6544d6c6012bd32866196a5638468f1dee9e70b87085066942eb40ce4727aab03003f4bfb216c7ae54a45f0fcc18c7007791b26782b110de1fefa77831a3fa943484f0db3265ea587afcfad2b66ffc922d6577fa36a24151069a410ad297416ddc8cf27be264ab8b943d6a855debf254ae75046a008c607d14367739a6a8e5e80a2490b3a4b45d147e4310eedfc08245cc08667b0d9d0b4f26e252d36e85a8545a3146028616b91971bc952aa4f962aaa067e0771f206e9a956135e5ca8a02bb02cfed9087d589c0c0ac361ec1fcd2fa54478319fbc1b6e3625719f4fa7cffc759ca5476e66ec9431219b9af288c74a748454d77ab790960652c2ce6313e85522072730e30f483598a2f28165681c7475e44640bbb06dbd89ca467e2ff9c3968941ee3f1853ee334bac3175dab98fc51833e3cc32262967cc703d5cbe768614a94b51eebcbea3f99e1bb5140b389451ca8d280b3027954f986ecc35d4f368a3ce962785534309754a50cb548c8b0605afc07f5a8f6d8ad42774fc6d2753296e89109a075209c1c72d4d8068ebe0971e45050c9379c219e0b966fc47906d59fab98360bed11d76398c72d9c6df63854428c841e5dfd57aaa438bf9b35058c3e5dd0bb5457d1387c41f12959bd53583900906a9febe491c8f29ff48690dc78c6c463cc07e9d8ccfdcca4c19f2bb4e20f64b3dc8d0897507d270e613cad6e2802d2c74d174cbd2a4ca7c7d5decb81ba028144be39102b59b634c2e9c7c1915fec3a0add2c71bf686a120b9712007bd8be7aa63b55855d6b75a49ae754cc4156b1ec741d8793154daa10b3238aa2c92b18c18c3a691cc9624464019fd130a193e9ab607f9981ded6a2ba12f043fba3df5378da5a1be9da3b99da3fe6dbfd6f7360915df1c6a8bfbd8602e7d75e92ea3d320e7a43712326317b3c627c503731b99ea669402cfb9d877a190890427ae90367cd100f30428f5228693308376e0437a530cf7fff01c2a8e23ee2a345f820f8e1edd2d52654e332b690776863006638414425201e43a041a54735afe266505fbe93ccc9481487e31b23aef7940eb15c366995f9df141e5069efe4a48be1a7d0d3a239a7c5366d2bc4e209fdbba85584760450324fc1e5b41976e1f90788be645940828df62732754ccc6a248b0c7c7ba01745fbb13cf426af87bd54977d59b6fefa32c294320d1fad0f3ddf09bbe14f7e3834ff4999114dbbce932ab628b269db47efc58a5588b9af3e5e7ad34398dd47e797be4ca027be70549d564386956cc4e4cf9ab4e80a56394d05bda246fa4c87c7c3982f3c0e65ca5cf8b3bd03c177d54779e9f42e74f1800006cbee91b07440512f8964657327a6ce76e851ff1e6592a238c427f5d96feb5a8da875bb2bb6e172f6724a46f000a58a687ef7220ad71d9195ee58bb653f4d3cb7f928e93bef0a56c9d8b659ecea7ce2514b648a46059fc3edb457dc6bc9f4a1ae7fd9916de52ea35e8efe966fe96cb60c63ba0e018f85066fef1e3452aea7b86a6889e4018528bd0d8977cef33042f08d09503fee8cdf53f3d303488c724ebde9fa0105a65b89c547490f515c5ac675e51bab8b75e3d0c3f76d1074f3c7827db85aeb48879ea3e6241b3649bdf2ccbbd5717a4e1c5657ee22ec43a90c9d620a3cf22385dd47593902572eca35b566ed70905f6c72120e14022db5f99f52c9ccfccae45e97aa2236c6126bd20517ac93f049c7917104ec1bab4a723fa00c01e5b451e6c1737ff6ef93fe6ce7b35f71d231ec3b60f85dc45bb6679671776b3c0707b8b628dba87e87d2c1e9f542df5855cdf97412eda3bc1b66fa1b46ab1454afeb88b968c2ec366e42edb519844e07d644f378f9894fd2007884e2e2c92579e41f6f63204742d3aa278e33bf76f7f6dc674dced943bf18f586559efeb20f54f1e72117019c25f5744dd2e72298f561326175dba9d679fdc26c0c807c7c213cd072a0c4010fece820f6462ef6280c3e6476c0e3a9ace1de26741b4269bf0abf36df607df7c9bc6d9de9d42937d0bb241f5fd36f7c3bdb418bfb96893be9e3c4a3cc7a4b40bcf04b43144bc6c7475a215df6b2f296c772f111fb5067f48cb5550a0dc48c5f6fb9eb83d9f8eb9afd10619e3cf7d87b2e3864c68a48e7773decad778fd43336ad802488f3e6a4a4d642c835bbc4bc779fb1f0f770c6f05ee6c2df5e21bb8b25862df4eca4cb5f8e6d52e2ca983c88d8cd548f6e336ae38e8970a8957fbaaea4b06ac1c973c3cad3e26eb0e26216926df865d368997f4998fec334add690370ac94e16e2cd3dae8ae92ff1a53c4cac5e073ce8e328a4ae53eb8d9710b23b06488e041c5b506ba3ef65e9d848332dafc59195f35710147a81a4cfc4a9cc00a4e42ed49eecb0ebe9369902fa4c4030a06c83a8106170ed1cb5aa1f780e1961d815d7c4a189d40ae8e696b059aabf7805c1238db442b024bfb98ec9d8dab7e2fa7a356b58162c319a25e758702b7c8813a9b5c7a70e701ca2f7375f1b9d905f7cb5c38771661db8131d2ca4da1e08ef41a548bb9426b5a9df43f6a00fc4ff9f225322c1e7b609dc99f5759256d0a8e84dfc2973489f37170a009b6e37971c7efefb57c444236d9f5196eefb43da82ba1aa70175c678300934423f1f75b79b193e6d1676eca62982758b78571901a74aa325ad866a7cdce8835a9f3ddedd2ef6b56f4a3daa2bd1debe33a2f363dc042b349097610595df334d6d15dfcdf7b8964df708643f1ae644d3f1789aac2cf69bdae8a447c925414fea9c45eef3e26e57323c92791d5d335710b4ab0b51da83f40aae8ed4870e9655876508d280cc4b837915ae0caeaa88df1ae8c6cd2d4f9a9a8ca75c1491cc316f9a5a2fa68f508bf980dc65236491e3995472b25c7f7a70ffdbb89104136cfca7f4fc01f147a698542ffd9694fea9717c70269d18fd0577f236eac614d2e20771d026aacb9d63943548bcb515f6219722b10811fd0c748ef5fa2c33bb8acf6c55178f839c72d3aeb5f0c72726fdb95ed5ad0a840754307b5791de1e066e5c6c1ae15c4e57b63abc32702952a1720f473b77f0ac82087719b7ce82c3daacde95b46d47a44a89e296b3cfe5fb592a7858aa0730dbc5c1300e4b04465cdccdd89a2fddd2b4ad4882bd2ea5a337ba299762f0d9d3cb3793302f1ab639797a5d4602e2abfc41431b04158a3d99b2ab30d8793944ec4ee01bb3f9fb490aaaa164bebf0361bfb88b76fa4f3e7fbb7bfa0042b81ba6335c29f2d0802c6604857684d47fff4ffe922b6a98dc4915b37d338de877e48d8aad5b9b071e9e16538a4ad6afcd3136fff076f2b5e8726c6b561f2aff14a296b77f1bf619eca7defe845d24673e3919e8682c9a9cd40babbeb4a521a8877f7243335dba7bc2ef5a3983bc4db3633e18a4ab93cc53d09eabb39f06bd7839060f56efa4285e22092f999c9b41a926523c125ee41925f618b3264708fd1a7de74a5c42e7240b9db15ad15ac1d15b828cec474f517c5c494cb91abd4882f75b0fbb552acdaeefcd60535229a1370680e54a7911aa14c226e489007723a62f24c1164defa51f1f2f4a1ad5fbb8410f0bc7a759cb1bd8d44a47f2516feabb4a0393f4d95a64b76d9529272303451f4191a2b7ec214f0c6027b369f87da3d4b82c8fb4fb0ae305ed8de6f7a4870441243dfe49965d2d27e68a98b4c45f38f55e8fe819fccc1ec58c4f7519c87fe8eb5b6faefcc65d0e6b81136c844421e8ef070193accc45e7a70b9cb0c33cc2c7121e4f7c7c74347a0453cff1ecf1cd8265bf2fd364b6bda8994345068972c772e9c5e90a2cba218d08bd946bc6e5af93bdd9cbd75b4d106b58a81bf144e7e2d2d7696f9476cef8b5bad3c08d7881f7577b30303097704ea382f8b4da2bd8202ba5ef113d6c0aade0076b213d89a6f49cb17f42f7d5f7fc1a222e79f5664dda24023ce39108ba987988b6d2fe2f162f26319aba13f7831e8d4ce6204e8e4e2d3dc35679e065a986a2e6759b3bcd5fdd2ddc82326b768323b57f3b7bddede273dbe9d69bd88bf63e25e81b77cb80aa50b8ddbb5e81eb987679e121e1d3a25f65c3f7b462f0a7d188421814cbce3195c37f2aa47615e258f050deebad7a700abaa6bd6e0651923ef7af808454b263417050af8903dd0729cfd08222f1e545773ca33132f065d2552caf5d82b5b272df91f172fd6780c1abd517a7f46572694a42d3fbfc12e5c0c37aaa082cb3c6aff88c047a5fe8e1d8a92bb3307cc21bc6fc3e440ade6e49d542041af75397608dcbdedea4dff521935bafd53f2a7550d726423545d7d17e0a34db154019462c1cae55d83e7f232eed4ba2bd8425682dcf89d70181b326a65a47d49bea9533d9684b97b0351f66353590763591b4d5ef8ef70014335d677de4872d3877a61f05de65061a0a0d97b1267b9c5e45176592a17b6291c8e98305dbb7b44f4e2b69d4251249210dfa4757ca013540b0ae3ef3f134dae3c1bb462e0204a8fcb1069f1673eead8e5feafdbb4c9c22fc9d0e6a4c56eb46b174ed884c736557f7b60cbba6a9a4b03102c11b09629f74f13cadf7ce7bf2c77d4de2ab63461fba4199ba61eab68b3331dafd8fbfb105ab21b6a5dd770372c09e23cadb64560c242f06006eaf0d937ea3043ab2d30092eb9d5e3d5a20d2553ec7a38de922dcb5e8b893d3953b3586baff0f11af2dcb1aa034be5b0a8b14ff802c41ad149afce5015d9045b3e1afc7e15231b2e4be17a9eb57949e6f5eb189773d9f465cd23fe2707ea0b2f15f968293b29475543d74e0a25067f19b8652b9890856ee9fa06cbef42415181695a8d0a1932b82fc7a88fa4500356e7af723534f0d7787daad0051a31cb54be90b52cf61b765f426bcb126b928382de48cf9e7c99765fac289b18ac20a1815daebf7a6a3236dd26f74e4eadf391898e05e050f68a7e564b2c2daeae18d06077c28633e72f121c3f88dbc3670992d4735d1f47131f09fe14e21fea8b52ba60b5740b873c3702826a7e38e25dca652f8e5b4274936b0d6f49f84282c42491f13f0cc006347b0c40a0eaacdb2cd8facf845fe86785ab6fb22f770f045c5a8617221ba84a003fa8b2a8fec44289932d9536179dded0cec31a0fbb9011bc4e2aa2bfefd298f681b1c9568f02eefb8afa91503c985d8b8d98966f45f7250f6e269ae1eb835a791c8877a1d8ceb0e7b794a7d45e51f80d22347522956c25c962f956847e243ba03842cddbd103d778735d08a3b770353e49514cc710a44de5e31cf5832c3f1ff01d4a5fcace8054de807227da77b665a386b0cf0d74a2c99392d65826c05704f3076a22dbc7dc4102a923b45fb6e5d3e2133ad68f1fa91653322a0cc5ea8bfa2ff90db9d9c9abe21a5523a1057ad2bfe25375db1721b48e61d93b30d9e8f59d77a3871f1fd02249c1e7ef717e16bbec7e194926f6e55ca88f3674a0de2fc8ab9a935b38ae1a8769c677b4d3ee9242c443f26c4678fe5f969589f3248036e0c5b901026e373fb4cecb92220044bd05267570ba905b745a517a74b833e51384f40d7c7ea3993bf791285b53d733932b7b5d4d2759c141a72ed6b0cbefd5ef4ad00d303d52c104000adb42acd04c6f96cbaf7a3cb88affdf2aef627e8c2e9d1fa9605780b690ae6ebe62fc6236bde847c7b0757c3449d18a7fa72fe1f3813504c08ee64ed086b604571996e9cdf798f59c05ca7fe7cdbbdce682cdfde25514d3ebef68728d325a2204b8e6b4f845957908939648b9d274e24802cbd6714fb4f54cf22920acc265705281f352b946ca49ec17f609d24b4d8ec05292586733f45a930b903578afd2b8b3a2120ae80dfd76dbbaa491601ace0512bc80d86a47fa297efb5684d6c4a1d0bd60faa9818fc2ab7430b6604c6689c288e36d93510d04c3499181b16b7b085f772a75444c93dd7b1a9f6d2e9e1a984053fbae7275e2dbed3bab060fc058958420b1f45601f773be1b9ec04a4d1e6125cc4905e55cb02f089d4d513393478ddecab5e9f3deb8b6fa9b36f8edeffc87c37e2c898744123132c0d438fd1e0d089272373bd7b651e32d11e2b35b7175f2dbddba02ed7e4c2bd4a5c458884bb8c1834559efd6a199d54a022530b5399de69817f7d5dc381484b56915ede6137862c9b0d884e3b0f9062a98d3a2e83e21752f03f5684b89899dcf3ce38218d5aa179e81798656a81e29c84cb64676b49858f91bf5cc1ed0d299e796c4c85e7b39c6b01f77e021ede52aaa1bd271219bf879304286ac3b836a75501327c7d5802c88c39470d2df0177c8f13162dab8b850c7a0eebdaf16126c5c7915adfaa5dcb8a1f206dba082511835a0312e175c78cea82c19aab518e638e849772ca13e717cd32fe15e6b062a19c5457e0e07e19f0791ef493f7e1dd8e24dbb0817b5ac872be428ebc98060bae73dac900e0b92be6fa4376932f32bbda59cb33a4220062c7575fda71056d339ddd2e774200101134b87fc72b7d86c053eb97eaa59b5e745d80ca50b045a0c8a206c4c65ee82122ff502d260e0ba8864e5fdd6a98f12836ee425cc389aef2633228f39d4f76369d69176fe115f7768abbce205b7b528c3a90eca5da1f2aac464665b928b2d1d8230e02c1eb2db4e5171a2ea77ac34f32df40178dbc235e955724da451780921aa10cdab492636c93a1305d26c0cd19853689b098b52f0b887241fe32833ca4f6ab0aabdb4be87a41aca4b31a4ab87b2ee112a9f659d14543698b8d45c8a2d8ced94fb4f5c134ee1cc133edd1ee70fcf636c97670919be73baa1b66d585a754643b71f6c48148a3bf65396c47957961ddbeb43f3d4f95d98f5132153b8520a8c6d148d9b4236acf5b39358e67034d5639448a12a42b25caba714cc3954b5a347a5e3ddab7ad1949bae1ebb632d20aedba02f38878509acb870da58131fc95cda93f951b003763b885d726ef7250e2d8fbf22a814cc58013618f28106f43af86a62619fa6e24587dee2d8f91bb4a8691330faa3b9dce747cf0f4a87dd735b4f1d214f79208cc12a7162ef101ce144fa220744286c3cc2ac8d61583cde2f2253484cfbb18425712f1f8969bdf779fcfc28ca94775add2c9eb9920ff4f55d872cb95ee69a6ae1ec394fd7910e08f77441f31d0a1dbed3ccf62df333dc301e71b1b877c4343845c6b8d496270e2f7306451b130c69116313c51c9d0e8946f5977ee2969a93701d7fae768f3dfb6adad4f3390de9f7bd8ca091b32fdd68ae647e3cc6f2abea807382206a84996287316c6b4fcec1c7f6873451f546855c67f33b3c318a1fc37fe0c80cc86616670b4d51e96307197f5f6713dd1eb23b55466b450f3e92faaaa49774206d3b57bbffa14df0efb04a6e34a1f6af845903354571933a8b43260d762abda1c033e5485e76f27dd28c1575355927b050b4856e49e1d8a8640898bb168d8c3a05392e4a4285d44b26f15bb60f36182be383ffb54082a71a8e59aab0861db87af02b34ea6c91927a4abd506f662d17c59ec215456f8100a5ec13eab566e50a863030f916383cf00a151102ddbf8b468f4008a60a26634d55afdbcdca2ddffab7efd6e8403de28d5a6cf3c139f90d21c3d51f380257e4f861e0cdf93943d0db926dc65eba8785643da0238a02f39a31f5eb1c3af6bad1a6a2af06ee2e001b11704858ed59c5bf8949182cde0398694e6101eb977a1f6d47de568784a4b186041980b21b11c58b40a893873424fd56e41fd781f79100b5549596c38de5e90646824da314666266107eeaaa8bad928fc776229a8bf85817d3dd01dbedc578bb94a00dc3137c93480f585786b0bd777e8eb25307ba253e8d8e4ebd8880f2a854bde70ecc8d0b79f8ebca5b790d649d7d55777a4ab3126dc7e0bfab9a2670fc374799387dd22226a48b22ad303c46e2298197f7887dc7355a90485700c296f330ba6618a9b6ad84236f6610444318975a7eb459efdbed9db51f36a9538e2c1be53671ab762d4109dc36fb7eeaebb80d10c6f98591a29ec8f9472cb56467b258ba53168c021a6a79c126c1c5bb600f9123d02e0d56d2345f6d2e7befb2b05e111807b4e03fe70244e45070dc407f32315227b7396e2ab97633b8079b4f61c4987f775e9460e47ec26d109464589b847d1d684bd8d30f7c699da25208fa6dfb9e6a9c9fdc38f19745aa0136e41b5b3d2c9c98b362492869e7e8573dfb42315544fbaeebfdaab3b9d68c7e6dff07f6c5a49f0432401201c27d1d23670d7186838f5b2f15bb6f9301896035c34bc10f6bda13e7a85dcdec1c140f4cef3b35eb52c46e5386d125c2c04d19a5b739a2c6d1cd0b5c9dfa085f07202b4dedcfcb04d9265fc56edf9eda488f303f59f3f9b2f45933aad543c0cb8cc21a72230f59a0429d17a6f73a7ea7eacbc9035c3db832174daf39931f321c40cdb716d69d83758ddf9bdbb004f5970026ecb78b7fa0ecb95b42ebdcd428423ef74d56314ed579b3031ce4858d9818a23eda71583b2552556eca75526acf679f50790fcf9b4286ab9f9e9db094c63cc53be2e6ba7ed70e0654eccb9e7b73b310f48d8857be68c00cc330a629757d5aede52890fab53f772eac290b766df53bb46f3b1205318ceddfcbfb2151e5548864389d8c0e11892f290356d141a03767eb295d4d37af299688277ec3f56b614a8f641357a475ebe362c14320a68e8b5af14ddb58634fca956f367af25b6a7703c8f01be59966cd2fa2567bd74fa992a148007fefeae41a6aaf3ba0cce34315f2e2314d3d1f533b90827c1ebf9e7fb835ed455c015a6d004f25480805423cc5df90742d1d271ad09c1cd84e4035afd0d334b5361360df0ddd089e91c48752f1695c0b2e48c52c3a9d86d3da167a272026e19b75f726cc92e7ab0fb1d101648529d150773ad57b0b4227cf6fbc9b0766fa9c326a6ec66d3f351f2e6ca1bbde52760805550e64a82daaf16efae7ef879036d121ad303c3a26f40fae2377afe742640e117fcf766dcd016afd3436fa24e4d0e201daff85087f84cd839fe6bd8aa1cead952a942142fa66b314b032364e93db2267bb5152f6a731285e602f1e513235317dcc39476b36804a0e3abd327d6c3980d61382f31aed40bf0d758182af3c942aa836332babf38644c313491aa13f3206f18e3c68553e8e64f0dfa580c4427882f6fb134b0d33e21c30a495ff4a9bcd0fbbb20adce22fb9c27cadbd2fc48a195274f480075a91f2264c496708481e8e3b668d41482ecc8d2aae7ac140e8df0af2aaaed234ef0eba355a4944f03370c5f788775dc858e09921c3ab2fb180ae771178f9f5de6759e890620a4975e420916d455b965d3a11e0be0e53807577903265ab93056b518c7c62da1385e26f4ee1c487213f6ac8f46890f98ae4dbc061ba1cd4f8957e6c0685d9aa5f3e62213db2c33b2d82529a030739f3cad9a7b39971c05af8b606826dd5ed5159e69d039ce6a46c9fd16ad459165c352f8ca296f5d0622e6221947c3a064415deb731ca0727bd87f56dd255327badb39718b48bebbea61a5922a24438a15fa82176241c1f43c65e4f5e5305a2931897230000764e64bd2ba15b61aa11c2004e43ed66b265c219c254df7421c5412dd7092cba2e3b00bf88a39ca483cf5ef9495e1941092ebc505ebbf93f452e24023d5f8b81c613014a14a59e78a8f50d617013d0df9263e33c479c5ad4dc4462772236819c674d7cac8b8e20b287d7a8b48824cdb795ae71ddeba2c9d20e39378c24bb24fa679910424bc1f6ba761b2c3800a625fc32bafdec7733bf02ad9125a4464c0b0cb49735c81839822a8035046634ebaa5147ea6aa37d8b24e03d866d7410c8f9cddf77ab08142c163f37d5b413807c29b18767e7d23d1de72a13f10799e40c8c41d388b4cce82c16b0cccbf5906de5cd5748671e16616bac19498560ffbfd73fd7664140c1829796b99985eca15344657d6cafcf3ad0ae94665eead0df85cfd69c9356907a5005807b77b80a14411023cde95031f23db51bf1d312244fc8feeedd8381a1b34b61f6f663274a64a6d35ed61d8312ccfc1f82809852b77a1f2d339559bbb65820d793b566de6aaeb0994ed9aae588e329dcd64f8f0502472f4965b686a0a12c7cbde7a8d0b86e81c569ab586b3d80a8b9998a5fab0f3cefd33067b69ab9dc66e66d12265c862197ae8fb1ef3d55f48b13ae86cc4c60e312c9b55111f17a40164682f6867ca9f9379796bb690cc14c22395396df33a066adae7547ea133174bccad28c533099daa1e9226ead7f965befea6a7eb0b3c3f5e95b378d70f0ca27691f17722e871f62b259966443645cf5ad5154026b02afd221d0dff6fc733d01edacf24310a0653ee6ae3d0190a3cb14286fbdd7e5adf365bdab69d4afb9a8065c4b6057502a8461cc614f22fafcc747fff299c4fca9064fd197a6d3c51472403e7e47812ca26a62f5ce0c83f60b2bc588bcf05bc57ab7fc41b7dd536d04aba50186c6715a1ede0e5ba5488a7ed542f0ffd875ed2cd704ba9be150fb616b7c77a54e58023344a870acf3a4000a1a8de623f34131ee7acefd53ce302c293ca9f2801944611ea3e5256b37976cf6c063582bc90054f4bfa4361df2bc8123022d0387e4300e0cea5fd87753c4618aa5112dfbf089d529f4564e20fdf43f2334b55e64297c84fee5b83a2ac4f598c55b6b7da4f443f7afb4e493738b536433cb1f5509d967933a30b6c3629dfa817e645b1f4f0b942c5711a7ff22f33a8ed5295887fc44866ea4a1a383c39368b11d16c7be67c7e789a0e58b7421a3a116894c3d88da9799435e8285b79325fd143074e3bd20ed02bdd0077339e8c594a9274c9ba6158e3d7bc37d74cc4d51dbab3ccd469de2b692b8547c332dc74a94161df076f63c61cf7c50541169516f302708f48e4973c4c0e8aa960c228fda374969b5d0d606fb96f6a8bcd57dbdfd0d09d71eb58d1c5cef93f023a63c54a4ad5df397618fd4e9a0b925bd2e260b879e14fc5092c5cd217e8fa90c274faba7cb8b0c347178145902b021b015edfcb0afe36c7929306212b048c16fc8db03e026178a4fab71b427eaca6459ae2c3b1a36cc610507319e6d7046c6daa76461d7d5e4a4bfe917da1187e76cf0fc49e84551d7fe6b75487256b3372278a78cef0b20e9b1d73e20dd7f3a1600c0483dddc807f48ad631eaea3e99f4560e64b788731cf9977d76d15a2320135e354669e825c7254ce250c405d3662329b6d33267a7268b64d4c392e9531df2d2d8de0f9f166d8f02e54876e8c626cc1566a3e3010843054b8b44ccb7cb45ed8b050901e09c5e2d44958b598307576c7160b927259b407a1e82b3c713e2de49a2de21f1e19d3f1c23369861585ad6dd802a67ca075c730f8078d848042533b1d4518cd4435fb7c5a58a2a957b559af12af0bd79bc2cdcd920167ba949b683ceeca6853402ab4d1cd7fda7d74ac47cdf8a188fbc1ef7ab59de8e189f25ce6b8d3126b31eb836495089b5ddd51863e6b1dbb33f1d37dc74851cb3b9e961fedba22ceab2d251d493f6351d44e3151176e9caf553cbb9212c4bbf9a3b4bc451d1c4351cc1d74582f49b6de28cc5ecee5f7724f634695d12a49c5ea57a5d089c421ac4cd4aa6c5d06843922c933b5ac0dcbed86e5cffa3403ce6db406e130e8219755eab1e37190e2c737a3f3865b9ca7925f50e4ee1c775357579e03ba0e7c0731ae9e62cf67901368d376510a68da69b22b5e60be93c75b34d0caa2cc4c327c72731a193c93947837bf41ec25c0cd50dde47d0740cae7a99117b76502191125c43be006e6b66c936a3f7e5a38806394a73e292e2e9d8aff930b4498d7cb0fb7d928ca84e8b33bd0ca7ba6153e5b0a44e149968665ec673b145950b3df23e2b141871f1a12bcde7cfd10e35e42bfc1247ad11f5b5b6b287ec2e45e09f090b0fdbeb4379219ed5ffed9d40c6dbc9a93498a8aeec7133af2b67a94b470a56e774d5bc6811401caebeeaa307c3edfca3bbd374837c5a29a1f6ba1a2ad05d60aa94d6ed8f20ac2ab7bb34c7cd0d3b585198867f83b35296aa25f7b3e0f1109288d9edc75b3b7827179eaa7267daa441844de39cd1cd2894adaf8c9b620af809f99b997e0b93f59affaa04c6224521159af9f3ec8dd58494c17c4ccef738db8a1752b298e340d254a8fca7edb6f6dfe338e87edda4672783f6b7335526abacb76ad482ed520484c47717bc1c774caae5d787c90dccf46245e7b6bc9d1092a9580ae4561266163cb9ae7e3956dfbf90a957d92c4f192f7b5d589ac0eff779ef3dd28fe124539729c8520f94c42bedb7d9dd77df55f3d33540868159bc1b5956018814b1d9cf51fb3969f87bf15f292c12cace26b16fa73e77f92333f756b1ad5feb8f6e005f464eabfe45ecff277fb37272118ea1e2d2ec655be3f6e45208490faa236cbb8c459a9829aeb155966db6fd80d85102bd9fa4d549bc3af927e227bcedc668b86a1c63ee7505f32ec7f53652cad65a71dc6893a8db3c80d00690683f97b47f4297ac1c9d92edffc70e3fae85448078b7a7223299d9de7211dde2a7b7a3bc0358c3d16da0953d347aba47522a5e060738d35dfdc14a3a64c8c694016e0daeaefaaf50bdab9d6b22a0abe2eeb63d18c2ade2da22db24479fb4dd3fe131cba41cda5f778ad2269f4eb8d59b01f5772d03d3b7368102684b40490da96a68c55b1a6c0e326e790d9329042d7f3f16a5d6294b3235b0c1ad2b3e10fc8d1b5a4deee6a8a310d2fc6fc904323d4aeda962232c7ff614fcf123ea7432dfb688ce725e0cc22b0471c255497137ab3dc1f23442dc0b980d7939c39157fcaca0c49e625694c923fdac5384346f32cd05dedb78c13aec24b43605e52f201dff1565e0f7a1b3d99288835b540ff45ddd41e8c9d81e23f305ea42c6c39a91e0b81ec2376f2257d3f31f594a387450e9fc82242c059758e515ec761b5011d89675b2414bc5f77412ccc8e8fd6b4ef0971df7b9ac67f18b3cd033f58f17ea3a29e9776d0608ffa1a5fec53ecbd7cc2546bbad131a2a3a71c141770b819959e4756472426cd9fa1a55e84c0af81a2467b785a88f31e09e58e7607088462fba2049a6d6d74a0b0bf89f616eef5f3fe6721dc09d3663236a2dffc81e7e2b9730b8fbbc2c88b039535770171fdd5f00c8be90109790564651b3f0955054f853aef59c91013f5a06f62cab6d9336e3223f82a725c8c39f6c9907f4606275a576c83bb5f46a55ca5ae6c19a327350345bc22e578db297e7f27653a6bc8eeddf3f4af44656264192fd44d9b03890826c6584f0384e6f1c431fb035156397f4a306637d78cc243f01e26e4fb2f189caeb114340909bbc051c222069507b5061c429fc1f072776274150d74422e8ecd1887d07a14869980ca19671a758d8316f08aa49ee03295364c6c62d9345a2bf2790becdc49ebcb6aca062d122eda3e60d45327efd3e5b97169cd09f9908482e1c25b1526acc2c958d0452cdb9eb69844a13a6cfab5f4da1cef21740348d7742f094bae5e98e86be11ffdd3d271eb6981245aa4111cc398af055a150cdb232f3d9528b7cb3230bd017e53020415ed11e54e40e60508f343123017e4331bb15335ee56e7b0a78f0d213c7fd8766b7bf3f74842ecff50e1e06711a35ff387ebb2e513318a082af84281885e5c94071cdb1da45fdcd819ce9130d8ea9a47969131feb78d765963a8eaaffb7c32d5a7467379fb01a41614fb6019cfcbdd60a0bd90eabc5c41e49fc49104fff6f84ca4a0d2ba395131ee859672bcf6bd3ee559a78317b978cfb23da854d8f6a6e2f02b92228ca77b287644a410e027297e6f3ffb69cd3688423160b2605437e8e6bdc693c3dad240ffb7c5443899b95f40473a8a0a84011efdc1666fc60cbe93c991185f472c489eeaf5b5e00c92aebe9e7831f5ab1902c7a12089764c8cce0f40a482e22bb49f91cabb65a09d31a22e128bfb2cdc07d94da808e112c7aa4566bac4309c9836ef6161766b69579924d1b55077dc78c8e755cdd501595ae6cb76bf9ffdddf0026a4d21e3d13a0b3721f8c0264be0504950c858074a765acb27a27a1a8d9cb88b55231032b8aa4d4655a9e84c78ce7c77beb824898fef25de99f73017cc69ab6ddeb00c86490229ab33d34394502ea9f88191a134736c8737edf1c08f3b9326cd481fb0a73f00ec45f71c8add20432fd03ebcaf327fff6561a24a301376f5018510d54a32a3d814d56a455d29eb5460dc61a3ba133e5ec403b2217ab5d4bda0fb0fa6bcddf3fca51379216cfdec4351c138357b33e1804ad699dcd1cd526f557f6c2ab6740543e8b55ad808d02804c3ed0fb4b7777d2ff96d77ce09b04293717e4146485dfdbc2fb6cbba6a029ba5cca1819dc0fa5fd64b7797f7a4263be15e9d238c66ea999a096041e1839ac22d1b862b211954148f3c8a8a24fcd6145cc69f8937ce61fa8d898ae20cd695cbe1d1a7e23dd3b7c2c5cc8ac62d1f54c76bc5c5baaab8746a70573682f9ebb8037f4ebe9f68b8367e8b84b10990684ab12b4b4e585d69ba03059c6022873956216c91de5abf79144f29afe7c129f1322394bc2ad2e2d2c42ddf19352d80aad0d106e0bde251baeaf735dc14cb639102c9be0f9a2e93913fa9b01abbc0f106d35d57d55a73df58fa8648d49cb95b12988f0ecff93c60abbfd8f1617200174b11c8bb3c8c08af5b16276698209e4196ce64ecdf952d0e6c7dbbb5c8b2cdb716443a4c18729c3e07aecdc3c8ee4a944c8262e2d115406b9375da6b68fa363570d61be6fb6164c5adf060e626d86f8185057ceee1ba17f5dd7ff4b1c0deb89caff703f164a0ed313faf74c137cef19cd006326317c10944b33f211a5ff15c7b7d97314034ad1a8880b9cec55623ac4198e895f381b90cc14c8a718ac3a5a9cab6b42b01759b17b164b4315dd0c3029ca1c6f3daf8e6016bf131bf9d700490aa766a01a00c7ae2f66b61b452beb22c5d9876397c74bf6eeed803ec20e110e80ef7e23073b6902ccfc705ab30e808ad8181426683241d79248698fa738dcbb9443833dbbedf0eb5ec922bbf3d5304bc302bc207ca414d6153e2ffee3b3b0265fb6a8123c5c84138e821aadb80b87bd3476dea01db482718591cfaab73d74110b69138c6b4a40a4abb9f74f6254202d70703c3457166688c1a3ab233499b80b07852ae0a3fdcf16fcf6d5aaeed1f38adc24df28b746fa5e6358f3c6ba37803895c9f6babfe05995fc93e12166d91f6e901a1b9788fdd583980721a54d725970530db5b15b079acdb26156019ae144ecaa6a0cb10f2a0ffd2e5125f42bae8b2d0d9326da8c581db24d522b4f78b273632b0ff3dd5c665c6259a6bd6d10b8941ab17159bf6883b14272725578f71d1eba05159a80d7bc20fee968acb0a48910a90e6d8a2aff8627fdcf338d6c1aa5a4ff5aa765cc898e8b2f088b0c00bd87280856600fcc9e788239e1b3dd935cb500665f7fd343f335ff7d4ca27cb5bf63b796cda1bca42d735bb067154a3437f0f919d224f214796ade16af67b7766579742192219cb7f82fe6f17e8316119cc6939c24647b79bead50a00dc4c2810779fecefc306883fa3e60ce4ede45c003492c298d5df014e7d134505f23e197e7f67c72c59d7bd9f73f1421de670d3007ab095198b355849f76b91a2b8a50912da8dcdeb7a9ea3bc75928d31129586217a89da4fa0df65d0bf868a20d71544ce577d83b1af47307e0a747f4ea6543a9b282f35824400ab8f774147d574b196e253167bb5560585aa8317dac0524abb28db0c93a732adcb7ca7df63eace24f77332afebfa6b1577fcd413cba95ce96513ca8a9fde1edd3a783ea6f611771f2af916db39155dd92da7f6c38cc69ccfd3fc44fee9faed1c824e67f4afe08d094f16d04bc8d5d6562bdf27a463cdfd223bb5ba5c537245e52095c0cf60c2f9e71f9d54cecf352cc86b7c632b0ef2218727a8c9f273335dae076387cbff6601e88fcfd876a279290ea6b5f3875e01a467343ec1813ecf2f1c1c2f06db7d5d5799a41c9cfb600d6c39409826e8db600f1253f731123a8f386c2a172c1a78c3c04e012a9a7d1337ef0c8b63d658e5545fea2bb1604d66845368bfc05c62ad00c0c1a812c0c034655e9f165c09241c6dead5cb45f7a1e022552216774a82eabfd3b28c76118edc6cda9f5590fd8303390d821c839b68e19cf9a9ea3e629b39651432bb709c0b36b7f4b9d3c2b452ce1d37ceaf9bcb017b8b6f06e7a96a06b2225167da1c8d4f8fcfd290cb7ab0e6d1a21863cbf9702040734c321ec3c8d994eb7ebd2e13273ae1b97341af081ee36e7bffd31deaed5a33c73360089edc5bffd91aede31de4425e4d4f27f1df9943d171baa42b0fde6913c5c94b563c62d4f2557d1ccd8cd5039b61e9fb9b9f2d75f3658eb8b27086d6bda75423d42a6e30e8b8ac3823cb961e02fe95c0abcdfe39ff65a81c4f35bd5d15e916f05b09771b5dd8927869aa192879bf5c110833b19e7f947093c122c256d9bf9bb7e90dc89ac6d413f4e8a6d2c48c5bc0f9df8b09d8b3fc5459d30600ebdd7d4c3f70151788a3db4f515073001f1a91e32a27f5b2e1e9e0b94ecee3a0d28e7ab7a0494b03fb2743cfceb102b247b7d290f4b06ac144c6056d0d90b52820f6c17d9e0c735914d09fc710d7fda95c1bac88c42ff3d79382f1d4e3d0f89ec618ff97adbaeeaf14f5e59b2acd34c5277091a06108ff6168229ca8ede9271ccd3d4c6ad17658d349235f7b09bafc5ba63ee91cf42b7de0c6a2ef77b8d187e82876e0470a915c6e8d38ec4dae55073e560be970bf9f38567c230a3fd4e1ecbd0a525fad9d243399fe9f004e38eb27ab5fd63ff7bca64e91d61d023fc7b62a2c57f8a8dc78410f0f2efbd62e15b05e1e236345f9dc500ff5a4fbd6e767eb1ab90c54c5c7ea110ca6819c744b55846d841322cd89d8a3466efddc02c67a03b1c166a46efaa3ea835760e2aaa162608fa3d438ed1acdfd526f206912199b13a8a493690cf4a76bfbedab0399b7fa83a143058dd060d32e0af65c4edd22e49472668bf814567302918e10f8972490546d04d47d0cb96b6f6e407e322cb44bc5983641b2df97870a7205148b7303830a7676ab9d0fdc354b273fa5ec3cc246032b1c9c1a8b1c3ab7f35775b121ada5cbf8c2cae2ea21f612af40dc0937c06a994362721d3e49785d7c9455563df722f2c52f1c58a1879f7cbd766b6f5aa57947ca90bf259f8a4ef90822832b9b1e0d538c2ec7b9e1a378186e8502948a8fe1853634dbcab869ce06be40dd5ca80e0b328238bc0be98573b81045a5e744909a8b41ca9afc39bde4e11a62cbd56f7b2f251cd93a26008003d69c22d6f5523e638523e57d93d3a403dac5ed36f57d060142e56d31ee2a06d43374d3a1a858f38a01848d2182da0fd1e846939a389d2f73589492801cdb3e7d68b57378f0b2e6f273f43f924f35ad03b6736a68c202fa664e78e0ed1343d347f2ccb7cc19f880943833976d6d1baee9a9a53c1045b34d9a44ad883849a24f4c2e8f87d96686047d9e6abfdbc97a97dce5c2c435c2a5628d9f5f6ad204bd9f5278bfe4b6f2fe2be04a0f936c69c272fef750079acaea645f75a371cfa94194b5cbd9cfc472a353ef953cb5a5a700eb34d486fcbdefe238e4e8c48c3fc53a7709065c3b63e89b7ceff7ef8c8b1bb987aaa7510ee5a6357c7cc137a1a1d9f4f6633372f180ce1536325a5174d1e30279c112e5ca1ead2368eec1a34649c28daff413d069e90cdce4f11bfbf1c1f6b51517e0d9f66f15f3ae78f88597b0ee0cb2b21757436f9dfe18332419fb37ef177f2901bf1655229114468217c9777f6902aa562693d47bdb9d0d0ef30b4af908ea3f43df77bb66d0f204357c38243dceeedcf49f028aed6798e10daa38804c9f1552debc9f80708b1659eba23e3de883e5074a2640f66277f02826d5a01cb29b45aac47ed3702af6813556c0bb317c46f8be2537f5f3d78c31688b923f8b5ac67c4ba9234f80e520491fe85706978fc9f7fee4146305f5af4cd2284b37a97e0fb3d5859bb291a1dfbe6fb5270ce52ca35804681dbc7e3f4bafc44651f6c6416443ef6c55f51d1bec228abe89192db2877a912f98e85fa83c05ed25f57f10012c5bb6b354aec5911ae8177454b8fdaa7c29cd28267fdeb4a68d3ab9c31f94eaacf193cd7a2318de182e3e4ffd5421376f1a55c523960ba860f5996a68945d4b246ddd6f435c885182dde0f37b24f97400dc1eb3178120135a5bf388c29ebbff4d9fd723873a3a281ddaf0769f2b555c8b1d7e0852359032567e894e2a358e7395869c7bb58f02f95ddd3fa006c2b45f86e337767c4aec68aa8aba68ee2d284c2a2fa16361473aa72426761513ca882ea912aadb30fcb506ea9de889a832d01226a5dcc0a84a26ab573cec31921d3b671e612b956a51a490cdc0087e489375a89fa24f546fb88669a4ab2567b721a008d51a0ec93b1a68c06edcb7c7742ec02d9ebc4f182c55d841e121eeb2b134444b79356213eeb896610e09df0600dfd4b63227d01f370c261330234f715a64f989e0102406befaf12d154b8990c3ce3724b1302d3b9042442f104fb63db0b157eafa1981add92c68653673f9dce53c1baf8918bcf8aa869713c2d2537920738cc8b1ffb72e66f6d7384150fe0a72d61b6cdbb41e3d1ea85722479d00a017a1b4f7763fdcc30f890ade976bec32ab50bcbc4ac52617ee37b1bd5bafbf37a1136bf63b07234165ec35a13f0533214d94172744fcf0677ab06d401c44898ac7e61a54f82ef002009eac9e9c7f62c1d2afd0d7acc826aa69da7b9a120217c8397a0fbba15ec7874a638f139b0c36b7a6437b668421c43218bc00880a8dc40ece0cbd8a259ca0637c324b878eb34939ea5bb354ff4fbafdc57f59761f7dbe0713e60c770e368feedbb64b71c3f469a16821a65dccd07d79fbdc15de50a00a12a9f181be9f4360c523efea8134fe74abbcc1b28346b1ccd55c9fbe824d4de84d94e2e798d95640e377883b3da1fc8b1698b55d39b945cd31517fd5f0677fa0fc5e940e8a86317a42d42950b817e107683474ecd96553ae201f98db8cbb775e6857a5c4bc9868793d980e4a0b184f3882d55d12b895132aab7ca015527c307cd34ca3f0a344c204429c0be3c4bfa692b3bf5659afdb94a9a69103980a7bdb206983860f57bbe43fa2f456432625cc6b05f662c73aea43c229ce840ab33a112149822f7125782ffcf42ecec2eb26f2166d419e1ee42f015c48ada2dda2c47ae5dc5726c3d1b52be5244f6a10263627fc079a888eac195e8affa6621ff01ce85b21c208297b78db9ab894649d83ba07677e40691e207bee5c8c1afc31cca222b126e0010c2cb8a8c4bb8df301cc8c2d53e92d68991abfaa7678ef9e9c6b60f16ee67b913e3e49dd4b8c2b43adeb3cf01064ca96b8bfbbb36c0a8418596107cd1eb8198c5fe7f2e601884d88fd1100b45343a572554ed5556123c42f220ddd6bc858f66125c3b84d4290a153d956a37b3beeaa680fcc58630023eaf42d2b62bf47aa55744dcfeeb857b82f9ce12f75680eccb940425a1de2fb2dd9a5139fd5e4030d18615802410e84281603264ab96e336fdd9a56b521699677a59c0fdf2faf7dde535bf3161220045de75a407922273cb78c27fe7099dcd54effca0522294ef03681aa43300ae1e5d4623676bbfc53a002653d6eae9d3c0db37594eda7117f16358afef343bc1b51d8bf6683bf7fec5c9c8193550c7c72a6893be769204a4b3466cf3adfa8504f98522e3b0f5f5fca92d60821ef0a0fc65747684021fd8b4602b9554c5457031c7990fa6f998e607c78db79cc0fa598bfbc5e280b0a4b5ee802e7258c0a2ea41638d9acff6dc40a6982610d539bde09857e940f774440d644779982b8f296fdd2a6d44c3bad450c6a277b1f414db3239dd877510a289da6d3d065727efcdac3961f943c24b02bee0e67d86a2b19ee166bb901c82c56a37b36428012ce3d9b7726ab33828960ce85c2633c34ac0bceabbcc695617f64bc554390bf3d9c7fb954d97fcaa442f02aee9554e69948e42e73cd0bb4596ceab1cd1e9d2231d663e6de9a303b813780139a28ec57d4a9e223451964ff7a9c09483a65c9b3c245640b376197f5f44b0ea0484752cfef5ee6f906db4e3fb54d2b2c47bbec54de329d67e5a97febab05c4dc05f2c54323746cd0465fa9938c2b3c3cb111a259dc86f9c74d5d7a4a5129d79779b2d1304fbfa6cad81b8e2777486bceb5784ffdf34c91e4bb5411a9d7bc628030e7a842303b78ae496add2beda69db5132b2241087e29409a242625ff4f1c2952f91675d7c7ccd23024bae4c45f328e96b7665d3a90efd13b59fb5b55a183f91eb624ece8229a95ff78499628b0b4c28dcc6db8b1827cfa860375f63143aed924630f4a007ff69c9b5006596fb7e1c60ff2a26c47f14b253df8f522b780b7a320008d7bbd888c84507511d6d89116afc3170740b3c8bff54449774c5abb162b6f761c56dbc0b5fee80daf96bff96d37ee387dd379328ef1dbecb0b0752b092780e7bd51924de13aa4f25df48098acd55b1b28504117b829eb983768fa10ebbb290dad24ec3292753af4e7b532ba4922e2ae19a16a2f67f719716dbc6387a7cb98474e581ee256a1ab139c79eaf9baeec733a0fd8f84937bcac2fad79b8634fd318c079b0e1723c2ff56834e310a9b7a1154e13c02e2f671e868fd67e431233cf7181874b1d56ef857baed0bd399e1593d9550a7a4dbb89867a64c96d2d5f6c12cb5488cf9ff369f985f7ac6015ae055adf5c881c8fc5aba32bbe4437e20e3d0d477cb0d9861e06290f7f9bd4e0d2332d96280a049fa2404abfba8945f385f9c7226543bedbe966bb20bdfd8ccbe786b6f003659f25a7a0ad767d754d9b0245bcc421e171c5e6101bee7a0091d60ddd6451d0aef28f533bfd4d42edf2c00ac47fe4873fdf9243afd435098b20403592521f2c07069503ecad6d1e9db00405b9269357e08ff51296dd268b1220a8eb3ef86859c2d8abb4a3c4b2afe477faed5bfe08c76c371fc55d9db73568703d7c3e50fd4e5e42107de711f7aa1d47708a1142ce38530fba9adcf8c769074af4fffd8b447160bc043ba2a4d6864c5c8351a1241e6d780e21c89020244d1393c6f8b09ec4ff7500a233fd0c4be8479151d83334fc46ba04995cf8adeed9fa9a2b0ae7a873bd4059d87321cbb8c524e5ed10741e9fe4e68c2e490237cf492d14513fbed68dfde05be69b91d6e2701101b7b989dce7e4a36d9e9f6155adec0470cba77334e6faf660868839ef9b309588ad403fdd6d398c777b47a8434e6ab077043b06f5e058826c5b9197f47ba9cf26e1a2fc89c3d489c311f4f26d78568a9d56e784acae708f83b8d43045a8218264e13b633d744d62f7a6bf6ee2fa81f7fe02c8430db09dcb7da2925407112dc5098ee93ecf3bdf8d116b47c19650730d38ec12a84c34684ef6063a1c741f932f3fb571a9820039f34ee17e4653de9e24ebf8223e245e1e36605769854c5fd1c6dc0716dbd95f4ea05672ee53f27470cb584b097958730016d824006b7f3dc5484dac5eda6939fb086db0c7f89d6a99825e7402b45d73aa5f3437a7df8cac98b65a73bd428a3b16bd805f409517ce8ee036bfcd046929700133334a329d03f213e67ef8b4caa197c48c7e9ca1495f2715866ad07dd605673e2c29cb8257fdd7b0a3fcfdf2396b34175e55c24cb8a269368b1e6869ec9d2973bf6ab29268dafda4159f9ca448de9fe25569c8f01ecfb8c36872be9fb51e133ff24ae2bcac35e874b808c7382794e07d6db152769910ac5e054f114b4dfb32d6222557f53ea4fe23013ea5394b9414e844189d1732ff21c3d82af46a11dbc302aef39532f903c3162fd9442046fbca555625a4f73c81c851f4483567c917ad80c0c46a005bac81b84be25c5c4780d61fd172f0f932d845004d4da9ea1eda9ab71c99536ccf23b6e605b02536c2cafbb8810cd7c7f3d9b02c8d43245c1779a0176fb45c5ce0f01620420ee2f1f0afd3749a802bf811670e8c4ef166912887f1f1acffa0685a1e840d0296eeff1dcafbf36c752bf351a12aec01e3bbd480374b8ffdf9e7992f38b37afe34983541d13097124edc084054ef6e6fcd12c18b43d50078dda3b88b5f554160b8b29c0cfeaa9abb39f325fb16e65f78f31fcd1880174cc8ff5946e242efc33fb83bab1f228505e81717b56d853f8b89e8b341d7bc23a8a11848e2bf648196a5038e31ee6f4ebaa96e62882d8b0bb118e82c51d0e4c73807f889bc186a46d1d0ed770493a894cefc18960060cea9caa45e9aa890afdfcc260b8f6508d60784c5bef72bea58ddd9a89adfb74b6d5892ee37fe4994e0f15c0fea821417d5909c33942efdab662a069a5e184ec151cb7e6b5b883b7500b6bb989afb9b25e6bf5c389dcbdfdb23905fa264e84dd2e390e281055b4c62b82a202b1444a89fea67755fcf36360fa6f4cbef4e8f0f67be28ea2acb49016eb1d273ca5c71691c4268d5ed5871dd732318518f057efd17b264ebac412688a1743cc6b476cc4b23c2c79a4c76f549284c9775a29b3c11e94b797ad19812183848963470aab980905b39452b168d0c10779e79026a0867a27837ea0963a3334ff1af31058c1b0ece060fc3c9e01053e6b15224f95a6f12dcb4b85c10e238c4ffd67eb6e4440dc4a55ef1bb094987e63cb59813d4b312c2643a99dfafca290907bd5b8cdd3dcdd8cb0e73787c226835455f365781b4e1ce95d02794d4790be80558e6eacb045e63fb531a0760c7b7cfcc4b10983e99942e737ae6fc99d287eaba65eaace905d1b77189d9a692b64c2e075e60ab2cf2dc48725016e4c8741b4dbfbfce54803bab6fff7dee6af90dcd39a142367cf3f64492d02acea7c753f9aa656514b5412f6dd90b9bbf77728b3044539d67994bd07a1dfc4ebed97e085b757073dc956f9a246b5aacb677bf79dd63e978dfa8834cb2f9d58fc999123de8185fe5780756b62293b707b9a892bc0fb031fa8c6a7af8a21625a45578b6d9bd38d40e0e2b1452a14165bc87f8044c9d47e774ec66de0bf97b59e4da7ba3cc9b6f92605e393c1da5c226e5c13ee32dfc0778567804eb3fc5fb63c6cf9c509884492a0c973e401b710a38eca1f8725b7daf90aa17e2f36104cf22952dce65fb70487f9c173693be0eacf47affbcbb810e6233884f8337c8bd1d24ca1cb7ee810fd10f08ba7095bf16f41e02ec4a78e771c6b3d9b658b2988a6cc1cafc59c67149324a67fdcf17ff917a798f7707459323c4cdf5b4c72a397d40bcac7e408cddd7a2fc7dbd82ad80791a0853c40e98a44e6b2c654fcbd3fe999c297396d132f87b3c25bbeca9f4f4b5cf3c4e55a6f1841b5b3b6836f71cc5a33a462be355e9c944a1246eb140d13743c5d8ed4ea1ffac12e5856b73b0b650649a9cdf2769802654c5808db95d01879c99c6832a059230c8abe730d960a33485484a6ecfca9286614c0917878d91064e8401638a898c60ec7afa7c218098bf3e4dcee138c2eabb106d860f50fc270135ba1e14502717edd1acfe17affbf9a67062d79e4a9f76d49a162f9f052cc10591881b983288ea56c6452045504c25878dbcd435a7c0b384df871f9ac4816d00fc75cfebd25d217e41058d5af03c68bc1e04e5608c00e9cd7dde2ab8a2adccfbf0eeca965310f6c8fbdef16d28ea8589c8eb7a1f389c82b3f1fe1aeac9cff77f5e990a17ee9feef0322c7e5c38e0a0499785fa0af62cfaeb3e80c0502d78268a9ebed605a365e12a0d983e8bf80d115b55301497b6bcaa5b2193596200e34adabbbf475346d6d35d9a3e4e60363ca9b4817219902c3c437a4918815f482016c5d83c5ff4076276924693369571f276431c643866ec415339a9c079089735d349f093fa46d94d0f77f307e262763f08207c9f9ef89ff3e3a35d740d4c50dc199f78a74898cd2dbd72ec026c97a3f06c8701054eeb3493216e9fe041b7839057a681b699862e1a1c21246021278dc7f271d02f1afdba385891b6c091949193ea6759127fe51d3791e83fb1567a3bea668a1915a8d74e4192069a0ad7bbddbea9ac8dd6fe6669b183f47aa5d7d1337c5871ec2053f661a50128327c847c2b40d031b4011561124bc01eb00c76851747a1a3cb5b6b44462033b8cd0a15fc1e958d9a755d93e8965f60f8b64e08992dd4d1d466e532de3489df5e99cffa3b1a3b215f83cdb07f371dc05ed58480c85654f5ca001e683359f13bcb436af1f7d65339ca08f5517708dbfd761f2f2bfcb95d9647d49d7321b06973543d83959bcf87b694ca4312c90e2234bc5f34a4e6acf4109ee7b30618636fb41ebef519e41534f6ab1b0268d964b1040dd99a6c63481c4f85e440a7d24908c53c9eaa7f8223a4c9283bee436b14d2263a4eb4d841809b3a6ada30a0ca74941c2c0e5f406b970cf0080234bdeb603898684bca4027f803363769620c96271d36637b8a409c52a08d54f7bc1c26438313522dbfd784a8840cfe36a9719171fc193deceab52922d443a28285e1ce654ce93f87ce673ee6a42f5685ff7cdc75290352e6d128c2591554306d70fd117e137a018b182c331bba74c8e57dc8b6ac21f90edf95d4ae408cef9488d6240b993b1b496371f6e9f4f7be9f0a2d8d0833b3372f1978812cd0042842071be0ca0883c70d928bf3cbc8694c4816d3d34f05419c8dd4e093fd16c3c9e8db47b71d8aea020ab1e58a8be69b78031f4369451ac7eaadce5292f3a92b564029ee97811f5870c844711cf5b12bd535b7cae6d36f087583ae4bf1392d9a2ab30222d97df83206f82e6af6f45bf393f10d511fe27e819738489d81c3c85fa9c7edf2e83ab0434e6ad3acb1ce6445125d8402a9c66eac24da22cf54791892fb5600b68e9ed903e448ef4354e103896e5cb83b6d30100743833a6f7a34fd8040ad2d7455d68df92d8e08bea26c4eb1974050c1775eb68f4bbc8e0f945783fbec38d9faeedb026c40b90b561aebf5f220baefe42a6a2bdcf3d843797e058f828223fc9e06136794abfd7d1201af01a1d89f3739fa2543d7e260dd9cb70e06f9b8c005d7530a5cd590720255a8fa520c8dda07437b010ec6a55565a3ed60ef206580f860ca7221183e09ccfa4f5c413f633aed9d1047ea92acbe4bda0cdc7d77c09f88da93e4f593b4d4b85332ae2d3e391276184b3cedac50b5ed485f1c2942aeaf03662a7493829f70c2a4f0c9e017e59e1895d53133858fdd05432ed5733d7d4e4bc77dce9884d6638f0b00d50452fdc596b170f322e53fe2a83fbeebfe039160816626dd68b86f9f5d8a87723833c7aa0f3a1a8cf3c45ca918495b051ccc168f0c7ce7cae1d9d1796c55943cdb80ea22d24b9c60d71b9a3d93b08f4dc04994b340d1b28fb7151c8ba6baa854b9aed90823697a8b4c6af792ce95e46ab465d24610244b6838cde96d7909cfd2b87bb29e4dde8dff3c55d47017d703e98731a106a02b4f144c1a0008c76c9dd2589dcf6fbe85790e35583747724e272f5079816a46de5718dbb1a04f3a3fa5c535b9bfe7735c19a926921189b55c404971f727045a3d25c626efb702ab77d435b7a155bdf26cbb453c8e206dd365a8a9f546680f8cb016f489b44dc45e1248d00158732519229adcc71e0874af80342e7f3f160fe8602f693539ed5e4daf340aef81f49eb19158a56f0fe0b82cdf5e5fc1e1fba5acf764dac0322f2045ca07cf5a3f299a81b643566706b3f438b0deacdfd6e6fae950da7564bb648980e8a192c72e964ceeae11c2870aa856eb10ef95e50a4c068c794ff87469f8f0517102232c4bb63307978301e7847a677d0d5143cea4b48c992cb9805b8d0edfd632c2f9dba7ec90fada957af13ff2537245721d54eac1bc0db4a8d0a2e145a46983fd38c13918b8a440f39ae0ce127ddbe14dacbeee89c5bec666767ec70423ef6e569255ffd12e47d53e349ccc351ca698d8b3661d325e2ebceedc5d7a87fd6822c1f9e95871459c9d080187366299ae5afeb647c1e7fc0fbd1790708be2c0d7d23e616cb8518c2823ad0d1585ffdaa69ccb6d5d8e20f804ec15ec27fe80b36d2da93e67a770143b8228a850401f3473649f8afcc77d6561ff84ebdb3d6a32ff4995d30fdd9c7dbc5a540d5a949e1cc93fd49f96589f27b3058b8a7ae6a9f5d1728327d9acb45b30a6f633ccd1030149bc861eff32cac2afff5264ebc8fde6cd114a2cc4b8d786c8258d80abf5ba929055709333706b2d62ad5a5c900dbb991e2aaa2bcc3df2e525784fe54b9a74144a4deeb1aea37f38ecffa92c68da3b8b779bc40628718cc7944cc5a2cc53471bfae347ddd3f706715996f97a4eacd50c79346b3141257ce0d397bb142494c20a3b9f4222736ac2c813f3a5d3c32775acd95420247007a96b4819563e228215a81d182ba05883bcabb95df9c3fccc88ab427ad2730ea34c1364b021526a486c541905c79e74cfa70cc45276b25cae146d56bc34a0d36ffc9697fcdc4bf9e3b219c32378150215dd84dddbc3994747f2dbbbfd4ab4118af750c91bbaea8a6b9ec6c52fc25519c5525142a571c675ec0148cb517bd04e28dd5c78f345c97b9fcd26a79bce1a03abb3b0e7a29af23c008f4b8b31e847b1d9cd49db847fd1573854a6ba0dc09f2618348f5e6560b44f349ac5855c711b0d64e676c06ff190a0e331a898c8df82badcfe15f44ddd112fcb232d4ecded2385b087f14bff11faba40f05751eb51c02c02d18aa57c785df57a392b8e38c8135b9c237709079e96a1d5a5518e16f0ef12f9cd6831be8fd50536a5f50673ba719039b1f480f782869031e93f342b3e389030f16ad0438c8eccf235c476eb0fb0f6f6154399cc63fdf8bf37b2c845728c72cb6bfc53af9d4cd7eca489fbf194e4cd53a205b88ae8e91f3712a968875a98424282fc3cdef7d2e91b1f0bf47e6e39fc99e99de37b4dd216951084ad6adc6897cb9e3f5bfddf10f6d5d2bc703d6ecde79019601b3bbff596ca1d487b5fd18ea05101705f571efac7f12e36193d359a4bda63752654993d954235e4720b6b704dd827967622c4ed59aeca0eb9d2f5a44b8263c63b81de7916ea6dc372cf512093e0edfaaea64ba20865da0e81fc171e0e1ef7f6f2e551b3f8698e83797cea76c6dad50066a233f760dd612ced521d29509fb161a4f7515c284c52a0d85e418e78a6ab1b8b8a61d123654e6273af6c7f6e1d21d5029b67b1138efc7163c90d831bb9be29374fa027257e5c1116f879e2842c26b415a9edcfdeed84c1a21791ed688a0f6b53a24ee5b5a7d265144afa694b9e55f7bc6e21622b456f2801cc0ce3099396ade05a3d9a802b027740e21bbfd89462263c2849d8f4b8ffa5efe85270d3c524f74bdec4f73d9995d945b613e30997a1ca9c1a41995666c7f355eb924f6f9e3ba61aa82b1f19968b0135fdebb9992b249089bbec408d16c5619a77fcf9500f434b78d6840a799625e9056b0712fa613ac98f2e87a2ea5d1c841c428b3d26329e566c63a990e8933f13dfea87e7dbad5195606842e4daa275f9e5ccd4d8065ea5b5bf721871274b69a17ec571c74ef097f70a9d751c1223cc905dc57f88824f97c7417ae95d3b5cba8aba3bdc591f4f30b730c5d641fccacfea3807d78cdc51846862957ef30684d28b355c9932172a7e9052e638df279ee7169052739a9a4d09263b38ecfe645119e603117cf3d91ee7207a44582659b7edcabcb36e8e7b4480b5d5c97511b5a932eb9774cd2fc485cadd7224c7e42e50330e50905e66259c93eea983ed2ab46562bc61c4158ee9493c1f21688a31a43a2b387c12668385275a809e58cce3266fd345af0945d499696f5e7728cc1ad496eea148d6e9a773fbe19a109e195f94089325c141ecc71799b7c4baf5913ee32e77b11f4b5ad5bff333c7b835459c8394b13fdceb71205a6a14e1378dfb2f5b851eec60dfe615a83cfb46ad464f7d81fc324e9c64e37da77a468aaca33ee1c6b9e023f794a29333e44f976974bd471f6de7bd3c4531281c9db3295fb3f1973f5935bae976eb01d8c2460a1ac4b76c3466015ab60cc1e1a7cc120bb192fa007d60d28daf109488bd97481e601a7b7da4b5d8f4b326a5f2aaa1f8966fc399540f4a6ae503296235a9c3e12e8fc11a7d9c00c557495af999f48b84404cdaf60870139d74787ea72f227ff71c695f030a6ca6a16c1a87d23f17f74d86a8e821c19c1605c33df17a29a9ce60bb3d4c1009b47a7024676cc9f33f15c67da462376fb66c0be90153814c65434fc27cd614aad56e3fbdaefb04e3f0e493bd73a475d2b359065bb7c9e4c12fada58db7bb9864c5817e145767e2e076e2f67a6524e929da9e804e8117a219b045d0a2ee4644177505ddb00e8f8c7e308589afffac5997f99567dd7a111d3786c24362ab682518e2a8fab4705b4e2a0260c940a79fe0d98001065f20359554213f836386aaf0256d27eb8cb98b79b3c7ee4e88d4465c684864a0010c9aa372442f0a5b3beeb69fd8d1d59031ac5b896028643404c890321c731765a9cce593d6fdb1cf8929c95a6999f99095e562703e09a06160c1855cc25a716e1f89064d8398bd23502df9e77adf019d480b214eaf749be2eff5303e69e788c0c4b5c2ff9fd2f46ff1818cebc529187dbd26e26a959152613af717b8e4f0a6abc0057e9a0b4b65321640879c32969ea554fdae8e3a9f0c2ca683d66d0ba422c6eb410f56ec587d17087e748d326dc451806deeb9a3680a8ba87f852735fcb6ed0b69553c71744d41e54548dd2caac534c8fb3177919ba38ae0969780adf1855b846670f656fdb76696f71d62d5c24f92c403a33cde67ba3006b59cc6ef4d5be3215c2ead981775b7fd919d7bd63011ec564dc2c01007586a0f2d85f5e91e9cbf172cae245ba6327ef8cc24d4a81ddddd627bae9d5ff9097362833a46bb3c17a8b12a7e20178628107bdc4f2a129b4f3484c57bb0ff7c3f1ce6e971f921d5b404c6ba40cb1280932ba3fa72cc4f2f4ec22bbe5fc77b1423413af799fcff52ad90ec545604ea8cbdcbc03e01746f866cb133a244968158d21e1a381213b24869cc96df17484c9b4a3978c69d8ae77bd88a23b5344e7ca2d611793fde3af93e56d5b511ba43fce33a8751bd2a6a9575aa65e8005d56211521c0e65b180c3622f68cfeadbc612547295b36890b6d021c15ecc37746f7d95d681c9b8010e8015600d0ba661d6372af0aa8864add01ccbd0d6a72adda5f2321c77564472997013e1d9bfd73754982536a03d23446689ee3c31d1a5546a09524f6da1ee9a5a4d5ae7cfe02f7dfcfcce35c902e52b8976ea6c8c1242ade460e660f0c56d844979eb2ac5bdf3847cfdff9c77b0bad795adaf775f5a12233a0e376c4a7e4342c8f4f5694f89f115236b53cd3ac6b0451f386f8f333864ed4941e8aee2e9d459ac3cee0e48c3a49efc83f4e8c223c142f8ce2b3d5a1d7c81dc6bce88e2a3ea9050772604c9d3ff6a4d4117102c792f61ba35411ac040c978c4fd55f54657e79760f5b3c117a6b669a68a1864738016df75aa2c4d85b8a9d2be6f02163dfef1ce6171124e2f12dd2ce23504674609b001d4355d5b7914ea92fc0cb8d3aa3280b7212fe83aa08c3c7ea5bd37063acbaad245631d672d6873efb16e525de5aaa69c4e46a244f47738b5bad9e5c9b9dd12c4c7b6715414101b634be3787135345bb2997d4ca99ea1d42c8765d841dfc9df4442ac7b09ef29991f857c73853d6a88193627977b69d125f569f5725f5cd740918c4ad2d33f7643daeb22fcea0363fa54b0d3f9ea1a45e046eec1a36ab69fadc7fad6f1e257941b5faef346e6b730bbe1d415296c8ac5c1883305750042214b1754426c132785b9fbe2fe834b24dcf3cf31b0601a2886852ac66dc932b14a38fede595c7fd551caffd2bc1739461701381a9930c917f3aa1e568823a6adc968c97dd92e9bf06a662114ad62657ed90794b0681bcab6ca2f8ed2cb406048c5042661788a8e99209212e0b60f5314a07d2b95a893853717443a0106e0e8114d3a5d6c6f0700102beca83250af679272de2045dd177f5fbb72f19b76d323f99ae22cce644d2250c87f7a1fb9824f97243c78b5558d55c9c661edb8abb213c361aeefa22463c84c0f268ffebb45df004a719bdee731a1b36ff440d7b957c5ede98e83cb9b4085fd5cf3c5a7d422932f2424f640e500b79f4a18975dad90be967108518e848d89c69ce9fb976a71c07f8664130b4aacbb9c189adc6735ccbe12d4211208a13f93538d73ce6baf1bab1b86a3e53bcc68a44279f0c782c6a4d95d0759fa0645d78ae69375868a2410054a9859b841a3ddf86ff0d5b3632bbe8fdfae3bc1caf183dc0a8043f48c28c187b8305c651c1439a1354f8a389cf81b83d42b7ff2d5c2f6193de0ea02a9031c1de6021c9cce7fbd3712ed58cfdd36b7f6704373b356a2389093494d6ffe53497e557a52035cb79feeae8c46243756bfbc1b42f682dcd3bdbabd3db5135c0a0998bd69fdfc354568584085c4e169e484ffbd120f3952503b45b2ced23f244f2b8dfa489b27011744de27d2897a2b8015015d0f6967a3bbeff0e1396a9d14d033ce281e8b3e7926fff65aec9153f109c9cd97c017f15ddd1deb32e0f385fe6420d0220c28d2e6028b5ad933d4628f0e19d24bc94d9dbb2dafbf385dd99ebbc9ac5c0a19e82e1030b26250a71ba88bff25532795afaefbadb6057d28ecb7b1e777e26bd27e6c712a0cac628faa0961555a72d1f02e3bbe78930ff3ff4f5cf4b332619bd6639a8c058c0d0ce8ff418accaacae74fcc9975fd1aaea2780f6c7c409b36cf77d7241c716def5bc3d81f3a3eb4924359a0b37be645380e419f27da47aad45c986d8c2b6f58f4d20277b7193cf31ae5f8c7696c3d4578842d2df631194b17719b3354166acf9b0024bf6db5f7722428dc746a8c4f3994a7a64ca834add0ad259a871ebd3010b8b742262348c6e3f62fd70d2e62ddee4c05817c900f37e9c917095bf6d88f7fd05b2621ca3f56290dbab090f36d268789b6ccf97c36b1a249f66fc08d83bce54f0a51f5364c4b8842ce136b76b39db979fe3aa3b312fdc0a4d98ba8bbf8a768531e170454ed7ea689b78de5860eb1bd5f39d55e15b97d0076f975d56a07261dd689e3c7d222998d9068f4d069e0649072a0816e89669bd2f46340070d3d53f5899f772b73983ad07be40b39a2159f4d786f9eb76547fcc66cc2a0bfbdc8b5877b8798793b1ff6ca7effdc8b434e218996d5bd0421bb365ada1d019496e92a755766dcfc0b2ce80fbb5be54f89f74ffb62e54e93bec1fe75c89f7adfd0222b3de821eeca84fff369ebef1c1d63f17aebcef66d55832e525ea1602cd34373ca352fd1ca62e5749436a6dc2642ae4714d5329f2d65451a6ae3245656d7910bb205af5b3f4724fc4cb300585fd7634972acc68875ee09067f1ab1615951e49db3941465908d95bddcca5865f17c069915929a33119d03b80e4ec896e05fcb889a0b96930e37ed24d24f4c4046129198b7e655346281829ccff597aa5023e09a92c6e01abc29fa898beef98a13ee02bbf45873b28b2fdd5a0f1c3b4d6377abcc224caf0719a819bba26e975df1db7d365cc47a7bd7f56eee5257655562761848da2e957ed4fe8fee65004129ea9b0a9304d917d07649784cc81edf3333096cfb653e5625be6dcefc7590b921402d5bb768634c29c015a5cca9c8c5845da848d34a6ebdd06d246ebf216c449a28964081b843ba5dffc093fec0aba7420f7b581816b0d5565f9b1b3d8c8f0b01cbc064e14447ad56a8e87bd1ccf9d99ae07e9494592a6308af9837d0ea7649886f87b3c28cff9a95e1219ccca6a6e261c0e8559519e6edc155dbdc59e21b097826d4cdf21023c2638c8a6e9fc61c46bb00d4954e7d06f1a62999cdce2411c4ab15c7d67e530bc51abd6f3cf74930c88433cee7a92347768ab7e01c5b0199d4c832e9855d8a828585662e6196bc19680d335be3a453324e5e42a918087ce2c05a25cc567cd84dcf17ed5d642ac05a648230f8d85d898e788efbe9e2b31c4303ea6dd51f0c48ddadf5dd23b5cac3e2525ae1fdf6103ee3ebe5a3fc359b9728c7a20fa0f76a5ce1437ad58edfa51afb8a452ebe806af610aa97590aed7c0e7b068d929873a813799524ea1d5d19b2542e86e19be2901f2c689b202ce76f3ab7e9f5b744700e7f2820d05e32c6892f8cd7765cb2fb7ef7bbd064f7c69630024d8209a36f2f696a4b851b279af6473d06725f50b7df7ff7bf7e02abb086bb53c774a592641d07fa438e669533a04de8d5721dfcfa648913677055a8522c19c1a195ba013968fd3bbe7b8828bb982aaac92fb528fe721f69211594bd545334e60859ae1fc4f49a8ba967b0dfc445e7fe148c117e0666e843b9678b40e7e6f019bae4777132b3ccb5fc4004bdd844f2d05791666219a14158f8e5c69ef6de58395b3f43365f3452d5b95ec3da11ea87f3fc7d2a1827e8d199f2601879657c45a55b2574e0385284440de020e0d256b59bedaf3996fe93d8e66a9f5392b91ad2aa6c766eb33c524af46b5529b1c6f89137003c469e0018ba7d3df98ef5ccf1e8f67326ff0d9c34b4c2b219cf248ac556dcaa909185fc87461a40a2e5b742d782d649083d1fb59923c7a41526ea268253b52c61552427f877325e4c3dffcd048bc4325de1a5b0bcf188adfc5176441fd3bfa40256a257cf81e3297fd06405157b46b3425589f5f082432b84a21e2cf31a502cc35a82b51272a17c4f9149ac936af8c2bfa2d85485baf308d425fa7dde3020e13f174558dbd7142c87f7e5da34458ba420c450e8762bc4dd7e4bf5008c9a71a168729f1a0387852318a06cf31a666ab357a3f76ea4c11e68094d76dd8f3da00ade556cb996db12bc9cdc09c38572f99fd71d0fb60adcb594607c774784ddb4fdc7586caa4d912ddf51f825e6628fbaffa24be7956a749cc0b8ce1dd4710ce481b955bd8d062ac46c4972da1107d3d2e237222af8a59bc0af648c02145b8ad705cfe9d80245b8502f403653d296bd0b9e2218999435789f532faa70c55733179ba9ba94a12fb4ac5911f3180d75212141ada6c6d2c139cc6945a76a5a4c5282b812930d6875e842c12e2f53a5e747e1c5d256bfa0bd0db52fe3e5c4eafa7b406be0bb9d3dde9821635e7c782796a0d1b69b4051ae5617958fb5b0b27d04de0fba5949c3c208e04cd9713b9f493472a2cb50873794b58f30ecd4f765b2da187bf7c4d5aa5e56e77b86f34a355dcda8f785814f8820854cd852c15ab44db555ca8b063a36b0f862d59a5bfe7355a0be38f441fdb7a0fc224b8ba32c0a106e558c382abb73d0660467fcd93133991a176809f59a8e10124b38a58c294531c7a2c1811cce21bed18b056003f6461ce706f74e7483252b4d3923a559f1fd4c64cebd47e5c119b14eb2b599e2247762ad4da73e9bb656c855f166c529367ede6351cbb1d332a34d19db7a6f4efde942dd239b8af53248a68c3c8c58e81856d5f99c74421af67eb817f06c016de2b2c875beae9e4d856c5a2e66451eb5d4c197fa5544d40d3e97202f3941156019b5c7f94b925110e33fb4454b0bd17c90679363849f6626d33d4a06560b807d1ea4f81dd3da3a999d2a2f184aef50abeec7138dee8a369dc7a864f79979604aa634e99340faeb4f5622addcbc4053e550ff00f01160a066e118bb278246632c0f1f2477d808e4db22291891856c704a4f0ec3d7ba22465f625324ec2407d48196edcba4c141999f2b842c9b861f66dd7a3ecafa9b03bea6e02d72bd7b19749e7fd85fdc1ece6093cc568426ea736d67fff9e96e91cf609459445df3195db038044885b2353302d4fd2b49e9da8adffb511145ccb4296a73ce358d5fdc6ccd8f3bebec92043b965bb48ab330b7449babdda709fc8d595758e2269b0edbc05711cee236b81c97f17bd310585afca387bcca73021a7b03a5e41d4cb49c870c3900cf364fda444a71bde673fa58bc86ee6542089e745d3fbbf536db08c739ae4dcd24155eb35fa52576ee75ff7b8d292e10fd2439c8a2fb543513192a8e2996b28e859a337393ddb0289e75cd4a586e1b5b91c2f93df2d0cdba868080ff0d0b5fba7facdc6cce40a396e782d870c477c92e36e4a2216f4c47d3d6dc7c8e70217a6550d0de89328f44bc5e802a950907bca1a98f47b46956f81b069cbd888ee74c9e9b991401d69bc4fb226956a82bbeeada7e350f2873b750d0f5bbfcd4ef3a8ed6426ef84bc3039ded99fa82c68282c5be8c874fbb504c20587566d966e55026c0223f5557a3cbf50eaeab7c8c75a1ea8d90ad458784cd6a241f212a34d56bf284a50c5026b605f9d72cc4d8f129dff55257a52feb4e8764673b9e8bebc4bdf4d0180b7d5c22fb8d4062900a6f0d5763228fbb10b3f734b2640e0fa538bda28947c6c51e845af30b3774c75e7599fa1243f618fdb812f9048466e97c2356d8ec39ff89e0cc182c696ae4b598caef5eb74d829239cbf604dd6a3f4b7a72e925c270631f77e31c5b9c9ef584b939cfc307cb6450c0f0e9d3f625d419a8acdc6d33ccc0ce0720bd4d321a451e2e43f4fe319bad5e70cf231cfa274e47557bb0003f81c749dad0690d567c55215683f4551709140d68944e81aa7e1b0cb8fddff7214497eb646e89b1dfedaef98dc4d953b826b90caee626045f4e530c9e95ea26daeed6165f7abb87a2674f680a04beb4674495ebd905502079c80cba23b55df66f303e44373326e5e319f2efce432f6069d27822080bb67a536f67fd9fe52f64693204c5742c4be9af8574676aa2dc445f54bac9e09988ffd829832863e682d3fbe17945f3420283b7eaf7604138aa453e2f429dfe3d0cd322a046ec7dd2793d2bdb63e04699701c7bcbe03ec7079b1836bf959ce71ade7090afb82012e2cf81528c6597c354ce9afb949ba164011af7c8c58eb90bf9f08a08b89bc61e3c4e54b9b0488aca3f0fc6b3e1aa27b81af27a2f7565696b491db1e02c59d2b0c7a46fba68d9f3969b24923e09ff45a1c1049c98cad4de9fcdc582cde68a6c811bab26f153bfcd0d8482eb0082b7a9b4ca54d5005824e63ed3320c5897234b3df93e4d8aaab28e369c08ed0e12c28e80a63823b5fbb88eff8880473d587fcb55b49455208c12cd79acd6ac88021ae38a15871af2fadf4a4df9fab50dcfa69f9b3f0ecfc805610af0969f81d705ed5c1a8cc677265386a83142ca67ebf388834b06f69e16573bc0fa203999148431505c8a2adc60ba9773943ecd23808adb857784aa255ffc85b320420eeaa704761695acdde1c449a56350d64dd21e617e17c5bada0730c74e6f8624265af5ec6e33910d9a06a13b438255c143ec31f22d2499a23fb4ea9295dd4d87a5b950d6b1120b7f8bab3b1fb89ae37f6e1ab81322a7f17d2e38685999dbfe5d1af79d1305b9af7619ddc29fb2309d30a07c134eca0d2464ca9456c7a2ffb6a8e08988adb97ace314f55569fb71b23841eb36b2a1e7b8c609e59684de61cfc89395f35ec520d8f2f074c7bda98c0b4a0b136fadb0eb979753b6208c8103ec509809c1c5d38b1a35af476135ef03a1040b7194ae3bf1111778335a86497bedc5728ad81dde257c67a665f708e7943cbb19a8d087c82d1368bef930f64800ca0df287da9f5f2452853c8097919c6654da842e6132b2dd9fd177fd9c33d8e98a6535905bd16c2bf4f6f00193672654dac93f748fa3bd9ec050a4bc5e2051c8a1bc6debfb81130f42b35ba7574802e7df72bf7356808f6c3f4db01dd38a1b77ceeb2196aaf53b486a90c74f7fdf713a4d5eee823b038d923f5fecad38e0a297d6facf6545ebd75822717dff90abc300e49d35ac1b6e1806a4173a10abd30924db647175cbc6a6fc03c91fc37243d2b86e9c10c0746bf59d3283b55f9a03ba8a544368bb1b9b285c383cd4a3bbb2dae4f12f716d83440a875aae1a77f20c5ec26d7192dc62c0d723fb74a9b383060f297465c9f660601a9370b5bd087ec825cf2efa15d238f235f0ce7bda6e28eeeafcd069a94364c4f948d843622900fda24b6fced2a19eb01874766c38fa62c4ae6bfdb70bb44f845990ec5450e16707232606de62c0bcd2c8c35772fe7ab807a78b1c8e8ea5e4a9497a878d65a1972fa344fbf06169f39de1f8c6fd2bcc626de0407523c8438cc2d6a7a418313a5bf4c6699c8fb49dd0f1f6c6a3190056c0fd28c7f3eb39927468be20f2467cbc98c9f997e95ee8caa9867f48beacc1fdc2976ca76cd2562d06fdf12603e6bc96590bd182ae304b9a91a4b79084942191798526b45d5e5b39fff83bfaa284d62a1035d2c65f8f3819f86eeba77a7fa37fe1ed7e110abf5cc99f04b88ffa056a40485177def2080bcd553580e396613a74b6185421193a0d857ff9edcd9812320aeab9f2d74d78637b193840037e879ac36ee001535f6b30675fdaa1399bfe9f9370bc308c217031e3c22db9d60892ca57ea5e9b5fd11087335874ffdc2c166c3f61000871891f16693543cd9bffc41e0d333396081f802ec2aca66b71ca3efab8004b576aa5bac42424e8fedbaea419d4a182599132dc0444319e90b71757c56e7712b5ca8461c73513977800e44dfdd404abb1c91a98d23f4b38e2ae967ebaa577de0f3b929e79012232466bc6cb362c75ca362ee19cc2769e2f36e6f061315a722c2cfdbf1cc39115c7505e7c107476c5e346c753952b537800658fcea4804f52eb1259857c35289035f0bc5909d8dc841b19d67b02c870295ac2c3774bc0c48870a2a87481f52920a85625fa7cc5fdbdc5aef3f6ced5f6bf13bfaab1990f8ccfbdb27ec4e247932826feacbe35a222998fd5b4f1fb769253dcb12a8bb5ab3910101dca59f6f2c0358e75be580674851e4bfce8db32627b2e3e8ca5ef51fd1efae58ef5c6e231bd82c51ad1de03395d7caea75521b16f13a87e89eb300f8580dbd4a8507f959cc1170a61e82a15c27d661e9dd2590307bbde5d120f8e49ff9503a7e0adc97c02c5cd3d31a9abb24b2d13582e846f6ae1f5d408e9fa74080582213c23d2be962aa37894e5ea0ff0b802579ae420e8f8af4809c3f842a4e8dd1d40bf7b20163c6fd4d9e759242c809252d6cf928f2beba93c26816c049305a021e865adc816b6ad6a14d0eb475798ed3a59af24f006cfbbe5115ca2f8aad096e623908c0e733ed8ce659acb3a1a5508e17a4ddebd3e21abd697d0a6e8b21875ea84115ed7cd0db8cbc7d4c0479bb63a5151744136f4678c72ca235c1dd08a016f4f11134a614ead7ba37e420b2d7a255c0f0c48de510759819823fea6c07d96aa09bd3ad8d553a531315254827dfa577fdf7724897106c8e54606e68e0e8655237d7e9026e16f6c4cffabf901c3ac4722c899b0003de84eaf7c38aefbe8966a4b686ac2d43f238f06ded2d4889e9ddcb7147add56aeb2da6c32094c0d31c55f3f151d556882a02dc2ef81c4dc9092cce1b8f27895c8f87bbb1dbc95ef92e7361a20e5fb352da4eccb7e6cfd22dfd93215ec1e948f54d93d3b995bc7dbb898f35f5676ace41cda50c1bc61bb2f192f575cc96a57ef93ae8240decb2a89deaa946bdc9c975439634a4c1c989cfff28af50a05ade7c9da957dd2169aa837936c8ab2c1f42cb5b8f980ad1b1049568aa677bf24ee051a0937356c9f6328f3942d06e519c17b0db0a89a71b886d0acec72903029ef723cc44bf5f91df28cd0481933778ffd317e8063c6fe73bbc53e94831b736f7a576b6943da9a7b8c41d863b0bb4218578f76f26f95c164971a8d0f11f3e6fa0fbfe485ae47378558be1488142ea88bbccb4cec4b73f166a3f16622f442c55db2efbe7b9a6c0c2ff18153268027c099a9a04211cbce48e84f663191ee0449624f6a5a900f9ac0d45867612ad56b53421ff143257f7cb5d07f45c7cc70ab4afa4a9785dccc126a85a4b46007e63c981c448a7e1c03835c3827ff471a70fd7b2b7f1bc33fe29f60dd889d300592bcdd7fa3660e8087ff92b301d20fd07096d461f6f4237564de9209ce08e427119c9b5fb0ec7848e2059b076a9d4358ad1e7132e87ea93f6c7f32525f7f82c5526d244188c73f3a7d17cdddde3a2896827a94ebc12435e60cd68121cfc9a5b8a5e26a8482b4c8aa06cf8e18bd876f52890cca4e5125e07e4bf13df5633deafaa5cc0da424e895482adf8889d9eb3c1eef93fe1fb0464c43b520ca084d320ffc7827b033edd9c11de7d75ba818f344ff7db2f05a49b9de2a506b3a71974b5ed80c296cb43513a98e2f067993b8e0f60f079c7fce2f76a005ffdbbecf1c8c779d2bbfb0585fb32a35fa9ef1ec5a814502c4d7f59a94ea436687ce9118ce17922e408b2e6116a439682cbe0dddcaab6d0937a898fc0432bad7cdb388fe7add9aa8c3cffd5b1edb010dd6268b03b4ed12038e6e5605a7908026db22e46621e47bedfd18fb0dda3cb80c79b88bdaef5f721dba6c62c2395291c4b85f3e587605dd8521454c890876dd2f66b9f1a16b16545c3065174889acbe0fef736ee131b12b8c597e168bc96ee68918cda9c4d6002a6d9ae5f5fd1661acd14e23ed7b16aa3355425713fb513ec6a01ab3a475dd7bc68317eb973a9b494314f88242d7e9f166f5babfcb47d9b0ac3dc021dfc19c144a70cbe3237c6429a957c5568bc241cd791a3da0282c996c62eb89f13252c082af7bdff10d63480e3eb491f6bef36dadb7d53a9561af3ad6fc1f24c0a6e08f0fa9703299fd7dcb71444902ed8266353bd642649afab8ed57583a547394083432aa0b441eba37f2a4a7dd2030bc3fc824e50840268aaa8015bc83aa276b1c65790eeceb78346a299d7c9aabea8604682f6504ca87dc162837d319c45b02303a75e64e2bf5b7437d3bfc41fe08b3bfaa5f4d65e8dbb4c82501f5a0057a7ac97e7509c8aadaa10f0a629e52f85b20093458c57ccacf377eb4559c29f91bf1cbb54f40b5dfd742e51f8714d386abd5644f73347c75726019ef53f359e4769b006f4943e002750e2c7dca3ef82efe27430f771ef03cd99758550971d4275de055bd8ddc58ae2bcfd872d5b0180c43f98f84c07f17939024fb4d192c268bfd9ec7e6b2ad25882aefab5908f15c7a5f424e2bddd7a5a99f4e2281750f634f7c713b573b4addeed4691a2f8d6d58060342a084abcfd5cb047709fb1cdaa26c221d06c11d27b9d035c11f84d37c44424b303923f7a75f6809d95b1e63059948b9c840bfd5289cbd6373e058d31fa0dd5d498d1dc52eaa1e1950c62e8e39c268891c789ccc62dbd43ed15c58a528c0d2e9e0acbdfa62f6d195d87b4bc27f180b84261f68b6768fe93d8160c1561a5489276477d182c4620b2c605b6bfcb67b9d884d407aa3cf64d18cbaf9c6ad63d2cd4367dcb18ad5ad5e2900c79b645347c5d8b2fd4329d4b9d632c6adba01dabff814c8f70fe0d31ebfc22711174985cadba0c9c6fb5b5396f32acac034802e14a8ded588c94da857e55372c96c0546b18e5a20de62764ea398cd1bb25c3accd4b9db4ec2f8c045788e0700f2868268e749486603232427afc6c867bf1829c17c991b158ab488e2525f31e4fbe680e29114f92bcf38cd77d9e9657794dc52ac0876db200d7c96179d37b81c6137a10d642461557dbfc7d062c8d851436ac65b6a0314c8d49d81d4a2f25ee961720528d2e83df64615bcd74e6f15f00218b85d2b0281989e3ecdbb3107b553a9a8a47feeaf9b67aefdb7c0e067b26fed87683eb4745137f79fc809b8409644effbcc4d695d480ce651bb5370780f280b3a39b75b92e5d1f75618a6af791da17af3563bd3cbf9e07e3650a6a2f602b736a82c2d1c66a115194a3fc7c9196344aa2437ea029b43ef34c20d3dbadcf37ff0839afd75afa59d205581668b7d302570bbce1ef4229a30fc40c528f3945def73d836aa752b42d7fad3a24bbb3ffbb3b4c834405d7a37e2fc3d51be6a8d3eed3df4d7dd6cf05737579d1073216937980919dbb5eb84f8067748b774066190d24bfea50913776711ea298f9d9b674fe24c504578c78c202b99f1c54bb4e8c36e6e44ee597b1e28671a4dbd0c4f5838610e651e41a5e4dad25863576a78948ba5ac8cc8455d3be91885641c61df09b8888e7bc13aa73d90d9d4c3f293edf721e2ad85248d10534de4bad0b4b23506407a63cdb951b2dfc8f53aadcc988fed0a7e72c11daab50b3061b1f10ac2a1cf665e13335e97ba94b3e19fbd19a4a955c45d0b47880aa756032090cfa7aa9bd3ddcb1b54d6e2b34e6292e04a3a3b4cbe33eddf72967e0718fb9140ed23e3e8b5bb7ef6cd6e017625e509c34637393ed5facbf844f658f93c4fb0ac49e5b9a3be0ff849334b996bc71135a9ddebc41bfe84e9e443d6a07fc6c3baff479e2ff21d729358de678c426bed7a351e413f6463df0efa7621c201e291bad012d4179af6cdbf44ef278f6e7449e7afe7c586f5a4cfdd3d610126b87104e85eee8af49220b0eced5d9a2c69ce9166d84d448f3aa75b0be354d73b3dbc066567569895963cd08354b2bdf7754e5983fa77b7f3214b0652832c2ad45444785723f8690da04530a4271730fc4a5062df6f69c1fb2a643f53e58b62031c0bccab7157b6c1e53f9ab458c794f167ef52e9725c1318229b0bd8f5450c3275992059e908e0d9b45a6fbee125be6a4a00f969d79193d6e9eb7cf21722ea7a78273b0e54031e0042922aa4f0202f08f44d1b8482b9879086973df08bd430b1390164418b2b4467414c13f595b252cad319f7c00bc46081c45ffcf67b9f78dca78533d85de75a0c6f601793d73eb68f3c49c59de831c14ea4c9d40bb42ccc948fc5bb9184c06af6f02d4cd8f71916fcbbb0878c210652815632f2fceb8256bda3d0d08b9057eadff67a89a75c38cd9eb76de790573ca24d8e59ab3ed8430c3915adb573d1b773f75b69bc14b7a16dc0b93f16d0ca8b52d1922beaed20ef6c8e383368e8338bdba0f4e2eccdcfb6b60940acd5a16f73fb94b9072248497d54a544a5d41dba271e482e73157fa6ae96cf124e9e5af7b5a170b6bed8d27ffed073657a72ab6ae25435a64049902575ca951f2c08dabb6da7b75616ff35fc783ad65ef76dbc442a6413745452495562b6e3ff9b94448bc56681258529f3783c3059d3cebb38ad3fb859478fcef3b3d990ef029c9f072e852098e26a2c0fd8cd87bfcb8c0a71d7ddfb650ca4c21d3effb6285ba0fb557f609486e57507211ccdc996b37f6b86c3bf3654aec8c65bcb430ea919914b1599d1974f33c579841d8dfadf714918c7a33b543d444c18f02dffd26aad5f95655ba73e79ac1b46f975c8d82641ce1765bf457ff4f25318d83acb1bd64cd99a3135780b06485feed02296e1f3c557124cf8081991d1999a86faf774c9e39e39ce85722a3f9334c5a89bc182fb038a95c25350b341b5f7630ff9b0fb1ac3d849d2153cdd8ea9d5942f1b9788e6a0ebc78a22722f8cf6f0db480d817992b5b1e0d008573286ae803d579e51953c8d1ff58d5d7c9f2aeb85340b1926967a6add3882da3106a234b481e6269e5409064d9ae31a4c85633b0d1f1c3007d68bfcd7008d2b5f6e71fc4a955df16fa0ff39bfe28680b3d7d5c3096aacd36f989ca0bb3f774b34410aa4abcf31eb441fb62e5d7998fcf3edf6af5b5940b2d41d272946d6f0f97489f9071847cd1cfa94523058f11a35c69e3e96e8e43e029cb583d6c94a487c11d6d627f55ff45a8178cfa72d552a991057f170d1f74b08e0359951bcf779799a5597eb7cc862c9f7308a77a9021b86096975a95f497d5a09923c2a1a5b504db622557da0d493ff664f334e2cc08d5de0ddd26186a363d5c1a0d983768d370e2e06e894193914b55226ce3899dfab0716af60f9c3ffd4062520a77b1b7aed42feed55d9c467b409f9aa0be4dd78a3653e76acf28e44a76be13363351f185640b203eb8a2a330b947ade25735a8344a78f72e2d65e83eac0b853a09ade046e4be744fd5afcfce2e913c97c5b5bf3eca7038d889a63af730b8c232252cd64982e1d8cc060db6b321e3a83d8a323c8becee4d9869dd93586ccd322eff33bbe608aca4d83b3ae1a010bcc23790342501df7b26675aefe411b37693a9250e232ff0c206f9bb6ea6614c8f3cfb6e26a74aab4ddd799e3f47cf6629c61ddea0d1e6db2b4831590e048bf36222fe40a41801aa5cdbb24a896791f5f1b3c9c0ce86df60568e726224056c5fac7b57630a5c3753f17bfe8723e90341c3a2c1a5c7258651d31564295bf6c9ba58910243210ddce4df640a34d4cc4617505046de43ebf8dd042bd208296ad504ee4c7d44f0ca94ac8704efaec6562309d0e0d93e7543a9babea16116303b6224c55e4d0c0806b51eaeb1220729f0816098f8e244993eece2dbda5c24d1c59c6115f85396ffdb07ee4a380c7cd7fe79b49e4b670afb3a0e41e3d66d5c1333726f66dd25cafd5b23f145290108d1e5afd60a458d43442b99b4238bd1b116e202c6f571f68efca8b3fe2ea271ee7103b18e8d62ae8fdc96b7e1f3ec6eea22bc199f0f6ee9236db27442450f32a0e852e5b4bfbb606bd4489fc2c7ca3d31a088ac3a0c7dad3b96202f7165d5a57f8299b6fb630510723281f3d1f84afab654a915a2b4cb493c36e8dde7e86b6ff91df2cb69537c54a4e9d612b84705bbe4421d0c3c7b438529aa4bc1d7eae152ea725fa8321ffce5b4acc33a768df68e304157a2792b3cc462db6ff41a25b5b0fe562e7bc476d0d6ffc3b7dae40c830fbf4ea43020fa38b7301c23753fca45a984081c3b5a744c2ba587843f130e89f1ae1f08b8c16281a39db3308587381203d34552df7df4a1e6d2aa4440e26594ffb0d7a0134012a20b420282f60aedfc1478eb0e13bb8927972265462a95d7fba87ea425249536caede0cb6783a62e8b554c7d7b28e6d13e6e1cde54ba20e71d4a6c818862a177f74b9490d6281ae92f242c16b23c22cdb5a3bc5fc511f1775f911426e3e545375e74371a7c2c40af71e93afd240f3f69d2a9e90d1dc3092f19c57efda9e62e8c52bcf9bcea806f93f950444bd413fdf0440453b08aac17655c4477f0debf54ae7660ef10e4172bf28b7db11a4498651bede28b8862c0c83089de0bf420e9d4567914f70da09bba4816b8e38c94bb81704117fa1b1500796b9c4ed2efde202aa7f1901c6f1b30c717fd37b705431189a13cc019e15ceb44289a29340ea876a5dc42adefd86062ef93889c28a05901ab38f4e6a480ee65d1e44920e53d886f29b3dcbd96fd6d3575cde377807d1ed9c3e19ed5e81bdaa9677c9ce8697ff0ea8fc3f7086c780246ff4ae8261c52315f6de7043a8fc02a8a4ca5bbe13b0f19783194c344a06412c44094e94d0317d77173a7e6ee50ced15e202d1e5c0cf616c31fae53f5179c8160091961b9aed1e25ea5eaecbd91425cad4839d12bf0cdf80e1f7a9e809a74dffb12ec0bdcc610a6d9225abee9927104b61076ec42d25a30e74d30652919746649a933a082fcfec0893c50aa1efdce1f58e2bf04fbfb0198d137c4f56bc146dcecea5bbd87c03197113f278da63cdfaa92bebda52e790fa7bc3dc6669e9c88d57710f9d99880638a6ced75b24270a7b3456f73a247eacdd179fce4f02403c7f62e2f178ece290179e2e475df82451b3d8043febf92978835df3b44843c8919a162e179806f2ebb5e6edf30aacab3b0b9e4ab944998febc6571710ff3473d12b7347748ba34cc4923d401592be6aae78ea79c3b3c67f2283c6da83e95c7b9b751778cac836ad9871ffd955d1c6fd46b56a1472763ce3b363484d59d35804d676a7697785efd41a2091adcd51e5adf5f85d173717d1f02a9f6ec1180cef6030f9e45658160263ff66a6f501fda4f3737377079c2f91f80a6e5ef168f0da3dbe74f8fecdc0f4946cf1495c17cc8491b4bf2f352469f34779ff1ecbfb6877cb721f7d684493b5649bea70cd72aa9f227fe499da899d8e48da04c5ec26789aa4f11426d8e862c86d37e8952ea3dfbea4018c86f99cc6561bd0722a38ad506fbf1604c049841367797da9abe8177049e1de504e58a7ca3b57ed631034a21de9aa31413a9773430723957bd10aa66f698c82c778819c169a07154b94c88dd16c2e3171c037580b3bce41002ff4e47137de29461b9f42995ece9ca71aec18d6689e8d6b155ec2f4d7f206c96a16cdad7c54177f2b71c5259990d5a1a3baf9f1abebff124c6655cbe8037da1b6993f76f1ec4d56dbe7284de6c1d56ba8a1ea414f1ebb8974189da7ca7f063048bd9024c9ee5379597c8bd07ff163fde33105ffc63bdfb4704df5d2365451e7913467da019eebcd7074d708b0eb179a6f43d3c54c2668e48f3d1481cd4e34e2a89ae6d8587786f6a252c928127876c4fc017e0a9bc311c05b2cb57532693541862ca177c43db9cf20ac23d70b0863e97d784e816a027f35d14df6314231808431f79fd634e415659831c1a7c1a3f0bd0b9f59a8bf960be5aa7a0a89092a2eb379dc267605cdd21985f0234124a451af03d43d3839c9684f642327598c4a7473851df6c571a3aa2ba5de935c84b3b85de07b05f2115d8f8ab6a00d68626e3302f1b94db85c4a54e99c001a2c4b1a97347c3a728be28d6164dfa6af6eeb7f33c5450e83b14e95d415adf68eca9b8de24e7da280f83990550ad2c0f26bb49a11f5aba092ebadbc342ccba765d7c250f3b0a8b941474a3288d023d89ad97cb051ce9f714188b8bfa9effc1b5ca679c7bc83d4018bb11616fc8fe56023cdbc8f79b01113ce029c408240f57f96a8ccbc58441d71951943464d3727754fe94b96e2d4b6f022edb3e9f719005aeb748a2c36466068703a8b36084c4e70a48a05099c85ebbf7f085cb12282df47305094d9ac48ec273c86352bc292630a138acaa25dfd972b54871a1829a6981bed62a169ad94b8372bd06fb2e4d4b329219a702a2f996896ea6f8e9414f81c52b6977f87b9d7db7f9ab9d69dcc1520e41b55fa9c1ab72960bbba6a1bd37cf412300e2d78265ea16de4ec4fcbf0e97460fb56cc92474c554b500d4c411f708ca7f69c0c9a4bb5a095a23ec79cde709321734deb3ff2aa49e8203333878964c75c16719b422bfa6089b290a764492df889c327158007f531742645af798045fc613093bf107d5cf11713843e6bf5028efb41cd0d1e93f988755b96b82f03bdabfe7df0c4633142289ab56f041cde764624ecb8c2cf0edee15730c8a2122caa9f17a8c7028bce989769ba0adb7e818daf94bc72b9ca2b22759d9f00b3feeaf34e86e11e832e8bdb65e5acce99894e0af49e5d3f9421fdef8c480d60c475287d1684d0e34e70d73b28b23faa058a79bf7216dbcfc19e3b23a401f59077a8a742154435300a4c3b2e9b6698f583d25b37a02b7bcc4891fbab6c9823668fe9f7a6c807cd800a84f037c75b4d615adbcbd6108a1068fa4f9d3d7eee4dfe892c766a80bd4dbe5872747ed4cc7412c0a4fc690b66baf1f0df077108e43af1267b89e71487545ea4f7ce85a7b26c5fe5f4846316fedcf53dd11618fd83f2b1407298b0a9e4d3141df0cf3ca2d9cc95d9410f279636c7fab11621d0c36a237e2ebe0cca8192cb66807f42e2d06d1856ef9e92021ab2d565467c3bdfac556c464b5dbf86fd363d793f121e38a41aa6e247012602788e702ca5760342cb98c350b880925e65e002e76bca785e480c7298a6ccc166fdbb0ee5ecdb06c2fa97ba9c5b280d5906b26760996de7275ae0983abc4a4b0a5c28deffd25839d249fffdb30dad88f3439d8e1d35f636b3d29878931974cebacfe9a24daa3a1e58cea1cacc056fc3d828d7218fe0a41778ad0998149c4541a75e9c03384a7339addf9076de2e9421e08b3b74d87a172db8deedd08acd1764fe581fde10f0fc4423c0f7cfb8a0f575010b0d8ae98f7996b6be9fc2ca5e1ee32be22d32be54109b1924d30d002d62a5c673acb8633ced10925a760acae277dc054444c9e0e68874845706b2b7d06fe49e734b569485c3d92cf6bfe9aab230504e824ef33a87d30b96bdffa15f115abed200f68f349fe6c83bed8107d77d8706e8834298d5a66aa969b588c524aac377508ea6720161bb639e2ca492961aeca5bcedb335213ac4806cb4f9e15c29974d89914d37622e6e33afb7e6be874c5ba87d81a0dd124f23d5c2fbe0093d1831f1e53f90ccf0be8175471afe4bc0568f2f45ef0496e31e2bd7cb8aa2aa1fcd339766eb93dc0d8485a1c5147885fab089dbc20bf6f7bd7a75c29a50f2446074b4be2cf6159fe895e1240b8f1e691a846ccb959b1b6685292ca705a4fc9e4bf6d48973d92fdb9b30c88f7fd598e5dda529cba13d3eaea932445e2976956721366c5ef08ca8a36ee8b50e1c46b356a8bc54c2fb8d504084659becd6b0f9713a1d4af10a335553112b570fbe607a957a9010825518d8e1305ab1b78ba600ff26858a41888b4ea91954f95d89d6cdefa4b33cd58213540bc88d9d9b1ff398faedf3ca63a2f32b3c6433490d34775bdc285d5fa9b6080179ece821b0ff387b477717eeaa0e6d948838ecc7721dcf7e78aff9d9a8efa04e86b9cbb5446fded59aa6f863e825f856753040f54322ac12dd565a184df38fca93be65be57ebb5022b83a8397d2f6f8a042da3a1299522c9956dd5437f8e06a8534a22b449e2ad49da6e8a5844f47cbc9b57294095540f4d112a81387be81fdc68261e6a765f005c671471c70a46dca20728c0500d2d07572024489b5ab7106ab9945b2cd8df14067bf79e3165cdf91839cffdfc529b7673c3df590066e3277613b721c66034817d8ac2dd45d705f1c13c2e1d7b4411f1a0cbe19e618f95dd453f9f91c97da4808985b01497cb58cd69e8819c56ca81dfdd33ad2e4408e5f1f665c4374edfbb3418baed831c31baac974609d3a05d9e703042b4fe1ec73d50f66a2ea3862137a694932373613a2786125fe8653f436114716ba583ae10c5e92d87aff4d151f81c8d6f06fd97a1df30c73cb22c996e0fd2739967df50b6fec03cac5351797425853c06adafc728af2ed39911cb97fb54e0f90a30eda99e33f9039fb973010c1ff6a95cee6e28af678bfbd9ecbbb03f8ac78657279e4d99163dd45f819e82fa6e2f5bb794e906c850cca0535f757f2867ed7d20f06469c6f0e95fad62eca4f1f79804bfbaa3e28430130301548fb13645cd675b2ffc98e70434907a7e626b94cab768c1f25dfd521c3e80b41844afe5c457d7224204d78358a91dfe5e2d792d7b7b410750e81f5e3c4b5507912b470d4035d9835afe05614a938dc790bb9b3bf3af7f66d83f3fa7427c0a0fcf17f10ff7f58649565048e34d8b91eadd75f04f46fa0f6f5f7ff74113f12581caf90205d953e8b5bc56a75db9d0aab414e3ed88a68b19eaa156896f14934865891ac39733a40ddbf08758b6d8eda59d64d71007ca3a7baff294d5cf869a6e43e0beb623b832d40fa6f6ac1c2f322faa4fab039be48cf309ff510b6cf8904201f322c8282d27b4c99cd85884cf092ffa7603cf51d5a1c7ebab48a95e43ad84a6c6a382090134b93f40f32fca940c7b292fcef6103692347bccf6f6efc3a64bb93ade7f98ac21d79d0a9db8a47286f8150f352d7f09cad3dec0736aa58c70e2edfc4a701493ef3f1060614ef285b25f0c39578b7b8ebdb0ac6090d51b531bcfbbe50c0fad3d946b510539ced58497bb99a198959590818b365dfe2ba1b0b77413773430821f143dac8da378ed430a56e9c909d8bd39e21ed648d89851fa4116a487c5418c08d6cdced8c01db6b00b0d77191f4bfb3dc837215f61b1703ceb3d8e02a42a711c4b96213390b59bb8b4121e48b210be403591dafd4e987b4ce66ee1d6d919137e68166ae940180a3d254ca5537ca6fdad592e6269540107b3a2a231c61dff1432cebbf8d944d6ed57574d3e29c7bfa20fba9197ad699287568fe667d4dffe70e7bcf95c1a1a800d2da805cd57cdc8ddb7f7d96c860156197122da479a8e6d955c76ebc4432a4a6b9eec1e45da914c77bca89ef9c442e58f1588b3a38bfa8dd138f618e098f987d94ff3864e2e5090da6496666dbf029beb04054bc3ee417e59fd67b3cd4b3581744adea5c230f051bbfd602b8e94ad01b5289811e805001718f3037579c44e39d2e58808b76012f1452b784d960e18676032ba1acc8f0a2f43f0c4119d81a854ff0bced61b0402f3617b2baaf5912ae1c99cde35dd074ac7ea1238fb5e31a49c425bf7aa83c5b461bfae8842c7b172bf2c9d759ad5c02703da91bb352ee9b20ad9f569401718d615c95ebe7ebe8daf146d77b59b3deceffb67e4d3ca489e4975c1c9763a3612e87be30ddac6e8ad158778ad7fb9f8f02fe5e6057cc17644de962512911d404b59e033371452871cfc889e191382d4f95caa5dbc65e7dfece40d798b80b1d372720ab4736d71d5e78fe94b8f8bbcc11c9de94cfc3c23610b67a70e61fc2a5b091bc07824c1467440b5eb0de53dbca21cb114f59b3c808befd39f876777945b3f908b95d6a3afd61a99599ceeb533fdc36fc02ed996d942dfccedfbf7ee53cc5524afbfd58c0a6f8bad4a15b67fe25d4f44851275b8c828a91a0824c3f3b80ee6dff7f1cc210f3426c9f6969372ac225917306a967c572b87cf396f379aeca3f51c2241a2d8dc84909b3247c522e742bb33473204e4efa25f334add1199d3d3effd9e3bad76aeb78736c4c2a83858111f2c0bea4b2435a038b52fb4adfa151d75971d933f23df2aca55e649d7b4d2d35e4a7e2301f31d2bdbe3d9dfe55641bcaca90eaa084e0d95398f7b640971f886b360f2f2716cc98bf0679d06e38549148ed56ba144c598a962617128213c33b4d976a11cff009589ae9b1179ea037387435928c1ae2a2644ced552b5002b2b1045cd61b49bef9438df9272a99074f3524e543a24c53ff488556ba7f1f133b2320dd38ead27895945a50d1194e46c32234d90f08272a1375cc5aadf30bcd5dbcd0efdf8fb0531aad382609cec2e9c2a0c455a5c6be2d4025533ff3f7c2952577bbe14502315b4665e2ce59a3e16ab4dfb55ae94c25dbfea70cd310cd7ab5766db2ea7d7a07498d4d06c238920ca52bc2dd570dbaa729debf722f7e1bd3a38cfd5347971af4e6452b8ecd53fdba317dbfba97403ccd170a19acaf051519570943e9ca800e37dc286abeebf4134da43b80b7f3f53f0dd385566a177e04a769d8e493474cb611e063bed87f88693c93e7c8f1ec9a9e8314197a27627292a8d7cd86ce3eda6d537960a1338dc5eee35c20e9d925081d5220dc57bc8b8edf2354d461ff037a12650f8a10ff00c6a09fe1b8ecb5dce4ba37e7e0da9fb801b06c2910e4ed462968bcf033d2730652246a851311b6d9a93cf9ea517b57cec0d8ba15299ed6c057925f2bc26e22221eb276a8d1ebca05dd425af1023f1fb66fb50ae08f88d4feab11a7b15e8839ad565c0cb63564dbb26a9a3d173cd0b9a52ca1c936675153505eb7216c9b963c65c57295816ecb4f166cb14782af8e3541f2d050e9a6a872ef0a618b1c112f0de05cd62eb6954843c3ae3ae6a1c8a1dd2a381f96d2264c7377b29af1512e89e2bc12c9e348bbaf3d042180a94ed2106337e426e58ac11dac99cecbbdb4e7d739650070e80df298505e287bf23352b3392a43058603e48c20e9542f341eb89b5e365bfd1878e51c4f55be8e5fbf9a2036171249b4631d06831feeb4ab403f7ac351d09f50a361841a80d2444b5f5480c0c931a3261d36176e8cf5f2fbf32ede757ef859e00a4b4e841a63a4e65e7447c4dda23dc6b1cbf2c802f0b0bbf0855c8ff1cfbdfbcd02c462e307d33cbb272be2e6a0622a6a730654ba411aee57c575f6c374ee8b8cd62ba6f8161de46291efd62f5c8807bbf929ad94189d0d8de8915d8ee5d43a04c95c025c3c2f3d8ac31e031daed68ca4244732c13db58374efce6416bd45c4c29403a4813259c3d010a0b861d8e56d70460ef7d41e1667ef7a61deb7349f5862497bb4edd69ce3c8ce94863e7a19c8f150dc62d16d5f581a9d109f2e3d91aac1849c8016286102b97523b2dc3a0367f15c79649b0ccf6ec37e72a0bf804edc9b2b0ff21ebd72c8c4ba67dc36e478761e2a2fc2f4ee25bdab00880e85b815ff4707103c76aa4813d74aeb69035e1caeb46b4a51fe2dc9b3706f73478b7e411f7e9e81ceacbc27979bca251591a23be60cb2f00a8b4cc3c36f8e9b32350b0be73d7c29e0fdf63b053fd21c43b69c2e04b42badecfd8a7548a7d0b311f4e1d230d8a6c32f8bd7738e10cc0748cc44efb4ca8c9d5aae6de3e19b12fdcc597abb8dc209fffa9d5b7acdc044a97490b7877b2b13e754023853c55e674c067ed36d67db3b952563866698167eafa2d1878588ff0abb6bbe4e61b8f4f7db75e315a9cf5e39949f110b540120bc7b3bd84dd463d00df71332b01ab3304358dfc5a51d4b22a0997d851cb61e41d4e1a985e565d99eb8d8a8c1ea7b26b09cf3cddda7cc8669b77b8eeb70e0590f5f3ab2528b3e19e4d428f991a5df66cc73a821c501769494d1bba0108c8c894d91a58a59d432a43d8521a0bd616767d7158d77e530f3df4890cc71ddd0972318f04e6464d832291e55eab5d5f0f22e341e489a3c107c384f03b0c850a271d4bcee9591b332a884fccb6ec51f3b9363146d5cf918893fbdb78fef806181aa9f09c7f5e36cbca52500c85eb93bb84ad292363a6ce87e43145257b9df6a1f1db5574d3d7c6207da286105e92a3e0094f480a8db3e87a5c289525b0d18a7ee8bec7c13fbf923b9a14df4a66c55ddc68fc8f0ef2091f81d1296f8d4b278458c73ebc3d1fbb9b7ab138e9231986e9c9b83a599a2b399de243dc822196dc57e5ecd43f545233147f66fbed7451a4cfc4bc8faf720fe69efe335009d80543e22f3a898dcef26855bc86867f00d3556addffb5007c032640ba8b1cdd04d78405e2f2a2c213ef2c45b5ea711097753c15f028d4324a0fed31d7ad879302e9260601d03c9781f884cf858be31a49a55aef51955e1433036200ff55226227d991b8246d22e2e3a82ed9c54704b6fa8997bcd25451a2da4f92aef78a3e3a129a85cb076be89a5ae79f1081782f83f0044b76ae068c4860b5f315e3537b3ce24357402b18fa4c188f1a782775a8c16efb6bc868bd027fe79df5574df476357f3a00ab05894500c9964b14980983ea9e028b4b19951d25210d77a8c2513eec92856fbf402349a234944842063ad3cd2de842b14e016c13bd1ba0647f0c6cdf76be52b58504ce9b7725bd7b6c447060e949486ee3da6d9dc34ceeb2b79148a088a8abb7363fe3c25e96ab74970814f86a8f6392ad956dac9150ccf6b27e410c885053e313f5c9da25f52515f5b93bc4d592823063f84cf3d21404d4d6fed52025f3b653b82a3a273e9bb90f441998fac441e577ceaada944bbb1671e8f33b8dc3c19764b64485e0a7c095d0321a1c1388cdf7e4ca2a4f2a7ed49b6018550d2fbefc89559dbb525b31b9c136406ba347e3cea54af9515a3111d820931c234111c0570183e302ad9eef35d4c111904472cb5addbc2fb2a268747064d2f8c94eb9563bf93d4ce4fa91f908c3a81674d74f4b35394fc88f6b542fe87cc2ae3edff98e0f62c1aa0cc92d536cadec0e83eba7364c0c2f1e8193dd9d70454f4c95a3fdac00dda1362286aaad8ed86973e07a7bba0f92657f60997ded88248dc8738a468f36e7597f71d4b1fec4653c6dae5bc56e3d10289fa3a53bda1c84234945c303da1974a17aed860be63a69c16b5d7de6038b6e94437d3aa63a54dc639a60f69dd24857d86a617cfe837800cc6c5a03d3030fd7879d9a76cfe094f27d7db9bd2f0caed3f9b506c1d112f39410ec0b6f46d509ebeaeafbdf956e93cab08b62dddb118586d9b81c443dd930b1e5da20ea4b9b5803d3d834a577ee71e4cc5b4fca671d5125d528084cfd500380f64b284d3ebda1a2a733d92d6b47fc2ea6fb91b1c98292756468c2db73d33a60a43847003ee4e9c7cb7eac7cb0cb48b3ebd074c96ad146e711a863926d73d884dd48d0703200275be7365347b7a81527aabaa2dd1cf119ced298c902de0235ca3ac89c40b83ed1f8255aeb9581cdaf28e448ca8dd283b0e2a53d6e3f1c619787f067c9b6ac5d1288688be87b4948d4fd2152a40df68eaf4294c4273f893cd5d9737bbf59512d35eaf56dc80e0e4f406eb34abd669c2366f2eb8d5764acb515aae836b98e82c18eef37f1f1fa93e527d87b1fc13b853a9b5da40525131e2117931eda246d921d06fd457492b09ff8ffb2aad915aebe0d32ccca186e254d38845216d6676343250535f00f6722cbd1eb73a94b4857fc3b36f7406296345f1509226f12aed9959837ed7ec5b303ed5c03cd7cd78968c095e66dbade1c4b5bf69019d58c14f794c5bef306c44acc06dde8ab8d969789d67df964a8cc30e540b07bbd4e1f91e218422a699761f41d32b68f0878699895cec791a392222418e8ee7b8b27683471c42e8fe00126c14bcc9ca6e6c4861bc762ad2ac3be8b028328d8214e6101dd1fb8062114b1f56da52d015163a1e705f5e898148f6a77428a0cc2b48cdc61a672d4d9438f928f22934eb94948f43df9cd58ac36306a2577fde0ce5ee933c88da73f10992f91114fcb5d62fd7b2d7fc0c23fda74df67a6f1914407f9bc1ef4ecf8a1cde4ca6a549f3e05e23af1dfd083966ff2090efaf6c14845cf660c6fa4ba8f2cf62711e23c322b92f2efc9bdc1e079fb2b1f01958b09f0dd2e1de9a79db1d50428a9ca45ef739429dddb6c6515468c04f5eb841b1f11481c1a6edee6a5e3c6377810a0a871f99c2d3cdf22b8dfc16b74aac79ec25a3d77e06d272340bf69d78ab89f6d124eaee4d431a2675b9c319f530b05a18864c93ebfa521842f94f65dc799f911fa01c2ba3b3dffcc0903eeea10d1c4f3bd7b083ba762db8c2c3e37be24ca8039ea461cc447abfb98d596ef88f685bbe8bd00ce4ef4e63139b0bdf4961a7b349ebc42a0c146c5bb804be7c68435ee532df3c850c8f8234c60f6ecc921ef65c57a4d3fb4ffd08466bd06cc6b892c18b0c047c1b93bf32b8d2338995f1657eee140f0ecf1652d7d97e11c20e04fc9c843cb27074f405caa95fe93d23f7296f2285486384b99f9dcd0b8c2cd4c7fe236f563d2b414c0ccbe3fe242dc7899b11a3bdb838241ed1a078e082a3f0dd0017e7f51033ea648b1366f3e3557a966f3ac983654855e2ac3e43aa40ada283a6d71164a3b3e8a0adb745b77e37093c655020e1c75d330c00c9840af2ac72ecccbc0fe91ee3af7036ab6fb3deb9af5f73c4b4b5c65a1883af2267b43f5b4d3f685c66e226c1e6f05b2b33713010a18a3a78665bd1f8e4c9adbabccf5bfcc755743453ef319bed5c99978042c9229078e8a57030523517d8dda4986ee57fcd2a1ba03f52fe18fb9b1c29511331ead4f30527f98535f6a5507f53c6471612256a7c29e1f4b6678eae2238c66dba9a9c81f5052e7e4ec76c2acb34a25b36e64a46f5d0bc1800b77c98f91e398ffadafc5fe3dc6f15fb871e21ab307b01fb2d672e89bba1926c254ca97ac8013edbce4be2ad62890518d456a494b91002d0015d1a48212be2dc15e763b48d1dde231ccaf2c53073b6c39bec2b3e8b6e0b09d3a0c98cc4086192b971b4cda7b7737550e8d6634dc619713d7c7244049d9b41dacf67aa1f3da0db6a32978a81959bc036f8c5eaf153380611af34337551a82bf42a96bbead37fe21d8bcfc4ffd2ffc9aa61a3cf14c573904ec79110799440d30710328604f5ab0803b8d14e0b5d5a32c9fbb076c3a4ddf75fe43f16dbe3de6d9fe2635c60e5845542da959ee2676252f55c86123072ccb9e173a31a7ef0cb2b3702dfe0da380dbbd4d3fcac00fbb2ca0378693d512761ebfb077aa1408a09fcc1938e206ee87391171bde546302ae8a911fccac77cfb1a13c3b9f8053461300e9d2477e329f3c768dc95b6f3d18f940f3f886896aa7734560cf86008198a90af8e3c8163486b1e104e8f9f6228a9238d15d3bda2f81c19ab7d7435546873916652ee9ed4b43d64d5ca20785aaf880f0bb713fa273a2a2e8304cded6ce2bd64862b99f9cfc55f7ebefb15deb782dd0e0343190e6dbcc9adc152a8b99480ac4ab3c962e5fdffde4563fbefe3c7f2c72fa826784f63ababb06218768f4b6c09cb68008630cdda6cb9ede503f6b494d14ef0e2a1cdcc3bcb77c390c884f5bb2c25e194bd0bb651fa468a63e0d3a9bc0baedbcb0ea84500b8b43d2acb1a1456fe131972e93097ca42679e69723a3f254bbf4d0b498b519f41e6a37689a321bab19c0affc9bf68e6c861830ea5ed846c101ad9c6bc84dadb1ed03e3b7949011994fdf8a3aed564683a72bc2f9c9a53a1093840657c7a5854a8238ff269329722386bf9fffe7f77cc2eee6e660510b568563076248db4b77505baaa30036c195acc8824dd5ba61cd567eb8d094006cf4ac4ff213557fcf0fb21892d71af0e85a8437a380febd54ef3d5e544ecaf83250bc80159412fa7b25f86f21d3b10202d91a6d4dcaea11a334db952638b911e9895180d3af45f3555f15addc4e1283b5bcf2780819a5e607af429ed50709d087225b7c6dc0bd1be480d9b0f230384e86cfdc94c1feee37ef79fb148efba4fbbcfe9fa1aa2d48a557ad5a9b865e26aeff87d0c15bd73410f99b9e496145cc077d997dfe0e1d360ecb695b25688cd305ddc912ed38af7c4ba286bb6dc1d6df64958bc4635357f3773f7ea76fa3323c9a092f430c55179578368ef9dc9954de7af72c20ad17df6cac5ec72d632a2286e0a55269854ddaaac70eeab3c7e974fe6f73da8fecbc7bd45f2508419cdf87569481059db747d6dc6bb356c0931d7bd0111272ecbd0801bcd9ecd6b0d7152b921f3eba8ad2e6437d0045bffc45cbc3da37adfa5a0b29be0a8c8546d7c4c6721790df155f9ae38c4ee2f0aa56009c8eabfefce38dd3ad39a98bc1d34a1fb3ff93a21892e706b803ef1cfae2652ff0b12e74ceb341d7172882e571aa350236156498b17c9b5621b3905482fd78f979d69e91f74d9bbfd086f310d3b6521b826dcd1c622f5bdc185aeef174eb0dc4cca6990ea09e83ffa9e99a009cae11fe406e8880a9046df5fb81ebfdf4e3a421553b56e08c5eeb38dd09af4a912aac641301ef1095a245e15d137a633acb4e469315805e2766531722b8a2f875bfd8b6aaa0098e810c296e77f6682aa6a8b06c5ed850fcce929921be9f9d81f1fed8f993430efa8335f8ac5d08e8b355afc597be757c9d76c31e92352f1fc877961aa7e8ccfa9bcc5ac3dc59ff796b59dbc58f945a7283848b6552ae380b1df1a3c3e9d8b67e9458811b3053abf6fe7bff329e6e7df7c6f3d513fc9bcbfe6b42f2528602a1b4314ee9218fa1013a25194d405b3aef274d2203fd6f0567a7e5b498aa55478c5a544eeac6a3d9756cfbc0165427238b3d553ebdabc99dd575d3724d9c00f405f41fdd7d3244fd9820897a97c3a0fae469447f48a61822432643aa4e7f2a7f7be956675d1f460f111aa9e630730da9e0096caa13a054fe932146cc95f1b6d2671a5d2739538cc69f03457e302d998d89059e1a45707cc66a6ea8a94e17539e9a735a2c129fee395317d30feada724e72bd0527a3e30f8bc9b4477b8312efb9445622f0df496b6ce0f62db32b5e041be73b6d765c477f572e5f9e739a77a417ebeff4892243ac288aa3bf74b236e064a9c89106453e24311084e3d42cd748ca009d35817da8f93f18cb442a3e381d49ddd9622ca8f54a4eac8dbf6cf01106cd51800663829ee0fb534997900b9847e3f38a5637dbbd73dd83012ece0b350826b62e56e726c464cd8cf26fb5d77c8cb22379c2d21f54496d807d9234af9af9b65e7d1bc11b9fc7cbb398a9402347f8001d0de1a3031df0cc0322ed5f384bf57b76fc6b9c05f0b8aeec849632da59be5c6c75bbfbaa39fd76619f9ff3902e6d07160aaea2883b6bfeb267628b4d6f6d8ff47affb8174a7cf8e99ea9fdbc4fed743d8253a86d854123062dee12c9caa6053aa37d8844f76c230fd86ced8be208a52476bd7a9fcbbe76c05805462307d67d67e7be872244014cc50c94bd4cacca2473a44bc6fff19b2c1ac4da9299c396be479e13f99f10dd285fe143db45e621e94479a6bcf0854e4ac717e79b3180a56140d50492c8d44c1907713b3b54f571fe6287e2d7530b111fd4817c2d01aaa3861e7d212bfa225f2fcbf73462075d7f2e6654c7acf3aef64ba7a697df740ad4e9ddac9f1ebe8aa42f73994c41eb788f855a715bcb69a6f66538fee204b4606e81b8cc3b2947cf8d8d24bff7e3ceda4ec3508c53392def369596eb1937b7302952715a8af748a05dae24f512b10b78eee9784be25dd85d598e129284d971caf8cd7daa2c6648c183d4454df984047f9d0d2097cab7dbd1bd0b2754569c1b257092aac39103ea1c9229e46901535e77a570f0c214d026117d5464991c7f97bffa3ce179cbefaa0f7d65e0613f5ea5897dda14698ef3430a7dbd1f8c956f3949010925b1ef020370dc7ca9658b8213d6979151355e26d675fcd7bcc6e5ee72355a1ac6f38e2716773d21a4b856a8044974a32454ff9fd3f46278fb1021739b25a75d07c88170a13efda2d8671288f17bd82669e40f21bc9f86f8780b2958da335b820fb1a93689dd84796766cded39bd8725af0eb361eeac9c1a7f9475ce605a8c713d135e728d775db713291fc9d1b0e687cf8c1ba696106c1146cd3635f904780cf65aeee57ac82a5cb000f2bc2566456fcae946325600707059db7fd3dec2db0983dc9375f0d8471eabc748e6cb882d869d5865193e561a449147f44fc2cb069aebf07a2b1ba30966f20d97d8ce843337bf35213874ec328392cf7408284c8fb77e92f1d2eaaf2e8c968b7a205142ee267fe32c8fcdc2e69dd5aeacaf89e953ff790fbc816bd7c2c2e45183329a3c59cebe12ba8d19b1a358e67f4bf06c9b07bb41384d9eafb11cc1593feb6759bc0febd6ad8571f5ef88c4bac003430897dc19fb6d77d8f609b88d6ab4467e4e4b31bd0af289fc429afc58fbe394ce97dd44a5a3d03aae844ddb6711b4f67d2bdf88f3c604bf522184c2055daa0893d4a699c4336eabda303b3fdfaa930e22ae8989d37d5226588c712e635b9204a61d93e7fd3b06128e01e48e943050be4eae2d852c95d615c065276edd09c5ffff17f4da9ee0274faeba9c043f39a3f9ffc7b1b57fe5ce4d538974311cf876e708a2c752b0e1ec9c69f9f8c177d08b547888c659af4f4849cda3a8bb55e1ec279545c2d498e911e617ab5febcb06d7020a262f5944c18de0e392e82c265b00d11bf194793b478a02649c961784b925ddf07aea751b24d02c91a92d6f3c4eeeaf25b05bc5359dc6b088e1d26c322a45421619a0282d4e59944d4ef2e0755350a2b8b3a866f7b198199f7380bca110528c99170c8168f9a26f0da2e6c5d778332791a3d33d90bc487561911e269b6c6f33fa0eadcc02a943906779b734b8ead4ebe855090c98852788af3510eb95c928803e64a4b9970cef67003a9dfe0e28a61f1ea93b9ec240f449a338c2de8107298ed1b0fd7ba92bfccde6bf26ad4b0c70d9f30440beacdad4b3c81cb4d1e21ceb330c6ee8361d99281ef36a6a681a53505f333a64cfdd8ce2be3aa6ebc7661d29d3f31e724871f14f2a256dc6a47c13fb27c5d62dca45353cb9fb879c4e1e33f2d89fa025cc387068c37650ce1aa9542d2e063c09a2f4ae16a31640d7b905c7c80f00679f814518c9557e4bc87042e1d6f4ccff6d9fa13d0bdaff2510b5c4c6d7833df50d76250a6b25335117d8a3205b42f8341ec7c3a047401fbfbfa71f17639a804eb2be133e41ba6b511ae3e05b6fb33c91ebc6c870201c867131449e6d30523a3486c7168a0e23cb4a3268e6795ef6181ca84a5c67479eec4e160510c21f234afe322e65c700476a27fac73b2c0fbc627749c2af18d6d7fe21ff0558de1b92877c8d133bfe002c3f394a172c75219251a056e67223acb620d7f9fe996b119f0d60c09165b3a1a3236114c9d12b1c29eae7f911299940fee5c17205de200dfbee768cadb013838f4270b8b847951afb7b67f2d5ae240cd2bc6f1146eb35a9a6b7cc96b9f13cf7e346bffc2d9af2ef5e55c23b386a56ffe101dd3694771ae3e01bfc59b2602e1dee6de8513611c497f374d26e48bdaf0cd0c1c9689c92c9fe4cbde3aa3aec93ccd8ea4c2efcf50ec6894bdb14e75cd9eeca9b3ebd4c0d269e85cddcb9191521056e6a7951a698ef10e906e29a7e79aea4ae974b07d3793905f70e249d1044ffd75441d213ed7d44e9b1c71e3bc2ebad3d61d8894d9534ab5f0acb10444c6bf3a83e50b555b8f02cca04e7918825986386b0615024e0e155f560f6f659eef2618badf0bed607273f8a304848ff83d159fd44dbe54096d0fabaedd9e863a33d266726bd0b6fbd124ef900ff2e34388784c64babf6429bd533c9276a639d106fd643ff3d27d82c993b94dce11b9c7345d3fb328a3187624ac4c6e27dc70bad29ba81244ec782b3a77241a8b748c69ee79ce718760937706a049d3793999ea7b82672832190e311f0c0f70589c7859ee80236e319c10634c4be1dc6f0eb5c5900262e6c1564af002ee31a6a853a7b5a5620fc05937b2e166d70724dde1358bf89e4d4d7ffae23aaf4d57bfe2c2deb60b08b40f71400793304e1df69ff7add4f002c67a9b2f26c2ef0a35e9b9bb7d60cbc8c102eaf82faf425207f04386e599fafa78751fa94b90b593f4c0e7c9e40b65539ff77fb06c3e6c94763d52f7a77654bd2a0676bd5ac7cc2e0b71d6422ab13bb14fd6648bc11c89b2ee0807d8c42703688b00685f60e6e10f7c51bc7c04910331b8c64d636257198abdba13da1ac0127e7761e949ffa588e66edb0ca76d934476ab866e6c1cd60d3b56e301f43f676b26a2c2a892fc17f0585ff199e866f4cccc5f92ff232d7ce479a66afd2208076dbe0e67da315eea126b41d72892c23c7afff07304a4cf8261a11c43666deeddc89740f69ede4b140da0563e71f4d5c166f95b496a1674bb673f22139e1d667d8f47d642a4343fd6f41ca6a2a4513623929eef703e7703f79558f292b7854d0eb2ec2fb7ba7012993e3360986e6d3edd24e54551e9d026732445f375a321aae85b52d8e40490ff3412ab2f82af46b3d6213883479f0b96be02721ea832da96f160663524d1c9d7501f56633c81206b1dbd4bd381256a9d6efc40557bb1121af3c72bec97c22ad3e4db023dc23ea3c257e5b242b5204d435ca534853c6992d19165aae917572567ee0aeccb56d5e547b7dfb79b6d821cbca97b2cfac697c3c96df2210c43756cb5f710adb7747ca6e93c64ad61270af2a783965ec969a3a95da4d81312456f7ccffa0985cba7b7e2d7cd478718c857325541c44783df781bef4143de219d52785793c766bf7ab00667450da2a607deb4a77c12d5e915b15a26d625f585b0c6896716d5c6ffaaf66f3af270c2ac78ef6d61796045684e89a3f9376b6222b54cdc1ac5c08c05d63871e7a5f10f524a341c242f8230a1cf8a4d1ba3d8e7a31e76b5ce85c8485bd853a03b52ca3179202cf16929a22746a6c366ba561825b0f33a710b4302e1014d45952d804767235c483e593079413f80b9e61a27050fc8c9727b050f7ab0b65b8e94440d42a5715da32831e1a0f8e4d33faa1c5b205ac7f3bce2f3ada8e77ea742ac64dc9fbaf749b6e7c3cf81de57db4e97770bbadc1f5a710a982069f539d611113c921b739970a17c52cd255068cdabf74a32f3fa59c16b435a45aa14491dc7ef00bc1da37110b08ff54c1d6dc1ac9cb81dd5030c0a70393daeb9d754bd01b88396a1d626688a55861bd8c7f20a5608d53cf399b1b94b573a816f29c683da435f656020b6ab9ccbc1877204e2af93f39eff66edc742068e63f3283c38d35620c060ae32c857e1958abd53debaeb135d90befe3ee9e923a04f8aa76d12cfb513f233df4b5d879ac350f42f98f656a46ee08d78e3204b37ed37727beba8d3eed77dbc3b5f985757c5092917819958e9262585b47387da53178a785138042576039ab7c996f3ebfd6e4a41ffee0e632fc95d902bf88c42c9648acc9ed1bf90967f10ef5cbe0d913f97b4574d64ef31a368e2a2a24d049af096096a5da9f0b74eb2f3bf29fa8f57dbee17fcc562a4dad0e1914cf2ed19e6e68d768705e9d4d24e5385f4827274331572d0b14518a0ce50bb06286eb4e86bc7f71570155e83a9c248e0a2848aa28a107dac8c45b6ada5fbe622a0b94e42440e0513654ed8b46d5faa5ae3fd1993df20bb25d005fe254e94a0479686a3c8792e7b0c91832ade55e17298933fb0eb62c88111b8faecc55149591d399f316e12c476de26b4ab9edc8f2656968e88456a8f441156f4ac8d786e2be311852302a6ce1d938ee16fed71ac9961785fe5ecb8075480a42a788ebae8dcbdf0dfff47e7166e699d54d0ff4ba8c4e6dde7831bd88af7cdcb45e011405a7c9937f46c86c703aa9cc3d1fe1b4ac047bcfff547ce523e28d7eb0b469ed3e6e8cf4edf84b28304bed1b595bce15c2d8d466decadd453adde513608e441a020d5ca81af5e81cea4100b011b3a4276df61e7a843e25e590d4459e2a565c74155c99323967ed473f563c7f23659ffcb6ddaf6debe5cbf63048dfa6f72acaa510a07b83fe7091414185e69dfb76aab27071846e97cbd0c42deb486d5598525246eb6bf8c2cf17a26ca031280e2c1609f94a8ce7d5a55ecfaee95fe502ba75b22c02e15cd8455da4be8e34749933d8fd3a92e8c91545d8ae44c48caf76dac5af0cf4d585fb739cf006846ef28013d4833ceeb108d3c3d76e2ba675299264b3793aa99426fc117de43c5b26a39a6fec3f017c828c4878cb3de9c1cd3b4557b470470e5dd61638d222169b89129231f7c04d771a098e5d360afe15f00d1a3941001157b2d725668f09db8389ae017b884d82f31c5274fbcffb156687758760a7bf5efc21489f5588d5eff16aea78c961d16044978cd1e15d6b0520d509d64eb34d0acff27e9bbc843a5f07b050049478ee8b4800c3aa25b3c3986f90faee858390bd21d40a5ae5518d449f4349c33ed2ef77d4f594416df8b8aa4769f583790675c85b74977bbaca9eb0001fb4d38d004aadd2b1212d71824faf70eb35d37b88c1483e0c513351cc6a96f48da5e123bf23c7357d0881092ac97917a0fda04d68e919cdc14bfce9a504b59988e0744c527c6ca012fc0e806725d97e7196ed63467221bfae9bde78a3371ec3fabc52432ecf3add26e2d5740453975fa6ccba1a1ca64e1856280983dca770e5aec55a292dfc8d60c59150572417b9585f3d0d028f8ef54b879b983c673f36bf33c495691554c3dacb219d1b3aabb77c701a9fe2b79f3fec3985841c098db7f33c2f64a4637526df36d0497901bf17441b11df49af7afce7f11bb992429e049920a2ae93adf187dc9b584980cbe262893d6da020b3e84b11062ffb2eb4370fe7c68c5b2375bc5377c95f7d47b1fbe790a617df9d3311eb2855b091bfb3c4d5960ee7ab7e2ef833ccada31d0415fa56de62e33d3476050f322e40d898ab966aaa3faf29b7576233a5b597f05ab953ee157e8a9ae9ff7e7f4efcea426b2426b40df20ac9c56080050a88c4e0b627e7fcab72709618f23bc30f63215671650ad7055126df8e9d5894ff2129ebe0f2074ee60f412a0ea368a62186c1a2ce3c6173dffbfaadf941910a77d8d013637a510103fb781b4ad95c6320b1e259703e5147418e024b97a304175af6c7e2ba2708a2a7005768a6a475cdd8b65c37d882dd42a1f31c8c6797316d19396616888e57058c0fa70356520ceda8253badd156bad4cc74b63702f1132ce29dd711599ab957e4f09cda0f71808c45f6651c0282100398e0abab578cbe5aebebffd544824c336691fc6c2f0feb1907d708896e915999992725221023edd905c66fadd05156ddd39fc228302d1fbda83d3052bbf96a530ec951189b34ac51306f2a5cc4bbd4979f43c6855187a9bf115cbb15ad21bedc8a505493553bb9704118e52a803bde217803f2734877b625564b1d1390e5a7a0d7c6838d7c8a0f09b81e954209f315dfe476e95ef36c6350b913b748b69b9914fbbf4dbc4919133a890286565dc3d5b1ed0d491c673df11d6e82ff4bbe6298ee516d5a8096a332d6936906b35cf03b36a2df001f1cf58c7df5b4d1a37ec8c4163850a41019aa15e7b9cac356e87d0d3744e71498eea23100656721f41be651ac941355403e84975fc2163fde1ec199541ea9c0f45ad189a64b07a49218e387e553083f8f1a2096c8b55f21895451f4e3d607c845d5f86fffe034c29e6207603da460fbe69eec80968707ba7804b6e0fafa25a8ef4cac1fd4a7e000e90f89906aa586ee45b34aba766db57abf2ba7779c3e6d8e88095b4aec9f81f07ed616a58860282da9cbaaab5cdaee3b77cde4d3bc1f61616d8cfb095d05a360016630a723d2ee3fafbf74716ed97df36e709e9744876b5665ae84dd239daa58f7bc689bdb0214ecd7bac0d1f13e986ee03dc5b07efd92986924fe49535c550bd4efbd631b319d8cfa60ad000456c5c8351dd0c9c812b16cefea750d35989b2333953ac54ec64733ab3bf3b98bf62d4adc1c2389f9aceb7cfbe5b3526f161e4e1860fb043a483b36278c8c3fa2dfb21d2d216fe813f4fb0c96e1270e3feef00df3df0f25c0578c3eca37e925519cb8451b381b5f452e403b0a571e78c68cec23bcfa14b978dba5d0007b0a060bc0a6b6446c5bbcf6fba1f31d549f63c24e753ee851854110c463909facf7354fb30e2fc1cf2cf4782823505dd6ea6853990b40f7703738e186707afca1384d39cd30ff25bc3ac7476698739137683483cb9593a18f2e7a2195dbffaba168f51f3b82d4d9339a8914dff488354f71e6283c5bacffc5e5668745811f15f334080272f29715c8059c47911bfc8066c4feb9180d0e7ed1b6e5c4885f6db509feaf96381ef281f66aebb35b0f639be82d10280df678083eb412da66076c139f1789e5d91dd2aa099c31a719485a521d190a3556b1559cf5e5862064990c2540f70ec709b147f670ec4669a76b252d6c68e98ab9bead60028ac8f3598381798fee7e3bddccca417e9469d8219b9a2bd104b052126539ce27f44110ff3b310e3eeb6719226fff933a456817178ca865981bf6158475ad91c8306a98d9240aee4a5781ef5b548444ad513232062e5fc6a9c10cf41acd1a0fae4ca46cce55de26dbf1dfa1394555bf4907cbb88f23640906ec5595a12c00abefd823ea3c0c9e53dffacdc01678d379e399a285e9a6eeab11fd920da5d3f3fd4570296f35d1cabbf4d833d8370c7b7f1d68fa6c30dec51c3ae6224d419016aee99146eec748e71e5bba1f4ec07bd6b5ceef330f6cff719012e86be63be5f1c2676cb86345a543bb001e1e60fa1fe7726cbfae98d2d088f79b4e2ca7632de4dc31363b0cb1db17612126f3e0b7039bc9848b8375dfd67f672ce15e94592ce52b3d83ceb11457c226b711a6900430925a3d1007360c0bd113354c2a56092f62dea25f06c0a45657df4ebd6c93ceca91e6ad287698d9142e610dc31e0edc7e117e5967ca0dd7d72edbd1b0cccc9bd012866b6b42a00ec27332c53fb42d17782ea7448a188f1b1fc310003b3c08a4d0edd0d8e4514c0e8c6a743e484e67cc567043b11b7a28f664a390e35e375f3ea5f9af370db89008a9620124295bff6dcaad0aad978a90483089668530055ed01669494973a525e2507e368f41e35caa6c7a9b9a347678918c1464c51aeaded8d2fabac704b3497e4126aa80ffd8366d089eb829528436f8408691f64ae564c555afdb471ce9971c1476ff8e314e01d6300cd97e9666ea7d4ce91e7fb6c738b12cd6eec86f2ae8fa6faae03fc147fd4259cd8840c4316ccf1831120a441334075126d3cbe9c9ae2bc984c348384826527b2b9370751ccf1c5b8dbd508bfefcdaa7c09012c240eba8710200df8102df31d49e397bad7c41db3fd0b11e2d58d69c160b68edada2301cc4855b2bf751c07d5162b601427d2a70187bb4ccbf38a9bb509b1e95e34d8157552a4d51f052512c58b5a8fbdc7987e6e6d03ef303cb9544c28af612794f1ab3ac399053dac5a78ad0c159226c5de13280a45e315d02f9d57de65e343cba601e7f372562572890b2ccd0402bf174e91a49fd1a82b4d70f42e887bb2124beb514bd5dc178189826f5dc04996c8d0ab1e00333d1baad800e7dace5dac9b1a6d3e9eeddfb06eb9d021da3ee3e5b80d36f8e3e2babfe5e21411d29cc3a47ee5c033c5810cc6036eb7761ec2d570907f57a89432aa5ea3b18002aed45af1ff4eafba69bc2ba9fae1f5828c0d2fe13e17454436b98b9128612070fc42fdb4a83e3884dad5206fe49836206fff5aec8f36e468673a4d419988b1f8b0e370fde77db563e9f798977eacd1428cdcff4855ff025588630fbfd1dbdee213edf20143e7d87495919967da730e20d7369cf812a096a3a77bc3acc8fe2697778a1993e73b96b6e9cf5e2a680c4cf5045c19779af65b0c4c2101b8499b66635ac7b074de4827c937d4b2144deb344daf0f33552acb406e59e24e3f17e76683c5f264d0c12b3ed015e39c2129d0a2a7bf748800f3f29375ffe53a215f1ca76d4185eb6430fca52b1b4e8abaad6948f49bbe2f58ccb255444c2ea0617459bb1cd11c77573f29e128fff42b9d7383dee3036c7c34685de68488fba427066e6d184feaf9b6e3dca6ec4ee4bd87b59845461dc4c70a07befb2a17fbf5c4b127d8bb32cd2c09792a29a100b37ec0d62bedd9ab6a2a884fa47f7b2cb5dc91475e6a8bbe95de2b7c54b99975b86107d00fceec3bf785acd908059c71a0b37c4d57ecdf918dc567c235a252fc0d3e7311d5060bbda2fa2dcbb9e2a84ea50c2a1de298020eb63567bc730bc06ee0f610cd7ebe3bfea5477e4c76b686263bb3e240f73f80764e605aea1c767b31e2f77beb6250139feb949ba6af4e56ea5bd6b201596dfa861567cbdc9a048b79724b5f93d817c42a45989a7b7f8e49baecf6b5f81e5d778d17604194a803912a184631eaf6c918ed1aa34037ea37f15c2d1fd675847ba9b16119074ec58c856258ac12d0e680474723d0a1b41ad59adef9949369d9ba17e2d16935efc7f2c0bb24b1f933689df77e183dbc78d0d2bdd3bb021282562e9cae066c19c6ff6ed937586fc7834ce0f688ee770c42c1a8f042f1599968f080cb3f29bc2deb019cd061a210980483884cdeec6a54aeb69e198d394ec80bd3cdb6ff2e90e19b711dcc9fe73c7ac6ef3524eefe0e9b56ced894237ea0d7fc9c50d219e0b69b6624fb5c27bf938e655f2816b70336830b70c01df6f58fb07a0209d79da97f7bc73d56381648863ebe5e4e72469f8d02c227a640bc7b2a84fb0a3b628beaca66e29338c62e6cf134a13c5c0c76b06c9b1cd5166d8368575e19418a9f0b41eb646b66ca5de4f85e39b7183c2b2e39621d09e24b7c6a9c7a0b2f7843d1cd2288019e5935f0d959b431fca2ce45c6122a25f8451c3eff5b863652fe856f03e56f7ce669f9c2b20f4885a6514932091a3ad467ad73e7c4db7f7635f05520d172a55ae8e9bde7d4f0790f31ae469e9ff633b3dcd63bb4cc5776c1cfdd3ebb19faf5d37ec857aecd0c0a14f3f9ad791119a6e0861afc4a827c8873d9316af3babd298ae000584e4c947670e7cb888cd9af9d9fa36bb17cfcdb2be0e6423eb9948c7b08b8add3bc1b2578a185701db77a87c74b25a9d5a4dd1262942156504d288bf74975dde80531a29be7f3b9362a17d36916ed99295f01d25f423be0bcd24ae71b56b7835048407ae432c079551a7a9fdd9203b9bda4a9bbaa6f932512b23086053eb70e6db4feb5fc1dd3474c6e2755cd03812ca2f0ddd01fbc505a2a4b6d3653cede0bd63657358d713d2c076279a72597671e6b45ffc1d5ce0a11fb0a9312218999f432e64070ee505cc637ac54b2246975be748cd17983d2e8ebc63960093c238bcfa6f6d98e50ba2a5dd4acc357b77eb441862b59df2e8c7b12865b7f8d336deff4e42392e2340bc0ba27f3e221c96c4c98f09b3fa62def716896b7b685cd78a1304c131f1d7320646e9f0da60ee129bf56b760f569fd847553270ce60b6962bc4376758c099d3983667b3f4b37175e085e621b73d28a8884448b501ace6ecf3be8f5410e9560c4a153f773e5816a16d77791474dc02b5e44ca40f2b3fa0ba4cf69e1d3ed3ffa58bdd1976941cd88c7665d5f1a20293ae7281eb9c858f1ccafa6b9e2d16ddf14b0e8bc56910bd9c170a3f46969aeae83a6c2b7bb02b4651b90fe316c404e5e0b8cd6363d2933f53f2b6be570ad72ca7c0dd8909804deecc3b2c2abaf5dd695bb8085a7318c4b9a3f3468980e96526fb4b3a8bfbcd89232d4ade8ae14383aa254c4edc4448f75ba51ab1b63ecb8ff02587a0c25eb0976878ca245fa70d58bb8a56f9dc7f726adea49aa5eecf5087a85df330d9329b9089be25fe216f5746cff8ee17e22dc48268cfbff7db88df8f2048d666aee5a25fc64b2076e509cbeafea5362540cc154ffb85e022aed55f22c3a865706d00d8bf0508a12c4ab33bc7cc661b0de5281cb8a8b35215ea50ecee65fc42baf1e2ebfe549070e954e5280cccc113ea06e48c1abb208ba48c018e4b3bd214091958ea188273078f3f43ca9d482d1541027d235a291f72f5abbd6160be8bd9ea1e8e87daf3933e629d99a6f536ee85f4514fecf6a9be044df65ac8d2de6420bdaaff29ec2af590d304ede55cbefd0f1dfa012368fc7da4bcc43f4040a00606ed6e8cee7a1a733fb9f4e4a3d39dd62a53043c23fcb9ae0f260ca77525f1f8b9e4b53f1572fea0dd579f5d3de96cb300990d24ffd00c01a96a168425f538b7c0a04048e4bc559fadbf461dc10eb26105e1092e23c57b5c0fe906efbdc64cdd9d4daeab477eabd30ff426700650faf5aeab5a5edb39ad18a49697c1c29166a4ae704056f67d6f3fdf174d52a9ad8738947822a5d69f70c971f5d0759d663575495732bbe53900a7144934e11278a1471c29489196422e23e07f0954b8a7a0fe1262e611a962fae36c6893c8fc35606416b7049523a3b27f0aa3378e3ca888e56006dfeed47b1274b870ec2470a6c32a72ab831310e7884100cf1a9a87d045f8693a99ab2c6abab58c87d38943262059d36951401f2ecd0c2afd11ffbccf7b5eb3b45d848911c8f5da3ae10185de80a9001457cd03cf15f1e667d789c263e5b7ee8b95dbad22fd56df344b5a07cf1a84059ce5884040616f5163fe12acb2343a01c740bac58c3d45816f9113487851a3d67acc211626234678fec377f7afadee2687def5ef65f8d316c506ef07918a55bb919d04d95f4c2f37ba9f2ce1c9f65e9e435dc4049dea903f57ff9c609c0c6c9a8924470ae1bfe1cac21e9303d52006b88a2a21519c4ad0502b32451c840ebc0bf78a02ca51164df957b980b76131a21f0799f093773423695e89609b08699bcf66ea6c08909c9d1945727b6fab78d7348c046d2c925a90d14013e538d0fe5a3a6cb7bc05558a2caa384535ea01b1fa44f2f8d91a13c20c6fc796b7f4f3bd00530504497a33d0cd43d194a9d36443a167ab1381ba2ec4a6c5ea54bde58161f4d5e88cb944a99fa113a4738c9ba8d520727328d3035ab3a0294648a1e549885f8d060363b67e3b4d6c8e17063839700a878bb9e29415c6009d185b00616462ad8733abddc5fb66a13e2d492be440494af5fbd982c12ffff9ee7ed7613b942bfb40a871818980fafa794546bc62ad79aab949356cc6b6b4cfd5f13324e3fdcbceb213e9055bffb4ef67e7ecf4d78229bd2d4c4e817f3991f66446a9632d3f99c61a41ac708f0341a61839d426c6d07db2f30221d0a50937b0e64d2684f311f394017d1d9bb05ab63a0fdb95cb8dd8cf10bc217d601f0039f6953e01416a4a66c8b248871b7dcd93ccb0a756d3607dd81e0733f3d9c58da7883e2ff6044f978fb64debbf2468436fc576df84dc8d2a7acb2f6f94b923fe5f2c29e62eb6b2bb02a98ac4b44801d166dd9d3a45047060a83c13ea8a8d747e7416874d8f9de5b9e3711edf59bdb1a906ac6775a11e64461c51391d0e5900c35246d5898851fafec54ee6da841ac3239f515dec9084146fce2dc38062370ec7c67c690b598e34b3504f24856a4c92e9fc2dcd98682ad390ebf1569008d86a53d2cbb46dd6f48561d7e54eca5027e1cc68c9b104738b2c239d380a7806b10d799480fd17d534c3d33c183c184a2cb165ea017305e02a5a1418ac1f2b9e6f37fb2b06664220b1509b95db08472447b2364d324d4fbeb8a39bec86cf4c381b93b1f0fc2a3907f1dbca18a885f29ffc69612bc1ceb0aa65b0c86fc3425159ebb6c2d3410589c5bdad8c85b437e72b990ead2b0a656e1b18b864b6469c829dce5cc3ddd6a534f239f72e61fb41173305c0444cb7e71bf66301285a4b1c326013eb7650cb97bc33879fc53af139c5d65203a06565eb491623f9d01f38c20fad887477c3c897a58d75ce9ccf5b33c6e318b64914320a811292c8a5bdd7dade67fe6158ea9a452899ca8e363e7325026eced4d1f510f9fe99bb35ceaccde1284d1256e1c657478966af1f581fdde17cfa903108740ec643d438e23c7df661728410e26534bff2a629c42726e3cbbf0830fa6eecea92ee5336f7337959c22757c8a481442cb279f7b2ebf73d6207c87cbcc71fd4570936ff60cec2597d0caba6c24505a011120ff4359e77a35c704060ec09466dfde31c9a5552967c9d41d6b5484b9947a4c04866b085631f2c688f249e1a9cef8f8d7dfb0752b6d04c682e34f0f89368cd8ae6de1f46fa90dea736dc56c9565b3bc6ab1c99c1b219916a60cd7ef95162cc8e4c19ffc9dffc79a9fc7658af59db546103dca9fed676d9e246be5458972a5f9b7f991ef74bac17dbb6349b18a867055210e747fe10aa877790335b6e922617ca9a825093b9fa1d92a765421135f5322343d70d7a1eee85e25d43b30857f784de191fd209eb328ca17bcbbe17f9df9201585bd0fd5413173a5bc7e09b4d41b89e00c448bc590b5ea78d787eaa70e90ddeb7ec83df0f94766c7fce2dca41b45555210c3424a1ff71b924f5d374aaf0a28417f01f8fb38f507c9bdfcf2404717363263d4ba5ee2b57a588fafcfa81e77af210071e542150a5fcb5c84032cc8cecbac784ede31ccf78d25ace31595abe299c3a9143cf0e6a5421f98fc70d8b2a9d404f70d9464d38cec8518c678da77c6d32fc6732b82d9642162c9945b47237b1fa96f516a12d37711afa7ac3149de3e147b676fd2020a6f7340e1747878ff8339d0e436fe6c44b9cc13d66865f0ef78c0313b1a54964d932e0a255eeb788f9bec9c9d14cdb17ee4ab8a9415c6a516b298e5f2bb19aaea809677fe3ca1f6fe379d82af2255f3493873c3cca96b46c4252b29d997f7d8b05d83fd0db8ad58b374054671d9ba3372e7257e9795e5ed2b6c21b98f54416601ef5d22ba906b5dadeaf952b40b446b6965a0f84ccd93e11ee0462b75c357f1f47ed7efc519f7d3fae99f3eac2f3169183576d78718f5f07249622ba2853b03d99db24781d1336fa6bd039916f30ba736bda9482e6990d7a890dbadaa5c36fc2ea79a57e99d800d54b3db698adec96d75affd23acbb4e1a402c52ef59e48cc717a9fa04fea72577c6b6dc825d6bcf8b1ff4e2e1064e09de3cabfdeb9a804220055b5fd8fbc60d7c1db86d81d137a8545dd822f57fb054792dd5bc1a673d02351f0d09076fd99f394b107a8287e23fd47c684c09b1bfc7287753589c071f0360abc0b1870983828db840dec34ed2d3977a99880a512ecc0cbbd5a842c7597ba91bd10cf9b9d82b6565694db3b6bfe3049ecc0719eeac0ff956de008f1fc3e095acdd1b6d76567267fca8d0526ff198f8a7dee7af67bfb0f674c8c51e06da102aa08f0d73ca63cd1135c79b72fef4cf4b0ae5300194c91be269cf0e729b0ffe34ac3e87573520b9d7feeed33f7264ab19a1a9002a07a9459e74f3d4dbdb7010de67d56b49a7afd816e90bd8db3e282649cea4cf96e8044cc15a607a85969a5cb62052047bdd8716cc7800a0f4f92ee515acf1e068af64907542e0d833f4fcca81b88f4afc99daf777f44d7f1b7bc14fd5ac30aca0a3a1136d775f9be1e259e43a33efa92d8e2a38b6bbb1344cd3058b581a77e497ef6f747206887219eda379212aa893bd693ca74b98a8624567950afa8dc75b910f707d4227fe5f407ec06add953544054680a30e30e460afb165b739ce10a0d806d1ad369d17c2a9fa67ca49463bdbf5581518646a8a1f46e7c10d9311c5fd9519a040e88d67812ad7306ad13a6817fa91f016b9cd6321c28ddf7b57aa4d36c414d901d8b8350a4902da56af888988c543ff8d30881432710b0cd93913eebce252ada04a504b277b50793bffe780ec51681b73f38e6e098178a2319373c9aa32e57e5ecf5d53be5b41302b13cd4749ca062f71f5391e4a6302ce6a4021a5a2e7a7d7e537a4472cc90ff898577f9635ab57d918ea1443d1e94db1d4f42f16c0bf7b88086552a99ccecd153580b37a40d05dfceb922a740a435195f7d7095d9e136dbdb5c51154c2d98269ca29f796cecb7aaea9b8629280d722aea4d735e13ef5b50da91a51998077bec4d6630a7fa7ba6b996f55776beb117cce0f44d2de362d142411d44a12ccd690637a29642ecfa76d3515b651cb2b47eaca44f9ad4172069691f97d87cdf231867e651834b5baad1a87410e7188877a3a9bc30e7e7028f084f4f602095d22495b1b3789b8115277462fbee611fbce26602fc436e52782811a83fdddc29cd0948176e6ddc1fb20ef539f465dae209320bffc49dcbccd6141735bcde6e90dea25d313acc2159cef4a977feede337d126af12642570c3f3d1dafa4aa734a9ec97883aa7805563392ae3692448076039e95fdb23ad27293e2e044fe722e82f2a80f401c17b056445a27ee6525aa0280703e9ac24f666aa447727c8e0c2117fe84733106e8d8b6ef1ebd2ffdb464cb85e6537d3a1ce0daef079729e00b75dde985c8b4e5ff39ed768baf69bb6fba7cbc68346bab5e07e0cfcfdf17ea873db4a10b9a0845a7da2ee146c88739903a61e87da3974da83338e59db18eb7cdde16443271e204e5193a5a658105ad69608c28941a1a58be495fb5b66c2797083c4da316a566caf0fe9f0d122481313dcb40e45f6e73fcce912b08bf35b865780e92a86995fb169bd2564592a541009c460b2b8ef532ac4cb0a0c28f41e837ca4f296ae872d43d1639d7e880a539239838d15410422ac53debcef066781c9551a1d4245eefc618d5f819cc6de91fb6e3ab4cdd55baddaa5c4956092bf20fd39cd9f13f5970272329cefc904faf4b95682064f9e7c235160b17ff87ae8a452863170e6854b378a2cac06b1bcf6584057225e9e82cd76ebcbcf8978b89f95d1f80710f3f85eaae35d555aebf8b3a7dc192e9d035883e48bd1cedbb5dd70bc63053f1d3e2502c687da0b2b2d09ff95afe1d454a0165af4fe149c7e7708789a51771b383590f348d848222781f5d23a13d5d6a0768eaf16fabb4ae400103a8b68aaec5993315e5dce9150356d5a5d9ccf963f9971a22a431ce151a528f3627aa371295933d74da006a3604d20349d571a71dec3af79158a29863fb516a69ab2936f15ac5a1e8a1c901a30fd6efdfca1762e2ffc267551edc1fe582c58b1de134ddaddca936f338ce7a7c61d64553b371fea1d04703aa5a96798a360e39adff43f608b2cf3e626b6cad1b615b8225d51c99a8d91aad0e4275a3853d644e0c0453f634052891f77ce3766d133ce1b3685e82c993017f7e20bcfd9c3ff9e62207b889f2aad854b8b9353185d3ccca1af6f98a952f87ba45dd56856e8b91ba67b9e95663fb2ecfda1a953f1b373e731fe14514c1fe6feb9d7aefeb9c72e237fe750e286b021b12f2f3470775e38f86d99ae256b500ae06e6bd33851c5de8e49734919ad77a3dc99c04a916d75f64c8103bc513979ece37478f32ceb385ba987f616c79e35b8f419cf813a396f2f8638efadc6702424f25106cae8792ce089625982f8f6175a83c0d502567e24bd868305ef1c113a908382c35e51b3b2d3455973beb3c3dcb4b3f867e87bca3621e9edee712ec2eda06ef808d20aa88ea51c20a427a6e3b8d0d798cd46b4bab9f09c2371bbb479170d28e4cd5173fbfb32c58e3b33beb5cbac26aefa553e6bc98d049957d9d20ba6794b016edcf4059856b6b44602f5c91a397dc7dce701145c9a7512ffbcf5b8c5de35b9738c75227a2c2b86c6d00d595d13de5d63ba0c5313b327d626c46a1023b47a3414ba063e531316692afcb464898f30e334f2ad437cf2e78ede222bed0118b9378ebe5f2eebecfec51b55336c72af7cd7bd503b4e13ba507cc10aec9e3fab46a42fc93d841e7040c1c45757b2c9b75551aed45c39ae9a3be7ff2818378f89fcad04f1e4a7244cb0e8fea960466b6d67d023ca01b101d207e2b08e3091868b2dc882916fba7f4dc883a081e1446f48bff91499ed3ba6fda318c11a56d6e0df4628858e450de712a17b36bf959244aa7d5b71b4f83a19608701c55a1edcba3ce6cc5761ede1cbac28e48e96395e37996072b838aeaa1a507914060f9d835bc40962ee362055eaa07a36583e1f350b4efdac88aaf247554947620baefca68a740ac0693293d053b1154752af6395bea8ff05c867d3647b1fb5c6d8c2a6065c05338db99c4896fc9899632c73886a9fee155be0e2b012a1d31efcd96da2535271685386bb09037c363938cda4919cc0f0db76d9a0419bbd16ded970e9c2a8bdaa25c024e62621173de3ae3118d690db6b23bdf8965f599e70cdb4a44fe2d9334fe2dfc34fb63a0cab5afef9782c654a7ba5fc4abccbdfea0585b73066f105686199c5c3fd13191b305ffc9bba116e3063a01c2bdc0d6aca6d95a76a53d0d022c72d40b9c268ab0d5eb9fbbf781efa916d344eb4d22c2403b59a1655bc5827ffa5926945c2e13c5036711d3bacf35554325cd6a9a3f1da4687c3ecf20cb837433332cafefba6ee791bd78396ca64c752b0230515a89e5c5d584b6d2025ba090e0aaa6de2bd6c6bba32d4fcc8ce8cc040dacc0f75bbb1a43072ab981f222c4d48d5a888e856052b3ecd5ae5cde7c6ff6631cecb0e920f1db6a40d60fd37b5b4503a24f030dfdf94afd37f08d6244e4c37ed8d5ab3d229a314ffccc2d05c05d7a895a3b27b57c44b469c36e909d8bc5589af26a030ff9ec9f45d281b08e5176b119120d5c68841e94f2bc74a0e8818bbbdbeb3489a2036c2b457185f25b3f2a0f72d11a40e0f8431b67a559450ca9a3c3e8998500bbb746a7d15406a89f00aa486be36b7e0248dab71cc383a983701c770be9ea70332fe8839f34f33389182d3349b5be265efb0d9ece803faab889efde2c18fa37ff736bf4e011c9cdeb4a71e04397c7b67038a6a09853cd9045a83f2a36f7c62a5906787bc3347db0c6552e785493dbb4695119c45aba903d73f58379b46823033da9d5a74862f6694c98d507471f238fea16263cfcceb5f1061cc735d4f40ed5704435bb4659a58cb7c2bab516b7b46f7fc68263bad62f93559c7a5c6bef183942c6a651e64991056ab2b0fc6f103ad5c3a021b002e96f5c09981d75ced07f9750723fe002e043734d130d666e37fd72ec0414eff98054a77fb44ce0c1bea093b6d6922a2842ff9e333a4ce8b21695c9fc1f58116d71339e2b655541f2bbb8174ab0378b1f68469a0893c6a290a8462a4164c19b999efeaed49ffb337d4b786bf72597b4682906d4e7c58c1c50f024966e8a2441d08fcdc15fcaf388c3988314e93278d1fa39b91965c82829836d9c22587cdb7be2d518388ffbba61ae120e75e386f572408989b108f769c6ace10812cdac917764c0ac631f891e001977608e09dfebfbb1a390c84ca6bdb7d08bc23aac46ffe8e89616326573d6b861e7af102a9a09899e746821c62a70f7b6e47d9d99957a933784a66f71dab914094bd123f6b57b9bf0d8f942c754ed21180dd38d8559cd3d28036da5c821d67c3f33e32a95863554dcc5ad6a67cd2ed63afcd6661ffb8afbfd86e38d2a0882d7eb2c1995c3e8be9df3ef31c1ff92267e53f008109b59553a3794192f2b945fa28dd521e82dbd80071d1f8159ee0eaf7e04979c59643a410f69c16e038e9b9974a5d5f0d04db5320595e7286cc20a135f7c3f06855db3f985958de33c99724f34136dddcf4230f06ab0d6189150bd3ef4275c485d60f115c4027034423af8d595dfa719078629a171892e8e97ad817951a7d12dd0b6a070745f7f33d6708bd0e4bf96b62b3114b2c31d5646dc9783fc2b5c3d9c1871345e64442ea1dc274994355fe9e7bb477f4cc2f63dede30846d1f0333cdbcb3a2ce2685ab6d9ff5f9e8ac22526e353c1cb050386cd80157872e6fd33f3a352e127f9f03b0c58f306e2299ac54336192cb65d61459e8c5e4fdaf4e1f815f1dd35e598b187634b4b5a1d17e54ed3876882db49681a8b07564238fabdea7b481dec429d898771b6f10e3aef713cb52b432ff6647952595fa14ddb744b8b3baffcff95c69f86d98553c2274c061b24465145954f08fddc17fbd06024efdc59982f2413dc8a09bf84fd315be0bc4f9fc83f7308a57ded09451c07c7052685f43d8781ba6b820146efee62911a3cea2af607133f826abe189899aea8a554524bc90ea81c909598358ec6d841f5aa3d5aa38faf66a69eedcdefbad39100411667fca557d8e6a183a290fd6c1656eb67a3bad59b2628a40bfb7f16a60d565b4df7518f9ab1a3fda9acfff5994f3b48d4d303cdecfab18864933e1f2d77d9d07f32e0dfbea74984f5ebfe0e28f8ff0e3dc949f892b181898a70a61290473e3ff322511cb25018616b7830cf7828b539f1cda5eda421a77a4f34dc2ece3d012a7e031b3b3eaaf2520035d689a9d0b35f77a4d163d5ae33ca8ec8ab74f5f895a0062334d1aaaacf869d070b33803002a2c50e41c5dcb42af9a98b0972fbe0d9f543dbf92c79c4080f3f5b1cd3a7a13bab0c86d48b3cb3c0016939a3a1e875f0866bf0a053cb0cb527e89155221bfddcc8c2200b0b4fa887517bb0d6ef7417361cf685a81470b53aa90f22101aa3a926efe83f6f82def95a6fc0123a3e8ed577fecc958471860baa78134fd1ffa276f205f1f41292a45d74c143e0898789956a878660fb74f24b5ef5b7066f5568b1ad39ba66ee284efb6a3fb2e3cf06550af9223b198474158519dc30547005a12b095356d67612e7c7639f3efb9da9425f15e93d952097059e11d286a837e300e7c7c67da42c47e19c1c37f09c941654aec2ab75798207596e5fcb2dca0405821ddde4739d8bc7bcf402da11a46d5d7c8aedfd2e0d2c3e187a3db26b608c07addb5206ba6f1f1922ee3d5a689efc5aaf2becc6e6ac83c420f35346eafe9d65d9348c1baaa241f5e90a15b304008d258230edb9225a4f3f2f2c328100f0ae083b64c385bcbec52b1d263317a2543e27e1a8cfbcd425b6f13d4a7b5ba6b0009cdf99125219c29c97a108665880bbd9809857cb4441bb02caaf34f31cf6d2b751d98f3fa7e229f09aeba8da4cc396b132e678f2c3a1a71c4601259cfde243d13b1cabf650d5f5ef2faa3e2925d7bf7b1602f786474aa85600c48bc50d4c2ef126f88da7facc41631d91c7167675c4c7555aeab847095e73daef2b110213ee9abd1f43bcf074bf6214c8daf7ea4bd3dca44cc04dd106d4aa4e17c5556e524273d57621c4dfbad3fac05fbff48ce7479f4a34bf05d009c5aa5dc415403d903f18a62b527b646bb800596264cdd20f8663836e6ee4823eef83fc90b890b2ba1f441d6594e3a2b764202be34a15dc1c1a6399f9055a0751a5eb3eff25257262bf27e5c91d53cc33a8a0e3b4fd4be4954a61e912d02f7e42ca26579456305ef9d5edf57e65109d745cc6526326966ecdcdb23b690fac363d9a4e61501651e97ed3b164ec1d58daf30139fb4f5b856d001c82600084aac2f65a67752b44a64c65a9af1d9d050d884b6d3b0a6e495d08fdc5b67acc63152e6bb7b66558f0bcdd8cd52a3007082462bdf786b2d6596ad3e5d2e4efc80875f819f93377a9d2b7283ebbd98dcf462394b77ce792157b648469effbb6349c0af274eb6b005e71828b351f2aa0320c757374361d9be9e04d30ca24557d44fe0de0ddedcf59c7c22febac138bf5913c53681fcab740e09392a257276cb0a8538201bfd3a238a620fc714c981201755b0c047670cf0e1d2c8f9e116f19d711a5d43a78c77cc1e7084436d322b03b2d9eebda2094b01f61aa09345f870b60366c2e32f7c38bf57e95b7a76f7bd5ed902c9558f4f2b55b87933e043dacfb930dabca2d00ba026735cab72c2d10b9620912e6b48582e2088d919d36f84f2a376558595f434e27da3f516643eba5278009fc0af7585c52a20e333d80644e1800a8f9dbc619ca4d87d873474d27c70e018bbe694bee0928ddb5c2f88ed7b9d1ec75459d6e3d0d8dbc2dda88a0b35b16e443ec86c733d7f8fcc774f7f8400c64758aea438ec1f800fcc70af2511f54e174c101ee72a040028834bfac6bbf78b7c8c5ef1d6a3cca08df064601e4f4cafce2d26d334cd5baa401e89aade3b8dbe256b07b2b15da20ce83136d6a1fcd3a0545398d1a3ff27920df26a4ea53bd46b62eaa12212ab9b48150c7f26cc343939461051a1ed5a717ff7f3f8471c3b1c315cef2fa33f6fed031b480bd05a0b36592b4a061780dd5a1adb76471bf4c768f09dc422891398eabea866ebde0970cd634a8ac85e5ddac09909b00d5b024019dd0809fa622488196bda2c8501cac5415b2f42df1d4cec743b58cd36dd05769ba371e9626715fa6557e44126c0f6e3886c76ee182cdd8db6817ebf57ae3767679d5d347590ae28efa3d51ed844284dd7a3c6b8daf5cf17648bae74621ded8340444a98d36f9f86bd3b7ac5aebe7db2798f6871ee973c4e7146c2e5a6ada7bd4e081317edd6fa82840bb02737b25e2f2d37c145335feaf4bf7bcb863609e344422a75a33377de82db1d2e89156909667494c575afd7a30e570f571f45aa4b3eaa0544cb4971bdeb9495095903c05be6bd3d48b1a0f0eba67bdde5ed1004b270fdd3ca46a849be0c5427384cfb8b8827f36ca276b2e02b1ce4ebb4c3077f2402e08467b14dac8dd9137ff1f20b87d2fafe78b70bd250f273b46f2353606545a595fa8b0afe82ee588c9baeb579a9a0d68231c30317ceb06e2885e0be5bf9307ad62be3cc74ad21126f342474d5bbecf1b9df9efcf5240533ed19c4b952b04b6d2f57ad565596566cbb3d0935a9d7ef6af4215d067e682e7f194a17d7f537abf8509757bdcac47a0d264c089f8d31b8dc6ebd4c51e05a4a380213d72776b7375ef6759070ea6c4b0975ce483b365b1ad8925a7685c21aa1e38303a17a83db2500f2f1202366867a70aee4ffbb7f64f998ee79326a9e7d3f1895d5b39304e1fbe9a4e2a95063514e8db3640f1bc4b1018511512763184c49e69e6219a39aa0c65d9355564398c48bc665faf834e9d3b35e3c2794b8523a06ff580b73e93927c2ee2b5a68e7af12c0df76cfb72f24ba717cffc14592227f5f48726812f6d06e7108c61ff5e68c2a679a2cd1eccb9d6469fede21b6ac2bd188e1ac79e432cfd8fc06cfc2e9985f19ad1e9fc84649bb1d768dc85e9a8c74a283cba8140b3f13ae4e8a0e650abf6e946293d7fd8b3d98eb1a3365c68670eaa851318ea50b5f4ec499207acbf2c1e28e8239dcd832af6c9f050e01bd2d6a65b983b0952343aa5824df5b1dddf24af562a15e1efec94f38018e9e905b620ebaa2d4ecb671c9a668272148a1029020419900c32345fceb45621129206628ddaf4d460d097feb4524a7f543b087f55adaf6ce2404cdec2e0da4073bf158cb061a3cd2e2d6bc193edf35125e6380f3dd2a10269b94626477aa940d7f2c740c08d79ab83bbd5cbdc733d62b6f50ca08eddce08cb46fabb40d81599564756896a8c6b8474b86e194f34bc1664a8245d20358b9aa9b619d6befb9a1d2fa7f87cebce8518d618dc31ca6af00c30c875469990e62fa106756c984e8b384d1bcd169228e1e028b19b7bbe636c966f15f4993fa1d0bbac165b319e11b3bb653ff18c8e8e6e7c26f53a1918460b80c3466ae138301bc263fed9e59ed82488ed37d7ae370b323e2baa836d5bf87e4fade36e8182dd235b0fa38be1156d821048f06ee54707a8bd202d7fb6d73a37dc1079eb0d61249fb57bcdc51ba21a13f80889d270db7747cd95128a547700a32a4fa2c117c328c95ad81c7d57899a2d9cd01d795eb925b6928bc7148f56959a57db262d6c46f5926286ca0cc778179355c3dc0772e203925c72b16894e4eae48b628bacbac2f6d527fad457f167dc7fe20a27217fd253e5fb803a6d587a4177b90fd55e76e7ecea831043145f24160217dc2cdcde68b186eab6c78794d99f25abc4bf0b1b8f64df5b92f5c0583584ba0c7451216f5becba5ed663b49e5e9ba17418515e9b12702930561389aea4ca1d645d493003b88258587ce53f9de6c9bd1d29c39873a520515b7b9b734736eaba21860a5bc5802d524663ea0441e5f1a71417e5af8b036fffcc5aedb09abda12a88bc2c4cc1b3bcccdacece020fc1345809b9d659071021915dbf850f1f5807199d135558e1f37d5608163f3907ce1c0c3216e0468b62c2c5b2d4c026d343bcc6acf9e188bb474bda03331eb8c119b296f780cc4b6d108170849cbf802b85bf3b583a78186d1c76b4035556a5fbdf5b3d95d832265f5283665fb4d650b4c313924fbbd7161ef461887e4ee60ef0d26178c90cd8dd5bac26ca4231b172c86cff288be31b4875a7eaf94414010f1f8ce1ab2ea4a8ae51a4d7876414e04a6399e8b8c12c10de4a59a798ff5932454409a4d64e2cd28fc994aeb1f96ee241c7dc71f20a28e6ea3aac87008a1d071731baa37119377a938b6760e90e6ccf1ba26399ad1c5419722e0961dc16c194f6d8d0c921edcf271d84f1df7f20c9a8b390d7f5bd454181749002426fccf842f25b07c646c78071e6dbbf26c855bba2204e65503c453275d58d830b7fe5e04476fe1d7b88d726e4fee9dfd6f155c1082a6adb3dba9f81633d16d4585f15a71714072c38e97afafb9fdb85e5d18c2fc2be2f85fce80db35190ef850915e216c965b75a5d7b7d75e9436d1496d40f385bad871865b74c95144bbf5f4e733cf39a4667b3517a9b179fd60b6c7d02e4187bf266fbfcd3a555c61880b59ac3179e7248b4b501a1c8a67a87b627443ab9427d91695a1bbca27b09a0e88b2b9968c0f6872b67021dc6b93402699f7be2937fed5f5cc664afe57a68e9ef7811cfbf72116d6a4e050dc56db2a484ae22a2322a4b33aba2fe2d8f270f2ac6175a37fc05f936aa5a9502d718ea0519b063addb687b8a2945b1f7dcc1dc377709117d3c3fcfe406301c74442ad200d8fd72d7dad3a0ef34af37f444f373a6b296acb1c023d307eb9f33476465da6a5d4875b60eaaa6366c1e45c60cd043ed8348ebede7cb58ca8c4b823f0efdf9dcf3a24acbfaa23d9ca964110a656efe948aa8feaa172df11cc749af6d4808d0715c40cfc31ffc83c5dc26eea9b503300cf2821080584ace77c1c22992abd77c257b041bea87edff370bd857516dafcc998c27bfb2899f516e63cad2d4b97b58554d1f457dcb1a43bef41a9f9e00d1f1a9aa5488c006948efcec3e6183448e28ca9ec70f85d4afbc84f742f6d639d64bfd0e2c4721fb746f9f3d50794c5a51b6d8cf74c95396ee57c1131c5caf2bce0314a1a0c0edcae27fbd34ccb6db2f4755679ed7e21fe9fb4b6257afed28c86d9d000a3ad989996fda79cffdd125c36c0108a88215dd7b68e763efd14c8888e5ea7a7cafa842ae419d013e32550d467ec72facba1131a999fb973fdc77d76184c3876fff2220bc3f293baa14fcf8315a5dd87461aa446b1f585bf804f43eeebb45f755a49fd56a37108af205106994b0a30b92d853aca01b08edfdceba37460d785baa842a0e014143a6816943d4c746e339ae22fbcefad54cd876c9721f79cdc707b48b8282616560bb7245952aa5a0a80d0627677ce88296e5e8d91216d91aa6b980299a172456e8713a08f4cf7cb46df2244256f0747905c8f9490d2bc753f29f53eb0e32248d658338153a23586fc06cb41d93545da831cc73a97cac45983144efb09791820b68b5a05cbdb2967b0221be3cdd0bb3e493861cbe2b505cd296d71002ba11e3749f81ce84e4239172eb043ad04d83ab29cbc646f02a21cf22b63e28be274d71697e01d74c40bc0243859c74d2d6fcf45d2e6deae21931eba501007f11136a784e2743fb3b4c58a4c925933fcb6aae70006d7c9947db1d49e8ae26547ec64b77f8e58539800db9254fda6c0de54024a04edded1aa263b933c5db6de29ccd02ecebf204121636ca285a3f1358745ea28ef53b3cd260ef5a3dd5ad9a9f26a7bfc7a6fa68b8026bcdee553011bd9c1411f5138df449916a526f494dfa29d3f4d08fc5d76993cc2dc6a71fb94fae9958c95c684c69adc7a33af55a096ac14cdd99f8dc951e0ad53cb12a6e52c01bef466c313e806008a722e798d278104e056ed8701383c0d6960a85b203ab665be95650f03b45a2ae2b241fe194879cb4fbce18661ad70092fddb5979249a55060ade0148ccdbc5a1c47509199f539fd74e6c705ccec6ee6bcc07ecadfcbda99294ee8ec35fa2072547b3d54e8f339232e80e18e00d01abbefe55119c01084ad075b06fd573901551a1576f4df8c73a6b20160c63d98a8802079aa51391ae4fcf8ce138223547fa09065515756e4184c7f859b8d99f802d31e2da840ad0e13072e2d347dac094e8276249b1cb66b0ea95e79a255348ca1f5d9d6631994272fc1d25a2efb5dc9e5e3315eba7846e276ddb311bca3ecd13ceaf42f258dbad670f9228b9b62c9fc28df72cfc05dbd117d2f9a5f66ac329bfca68fd66af9bf6d49c52a4f5d35185dc7d19e3b1c1d9a4a2ff515a2b7ade65ce7dc7d84e8c7fb2013baa48501bb097e74aaa0f9a10e1ba698a15ad9c501cb1727c225f770b742bc101dcb45a1054e054d39c871c64bf44d3ddbc5ca6c20362e1709c096b554839937e72806ba932bbd348abd9201444423f210907b321d953756751926d59b2c3954c1d321d0a598237657a2b49865a14a21d50d2f7697649893325556ef9de9af181502296d9c9471c29750d00246ca90745bf393e4b40b045ce68351b7ef195c2cedfe60c4a643135d4b1c146a9f764a05588ea388fdbb7e0a07469d003f1c3817fe229d39acf69f9f63f9e9d203e8947f63639e8816d16f87a9062eaea6b1bf2d57f1dc7fb8e511df95bd34fc5f8e9e0fe705785859938ef704947aa68e192f44188ba2387e32acf6c356b0343d6791cc28887e258f855b5f22fd6b0c48f448a85695c19dd9e9d117b1345370fddfc3c0f074b8cda33e8b12b69a70cce686aab2fb702ad970d49058f9bb0195cf9dfc6486a3098c1c409bc66467732a948ee97453be7090beea529173bc69b86f906636c9a89a269d9106093218207e78307ce34b24f61cab92850ae7ae92abd89123d34696e3b86e6daf2cb27ca2e9c3574f3d7bb6f9903bed0d5a76fcf945967c8d02deee5e26023eec937dc4c665a3b95a46fe27a125ac513a1e9b6d97f4572435849683be2bd3a4f973be91a1298011fb9bad90981b351f20f2fecda24b6412bf688cd19331b4448606b86c204e9086bd60e2413474b522787128624ef3ed708f0cf82a474524506e97eaf27c3eee13d88befb324e0ee8cae3bd2f1bec9c95a717842b6fb6dcf74e678a6889f4d306b2889eb40d1eee501055cb0f2b68e6730b59fc89e27d8c0ccbc6dd57da3c990f0b1b7090ca5c5969bb546665d0981463b268bcf2d83725bd61114b66a2d21fa2ba183010f4aa075a2df40d2a4de6c73c56d57a915911752daa98eca7e64e62e72c80bfb4c5176e32ba239ea457ee72ee74960cdf7e91726724483739cd19572d0d14ed600be04bf25b54335315d2b07eddb30542d9d398a44e56d74f15d34dd073c4b87c0f05ac0446690c48e93e8f41085568f41754c27397b077550849265c03eac67ed953975c7a1d123cdd6bfc4da8c16ee85ca322f332d80b8c5638d0f25878d2f9664f43cc4efd190d3c57f2683933bee8d3c3ab25e145841019f657a8887c9691e35b352e1547c35db84fedbcf7b0f8f63982b8174f809f02a9944a79675ce2a6ad7a50a6cc380c386b1e13022bdd9408731354bf2fbd844d26a51758ee37c2090ca5d5c2cedc3490adb2b00beec91f7badceddf00b596da4371c5f21e7869c7d3ef02ebe332a24acc1333832bd64eae04d96eb77ff106a15d6f1275175b9c1e3e87a8017804b740dd544025d8069af671275c96c52fe85c56b0d55c83d127554a4a49cb104fcd1c069d35c600da83e26a785ec86f71190c67785640444e000d89d1b03a3594f2036f951b0ef2c31d9ac6149778615b1f96e9337a791f218b3d90ab77836a52c8ed4fbabbb145aa1e10edc237983538ae6232fd4590221f41cc87a9715ad3501225e44c047839f1149afc50e9f8d8e80ce85529148599305d51c4d84e4ef9e5216b3e1d86b536a36df872b0fbf57804ae7340c4a0f509adac8c646820c1f92dcdc9039b33abe70625331cfe9ad242a4944be9580b962948d7d1c9a8c2eee45c658991d1d9f5a7bd4008efabafcfa8500720ed95a42334e2df5b54ca6f0a6dc65763aadfb64d9ba32bc9a2b1e37e138dbb226dff4f6bc65c08a941129cff7505018c3ac2239ac9da7b3ce6619c23759e194b80eccba88e0bd6d033e15b896aa95b5e8b4fa63e89a41cf7f7a0f8237eb8078fd50408ebe041991d59cad3bd2da59050f3153a68555076b9dbc935bc69d8c6ba4a8497c2ee9031de0148827cffc5fc3df61bf2561679ae8241d3d0abd5dac562aa76b2c4b6e659013036c5b19aaa0bdabf15eeef12af1ee31bf607827b7a9ee7cfcc2dac3dc4d2045d67ecc0e54a948138bfea2488459c39c99f1a7ed5516fcf696815bc33b0704468d0507c26bfda6fd0e733db1239d73b6af42936e7ed4d9022d678706a76e8abdf94b51c9228148ed2cec6c6e10d22678c8a156205450a29cdfc54443018c3bb94000d106cd6d7c5fd98ff0e585854c3862ef19db40be044fe00b5411233a24f2be94d805517e9e55fb370f77eddbadaa9a299db7b704ab9ce9dc4be9a26c35b7f9fa1702836f8e5e4152ae1f27a380b44b66098ed1501e701c871be397da6c0032495450b36f4cd57804a989d71729b566010f1ed19d264b54d5b37a417863853f10e053fc8de35f8c684a488d4811f15c8ae270cb941f50e398f0e119dedaf8e937a72d54467eda18a7d73565bd5c0c694ff22f893acc77f7e500c43c91123e23af9edcee877531b6de04fae474b6c9452c8296433a82f99e46dcd0b6f8a9b13b943231c08598baea98baf13d86f5b5cdb8a2e20409b545272c3cf748d9a87cfac4b0e90d30f0dc401a83c4b564be0b92fd24fb50022c01d092f29562f2a1e6c481dd5f91a957116d7f55cff533b91fadbb8f5d15d38d67b03d7a5d95e380fa419ac06a1d2d4f59884ea6061c5f0660c631eb5fee35865e43381f13efb24791de1b6d69eeea23ca925633b99b5b98d22a0480ae4248174ba2328d9a47342a67db2ea7a9b48775db35c8be5dcc10f7dd84c158dbd4757b33900b164e621f1dbeae885dccc9d0a350b48a1e55f8757c978c34fe34a9bffb272394d6c03873ad6084810ffe8f5d1a3e272d56785f24b52f7b3e5cfc8944a22c9cd32973507497ba35a0462d46f0e674488d47f7d2a52a6921b3bbe9dbaef2958db56c874e6dcccc2499b7078b5c2d4143d964c1410c76426ea2a2160ffa27876dabedbedbb9ab4b00aabf90f8f70f2a851e441622e6b9413967e04c347aab7488f4760d3e8fe1a26b0f84a1ee5eb0aa541c9b8b3fcc5c499ba7bb24babfca2f1edc91a792580846619738a8cd6a956fee442d94992beaaa80e7e6be27f33a03c5e67766e3b04e57670209e22cd0ae0282a1aa7b65f4eeb48168d65ebe60145fb771a250b9f1c8f1d7abd3dc3b62c3bc864e1a4df1e2d36914b8172f2ce840bfe7c07db6205485aee0e095a193e695633bdd2eade76239137193afe18bb5986f03da97a7e0c2a9f4406b92497a6c942e84e72ba6bb7275e435182101c16651ca1d497e61d6bd9e1390c8d100305a890b3d54eac2449a6a261c26b9403257c4253644ada152634a99e20d8f909d753bee656296c2338282f0779330f2db7bf0ad7151ff0b1edca7f4e56ba9a0c1dd35861d43f5b3942445bf5b0df198bb93a3e7d69113d454e849571e5c80b855ab9c1a399291471c5053ab43969298bae96c65f2e0d990973b02bf3c5e4788577f14a7732bb67c9a9ccffc12e65f1fb5aa486e3ffd0f405ef6ef305f41d2e38bfdb9ac9e5d87ceafc0628f23c2fbb211c1b106e4a551f9f04974a1747212061940b2e3161b8a0901b926afa3618ee7f9ab2237a5b96765d201da1432193d54690190ce37b22853b8d8a03eb5a93776cee5903439ab358dc5c921247c92e4ead264b706542b9f66e743452a589efd8ac02b81ac9004252345f20afeb72c2548ad5c85fb428ccd0cd61782b5d84efa18d54f91d8c19ed5f746cb4cb8a0bdc087f3b1f0392ac959c1a04935c9a89145755fb462b34b79cb341150e06a4912157ce4e8e4f7b14b6254e0db2aa7f9c06280b28d32f9b617516d00b79b6445f3278b8fba13e18447070c77508c3c172c9a7bf302f39d9bf938e4fc8c4f3afb97984d7e7654ac7adb783f1cbb408ad80a768da3461cd87920052a16b806c4166c6bb91ca721af5b1249eb25eaf3f5996b3039f9535488d98d826db940109da1bd43abc8a7bda4e94024dd5ab0b65b7d1877fbb48d51484fda02e25571ca87da898572d98292267253e93760993235dc93b211d32324aed6c1e1bfcb6cf2260afe408161558ebd89beb20c957f057c82570db0fe3") r38 = syz_kvm_setup_syzos_vm$x86(r33, &(0x7f0000c00000/0x400000)=nil) r39 = syz_kvm_add_vcpu$x86(r38, &(0x7f0000016800)={0x0, &(0x7f0000016280)=[@nested_amd_clgi={0x17f, 0x10}, @nested_amd_invlpga={0x17d, 0x20, {0x58000, 0x50df}}, @nested_amd_vmload={0x182, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0xf, 0x9a97}}, @nested_amd_invlpga={0x17d, 0x20, {0xfec00000, 0x1781}}, @nested_amd_invlpga={0x17d, 0x20, {0x1000, 0x691}}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, @nested_load_code={0x12e, 0x79, {0x0, "67470f487f05410fc7280f20d835080000000f22d88f2978cb3d080000000f20c035040000000f22c0c7442400d0f60000c744240200000000c7442406000000000f0114240f0095bffb0000b98b0000000f32430f01f8363e3e66440f383c6e0e"}}, @nested_amd_vmload={0x182, 0x18}, @nested_amd_invlpga={0x17d, 0x20, {0x1, 0x2a0c}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x0, @save_area=0x4a9, 0x5, 0xffffffff80000001, 0xd}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_amd_set_intercept={0x181, 0x30, {0x3, 0xff, 0x1, 0x1}}, @nested_vmresume={0x130, 0x18, 0x2}, @wrmsr={0x65, 0x20, {0xc001103a}}, @code={0xa, 0x64, {"c4a1f9e6530066baf80cb83c050c8aef66bafc0cb0eaeec4017a705e4702360f01c9b805000000b9000001000f01d9c48299f774fd26b9490300000f32c4c115faba6736c958b8010000000f01c164430f01ca"}}, @out_dx={0x6a, 0x28, {0xb7cb, 0x1, 0x9}}, @nested_load_syzos={0x136, 0x58, {0x2, 0x2, [@nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @control64=0x2006, 0x6, 0xdd07, 0x5}}]}}, @uexit={0x0, 0x18, 0x8}, @nested_load_syzos={0x136, 0x80, {0x0, 0x1ff, [@set_irq_handler={0xc8, 0x20, {0x6a}}, @nested_amd_stgi={0x17e, 0x10}, @nested_amd_clgi={0x17f, 0x10}, @set_irq_handler={0xc8, 0x20, {0x76, 0x1}}]}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @set_irq_handler={0xc8, 0x20, {0xcd, 0x2}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x96, 0x2, 0x9, 0x2}}, @cpuid={0x64, 0x18, {0x1, 0xffff}}, @code={0xa, 0x6c, {"410f013ac744240072000000c744240203000000c7442406000000000f011c24c7442400c7d2b538c744240239000000c7442406000000000f011c24b8010000000f01c1400f791666b8bc008ec026440f01c5410f01d00f080f09"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0xa2, 0x3, 0x40, 0x3}}, @wr_crn={0x67, 0x20, {0x2}}, @nested_amd_set_intercept={0x181, 0x30, {0x1, 0x8, 0x1, 0x1}}], 0x541}) r40 = mmap$KVM_VCPU(&(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x1, r39, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r40, 0x4) syz_kvm_assert_syzos_uexit$x86(r33, r40, 0x6) r41 = socketcall$auto_SYS_GETSOCKOPT(0xf, &(0x7f0000016840)=0x1000) syz_kvm_setup_cpu$ppc64(r33, r41, &(0x7f0000efc000/0x18000)=nil, &(0x7f0000016ac0)=[{0x0, &(0x7f0000016880)="a600c07f0000e03e0000f7620400f77a0000f7660500f7620005003f00001863000017930000e03e0000f7620400f77a0000f7660500f7620000003f00001863000017930000e03e0000f7620400f77a0000f7660900f7620000003fa3201863000017930000e03e0000f7620400f77a0000f7660d00f762ffff003f4b451863000017930000603c00006360040063780000636400f063600000803c0000846004008478000084640500846022000044e403007c0000003c0000006004000078000000645b9200600003203c00002160000020900000003c0000006004000078000000645b9200600000203c00002160000020900000603c00006360040063780000636400f063600000803c0000846004008478000084645b92846022000044889c7f1385793c110000603c0000636004006378000063640cef6360ae43803c0b6984600400847832d2846464ab84609f20a03ca8eda5600400a578b640a564b1f3a5607295c03ce2a3c6600400c6780ab5c664b456c6607af7e03c4f1ee7600400e7786dafe764735de7606ed4003dea68086104000879843e08652b1e08610f08203d57992961040029792ea52965a33a296110da403d21f44a6104004a796b7d4a651ac94a617ad9603d84786b6104006b79f9f16b6562ee6b61220000448c30803dde998c6104008c79c3848c65c4008c61427ef31308db47fd6310e03fa71cff630400ff7b5816ff6760a0ff6326ffa17f", 0x214}], 0x1, 0x8, &(0x7f0000016b00)=[@featur1={0x1, 0x9}], 0x1) syz_kvm_setup_syzos_vm$x86(r41, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$KVM_EXIT_HYPERCALL(r40, 0x20, &(0x7f0000016b40)="e5b31e151b44d5a7e6d4318c23841cad911cec23f0d39a4bed977a0a13d9f9d106f592bf97ea28b048c1764155a698d413be9712ccb298c0b89ca67076be69d83491ff71bc7733d0", 0x0, 0x48) syz_mount_image$adfs(&(0x7f0000016bc0), &(0x7f0000016c00)='./file1\x00', 0x80828, &(0x7f0000016c40)={[{@othmask={'othmask', 0x3d, 0x6}}, {@uid={'uid', 0x3d, r12}}], [{@smackfstransmute={'smackfstransmute', 0x3d, 'wlan1\x00'}}]}, 0x0, 0x1010, &(0x7f0000016cc0)="$eJwAABD/7+DzLu5nJlfY4S8N7x7c7H1u6LgA+exdzvpOLzQAr7/rfNFAHfnAo2qv5nhO5QygY0GgGz/kSfj6xNYfxXqBteG7nY3Vty0ff23vxTYFz5UfxoeEobtaWv+1og3Yxk2dXn1o6J9IlvClC+R9nWENAi8UlxSASZiae36mhq8Kat6nAIGsC0+v7RYUEprkHeyLogLBn+MVGrdNeyBRrbDI7fMQy4hlDsd0m95OqrFRe5iM1xgZqwl0IMDrI4ZSv0jNKx9QDgV0rEp9L1So8BWushiPyaoTCz4e5Uj2yo8qTDvP2eRW7gNKBKwo7by8nVXMOs5q6SYOm+Iv0Ed+vcWM6nTFc5IcCKlso5ealIwWEVuGuuQLcntNAZUK0mwv1MdzFjUE5VpjCFUzeZ+Bqp6ZJW0ROky4mBP2IQpLyWkgiEeNDedVt0Cm3B5LNG+jOzCiZ2M9O3CSP6t1GXKptT/VKBXzkDe1PLRpcNjlA8RbX38YaiVLOImft3UbIXbJ6UCTwf56q7ri0xqqeaB2pnCyTqqt+4/2nIDcCY2VFHKbYFJiLhMICgn/lJc8JOQwYGp6OwNDTVu705XrFH7dmZ7I440NmPRWgJuf3PdCMNYezlwY2wQELRqQ8B8kFSjZfTgyz8Yg5Zc2+xG4MTaNRZo+JjSh39rorZs0LF1wrjL+8/xkDuEogTjaTnrvieMkLjxLU035BJKNxCGfdOmrYqrpWcQsn0vDpxuoPJyQKh3mDm5R5JllVa/1mJ41oob0oQMPhY7fxQIO5CgOclTrTC3mO9c9byvnmE0nx/oX6jmGDuuCW5EropfqF42lJmLHkixSlv2skDGhmYJkvwcaA3QaS/vpq0NF+CwKZ1yTb1vWiqPVYhq6kAPbzd+BmWbxJyaTCUc60UYku/9J+VLLGkEwgBjps7TEZGT/SjpJ/Kp+/sj4pOzilfGreaDQkRs+p6H3+CUiGT7uGxcegn3yO0D9dl2ZhxBU3AinBTK/+kXFCNs1kGUE+7HuSIzZguM+DYgxNwAqROiwIjcSewciAK2Wf9N9KI0y9VmbOZ1226Nt+2drpFz+eT7YQlDzHdnAEF0C6I3Ws1YBxQHwMmcgVGoi3kc2O4dpn7ShwIvxXyRKbT3d73cG057wE/lV8BKx2BhaAErPjDOQBPG+Yo+kAUvilaZnZwSn8Jl/Il8RVjaOBkKIm+MG8zn3zfsEQLK5nZmIXDY1Y9xY7k4Usib9kOQeGLC9uNH7N+D5GRPwPaIiyY32R4OrZIbQMRm8oggL72pGc6khaPF4ztTXMD0OWAr+FjIe7yRrNKkhlMJGWwV/O2P2ctHc/BEIxpG/+SNj7Y+nJFgpfqzUuRI0mkYxlaYYagpImXAN+kWFhLG9s0OpiMQ1ek2G/7xFDUuQWKDAyJEkjWxxfg7OlTaSfM5N+nHKE0JwqYkZCS/3Z2Yc9lf5QyzJCXNt6lETfjInwK26k5BWgCcRJDUE0+H/MTojXRdG0ky/GPg+rexrA4I5FUDtJGuo+U9iGviyo2anDfFO66SmwkayKqvCmNUcsokvPUX9VychADi26NGVAp6KNFS8rB4WPPs4ccGB/cBpnnIrdx/1VSDon2lIX6j0MP4qw7ANTOiIcyVCTp5d1kAfaZo3QgFDHzlSCor6MpPfSkGDc1X6AN5hNByYPhB+KDKiMY8iEMUQLWLg197oRysm60uJgZnvXypwo2fUAwuHZmFzxSYxVL39XtVy+ZC/zq5oMUJxgGghXOJ3qzbm3t2sl0hiwIpJsIavbCrltLkQbgqO9+gnrcqA/WYisTQqJmFhvF/VeL0uDW4f2JmfV7UK/7pDxcdXqmz51Fc75lwGUzrR9JcaT3RMS+6YSCUJeV7cgjxUjxAE+Mmg8joDl4OBzgKr7Yw0mfkILHHDiQiE0t6ZXyRFjmKpadhripIg9P6vf8H6ig6OQs7XYtR7UrB7UEtD0R9AJawbMG46HQuD1P91pkazs0+MGhbbzsC86JdV+KB6ypwnJi2LAVf2N9SSA94c/LIwNkE+jQvmU8OkJsKGUKfSzX7iKJnB0Pj7N2jIDRQWd+ByCo72c5juv62PcVDeC5nadSbu1qNH0cD93QZyMFiknlhFyBchzcqoJDmxFoPFtv0ajILAdfB3c7I00fgdnwyA1kgs0h805c9xWPYI1MrfwVefG2hkXh5QFWlOqEIH+kGkMGu2GmSHdrWnFANiGCSGwPNbGYPP26HXx1hOTFCX/7mNEtPQ6qFps3rYx0bYtpanB+RaP/D2sMkxjXEptqRsn4bebqtMicNbGFvGxpNGSieHgXvDzdj+jMa8PW+ueRmPh8cT4hGgxRh1I+oZTAj5ZXo43K6x63NGF9Wb9vih651f3BVcllqUwQjmwIs7Eu4rbrP/DwimvGEXUTmmRf3ztR1LcPhpxCn5Yit4GmH/AFOYTNyU0G4u3hcqqJPfT7kTxzB50dbbsAo+YHrHKliCAI1iYFUyS/PaxmtBOJSLxyp9bVmfXTeimZ1/W3m2jmuqR+uUpiNAbTXSzLwuBR6dv7V0jmL1Hez/fZuQGsJwG56GqBfsAENkI0zwdsTsYtUNb2CF/zeI6xDiVU82dP1hgLb0NIQEFMjLFTc4nL+V5aQVJrz03kirusjs0TfxDU7YmVs1qZGpkBeV6VBd4OK7lnJ1GsTp1lJcaUj4kv+/fRJYKLlO5akkR+Z3ztimgaLzbqaqnzi6b0YksDW/O4cElQc3R6Dvt06ScYinuhZKoTH5RRbUi1tXOLJilAvGhSKg0U66qxZ0SP352NG/zhRPjG2uKKpVjVfFNBDLI118dt9BUzHQxw2vQw4dfXZ5Wo/EPxttR6n17xqdTbvpC2EJqVIWLiqXWW8KYauUcvGWAXU5PV8slOLu/acjqsjI4JTDrowX1TO1G8kG78vov2HIYWadyuS3qWee1WJzPHrpfGGPMNV1dqs7H+Lacu9D9NSqrYgTaWrUhSDBHQsCfIHthMB+ixoSL10VCHAu2DEzsn9EUHaaMAheNyuZS2iCZ6Ou8oz56aCLrhm0t5VIKv94CyUr+KPvT1yfIK6+po48KKnXyeWalemDodSW2utjqCaLc3bjlCqyEmbuN047AWByKLJ1CeOtiegd9O/SQ4XfFaln5TDMTNyNvSHk8R7IyHrJxUpd2pbI026b0AbExUkZ1rxWsMgrXM+4Kc+puYlohv14Pip27mVXBmvX8wHm/xcn9cMPmO7AUtI22sX1cfHqmsIV0i+bw8EFJ1C2iRiB9FzzJ13usOTAWSqAt/VBQWFVw8fz/C+rgy4JFpsIyEEU+c7ozzOtGEXZnz1UKH6vnxuWQS82qdcKV+x+SxEhGUCi+E7hgDj+L9uwmYvxSU3ROChcPHbdlSurJ6JdOMpYdBIOd4sxcoubkW4E7gpGjH8v/1qw/bi3GnHWWEp9PHThPs+UvcTiQaNLjaXNy/mygcDnqR91PbrKqFA+lS8evPflnc068rr/5lFm7YLRAgPybtIhMxZ1cSR0Ne+9mKBqu+lvb+mWlAUP+B/QkEFLyd4hDgP3n4B570BA0Ym/AyqZf0OOE7XSRp4JaQDiuYYJn+h1r24mDDe+TKoImpQKwH5YSevAJ7zyifYV83MTBY9hNa8l+CX8XyjOd6f3MVDQBqBwMQ+c8h/FIHvEAKZp0etmEP0SZ4wdI6eENK9Gv38l2Fj1bsQZmNSxepZGFPK13e8vECMVNVPINct7gkpTEa441vJA9B9FMwAOm97YIke5BEPk7QLcrat9bOH0Mv4aNyy4E8Ma0T7Y3I7hW8b+KfmhvFuvz/RAVqy8vH7//qwyxRBdQ1B9nPL1QpynGJfBa+lxlrbafWkZmwn8Nq3Qew4YmsrFI2bREEQi85ZM1cgUkrJVCn9/F6bjj/m88+lyVVKX8ZchUpPg3XiPDYofdlJM9UxywD66ZJL5O0NomZuzB82le7sDmvXgMZwnYlyFiUSip8VW8JBhJMYctzhdH2UdjF/uI4HMF1GdIGCAmdbOft+bqP0CSSYw+G7G56aB+OApIJUBKN/vWYFKKSE3qhrn7islCofanfsBMSBfluYS0ReN/9T59a3ztoJwxIy0Z3IAyu5wn6NzPBepo6caNkGI7BIXmhoihku6wAly4Z41zm7oSm3x3JXFW9rzfOA/zPHwntvnziMbBkZHrsdM0ORaIk3UIeapRxmYoNRxcAzUemH9xyhlGPqIn/gHfDlQqw5ySsh924BD5pxtcdLAtgfkJ28Z7MAjYzSJXcW1pmsyPPu3ZtXcHDwwHA6+K0cXW/AZLz4swCUMy4B8DUZriwqFKAG88SwnDirP7jTHzRdu+bOLPVlcAImA9FZdAgI8QHMgg/9unXANWCMn4GSrM1YRDPNQekOgU48w2idM8EVqbo+YR6I55yuZYhzeNOG2AmPTrlPi/RDRs+91RCbu9xvB9w+y+zQhxCSbrbPBlZJV2KQPZuGQZMTuARhQDXgFnFKG/3qjuD7JC39qBsnyBnaOw9ysYwXFjRBcou7lMr4v+wITsxE6l1jmgciRAdn7CLtMY0H0ZhmqVrV3efe5KhAXXk7/pNYRlmdplCoFl3B8ZCE2ZJq7s13SyPg0cPy5WMQ/1j4NLBfPH/AHXMRh2DBCmj4I5HHOEn7MwydW7LMAzYbQCbyW2sAVx7Yp3sJ5pKRQ7SQiwjxrMR5mOgqQ4aogTr0LvHED4xh5sEpHdFiO2GW4pVEBfU6F5zCyANr9f0tefrSPNaczTct0Q8Doo0w4EwtTSjwux102iX46uWv6pAqZBURzXjWXz6atokVTFKch5TM0yExzYkX7LU2YYxA1c0wNaSu2lbxdx//2jnHmxnIbAaKDp5hLVaiLPnMM7mS56eY0PqPBj0J8AYTLRJBGiQHorAfoig5o8owdtkBtCYU70+CX2lbB/1geky36s/0qdukaxlxcUSdzBgukzD7qTGukVnZReLitvHUUsMmrSGIbvQ0xRx0VZ57PqZRGMlOQbmDujbnoqx+hNZdiwC1hyk74btWRYmANzjNiLm6IFu4YawCjBiIInpA5+8GXxdGQZ6rL39Q3bHU/ZvCyppWJkMyNgW4+rmuUplv6FzbtmHqdq3W1QXKzydm6rkzyKXU50Px/cktZlktrUExSKGSuMEfyYUT83ynuLaiw3obHNSsgVNCl1aSXiiVg2YDudR0oxMdQCn5GxpeFFPA8+N91Xrq9OomvQfpnNN1t9XVvwRMNzORED1ewBIei73znBodVO/0dzssMJbwctCGwCxkSGOwdY0VcyFjaT2aXmcpNOfykGqFYkGjbuy48+REaWwLH+c+qGwRi1FucoafT38WtXBUs+KSJLp/e+Z+opJ0Cf7bRY8YINw+dIpiY7sJy2IywyfPPgGv4y/Q31MrTq9KpTVOzJrMA2esB0gA1tBlbBafPddfjr/QndNIDyMnj6S/ImLD/UIG8ey67/EitGAMBAAD//4vg68M=") syz_open_dev$I2C(&(0x7f0000017d00), 0x9, 0x484580) r42 = getpgid(r16) syz_open_procfs(r42, &(0x7f0000017d40)='net/if_inet6\x00') syz_open_pts(r33, 0x208800) syz_pidfd_open(r19, 0x0) r43 = pkey_alloc(0x0, 0x1) syz_pkey_set(r43, 0x1) syz_read_part_table(0xa3, &(0x7f0000017d80)="$eJwAkwBs/6RRXCBt7GMlTq9EwjPgL5iXkmoXVekSpoe7ibH6oF/5D/ZAK8XpdW8CA5rjuSzcvCA++0N5lxGWHxXxqSl4LLmGp3bnsP5gYb0gZdymHwDFW8VDe5gP/DZ5nimHPbk4LNscZFNeCdt6zcNh8i/TsdVkCZ1V5euwB4WSzV6Wxd/mGwg2gTZ3887ZGxYH5DiblIuYQAEAAP//2jdIgw==") syz_socket_connect_nvme_tcp() r44 = syz_usb_connect(0x2, 0x745, &(0x7f0000017e40)={{0x12, 0x1, 0x200, 0x8d, 0xd8, 0x82, 0x10, 0x1bbb, 0x203, 0xa779, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x733, 0x3, 0xb, 0x1, 0x80, 0x1, "", [{{0x9, 0x4, 0x2, 0x5, 0x0, 0xf, 0xcd, 0x1f, 0xf3, [@cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '<'}, {0x5, 0x24, 0x0, 0x80}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x8, 0x3, 0x1}, {0x6, 0x24, 0x1a, 0x7, 0x6}, [@mbim_extended={0x8, 0x24, 0x1c, 0xc, 0x6, 0x122}, @country_functional={0x12, 0x24, 0x7, 0x8b, 0x7, [0xfff9, 0x5, 0x3, 0xad97, 0x3, 0x0]}, @mdlm_detail={0xac, 0x24, 0x13, 0xb, "784f7bf45593f2145d18e49bc52edb011422491eba8fc40ebed34d5d81304da0a35565ec2036117bec4b01ef8f75c9d54e74b45316d0e1672a97b631729bcb7dc99bde682891bd5954d945f412979ecae7ee086c3650d3f976a990edea932dc3085d9c08f20badcebf87a97ba36151788daa2e6be45675380139cb89a17f95a65c87a272b183873660c9b63cee55c43ae5df58b45fbe08f00a86c6b1dfbd517b7dcdca1c6c75cd37"}, @country_functional={0x6, 0x24, 0x7, 0x1, 0xa}]}, @hid_hid={0x9, 0x21, 0x9a, 0x8, 0x1, {0x22, 0x373}}]}}, {{0x9, 0x4, 0xb8, 0xc, 0xf, 0xc3, 0x47, 0xe8, 0x7f, [], [{{0x9, 0x5, 0x80, 0x2, 0x410, 0xd9, 0xf6, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x5, 0x2}]}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x2, 0x2, 0x6}}, {{0x9, 0x5, 0xb, 0x3, 0x1308e9cbc37c7b4d, 0x6, 0x8, 0x5, [@generic={0x82, 0x11, "45836f6c3f5125725ed5b96b96b2911adb85370ceb5989894bd83417ee42276ce80fe734db8d2d94f2fe8c75bfd042fb632cfa5d5254f9b0fadc885d628a0dc92e274c02cd3be0421b608e2c538de20b208eaaea7b51dc13bdf7f2e00a6cbd3030df9baca667e6ccc42bdc2f5d822a3fc298b060da91265dd01583221a09899f"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x8, 0x4, 0x1, 0xfc}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0xd7, 0x0, 0x0, [@generic={0xf6, 0x22, "67439d731f507017a62ab89eb7118e315aab47bce00cfe092f9b6b6527812c051d98789a341cd8579c0c0f64f353faa641372867640b733bac8b8800b7baf106d03b36b934ebf24e84f554e1489e48416547bb7c90482fa4706467390768598bfddeee37f96a286a2f726ed89e5cfeb0dca14945145d5727fbd9b2949f9528d01e948e6305191bbbdfe60f223ae3a19823ce4a8797df004c048b9c0d793d173e5a39afc5eafe8ed82b45d9ac82fdfd1ef590fa300f32a49684630a4b392ff580eeaeff43c607a95169525530c24b189dee913cf7b9e1c1bafb11771b05c784720c28eb001ad218d0a92c1e32071606734ed956b6"}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0xd57d}]}}, {{0x9, 0x5, 0x1, 0x0, 0x400, 0x93, 0xff, 0x5e, [@generic={0x9f, 0x22, "faae6b7b5cb60baabdbe69da80d6306cc5c48a7eeedd7a47a92b693f17794385e5df43428ff861b389fffa4e903a47cbec60c794d78a7287affd416273fae978b7313ebd0b4ba90d2c47c1a1a66f6a698dcad67c6b40c482a09d3b92c05422f1eeed158be373e6623f40f82b25697f8f7934c60a81a403f22d919166e011d31a6497a0c7a512e4ddd841b5441454c1e15d8a2ab3e78f86a5cf03e792e7"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x1, 0x9}]}}, {{0x9, 0x5, 0x3, 0xc, 0x10, 0xb, 0x3, 0x2, [@generic={0xb1, 0x0, "33e5f9756d19a3eb392ba45b9f381dc2b062ee3ce942a485e678a8ea13f6c9eac74ec9641b119d78a9e36b32327cfb535d6ee402917d7b92a3ef09a79323735dbed9b623ca4b83db0117d537e5c58c6405bb0fe33bda56ba384b95fd4687df0217b223a0a525062ef259591dba73db936a7f85b82dddced8216aa4bc4ed636a57fc6e683e3ceb10a63be63330c0ea4d2a5cff5db4ac71ac10cdce3f5bd50c29ca7d1558dc5ed7f06b21dd7ba9a0dc6"}]}}, {{0x9, 0x5, 0x5, 0x10, 0x8, 0xd4, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x0, 0x20a}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x5}]}}, {{0x9, 0x5, 0x5, 0x0, 0x8, 0x7, 0x7, 0x1, [@generic={0xd4, 0xf, "737d3a4315658a8ffad124ef25692125494e376089b70b3fa63c98d548319145d9a432c0a3a910835f2c89b97e7168de3f5a68fc6d3086b5abbd9cad99b9f57df66d7a2af8b11c90041dd44ea5cb90b08493f1cc38391ab393edca7afe19ada684d62c76028a4283d3f7c4b6a29530b4345f74fedf78709f1a6172ae091c181037aa8d41503c854f5d64a4e1772982edb2faeb1f1a4ffb5f1b62415e46f1bb27374d48245031d050dc5528c7d19e7d9f4f71983984e44a633575f1b792d06db2ada0ca60eb3896c7e517981d567fe7b58ad2"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x5, 0x47, 0xff}}, {{0x9, 0x5, 0xd, 0x4, 0x10, 0x9, 0x9, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x5, 0x1}, @generic={0x84, 0x4, "c25a3fb73a08d8b88a25e396fee4b018b4487bccabbffe8ac964097b47dd926e5cb685c9568c4738e1bc0972ad10f12789a9a8080d7a492630e9a155a12e267604f53773b1f3a603c19d4dc0f4c5ccee5e9571706e990dc862312fb3d26cc37b011d95f3159d13c4ac34ab084c1a0660509ae13fa6f84d6068b33e5ff1da2a32373a"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0xa, 0x8, 0x4}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0x6, 0x4, 0x96, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0xbe, 0xda}, @uac_iso={0x7, 0x25, 0x1, 0x8}]}}, {{0x9, 0x5, 0x8, 0x2, 0x10, 0xb, 0x5, 0x8f, [@generic={0x77, 0x53a54cd3d610e5f7, "e6da6832665e8fc36a0e8f94157f6a5fbd96ba6085fa6cc0de01635150751fa9080a8ce5aaa4e50bddbefe649a9885244d8fd877920b570d6913ac5ef74d87139a81215ace972e769b6e707e2102de593a661d408d0cbce385ecdc66d00e649dd5504e8b1f2aeedf02eb08bd9a2b2102f37927bfb9"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x40, 0x8000}]}}, {{0x9, 0x5, 0xd, 0xc, 0x40, 0x6, 0x0, 0x9}}]}}, {{0x9, 0x4, 0x1e, 0x8, 0x3, 0x90, 0x1b, 0x5d, 0x9, [@uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x3, 0x1, 0x0, 0x35, 0x8}, @format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x4, 0x3, 0x4, 0xf6, 0x80}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x35c6, 0x1, 0x3}]}, @uac_control={{0xa, 0x24, 0x1, 0x8001, 0x51}, [@feature_unit={0x9, 0x24, 0x6, 0x4, 0x3, 0x1, [0x4], 0x8}, @processing_unit={0xb, 0x24, 0x7, 0x4, 0x3, 0x9, "d6e5bec9"}, @processing_unit={0x9, 0x24, 0x7, 0x1, 0x1, 0x6, 'CO'}, @input_terminal={0xc, 0x24, 0x2, 0x2, 0x204, 0x5, 0x9, 0x9, 0x1, 0xd4}, @feature_unit={0x11, 0x24, 0x6, 0x5, 0x6, 0x5, [0x3, 0xa, 0x3, 0x9, 0x3], 0x3}, @extension_unit={0xd, 0x24, 0x8, 0x2, 0x5, 0xfa, "cf521fd9778e"}]}], [{{0x9, 0x5, 0x0, 0x1, 0x200, 0x3, 0x9, 0x6}}, {{0x9, 0x5, 0x1, 0x10, 0x0, 0x7, 0x3, 0x1}}, {{0x9, 0x5, 0x9, 0x3, 0x20, 0xf, 0x4, 0x5, [@generic={0x30, 0x30, "9af3fe7151c3b3ad7bd1a1c8e2ee7c9495bfb52094d1dc13f41f06a76b111ebf9089a2372b323499e81536ed22f6"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0xd, 0x1000}]}}]}}]}}]}}, &(0x7f00000187c0)={0xa, &(0x7f00000185c0)={0xa, 0x6, 0x200, 0xe, 0x7c, 0x5, 0x40, 0x6}, 0xec, &(0x7f0000018600)={0x5, 0xf, 0xec, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x7f, 0x4, 0x10}, @ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x19, "3708892f9f7225be3a6009559965ad74"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x20, 0xc9, 0x3, 0x3, 0x8}, @generic={0xba, 0x10, 0x3, "2a0452f8e56ac2ffaee6cb1fc6faea4298664f032676da02ee36cac0df472c05b6a895c87b06145c8cb2bf1563d915fb7459dfa37e7b010a2307d76ed4c75a0c1962074d24f9836e05df965fdf4e2460076f7f109708230872abfc7b89d4e5e08d5d7b3b28be99666169e4beaa1ed7099d4ead2e0aeab9e01ff1bf20b59a78a6d9852989b4c4732550c70f843daa0c88d82ef806ece508cc9553fe8134cfadc5769bff046dca8f1fe031f25dbae923962256a0d962f081"}]}, 0x2, [{0x5f, &(0x7f0000018700)=@string={0x5f, 0x3, "159faef02b246dab7cba3efc4a7fed8d174bd706d48457f261ad8fe88dc0426fe71a32291ee93575bf347cbfc21323b208f15a792abbf3017092aa8e551fcbd851ca7390612f9e5848738c872b638738755adfa7d432eab1cdf11246e6"}}, {0x4, &(0x7f0000018780)=@lang_id={0x4, 0x3, 0x41d}}]}) r45 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000018800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r44, &(0x7f0000018a00)={0x2c, &(0x7f0000018880)={0x20, 0xa, 0x6, {0x6, 0x11, "11be6906"}}, &(0x7f00000188c0)={0x0, 0x3, 0x4b, @string={0x4b, 0x3, "54f166c504f790b8fd2167ab4d2207faf4e0d9b9068564c8fee82a31e2a56d9b863c4188c802bd1e737993ba22a323795cb0b4f4e94cb796758840f7c88898694a059be76c0285d691"}}, &(0x7f0000018940)={0x0, 0xf, 0x1a, {0x5, 0xf, 0x1a, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0x1, 0x4, 0xa, 0x4, 0x10}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0x6, 0x0, 0x1}]}}, &(0x7f0000018980)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7e, 0x0, 0x2, 0x7, "3c6895ab", "138253ae"}}, &(0x7f00000189c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xe, 0x1, 0xb5, 0x2, 0x6, 0x7, 0x9}}}, &(0x7f0000018e40)={0x84, &(0x7f0000018a40)={0x20, 0xc, 0x2, "d80b"}, &(0x7f0000018a80)={0x0, 0xa, 0x1, 0x7}, &(0x7f0000018ac0)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000018b00)={0x20, 0x0, 0x4, {0x0, 0x2}}, &(0x7f0000018b40)={0x20, 0x0, 0x8, {0x1160, 0x2, [0x1e0ff]}}, &(0x7f0000018b80)={0x40, 0x7, 0x2}, &(0x7f0000018bc0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000018c00)={0x40, 0xb, 0x2, '~s'}, &(0x7f0000018c40)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000018c80)={0x40, 0x13, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x17}}, &(0x7f0000018cc0)={0x40, 0x17, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x3d}}, &(0x7f0000018d00)={0x40, 0x19, 0x2, "b362"}, &(0x7f0000018d40)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000018d80)={0x40, 0x1c, 0x1, 0xfa}, &(0x7f0000018dc0)={0x40, 0x1e, 0x1, 0x9}, &(0x7f0000018e00)={0x40, 0x21, 0x1, 0x8}}) syz_usb_disconnect(r45) syz_usb_ep_read(r45, 0xd2, 0xde, &(0x7f0000018f00)=""/222) r46 = syz_usb_connect$midi(0x0, 0xde, &(0x7f0000019000)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x10, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xcc, 0x1, 0x1, 0x9, 0x0, 0x9, "", {{{0x9, 0x4, 0x0, 0x0, 0x5, 0x1, 0x3, 0x0, 0xa, [@ms_header={0x7, 0x24, 0x1, 0x0, 0x7}, @midi_out_jack={0x11, 0x24, 0x3, 0x0, 0xf5, 0x5, [{0x4}, {0x7, 0x7}, {0xc1}, {0x3, 0x3}, {0x2, 0xc}], 0xd4}, @midi_out_jack={0x13, 0x24, 0x3, 0x2, 0xd, 0x6, [{0x13, 0x80}, {0x2, 0xe}, {0x1, 0x3}, {0x8, 0x7}, {0x7, 0x4}, {0xeb, 0x6}], 0x4}, @ms_header={0x7, 0x24, 0x1, 0x3, 0x7}, @midi_out_jack={0x9, 0x24, 0x3, 0x0, 0x6, 0x1, [{0x2, 0x53}]}], [{{0x9, 0x5, 0xc, 0x0, 0x8, 0x0, 0x3, 0xef, {0xf, 0x25, 0x1, 0xb, "8dca6f86ba1543f9fd5417"}}}, {{0x9, 0x5, 0x1, 0x2, 0x10, 0xa5, 0x8, 0x3, {0x13, 0x25, 0x1, 0xf, "fc2ab7fab02e86b9c83c1a1c2ee5ba"}}}, {{0x9, 0x5, 0xc, 0x8, 0x400, 0x3, 0x0, 0xbe, {0x13, 0x25, 0x1, 0xf, "d9811e1ed3642bab8c2a71bc25bf6c"}}}, {{0x9, 0x5, 0x3, 0x0, 0x3ff, 0x7f, 0x96, 0x7, {0xf, 0x25, 0x1, 0xb, "0ec3b8efc022fc1b474cae"}}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0x18, 0x5, 0x3, {0xe, 0x25, 0x1, 0xa, "e3c106c54a63638a2e82"}}}]}}}}}]}}, &(0x7f0000019280)={0xa, &(0x7f0000019100)={0xa, 0x6, 0x110, 0x2, 0x2, 0x8, 0xff}, 0x3d, &(0x7f0000019140)={0x5, 0xf, 0x3d, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x40, 0xab, 0x3, 0x100}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "5699f3928d2d0a00633f2b02584c016a"}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x0, 0x8, 0x6baa, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x6, 0x0, 0x98}, @ext_cap={0x7, 0x10, 0x2, 0x12, 0x5, 0x3, 0x4}]}, 0x1, [{0xc1, &(0x7f0000019180)=@string={0xc1, 0x3, "b64349de30b23e683c87b0fe59341d26e0e391acdf6ad0571acc05f8e5fcfdc3936c96d99906c4c1e5d9ce59609e60fc394029a19fec981cfde7e9d38c1465f6a04b5b0ee298f5f21e58f71b8f7100d1bc55ca97b1b3ab63485b92e16630ae0c539315c25cefc347d66d80c2531e81af67e179c16966bcb8e998e0cd1b3c2bdc6c049946edb3eaafbbd9b5f0fe7c5925b619e8e7cfce1a62c4d2ac459740065e9f9eb72202c0edae4bfcf5d11b9314581d63e688ec40c037a3c41c0220bb1a"}}]}) syz_usb_ep_write(r46, 0x3, 0x9, &(0x7f00000192c0)="b72534d84209a7a862") syz_usbip_server_init(0x1) csource_test.go:162: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_cachestat #define __NR_cachestat 451 #endif #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t user_addr; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint32_t flags; uint32_t resv1; uint64_t user_addr; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; static long io_uring_sqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_SQE << !!(params->flags & IORING_SETUP_SQE128); } static long io_uring_cqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_CQE << !!(params->flags & IORING_SETUP_CQE32); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0, volatile long a1) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + params->cq_off.ring_mask); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + params->cq_off.head); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; uint32_t cqe_off = params->cq_off.cqes + cq_head * io_uring_cqe_size(params); struct io_uring_cqe* cqe = (struct io_uring_cqe*)(ring_ptr + cqe_off); long res = (long)cqe->res; __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return res; } #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_params_ptr_out = (void**)a2; void** ring_ptr_out = (void**)a3; void** sqes_ptr_out = (void**)a4; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); *ring_params_ptr_out = (void*)setup_params; uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * io_uring_cqe_size(setup_params); uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * io_uring_sqe_size(setup_params); *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < setup_params->sq_entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; char* sqes_ptr = (char*)a2; char* sqe = (char*)a3; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + params->sq_off.ring_mask); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + params->sq_off.tail); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sqe_size = io_uring_sqe_size(params); char* sqe_dest = sqes_ptr + sq_tail * sqe_size; memcpy(sqe_dest, sqe, sqe_size); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_io_uring_modify_offsets(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* params = (char*)a0; char* ring_ptr = (char*)a1; uint32_t params_off = (uint32_t)a2; uint32_t value = (uint32_t)a3; uint32_t ring_off = *(uint32_t*)(params + params_off); *(uint32_t*)(ring_ptr + ring_off) = value; return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } if (symlink("/dev/binderfs", "./binderfs")) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 74; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 56 ? 4000 : 0) + (call == 64 ? 200 : 0) + (call == 66 ? 3000 : 0) + (call == 67 ? 3000 : 0) + (call == 68 ? 300 : 0) + (call == 69 ? 300 : 0) + (call == 70 ? 300 : 0) + (call == 71 ? 3000 : 0) + (call == 72 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[47] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: inject_fault(1); res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/0, /*ring_ptr=*/0); if (res != -1) r[0] = res; break; case 1: memcpy((void*)0x200000000000, "threaded\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000000ul, /*len=*/9ul); break; case 2: *(uint64_t*)0x200000000040 = -1; *(uint64_t*)0x200000000048 = 0; syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); for (int i = 0; i < 4; i++) { syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); } break; case 3: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xf503, /*arg=*/0ul); break; case 4: memcpy((void*)0x2000000000c0, "/dev/bsg/2:0:0:0\000", 17); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul, /*flags=FASYNC*/0x2000, /*mode=*/0); if (res != -1) r[1] = res; break; case 5: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x9360, /*arg=*/0x76ul); break; case 6: syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x111, /*optname=*/2, /*optval=*/0, /*optlen=*/4ul); break; case 7: *(uint32_t*)0x200000000240 = 6; *(uint32_t*)0x200000000244 = 0xa; *(uint64_t*)0x200000000248 = 0x2000000001c0; *(uint64_t*)0x2000000001c0 = 0xfffffffffffffff7; *(uint64_t*)0x2000000001c8 = 4; *(uint32_t*)0x2000000001d0 = 7; *(uint32_t*)0x2000000001d4 = 1; *(uint64_t*)0x2000000001d8 = 0x200000000100; *(uint32_t*)0x200000000100 = 4; *(uint32_t*)0x2000000001e0 = 0xd8d; *(uint32_t*)0x2000000001e4 = 0x40; *(uint32_t*)0x2000000001e8 = 0x42; *(uint64_t*)0x2000000001ec = 0x200000000140; memcpy((void*)0x200000000140, "\x39\x70\x15\x49\x5b\x43\x3e\x06\x2b\x4e\xf5\x49\xb0\x56\xc6\x05\x30\x06\x14\x82\x48\xbe\xe9\x34\xbd\x6a\x20\x8a\x2a\x61\xc7\x9f\x4a\x49\x35\x7e\x53\x65\x38\xe0\x86\x95\x7c\x37\x7e\xd1\xf5\xa6\x46\xb7\x40\x17\xe3\x05\x84\x21\x44\x81\x2e\x9b\xba\x29\x01\xbf\x44\x11", 66); *(uint32_t*)0x2000000001f4 = 9; *(uint32_t*)0x2000000001f8 = 1; *(uint64_t*)0x200000000250 = 0x200000000200; *(uint32_t*)0x200000000258 = 0x3c; *(uint32_t*)0x20000000025c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000240ul); break; case 8: *(uint32_t*)0x2000000003c0 = 6; *(uint32_t*)0x2000000003c4 = 0xa; *(uint64_t*)0x2000000003c8 = 0x200000000340; *(uint64_t*)0x200000000340 = 3; *(uint64_t*)0x200000000348 = 0x72; *(uint32_t*)0x200000000350 = 0x23; *(uint32_t*)0x200000000354 = 8; *(uint64_t*)0x200000000358 = 0x200000000280; *(uint32_t*)0x200000000280 = 0x107c; *(uint32_t*)0x200000000284 = 0x10001; *(uint32_t*)0x200000000288 = 7; *(uint32_t*)0x20000000028c = 0x5e; *(uint32_t*)0x200000000290 = 0x50; *(uint32_t*)0x200000000294 = 5; *(uint32_t*)0x200000000298 = 4; *(uint32_t*)0x20000000029c = 1; *(uint32_t*)0x200000000360 = 0x80000000; *(uint32_t*)0x200000000364 = 0x4000000; *(uint32_t*)0x200000000368 = 0x7b; *(uint64_t*)0x20000000036c = 0x2000000002c0; memcpy((void*)0x2000000002c0, "\x31\x8d\x74\xc3\x26\xf1\xd0\xa1\xdd\xbd\xe1\xb5\x12\x64\xef\x98\xbf\xda\x4f\xb6\x9c\x29\xe7\xe2\x6f\x55\xd0\x0a\xa6\xbd\x24\x97\xe2\x3c\x84\x95\xbb\xc9\x44\x03\xa7\xcb\xa7\x51\x20\xbc\xaa\x83\x2d\xd5\x3a\xee\x8e\xa1\xa6\x6a\x79\xdb\xba\xf3\xf0\xe2\x32\x10\xa9\x00\x05\x9d\xf2\xdd\xac\xa7\x12\x5b\xd9\x0e\xb9\x1f\xa2\xc9\xc8\x10\x9e\xb6\x25\x52\xe9\x0a\x21\x9e\xf9\x66\xdc\xaa\x59\x4c\x33\xa1\xe6\x23\xbc\x0d\x18\xfe\x1d\xb9\x7c\x9e\xb7\xbe\xab\x52\xef\x03\xc2\x1b\xf7\xe6\x14\x49\x52\x66\x87", 123); *(uint32_t*)0x200000000374 = 0x10; *(uint32_t*)0x200000000378 = 0x80000000; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint32_t*)0x2000000003d8 = 0x3c; *(uint32_t*)0x2000000003dc = 0xc; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x2000000003c0ul); if (res != -1) r[2] = *(uint64_t*)0x200000000380; break; case 9: *(uint32_t*)0x200000000500 = 0xf; *(uint32_t*)0x200000000504 = 7; *(uint64_t*)0x200000000508 = 0x200000000480; *(uint64_t*)0x200000000480 = r[2]; *(uint32_t*)0x200000000488 = 0x77; *(uint64_t*)0x20000000048c = 0x200000000400; memcpy((void*)0x200000000400, "\x8e\x46\x8e\x19\xaa\xb0\x47\xd4\xe0\x0e\x0e\xd7\xfa\xe1\x83\x0e\x8e\xaa\x0f\x74\xbf\x5f\x1a\x07\x1c\x66\xa6\xcd\x46\x19\x7d\x7c\x22\xaa\x47\x14\x7d\x72\x3b\xee\x80\x23\x8f\xd9\xe2\x75\xb5\xc9\xac\x9c\x89\x79\xf6\xfc\xbd\x06\x8a\xcc\x94\x69\xf5\x61\xdb\x80\x6a\x72\x0d\x53\xb1\xdc\x48\x32\x0b\x36\x5b\xad\x54\xf0\x4e\x1a\xcd\x0a\xd4\x08\x62\x61\x8d\x0e\x89\x53\xcd\x02\x02\x16\x9e\x15\x49\x39\x2b\xb2\xed\xd0\x7d\x80\xfd\x37\xfc\xe2\xf6\xf8\x48\x01\x3f\x38\x38\x53\x95\x19\x06", 119); *(uint64_t*)0x200000000510 = 0x2000000004c0; *(uint32_t*)0x200000000518 = 0x14; *(uint32_t*)0x20000000051c = 4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 7, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 3, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memset((void*)0x200000000050, 255, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 9, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 3, 4, 12); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0, 0, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0x7ffe, 1, 15); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 4, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 6, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 1, 5); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 7, 1); *(uint8_t*)0x20000000005c = 8; *(uint8_t*)0x20000000005d = 2; *(uint8_t*)0x20000000005e = 0x11; *(uint8_t*)0x20000000005f = 0; *(uint8_t*)0x200000000060 = 0; *(uint8_t*)0x200000000061 = 1; *(uint8_t*)0x200000000062 = 8; *(uint8_t*)0x200000000063 = 2; *(uint8_t*)0x200000000064 = 0x11; *(uint8_t*)0x200000000065 = 0; *(uint8_t*)0x200000000066 = 0; *(uint8_t*)0x200000000067 = 1; *(uint16_t*)0x200000000068 = 0x70; memcpy((void*)0x20000000006a, "\x38\x74\x97\xa6\x98\x41\xa2\xe5\x28\xb4\xf2\x99\x12\xf3\xdd\x10\xb5\x0b\xa5\xa1\xe1\x70\xcc\x5b\x6d\x1c\x7a\x78\xf5\x7a\x5e\x0f\xcc\x9b\x2e\x9a\x5e\x87\xd2\x55\x16\x58\x0e\xa1\xf2\x23\xf1\x31\x7f\x86\xec\xc3\x91\x17\xcf\x0e\x53\x5c\x2e\x2b\xef\xcf\x11\xff\x81\x99\x9d\x1b\x87\xd9\xb1\x98\xc8\x03\xd7\x2a\xd7\x24\xe9\x4c\x78\x3c\xca\xc7\x76\x3a\xd3\x4e\x6f\x74\x91\xb3\x63\x7c\xe2\xf4\x66\x77\xa7\x61\x28\x73\xed\x0a\x3f\xb6\x4c\x0b\x3d\x78\x50\x3b", 112); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x9c); break; case 11: memcpy((void*)0x200000000100, "wlan1\000", 6); memset((void*)0x200000000140, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000100, /*ssid=*/0x200000000140, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000180, "bpf_lsm_path_link\000", 18); syz_btf_id_by_name(/*name=*/0x200000000180); break; case 13: memcpy((void*)0x2000000001c0, "\x49\x98\xde\x6d\x85\xea\x9e\x09\x84\x15\x17\xb6\x1c\xe2\x2a\x88", 16); memcpy((void*)0x200000000280, "\xb9\x66\x2d\x10\x0f\x99\xf4\xe9\x1d\x1d\xe2\xc9\x80\xce\x45\x99\x94\xb0\x46\xbf\xe0\x6b\x9a\x28\xc6\x0d\xea\x96\x80\xab\x4b\xcc\x3f\x5d\x33\x97\xa5\xa2\x51\xd7\xba\x76\x93\xb7\xeb\x37\x17\x7d\x03\x0a\x2b\x3f\xce\x8a\x23\x2e\x5b\x03\xf1\x0a\x94\x80\x52\xee\x90\x7f\xb3\x2f\x57\x5b\x23\x10\xfa\xe9\x91\x07\xf9\x5c\xca\xb7\x14\x72\x2f\x59\xec\xdb", 86); res = -1; res = syz_clone(/*flags=CLONE_NEWNET*/0x40000000, /*stack=*/0x2000000001c0, /*stack_len=*/0x10, /*parentid=*/0x200000000200, /*childtid=*/0x200000000240, /*tls=*/0x200000000280); if (res != -1) r[3] = res; break; case 14: memcpy((void*)0x200000000540, "./cgroup.net/syz1\000", 18); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000540ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000580 = 0x200; *(uint64_t*)0x200000000588 = 0x200000000300; *(uint64_t*)0x200000000590 = 0x200000000340; *(uint64_t*)0x200000000598 = 0x200000000380; *(uint32_t*)0x2000000005a0 = 0x22; *(uint64_t*)0x2000000005a8 = 0x2000000003c0; *(uint64_t*)0x2000000005b0 = 0xb3; *(uint64_t*)0x2000000005b8 = 0x200000000480; *(uint64_t*)0x2000000005c0 = 0x200000000500; *(uint32_t*)0x200000000500 = r[3]; *(uint64_t*)0x2000000005c8 = 1; *(uint32_t*)0x2000000005d0 = r[4]; res = -1; res = syz_clone3(/*args=*/0x200000000580, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000340; r[7] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000600, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000600); break; case 17: *(uint32_t*)0x200000002fc0 = 0x8001; *(uint32_t*)0x200000002fc4 = 0xee00; *(uint32_t*)0x200000002fc8 = 0xee00; *(uint32_t*)0x200000002fcc = 0xdaf9; *(uint32_t*)0x200000002fd0 = 0xd56; *(uint32_t*)0x200000002fd4 = 6; *(uint16_t*)0x200000002fd8 = 7; *(uint64_t*)0x200000002fe0 = 0x200000002f40; *(uint8_t*)0x200000002f40 = 6; *(uint64_t*)0x200000002fe8 = 0x200000002f80; *(uint8_t*)0x200000002f80 = 8; *(uint64_t*)0x200000002ff0 = 9; *(uint64_t*)0x200000002ff8 = 3; *(uint64_t*)0x200000003000 = 6; *(uint64_t*)0x200000003008 = 7; *(uint64_t*)0x200000003010 = 0x101; *(uint16_t*)0x200000003018 = 9; *(uint16_t*)0x20000000301a = 3; *(uint16_t*)0x20000000301c = 7; *(uint32_t*)0x200000003020 = r[6]; *(uint32_t*)0x200000003024 = 0; res = syscall(__NR_msgctl, /*msqid=*/0xab1, /*cmd=*/0xbul, /*buf=*/0x200000002fc0ul); if (res != -1) r[8] = *(uint32_t*)0x200000002fc4; break; case 18: memcpy((void*)0x200000003040, "./file0\000", 8); *(uint64_t*)0x200000003080 = 0xfffffffffffffffb; *(uint64_t*)0x200000003088 = 2; *(uint64_t*)0x200000003090 = 1; *(uint32_t*)0x200000003098 = 7; *(uint32_t*)0x20000000309c = 0xee01; *(uint32_t*)0x2000000030a0 = -1; *(uint32_t*)0x2000000030a4 = 0; *(uint64_t*)0x2000000030a8 = 0x74ff; *(uint64_t*)0x2000000030b0 = 4; *(uint64_t*)0x2000000030b8 = 9; *(uint64_t*)0x2000000030c0 = 5; *(uint64_t*)0x2000000030c8 = 0xc50; *(uint64_t*)0x2000000030d0 = 3; *(uint64_t*)0x2000000030d8 = 0xd; *(uint64_t*)0x2000000030e0 = 5; *(uint64_t*)0x2000000030e8 = 0x1650; *(uint64_t*)0x2000000030f0 = 4; memset((void*)0x2000000030f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000003040ul, /*statbuf=*/0x200000003080ul); if (res != -1) r[9] = *(uint32_t*)0x2000000030a0; break; case 19: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000031c0ul); if (res != -1) r[10] = *(uint32_t*)0x2000000031d8; break; case 20: *(uint32_t*)0x200000003500 = 6; *(uint32_t*)0x200000003504 = 0xee01; *(uint32_t*)0x200000003508 = -1; *(uint32_t*)0x20000000350c = 0xe; *(uint32_t*)0x200000003510 = 0x101; *(uint32_t*)0x200000003514 = 0xf1; *(uint16_t*)0x200000003518 = 0x40; *(uint32_t*)0x20000000351c = 0x287c; *(uint64_t*)0x200000003520 = 0x6a1a; *(uint64_t*)0x200000003528 = 2; *(uint64_t*)0x200000003530 = 9; *(uint32_t*)0x200000003538 = r[3]; *(uint32_t*)0x20000000353c = r[6]; *(uint16_t*)0x200000003540 = 0; *(uint16_t*)0x200000003542 = 0; *(uint64_t*)0x200000003548 = 0x2000000033c0; memcpy((void*)0x2000000033c0, "\x05\x69\x76\xa5\x86\x33\x69\x6b\x63\x36\x7a\x4c\xb4\x88\xb1\x6c\xe8\x5e\x89\x94\x3e\x5f\x09\x28\xec\x40\xd6\xd8\x93\x80\x7f\xa6\xc4\x4c\x5d\x38\xda\xab\x11\x84\x33\xa7\xe8\xf1\xc4\x6e\x1f\x06\x0f\x28\x16\x5f\x41\xad\xb8\xe6\x79\xcd\x9e\x46\xac\x38\x47\x74\xe5\x6b\xca\x18\x80\xa6\x90\xfc\x3f\x8e\xd5\xf1\x24\xdd\x98\x46\x7a\x33\xbb\x40\xcf\x19\x1c\xfb\xb9\x59\x0f\x59\x17\x9b\xb6\x11\xcc\xe7\x89\x22\x59\x22\xa0\xef\x4f\x22\x86\xf8\x7f\x84\x72\x14\xfe\x25\x61\x8b\x98\x9a\x05\x01\xe7\xec\xa7\x17\x0a\x39\x13\xbc\x68\xb4\x53\x99\x66\xe2\x89\xff\x94\xac\x31\xe8\x82\x36\x68\xbd\x04\x99\xd0\x9b\x05\x5c\x41\x41\x0b\xa2\xf2\x10\x1a\xba\xf7\x15\x53\x99\xf9\x7e\xe9\x24\xe9\x27\x7e\x6f\x54\x81\x9f\x12\xfe\xf3\xc5\x76\x93\x78\xb3\x44\xb6\xff\x64\x09\xed\xc5\x78\xc6\xc9\x3a\xcc\xb0\xf0\x8a\x5d\x8f\xfc\xab\x30\xcd\xbd\x71\x3d\x1b\x93\xee\x7b\x8e\xef\xdf\x77\xea", 214); *(uint64_t*)0x200000003550 = 0x2000000034c0; memcpy((void*)0x2000000034c0, "\x02\x0c\x5a\x2a\xf3", 5); res = syscall(__NR_shmctl, /*shmid=*/0x81, /*cmd=*/2ul, /*buf=*/0x200000003500ul); if (res != -1) r[11] = *(uint32_t*)0x200000003504; break; case 21: *(uint32_t*)0x200000004640 = 0x35cdee94; *(uint32_t*)0x200000004644 = 0; *(uint32_t*)0x200000004648 = -1; *(uint32_t*)0x20000000464c = 3; *(uint32_t*)0x200000004650 = 6; *(uint32_t*)0x200000004654 = 2; *(uint16_t*)0x200000004658 = 0x80; *(uint32_t*)0x20000000465c = 3; *(uint64_t*)0x200000004660 = 8; *(uint64_t*)0x200000004668 = 0x7ff; *(uint64_t*)0x200000004670 = 1; *(uint32_t*)0x200000004678 = r[7]; *(uint32_t*)0x20000000467c = r[5]; *(uint16_t*)0x200000004680 = 9; *(uint16_t*)0x200000004682 = 0; *(uint64_t*)0x200000004688 = 0x200000003580; memcpy((void*)0x200000003580, "\xcd\x05\x2c\x20\x6f\x36\x8b\x4a\x7d\x16\xe2\x8c\xd3\x6b\x1e\xa6\xd1\x0d\xab\x70\x17\xb7\xd0\x85\xea\x27\xb3\xe3\x38\x9d\x76\x0d\x22\x77\xe2\x0f\xeb\xc6\x86\xf3\x59\xd6\x08\x3a\x62\x9e\x79\x81\x08\x9e\x04\x19\xc7\xb5\x62\xdb\xbd\xc2\xe6\x7c\x1e\x95\x10\x4a\x39\x05\x49\xc9\x37\x1a\x43\x45\xf2\xaa\x7d\x84\x58\x09\x4c\x60\x75\xb8\x4d\x11\x48\x6d\x27\xbf\x68\x23\x3b\xb4\x57\xeb\x10\x6b\xab\x49\xa3\xfa\xd2\x99\xb5\x90\x02\x5e\x4f\xb5\xe4\x3c\x71\x2a\xd8\x91\xf3\x91\x38\xbd\xb9\x22\xea\x9d\x21\xb7\xcf\xc7\xc3\x43\xf9\xa2\x14\x96\xc6\x69\x22\xca\xb8\xe6\x65\x35\x33\x7a\x89\xa7\x17\xc3\x54\xbf\x18\x46\xb5\x06\xc2\x34\xa3\x09\x3d\x72\x8c\x6b\xaf\x27\x2a\x6f\xa5\x15\x3d\xc0\x39\xf8\x7e\x0a\x36\x74\x4e\x1f\x80\xf2\xaa\xc0\x30\xe2\xf8\xae\x6a\x7d\xbc\xd3\xf1\x7b\xc6\x8a\xd0\xb6\x1c\xe3\x12\x12\xc4\x6e\xdd\x61\x5d\x57\x1b\x33\x8e\x22\xc0\xed\x5d\x26\xf7\xbb\x2f\x36\x5e\xcb\x2c\x43\x26\x47\xa7\xc6\xd7\x75\xb0\xe4\x1d\xb9\x28\xf9\xe7\xb2\xaf\x72\xd6\x90\xac\xf8\xb2\xad\x8c\x2e\x00\x05\x05\xb6\x95\x2c\x4a\xb9\xe2\xa8\xec\xd0\x7d\xe4\x4b\x2b\x48\xaf\x7b\x89\x46\x96\xae\x56\x7b\x6d\xd0\xa1\xf9\x9b\x00\x7a\x8f\xcf\x41\xdb\x20\x82\x7f\x58\x32\x5a\x9e\x88\x12\x35\x44\x25\xbd\xcc\x3f\x81\xf2\xd3\x86\x3d\x77\x77\xfd\x80\x36\x0e\xb8\xb9\xe7\x7e\x47\x05\x9a\x1d\x22\x65\x73\x3c\x4a\x8a\x06\x3b\x45\xed\x0b\x8c\x24\x81\xe1\xcd\xea\xfd\xdc\x5f\x42\xc9\x31\xb3\xd3\xe7\x10\xe4\x53\x8b\xba\xd8\x15\x47\x9c\xd9\xaf\xdc\x5c\xb4\x47\x23\x02\x6c\x4b\xc0\x06\xe2\x56\xf6\xf4\x27\x04\x2c\x67\x65\xa3\xb2\x53\xe9\x35\x6c\xa1\xce\x45\xd9\xd8\x3d\x5e\x11\x19\x28\xb4\x7a\x8a\xb8\x42\x2b\x37\xe8\xc3\x82\x43\x68\x62\xc9\x44\xe0\x8e\xbb\xad\xd1\xa3\x36\x86\x21\x9a\xb8\xcf\x99\x5c\x12\xa7\xab\x70\x85\xa7\x9a\x7d\x1e\xc3\xc6\xcd\x73\xa4\x43\xcf\xce\xac\xba\xca\x1d\x7f\xc0\xcf\x34\xd5\x8c\x92\x77\x88\x1f\x98\x37\x46\xff\x62\xfe\x41\xd0\xf4\xf7\xa1\x2f\xf4\x4f\x4b\xa5\xbf\x7d\x89\x35\xbf\x09\xa8\x8a\xd9\x8e\xa8\xa9\x12\x4d\xe1\x78\xc2\x8a\xcd\xf1\xba\x1a\x97\x34\xd6\xc2\x25\xda\x59\x1c\x22\x9d\x31\x3f\xcb\xda\x81\x0b\x0f\x10\x57\xb0\x73\x0a\x95\x72\xa8\x07\x75\x8d\xef\xb5\x79\xdb\x3a\xd0\x21\xac\x31\x6f\xb7\x44\xa1\x58\x2c\x16\x25\x6e\xa1\xc6\xbf\xa2\x6c\x73\xaf\x1e\x2b\x6c\x4b\x8e\x7e\xf3\x29\xe7\xca\xd7\xdb\x91\x79\x9d\xc0\x44\xae\xcc\xe5\xf0\x6e\x80\x3a\x4d\x85\xbc\xf5\xf4\x5d\xc0\x15\xd1\x3e\x3f\x2c\x18\x92\x09\x9e\xe6\x53\x77\x7c\xa5\xf6\xc9\x2e\x41\xf4\xe3\x0b\xa3\x0f\x83\x27\x03\xdf\x08\xa4\x16\x75\x2b\x83\x1b\x46\xc5\x65\x63\x82\x0f\xce\x5e\xd3\x42\x1e\x9b\x2e\xd0\xa1\x9c\x64\xe9\xb2\xbb\x80\x81\xea\x08\x25\x5f\xda\xd2\xf2\x35\xe7\xba\xc6\x8f\x94\x6b\x34\x27\xa4\x4a\x75\x8e\x78\xda\xdd\x8e\x42\xa9\x09\xa7\x78\x51\xbf\x66\xb0\x1e\x42\x7c\x2f\xed\x94\xff\xee\x1d\x65\xe2\x17\x53\xb3\x9b\xce\x8d\xaa\xc6\xd6\xf1\x16\x96\xe0\x03\xa5\xf3\xc2\x1b\xf9\xd1\xcb\xf4\xbd\xb8\xf3\xcf\x5a\xe5\x42\xfe\x7b\x25\x5f\xb5\xae\x7b\x18\x4f\xb5\x9d\xb7\x35\x50\xd2\x93\x25\x42\x77\xb4\xf9\x4a\x71\xc9\x3a\x90\x9b\xbb\xfa\xf3\xdf\x95\xc3\xe7\xc4\x17\x0f\xe8\xb9\x1f\x9e\xcb\x86\x73\xcb\x54\x92\x75\x0e\xdf\x45\xc7\x6a\x20\xd9\x4e\x21\xb0\xd3\x61\x4d\x3a\x99\xf7\xc9\xe3\x97\x8f\xaf\x09\xe0\x67\xf6\x49\x26\x20\x4c\xd0\x90\xa9\xf1\x15\xcb\xe7\xf7\x27\xf5\x80\x99\x76\xaa\xbd\x33\x7e\x8b\x2a\xee\x42\xa9\xbf\x68\xe2\xfc\xcd\x41\x52\xb3\xd9\x83\x11\x49\xd4\x0c\x75\x46\x9f\xd9\xb0\x3f\xe1\x86\x0d\xc1\x92\x0a\xc7\xd8\x69\xed\x88\xd4\x14\x8c\xb7\x46\xf5\xeb\x32\xa2\x76\x1e\xed\x44\x73\xc5\x43\x15\xd0\xd9\x10\x44\xb6\x2a\x14\x53\x7c\x82\x5c\x8c\xf5\x78\xfb\xd6\x8c\xf8\x74\x8d\x67\x72\x2e\x27\xb8\x1f\x9f\xbc\xc1\x32\x71\xc2\x33\x35\x05\x7c\xab\xce\xd8\x62\x12\x5f\x76\x4f\x53\x21\xf5\x96\x43\x51\x43\x92\xb7\x2e\x2d\xe3\x2b\x1a\x54\xe4\x09\x6e\xf7\x3d\x06\x92\xec\x6a\x36\x5c\x03\x5d\x0c\xbf\xdf\x77\xac\x65\x0e\x7d\xe4\xc3\xdc\xc5\xa2\xf6\x0c\x4e\x08\x53\x6e\x75\xcc\xd8\x1a\x41\x42\x5a\x1d\xe4\x4e\xa2\x75\xba\xaa\x2a\x7c\xd1\x6e\xf6\x4b\x41\xcc\x71\xf8\x56\x86\x12\x17\xbf\x24\x3e\x8f\x61\xc8\x99\xf5\x6f\x4c\x64\xe1\x16\xe0\xbb\x02\x09\x86\xec\xa1\xf2\xa0\xd8\xfe\x1a\xb5\x13\x0b\x63\x9a\x7d\xb4\x1b\x54\xfd\x26\x2a\xc8\x58\x45\x2a\x2c\x79\xd8\x2d\x99\xae\x59\x79\x57\x17\x01\xdb\xb3\x0f\xc7\xae\xdf\x23\x7d\xc7\x85\xbe\xa7\x57\x6e\xde\x6c\xfe\x60\xc5\x3d\x88\xdb\x5e\x7d\xb5\x9b\x32\x14\xc8\xe7\xf0\x81\xa6\x1d\x3b\x69\x9e\xeb\x80\x2e\x6e\xf4\xe2\x98\xb8\x7a\xb2\x2a\x20\xbb\x1f\x3e\x8e\x4f\x7f\xe5\x6c\x31\x8d\x4b\xfa\x3e\xb3\x12\xb9\xf3\xe7\x59\x57\xbf\x62\x64\x7e\x30\x9c\xa0\xa5\xf6\x69\xcd\xed\xb2\xc3\x09\xaa\x72\x45\xcc\x83\x20\x77\xf6\x41\xb2\xce\xce\x61\x4f\x09\x38\xec\x1d\x45\x66\x00\xfa\x30\x06\x4f\x24\x9e\x2f\x8e\xfb\xac\xbd\x9d\x2e\xb9\x0e\x99\xfc\x09\x38\xed\xca\x24\x92\x4e\xda\xed\x9f\xbc\x50\xb1\x29\x2e\x64\x75\xa5\xb4\xf3\x8b\xfd\x37\x94\x01\xee\xda\x87\xb2\xd1\x7d\xe0\x3c\xeb\x23\xd7\x88\xdb\x69\xb5\x48\xae\x24\x56\x98\x9b\x8a\x51\x89\xd3\x80\x02\x03\x89\x0e\xb9\xa0\x49\x1a\x20\xf4\x46\x03\xc8\x81\xff\xb0\x64\x7e\x7f\xf2\x91\x13\x9e\x80\xa5\xc4\x6a\xeb\x43\x22\xe5\x93\x56\xd9\xfb\x1e\x6d\xd3\xdf\xfe\xfd\x4d\xf3\xe3\x5e\xac\x72\xf2\x92\x17\x74\x77\x1b\x8e\x28\x8a\xdb\x81\x8c\x85\x60\x55\x4a\x7a\xe3\x64\x7a\xe4\x9b\xaa\x80\x77\x6b\x74\x7a\xbc\x82\xdc\xf9\xe4\x08\xe8\xfd\x14\x47\x2d\x3a\x5d\x7e\xe0\x14\xa7\xba\x43\x74\x30\x6a\x6e\xad\xe2\xdf\x58\x03\x89\xca\xd9\xf5\x48\xbc\x42\x76\x9b\x27\xc8\xc4\xae\xfd\xdb\xea\x9c\x3d\x89\xd9\x96\x05\x51\xcf\xcb\xfe\x37\xc2\x14\xcb\x5f\xb3\x1d\x98\x35\xf1\xf8\xa8\x85\x7e\x53\xb3\x6e\x91\xbf\xe3\xa2\xe3\x55\x9d\x38\x38\x05\x0a\xfd\x13\xbf\xc6\x92\x45\x87\xc8\xd2\x2c\x21\xc2\xdf\x3c\xb2\xa0\xe0\x6f\x01\xf2\x31\x03\xc4\xb6\x95\x5a\x98\x5a\x7b\x26\x34\x7a\x6a\x9d\x17\x8e\x83\x5e\x77\x53\x65\xd4\x1f\xe3\x44\x3a\xe7\x99\x70\xda\xc3\x82\xa3\x2a\x59\x7c\x3d\x56\x7d\x05\x11\xb5\xdc\xdb\x4e\xbd\x12\x71\xdb\x6e\x67\x5a\x4f\x34\x3f\x95\x01\xf1\x0a\xb4\x72\x37\x38\xbe\xbb\x63\x66\x24\x1c\xd6\x02\x67\x3f\xf9\xc7\x69\x12\xde\x61\x41\xc5\xcd\x4f\x2e\xf9\x5e\x7e\xfd\x66\xdd\x51\xb5\x65\xdd\x50\x03\x5f\x8f\x7e\x86\xb5\x76\xd5\x12\x94\x81\xae\x75\xf7\xa9\xb7\xcf\x03\x3a\x40\x25\x02\xd5\xd1\xb5\xaa\x41\x15\xba\x1b\x84\xf7\xf2\xcc\x28\x4e\x3f\x63\x6a\x23\x4f\x40\xe0\xaa\x11\x8c\x8f\x9d\x0c\xe6\xfb\x7e\xe6\x13\xcc\x2f\x1c\xc7\xec\xc2\xe2\x64\xb2\x57\x3a\xc3\xdc\x26\x4a\xaa\x27\x64\x3a\x48\x3a\x1c\xb3\x8e\x2b\x02\x37\x77\x5e\xca\xed\x62\x6f\x7c\xb8\x9b\xc5\x63\x49\x2f\xfe\x1e\x5a\xe6\x40\x1c\xd8\x2a\x9a\xd0\xfb\xc3\x2f\x7b\x5b\xd3\x02\x9b\xda\xb7\x2a\x8d\x47\xf3\x4b\x37\x01\x1e\x9f\xba\x52\x07\x5a\x56\xb8\x9f\x29\x63\xed\xca\x79\x69\x30\xa4\x99\x8c\x75\x5d\xa0\xd2\x51\xda\x98\x5a\x18\x29\xcd\x10\xce\x76\x65\xd2\xb3\x64\x77\x6b\xd6\xc7\x6e\xf9\x97\x8f\x80\x0b\x45\x3f\xa7\xc2\x70\x48\x38\xdd\xe0\x5f\x2f\x64\x89\xf3\x1e\x35\xf6\xd7\x31\xc2\x67\x8f\x32\x85\x07\x0f\x29\x7c\xb3\xbc\x03\xc0\xa0\x12\xb2\x2f\xca\x31\x29\x55\x76\xac\xc3\xe6\x79\xbb\xcb\xa5\xfc\xeb\x7e\xe7\x69\x27\x49\xfc\xc5\x84\x95\x61\x4e\xb4\xa7\xf3\xa1\xfa\x7f\x21\xa6\x55\x17\x2d\xa2\x8c\xa9\x16\x29\x2d\xc7\x48\x48\x34\xc3\x1a\x3e\x5f\x54\x91\x2f\x10\x27\x1d\x58\x67\xe5\x7b\xc4\x64\x66\xd7\x81\xbb\xb5\x02\xef\x32\xed\x8b\x2b\x44\x52\xa5\x8e\x21\x2e\x7d\xb8\xae\xe5\x73\xdc\x62\x52\x14\x2e\xc5\xbf\x26\x83\xde\xd9\xa5\x8b\x60\xcf\x78\x83\xef\x04\xbd\x50\x2e\x3d\xf2\xd6\x21\xbe\xc0\xe7\xfc\xaf\x67\x26\xe8\x4f\xb1\xc6\x95\x37\x22\xc7\xb8\x52\x3d\x4c\xb6\xe4\xb5\x5b\xc3\xd1\x96\xc7\x93\xc4\x48\x58\x81\x4b\x02\x9e\xb2\x3e\x8f\x80\xb6\x6a\xef\xdd\x8b\xe2\x15\x41\x22\x86\x08\x85\x2f\xc3\x54\xf7\x56\x05\xae\xef\xb8\x28\x97\x1d\xef\xa6\x8e\x28\xcd\xc6\x94\xb2\x4f\x2f\x46\x1c\x70\x7d\x27\xb9\x8d\xa4\x00\x0f\x9c\x82\x3e\xbb\x33\x84\xc5\x0d\x6e\x41\xe5\xdd\xaa\x60\x1b\x69\x6f\x41\xa9\xba\x4f\xee\xe0\x88\x52\x87\x4b\xf0\xe3\x1d\x20\x15\x28\x95\xe1\xda\x84\xa9\x4d\x52\x9a\x19\x4b\xe5\x3a\x88\x63\x04\xe7\xe3\x60\xa6\xa4\x0d\x2d\x40\x74\x90\x5b\xbf\xd0\x6e\x37\x13\x37\x5b\x31\xbc\xca\x23\xf4\xdb\x67\xda\x9b\xf6\x92\x0a\x5b\xb4\x48\x85\xdc\xc3\x08\x6c\xa7\x89\x5c\x10\x69\xdd\x35\xf1\x89\xe5\x7c\xe6\x0f\x8e\x0b\x0b\x5d\x33\x7b\xd6\x69\xd3\xde\xac\x1f\x01\x15\x57\x0a\x5f\xa6\x50\x5f\xac\x83\xc6\x21\xc4\x6f\x69\x3d\x84\xdc\x77\xe2\x14\x8e\x88\x7a\x82\x2d\x86\xc8\xc0\xff\x4c\x00\x48\x5c\x7f\x37\xa5\x19\x8c\x69\xc8\x81\xc1\x58\xb7\x44\xfd\x09\xcc\x76\xc0\x57\x4f\x4a\xca\xad\x64\x62\x04\x55\x27\x74\xe9\x8e\x17\xc3\x99\x8e\x34\xe7\x56\x28\xda\x26\x30\xa5\x31\xcf\xe9\x27\xd3\xc5\x5e\xf0\x2d\xf3\x37\x7e\xab\x25\x14\x35\x89\xa5\x0a\x07\xa3\x29\x06\xe7\x14\xea\x42\x58\x4b\x3d\x69\xd7\xdd\xda\x2f\xc0\xfa\x48\x6a\x0e\x93\xba\xf7\x8f\xf1\xb3\x5d\x98\xc0\x82\x38\x41\x23\x0a\x26\xb5\x21\x20\xa4\x45\x11\x5a\xdb\x78\xd8\xfd\x99\xb7\x1a\xb8\x6b\xd2\x7a\xae\xcd\x16\x59\xe8\x9f\x99\xef\xa5\x4f\x87\x64\xc2\xf4\xbc\x01\x97\x5a\xce\x6f\x35\xd2\x7c\x2d\x18\xc7\x13\xa9\x94\x71\x79\x21\x18\x19\xdc\x42\xf7\xcf\x3f\xe6\xb5\x46\x67\x4f\x14\x46\xf0\xc8\x1a\xa0\x82\x77\xec\x6b\x14\x0e\x14\xb6\xe4\x36\x07\x82\xbd\x17\xd0\x32\x55\x20\x8c\xac\x91\x7a\x5f\x8a\xc0\x3e\x6e\x8d\x13\xd0\xe6\x2d\x11\xbf\x55\xd0\x0b\x3f\x8f\x1e\x80\xb8\x55\x1b\xd7\xb6\x5b\x62\x84\xd1\x56\x6c\xdf\xdf\x43\x07\xa5\xee\x5c\xe8\xbd\xd6\xfd\x04\xa3\xed\xb4\x87\x1b\xa9\x7a\xa0\x1d\x67\x3a\xf3\x37\x69\x8f\x0a\xda\x53\xca\xb9\xbd\xf9\xf6\x31\xd0\xcc\xb7\x61\x7f\xf1\x3e\x0a\x3b\x37\x85\xed\x26\xdb\x72\x2e\x16\x32\x71\xb1\xf5\xe4\x69\x00\x05\x24\x94\x27\xbd\x44\x36\x2c\x66\x31\x15\x72\x86\xdb\xe4\xac\x19\x62\x0b\x55\xa6\x4f\xa6\x95\x8f\xe3\x2f\xf1\x3b\x1a\xdd\xfd\x7f\x56\xa1\x6f\x79\xda\xf4\xe9\x27\x87\x27\x57\x8d\x01\x54\x11\x8f\xe5\x91\xa0\xd8\x9a\xf0\x7d\x8b\xc3\x58\x2c\xf5\x1a\x01\x76\x6d\x9c\x9e\xe3\xf8\xf8\x0b\x58\xe8\x6f\xdf\xbb\x47\x70\xe6\xcf\x25\x54\xb0\xd9\xe0\x76\x99\x28\xc4\xa2\xf3\x83\xaa\xa5\x25\xdd\xf4\x73\x4f\x4c\xb1\x99\x96\xbe\x80\xb4\xc9\x1f\x91\xbb\xca\x60\x94\xab\x91\x0b\x66\x52\x41\xe2\x9b\x3d\x48\x78\x4f\x80\xd3\x2d\x21\x61\x34\x7d\x2b\xfd\x79\x1a\x66\xc6\xe8\x24\xf2\x30\x8b\x07\xf7\x67\x25\x0d\x11\x62\x6d\xbd\xcc\x96\x13\x68\x3e\x46\xcd\xc9\x90\x3a\xa0\x84\x88\x03\xb4\xa3\xdf\xb1\xfc\x9b\x35\x0d\x47\x16\x4e\xc5\x9d\xb3\x65\x1e\x1f\x5f\x9a\x5c\xc1\xad\x48\x46\x54\xac\x3a\x7f\x01\x3b\xad\xb6\xa0\xab\x87\xef\xfa\xff\xd5\x26\xa5\x3b\xea\xd6\x59\xa1\x5d\xc2\xfd\x63\x1d\xcd\x84\x3e\xc3\x41\x80\x4a\x56\x3d\x06\xff\x6c\x56\x31\xdd\xa5\x04\x4b\x9a\x99\xdc\x77\xbc\x4a\x4f\xe3\x26\x79\x8d\x67\x2d\x45\x07\x27\xe8\x1e\x49\x15\x33\xe6\xa2\x11\x21\xe3\xb8\xe5\xcd\xe3\x5f\xb8\x4e\x74\xfe\x50\x11\x89\x62\x35\xfe\x05\xf3\x35\xbf\x12\xe3\x17\x24\x01\x91\xe7\x42\xdf\x94\x38\x75\x29\x84\xfb\xc6\x97\xa5\x3b\x39\x50\xe2\x6b\x3d\xa9\x03\x1d\xc2\x34\xe8\x43\x32\x6d\x04\xfe\x09\x6b\x1c\x89\xce\x93\xbc\x6c\x5a\x60\xd7\xe6\xf0\xc5\xe8\x43\x8f\xd1\x0f\xa6\x6b\x3e\xef\x5d\xf7\x9a\x3d\xf5\x15\x24\x5e\x2f\x37\x0b\x91\x3b\x93\x33\x87\x59\x06\x01\x54\x60\x28\x3f\x87\x3b\x82\xb7\x91\xfb\x4d\xb7\x1a\xa4\xf5\x7d\x81\x82\xbd\x91\x46\x13\xba\x4d\x85\xf2\x49\x0b\xb9\xbf\xc6\x94\x0c\x5c\x49\x86\xc5\x44\x30\x8c\x3a\xc2\x2b\x79\x5f\xcb\x0b\x5a\x06\x2d\x3a\x15\xae\x30\xf6\xb7\xac\x27\x1b\xf9\xaa\xc4\xbd\xcd\x94\x9a\xae\xe1\xd7\xbd\xc8\x89\x5e\xea\x12\xda\xea\x16\x18\x5d\x86\x9d\x6c\xbd\x97\x1c\xcf\x16\xe4\xda\x5d\x70\x37\x64\x37\xa2\x0b\x6e\xa6\xc3\x5c\x50\x7e\xae\xe0\xa0\x22\x1c\x70\x52\x7d\x69\xc5\x7e\xb3\x55\x1c\x61\x73\x20\xed\x3f\x81\x7e\xe2\xa6\x99\x88\x12\x09\x64\xb3\x31\x13\x74\x06\xdd\xe2\x02\xc2\x43\xa9\x1a\x0d\x81\x0d\x16\x13\xac\x87\x09\xb2\x6a\x0e\xcc\xdd\xd7\xfc\x75\xa0\xd8\x18\x27\x6c\xb4\x95\x3b\xb8\x05\x76\x26\xf2\x3b\x72\x1d\x60\x73\xd7\x65\x86\x39\x7a\x8f\x05\xd0\x60\xd4\xe2\xdf\xcf\x14\xde\x48\xfa\xda\xae\x6e\xcb\xd5\xfb\xfe\x95\x8a\x2f\x93\x1c\x53\x1e\xa3\x25\x18\x2e\xd2\x98\x72\xa3\xdf\xec\x46\x90\x74\xbc\xda\xbb\x2a\x1a\x13\xfe\x24\x66\x7e\xfa\xaa\x26\xc5\x05\x19\xaa\x93\x35\xd3\x06\xfd\x23\x37\x99\x39\x74\x3a\x10\xac\x90\xd3\x17\x1b\x3b\xd0\x6a\x5b\x46\x3a\xd1\xb6\x12\xef\x3d\x54\xf5\x3f\xdd\xff\x55\xa8\xea\xef\x0b\x6f\x78\x77\x9d\x94\x8f\x7a\xa4\x59\x8a\x1d\xcf\x72\x6a\xaa\x45\xb9\x9d\xa0\xbc\xa1\x96\x81\x2f\x9c\x59\x98\x60\x84\x89\xe8\x0d\xde\xf1\x3a\x4b\x8e\xb0\x30\xc7\x17\x42\xc3\x04\x66\x5e\x15\xa9\xf5\x6a\x77\x67\x9e\x7c\x4d\x70\xaa\x84\xa5\x34\x66\xbc\x5f\x50\xd5\x5a\x67\x6e\xae\x3c\xdf\x86\x29\x36\xc8\xb2\xf3\x45\x1e\x21\x87\xb7\xae\x8a\xe1\x44\x6e\x09\x01\x42\xcb\x89\xe4\xee\x09\xe4\x0c\xd4\xa0\xfe\x82\x0e\xc2\x84\x50\xed\x7e\x7a\xe2\xe0\xe4\x7a\x3d\x40\x54\xa4\xac\xf5\x36\xe9\xa3\xef\xb8\xfb\xf5\xd0\xd6\xfb\xc6\x9a\x51\xba\xd4\xa6\x72\x3d\x62\xc8\x31\x1e\xc2\x24\xec\xc7\x10\x48\xbc\x16\xf9\x80\x5d\x91\x7a\x8a\x62\x94\xc0\x38\xb2\x84\x2d\x61\xde\x81\x0d\xb1\xb1\xa6\xf3\x77\x20\xd3\x01\x1f\x5e\x55\x80\x38\x50\xb6\xaa\x0c\x4b\xab\x3c\x81\x2c\xd7\xdb\xab\x18\xa7\x32\xac\x8e\x16\x7c\x49\xec\xc8\x35\x93\x88\xa9\x50\x80\xcb\x1d\x79\x6c\x32\x4f\x1a\x9c\x37\x95\x74\x9a\x36\x68\x23\x57\x60\x1b\x26\x0d\x85\xc7\x10\xdd\x0c\x67\x17\x3a\x8e\x4c\x1a\xa1\xe9\x5d\xdb\x86\x0e\x37\xc4\x4c\x99\x0e\xc5\xd1\x1c\x0e\x71\x90\x7c\x3e\x5e\x5f\xd2\x47\xfa\x32\x1d\xe9\x2d\xb5\x06\x84\x50\x6e\x82\x94\x47\xa8\xc8\x59\x09\xd2\x39\x7e\xc1\x1b\xbe\x06\x13\xa4\xd8\xaf\x44\xc2\x09\xbc\x45\x70\x29\x3e\x9c\xf7\xba\x6f\x47\x75\x4f\xd0\x50\x6e\xc3\x4a\xf2\xf9\xef\x20\x25\x0e\xdc\x01\xf9\x7b\x83\x74\xd8\x2c\x75\x09\xa2\x31\xb0\xd5\xc9\xb0\x85\xf9\x94\x8e\xfc\xe6\x8c\x57\x12\xf9\x6a\xfc\xf4\xf9\x2a\x1e\xb3\x49\x34\xb1\xd6\x64\x34\x41\x04\x33\x7c\x2b\x50\x28\xc8\xc7\xd6\xd7\xe6\x2e\x74\xcf\x28\x3d\x61\xda\xc1\xad\x87\x21\x50\x5c\x48\x84\xa8\x1c\xf6\x92\xaa\x33\xf8\x01\xcb\xc7\xee\xe1\xae\x61\xbd\x4c\x96\xa4\xb1\xad\xb8\x8f\x24\xb0\xa5\xe7\x81\x5c\x53\x7b\x25\xb8\xbc\x2e\xe2\x83\xe4\xe0\x5f\xa0\xf1\x57\xf1\x94\xf5\xb2\x2d\x6d\x02\x67\xfb\x0f\xd5\xab\x10\xbe\x22\x30\xcd\x21\xf8\x70\xe0\xe6\x51\xb5\x74\x7b\xb7\xf4\x59\x3e\xf5\x2c\x8a\x2e\x51\xd5\x09\x3e\xe1\x40\x5e\x49\xbb\xa6\xb3\x6c\xf9\x7f\x0b\x2f\x71\x50\xa1\x0a\xb7\x66\x94\x78\xa4\x83\x1f\x9c\x5e\xe6\x79\x0e\x91\xe9\x3b\x0e\x81\x4b\xc3\x14\xb0\x62\xc6\x8a\x3d\x36\xcf\x48\xda\x34\x9b\x02\x23\x80\x27\x22\xd7\x6b\x8b\xde\x97\x98\x2f\x78\xdd\xda\xb0\x64\x08\x4b\x3e\xea\x0a\x33\x5b\xd0\xdd\x84\x61\xb1\x05\x81\xd4\xa9\xaa\x69\x9d\x54\x2d\xba\x4c\xa8\x46\x4f\x62\xad\x3b\x9c\xd7\xe8\x20\x26\xa3\xfd\x15\xc2\xbd\xb3\xe3\x0a\x76\x43\xe8\x2f\x2c\x8e\x76\x44\x98\x86\x69\x89\xe2\xfe\x5a\x9e\x89\xc2\x37\x40\x4a\xad\x6b\x55\xc2\xbe\x45\x8e\x3f\x65\x47\xf7\x27\xf0\xb2\xc9\x05\x2d\xe4\x83\x9a\x6b\x5f\x03\xf5\xa7\x88\xe5\xa1\x4d\x84\x48\xee\x25\xb3\xdf\xf6\x90\x02\xd5\xfd\xa5\xca\xfe\x5b\xed\x82\x60\x28\x5b\x61\xce\x3c\x53\xc1\x62\x88\xef\x8a\xf1\x75\x9f\x63\x13\x60\xae\xe3\xbd\xc5\xeb\xfc\x22\x9b\x96\x7d\x19\x37\x99\x65\x53\x95\x24\x09\xf5\xf5\x86\x08\x20\xfd\xd2\xed\x84\x6d\xab\x93\x1b\x2d\x19\xfd\xda\x50\x69\x3a\x92\x6a\x41\xe5\x60\x60\xf2\xd6\xc1\x3c\x12\x5c\x0c\x4b\x08\xe4\x75\xa9\x92\xcc\xe4\xb5\x1e\x0f\x76\xeb\xc3\xc7\x36\x2f\xb1\xbb\x0b\x98\x05\x33\x2c\x16\x2e\x1e\x09\xd1\xff\x0e\xb7\x3b\x24\xe4\x0d\x61\x88\x13\x6b\xbc\x6e\xf8\xa3\x6f\x63\x2e\xa3\x2e\xa4\xc0\x61\x99\x18\x1d\xbb\x78\xf3\x99\xf4\x7d\xfb\x46\x33\xd0\xf0\x76\x8e\xe3\xd3\x3b\xef\xdc\xc3\xc0\xfa\x08\x9c\x21\x82\xd6\xa8\x5b\x27\x21\x35\xea\xe3\x43\x6b\xfa\x09\xb1\x8b\x10\x21\xf3\x70\x97\x99\x4a\xd7\x1a\xc9\x4c\x97\x44\x8e\x2b\x25\x2a\x75\x86\x16\xc1\x5f\x09\x66\x44\x7d\xe5\xd6\x48\x71\x05\xfa\x40\x80\x42\xc9\x0a\x9a\x89\xce\x90\xf0\x72\x8d\x7d\x76\x7c\x47\x2f\x60\xa1\x74\x0c\x77\xc0\xa6\x4a\xf3\xad\x4f\x94\x54\x4e\xbb\x3d\xe7\x94\x20\x1d\x17\xd6\x39\x97\x65\xe0\x55\xa5\xb9\x4d\x56\x9c\x66\x18\xe1\x14\x27\x5c\xfe\x79\xc2\x63\x63\x69\x42\x4e\x01\xca\x8b\x8e\x3a\x53\x0b\x92\x43\x16\xf4\x3d\xf7\xe4\x3c\xd0\x70\xd1\xb0\x9e\x8c\xc1\x84\xac\x7a\xe9\x79\x11\x9a\xae\x40\x15\x5a\x2a\x67\x32\x9e\x18\x72\x2c\x3d\xc7\x2d\xee\x00\x49\xeb\x4c\x29\xb3\x06\xdc\x81\xde\x1a\x19\x67\xcf\xe1\x7e\x97\xca\x47\x65\x62\xca\xd4\x3e\x84\xab\x3e\xc6\xe7\x6d\x35\x88\x29\xba\xad\x98\x22\x41\xd0\xdb\x74\x45\x45\x4f\x6a\x40\x54\x05\x05\x7b\x57\xfb\x93\xdf\xbd\xc8\xda\xe5\xb3\x0c\x64\xcd\x22\x0d\xc4\x8f\xdb\x56\x67\xa3\xc0\x65\xf4\xb3\x08\xbd\x07\x6f\x95\xc8\x10\xe9\x1d\x5b\x2b\x92\x11\x26\x12\x85\x20\x02\x8a\x70\x0e\x50\x6d\xa6\xc7\x61\x7f\x62\x42\x42\xa5\x9b\x87\x4d\x06\x04\x09\x11\xd5\x34\xa0\xe1\x5a\x51\x95\xfd\x8d\x9c\xb4\x65\x17\x62\x75\x11\x95\x40\x03\x48\x92\xcc\x6e\x6a\xaf\x17\x4b\x06\x43\x56\x25\xf9\xbd\xe8\xe6\x99\xe2\x8c\xbe\xed\x2b\x9a\xe0\xfc\x68\x4c\xbd\x8c\x77\xbf\x83\x80\x86\x45\x03\x95\xf2\x2c\xd0\x25\xc7\x04\x60\x39\x4c\xc2\x19\x78\x9f\xc7\x56\x83\x79\xdf\x98\x56\x58\x3f\x79\x6c\x8a\x29\x44\xb8\x57\x07\x7b\xd2\x9f\x54\x78\xe8\xb3\xbd\xf9\x16\xe6\xd6\x79\x63\xf8\xc0\x39\xba\x46\x9b\x60\xd0\xa2\x4e\xdb\x6f\x9e\x00\x40\x2b\x6f\x28\x6d\x88\xa4\xfc\x10\xbf\x76\x4d\x8c\x37\x25\x27\x10\xcb\x47\xb5\x69\x37\x08", 4096); *(uint64_t*)0x200000004690 = 0x200000004580; memcpy((void*)0x200000004580, "\x82\x07\x18\x73\x3b\x49\xda\xf8\xed\x80\xb0\xed\x25\x77\x2d\x57\xd7\x74\x35\xef\x1d\xa1\xca\x4f\x19\x30\xad\x4e\x71\x3b\x84\xd4\xc1\xa2\x4c\x71\x2f\x02\xe0\xb8\x6d\x18\x42\xc1\x64\x41\x5a\xa9\xe4\x90\xe6\xc8\x23\x0a\x89\xe3\x09\xfa\xf0\x7d\x23\x9d\xd7\xcd\x35\xda\x5c\xb5\xf3\x69\x19\xdb\x06\xdf\x51\xa5\xa9\xc5\xfc\x80\x49\x89\x7d\x04\xbb\x73\x17\x25\xff\x5f\x5d\x98\x47\x6e\x15\xb1\xdb\xab\x8c\xdc\x40\x5c\x2c\x17\x36\x58\x05\xe2\x7a\x61\xa5\xf0\x61\xe7\xea\xd1\x00\x27\x2f\xe2\xd9\xbd\x8c\xae\x4a\x26\x1b\x45\x19\x19\xeb\xb9\x27\x20\x4c\x1f\x63\xa8\x90\x81\x47\xb9\x98\x35\xba\x99\x43\x78\xa3\x2f\x9f\x11\x03\x57\x4a\x08\x93\x4f\xbc\x79\xd3\x1a\xaf\x13", 164); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000004640ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004644; r[13] = *(uint32_t*)0x200000004648; } break; case 22: res = syscall(__NR_geteuid); if (res != -1) r[14] = res; break; case 23: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000046c0ul); if (res != -1) r[15] = *(uint32_t*)0x2000000046dc; break; case 24: *(uint32_t*)0x200000004740 = 0x600b; *(uint32_t*)0x200000004744 = 0xf; *(uint32_t*)0x200000004748 = r[3]; *(uint32_t*)0x200000004750 = 0xee00; *(uint64_t*)0x200000004758 = 6; *(uint64_t*)0x200000004760 = 3; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000004740ul); if (res != -1) { r[16] = *(uint32_t*)0x200000004748; r[17] = *(uint32_t*)0x200000004750; } break; case 25: *(uint32_t*)0x2000000048c0 = 1; *(uint32_t*)0x2000000048c4 = 0; *(uint32_t*)0x2000000048c8 = 0xee01; *(uint32_t*)0x2000000048cc = 3; *(uint32_t*)0x2000000048d0 = 6; *(uint32_t*)0x2000000048d4 = 0x10; *(uint16_t*)0x2000000048d8 = 1; *(uint32_t*)0x2000000048dc = 0xfffffffb; *(uint64_t*)0x2000000048e0 = 0xffffffffffffffa8; *(uint64_t*)0x2000000048e8 = 0x800100000; *(uint64_t*)0x2000000048f0 = 0; *(uint32_t*)0x2000000048f8 = 6; *(uint32_t*)0x2000000048fc = r[5]; *(uint16_t*)0x200000004900 = 0x40; *(uint16_t*)0x200000004902 = 0; *(uint64_t*)0x200000004908 = 0x200000004780; memcpy((void*)0x200000004780, "\x1f\x8a\xa3\x8b\x61\x93\x8f\xb7\x29\x9a\x96\xae\xe6\x1f\x6c\xfc\x70\x19\x0f\x9d\xf3\x01\xd4\x0c\xcf\x55\x77\x95\xfc\x00\xd7\x75\x9e\xfa\x4a\xd1\x66\x1c\xbb\x0d\x54\xc3\x10\xaa\xbc\xc2\x92\x85\xc2\xce\x84\xfc\xbe\x97\x40\x7d\x84\x9e\xde\xc2\xf5\x98\xb2\x05\xfa\x5e\xa2\x46\x0d\x0f\x61\x5a\xd8\x7e\x7e\x26\x05\xe8\x10\x1f\x58\xad\xb6\x2e\x17\x8c\x78\xc4\x54\x58\x0a\x55\xd6\x3f\x5e\x1d\x11\xf9\x32\x25\x0d\x1f\xef\xd4\x51\x95\x45\x15\x88\xbf\x53\x0d\x73\xd8\x30\x76\xa9\x3a\x28\x9b\x61\x3b\xc6\x8b\x49\x90\x54\x23\xd7\xd5\xac\xe8\x01\x62\x92\xe8\x03\x77\xfe\xd1\xb5\x88\x77\xd9\xc4\xd0\x4e\xa0\x5b\xa8", 150); *(uint64_t*)0x200000004910 = 0x200000004840; memcpy((void*)0x200000004840, "\xb7\x37\x6d\x34\xb8\xa4\xcc\x32\x66\x7d\x88\x59\x91\xbb\xbc\x68\x28\xd0\x8b\xd6\x69\xe6\xaf\x09\xfe\x1e\x55\xbb\x32\xd8\x85\xd2\x17\xaf\xb9\x56\x45\x97\x63\x90\xdd\x73\x08\xc5\x04\xc5\xd3\x99\x53\xa7\x83\xb0\x65\xbd\x4f\x0a\x72\xbf\xaa\x17\x6a\x0d\x2a\xce\xe5\xc8\xe4\x1f\xf9\xb6\x92\xa4\x1d\x01\x0c\x7b\x34\x59\xf8\x4c\x72\x1c\xdc\x4c\x7d\xad\x40\xcd\xb1\x71\xae\x49\xa5\x56\xc9\x8b\x5e\xda\x14\xdb\x8d\x4c\xdc\xc0\xb4\x7f\xa7\x5b\xc9\xfa\xa1\x71\xe6\x8b\x70\x0c\x49\x60\x22\x25\x16\xf6\xd5", 123); res = syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0xb, /*buf=*/0x2000000048c0ul); if (res != -1) { r[18] = *(uint32_t*)0x2000000048c8; r[19] = *(uint32_t*)0x2000000048fc; } break; case 26: *(uint32_t*)0x200000004a80 = 8; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0xee00; *(uint32_t*)0x200000004a8c = 0x5c6; *(uint32_t*)0x200000004a90 = 0x1000; *(uint32_t*)0x200000004a94 = 2; *(uint16_t*)0x200000004a98 = 0; *(uint32_t*)0x200000004a9c = 0x326; *(uint64_t*)0x200000004aa0 = 3; *(uint64_t*)0x200000004aa8 = 3; *(uint64_t*)0x200000004ab0 = 7; *(uint32_t*)0x200000004ab8 = 1; *(uint32_t*)0x200000004abc = r[5]; *(uint16_t*)0x200000004ac0 = 0x300; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000004940; memcpy((void*)0x200000004940, "\x8d\x80\x00\x08\x98\xd8\x1f\x2a\x2a\x53\x7f\xc2\x1c\x52\x02\x3b\xc6\xee\x66\x95\x4a\x12\xa9\x3f\x24\x18\xcd\x8b\x0b\x69\x06\x7e\x3f\xfb\xce\x8f\x5d\x74\x31\xe0\x01\xed\x25\x5f\xb5\xed\x78\x43\x74\xaa\xd3\x0a\x67\x50\x0f\x8f\x6c\x04\x2b\xf9\xe6\x67\x06\x60\xd4\x25\xf7\x61\x1c\x7e\xcd\xfc\x45\x0c\x05\xef\x9c\x0a\x65\xc6\x2d\xc2\x21\x5f\xec\x7c\x02\xb7\x12\xde\x12\xf5\x05\x3e\x2c\x3f\x60\xd7\x80\xfa\xfc\x4d\x1a\xc2\x21\xca\x09\x07\x54\x29\x32\x88\x9c", 113); *(uint64_t*)0x200000004ad0 = 0x2000000049c0; memcpy((void*)0x2000000049c0, "\x9c\xcf\xda\x86\x9d\xeb\x66\x1f\x5f\xc9\xba\x8f\x62\xd2\x9a\x4e\xa3\xbe\x92\x86\xf7\x7e\xf1\x11\x78\xf9\x6e\x25\xe8\xbd\x88\x8e\xcc\x08\xd4\x52\xe9\x47\x31\xdc\x6e\x97\xd3\x9a\xb9\x81\x4e\xec\x35\x7a\xcb\xb7\xad\x42\x32\x89\x93\x15\xb7\x4d\xf9\xb4\xdf\x71\x30\x2a\x48\x2e\x3c\x52\xfc\x98\x81\x62\xd5\x71\x39\xe6\x91\x02\x87\x53\xaa\x86\xb2\x0c\xbc\x06\x0c\xea\xf9\xde\x31\xcf\xbd\xfa\xdb\x28\x02\x23\x28\x70\x09\x02\x86\xf9\x0b\x42\x6c\x18\x86\x6f\xb6\x2b\xb4\x66\x2a\xc9\xcf\x93\x8b\x12\xc2\xb3\x80\xa1\x32\x4d\x83\x13\x57\x5e\xad\xbc\xec\x1a\x33\x83\x27\x33\xdc\x87\xa6\xf8\xef\x25\x23\x0f\xc8\x15\xe2\xb6\x75\x6e\x60\x14\x4a\x41\x19\x57\x69\xee\x48\xe2\x1d\x49\x7f\x0e\xb1\x9a\xa1\x24\x19\xeb\x80\x45\xac\x2c\xad\xa3\x87", 181); res = syscall(__NR_shmctl, /*shmid=*/0xfff, /*cmd=*/0ul, /*buf=*/0x200000004a80ul); if (res != -1) r[20] = *(uint32_t*)0x200000004a84; break; case 27: memcpy((void*)0x200000004b00, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000004b00ul, /*statbuf=*/0x200000004b40ul); if (res != -1) r[21] = *(uint32_t*)0x200000004b5c; break; case 28: res = syscall(__NR_getuid); if (res != -1) r[22] = res; break; case 29: res = syscall(__NR_getuid); if (res != -1) r[23] = res; break; case 30: memcpy((void*)0x200000004bc0, "./file0\000", 8); *(uint64_t*)0x200000004c00 = 2; *(uint64_t*)0x200000004c08 = 3; *(uint64_t*)0x200000004c10 = 5; *(uint32_t*)0x200000004c18 = 6; *(uint32_t*)0x200000004c1c = 0xee01; *(uint32_t*)0x200000004c20 = 0xee01; *(uint32_t*)0x200000004c24 = 0; *(uint64_t*)0x200000004c28 = 0; *(uint64_t*)0x200000004c30 = 1; *(uint64_t*)0x200000004c38 = 0x5f2b; *(uint64_t*)0x200000004c40 = 0xffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint64_t*)0x200000004c58 = 0x80000001; *(uint64_t*)0x200000004c60 = 5; *(uint64_t*)0x200000004c68 = 0xcc8; *(uint64_t*)0x200000004c70 = 6; memset((void*)0x200000004c78, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000004bc0ul, /*statbuf=*/0x200000004c00ul); if (res != -1) r[24] = *(uint32_t*)0x200000004c20; break; case 31: *(uint32_t*)0x200000004dc0 = 2; *(uint32_t*)0x200000004dc4 = 0xee00; *(uint32_t*)0x200000004dc8 = 0xee00; *(uint32_t*)0x200000004dcc = 0x401; *(uint32_t*)0x200000004dd0 = 9; *(uint32_t*)0x200000004dd4 = 6; *(uint16_t*)0x200000004dd8 = 8; *(uint32_t*)0x200000004ddc = 0; *(uint64_t*)0x200000004de0 = 8; *(uint64_t*)0x200000004de8 = 0x101; *(uint64_t*)0x200000004df0 = 4; *(uint32_t*)0x200000004df8 = 0xffffff46; *(uint32_t*)0x200000004dfc = 8; *(uint16_t*)0x200000004e00 = 2; *(uint16_t*)0x200000004e02 = 0; *(uint64_t*)0x200000004e08 = 0x200000004cc0; memcpy((void*)0x200000004cc0, "\x00\xb8\xfc\xb8\xc5\x1e\x1a\xf1\x5f\x5b\x1d\x2c\x15\x82\x1b\xb8\xf4\xe8\x46\xf2\x0d\x66\x2d\xad\x19\xa0\xe5\x94\x29\x99\x48\x59\xbb\x1d\x0b\x6c\x63\xef\x69\x44\x16\xac\xb4\x94\x49\x4c\x66\x18\xf9\x85\x73\xd3\x70\xcc\x43\x50\x65\xec\x4d\xa9\xef\xd3\xf6\x76\x26\xf4\x4c\x18\xb9\x6b", 70); *(uint64_t*)0x200000004e10 = 0x200000004d40; memcpy((void*)0x200000004d40, "\x23\xc6\x65\x18\x78\xdd\xaa\x08\x5a\xe0\xbd\xfb\x7c\xcb\xb0\x8b\x71\xaf\x34\xf9\xf1\x56\x5e\x8a\xc7\x7c\x52\x93\xba\xdd\xfe\x69\xea\x20\xac\xed\x26\xde\x58\x66\x4b\x32\xeb\xf6\xf7\x34\xd3\xf7\xf6\x92\x06\x5f\xe4\xf9\x9e\xa2\x83\x36\x2b\x12\xf9\x6c\xb9\x72\x63\x2e\x80\x27\x3d\x01\x46\x87", 72); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xbul, /*buf=*/0x200000004dc0ul); if (res != -1) r[25] = *(uint32_t*)0x200000004dc4; break; case 32: *(uint32_t*)0x200000004ec0 = 0; *(uint32_t*)0x200000004ec4 = 0xee00; *(uint32_t*)0x200000004ec8 = 0; *(uint32_t*)0x200000004ecc = 0x19; *(uint32_t*)0x200000004ed0 = 6; *(uint32_t*)0x200000004ed4 = 7; *(uint16_t*)0x200000004ed8 = 0x53; *(uint64_t*)0x200000004ee0 = 0x200000004e40; *(uint8_t*)0x200000004e40 = 3; *(uint64_t*)0x200000004ee8 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 5; *(uint64_t*)0x200000004ef0 = 0x45; *(uint64_t*)0x200000004ef8 = 0x38; *(uint64_t*)0x200000004f00 = 0; *(uint64_t*)0x200000004f08 = 0xffffffff80000000; *(uint64_t*)0x200000004f10 = 4; *(uint16_t*)0x200000004f18 = 0x42; *(uint16_t*)0x200000004f1a = 7; *(uint16_t*)0x200000004f1c = 0x2825; *(uint32_t*)0x200000004f20 = 0xa21; *(uint32_t*)0x200000004f24 = 1; res = syscall(__NR_msgctl, /*msqid=*/1, /*cmd=*/1ul, /*buf=*/0x200000004ec0ul); if (res != -1) r[26] = *(uint32_t*)0x200000004ec8; break; case 33: *(uint32_t*)0x200000005680 = 0; *(uint32_t*)0x200000005684 = -1; *(uint32_t*)0x200000005688 = -1; *(uint32_t*)0x20000000568c = 8; *(uint32_t*)0x200000005690 = 6; *(uint32_t*)0x200000005694 = 0xa87; *(uint16_t*)0x200000005698 = 6; *(uint32_t*)0x20000000569c = 5; *(uint64_t*)0x2000000056a0 = 7; *(uint64_t*)0x2000000056a8 = 6; *(uint64_t*)0x2000000056b0 = 1; *(uint32_t*)0x2000000056b8 = r[6]; *(uint32_t*)0x2000000056bc = 5; *(uint16_t*)0x2000000056c0 = 4; *(uint16_t*)0x2000000056c2 = 0; *(uint64_t*)0x2000000056c8 = 0x200000005480; memcpy((void*)0x200000005480, "\xfe\xed\xc6\xae\xab\x06\xac\x00\xe0\x0a\x47\x26\xdf\xfa\x89\x36\x98\x62\x1b\xfa\x7d\x41\xa1\xac\xc3\xb8\x24\x88\xd2\x7e\x0a\xd4\x99\xd0\xf4\x71\x76\x04\x49\x63\x03\xa3\xc3\x2e\xee\xb4\x4d\xf0\x79\x18\x2f\x9c\x1f\x77\xba\x86\xb5\xd7\x5d\x3c\xfc\x32\xf4\x50\x62\xe9\x3e\x18\x4c\xec\x89\x02\x44\xb1\x95\xf2\xcd\x11\xbb\x0a\x90\xf2\xa2\xd8\xf6\x7c\xc5\xc0\xbe\x21\xff\x7a\x4f\x4d\x4a\x43\xb7\xfb\x2b\xa7\x33\x04\x0d\x26\xfa\xe0\xfb\x33\x2c\xcc\x40\x57\x09\xc4\xb6\x02\x93\x6c\x96\x94\x2a\x8e\xb5\xae\x32\x7c\x87\xdb\x6f\x2f\x6f\x61\x0f\x80\x3c\xc6\xd8\xd2\x09\x9e\xc2\xa8\x74\x19\xcd\x0c\x20\x6b\x74\xac\x24\x97\xac\x1f\x8b\x63\x7c\xff\xd4\x42\x7d\xae\x82\xe7\x7b\xea\xf3\x7c\xe6\xf5\xd2\xbd\xde\xb3\x19\x44\xc3\x6a\x67\xec\x43\x46\x59\x2b\x8b\x0a\x7f\x4f\x28\xc9\x52\xc8\xf6\xbc\xbe\x0a\x5e\xc3\x5a\xae\x35\x4c\x1f\x9e\x66\xbf\xab\x1f\xa0\xf8\xfb\xe0\x2e\x56\xaf\x6e\xcc\xe5\x25\x61\x78\x00\xb4\x2e\x8c\xb5\x83\x1e\x20\xae\x90\xe7\x3b\xdd\x29\xda\x4c\x8b\x8d\x1d\x00\xad\x8e\x8e\x8d\x8f", 246); *(uint64_t*)0x2000000056d0 = 0x200000005580; memcpy((void*)0x200000005580, "\x48\xfe\x27\xd9\x96\x54\x0a\xf3\x9e\xe6\x3e\xd5\xb8\xcf\xd8\x52\x3c\x9e\xee\xa2\xa9\xf6\x19\x60\x14\x21\xc6\x14\x0e\x3a\x98\x4a\xbc\x8a\x5f\x42\x1a\xc2\x62\x1a\xd0\x9d\xcf\xe4\xb7\x03\x89\x83\xe0\xe8\x82\x40\xcf\x3d\xd6\x11\x96\x97\x6f\x83\x6b\x58\xbc\x78\xe8\xd0\x80\x44\x6c\x8c\x46\xfa\x4d\x9a\x6b\x52\x29\x42\xef\x8d\x58\xf8\x9f\x40\x10\xf6\xb6\x2b\x5a\xff\x90\x27\x53\xb6\x2f\xb2\x9f\xb8\xa8\xa3\xa4\x75\xf3\xe0\xe4\x45\xbc\x8a\x4f\xe0\x18\xfb\x6a\x5e\x3c\x2d\x53\x4a\xab\xd3\xb0\x91\x5d\x7b\x06\x57\x81\xca\x8c\xdb\x3e\xb7\x34\x01\x63\x90\x63\x8c\xde\x96\x40\x37\x5b\x4d\xfc\x90\xc2\x11\x60\x3b\x5e\xa2\xbd\x44\x29\x57\x50\x41\x50\x67\xbc\x3f\x14\x7a\x66\xd7\x7d\xcf\xbf\x65\x84\x80\x36\x9e\x1d\x1f\x19\x3d\xad\x08\xc0\x0f\x36\xc9\x9a\xf5\xc1\xb5\x2f\xf0\xa1\xf2\xe8\x93\x84\x1f\x1a\x2d\xe0\x97\xfb\x0e\x00\x1a\xbd\xb9\x56\xf6\x82\xde\x1e\xcf\xc1\x80\x1e\xc9\x43\x6f\x86\x4d\x3a\xbe\x6e\x7f\x9e\x33\x2a\x32\xe9\xe5\x44\x5d\x85\xed\x61\x3b\xa1\xd5\x9a\x8a\xe4\x83\xad\x90", 244); res = syscall(__NR_shmctl, /*shmid=*/0x80, /*cmd=*/0xful, /*buf=*/0x200000005680ul); if (res != -1) r[27] = *(uint32_t*)0x200000005684; break; case 34: *(uint32_t*)0x200000005980 = 0; *(uint32_t*)0x200000005984 = 0xee01; *(uint32_t*)0x200000005988 = 0xee01; *(uint32_t*)0x20000000598c = 0x80000001; *(uint32_t*)0x200000005990 = 0xa; *(uint32_t*)0x200000005994 = 9; *(uint16_t*)0x200000005998 = 0x50f4; *(uint32_t*)0x20000000599c = 8; *(uint64_t*)0x2000000059a0 = 8; *(uint64_t*)0x2000000059a8 = 4; *(uint64_t*)0x2000000059b0 = 7; *(uint32_t*)0x2000000059b8 = r[6]; *(uint32_t*)0x2000000059bc = 8; *(uint16_t*)0x2000000059c0 = 3; *(uint16_t*)0x2000000059c2 = 0; *(uint64_t*)0x2000000059c8 = 0x200000005800; memcpy((void*)0x200000005800, "\xdb\x41\x18\xb7\xfc\x55\x0b\x52\xee\xc4\xc5\x9c\xf4\xb9\x3c\x16\x9c\xd2\xe4\xc6\xb1\xeb\x5a\x84\xe9\x5b\xb2\x10\x93\x86\x54\x4d\x81\x85\x38\x8c\x50\x4c\x49\x5c\x8e\xf8\xb3\xd1\x96\xce\x76\x84\x46\x52\xa8\xd2\xed\xdb\x5e\xff\x11\x69\xa5\x58\xd6\xe7\xc5\x6d\x46\xaa\x70\xe6\x29\x8f\xbf\xaf\x95\xfa\x39\xd5\x39\x85\x94\x4c\x38\x2b\x26\xcb\x4e\xe5\x1e\x02\x1b\xeb\xc6\xe6\xe8\x03\x88", 95); *(uint64_t*)0x2000000059d0 = 0x200000005880; memcpy((void*)0x200000005880, "\x11\xd0\x1f\xea\xa2\x06\x48\x96\x7b\x16\xd3\xe6\xcb\x0d\x49\x89\xe6\x1f\xca\x36\x74\x07\x92\xd8\x80\x8f\x57\x2b\xe0\xb7\x0d\xd4\xfa\xaa\x5e\xce\x73\x85\x99\x83\x67\xd7\xda\xf2\x35\x0e\x52\xa7\x4d\xde\x02\x7c\x39\x77\x11\xa1\x8f\xaa\x7b\x87\x7c\x14\xe9\x2f\x48\x63\x6c\x7b\x02\x1b\x50\x82\x8c\x93\x6f\x30\xbd\xec\x29\xc6\x74\x13\x9d\x1d\x64\x36\x9d\x02\xd6\xdf\x35\xbd\x75\xc5\x4a\x72\x9a\x1c\x28\xf9\x4a\x00\x49\x7c\x29\x12\xe4\xf7\x3e\x55\x74\x6d\xc4\x37\xcf\xb6\x4d\x82\x6f\xb5\xdc\x13\x28\x6f\x2d\x3d\xc8\xa3\x54\xee\x95\x76\xb8\xb3\x7c\x40\x78\x14\xe5\x52\x41\xfd\x87\x16\x08\xc5\x99\xdd\xb5\xf9\x80\xe7\xc0\x1c\x23\xb0\x2b\x73\x8c\xe3\x4d\xc1\xf4\xd5\x57\x7f\x02\xc5\x53\x7e\xec\x8d\x5c\x15\xf8\xc9\x3a\x7d\x45\x0b\x47\x01\xde\x03\x80\x22\x41\xa3\x4c\x3a\x07\xa3\x78\x11\x9c\xfb\xb3\x4e\xeb\xe8\x75\x3a\x48\x51\xca\xe1\xa1\x4a\x12\x47\x49\xed\x8c\xaa\xec\x19\xd2\x22\x0b\x21\xd7\x1e\xdd\x40\x85\x67\x22\x38\xc4\x58\x2d\xbe\x77\xee\x25\x8f\x75\x04\xe5\x86\x84\x58\x78\xa7", 244); res = syscall(__NR_shmctl, /*shmid=*/0x7ff, /*cmd=*/0xful, /*buf=*/0x200000005980ul); if (res != -1) r[28] = *(uint32_t*)0x200000005984; break; case 35: *(uint32_t*)0x200000005a80 = 0x1d; *(uint32_t*)0x200000005a84 = 0xee00; *(uint32_t*)0x200000005a88 = 0xee01; *(uint32_t*)0x200000005a8c = 9; *(uint32_t*)0x200000005a90 = 7; *(uint32_t*)0x200000005a94 = 0x100; *(uint16_t*)0x200000005a98 = 0x1000; *(uint32_t*)0x200000005a9c = 4; *(uint64_t*)0x200000005aa0 = 0x400; *(uint64_t*)0x200000005aa8 = 3; *(uint64_t*)0x200000005ab0 = 9; *(uint32_t*)0x200000005ab8 = 9; *(uint32_t*)0x200000005abc = 0; *(uint16_t*)0x200000005ac0 = 0x4c17; *(uint16_t*)0x200000005ac2 = 0; *(uint64_t*)0x200000005ac8 = 0x200000005a00; *(uint64_t*)0x200000005ad0 = 0x200000005a40; memcpy((void*)0x200000005a40, "\x20\xfc\xa2\xd9\xa8\x4b\x14\x9b\x22\xcc\x11\x86\x29\xf2\x44\xc8\xf9\x90\x9c\xbe\x31\x7a\xd4\x69\x3e\x5c\x7d\xda\xcf\x6f\xf0\x8f\xf9\x64\x41\xb2\x9c\x38\xfb\x9a\x61\x61\xaa\xc4\x2a\x96\xf4\xe5\xb9\xa9\xed\x64\x8c\xa3\xd6\x00\xf7\x63\x14\x86", 60); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x200000005a80ul); if (res != -1) r[29] = *(uint32_t*)0x200000005a88; break; case 36: memcpy((void*)0x200000000c40, "\x55\x5b\x07\x8c\xdc\xaf\xe3\xdf\x82\xab\x07\x45\x00\xb8\x54\xe0\x53\xe9\xbe\x2b\xde\xa6\x7c\x3f\xdc\x61\x39\x5f\x5b\xcf\x26\x9a\x1a\x3d\xb8\xdd\x7f\x3d\xb0\xcb\xe3\xe9\xee\x7f\x3f\xd7\x73\xe5\x7f\xb4\xf6\xab\xa5\x3b\x02\x82\xae\x6a\xb4\xf9\xb9\xd6\x9d\x36\x2e\xbd\x6f\x99\x17\xff\xa5\x85\xa5\xe2\xb1\xdd\x85\xaf\xdc\x2e\x0b\x9f\xd0\x7d\x2b\xb6\x93\xd6\x87\x17\x43\xb7\x3e\xdd\xf8\xe6\xcc\x6e\x58\xe5\x02\xfb\x0d\x8d\x80\xfb\x48\xbe\x00\xbe\x3a\xcf\xe3\x5f\xd1\xfe\x21\xf9\x7c\x59\x8e\xca\x5e\x05\x46\xf3\xf6\xee\xc8\xf7\xe4\x03\xe8\xa8\x0b\x58\xfb\x34\x34\x2e\x2f\xcf\x0e\xef\x3b\xa1\x64\x4b\x26\x2d\x0a\x87\x7d\xeb\xa6\x46\x22\xae\xee\x38\xf1\xef\x52\x8c\xd8\x36\x08\x5f\xb4\xf8\x43\x7c\xa3\x6c\x3c\xc2\x11\x98\x0a\x65\x23\xfc\x6b\xd0\x7c\x49\x74\x7f\x5f\x9d\x6d\x79\xca\x43\x5f\x84\xf5\x9a\xf8\xbc\x5d\x7a\x76\xad\x9a\x4d\x29\xe4\xc5\xea\xf2\x0c\xf5\xe3\x73\xc2\x67\x7a\x04\x8b\x4a\x06\x4b\x25\xc8\x0e\x3c\x22\x5a\xef\xc7\x98\x61\xe3\x9f\x88\x98\xdc\x74\x9e\xd0\x43\x2a\x34\x74\x29\x9b\x35\x0f\xfb\x0c\x53\xcf\x96\xca\x64\xa1\x27\x30\x8b\x7a\x77\xf8\x0e\xc1\xad\x1c\xa7\x4f\xc5\x8f\x71\x80\x3c\x78\x7f\xc8\x98\x20\xce\x64\x7e\x6e\xed\xc3\x84\x51\xb7\x0b\x15\x30\xcc\x70\x60\xd1\xb0\x72\x7b\x74\x68\x5e\x6a\xdb\x33\x10\xcf\xa9\xed\x51\x65\xe3\xd3\xe7\x4a\x38\xa7\xb5\xf2\x50\x24\x61\xb9\x3d\x63\x36\x93\xf3\xc9\x25\x9d\x2f\xa0\xad\x38\x9f\x24\x96\xc5\xc2\xe3\xdf\x9f\x85\xc1\xa8\xa8\x58\xdb\x4b\x7c\x58\x15\xfc\xbb\x65\x68\x21\xe1\x84\x4e\x7d\x6e\x0f\x3c\xfb\x64\x52\x8f\x96\x62\x97\x9a\xc9\xa8\xec\x10\xee\xf0\x60\x3b\x3d\x1d\x78\xd5\xd2\xa4\x85\x48\x6a\xa8\xcc\x31\x0e\x49\x0b\x94\x71\xae\x12\x71\x94\x15\x1b\x73\x2e\xd1\x9d\x49\x4e\xa6\x3d\x28\x36\x51\x94\x09\xa2\x13\x42\x5f\xe1\x00\x5e\x46\x69\x5f\x4b\x24\xbe\x7b\x25\x82\x96\x53\xe4\x1c\x17\x4b\x1b\xc6\x9f\x10\x8a\x07\x67\x69\xc6\x52\x40\x5d\x43\x6a\x7c\x69\x8a\xc8\xe5\x4a\x85\x0c\x0e\xd0\x24\x9a\x82\x50\xe5\x54\x88\x69\x61\x6b\x9a\x72\xf2\x6c\xb9\x70\x96\xcc\x66\xcb\xbf\x03\x17\xa1\x7f\x96\xee\x0b\xae\x08\x02\x4d\x5b\x80\xdf\xf8\xbe\x40\xc8\x22\xd8\x50\xf7\x49\xe7\xbf\x54\x33\xd2\x52\x20\x2b\x03\x58\x3d\x8b\x87\xb5\xb7\x07\x90\x5e\x3c\x84\x61\x24\x1f\xea\x66\xc5\x99\x5a\x3d\xe3\x0e\xf8\xe3\x3b\xf0\xc7\x92\xf2\x3a\x26\x43\xbe\x67\xd8\xe0\x77\xb1\x6a\x84\xe5\x2d\x80\xc3\xc3\xe8\xc3\xba\x8e\x58\xd0\x68\x3d\x00\x41\x2b\x9f\x98\x73\x25\x24\x11\x3d\x24\xc8\x9e\xbb\x02\x0b\xa6\x31\xc1\x61\x8c\x7c\x1d\xed\xf1\x8e\xe5\x9c\x67\x7e\x58\x52\x99\xfc\x6b\xc0\x60\xd5\xc3\xf5\x7f\x9d\x52\x9f\x93\xc3\x7e\x08\x6d\xb0\xed\x59\x93\xa0\x5d\xab\xff\xba\xe7\x43\x0f\x9e\x20\x60\xb0\xb6\xce\x6b\x0b\x21\xfe\x6d\xcc\x4f\x40\x16\xd8\x7a\x74\xd0\xfa\xdd\x6f\x9f\x12\xb1\x02\xf7\x8a\xc9\x4f\x2b\x84\x6c\x2a\x7b\x9b\xc2\x43\xc5\x6b\x0f\xe4\x41\x2f\x03\xaf\x33\x72\xd3\x56\x43\x2c\xff\x83\xc2\xd7\x12\x7f\xa0\xa9\x72\x90\x6d\x16\x74\xd7\xe5\x5d\xac\x17\x89\x01\xb6\x61\xf1\xf1\xef\x39\xe7\x17\x25\xd8\x9b\xc1\xe7\xce\x8a\xc6\xa2\x38\xa9\xb2\x11\x5c\x65\x63\xf9\xc2\x19\x93\x43\x50\xcb\xff\x04\xbf\xed\x91\x66\x53\xcd\xfd\x93\xc2\x5c\xa0\xcf\xa1\x22\x3b\xc8\x5f\xd2\x6d\xcb\x17\xe5\x30\x21\x28\xfd\x81\x94\x51\xd0\xb7\xf0\x85\x4c\x70\x32\x84\x97\x77\xd1\x82\x8d\x48\x3b\xc5\x8b\x2b\x91\xf6\xe4\xeb\x2a\x90\x26\x55\xa9\x5b\x03\xfe\x2c\x86\xf0\xfb\xa9\xfd\x2c\x67\x7f\x6e\x5b\x60\x92\x17\x9a\x5e\x84\xa6\x7d\x88\x1a\xab\x57\xdd\x2c\x32\x39\xa1\xdb\x9b\x47\xf2\xb5\xf6\xce\xeb\x79\xa5\x8c\xd1\x25\xe6\x14\x7d\x20\x68\xca\x21\xa0\xca\xc4\x7b\x0c\x12\xf6\x68\x3b\x71\x98\xf1\x39\xf1\x12\x06\xb2\x84\x90\xf7\x56\xe0\xbf\x15\x22\x19\x5f\x14\x60\x8d\x19\xff\xb6\xa3\xba\x85\xf0\x47\x44\x31\xf7\x1d\x1a\x38\xb4\x92\xe3\x86\xdb\x9e\xb0\xdd\xe5\x57\x69\xc0\x2f\x87\x57\xa4\xe1\x4e\x93\xdc\x24\x1f\x2d\xd5\xe6\x55\x0e\x3d\x75\x3c\x91\x7b\xbc\x4e\x5b\x1a\x33\x85\x25\x91\x63\xd6\x64\xb0\xc7\x2d\x85\xbf\x78\x35\x4f\x18\xcb\x63\xf1\xfe\x0a\x33\x7a\x07\xf2\xe7\x8f\xd3\xf8\x94\xff\xeb\x85\xda\xce\x3f\x30\x27\x7b\x5c\x0f\xdb\xb2\x4f\x9b\xc3\x54\x54\x6d\xe8\x12\xed\x54\x45\xf8\x54\x88\x8a\x03\x8f\x04\x36\xc7\x8b\x21\x23\x0c\xa7\x3e\x77\x0b\x4d\x37\x5a\xc6\x0d\x30\x2a\xd1\x62\x9e\xd8\xc1\x7a\x12\x76\x53\x02\xad\xd9\x81\x9e\x9b\xdd\x10\x02\xdd\xf7\xd7\x73\xd0\xd2\x01\xe6\xaf\x2b\xf8\xe5\x8f\x68\x91\x5d\xcd\xb8\x0f\x4b\xdd\x73\x1c\xa0\x54\x4f\x9b\xe2\x92\x97\x21\x9d\xd3\x42\x2d\xf4\xf2\xe4\x36\x42\x2f\x94\x0d\x8f\xe0\x72\x41\x4e\x84\x38\x94\xc0\x1f\x43\x80\x7c\x4d\xd4\xf7\xc5\xc1\xfe\xb2\x0d\x50\xf0\x60\xee\x1f\xe6\x12\x22\x9c\x2f\x49\xda\x21\x72\x89\x52\xa0\xbe\xf8\x1b\x47\xfa\x85\x84\x8f\x65\xae\x37\x56\x70\x60\x13\x09\x5f\x1f\xf8\x4e\x5e\x32\x21\x6b\x94\xaf\x24\x79\xee\xa8\x19\x97\x10\xc0\x15\x59\x7b\x00\xa9\x7b\xe8\xb3\xba\x52\x43\x9b\x12\xe3\xf1\x94\x82\x18\xe2\x81\x6b\x75\xb6\x84\xf3\x18\x2b\x43\x4e\x0a\xc0\xcb\x31\xa1\xa8\x3f\x2c\x7b\xbd\xdf\x28\x0d\x1e\x4f\xd5\x08\xc4\xb7\xa0\xfb\x0b\x66\x4c\x61\x3e\xdb\x4c\x7e\xc7\xf4\x8c\xdc\x94\x11\xa1\xaf\x51\xc7\xf2\x95\x64\x95\x04\x17\xca\xcf\x4c\x84\x8b\xc3\xc6\xc2\xff\xb3\x17\x59\x91\x7a\x52\x51\x00\x01\xaf\xd9\xde\x6d\x6e\x9d\xdc\x26\x36\x43\x53\xea\x50\x70\xfc\x73\x0b\x22\xd8\xf4\x34\xec\xc2\x12\x47\x94\x9f\x63\x7d\x03\xd4\x30\xa5\xfb\xc0\x36\xbd\xaa\x35\x01\xd4\x9d\x63\xdf\x32\x38\xab\xc5\x94\xa5\x64\x43\xd0\x5f\x53\xa5\x57\xb1\xe0\x4c\x54\xf5\xde\x09\x10\x86\xa0\xcf\xe9\xf3\x70\x7c\x74\x77\x1d\x41\x6c\xbd\x75\xc5\x3e\x74\x56\xba\xc5\xad\xce\x64\x0c\xd9\x3c\x66\xc0\xba\x2e\x59\x09\x6c\x5e\x08\xcf\x2c\x9b\x96\x48\x9e\x94\xf8\x06\x52\xf9\x05\x84\x9e\x4f\x38\x99\x7f\x0c\xd4\xe6\xcf\x1a\xd1\x8a\x88\x1e\x9e\x81\xae\x73\x2c\x28\x4d\xf2\x54\xde\x39\x81\x60\x6b\x02\x1e\xf4\x1d\xa3\x71\x76\xe9\xa0\x94\x6a\xb8\x08\x26\xdc\x7f\xb9\xe4\xb9\x9b\xd9\x94\x8b\xb0\xee\x33\x4a\x5d\xb2\x91\xea\x58\x80\x7c\xec\xd5\x9f\x87\x0c\x69\x13\x85\xe2\x7f\x18\xd7\x48\x46\xd1\xed\xa2\x20\xb9\x60\x7a\xaf\x2e\x6f\xc0\xae\x9e\xae\x57\x60\x8e\x60\x1d\xf9\x44\xd9\xac\x45\xd6\x2d\x79\x65\x12\x90\x3b\xff\x90\xd7\x40\xef\x9f\xcc\x40\xc3\xb3\xf2\x73\xa2\xbd\xfa\x30\x14\x3e\x90\xcd\xa7\x11\x6d\x8c\x68\x82\x6e\x67\xea\x0c\xf5\x78\xf5\x92\x31\xca\x85\xf0\x3f\x11\xb4\x0d\x06\x31\xab\x34\x73\xca\x2e\xe5\x35\x87\xdd\x4d\x8a\xbc\x53\xc6\x06\x9d\x56\xbd\x9b\xf7\xcc\x9f\x04\xd8\x98\x2a\x4f\xae\xda\x89\xfb\xff\x88\x84\x25\x1a\x1f\xcc\x5f\xef\x64\x2a\x20\x52\x99\x93\x0e\xe6\xc9\x02\x22\x23\x57\x68\x88\xc4\x91\xf7\x96\x62\x4d\x04\xd9\x5a\x98\x3e\x40\xb3\x44\xe8\xf4\xc9\x8e\xeb\x55\xe0\xff\x11\x6f\xcc\x8b\x4f\x29\x6d\xdc\x2f\x11\xc9\x32\x27\x86\x44\x0e\x0b\xa6\x22\xed\x96\xdc\xcb\x6b\xf6\x82\xb9\x7a\x2c\x78\x06\x47\x47\x38\xe9\xce\xa3\x64\xa2\x28\x30\x23\x5c\xa3\x5c\x60\xca\x4b\x0f\xd3\x0f\x81\xc0\x51\xb9\x6c\x67\x98\x21\x7c\x79\x85\xe7\xfd\xfb\x4f\xd8\x04\x09\x32\x66\xf0\xd3\x94\x7b\xc1\xd5\xb3\xbd\x53\x5c\xbd\x34\xbf\x07\xa3\x09\x6f\x16\xda\x81\x8c\xde\x06\x88\x7e\x94\x25\x75\x79\xf2\xc0\x20\xcb\xca\xc1\xcb\x70\x0d\x34\x47\x2b\xac\x93\x01\x30\x53\x0f\x9d\x09\x44\x83\xfa\xf3\x11\x19\x4f\x9a\x96\x41\x92\x5c\xde\xe8\x88\x79\xd2\x18\xb3\xbe\xb8\x3d\xf4\xf3\x3f\x5c\xb1\x09\xca\xc0\xc7\x92\x6f\xf1\xeb\x49\x4e\xbf\xc5\x8f\x22\xe5\x13\xde\x37\x6d\x1e\xa9\x03\xe7\xaa\x65\xb8\xd1\x82\xe5\xe3\x82\x17\xe2\xd2\xc0\xb0\xcb\x39\x2d\x44\xad\x76\x84\xc2\x29\x96\x8e\x71\xa7\x61\xb9\x67\xe2\x5a\x28\x83\x92\x9e\x19\xbb\x5d\xfb\x05\x32\x18\x13\x9d\xc3\x04\xea\xee\xd9\xe1\x5d\xe1\xf0\xa9\xe6\xf0\x47\x61\xc7\x5f\x72\x99\xe6\xc0\xec\xcb\xf9\x3c\xc1\x01\xeb\x5b\x01\x7c\x2d\x97\x27\x3b\x22\x38\xd4\x48\x1c\xbb\x5d\x24\x4d\xb8\xf1\xb3\x29\xb8\x93\x05\x45\xea\xa4\xa3\x6d\x59\xc3\x7d\xdb\x37\xa6\x10\xde\x3a\x79\xdd\xd8\xa3\x1d\xeb\x0b\x1b\xbb\x31\xd0\x1e\xee\xb7\x8c\xf9\x5a\xcf\x3f\x27\x27\xb5\x3b\x62\x36\xb0\x7d\x49\x0d\x86\x31\x82\x97\xda\xd4\xf6\xb8\x01\x07\xa0\x31\x29\x9f\xb5\x2a\xc0\x61\x0d\xa5\xaf\x4b\x71\xa8\xa7\x1c\x48\x6e\xda\x6e\x77\xc3\x50\x22\x4a\x9e\x24\x65\x99\xd2\xf0\x17\x90\x79\x6a\x21\xc1\xc9\x0d\xfb\x6e\x64\xc4\x9d\x6f\xe4\xee\xeb\xe6\xd6\xb5\x19\x2b\x6e\x13\x0e\xea\xc6\x73\xc4\xcf\x46\x69\xc0\x46\xce\xc7\x38\x80\x79\xd1\x4b\x25\x99\x25\x28\xe2\x05\xa8\x66\x3d\x42\x9d\x8c\xea\x1f\xcc\xdd\x3e\x53\x8b\x97\xc6\x35\x56\x2f\x2e\x26\x95\x88\xaa\x14\xb9\x30\xa7\x40\x80\x76\x29\x8c\xc4\xde\xda\x70\xb3\xc2\x6c\x42\xc6\x70\x22\xc5\x9e\x26\xf0\xbc\x4a\xec\xc4\x3a\x95\x6a\xc6\x02\x30\xba\x1b\x06\x81\xb8\xdb\x4e\xfd\x0e\xf1\x33\xf0\x99\x56\x3d\x0f\x55\xb9\x19\xf6\x43\x77\x22\xc8\x6b\x4a\x5f\x92\x8a\x75\x6b\x45\xa8\x4f\x9c\x54\xdc\x2b\xdd\x79\xae\x9d\xa5\xa3\x9b\x59\x93\x05\x5b\xf7\x74\xb1\x29\xb4\x68\xfd\x38\x85\xa5\x44\x70\x52\x46\x0d\x71\xa6\x8c\xb9\x6d\xed\xbd\xc4\x88\x2e\x6f\x6a\x2b\x7f\x64\x26\x27\xf3\xe7\x78\x3a\xcc\xc8\xf2\x2d\x29\xac\x8a\x83\x78\x8e\x64\xab\xd6\x06\x19\xe2\xb1\x3c\x48\x3b\xb9\xf6\x44\x2c\xd0\xa6\x72\xdc\xa7\x19\x26\x2f\x2e\x8b\x52\xd5\x8e\xfc\xca\xbe\x63\x12\x0f\xa9\x55\xda\x00\x62\x98\x88\xb0\x98\x6a\xee\x35\x03\xf9\x4d\x69\x01\x15\x52\x8e\xa4\x14\xff\x93\xfc\xfc\x48\x7f\x4a\x3b\x02\x13\x79\x8f\x27\xce\x36\x2e\xcc\xfa\x77\x5c\x9f\x84\x11\x44\xae\x5f\xe9\xc7\xd9\x5b\x46\x57\xea\x10\x67\xf1\x2d\x1d\xee\x02\xf9\x11\x78\xb1\x13\xf7\x96\x20\x73\xa3\xc9\x8b\x91\xde\x9b\x47\x02\x3a\x22\x05\x92\x01\xbd\x49\x5e\x7e\x2e\x4d\x3b\x3d\xec\x65\xef\x29\xfe\x44\x2e\x27\x1f\x13\x87\x0b\x0a\xed\x81\x83\x52\xbc\x69\x1b\x5d\x39\x17\x56\x5b\xf8\xb6\x6a\xcb\x66\x58\x05\xd9\x37\xe6\x35\x87\x91\xed\x90\x60\xf2\x61\xca\x7e\x34\xf0\xe7\x28\x6c\xf7\x56\x3f\x57\x25\x4a\x05\xb3\xce\x5f\x17\x5d\x8b\xca\x32\x2c\xb3\x1b\xf8\xde\x32\xeb\x0e\xf6\x36\xda\x05\x5f\x3e\x9e\xee\x3b\x7e\x36\x06\x6f\xe1\x0c\x45\xc7\x74\x2c\x39\x73\x2c\xc7\x89\xaf\x38\xcb\x73\x7a\xa1\x78\x98\xd3\x1a\x20\xce\xba\x6a\x89\xc7\x88\x35\x19\xce\x21\x71\xc6\xe7\xb1\x9b\x34\x49\x4a\x58\x06\xf9\x9c\x26\xc5\xdf\x8f\xd6\x41\xa1\xbe\x5e\x66\x0c\xe8\x87\xa7\x8f\xb6\x91\xa1\x01\x6f\xdb\xf1\x07\xbc\x92\x99\x2a\x2b\x62\xdc\x34\x74\x31\x6d\xd2\x4f\x40\xff\xe6\x1b\xfa\x84\x8f\x97\x90\xe7\x25\xc0\xdf\x3f\xa6\xd0\x90\xfd\x38\x37\xe1\xa4\x6b\xf5\x8f\x3b\xee\xf4\xad\x77\x21\x95\x1a\x97\x79\x48\xb8\x6c\xed\xc0\x7a\x24\xb7\xf0\x4b\xe1\x4d\xf3\x6d\xff\x71\x53\x1a\xd7\x15\x32\x8d\x70\xa2\xff\xfb\x3b\x59\x43\x96\x19\x82\x6e\x0c\x26\x72\x9d\xa1\xaa\x66\xfb\x89\x2b\x94\x0f\x8b\xe7\xee\x4f\x22\x7b\x43\xfb\xb4\x30\x94\xc5\x08\x64\x47\xc8\xb4\xdd\x72\x66\xf0\x7b\xc7\x9c\x28\xa9\xb4\xb0\xb5\x11\x73\x9d\x68\x94\xc0\xf2\x04\x9f\x9b\x83\x57\xa2\x45\x1b\xc9\x64\x89\xc2\xfd\xb4\xc6\x3f\xe6\xa1\x51\xa1\x1c\x72\x30\x47\x4b\xf5\x1f\x4d\x04\xb1\x60\xa6\x5c\x22\x10\x4d\xfc\x29\x68\xa2\x3e\x42\x7b\xd9\x7c\x4d\x2c\x0a\x5b\x35\x9d\x59\xfb\x17\xb5\x51\xf8\x90\x5a\x4b\x6a\xca\xb2\x44\x4d\x66\x08\x2c\xf5\xc6\x48\x03\xf5\xaf\xdd\x46\xf0\x57\x35\xd1\x8b\x52\x07\xa9\x27\xef\x34\xcc\x76\xa8\xed\x38\x19\xc8\x69\x54\x1e\x06\xe5\x09\x50\xd5\x50\xc9\xb8\xf0\x34\xd4\xa3\x29\xa1\x35\xaf\xaa\x25\x7d\x3b\xf2\x5d\x36\xac\x7c\x7f\xf9\x85\x1a\xb9\xc3\x86\xc9\xb1\x6b\x7b\x11\x1c\xfb\xfc\x39\xf1\x9e\xc3\xb7\x1c\xe4\x35\x40\x36\xcf\xcf\xfe\x36\xc8\x7a\x8d\x65\x47\x00\x6a\xb4\x4f\x19\x32\x0a\x35\xdb\x00\x3a\x6c\xce\x51\xe5\x33\x8a\xfd\xea\xf6\xfb\x6a\xd3\xdb\x60\xba\xbb\x52\x1a\xd5\x6b\x08\x0e\x55\x64\x41\x3b\xe5\x96\x99\x4a\xfe\x9d\x45\x55\xf7\xb7\x53\x0c\x4f\xb1\xad\x9b\x55\x90\x0c\x76\xba\x40\x49\x71\xd8\xe2\x72\x6a\xc6\x48\x0e\xc1\xe1\xb5\x6f\x68\x60\x0e\x79\x0a\x32\x80\x6f\x10\xee\x80\x76\xff\xbb\xe6\x31\x30\xb7\x2a\xe2\x2f\x0a\x79\x9a\x56\x58\xf2\x72\xfa\xed\x77\x0f\x1c\x72\xe4\xb6\xc3\x2f\xa1\x9b\x6b\x9e\xc2\x8c\xec\x7b\xfb\x3b\x08\x69\xe7\xf4\x7b\xb3\x2b\x63\x1d\x44\x0b\xb1\x50\x4e\x92\x7f\xbf\x0a\x75\x29\x59\xc4\xa6\x33\x45\x9b\xd2\xd3\x49\x26\xad\xa2\x2b\x97\x71\x6a\xdc\x61\x47\x0e\xda\x3a\x96\x8b\x89\x89\x82\xd8\x96\xe7\x7d\xa4\x7a\xf7\xd4\x89\x72\x8a\xde\x39\x50\x57\x53\x89\xaf\x48\x83\xb2\x1f\x53\xe9\xf4\x9d\x4b\x4f\xec\x3c\x56\xb9\x5f\xae\x00\x27\x1b\x01\xfd\x3a\xda\xc9\x79\xba\xca\x1f\x9c\x3b\xd6\xf0\x78\x42\x47\x20\xf7\x47\x59\x1e\xa8\xdc\x70\x94\xc6\x08\xb1\x47\x6d\x1e\x10\x51\xa5\x5b\xb1\xe5\x94\x10\xef\x9d\x8c\x29\xf0\x0a\x6a\x4d\x9b\x31\x03\xa8\xd2\xaa\x08\x7e\x91\x11\x6f\xb3\x63\x97\x58\xad\x6f\x93\xed\x07\x06\xbf\x99\x3e\xce\x70\xe8\xed\x75\xbe\xa2\x89\x70\x85\x9c\x72\x56\xf9\x72\xaf\x86\x2b\x45\xb4\x2b\xe1\x59\x57\xe2\x18\xfa\x65\x42\x4a\xaf\x13\xc2\xa8\x47\xce\x1d\x40\xda\xb5\x2e\xe7\x57\x66\x92\x45\x14\x0c\x43\x46\xc5\x81\xf2\xe9\xab\x2e\x72\xb6\x44\x28\x23\x72\x50\xe1\x42\x93\x51\x78\x45\x56\x8d\x20\xed\xb8\xb1\x03\x10\x6c\x48\x26\x62\x1b\x6b\xb0\x75\x6c\x1f\xac\xd8\x59\x50\x9f\x93\x31\xd0\xa1\xaa\xde\xe7\xad\xf1\x34\xd4\x63\x30\x98\x11\x22\x0e\x9b\xdd\xf1\xdc\x63\x02\xad\x89\xab\xab\x68\xe3\x2f\xd5\xf7\xc2\x7c\xa0\xb2\x17\xd8\xc2\xec\x34\x2a\x26\x05\xfe\x54\xee\xd4\x32\x1b\x34\xea\xf5\x4f\x8c\x21\x62\xd3\xbf\x5d\x7a\xce\x24\x29\xfb\xeb\x4c\xa1\x87\x06\x50\x26\xaa\x81\x4a\x98\x33\xb6\xee\x94\x3d\x1d\x33\x7d\xe2\xd9\xec\xda\xab\x2c\xf4\x63\x4c\x16\xa9\x15\xe6\xa9\x64\x8b\x36\x8d\x8d\xf8\xd6\xd2\xde\x47\x72\x11\x21\x4b\x3e\x8c\x29\x1f\x16\xed\x30\xea\x38\xff\x58\x1b\x81\x89\x9c\xd1\xc4\xa7\x4b\xb3\x38\xa6\x32\x20\x03\xc9\xfc\xbf\x16\xa0\xac\xf0\xc6\x7b\x97\xd8\x5d\x55\xa6\xb8\x1f\xb7\x53\x6d\x43\x4a\x0e\x49\x99\x29\xe0\xda\x0a\xe3\x18\x18\xda\x52\xcc\x25\x24\x18\x80\x26\x21\xcf\x28\xee\x5c\xd5\x55\xf1\x3d\x4a\x0f\x6c\x41\x60\xb9\x70\x16\x80\x9b\xa7\x5f\x30\x50\xc2\xef\x1d\x3f\x90\x04\x5e\x97\xf4\xea\x5d\x03\x73\x9a\x8c\x5a\xb3\x49\x2f\x5d\xd5\xb1\x67\xd8\xf5\x29\x49\x61\xf9\x42\x84\x7d\x95\x50\xf1\x1f\x73\xa8\xff\x1b\x8b\x28\x8d\x27\xa0\xfb\x75\x9d\x86\x54\x46\x91\xf9\xee\x3f\x9e\xe4\x8d\x0e\x57\x3f\x21\xcc\xef\x46\x10\x30\x28\x71\xc7\xae\xc5\x59\xad\xe8\x95\x11\xdd\x90\x75\x80\xf8\xf0\xd1\x19\xb8\x27\x4f\x65\x2f\x5e\x4c\x8a\x8d\x32\xf3\x0f\x24\x43\xeb\xf4\xd9\xbc\x12\x48\x61\x88\xc5\xaf\x74\xf9\x8d\x31\x54\x95\x38\x9f\x10\x30\xd4\x5d\xe4\x21\x9c\xaa\xea\xb0\x35\xbd\x51\x1a\xfe\xa1\x8c\x84\x48\xbf\x80\x54\xde\xbe\x9c\x74\x7e\x60\x43\x1d\x66\x01\x5c\x62\x57\x8a\x00\xdb\xdf\xc0\x6a\x5d\xd5\x27\xe3\x14\x13\xe8\xdf\x00\x42\x0c\x33\x2b\xb4\x16\xdb\x84\x20\x0c\xb7\xe1\x47\x08\xa1\x37\xb7\x54\x90\xd9\x5f\xfd\x69\x3c\x9b\xd2\x15\xcf\x71\xc3\xf8\xe2\xd1\xaa\xab\xff\x3d\xd6\x3c\xc2\x28\x0a\xb6\xea\x46\xa0\x39\x0e\x75\x35\x63\x50\x59\xd1\x28\xb5\xa9\x2f\x68\x67\x3a\x05\x8d\x96\x33\x03\xe7\xe5\x79\xcc\x16\x61\x9d\x78\xc6\xdb\x79\xe8\x26\x21\x52\x5a\xef\x9a\x8a\xf3\x0d\xf9\x11\x2c\xe2\xb6\x8d\x56\x8c\x39\xa8\x13\x8e\xbe\x5d\x0c\x3c\x26\x38\x02\x09\x5c\x3c\x4f\xe2\xa9\xba\x48\xd9\x7f\x6d\xf3\x11\x26\xb6\x4a\xbd\xb3\x7c\xf8\x06\xb4\x10\xaa\x9f\x32\xc8\xf2\x0a\xb1\x37\xe1\x2d\xa9\x9f\x8f\x06\x96\x07\x22\x4a\xc1\xcc\xf6\x10\xe3\x62\x12\x45\xf7\xcf\x01\x7f\x8b\xb1\xf5\xde\x00\xbe\xdd\x6a\x66\x81\x1b\x28\x6a\x87\x0a\x89\xc1\x13\x08\xa3\x5d\xfc\x58\xba\x24\x5e\x93\xc1\xd3\xa5\xff\x01\x0f\x8d\xe2\xaa\x44\x6a\x90\xd1\x53\xb3\xe6\xf8\xd0\x72\x5d\xab\x1e\xe4\x35\xba\xb2\x6a\x08\x42\xc5\x72\xd3\x88\xe2\xb6\x26\x57\xc1\x33\xe5\xca\x2d\x47\xfe\xc6\x55\x61\xab\x2a\x71\xc6\xd7\xfb\xdd\x24\xdb\xf0\x50\xf6\x88\x9d\x83\x22\x70\x94\x17\x80\x96\x99\x6d\x85\x66\x25\xdd\xcd\xbc\x23\x6c\x0b\x5e\xd2\x8e\x7c\xf7\x18\xb4\xf8\x05\x89\xd3\xde\xcc\xee\x9e\x70\x54\x36\xdd\xe6\x45\x5d\x8f\x0b\xea\x6f\xc4\xc3\x54\x4d\xf5\x5d\xfd\xa6\xd5\x2d\xeb\x92\x1c\x0b\xcd\x96\xf8\xa0\xc5\xdd\x8c\xe9\xd3\x8c\x00\x83\x7a\x56\x28\xa3\xb2\x52\x97\xcd\x3b\xaa\x14\x90\x54\x5b\x5c\xcb\x87\x1c\x36\xac\x1a\xac\x4c\x70\xb0\x5a\xa4\x59\x73\x4a\xa5\x23\xec\xf9\x47\x6d\x90\xe7\x19\xba\xa1\xe0\x3d\xe3\x49\x2c\x3b\xd1\x0e\xe0\x29\x0a\x6c\xba\xda\x72\x96\xb2\x6f\x46\x3b\xcb\x05\x1b\x53\xf0\x8e\x9a\x80\xc4\x71\x57\xcb\x49\xb7\xde\xd5\x02\x11\x21\xc0\x43\x15\xfe\xa9\xd4\x80\x0d\xd2\xd6\x23\xc9\x12\x34\xf9\xce\xc3\xa7\x87\xbc\x28\xf2\x73\xb0\x29\xcb\x66\xd5\xa0\x5d\x54\x63\x11\x61\x38\xfb\xc8\x75\x79\xa7\x1e\x0d\xbb\x29\x70\x38\x67\xfa\x8b\x69\x21\xb6\xfe\x65\xa7\xd1\x96\xe5\x14\xd8\xa8\xc2\x1e\xa8\x56\x66\xda\x05\xb7\x2c\x0b\x3d\xac\x14\x4f\xe9\x04\xd8\x18\x43\x1b\x5d\xc7\xa9\x0c\xc3\xe2\x52\x66\x7d\xe0\x4b\xc6\x1a\x19\xdc\xa5\x65\xf5\xa5\xc1\xf4\x21\x6c\x69\xcb\xb5\x9c\x71\xdb\x52\xe2\x8d\x85\xc1\x37\xd2\xc4\x86\x62\xd3\x18\x13\x04\x1b\x60\x65\x31\x39\xbd\xe9\xd2\xb5\xc4\x72\x68\x5b\xef\x17\x7c\x2f\xa2\xbd\x82\x56\xb3\x2a\xfd\x59\x8e\x4f\x82\x52\xc5\x7c\xd0\xc4\xea\x6f\x7d\xf7\x76\x31\xec\xf0\x0b\x0b\x6f\xae\x05\x82\xb3\xaf\x17\xa5\x77\xba\x6f\xda\xdb\x8c\x22\x74\xb6\x3c\x3a\x5c\xec\x2c\xf0\xf3\x02\xdf\xdc\xae\xb2\xa3\x8e\x32\x57\x37\x99\x80\x3b\x73\x68\x6f\x45\xab\x88\x5f\x43\xdf\x45\x61\x62\x4c\x34\x7a\xb1\x11\x55\x91\xae\xc4\x23\xb0\x9b\xfd\x69\x46\x17\x23\xde\x7b\x10\xf9\x18\x9d\xfe\xc9\xf0\xb2\xd3\xb6\x6c\xf8\xb1\xae\x59\xdb\x79\xfc\x26\x11\xa6\x55\x61\x65\xc3\xfd\xd1\x1e\x43\x80\x81\xf2\xe7\x47\x3d\x3c\x16\xae\x56\x76\x19\xe5\x8e\x4e\x4d\x24\x33\x74\x9b\x90\xee\xae\xe1\xf4\xe5\xf9\xe2\xac\xc3\x7c\x67\xbd\x22\xdd\x92\xb8\x56\xeb\xab\xf0\x4b\x09\x4b\x8a\x87\xd3\x86\xe4\x44\x46\xbd\x32\xcd\x75\xb6\xdc\x35\x24\x69\x90\x7d\xd3\x9a\xe2\xbd\x9c\x5f\x96\x5c\x3f\x17\xaf\x0b\x77\x85\xa5\xea\xf4\xfe\x48\x5d\x4c\x31\x16\xae\x77\xa7\x4a\xb1\x65\xea\xf4\xce\x8f\xd8\x63\x4a\xdf\xf3\x90\xbe\xe9\x1b\x5b\x30\x17\xea\x83\xc1\xb2\xff\xd7\xd0\x4d\xd0\xc4\xdb\x62\x5d\x6c\x4f\x99\xca\xdb\x2f\xc1\xdf\x1d\xf8\x77\xa6\xc5\xee\x05\x64\x33\x49\x4b\xcc\x7d\xf9\x2f\x02\x39\xaf\xa2\xfe\x75\xff\x14\x1b\x2e\x74\x97\x5f\xb8\x0c\xf9\x57\xc5\x17\x37\x50\x59\xa6\xa0\x95\xd4\xb8\xa9\x17\xb7\x1d\x52\x0a\x36\x03\x66\x2d\xde\x20\xde\x7c\x73\x97\x94\xb6\xcc\xdd\x18\xfd\x54\xc0\x5c\xcc\x81\x44\x71\x89\x9c\x4d\x62\x14\xd8\x80\x5b\xef\x7b\xa4\xa4\xde\x0e\x02\xe5\x67\x5d\x5f\x80\x65\xcc\xb2\x24\x2d\x51\xeb\xa5\xcf\xe8\xef\x3c\xd7\x0b\x53\x2f\x9a\x0b\xc2\x2d\x9b\x64\x19\x3c\x79\xb6\xce\x46\x88\x90\xe6\xfc\x7f\x69\xae\x0c\xbd\x8e\x3a\x42\xae\x06\xfd\xa9\x8b\xfc\x7e\x04\x17\x16\x95\x9e\x5a\xee\x95\x11\x46\x43\xa3\x08\xc4\x33\xe4\x02\x91\xc5\x32\xff\xfe\xa7\xc8\x8d\xe8\xe5\x36\x11\x9a\xda\x3c\x52\x89\xc9\xc5\x7d\x1d\x47\xfa\x06\x26\xbe\xf3\x27\xfa\x8c\x19\x56\x76\x06\x64\xf9\x6a\x38\x53\x8a\x81\x88\x37\xe9\xc8\xa6\x6a\xcf\xa4\x2e\x01\xd5\x9f\xe3\x9a\x9c\x72\x61\xa7\x7d\xff\x5a\xc5\x09\x20\x5a\x25\xf7\xc7\xd5\x6b\x27\x5f\x65\x10\x7c\x3a\x4f\xd2\x6e\x8e\xdc\x67\x7e\xb9\xa4\xc9\x20\x80\x51\xe5\x21\xfb\x7c\x93\x2b\xdf\x60\xfd\x69\xd1\x0c\x92\xf9\xbe\x09\x2b\xd6\xee\xc6\x8d\x05\x97\x2f\x82\x00\x58\xc5\x31\xd1\x20\x68\xe4\x97\x5c\xcb\x0d\x4f\x03\xf8\x89\x37\xdc\x17\x89\x98\xa7\xd6\x8d\x43\x30\x79\xf5\x1d\xa4\x23\x9a\x5f\x5f\xd4\xa5\x63\xfe\x6a\x73\x82\x45\xfb\xca\x5e\x6b\x0b\xd8\x8a\xbb\xd6\xeb\x9f\xd8\x09\x31\x03\x6b\x02\x34\xcf\x66\x7a\x53\x40\xec\x16\x67\xc5\x78\x2d\xe6\x75\xab\x47\x86\x20\x18\xd9\x4a\xe8\xb7\xde\x93\x20\xd3\x81\xcb\x84\x3b\x1a\x88\x5d\xda\xf3\x1c\x35\x76\xf2\xce\xbb\x6a\xb9\x57\x6c\x33\x4d\x3d\x40\x1f\xa6\x16\x32\xdb\xa1\xe6\xcc\xec\x91\x5c\x45\x00\xf8\x6a\xc2\x89\xa1\xde\x65\x49\xf7\xea\x27\x6f\x9f\xf9\x00\x89\x68\xab\x31\xa7\xa6\x48\xec\xd6\xf3\x6e\xd1\x85\xaf\xb3\xe9\xb3\x4c\x92\x28\xe2\xd7\x26\x94\x4c\x33\x22\x7a\x9e\x3d\x77\xe4\xd5\xbe\x8b\xd8\x50\xf3\x10\xdd\xa0\xfb\xc3\x0a\xff\x3f\x5b\xf2\xf1\xea\x3e\xed\x0c\xe2\xff\x15\xa7\xc3\x13\xcd\x87\xa7\x9a\xdd\x3e\x29\x0c\x2e\xcd\x76\x4c\x45\x55\x20\xd5\x81\xe3\xaf\x9e\xbe\x2c\x56\xd1\xde\xef\xaf\xa8\x73\x1b\xfb\x49\x06\xb7\x4d\x13\xf2\x71\x20\x48\xb4\x1a\x51\x58\xcf\x3c\xdb\x81\x5c\xd8\xd6\x3c\x90\x12\x46\x86\xdf\xb5\x67\x34\x83\x4e\x15\x53\x4f\x2b\x8b\x7e\xe2\xb2\x24\xea\xf7\x95\x15\x02\x1d\xe3\x15\x61\x91\x67\x7c\xa7\xfb\x47\x67\x42\x92\xf4\xed\xed\x88\x7f\x3a\x63\xba\xaf\x56\x4e\x35\x8e\xe2\xdf\xdf\x12\x73\xb3\x73\xc3\xaa\xb4\x99\xf4\xbc\x54\x8e\xde\x75\x12\xb5\xe2\x2c\xbe\xd7\x61\x8b\x23\xbc\x64\xb4\x6c\x8e\x6f\xba\x9b\xfe\xaa\x96\x3b\x33\x5d\xe5\x8d\x0d\x8b\x66\x32\x4b\xa8\xf5\x92\x52\x9d\x12\x09\x4d\x22\x66\x81\x92\x96\xd3\x95\xe7\xb3\xb0\xb2\xe7\x15\xe7\xed\x73\xfa\x8e\x2a\x1e\x15\x11\x59\xed\x41\xec\xf7\x54\xf7\x3c\xf8\x21\x68\xdf\x08\x14\xaa\x0c\x6f\xd8\xb9\x98\x8d\x20\x8f\x66\xba\xdb\xb9\x0a\x54\xb7\xa9\xb3\x11\x83\x9c\xd6\xcb\xbf\x09\x28\x01\x37\x67\x7a\x98\x4d\xdf\x87\x95\x1a\x47\x13\xcd\xf7\xf4\x94\xfb\x54\xe5\x37\xd8\xf1\x62\x8d\x79\x4e\xef\x29\xed\x26\xe3\x13\x21\xac\x41\xb9\x37\x3d\xc1\xcd\x85\xe4\x82\xd7\xe7\xbd\x56\xba\xef\xbd\xa3\xe2\x05\xc2\xd4\x85\x51\x26\xda\xbd\x2e\x24\x44\x62\x14\xa6\x33\xeb\x31\x1c\xc4\x87\xb8\x63\xf1\x11\x59\x63\xa4\x21\xaf\xa6\x1a\xe4\x88\x32\xeb\xed\x5e\xae\xcd\xae\x72\xd2\x7d\xe0\xce\x76\x17\x36\xe1\xa7\x1b\xcc\xfd\x36\x1c\x2c\x9d\xfc\xe6\x19\x60\x9e\xbc\xa1\xa0\xd4\xd8\x63\x75\x46\x89\x1d\xf3\x8f\x25\x97\xea\xa1\x00\x7d\xb2\xd3\xf2\x0e\xf9\xa6\x56\x0c\x71\x63\xed\x1a\xe4\xb5\x5d\xea\x61\xc3\x1f\xbf\xd2\x88\x84\x60\x50\x6d\xbb\x7a\xf2\x6c\x17\x8c\xca\x34\xea\xd9\xde\x4f\x0b\x71\xa0\xf2\x16\xdf\x95\x8f\xe4\xf3\x85\xe2\xc5\x90\x8a\x5a\x55\xfd\xc0\x32\x2e\x2d\x97\x93\xf8\x8f\xb6\xad\x76\x6f\xfe\x8e\x17\xb6\x44\x96\x4b\x27\x49\xe5\x64\xab\xfe\x28\x69\x24\x16\xc6\x61\xa8\xce\x57\x0b\xaf\x46\x4d\x47\xa0\xf1\x28\x88\x88\x94\x9e\xe8\x0b\x4a\x62\x60\xd0\xc6\xb4\xf7\x54\x7f\xe0\x1d\xdc\x10\xda\xda\xed\x67\xf3\x9b\xe2\xa7\xa6\xf1\x21\xcf\xcc\xe4\x90\x29\xbc\xca\x23\xf7\xe4\x98\x54\x11\xb8\x16\xfb\x9b\x6b\xce\xab\x0c\xd1\x35\xcf\x71\xa7\xeb\x10\xc9\x71\x46\xb3\xf3\x42\xaa\xba\xfa\xac\x9c\x2c\x69\x0d\xcd\xfa\x46\xfc\x4d\x28\x86\x23\xce\x1d\x13\x85\xdd\xed\x99\x71\x5f\x35\x1f\x39\xb5\x8e\x0a\x75\x61\xce\x85\xda\x8e\x85\xee\xd6\xca\x8d\x4e\xeb\x9a\xa2\xbc\xb7\xcc\x77\x71\x6c\xaf\x84\x39\x3b\x3a\xcb\xb6\xfb\xd9\x3d\x5e\x26\x6f\x62\xd2\x34\x6d\x58\x86\xc3\xc5\x8e\xbd\x6f\x71\xda\x40\xe1\xe6\x77\xbe\xef\x21\x5b\x19\xa9\xdf\xe5\x2e\x08\x62\xd0\x6f\x28\x7c\x72\x40\xb4\x70\x95\x4c\xc0\x05\x71\xdc\x40\xc2\xd6\xfe\x95\x82\x91\xcd\x26\xfc\x28\xea\x60\x13\x95\x8d\x00\xb0\xa7\xf0\x19\x10\x33\xb2\x44\xa9\xcd\x14\x6b\xbe\x14\x49\x2e\x47\x99\xe9\xa2\x0a\x27\x69\xf0\x96\x91\x51\x55\x59\x4a\x63\xe3\xa5\x37\x43\xb0\x6e\x44\x72\x3d\x7f\x40\xf4\x56\x47\x31\x4a\x7b\xa9\x59\x20\x1d\x2a\x1d\x6b\x45\xf6\x5a\x49\x39\x83\x38\xaf\xc8\x20\xc7\x65\xad\x7f\xb7\x59\xa4\xa8\x40\x88\xe0\xca\xbe\x22\x09\xf7\xfc\x39\xe5\xe5\xdc\x17\x72\x13\xfb\xc1\x2c\x8f\x1f\xa8\x28\x40\x1b\x10\xe3\x94\x89\x6a\x80\x95\x76\xec\x11\x8a\xd7\x15\x04\x8c\x7f\x2f\x5a\x33\x17\xdb\xd2\xb2\x5d\x75\x95\xf6\xa1\xa1\x33\x1f\x97\x8d\x31\x3f\x64\x92\xbf\x81\xe7\xb7\x86\x8e\xd9\x84\xc4\x00\x71\xd2\x08\x54\x03\xa8\x3b\x98\x94\x81\x61\x49\xc6\x1b\xaf\xdb\x55\x3c\x31\x30\x3d\xf5\xcd\x1e\x6a\x0e\x28\xd8\x1a\x10\xd9\x43\x09\x46\xb3\x29\x72\x51\x22\xb1\x5a\x45\xf8\xff\xcc\xc5\xb6\x66\x32\xef\x9b\x3e\x62\x91\xb8\x80\x7d\x7c\x2e\xcf\x36\x1f\x9c\x33\xb2\x2e\xc1\xb4\xe9\xb1\xc1\x5d\x5b\x7f\x69\xd7\xe6\x3a\xfe\x29\xa9\x18\x02\xaf\x6c\x5b\x40\xc6\x09\x19\x70\x63\xce\xa2\xd2\xeb\x67\x92\x44\xad\xcd\x98\x1b\x71\x9f\xb9\x91\x23\x1a\x18\x10\x2b\xf4\xf3\xc3\x1d\x3a\xf4\xbe\x37\x56\x8b\x8e\x82\xc3\x3c\xa8\xe4\x38\xd9\xdc\x07\x6f\xe1\x7f\xf2\x1b\x9f\x92\x4c\x8d\x8a\x60\x65\x29\x41\x04\x6f\x08\x5d\x86\x1d\x33\x8d\x37\x6f\xba\xe9\x1f\x85\x46\x0c\x1b\x13\xe3\x8b\xfc\x5b\x72\xcf\x19\xed\x32\xd3\x4b\xf8\x5b\x2c\x13\x2c\x23\xc4\xc2\x51\x67\xbe\x36\x53\x68\xee\x0c\xb3\x81\x8a\x85\x6d\x51\x40\xde\x04\xf9\xae\x44\x5a\xbc\x2a\x3a\x96\xc2\x30\x23\xbe\xc3\x2b\x22\xe3\xb3\xee\xd7\x0c\x25\xaf\x8c\x1b\xc5\xfd\xd6\x73\x1f\xe4\xbf\x7d\x56\xa8\x1a\x3f\x22\x6a\x0e\x94\x42\x2d\xa5\xca\x31\xa6\xf3\x89\xf7\xf3\xc1\xbc\x3f\x87\x05\xde\x1d\xc0\xf6\x56\x55\x2a\xf4\x68\x4f\x3e\xc2\x35\xd5\x26\xcb\x64\xf1\x9a\x5a\x91\xe8\xa2\x91\x47\xe3\xf7\xe1\x31\x10\x7a\x13\x03\x5b\x36\x5a\x0d\x40\x18\xd0\xba\x85\x5d\xa9\x0b\x7f\xc0\x01\xfa\x12\xd6\x2a\x43\x52\x2f\x1c\x45\xa9\x3e\xde\x4c\x10\x84\xdb\xb1\x01\x9e\xbd\x46\x4b\x33\xc7\x88\xf1\x24\x68\x3f\x99\xa8\x66\x50\x26\xf5\xd8\x7b\xae\x95\x4e\xee\xc7\x68\x4c\x63\x1d\xe3\x88\x26\xaf\xcd\xe6\x1f\xc3\xf2\x38\x2e\x60\x7a\x78\xa5\x83\x07\x57\x61\xf5\xdd\xf4\x12\x33\xa7\x27\xa1\x5f\x75\x83\x1e\x72\x06\xb3\xb2\xe8\xab\xc0\x3a\x8e\xa7\xa3\x43\x70\x91\xc5\x59\x38\xbf\x16\xe5\x43\x5f\x48\x3f\xd9\xa3\x4e\xd8\x79\xdf\x65\x20\x09\xfc\xfc\x3b\xa6\x0a\x28\x7b\x2d\xf7\x7f\xe1\x36\xdc\x6d\x1c\x9d\xc2\x4b\xef\xf5\x6e\x88\x8e\x54\x97\xfb\x91\xa7\x33\xd5\x8b\xca\x73\x95\x21\xf7\xf1\xaf\xa4\xf9\x4a\xc1\xea\x3b\xc8\xd2\xcc\xe1\x68\x9e\xb3\xa3\x9b\x9b\xb8\x1f\x96\xe9\xac\x19\x64\x6c\x58\xa4\xeb\x72\xd4\x7f\x65\x3b\x4a\x28\xb4\xc2\xb4\x34\x09\x47\x22\x6f\x08\x54\xc4\x5f\x76\x6c\x1a\xe6\x5d\x63\x00\x71\xac\xf0\x4b\x89\x9d\x14\x67\xb4\x60\x57\xc3\x35\x76\x9c\x4d\xd2\x30\x77\xfa\x6b\x08\xa7\xcd\x44\xcb\x3f\xad\xaf\xfa\xd3\x34\xf0\x30\x09\x81\x58\xdf\x1e\xc8\x9d\xd7\x7f\x36\xa9\x5a\xb5\x8c\x08\x0f\x86\x01\xd9\x39\xbb\x2e\x14\x3e\xca\xe4\x78\xc0\xae\x46\xa7\x97\xe8\x81\x21\x84\x4d\x81\x29\x6d\x09\x42\x1f\x25\xe2\x7a\xbb\x3e\x35\x7f\xed\x43\xa4\x73\x3e\x33\xdd\x21\xd9\x0a\xb4\xaf\x3f\x77\xb3\x41\xc3\x5e\xa8\xd7\x22\x2f\x49\xdc\x24\xe9\x2e\xe2\x6f\x28\xb2\x12\x7f\xcc\xbf\xdd\x63\xe1\xfe\x24\x15\x90\x10\xa2\x3c\x88\x52\x92\xb5\x5c\x4b\x61\xa7\xa9\x06\x66\x64\x55\x59\x82\xe6\x57\x74\x4f\xe4\x28\x6c\xe5\xa1\x83\xea\x22\xcc\x46\x27\x21\xbf\x9e\x61\xfc\x78\xd5\xf2\xc8\x14\x04\x13\x31\xf0\x9a\x01\xa9\x58\xe2\xb6\x4c\x5a\x08\x26\xa5\x53\xa8\xb9\x94\xd6\x6d\xbe\x89\xfa\xa6\x40\x3b\xbe\x70\xad\xb3\x82\x3a\x1b\x55\x27\x6f\x08\x9b\x4b\x38\x57\xf0\xa4\xdb\x9e\x89\x15\xba\x0f\xea\x98\xb8\x81\x17\x75\xca\x4b\x95\x08\x89\x4d\xd7\x8d\x80\xa2\x0a\x9a\x9f\x89\x05\x4b\xab\xb1\xfa\xe3\x04\x50\x9c\x15\x84\xd4\x44\xa8\xae\xd1\xf5\x42\x6c\x78\x01\x0c\x8e\x8e\x9a\xd1\x7b\x89\x4f\xa5\xe3\xb8\xd6\xcf\x8a\x9a\x23\x1f\xd5\x96\x70\x94\xc7\x8c\x7b\x88\xf8\xc7\x04\x0b\x09\x84\xdf\xe8\x78\xbb\x29\x58\xca\x39\x91\xed\x8e\xff\xcc\xe2\x34\x8b\xc6\xab\x93\x75\xe0\xf8\xc1\x95\x43\x62\xcb\x3e\x69\x7a\xe0\x1c\xab\xb0\x66\x55\x81\x2c\xea\xb2\xea\xc9\x38\x3e\x04\xef\xc1\xd6\x0b\xec\x2f\x18\x8f\xae\xcf\x37\x3a\xe8\x12\xae\xda\x6e\x7c\xfb\x74\x07\xf3\x22\xc1\x33\x35\x89\x33\x4b\xcd\x72\x04\xee\x02\xad\x89\x67\x8f\xc2\x99\x71\x7c\xc1\x31\x7e\xb5\x31\x12\xd9\x51\x59\xc3\x8d\x92\xd0\x1a\x13\xbe\xee\x3e\x3c\xe6\x4a\x95\x00\xe6\x94\xd2\x53\xb7\x57\x5d\x37\xd2\xed\x59\x96\x80\x9b\x02\xc1\xc4\xa4\x85\xd4\xc0\xda\x6e\x84\x5e\xca\x35\x55\x93\xcf\x18\x46\x27\xdd\xfb\xa4\xdf\x25\x19\xbe\xed\x80\xc2\xc7\x3f\x89\xc8\x11\xa4\x46\xd3\x2f\xe2\x2f\xd5\x73\x3a\xc7\x7c\x87\x0f\x9c\x1e\x03\x73\x4b\xc4\x43\x16\xd1\xa3\x90\x76\x4c\x4f\xfd\x4f\x10\x68\x11\xcf\x57\xc9\xf6\x57\x8d\x87\x34\xd5\xf4\x9d\x91\x3c\xfb\xf2\xa8\x3b\x24\x83\x54\x1e\x6f\x91\x36\xd6\xbf\x7b\xae\xe8\x77\x02\xe4\xb1\xcb\xba\xf7\xdf\x3f\xf6\xa7\x3e\xff\x01\x3c\x28\x90\x08\xd2\xaf\x88\x16\xc3\x57\x7e\x84\x09\x59\x0a\xde\xe6\xa1\x74\x60\x0a\xa5\x16\x65\x96\xb4\xf6\x8d\x61\x43\x6b\x85\xc5\x49\xe2\x03\xcc\xde\xd5\x65\x48\x86\x2c\x5f\xc4\xf3\x82\x59\x27\xd6\x3a\x18\x31\x4f\x8d\x2f\xb1\x1e\x67\xf5\x45\x34\x0c\xbe\xf8\x24\x7f\x73\x73\xc2\x02\x8b\xb4\x05\x2b\xb4\xf7\x98\x04\x98\x47\x2d\x38\xaf\xb1\xe0\x0d\x60\xa8\x00\x96\xcd\xf0\x05\x92\x6c\xb1\x85\x60\x81\x0a\xe5\x76\x66\x7d\xaf\xc0\x67\x8d\x72\xe2\x39\x2e\x1e\x02\x63\x35\xf7\x83\x05\x68\x85\x57\x60\x70\xf0\xb3\x6a\x8c\x34\x41\x39\x22\x5f\x53\x32\xfc\x49\xc1\xe4\x58\xde\xa3\x66\xff\xeb\x2c\xf1\x2d\xe9\x67\xb5\x56\xa1\x38\x80\xca\x41\x14\x0d\x7e\x79\xfb\x56\x41\xf6\x44\x91\xc8\x79\x33\x19\xa2\x62\x7f\xa4\x40\x0a\x42\x0e\x90\xfa\x69\xa1\x59\x4c\xb6\x47\x49\x07\xc9\xa4\xac\xf6\x22\xf9\xf0\xc4\xb7\xc5\xa0\xee\xc0\x93\xb6\x71\x5e\xdd\x0c\x97\xb2\xd9\xa7\x56\x06\x01\x21\x8e\x77\x78\x4c\x97\xdd\xb1\xa4\x57\xd1\xf6\xbf\x85\x1f\x3b\xf2\x62\x3d\x2f\x0b\x1f\xf7\xc1\xe4\xb8\x5d\xba\x90\x0a\x37\x9d\x58\x46\xe7\x83\x96\x4a\x08\xb0\x16\xaf\x92\xcf\xe5\x9b\xfd\x26\xc3\x1d\x85\x93\x9f\x60\xd3\xd6\x6f\xfa\xb1\x8b\xaf\x13\xea\x47\x86\x71\x0b\x00\xbe\x25\xaf\x31\x4d\xef\x3c\xc0\x99\x61\x96\xba\x40\x35\x3d\x0c\x47\x70\x2d\x03\x3d\x46\x61\x58\xcd\x17\x73\xdd\xef\x96\x5d\xb9\xdf\x67\xfe\x1c\xf8\xb1\xdb\x86\xc3\xe2\x4a\x71\x34\x02\xba\x7d\x79\x19\x79\xb4\x6d\xca\x1a\xc2\xdf\xeb\xc3\x0f\x1a\x43\xa0\xfc\x30\x81\xe8\xaa\x7c\x00\x04\x08\x3a\x4b\x03\x2c\x35\x3e\x70\x2a\x94\x7c\x80\x1a\x65\x79\x89\x6c\x8a\x8f\xc5\x5e\xdf\x38\xd8\x18\x31\xc7\x03\xd0\xc8\x2d\xeb\xe5\x98\xc0\xbd\x2f\x99\xde\x66\x50\x21\x06\x34\x16\x36\xca\x9e\xbc\x1a\x3e\x0b\x03\x98\x51\xca\xee\xce\x0b\xc9\x6c\x9e\x3e\xef\x1c\xb3\x03\xf4\x54\xe4\x6e\x30\xe6\x50\x01\x7c\xfc\x20\x2d\x53\x69\xd2\x3c\x6a\x4b\x85\xeb\x3a\x66\x4e\x2b\x95\xcb\x71\xb2\x0e\x31\x11\x3d\x83\xd1\x30\x1c\xe5\x27\xc4\x0a\x39\x48\x5a\xdd\x09\xfb\x4b\x49\x87\x45\x58\x70\x09\xd4\x52\xa5\xb0\x9b\xc3\x57\x2d\xb3\xbf\x3b\x28\x5a\xb9\x78\xeb\xaf\x4a\x3a\xf0\x73\x32\x3f\x59\x92\xbb\x63\x0b\xf4\xfb\xcc\xd1\xc1\x8e\xd5\x54\x4c\x55\xb3\xd1\xa3\xe2\x6e\x05\xdb\x7c\x7e\x60\xa5\x70\x17\x0c\xd0\xef\x9f\x77\xa4\x74\x2c\x6e\x2c\x08\xf3\xf2\xf8\xcd\x66\xdd\x5a\xe6\x0b\x19\xb5\xfe\xfb\xd7\x2d\x5e\x57\x14\x9c\x76\x0b\x74\xac\x80\x5e\x57\x4d\x8f\xf1\x2a\x8c\x12\xce\xbc\x72\xe1\x3c\x0e\xbe\x3f\x39\x38\x0a\x93\xf2\x9b\xc7\xfb\x5e\x28\x94\x8f\x9e\xe2\xac\x05\x6f\xb4\xc0\x37\x8f\x9d\x41\x51\x73\xf9\x61\xbb\x79\x1a\xb5\xdd\xfd\xd2\xed\x71\x68\x02\x87\x66\x98\xc7\xa9\x55\x3a\x5f\xce\x4b\xf1\x61\x0e\xad\x50\xb1\x99\xe0\x2c\xcb\xd2\x6e\x00\x02\x45\x64\x47\x7c\x55\x4a\x5f\xf5\x0e\xe5\x0b\x97\x9d\x0c\xb4\x20\x2b\xa6\x03\x46\x1d\x34\x26\xf0\x6f\x4d\x00\xd4\xab\x84\x2d\xc5\x2c\x3b\xb6\x3e\x11\x7e\x1c\xc9\xbf\x09\xc4\x06\xc1\x86\xd3\xa4\x10\x9a\xd7\xed\xa0\xfc\xc1\x64\x9c\x54\x7b\x3b\x20\xeb\xe2\x6e\x2d\x81\x80\xae\x5e\x4f\x48\xa2\xe7\xfa\x45\x52\xc8\xd8\x31\x65\xc3\xea\x74\x16\x43\x28\x95\x43\xec\x56\x87\x7c\x56\x18\x77\x75\xc6\x7d\x9c\x17\x2b\x5b\x9e\x7c\x83\x8e\x19\x55\x62\xb2\xf5\x0b\xb0\x86\xef\x49\x5a\x9c\x27\xf0\x7f\xfb\xf1\xf9\xb6\xf0\x5e\x47\x6f\xec\x2d\x96\x9a\x88\xff\xf5\xd3\x6d\x2e\xe6\x73\x23\x0d\x79\x94\x57\x98\xc2\x61\x9d\x4b\x0f\x5e\x27\x32\xc5\xa9\xad\x3a\xbc\xb9\xc6\x11\x98\x67\x68\x2b\xf2\x0f\x1b\xc9\x87\xa9\x69\x2b\x43\xea\xf1\x98\xe4\xc0\x0b\x05\xfc\xf9\xbb\xd6\xd0\x61\x33\x53\xbc\x19\x04\x51\x55\x16\xd3\xaf\x2d\x1c\xef\x4f\xfe\xc7\x91\xd9\xfd\xf2\x77\x9d\xf4\xc9\x14\xcb\x8f\xf4\x0e\xe2\xe1\xbe\xdf\x97\x4e\xf9\x5b\x97\x3f\x9a\x5b\x35\xb5\x61\x5e\xd6\x07\x98\xc2\x8f\x4f\x8a\xb0\x8e\x88\x81\x01\x5b\xaf\x88\xf9\x72\x99\x85\xce\x05\x6b\xad\xbd\x88\xb1\xfa\x6f\x44\x0a\xf1\xcf\x1e\x38\x12\x43\x9b\x04\x40\x8c\xc5\x9f\x4a\x6d\xbe\x3c\xe4\xa4\x43\xc4\x76\x04\x0a\xd0\x18\xdd\x82\x8a\x0a\xff\x7f\x97\x24\x72\x08\x7e\x4d\xc5\xfd\xe2\x32\xf6\x55\x78\x1d\xfc\x42\x2c\xe4\x02\xa9\xc0\x36\x43\x6f\x7e\x20\x11\x9e\xdf\x27\xec\x00\xed\x99\xdb\xc5\xa6\xd0\x9d\x6b\xfd\xd3\xa6\x0a\xed\x38\xed\x14\xa7\x81\x20\xd3\x5e\x84\x8f\xdc\x01\x2e\xf1\xd5\x59\xae\x04\xe6\xc4\xdc\xca\xbd\xd7\x9e\x5d\x4c\x8d\xab\x90\x1b\x58\x31\x69\x66\xa2\x15\xd4\x58\x07\x24\x6d\x7b\x62\xaa\xee\x76\x0c\xfc\x5d\x90\x7b\xd4\xee\x2c\xd7\x49\xb8\x6d\x5b\x67\x9c\x40\x96\x68\xd7\xf3\x4a\x7a\xbf\xa8\x95\x34\x9f\xb9\xd9\xeb\x47\x65\xc9\xd3\x9f\x20\x1c\x40\x7b\x0d\x5a\x89\xb3\xe6\x82\x16\x96\xd0\x0d\xe3\xb1\xef\x71\x4a\x7f\x25\x9d\xd9\x4e\x1a\xc7\x07\x42\x1e\x4b\xa4\xfb\x34\x5f\xb5\x71\xa7\x85\x1b\x9b\x24\xc7\xee\x58\x5d\xe4\x10\x7a\xde\xa3\x28\xe9\xc0\x11\x8c\x9c\xe6\x26\x52\xa6\x49\x40\xd6\x38\x19\xa7\x0b\x72\x6e\x88\x51\xd5\xeb\x67\x3e\x98\xd3\x3b\xb3\xc6\xca\x62\xbe\x55\x51\xcf\xd4\xff\xa0\xe9\x35\x95\xca\x43\x87\x7c\xd8\x89\x0e\xe0\x0d\x0e\x10\x91\x43\xb2\xeb\x0c\x14\xd5\x41\xeb\x9a\xd1\x1c\xc0\x8b\x91\x19\x4f\x51\x5a\x44\x79\xc4\xcf\x33\x3c\x09\x85\x38\x42\xcd\xd7\x54\x14\xe7\xb7\xd6\x88\x91\x42\xc2\x99\x9d\xc0\xe8\x98\x6b\x6a\x3a\xc6\xe0\xb3\xc0\x30\xc9\x43\xe9\x85\xfe\xca\x92\x7d\xc9\x53\x16\x70\xa2\x3d\xc9\x11\x72\xac\x8d\x77\x9d\x9a\xce\xc6\xa7\x97\x14\xd0\xa0\xb1\x61\x1b\x23\x60\x37\x97\xe2\x22\x8c\x8d\xb7\x70\x6b\x38\xb0\x08\xa8\x32\x37\xf2\x8e\xd4\xf4\x56\x12\xdd\x9e\x68\x5c\xcc\x22\x79\xc8\x62\xce\x2c\xd7\x4e\x33\x26\xab\xd9\xdb\x1a\x8e\xf7\x11\x8c\xfc\x82\xdb\x16\x09\xbe\xc2\x2d\xd0\x50\x2a\x4d\xc3\x2c\x26\x9b\xdd\xe8\x4a\x9e\xe5\xb1\x7a\xdb\x45\xc0\x12\x70\x6e\x66\x04\x7d\xc3\x60\x5d\xa9\xf1\x69\xe2\x0c\x73\xc7\xf7\x64\x72\x01\x29\xac\x00\xb2\xae\xfb\x69\x81\x2d\x72\xff\x64\xd5\x87\x4f\xce\x5a\xca\x4d\xf6\x8b\x78\xe7\xcc\xec\xb3\x5a\xa7\x6b\x5e\x76\x7a\xe3\x94\xb4\x1b\xef\xf8\x6d\x10\x70\xb2\x11\x57\xcf\x34\x35\x9a\x16\x7b\x7d\xea\x68\xab\xdd\x22\x48\x78\xce\x3d\x38\x18\x35\x8b\x92\xa5\x2e\x4f\x31\x3b\xa3\xdf\xb8\xd9\x7d\x87\xdc\xfb\x39\xff\x43\x8b\xda\xcd\x7a\x8a\x4f\x8c\x79\xd2\x45\xe4\xb1\x6f\x42\x63\x4d\x5c\xb6\x3d\x61\x2b\xa9\xf0\x19\xb6\xc0\x6c\xbe\x52\x23\xf2\x4c\x44\xd2\xe1\x6d\x8e\xe4\xfe\xcb\xfd\x94\x1b\x24\x8b\xb6\xeb\x63\xe0\x13\x6d\xc8\x2b\x9d\xf7\x4e\xff\x1e\xbf\x9f\x04\x2d\xc9\x16\x6a\x64\x4e\xb8\x4b\x44\x45\x35\x87\xc4\x05\x16\x4f\x22\x1b\xdc\x4f\xfb\x51\xc2\x6d\x1c\xd1\x82\x8f\x69\xed\xfe\xba\xdb\xaf\xd5\xe0\x3d\x26\xbb\x6d\xce\xf5\xd4\xc6\xc7\xcf\x51\x2e\x75\x76\x09\xc9\xe5\x2a\xbc\x42\xf2\x0d\x6b\x18\xc8\x1b\x5b\xec\x2d\x5a\xaf\x54\x6f\x1e\xda\xec\x29\x1a\x7a\x18\x28\x54\x99\x11\x5d\xfd\x75\x31\x9e\x9b\x61\x02\x03\x0a\xab\x5c\x09\x95\xf6\xfa\xea\x2f\x29\xfa\x41\xe7\xd5\x82\x8b\xfa\x59\xfb\xfb\x18\x1f\x96\x00\x4a\x67\x33\x6f\x98\xba\x0b\xad\xd7\x2d\xbe\xd7\x31\x9f\x96\xc1\xbf\x8f\xd4\x3d\x1c\x0b\xdf\x65\xcf\x24\x42\x47\x58\x6b\xf9\xf4\xcb\x31\x05\xb8\xc3\x03\x88\xd6\x78\x48\xc1\xa2\x86\x7f\xb4\x16\xe4\xd5\x4b\x30\xf4\xb2\x58\xcf\x60\x5a\xeb\x72\xb9\xed\x04\xd3\xee\x73\x02\xc2\xe2\xb3\x3c\x4a\xfe\x3f\x88\xf3\xdc\x97\xc1\xcb\x1b\x0e\xa8\x3c\xfe\x5d\x14\xec\x93\x51\x03\x59\xa3\x24\xb5\x4a\x53\xc7\x4a\xcd\xf9\x19\x1f\x86\x84\xec\x2f\x43\xec\x6a\xcc\x0b\x67\x2b\x3b\xb5\x13\x21\x72\xa6\x87\x94\x41", 8192); *(uint64_t*)0x200000005c40 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x50; *(uint32_t*)0x200000002c44 = 0; *(uint64_t*)0x200000002c48 = 3; *(uint32_t*)0x200000002c50 = 7; *(uint32_t*)0x200000002c54 = 0x2d; *(uint32_t*)0x200000002c58 = 9; *(uint32_t*)0x200000002c5c = 0xa; *(uint16_t*)0x200000002c60 = 6; *(uint16_t*)0x200000002c62 = 0; *(uint32_t*)0x200000002c64 = 9; *(uint32_t*)0x200000002c68 = 0x57b; *(uint16_t*)0x200000002c6c = 0; *(uint16_t*)0x200000002c6e = 0; *(uint32_t*)0x200000002c70 = 2; *(uint32_t*)0x200000002c74 = 7; memset((void*)0x200000002c78, 0, 24); *(uint64_t*)0x200000005c48 = 0x200000002cc0; *(uint32_t*)0x200000002cc0 = 0x18; *(uint32_t*)0x200000002cc4 = 0; *(uint64_t*)0x200000002cc8 = 8; *(uint64_t*)0x200000002cd0 = 6; *(uint64_t*)0x200000005c50 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0x18; *(uint32_t*)0x200000002d04 = 0; *(uint64_t*)0x200000002d08 = 0xa; *(uint64_t*)0x200000002d10 = 1; *(uint64_t*)0x200000005c58 = 0x200000002d40; *(uint32_t*)0x200000002d40 = 0x18; *(uint32_t*)0x200000002d44 = 0; *(uint64_t*)0x200000002d48 = -1; *(uint32_t*)0x200000002d50 = 6; *(uint32_t*)0x200000002d54 = 0; *(uint64_t*)0x200000005c60 = 0x200000002d80; *(uint32_t*)0x200000002d80 = 0x18; *(uint32_t*)0x200000002d84 = 0; *(uint64_t*)0x200000002d88 = 0x80000001; *(uint32_t*)0x200000002d90 = 3; *(uint32_t*)0x200000002d94 = 0; *(uint64_t*)0x200000005c68 = 0x200000002dc0; *(uint32_t*)0x200000002dc0 = 0x28; *(uint32_t*)0x200000002dc4 = 0xfffffffe; *(uint64_t*)0x200000002dc8 = 6; *(uint64_t*)0x200000002dd0 = 9; *(uint64_t*)0x200000002dd8 = 1; *(uint32_t*)0x200000002de0 = 2; *(uint32_t*)0x200000002de4 = r[5]; *(uint64_t*)0x200000005c70 = 0x200000002e00; *(uint32_t*)0x200000002e00 = 0x60; *(uint32_t*)0x200000002e04 = 0xffffffda; *(uint64_t*)0x200000002e08 = 0xfff; *(uint64_t*)0x200000002e10 = 5; *(uint64_t*)0x200000002e18 = 0; *(uint64_t*)0x200000002e20 = 3; *(uint64_t*)0x200000002e28 = 1; *(uint64_t*)0x200000002e30 = 0x100; *(uint32_t*)0x200000002e38 = 8; *(uint32_t*)0x200000002e3c = 4; *(uint32_t*)0x200000002e40 = 4; *(uint32_t*)0x200000002e44 = 0; memset((void*)0x200000002e48, 0, 24); *(uint64_t*)0x200000005c78 = 0x200000002e80; *(uint32_t*)0x200000002e80 = 0x18; *(uint32_t*)0x200000002e84 = 0; *(uint64_t*)0x200000002e88 = 5; *(uint32_t*)0x200000002e90 = 1; *(uint32_t*)0x200000002e94 = 0; *(uint64_t*)0x200000005c80 = 0x200000002ec0; *(uint32_t*)0x200000002ec0 = 0x12; *(uint32_t*)0x200000002ec4 = 0; *(uint64_t*)0x200000002ec8 = 0x93; memcpy((void*)0x200000002ed0, "-\000", 2); *(uint64_t*)0x200000005c88 = 0x200000002f00; *(uint32_t*)0x200000002f00 = 0x20; *(uint32_t*)0x200000002f04 = 0; *(uint64_t*)0x200000002f08 = 3; *(uint64_t*)0x200000002f10 = 0; *(uint32_t*)0x200000002f18 = 5; *(uint32_t*)0x200000002f1c = 0; *(uint64_t*)0x200000005c90 = 0x200000003140; *(uint32_t*)0x200000003140 = 0x78; *(uint32_t*)0x200000003144 = 0xffffffda; *(uint64_t*)0x200000003148 = 2; *(uint64_t*)0x200000003150 = 5; *(uint32_t*)0x200000003158 = 0x30c; *(uint32_t*)0x20000000315c = 0; *(uint64_t*)0x200000003160 = 3; *(uint64_t*)0x200000003168 = 0x1ff; *(uint64_t*)0x200000003170 = 6; *(uint64_t*)0x200000003178 = 8; *(uint64_t*)0x200000003180 = 3; *(uint64_t*)0x200000003188 = 0; *(uint32_t*)0x200000003190 = 0x400; *(uint32_t*)0x200000003194 = 0x400; *(uint32_t*)0x200000003198 = 0x362b; *(uint32_t*)0x20000000319c = 0x2000; *(uint32_t*)0x2000000031a0 = 5; *(uint32_t*)0x2000000031a4 = r[8]; *(uint32_t*)0x2000000031a8 = r[9]; *(uint32_t*)0x2000000031ac = 0; *(uint32_t*)0x2000000031b0 = 2; *(uint32_t*)0x2000000031b4 = 0; *(uint64_t*)0x200000005c98 = 0x200000003240; *(uint32_t*)0x200000003240 = 0x90; *(uint32_t*)0x200000003244 = 0; *(uint64_t*)0x200000003248 = 0x8001; *(uint64_t*)0x200000003250 = 2; *(uint64_t*)0x200000003258 = 1; *(uint64_t*)0x200000003260 = 0x7fffffff; *(uint64_t*)0x200000003268 = 9; *(uint32_t*)0x200000003270 = 0xc0; *(uint32_t*)0x200000003274 = 7; *(uint64_t*)0x200000003278 = 1; *(uint64_t*)0x200000003280 = 0xffffffff; *(uint64_t*)0x200000003288 = 8; *(uint64_t*)0x200000003290 = 7; *(uint64_t*)0x200000003298 = 0xfffffffffffff801; *(uint64_t*)0x2000000032a0 = 2; *(uint32_t*)0x2000000032a8 = 8; *(uint32_t*)0x2000000032ac = 0x1ee; *(uint32_t*)0x2000000032b0 = 0xff; *(uint32_t*)0x2000000032b4 = 0xc000; *(uint32_t*)0x2000000032b8 = 0xf; *(uint32_t*)0x2000000032bc = r[10]; *(uint32_t*)0x2000000032c0 = 0; *(uint32_t*)0x2000000032c4 = 0xac; *(uint32_t*)0x2000000032c8 = 4; *(uint32_t*)0x2000000032cc = 0; *(uint64_t*)0x200000005ca0 = 0x200000003300; *(uint32_t*)0x200000003300 = 0xb8; *(uint32_t*)0x200000003304 = 0; *(uint64_t*)0x200000003308 = 4; *(uint64_t*)0x200000003310 = 1; *(uint64_t*)0x200000003318 = 2; *(uint32_t*)0x200000003320 = 1; *(uint32_t*)0x200000003324 = 0x101; memset((void*)0x200000003328, 123, 1); *(uint64_t*)0x200000003330 = 6; *(uint64_t*)0x200000003338 = 8; *(uint32_t*)0x200000003340 = 0x12; *(uint32_t*)0x200000003344 = 0xffd; memcpy((void*)0x200000003348, "./cgroup.net/syz1\000", 18); *(uint64_t*)0x200000003360 = 2; *(uint64_t*)0x200000003368 = 2; *(uint32_t*)0x200000003370 = 4; *(uint32_t*)0x200000003374 = 0; memcpy((void*)0x200000003378, "!\']!", 4); *(uint64_t*)0x200000003380 = 2; *(uint64_t*)0x200000003388 = 0; *(uint32_t*)0x200000003390 = 0; *(uint32_t*)0x200000003394 = 0; *(uint64_t*)0x200000003398 = 6; *(uint64_t*)0x2000000033a0 = 0x400; *(uint32_t*)0x2000000033a8 = 4; *(uint32_t*)0x2000000033ac = 0x3006bd82; memcpy((void*)0x2000000033b0, "\322}$/", 4); *(uint64_t*)0x200000005ca8 = 0x200000004f40; *(uint32_t*)0x200000004f40 = 0x538; *(uint32_t*)0x200000004f44 = 0; *(uint64_t*)0x200000004f48 = 0x200; *(uint64_t*)0x200000004f50 = 4; *(uint64_t*)0x200000004f58 = 0; *(uint64_t*)0x200000004f60 = 8; *(uint64_t*)0x200000004f68 = 0xe9; *(uint32_t*)0x200000004f70 = 8; *(uint32_t*)0x200000004f74 = 0x8f62; *(uint64_t*)0x200000004f78 = 6; *(uint64_t*)0x200000004f80 = 9; *(uint64_t*)0x200000004f88 = 0xffffffff; *(uint64_t*)0x200000004f90 = 0x9b; *(uint64_t*)0x200000004f98 = 0; *(uint64_t*)0x200000004fa0 = 0x8000; *(uint32_t*)0x200000004fa8 = 0; *(uint32_t*)0x200000004fac = 0x400; *(uint32_t*)0x200000004fb0 = 0xef0; *(uint32_t*)0x200000004fb4 = 0xa000; *(uint32_t*)0x200000004fb8 = 0x10; *(uint32_t*)0x200000004fbc = r[11]; *(uint32_t*)0x200000004fc0 = r[13]; *(uint32_t*)0x200000004fc4 = 3; *(uint32_t*)0x200000004fc8 = 3; *(uint32_t*)0x200000004fcc = 0; *(uint64_t*)0x200000004fd0 = 2; *(uint64_t*)0x200000004fd8 = 0x9f3; *(uint32_t*)0x200000004fe0 = 5; *(uint32_t*)0x200000004fe4 = 4; memset((void*)0x200000004fe8, 170, 5); *(uint64_t*)0x200000004ff0 = 4; *(uint64_t*)0x200000004ff8 = 1; *(uint64_t*)0x200000005000 = 1; *(uint64_t*)0x200000005008 = 2; *(uint32_t*)0x200000005010 = 0x100; *(uint32_t*)0x200000005014 = 0xdde0; *(uint64_t*)0x200000005018 = 3; *(uint64_t*)0x200000005020 = 0x401; *(uint64_t*)0x200000005028 = 5; *(uint64_t*)0x200000005030 = 0xef; *(uint64_t*)0x200000005038 = 4; *(uint64_t*)0x200000005040 = 0xff; *(uint32_t*)0x200000005048 = 0xf; *(uint32_t*)0x20000000504c = 0x94; *(uint32_t*)0x200000005050 = 4; *(uint32_t*)0x200000005054 = 0x6000; *(uint32_t*)0x200000005058 = 0x4a; *(uint32_t*)0x20000000505c = r[14]; *(uint32_t*)0x200000005060 = r[15]; *(uint32_t*)0x200000005064 = 0x40; *(uint32_t*)0x200000005068 = 0x81; *(uint32_t*)0x20000000506c = 0; *(uint64_t*)0x200000005070 = 0; *(uint64_t*)0x200000005078 = 2; *(uint32_t*)0x200000005080 = 6; *(uint32_t*)0x200000005084 = 0xf; memset((void*)0x200000005088, 1, 6); *(uint64_t*)0x200000005090 = 3; *(uint64_t*)0x200000005098 = 2; *(uint64_t*)0x2000000050a0 = 3; *(uint64_t*)0x2000000050a8 = 0x7b; *(uint32_t*)0x2000000050b0 = 3; *(uint32_t*)0x2000000050b4 = 0; *(uint64_t*)0x2000000050b8 = 4; *(uint64_t*)0x2000000050c0 = 9; *(uint64_t*)0x2000000050c8 = 0x692c; *(uint64_t*)0x2000000050d0 = 7; *(uint64_t*)0x2000000050d8 = 3; *(uint64_t*)0x2000000050e0 = 0; *(uint32_t*)0x2000000050e8 = 0x80000000; *(uint32_t*)0x2000000050ec = 2; *(uint32_t*)0x2000000050f0 = 6; *(uint32_t*)0x2000000050f4 = 0x6000; *(uint32_t*)0x2000000050f8 = 0; *(uint32_t*)0x2000000050fc = r[17]; *(uint32_t*)0x200000005100 = r[18]; *(uint32_t*)0x200000005104 = 0xfffffbff; *(uint32_t*)0x200000005108 = 0; *(uint32_t*)0x20000000510c = 0; *(uint64_t*)0x200000005110 = 1; *(uint64_t*)0x200000005118 = 0x100000000; *(uint32_t*)0x200000005120 = 0x12; *(uint32_t*)0x200000005124 = 0; memcpy((void*)0x200000005128, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005140 = 6; *(uint64_t*)0x200000005148 = 1; *(uint64_t*)0x200000005150 = 0x80000000; *(uint64_t*)0x200000005158 = 1; *(uint32_t*)0x200000005160 = 9; *(uint32_t*)0x200000005164 = 9; *(uint64_t*)0x200000005168 = 4; *(uint64_t*)0x200000005170 = 0x400; *(uint64_t*)0x200000005178 = 9; *(uint64_t*)0x200000005180 = 9; *(uint64_t*)0x200000005188 = 0x4c4; *(uint64_t*)0x200000005190 = 0xc; *(uint32_t*)0x200000005198 = 0x8000; *(uint32_t*)0x20000000519c = 0; *(uint32_t*)0x2000000051a0 = 0xf; *(uint32_t*)0x2000000051a4 = 0xc000; *(uint32_t*)0x2000000051a8 = 6; *(uint32_t*)0x2000000051ac = r[20]; *(uint32_t*)0x2000000051b0 = r[21]; *(uint32_t*)0x2000000051b4 = 0x99df; *(uint32_t*)0x2000000051b8 = 2; *(uint32_t*)0x2000000051bc = 0; *(uint64_t*)0x2000000051c0 = 5; *(uint64_t*)0x2000000051c8 = 8; *(uint32_t*)0x2000000051d0 = 0x12; *(uint32_t*)0x2000000051d4 = 2; memcpy((void*)0x2000000051d8, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x2000000051f0 = 5; *(uint64_t*)0x2000000051f8 = 1; *(uint64_t*)0x200000005200 = 4; *(uint64_t*)0x200000005208 = 0xffffffff; *(uint32_t*)0x200000005210 = 0; *(uint32_t*)0x200000005214 = 6; *(uint64_t*)0x200000005218 = 3; *(uint64_t*)0x200000005220 = 0; *(uint64_t*)0x200000005228 = 9; *(uint64_t*)0x200000005230 = 0x2c3d; *(uint64_t*)0x200000005238 = 6; *(uint64_t*)0x200000005240 = 0x479; *(uint32_t*)0x200000005248 = 6; *(uint32_t*)0x20000000524c = 5; *(uint32_t*)0x200000005250 = 0x7aa; *(uint32_t*)0x200000005254 = 0x2000; *(uint32_t*)0x200000005258 = 0x4a0b; *(uint32_t*)0x20000000525c = r[22]; *(uint32_t*)0x200000005260 = 0; *(uint32_t*)0x200000005264 = 0xffff; *(uint32_t*)0x200000005268 = 8; *(uint32_t*)0x20000000526c = 0; *(uint64_t*)0x200000005270 = 3; *(uint64_t*)0x200000005278 = 9; *(uint32_t*)0x200000005280 = 1; *(uint32_t*)0x200000005284 = 0x1ff; memset((void*)0x200000005288, 36, 1); *(uint64_t*)0x200000005290 = 5; *(uint64_t*)0x200000005298 = 1; *(uint64_t*)0x2000000052a0 = 0x10000; *(uint64_t*)0x2000000052a8 = 0xd; *(uint32_t*)0x2000000052b0 = 1; *(uint32_t*)0x2000000052b4 = 5; *(uint64_t*)0x2000000052b8 = 3; *(uint64_t*)0x2000000052c0 = 0xa967; *(uint64_t*)0x2000000052c8 = 3; *(uint64_t*)0x2000000052d0 = 0; *(uint64_t*)0x2000000052d8 = 0x200; *(uint64_t*)0x2000000052e0 = 0x8b8; *(uint32_t*)0x2000000052e8 = 8; *(uint32_t*)0x2000000052ec = 1; *(uint32_t*)0x2000000052f0 = 6; *(uint32_t*)0x2000000052f4 = 0x4000; *(uint32_t*)0x2000000052f8 = 8; *(uint32_t*)0x2000000052fc = 0xee00; *(uint32_t*)0x200000005300 = 0; *(uint32_t*)0x200000005304 = 2; *(uint32_t*)0x200000005308 = 1; *(uint32_t*)0x20000000530c = 0; *(uint64_t*)0x200000005310 = 3; *(uint64_t*)0x200000005318 = 0; *(uint32_t*)0x200000005320 = 0x12; *(uint32_t*)0x200000005324 = 5; memcpy((void*)0x200000005328, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005340 = 3; *(uint64_t*)0x200000005348 = 3; *(uint64_t*)0x200000005350 = 2; *(uint64_t*)0x200000005358 = 0x3d5; *(uint32_t*)0x200000005360 = 0; *(uint32_t*)0x200000005364 = 0x1000; *(uint64_t*)0x200000005368 = 4; *(uint64_t*)0x200000005370 = 5; *(uint64_t*)0x200000005378 = 0; *(uint64_t*)0x200000005380 = 2; *(uint64_t*)0x200000005388 = 0x7f; *(uint64_t*)0x200000005390 = 0xd; *(uint32_t*)0x200000005398 = 0xfffffffa; *(uint32_t*)0x20000000539c = 0x117; *(uint32_t*)0x2000000053a0 = 6; *(uint32_t*)0x2000000053a4 = 0x2000; *(uint32_t*)0x2000000053a8 = 0x3ff; *(uint32_t*)0x2000000053ac = r[23]; *(uint32_t*)0x2000000053b0 = r[24]; *(uint32_t*)0x2000000053b4 = 0xb737; *(uint32_t*)0x2000000053b8 = 0xd; *(uint32_t*)0x2000000053bc = 0; *(uint64_t*)0x2000000053c0 = 5; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff8; *(uint32_t*)0x2000000053d0 = 6; *(uint32_t*)0x2000000053d4 = 8; memset((void*)0x2000000053d8, 255, 6); *(uint64_t*)0x2000000053e0 = 5; *(uint64_t*)0x2000000053e8 = 3; *(uint64_t*)0x2000000053f0 = 8; *(uint64_t*)0x2000000053f8 = 0xd; *(uint32_t*)0x200000005400 = 0x8000; *(uint32_t*)0x200000005404 = 0x7ff; *(uint64_t*)0x200000005408 = 1; *(uint64_t*)0x200000005410 = 5; *(uint64_t*)0x200000005418 = 4; *(uint64_t*)0x200000005420 = 0xfffffffffffffffd; *(uint64_t*)0x200000005428 = 0; *(uint64_t*)0x200000005430 = 0xd; *(uint32_t*)0x200000005438 = 7; *(uint32_t*)0x20000000543c = 4; *(uint32_t*)0x200000005440 = 0xef; *(uint32_t*)0x200000005444 = 0x8000; *(uint32_t*)0x200000005448 = 7; *(uint32_t*)0x20000000544c = r[25]; *(uint32_t*)0x200000005450 = r[26]; *(uint32_t*)0x200000005454 = 8; *(uint32_t*)0x200000005458 = 3; *(uint32_t*)0x20000000545c = 0; *(uint64_t*)0x200000005460 = 2; *(uint64_t*)0x200000005468 = 1; *(uint32_t*)0x200000005470 = 0; *(uint32_t*)0x200000005474 = 7; *(uint64_t*)0x200000005cb0 = 0x200000005700; *(uint32_t*)0x200000005700 = 0xa0; *(uint32_t*)0x200000005704 = 0; *(uint64_t*)0x200000005708 = 0x73f5b767; *(uint64_t*)0x200000005710 = 5; *(uint64_t*)0x200000005718 = 2; *(uint64_t*)0x200000005720 = 5; *(uint64_t*)0x200000005728 = 0x8001; *(uint32_t*)0x200000005730 = 0x4c3; *(uint32_t*)0x200000005734 = 2; *(uint64_t*)0x200000005738 = 5; *(uint64_t*)0x200000005740 = 7; *(uint64_t*)0x200000005748 = 0x800; *(uint64_t*)0x200000005750 = 5; *(uint64_t*)0x200000005758 = 0xa; *(uint64_t*)0x200000005760 = 0x1000; *(uint32_t*)0x200000005768 = 0x7f; *(uint32_t*)0x20000000576c = 9; *(uint32_t*)0x200000005770 = 6; *(uint32_t*)0x200000005774 = 0x1000; *(uint32_t*)0x200000005778 = 0; *(uint32_t*)0x20000000577c = r[27]; *(uint32_t*)0x200000005780 = -1; *(uint32_t*)0x200000005784 = 8; *(uint32_t*)0x200000005788 = 0x18; *(uint32_t*)0x20000000578c = 0; *(uint64_t*)0x200000005790 = 0; *(uint32_t*)0x200000005798 = 0xb; *(uint32_t*)0x20000000579c = 0; *(uint64_t*)0x200000005cb8 = 0x2000000057c0; *(uint32_t*)0x2000000057c0 = 0x20; *(uint32_t*)0x2000000057c4 = 0xfffffff5; *(uint64_t*)0x2000000057c8 = 0x100000001; *(uint32_t*)0x2000000057d0 = 1; *(uint32_t*)0x2000000057d4 = 0; *(uint32_t*)0x2000000057d8 = 9; *(uint32_t*)0x2000000057dc = 0x40000000; *(uint64_t*)0x200000005cc0 = 0x200000005b00; *(uint32_t*)0x200000005b00 = 0x130; *(uint32_t*)0x200000005b04 = 0; *(uint64_t*)0x200000005b08 = 0xffffffffffffff98; *(uint64_t*)0x200000005b10 = 2; *(uint32_t*)0x200000005b18 = 0xa; *(uint32_t*)0x200000005b1c = 0; memset((void*)0x200000005b20, 0, 16); *(uint32_t*)0x200000005b30 = 0x200; *(uint32_t*)0x200000005b34 = 9; *(uint64_t*)0x200000005b38 = 0x400; *(uint32_t*)0x200000005b40 = 0x200; *(uint32_t*)0x200000005b44 = r[28]; *(uint32_t*)0x200000005b48 = r[29]; *(uint16_t*)0x200000005b4c = 0x8000; memset((void*)0x200000005b4e, 0, 2); *(uint64_t*)0x200000005b50 = 3; *(uint64_t*)0x200000005b58 = 9; *(uint64_t*)0x200000005b60 = 5; *(uint64_t*)0x200000005b68 = 6; *(uint64_t*)0x200000005b70 = 0xefac; *(uint32_t*)0x200000005b78 = 9; *(uint32_t*)0x200000005b7c = 0; *(uint64_t*)0x200000005b80 = 8; *(uint32_t*)0x200000005b88 = 0x7f; *(uint32_t*)0x200000005b8c = 0; *(uint64_t*)0x200000005b90 = 0x635; *(uint32_t*)0x200000005b98 = 5; *(uint32_t*)0x200000005b9c = 0; *(uint64_t*)0x200000005ba0 = 0xf; *(uint32_t*)0x200000005ba8 = 9; *(uint32_t*)0x200000005bac = 0; *(uint32_t*)0x200000005bb0 = 0x8001; *(uint32_t*)0x200000005bb4 = 0xb; *(uint32_t*)0x200000005bb8 = 0xd; *(uint32_t*)0x200000005bbc = 0x4dc9; memset((void*)0x200000005bc0, 0, 112); syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000000c40, /*len=*/0x2000, /*res=*/0x200000005c40); break; case 37: memcpy((void*)0x200000005d00, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000005d00, /*fd=*/r[4]); break; case 38: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 39: *(uint32_t*)0x200000005d44 = 0xf86d; *(uint32_t*)0x200000005d48 = 4; *(uint32_t*)0x200000005d4c = 0; *(uint32_t*)0x200000005d50 = 0x11b; *(uint32_t*)0x200000005d58 = -1; memset((void*)0x200000005d5c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x2407, /*params=*/0x200000005d40, /*ring_params_ptr=*/0x200000005dc0, /*ring_ptr=*/0x200000005e00, /*sqes_ptr=*/0x200000005e40); if (res != -1) { r[30] = res; r[31] = *(uint64_t*)0x200000005dc0; } break; case 40: res = syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ*/0x1000009ul, /*flags=MAP_POPULATE*/0x8000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[32] = res; break; case 41: res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/r[31], /*ring_ptr=*/r[32]); if (res != -1) r[33] = res; break; case 42: *(uint32_t*)0x200000005e84 = 0x64a3; *(uint32_t*)0x200000005e88 = 0x2006; *(uint32_t*)0x200000005e8c = 1; *(uint32_t*)0x200000005e90 = 0x3e2; *(uint32_t*)0x200000005e98 = r[30]; memset((void*)0x200000005e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x29b9, /*params=*/0x200000005e80, /*ring_params_ptr=*/0x200000005f00, /*ring_ptr=*/0x200000005f40, /*sqes_ptr=*/0x200000005f80); if (res != -1) { r[34] = *(uint64_t*)0x200000005f00; r[35] = *(uint64_t*)0x200000005f80; } break; case 43: syz_io_uring_modify_offsets(/*ring_params_ptr=*/r[34], /*ring_ptr=*/r[32], /*off=SQ_FLAGS_OFFSET*/0x38, /*value=*/0); break; case 44: *(uint32_t*)0x200000005fc4 = 0x1e2b; *(uint32_t*)0x200000005fc8 = 0x800; *(uint32_t*)0x200000005fcc = 1; *(uint32_t*)0x200000005fd0 = 0x2ab; *(uint32_t*)0x200000005fd8 = -1; memset((void*)0x200000005fdc, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x48a, /*params=*/0x200000005fc0, /*ring_params_ptr=*/0x200000006040, /*ring_ptr=*/0x200000006080, /*sqes_ptr=*/0x2000000060c0); if (res != -1) { r[36] = *(uint64_t*)0x200000006040; r[37] = *(uint64_t*)0x200000006080; } break; case 45: *(uint8_t*)0x200000006140 = 0xd; *(uint8_t*)0x200000006141 = 0x24; *(uint16_t*)0x200000006142 = 0; *(uint32_t*)0x200000006144 = r[33]; *(uint64_t*)0x200000006148 = 0x200000006100; *(uint32_t*)0x200000006100 = 0; *(uint64_t*)0x200000006150 = 0; *(uint32_t*)0x200000006158 = 0; *(uint32_t*)0x20000000615c = 0x81000; *(uint64_t*)0x200000006160 = 1; *(uint16_t*)0x200000006168 = 0; *(uint16_t*)0x20000000616a = 0; memset((void*)0x20000000616c, 0, 20); syz_io_uring_submit(/*ring_params_ptr=*/r[36], /*ring_ptr=*/r[37], /*sqes_ptr=*/r[35], /*sqe=*/0x200000006140); break; case 46: memset((void*)0x200000006180, 36, 1); memcpy((void*)0x200000006280, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xbd\xfd\x57\x7d\x9b\x71\x97\xf5\x66\x39\x3b\x22\x8c\xca\x01\xc4\x38\x5b\xaa\x7b\xb4\x18\xfa\x8f\x4f\x4d\x37\x3f\xe5\x8f\xb1\x57\xb4\x5a\x06\xce\x1a\xa0\xaa\xb1\x29\x2a\x2a\x28\x9e\xc8\x34\x63\x27\x86\x44\xd9\xa5\xc3\xb2\x41\x9a\xcc\x6b\xf9\xff\x6d\xed\xd3\x6c\x7c\x83\x8e\x89\xa7\x2a\x34\xad\xe9\x1f\x58\xe3\x7d\x88\x4b\xf0\xcb\xc4\x0d\xf6\xeb\x8a\xd5\x46\xea\xb7\x30\xf2\x0b\xeb\xa1\xd2\x1d\xed\xa9\xc9\xe1\x81\xc8\xd8\x66\xbf\xf9\x96\xc8\x56\x38\x86\xc1\xe0\x4f\x00\x2f\xcc\x94\x15\xcb\xc0\x94\xac\x5b\x1a\x44\x29\x80\xb1\x76\xbf\xf5\xd7\x5d\x34\x5e\x0a\x9a\xed\x89\x90\xa6\x46\xd0\xc9\x2e\x00\x1a\x91\xa3\x39\xa2\x30\x4c\x26\xc5\xc0\x00\x00\x00\x00\x00\x00\x00\x00", 208); syz_kfuzztest_run(/*name=*/0x200000006180, /*data=*/0x2000000061c0, /*len=*/0xd0, /*buf=*/0x200000006280); break; case 47: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[33], /*usermem=*/0x200000c00000); if (res != -1) r[38] = res; break; case 48: *(uint64_t*)0x200000016800 = 0; *(uint64_t*)0x200000016808 = 0x200000016280; *(uint64_t*)0x200000016280 = 0x17f; *(uint64_t*)0x200000016288 = 0x10; *(uint64_t*)0x200000016290 = 0x17d; *(uint64_t*)0x200000016298 = 0x20; *(uint64_t*)0x2000000162a0 = 0x58000; *(uint64_t*)0x2000000162a8 = 0x50df; *(uint64_t*)0x2000000162b0 = 0x182; *(uint64_t*)0x2000000162b8 = 0x18; *(uint64_t*)0x2000000162c0 = 2; *(uint64_t*)0x2000000162c8 = 0x12d; *(uint64_t*)0x2000000162d0 = 0x18; *(uint64_t*)0x2000000162d8 = 3; *(uint64_t*)0x2000000162e0 = 0x64; *(uint64_t*)0x2000000162e8 = 0x18; *(uint32_t*)0x2000000162f0 = 0xf; *(uint32_t*)0x2000000162f4 = 0x9a97; *(uint64_t*)0x2000000162f8 = 0x17d; *(uint64_t*)0x200000016300 = 0x20; *(uint64_t*)0x200000016308 = 0xfec00000; *(uint64_t*)0x200000016310 = 0x1781; *(uint64_t*)0x200000016318 = 0x17d; *(uint64_t*)0x200000016320 = 0x20; *(uint64_t*)0x200000016328 = 0x1000; *(uint64_t*)0x200000016330 = 0x691; *(uint64_t*)0x200000016338 = 0x182; *(uint64_t*)0x200000016340 = 0x18; *(uint64_t*)0x200000016348 = 3; *(uint64_t*)0x200000016350 = 0x17f; *(uint64_t*)0x200000016358 = 0x10; *(uint64_t*)0x200000016360 = 0x12e; *(uint64_t*)0x200000016368 = 0x79; *(uint64_t*)0x200000016370 = 0; memcpy((void*)0x200000016378, "\x67\x47\x0f\x48\x7f\x05\x41\x0f\xc7\x28\x0f\x20\xd8\x35\x08\x00\x00\x00\x0f\x22\xd8\x8f\x29\x78\xcb\x3d\x08\x00\x00\x00\x0f\x20\xc0\x35\x04\x00\x00\x00\x0f\x22\xc0\xc7\x44\x24\x00\xd0\xf6\x00\x00\xc7\x44\x24\x02\x00\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24\x0f\x00\x95\xbf\xfb\x00\x00\xb9\x8b\x00\x00\x00\x0f\x32\x43\x0f\x01\xf8\x36\x3e\x3e\x66\x44\x0f\x38\x3c\x6e\x0e", 97); *(uint64_t*)0x2000000163d9 = 0x182; *(uint64_t*)0x2000000163e1 = 0x18; *(uint64_t*)0x2000000163e9 = 0; *(uint64_t*)0x2000000163f1 = 0x17d; *(uint64_t*)0x2000000163f9 = 0x20; *(uint64_t*)0x200000016401 = 1; *(uint64_t*)0x200000016409 = 0x2a0c; *(uint64_t*)0x200000016411 = 0x17c; *(uint64_t*)0x200000016419 = 0x38; *(uint64_t*)0x200000016421 = 0; *(uint64_t*)0x200000016429 = 0x4a9; *(uint64_t*)0x200000016431 = 5; *(uint64_t*)0x200000016439 = 0xffffffff80000001; *(uint64_t*)0x200000016441 = 0xd; *(uint64_t*)0x200000016449 = 0x130; *(uint64_t*)0x200000016451 = 0x18; *(uint64_t*)0x200000016459 = 1; *(uint64_t*)0x200000016461 = 0x181; *(uint64_t*)0x200000016469 = 0x30; *(uint64_t*)0x200000016471 = 3; *(uint64_t*)0x200000016479 = 0xff; *(uint64_t*)0x200000016481 = 1; *(uint64_t*)0x200000016489 = 1; *(uint64_t*)0x200000016491 = 0x130; *(uint64_t*)0x200000016499 = 0x18; *(uint64_t*)0x2000000164a1 = 2; *(uint64_t*)0x2000000164a9 = 0x65; *(uint64_t*)0x2000000164b1 = 0x20; *(uint64_t*)0x2000000164b9 = 0xc001103a; *(uint64_t*)0x2000000164c1 = 0; *(uint64_t*)0x2000000164c9 = 0xa; *(uint64_t*)0x2000000164d1 = 0x64; memcpy((void*)0x2000000164d9, "\xc4\xa1\xf9\xe6\x53\x00\x66\xba\xf8\x0c\xb8\x3c\x05\x0c\x8a\xef\x66\xba\xfc\x0c\xb0\xea\xee\xc4\x01\x7a\x70\x5e\x47\x02\x36\x0f\x01\xc9\xb8\x05\x00\x00\x00\xb9\x00\x00\x01\x00\x0f\x01\xd9\xc4\x82\x99\xf7\x74\xfd\x26\xb9\x49\x03\x00\x00\x0f\x32\xc4\xc1\x15\xfa\xba\x67\x36\xc9\x58\xb8\x01\x00\x00\x00\x0f\x01\xc1\x64\x43\x0f\x01\xca", 83); *(uint8_t*)0x20000001652c = 0xc3; *(uint64_t*)0x20000001652d = 0x6a; *(uint64_t*)0x200000016535 = 0x28; *(uint64_t*)0x20000001653d = 0xb7cb; *(uint64_t*)0x200000016545 = 1; *(uint64_t*)0x20000001654d = 9; *(uint64_t*)0x200000016555 = 0x136; *(uint64_t*)0x20000001655d = 0x58; *(uint64_t*)0x200000016565 = 2; *(uint64_t*)0x20000001656d = 2; *(uint64_t*)0x200000016575 = 0x154; *(uint64_t*)0x20000001657d = 0x38; *(uint64_t*)0x200000016585 = 2; *(uint64_t*)0x20000001658d = 0x2006; *(uint64_t*)0x200000016595 = 6; *(uint64_t*)0x20000001659d = 0xdd07; *(uint64_t*)0x2000000165a5 = 5; *(uint64_t*)0x2000000165ad = 0; *(uint64_t*)0x2000000165b5 = 0x18; *(uint64_t*)0x2000000165bd = 8; *(uint64_t*)0x2000000165c5 = 0x136; *(uint64_t*)0x2000000165cd = 0x80; *(uint64_t*)0x2000000165d5 = 0; *(uint64_t*)0x2000000165dd = 0x1ff; *(uint64_t*)0x2000000165e5 = 0xc8; *(uint64_t*)0x2000000165ed = 0x20; *(uint64_t*)0x2000000165f5 = 0x6a; *(uint64_t*)0x2000000165fd = 0; *(uint64_t*)0x200000016605 = 0x17e; *(uint64_t*)0x20000001660d = 0x10; *(uint64_t*)0x200000016615 = 0x17f; *(uint64_t*)0x20000001661d = 0x10; *(uint64_t*)0x200000016625 = 0xc8; *(uint64_t*)0x20000001662d = 0x20; *(uint64_t*)0x200000016635 = 0x76; *(uint64_t*)0x20000001663d = 1; *(uint64_t*)0x200000016645 = 0x183; *(uint64_t*)0x20000001664d = 0x18; *(uint64_t*)0x200000016655 = 3; *(uint64_t*)0x20000001665d = 0xc8; *(uint64_t*)0x200000016665 = 0x20; *(uint64_t*)0x20000001666d = 0xcd; *(uint64_t*)0x200000016675 = 2; *(uint64_t*)0x20000001667d = 0x180; *(uint64_t*)0x200000016685 = 0x38; *(uint64_t*)0x20000001668d = 2; *(uint64_t*)0x200000016695 = 0x96; *(uint64_t*)0x20000001669d = 2; *(uint64_t*)0x2000000166a5 = 9; *(uint64_t*)0x2000000166ad = 2; *(uint64_t*)0x2000000166b5 = 0x64; *(uint64_t*)0x2000000166bd = 0x18; *(uint32_t*)0x2000000166c5 = 1; *(uint32_t*)0x2000000166c9 = 0xffff; *(uint64_t*)0x2000000166cd = 0xa; *(uint64_t*)0x2000000166d5 = 0x6c; memcpy((void*)0x2000000166dd, "\x41\x0f\x01\x3a\xc7\x44\x24\x00\x72\x00\x00\x00\xc7\x44\x24\x02\x03\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xc7\x44\x24\x00\xc7\xd2\xb5\x38\xc7\x44\x24\x02\x39\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xb8\x01\x00\x00\x00\x0f\x01\xc1\x40\x0f\x79\x16\x66\xb8\xbc\x00\x8e\xc0\x26\x44\x0f\x01\xc5\x41\x0f\x01\xd0\x0f\x08\x0f\x09", 91); *(uint8_t*)0x200000016738 = 0xc3; *(uint64_t*)0x200000016739 = 0x180; *(uint64_t*)0x200000016741 = 0x38; *(uint64_t*)0x200000016749 = 1; *(uint64_t*)0x200000016751 = 0xa2; *(uint64_t*)0x200000016759 = 3; *(uint64_t*)0x200000016761 = 0x40; *(uint64_t*)0x200000016769 = 3; *(uint64_t*)0x200000016771 = 0x67; *(uint64_t*)0x200000016779 = 0x20; *(uint64_t*)0x200000016781 = 2; *(uint64_t*)0x200000016789 = 0; *(uint64_t*)0x200000016791 = 0x181; *(uint64_t*)0x200000016799 = 0x30; *(uint64_t*)0x2000000167a1 = 1; *(uint64_t*)0x2000000167a9 = 8; *(uint64_t*)0x2000000167b1 = 1; *(uint64_t*)0x2000000167b9 = 1; *(uint64_t*)0x200000016810 = 0x541; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[38], /*text=*/0x200000016800); if (res != -1) r[39] = res; break; case 49: res = syscall(__NR_mmap, /*addr=*/0x200000ffa000ul, /*len=*/0ul, /*prot=*/0ul, /*flags=MAP_SHARED*/1ul, /*cpufd=*/r[39], /*offset=*/0ul); if (res != -1) r[40] = res; break; case 50: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[40], /*exitcode=*/4); break; case 51: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[33], /*run=*/r[40], /*exitcode=*/6); break; case 52: *(uint64_t*)0x200000016840 = 0x1000; res = syscall(__NR_socketcall, /*call=*/0xful, /*args=*/0x200000016840ul); if (res != -1) r[41] = res; break; case 53: *(uint64_t*)0x200000016ac0 = 0; *(uint64_t*)0x200000016ac8 = 0x200000016880; memcpy((void*)0x200000016880, "\xa6\x00\xc0\x7f\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x05\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x00\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x09\x00\xf7\x62\x00\x00\x00\x3f\xa3\x20\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x0d\x00\xf7\x62\xff\xff\x00\x3f\x4b\x45\x18\x63\x00\x00\x17\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x05\x00\x84\x60\x22\x00\x00\x44\xe4\x03\x00\x7c\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x03\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x00\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x5b\x92\x84\x60\x22\x00\x00\x44\x88\x9c\x7f\x13\x85\x79\x3c\x11\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xae\x43\x80\x3c\x0b\x69\x84\x60\x04\x00\x84\x78\x32\xd2\x84\x64\x64\xab\x84\x60\x9f\x20\xa0\x3c\xa8\xed\xa5\x60\x04\x00\xa5\x78\xb6\x40\xa5\x64\xb1\xf3\xa5\x60\x72\x95\xc0\x3c\xe2\xa3\xc6\x60\x04\x00\xc6\x78\x0a\xb5\xc6\x64\xb4\x56\xc6\x60\x7a\xf7\xe0\x3c\x4f\x1e\xe7\x60\x04\x00\xe7\x78\x6d\xaf\xe7\x64\x73\x5d\xe7\x60\x6e\xd4\x00\x3d\xea\x68\x08\x61\x04\x00\x08\x79\x84\x3e\x08\x65\x2b\x1e\x08\x61\x0f\x08\x20\x3d\x57\x99\x29\x61\x04\x00\x29\x79\x2e\xa5\x29\x65\xa3\x3a\x29\x61\x10\xda\x40\x3d\x21\xf4\x4a\x61\x04\x00\x4a\x79\x6b\x7d\x4a\x65\x1a\xc9\x4a\x61\x7a\xd9\x60\x3d\x84\x78\x6b\x61\x04\x00\x6b\x79\xf9\xf1\x6b\x65\x62\xee\x6b\x61\x22\x00\x00\x44\x8c\x30\x80\x3d\xde\x99\x8c\x61\x04\x00\x8c\x79\xc3\x84\x8c\x65\xc4\x00\x8c\x61\x42\x7e\xf3\x13\x08\xdb\x47\xfd\x63\x10\xe0\x3f\xa7\x1c\xff\x63\x04\x00\xff\x7b\x58\x16\xff\x67\x60\xa0\xff\x63\x26\xff\xa1\x7f", 532); *(uint64_t*)0x200000016ad0 = 0x214; *(uint64_t*)0x200000016b00 = 1; *(uint64_t*)0x200000016b08 = 9; syz_kvm_setup_cpu(/*fd=*/r[33], /*cpufd=*/r[41], /*usermem=*/0x200000efc000, /*text=*/0x200000016ac0, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PR*/8, /*opts=*/0x200000016b00, /*nopt=*/1); break; case 54: syz_kvm_setup_syzos_vm(/*fd=*/r[41], /*usermem=*/0x200000c00000); break; case 55: memcpy((void*)0x200000016b40, "\xe5\xb3\x1e\x15\x1b\x44\xd5\xa7\xe6\xd4\x31\x8c\x23\x84\x1c\xad\x91\x1c\xec\x23\xf0\xd3\x9a\x4b\xed\x97\x7a\x0a\x13\xd9\xf9\xd1\x06\xf5\x92\xbf\x97\xea\x28\xb0\x48\xc1\x76\x41\x55\xa6\x98\xd4\x13\xbe\x97\x12\xcc\xb2\x98\xc0\xb8\x9c\xa6\x70\x76\xbe\x69\xd8\x34\x91\xff\x71\xbc\x77\x33\xd0", 72); syz_memcpy_off(/*dst=*/r[40], /*off=*/0x20, /*src=*/0x200000016b40, /*src_off=*/0, /*nbytes=*/0x48); break; case 56: memcpy((void*)0x200000016bc0, "adfs\000", 5); memcpy((void*)0x200000016c00, "./file1\000", 8); memcpy((void*)0x200000016c40, "othmask", 7); *(uint8_t*)0x200000016c47 = 0x3d; sprintf((char*)0x200000016c48, "%023llo", (long long)6); *(uint8_t*)0x200000016c5f = 0x2c; memcpy((void*)0x200000016c60, "uid", 3); *(uint8_t*)0x200000016c63 = 0x3d; sprintf((char*)0x200000016c64, "0x%016llx", (long long)r[12]); *(uint8_t*)0x200000016c76 = 0x2c; memcpy((void*)0x200000016c77, "smackfstransmute", 16); *(uint8_t*)0x200000016c87 = 0x3d; memcpy((void*)0x200000016c88, "wlan1\000", 6); *(uint8_t*)0x200000016c8e = 0x2c; *(uint8_t*)0x200000016c8f = 0; memcpy((void*)0x200000016cc0, "\x78\x9c\x00\x00\x10\xff\xef\xe0\xf3\x2e\xee\x67\x26\x57\xd8\xe1\x2f\x0d\xef\x1e\xdc\xec\x7d\x6e\xe8\xb8\x00\xf9\xec\x5d\xce\xfa\x4e\x2f\x34\x00\xaf\xbf\xeb\x7c\xd1\x40\x1d\xf9\xc0\xa3\x6a\xaf\xe6\x78\x4e\xe5\x0c\xa0\x63\x41\xa0\x1b\x3f\xe4\x49\xf8\xfa\xc4\xd6\x1f\xc5\x7a\x81\xb5\xe1\xbb\x9d\x8d\xd5\xb7\x2d\x1f\x7f\x6d\xef\xc5\x36\x05\xcf\x95\x1f\xc6\x87\x84\xa1\xbb\x5a\x5a\xff\xb5\xa2\x0d\xd8\xc6\x4d\x9d\x5e\x7d\x68\xe8\x9f\x48\x96\xf0\xa5\x0b\xe4\x7d\x9d\x61\x0d\x02\x2f\x14\x97\x14\x80\x49\x98\x9a\x7b\x7e\xa6\x86\xaf\x0a\x6a\xde\xa7\x00\x81\xac\x0b\x4f\xaf\xed\x16\x14\x12\x9a\xe4\x1d\xec\x8b\xa2\x02\xc1\x9f\xe3\x15\x1a\xb7\x4d\x7b\x20\x51\xad\xb0\xc8\xed\xf3\x10\xcb\x88\x65\x0e\xc7\x74\x9b\xde\x4e\xaa\xb1\x51\x7b\x98\x8c\xd7\x18\x19\xab\x09\x74\x20\xc0\xeb\x23\x86\x52\xbf\x48\xcd\x2b\x1f\x50\x0e\x05\x74\xac\x4a\x7d\x2f\x54\xa8\xf0\x15\xae\xb2\x18\x8f\xc9\xaa\x13\x0b\x3e\x1e\xe5\x48\xf6\xca\x8f\x2a\x4c\x3b\xcf\xd9\xe4\x56\xee\x03\x4a\x04\xac\x28\xed\xbc\xbc\x9d\x55\xcc\x3a\xce\x6a\xe9\x26\x0e\x9b\xe2\x2f\xd0\x47\x7e\xbd\xc5\x8c\xea\x74\xc5\x73\x92\x1c\x08\xa9\x6c\xa3\x97\x9a\x94\x8c\x16\x11\x5b\x86\xba\xe4\x0b\x72\x7b\x4d\x01\x95\x0a\xd2\x6c\x2f\xd4\xc7\x73\x16\x35\x04\xe5\x5a\x63\x08\x55\x33\x79\x9f\x81\xaa\x9e\x99\x25\x6d\x11\x3a\x4c\xb8\x98\x13\xf6\x21\x0a\x4b\xc9\x69\x20\x88\x47\x8d\x0d\xe7\x55\xb7\x40\xa6\xdc\x1e\x4b\x34\x6f\xa3\x3b\x30\xa2\x67\x63\x3d\x3b\x70\x92\x3f\xab\x75\x19\x72\xa9\xb5\x3f\xd5\x28\x15\xf3\x90\x37\xb5\x3c\xb4\x69\x70\xd8\xe5\x03\xc4\x5b\x5f\x7f\x18\x6a\x25\x4b\x38\x89\x9f\xb7\x75\x1b\x21\x76\xc9\xe9\x40\x93\xc1\xfe\x7a\xab\xba\xe2\xd3\x1a\xaa\x79\xa0\x76\xa6\x70\xb2\x4e\xaa\xad\xfb\x8f\xf6\x9c\x80\xdc\x09\x8d\x95\x14\x72\x9b\x60\x52\x62\x2e\x13\x08\x0a\x09\xff\x94\x97\x3c\x24\xe4\x30\x60\x6a\x7a\x3b\x03\x43\x4d\x5b\xbb\xd3\x95\xeb\x14\x7e\xdd\x99\x9e\xc8\xe3\x8d\x0d\x98\xf4\x56\x80\x9b\x9f\xdc\xf7\x42\x30\xd6\x1e\xce\x5c\x18\xdb\x04\x04\x2d\x1a\x90\xf0\x1f\x24\x15\x28\xd9\x7d\x38\x32\xcf\xc6\x20\xe5\x97\x36\xfb\x11\xb8\x31\x36\x8d\x45\x9a\x3e\x26\x34\xa1\xdf\xda\xe8\xad\x9b\x34\x2c\x5d\x70\xae\x32\xfe\xf3\xfc\x64\x0e\xe1\x28\x81\x38\xda\x4e\x7a\xef\x89\xe3\x24\x2e\x3c\x4b\x53\x4d\xf9\x04\x92\x8d\xc4\x21\x9f\x74\xe9\xab\x62\xaa\xe9\x59\xc4\x2c\x9f\x4b\xc3\xa7\x1b\xa8\x3c\x9c\x90\x2a\x1d\xe6\x0e\x6e\x51\xe4\x99\x65\x55\xaf\xf5\x98\x9e\x35\xa2\x86\xf4\xa1\x03\x0f\x85\x8e\xdf\xc5\x02\x0e\xe4\x28\x0e\x72\x54\xeb\x4c\x2d\xe6\x3b\xd7\x3d\x6f\x2b\xe7\x98\x4d\x27\xc7\xfa\x17\xea\x39\x86\x0e\xeb\x82\x5b\x91\x2b\xa2\x97\xea\x17\x8d\xa5\x26\x62\xc7\x92\x2c\x52\x96\xfd\xac\x90\x31\xa1\x99\x82\x64\xbf\x07\x1a\x03\x74\x1a\x4b\xfb\xe9\xab\x43\x45\xf8\x2c\x0a\x67\x5c\x93\x6f\x5b\xd6\x8a\xa3\xd5\x62\x1a\xba\x90\x03\xdb\xcd\xdf\x81\x99\x66\xf1\x27\x26\x93\x09\x47\x3a\xd1\x46\x24\xbb\xff\x49\xf9\x52\xcb\x1a\x41\x30\x80\x18\xe9\xb3\xb4\xc4\x64\x64\xff\x4a\x3a\x49\xfc\xaa\x7e\xfe\xc8\xf8\xa4\xec\xe2\x95\xf1\xab\x79\xa0\xd0\x91\x1b\x3e\xa7\xa1\xf7\xf8\x25\x22\x19\x3e\xee\x1b\x17\x1e\x82\x7d\xf2\x3b\x40\xfd\x76\x5d\x99\x87\x10\x54\xdc\x08\xa7\x05\x32\xbf\xfa\x45\xc5\x08\xdb\x35\x90\x65\x04\xfb\xb1\xee\x48\x8c\xd9\x82\xe3\x3e\x0d\x88\x31\x37\x00\x2a\x44\xe8\xb0\x22\x37\x12\x7b\x07\x22\x00\xad\x96\x7f\xd3\x7d\x28\x8d\x32\xf5\x59\x9b\x39\x9d\x76\xdb\xa3\x6d\xfb\x67\x6b\xa4\x5c\xfe\x79\x3e\xd8\x42\x50\xf3\x1d\xd9\xc0\x10\x5d\x02\xe8\x8d\xd6\xb3\x56\x01\xc5\x01\xf0\x32\x67\x20\x54\x6a\x22\xde\x47\x36\x3b\x87\x69\x9f\xb4\xa1\xc0\x8b\xf1\x5f\x24\x4a\x6d\x3d\xdd\xef\x77\x06\xd3\x9e\xf0\x13\xf9\x55\xf0\x12\xb1\xd8\x18\x5a\x00\x4a\xcf\x8c\x33\x90\x04\xf1\xbe\x62\x8f\xa4\x01\x4b\xe2\x95\xa6\x67\x67\x04\xa7\xf0\x99\x7f\x22\x5f\x11\x56\x36\x8e\x06\x42\x88\x9b\xe3\x06\xf3\x39\xf7\xcd\xfb\x04\x40\xb2\xb9\x9d\x99\x88\x5c\x36\x35\x63\xdc\x58\xee\x4e\x14\xb2\x26\xfd\x90\xe4\x1e\x18\xb0\xbd\xb8\xd1\xfb\x37\xe0\xf9\x19\x13\xf0\x3d\xa2\x22\xc9\x8d\xf6\x47\x83\xab\x64\x86\xd0\x31\x19\xbc\xa2\x08\x0b\xef\x6a\x46\x73\xa9\x21\x68\xf1\x78\xce\xd4\xd7\x30\x3d\x0e\x58\x0a\xfe\x16\x32\x1e\xef\x24\x6b\x34\xa9\x21\x94\xc2\x46\x5b\x05\x7f\x3b\x63\xf6\x72\xd1\xdc\xfc\x11\x08\xc6\x91\xbf\xf9\x23\x63\xed\x8f\xa7\x24\x58\x29\x7e\xac\xd4\xb9\x12\x34\x9a\x46\x31\x95\xa6\x18\x6a\x0a\x48\x99\x70\x0d\xfa\x45\x85\x84\xb1\xbd\xb3\x43\xa9\x88\xc4\x35\x7a\x4d\x86\xff\xbc\x45\x0d\x4b\x90\x58\xa0\xc0\xc8\x91\x24\x8d\x6c\x71\x7e\x0e\xce\x95\x36\x92\x7c\xce\x4d\xfa\x71\xca\x13\x42\x70\xa9\x89\x19\x09\x2f\xf7\x67\x66\x1c\xf6\x57\xf9\x43\x2c\xc9\x09\x73\x6d\xea\x51\x13\x7e\x32\x27\xc0\xad\xba\x93\x90\x56\x80\x27\x11\x24\x35\x04\xd3\xe1\xff\x31\x3a\x23\x5d\x17\x46\xd2\x4c\xbf\x18\xf8\x3e\xad\xec\x6b\x03\x82\x39\x15\x40\xed\x24\x6b\xa8\xf9\x4f\x62\x1a\xf8\xb2\xa3\x66\xa7\x0d\xf1\x4e\xeb\xa4\xa6\xc2\x46\xb2\x2a\xab\xc2\x98\xd5\x1c\xb2\x89\x2f\x3d\x45\xfd\x57\x27\x21\x00\x38\xb6\xe8\xd1\x95\x02\x9e\x8a\x34\x54\xbc\xac\x1e\x16\x3c\xfb\x38\x71\xc1\x81\xfd\xc0\x69\x9e\x72\x2b\x77\x1f\xf5\x55\x20\xe8\x9f\x69\x48\x5f\xa8\xf4\x30\xfe\x2a\xc3\xb0\x0d\x4c\xe8\x88\x73\x25\x42\x4e\x9e\x5d\xd6\x40\x1f\x69\x9a\x37\x42\x01\x43\x1f\x39\x52\x0a\x8a\xfa\x32\x93\xdf\x4a\x41\x83\x73\x55\xfa\x00\xde\x61\x34\x1c\x98\x3e\x10\x7e\x28\x32\xa2\x31\x8f\x22\x10\xc5\x10\x2d\x62\xe0\xd7\xde\xe8\x47\x2b\x26\xeb\x4b\x89\x81\x99\xef\x5f\x2a\x70\xa3\x67\xd4\x03\x0b\x87\x66\x61\x73\xc5\x26\x31\x54\xbd\xfd\x5e\xd5\x72\xf9\x90\xbf\xce\xae\x68\x31\x42\x71\x80\x68\x21\x5c\xe2\x77\xab\x36\xe6\xde\xdd\xac\x97\x48\x62\xc0\x8a\x49\xb0\x86\xaf\x6c\x2a\xe5\xb4\xb9\x10\x6e\x0a\x8e\xf7\xe8\x27\xad\xca\x80\xfd\x66\x22\xb1\x34\x2a\x26\x61\x61\xbc\x5f\xd5\x78\xbd\x2e\x0d\x6e\x1f\xd8\x99\x9f\x57\xb5\x0a\xff\xba\x43\xc5\xc7\x57\xaa\x6c\xf9\xd4\x57\x3b\xe6\x5c\x06\x53\x3a\xd1\xf4\x97\x1a\x4f\x74\x4c\x4b\xee\x98\x48\x25\x09\x79\x5e\xdc\x82\x3c\x54\x8f\x10\x04\xf8\xc9\xa0\xf2\x3a\x03\x97\x83\x81\xce\x02\xab\xed\x8c\x34\x99\xf9\x08\x2c\x71\xc3\x89\x08\x84\xd2\xde\x99\x5f\x24\x45\x8e\x62\xa9\x69\xd8\x6b\x8a\x92\x20\xf4\xfe\xaf\x7f\xc1\xfa\x8a\x0e\x8e\x42\xce\xd7\x62\xd4\x7b\x52\xb0\x7b\x50\x4b\x43\xd1\x1f\x40\x25\xac\x1b\x30\x6e\x3a\x1d\x0b\x83\xd4\xff\x75\xa6\x46\xb3\xb3\x4f\x8c\x1a\x16\xdb\xce\xc0\xbc\xe8\x97\x55\xf8\xa0\x7a\xca\x9c\x27\x26\x2d\x8b\x01\x57\xf6\x37\xd4\x92\x03\xde\x1c\xfc\xb2\x30\x36\x41\x3e\x8d\x0b\xe6\x53\xc3\xa4\x26\xc2\x86\x50\xa7\xd2\xcd\x7e\xe2\x28\x99\xc1\xd0\xf8\xfb\x37\x68\xc8\x0d\x14\x16\x77\xe0\x72\x0a\x8e\xf6\x73\x98\xee\xbf\xad\x8f\x71\x50\xde\x0b\x99\xda\x75\x26\xee\xd6\xa3\x47\xd1\xc0\xfd\xdd\x06\x72\x30\x58\xa4\x9e\x58\x45\xc8\x17\x21\xcd\xca\xa8\x24\x39\xb1\x16\x83\xc5\xb6\xfd\x1a\x8c\x82\xc0\x75\xf0\x77\x73\xb2\x34\xd1\xf8\x1d\x9f\x0c\x80\xd6\x48\x2c\xd2\x1f\x34\xe5\xcf\x71\x58\xf6\x08\xd4\xca\xdf\xc1\x57\x9f\x1b\x68\x64\x5e\x1e\x50\x15\x69\x4e\xa8\x42\x07\xfa\x41\xa4\x30\x6b\xb6\x1a\x64\x87\x76\xb5\xa7\x14\x03\x62\x18\x24\x86\xc0\xf3\x5b\x19\x83\xcf\xdb\xa1\xd7\xc7\x58\x4e\x4c\x50\x97\xff\xb9\x8d\x12\xd3\xd0\xea\xa1\x69\xb3\x7a\xd8\xc7\x46\xd8\xb6\x96\xa7\x07\xe4\x5a\x3f\xf0\xf6\xb0\xc9\x31\x8d\x71\x29\xb6\xa4\x6c\x9f\x86\xde\x6e\xab\x4c\x89\xc3\x5b\x18\x5b\xc6\xc6\x93\x46\x4a\x27\x87\x81\x7b\xc3\xcd\xd8\xfe\x8c\xc6\xbc\x3d\x6f\xae\x79\x19\x8f\x87\xc7\x13\xe2\x11\xa0\xc5\x18\x75\x23\xea\x19\x4c\x08\xf9\x65\x7a\x38\xdc\xae\xb1\xeb\x73\x46\x17\xd5\x9b\xf6\xf8\xa1\xeb\x9d\x5f\xdc\x15\x5c\x96\x5a\x94\xc1\x08\xe6\xc0\x8b\x3b\x12\xee\x2b\x6e\xb3\xff\x0f\x08\xa6\xbc\x61\x17\x51\x39\xa6\x45\xfd\xf3\xb5\x1d\x4b\x70\xf8\x69\xc4\x29\xf9\x62\x2b\x78\x1a\x61\xff\x00\x53\x98\x4c\xdc\x94\xd0\x6e\x2e\xde\x17\x2a\xa8\x93\xdf\x4f\xb9\x13\xc7\x30\x79\xd1\xd6\xdb\xb0\x0a\x3e\x60\x7a\xc7\x2a\x58\x82\x00\x8d\x62\x60\x55\x32\x4b\xf3\xda\xc6\x6b\x41\x38\x94\x8b\xc7\x2a\x7d\x6d\x59\x9f\x5d\x37\xa2\x99\x9d\x7f\x5b\x79\xb6\x8e\x6b\xaa\x47\xeb\x94\xa6\x23\x40\x6d\x35\xd2\xcc\xbc\x2e\x05\x1e\x9d\xbf\xb5\x74\x8e\x62\xf5\x1d\xec\xff\x7d\x9b\x90\x1a\xc2\x70\x1b\x9e\x86\xa8\x17\xec\x00\x43\x64\x23\x4c\xf0\x76\xc4\xec\x62\xd5\x0d\x6f\x60\x85\xff\x37\x88\xeb\x10\xe2\x55\x4f\x36\x74\xfd\x61\x80\xb6\xf4\x34\x84\x04\x14\xc8\xcb\x15\x37\x38\x9c\xbf\x95\xe5\xa4\x15\x26\xbc\xf4\xde\x48\xab\xba\xc8\xec\xd1\x37\xf1\x0d\x4e\xd8\x99\x5b\x35\xa9\x91\xa9\x90\x17\x95\xe9\x50\x5d\xe0\xe2\xbb\x96\x72\x75\x1a\xc4\xe9\xd6\x52\x5c\x69\x48\xf8\x92\xff\xbf\x7d\x12\x58\x28\xb9\x4e\xe5\xa9\x24\x47\xe6\x77\xce\xd8\xa6\x81\xa2\xf3\x6e\xa6\xaa\x9f\x38\xba\x6f\x46\x24\xb0\x35\xbf\x3b\x87\x04\x95\x07\x37\x47\xa0\xef\xb7\x4e\x92\x71\x88\xa7\xba\x16\x4a\xa1\x31\xf9\x45\x16\xd4\x8b\x5b\x57\x38\xb2\x62\x94\x0b\xc6\x85\x22\xa0\xd1\x4e\xba\xab\x16\x74\x48\xfd\xf9\xd8\xd1\xbf\xce\x14\x4f\x8c\x6d\xae\x28\xaa\x55\x8d\x57\xc5\x34\x10\xcb\x23\x5d\x7c\x76\xdf\x41\x53\x31\xd0\xc7\x0d\xaf\x43\x0e\x1d\x7d\x76\x79\x5a\x8f\xc4\x3f\x1b\x6d\x47\xa9\xf5\xef\x1a\x9d\x4d\xbb\xe9\x0b\x61\x09\xa9\x52\x16\x2e\x2a\x97\x59\x6f\x0a\x61\xab\x94\x72\xf1\x96\x01\x75\x39\x3d\x5f\x2c\x94\xe2\xee\xfd\xa7\x23\xaa\xc8\xc8\xe0\x94\xc3\xae\x8c\x17\xd5\x33\xb5\x1b\xc9\x06\xef\xcb\xe8\xbf\x61\xc8\x61\x66\x9d\xca\xe4\xb7\xa9\x67\x9e\xd5\x62\x73\x3c\x7a\xe9\x7c\x61\x8f\x30\xd5\x75\x76\xab\x3b\x1f\xe2\xda\x72\xef\x43\xf4\xd4\xaa\xad\x88\x13\x69\x6a\xd4\x85\x20\xc1\x1d\x0b\x02\x7c\x81\xed\x84\xc0\x7e\x8b\x1a\x12\x2f\x5d\x15\x08\x70\x2e\xd8\x31\x33\xb2\x7f\x44\x50\x76\x9a\x30\x08\x5e\x37\x2b\x99\x4b\x68\x82\x67\xa3\xae\xf2\x8c\xf9\xe9\xa0\x8b\xae\x19\xb4\xb7\x95\x48\x2a\xff\x78\x0b\x25\x2b\xf8\xa3\xef\x4f\x5c\x9f\x20\xae\xbe\xa6\x8e\x3c\x28\xa9\xd7\xc9\xe5\x9a\x95\xe9\x83\xa1\xd4\x96\xda\xeb\x63\xa8\x26\x8b\x73\x76\xe3\x94\x2a\xb2\x12\x66\xee\x37\x4e\x3b\x01\x60\x72\x28\xb2\x75\x09\xe3\xad\x89\xe8\x1d\xf4\xef\xd2\x43\x85\xdf\x15\xa9\x67\xe5\x30\xcc\x4c\xdc\x8d\xbd\x21\xe4\xf1\x1e\xc8\xc8\x7a\xc9\xc5\x4a\x5d\xda\x96\xc8\xd3\x6e\x9b\xd0\x06\xc4\xc5\x49\x19\xd6\xbc\x56\xb0\xc8\x2b\x5c\xcf\xb8\x29\xcf\xa9\xb9\x89\x68\x86\xfd\x78\x3e\x2a\x76\xee\x65\x57\x06\x6b\xd7\xf3\x01\xe6\xff\x17\x27\xf5\xc3\x0f\x98\xee\xc0\x52\xd2\x36\xda\xc5\xf5\x71\xf1\xea\x9a\xc2\x15\xd2\x2f\x9b\xc3\xc1\x05\x27\x50\xb6\x89\x18\x81\xf4\x5c\xf3\x27\x5d\xee\xb0\xe4\xc0\x59\x2a\x80\xb7\xf5\x41\x41\x61\x55\xc3\xc7\xf3\xfc\x2f\xab\x83\x2e\x09\x16\x9b\x08\xc8\x41\x14\xf9\xce\xe8\xcf\x33\xad\x18\x45\xd9\x9f\x3d\x54\x28\x7e\xaf\x9f\x1b\x96\x41\x2f\x36\xa9\xd7\x0a\x57\xec\x7e\x4b\x11\x21\x19\x40\xa2\xf8\x4e\xe1\x80\x38\xfe\x2f\xdb\xb0\x99\x8b\xf1\x49\x4d\xd1\x38\x28\x5c\x3c\x76\xdd\x95\x2b\xab\x27\xa2\x5d\x38\xca\x58\x74\x12\x0e\x77\x8b\x31\x72\x8b\x9b\x91\x6e\x04\xee\x0a\x46\x8c\x7f\x2f\xff\x5a\xb0\xfd\xb8\xb7\x1a\x71\xd6\x58\x4a\x7d\x3c\x74\xe1\x3e\xcf\x94\xbd\xc4\xe2\x41\xa3\x4b\x8d\xa5\xcd\xcb\xf9\xb2\x81\xc0\xe7\xa9\x1f\x75\x3d\xba\xca\xa8\x50\x3e\x95\x2f\x1e\xbc\xf7\xe5\x9d\xcd\x3a\xf2\xba\xff\xe6\x51\x66\xed\x82\xd1\x02\x03\xf2\x6e\xd2\x21\x33\x16\x75\x71\x24\x74\x35\xef\xbd\x98\xa0\x6a\xbb\xe9\x6f\x6f\xe9\x96\x94\x05\x0f\xf8\x1f\xd0\x90\x41\x4b\xc9\xde\x21\x0e\x03\xf7\x9f\x80\x79\xef\x40\x40\xd1\x89\xbf\x03\x2a\x99\x7f\x43\x8e\x13\xb5\xd2\x46\x9e\x09\x69\x00\xe2\xb9\x86\x09\x9f\xe8\x75\xaf\x6e\x26\x0c\x37\xbe\x4c\xaa\x08\x9a\x94\x0a\xc0\x7e\x58\x49\xeb\xc0\x27\xbc\xf2\x89\xf6\x15\xf3\x73\x13\x05\x8f\x61\x35\xaf\x25\xf8\x25\xfc\x5f\x28\xce\x77\xa7\xf7\x31\x50\xd0\x06\xa0\x70\x31\x0f\x9c\xf2\x1f\xc5\x20\x7b\xc4\x00\xa6\x69\xd1\xeb\x66\x10\xfd\x12\x67\x8c\x1d\x23\xa7\x84\x34\xaf\x46\xbf\x7f\x25\xd8\x58\xf5\x6e\xc4\x19\x98\xd4\xb1\x7a\x96\x46\x14\xf2\xb5\xdd\xef\x2f\x10\x23\x15\x35\x53\xc8\x35\xcb\x7b\x82\x4a\x53\x11\xae\x38\xd6\xf2\x40\xf4\x1f\x45\x33\x00\x0e\x9b\xde\xd8\x22\x47\xb9\x04\x43\xe4\xed\x02\xdc\xad\xab\x7d\x6c\xe1\xf4\x32\xfe\x1a\x37\x2c\xb8\x13\xc3\x1a\xd1\x3e\xd8\xdc\x8e\xe1\x5b\xc6\xfe\x29\xf9\xa1\xbc\x5b\xaf\xcf\xf4\x40\x56\xac\xbc\xbc\x7e\xff\xfe\xac\x32\xc5\x10\x5d\x43\x50\x7d\x9c\xf2\xf5\x42\x9c\xa7\x18\x97\xc1\x6b\xe9\x71\x96\xb6\xda\x7d\x69\x19\x9b\x09\xfc\x36\xad\xd0\x7b\x0e\x18\x9a\xca\xc5\x23\x66\xd1\x10\x44\x22\xf3\x96\x4c\xd5\xc8\x14\x92\xb2\x55\x0a\x7f\x7f\x17\xa6\xe3\x8f\xf9\xbc\xf3\xe9\x72\x55\x52\x97\xf1\x97\x21\x52\x93\xe0\xdd\x78\x8f\x0d\x8a\x1f\x76\x52\x4c\xf5\x4c\x72\xc0\x3e\xba\x64\x92\xf9\x3b\x43\x68\x99\x9b\xb3\x07\xcd\xa5\x7b\xbb\x03\x9a\xf5\xe0\x31\x9c\x27\x62\x5c\x85\x89\x44\xa2\xa7\xc5\x56\xf0\x90\x61\x24\xc6\x1c\xb7\x38\x5d\x1f\x65\x1d\x8c\x5f\xee\x23\x81\xcc\x17\x51\x9d\x20\x60\x80\x99\xd6\xce\x7e\xdf\x9b\xa8\xfd\x02\x49\x26\x30\xf8\x6e\xc6\xe7\xa6\x81\xf8\xe0\x29\x20\x95\x01\x28\xdf\xef\x59\x81\x4a\x29\x21\x37\xaa\x1a\xe7\xee\x2b\x25\x0a\x87\xda\x9d\xfb\x01\x31\x20\x5f\x96\xe6\x12\xd1\x17\x8d\xff\xd4\xf9\xf5\xad\xf3\xb6\x82\x70\xc4\x8c\xb4\x67\x72\x00\xca\xee\x70\x9f\xa3\x73\x3c\x17\xa9\xa3\xa7\x1a\x36\x41\x88\xec\x12\x17\x9a\x1a\x22\x86\x4b\xba\xc0\x09\x72\xe1\x9e\x35\xce\x6e\xe8\x4a\x6d\xf1\xdc\x95\xc5\x5b\xda\xf3\x7c\xe0\x3f\xcc\xf1\xf0\x9e\xdb\xe7\xce\x23\x1b\x06\x46\x47\xae\xc7\x4c\xd0\xe4\x5a\x22\x4d\xd4\x21\xe6\xa9\x47\x19\x98\xa0\xd4\x71\x70\x0c\xd4\x7a\x61\xfd\xc7\x28\x65\x18\xfa\x88\x9f\xf8\x07\x7c\x39\x50\xab\x0e\x72\x4a\xc8\x7d\xdb\x80\x43\xe6\x9c\x6d\x71\xd2\xc0\xb6\x07\xe4\x27\x6f\x19\xec\xc0\x23\x63\x34\x89\x5d\xc5\xb5\xa6\x6b\x32\x3c\xfb\xb7\x66\xd5\xdc\x1c\x3c\x30\x1c\x0e\xbe\x2b\x47\x17\x5b\xf0\x19\x2f\x3e\x2c\xc0\x25\x0c\xcb\x80\x7c\x0d\x46\x6b\x8b\x0a\x85\x28\x01\xbc\xf1\x2c\x27\x0e\x2a\xcf\xee\x34\xc7\xcd\x17\x6e\xf9\xb3\x8b\x3d\x59\x5c\x00\x89\x80\xf4\x56\x5d\x02\x02\x3c\x40\x73\x20\x83\xff\x6e\x9d\x70\x0d\x58\x23\x27\xe0\x64\xab\x33\x56\x11\x0c\xf3\x50\x7a\x43\xa0\x53\x8f\x30\xda\x27\x4c\xf0\x45\x6a\x6e\x8f\x98\x47\xa2\x39\xe7\x2b\x99\x62\x1c\xde\x34\xe1\xb6\x02\x63\xd3\xae\x53\xe2\xfd\x10\xd1\xb3\xef\x75\x44\x26\xee\xf7\x1b\xc1\xf7\x0f\xb2\xfb\x34\x21\xc4\x24\x9b\xad\xb3\xc1\x95\x92\x55\xd8\xa4\x0f\x66\xe1\x90\x64\xc4\xee\x01\x18\x50\x0d\x78\x05\x9c\x52\x86\xff\x7a\xa3\xb8\x3e\xc9\x0b\x7f\x6a\x06\xc9\xf2\x06\x76\x8e\xc3\xdc\xac\x63\x05\xc5\x8d\x10\x5c\xa2\xee\xe5\x32\xbe\x2f\xfb\x02\x13\xb3\x11\x3a\x97\x58\xe6\x81\xc8\x91\x01\xd9\xfb\x08\xbb\x4c\x63\x41\xf4\x66\x19\xaa\x56\xb5\x77\x79\xf7\xb9\x2a\x10\x17\x5e\x4e\xff\xa4\xd6\x11\x96\x67\x69\x94\x2a\x05\x97\x70\x7c\x64\x21\x36\x64\x9a\xbb\xb3\x5d\xd2\xc8\xf8\x34\x70\xfc\xb9\x58\xc4\x3f\xd6\x3e\x0d\x2c\x17\xcf\x1f\xf0\x07\x5c\xc4\x61\xd8\x30\x42\x9a\x3e\x08\xe4\x71\xce\x12\x7e\xcc\xc3\x27\x56\xec\xb3\x00\xcd\x86\xd0\x09\xbc\x96\xda\xc0\x15\xc7\xb6\x29\xde\xc2\x79\xa4\xa4\x50\xed\x24\x22\xc2\x3c\x6b\x31\x1e\x66\x3a\x0a\x90\xe1\xaa\x20\x4e\xbd\x0b\xbc\x71\x03\xe3\x18\x79\xb0\x4a\x47\x74\x58\x8e\xd8\x65\xb8\xa5\x51\x01\x7d\x4e\x85\xe7\x30\xb2\x00\xda\xfd\x7f\x4b\x5e\x7e\xb4\x8f\x35\xa7\x33\x4d\xcb\x74\x43\xc0\xe8\xa3\x4c\x38\x13\x0b\x53\x4a\x3c\x2e\xc7\x5d\x36\x89\x7e\x3a\xb9\x6b\xfa\xa4\x0a\x99\x05\x44\x73\x5e\x35\x97\xcf\xa6\xad\xa2\x45\x53\x14\xa7\x21\xe5\x33\x34\xc8\x4c\x73\x62\x45\xfb\x2d\x4d\x98\x63\x10\x35\x73\x4c\x0d\x69\x2b\xb6\x95\xbc\x5d\xc7\xff\xf6\x8e\x71\xe6\xc6\x72\x1b\x01\xa2\x83\xa7\x98\x4b\x55\xa8\x8b\x3e\x73\x0c\xee\x64\xb9\xe9\xe6\x34\x3e\xa3\xc1\x8f\x42\x7c\x01\x84\xcb\x44\x90\x46\x89\x01\xe8\xac\x07\xe8\x8a\x0e\x68\xf2\x8c\x1d\xb6\x40\x6d\x09\x85\x3b\xd3\xe0\x97\xda\x56\xc1\xff\x58\x1e\x93\x2d\xfa\xb3\xfd\x2a\x76\xe9\x1a\xc6\x5c\x5c\x51\x27\x73\x06\x0b\xa4\xcc\x3e\xea\x4c\x6b\xa4\x56\x76\x51\x78\xb8\xad\xbc\x75\x14\xb0\xc9\xab\x48\x62\x1b\xbd\x0d\x31\x47\x1d\x15\x67\x9e\xcf\xa9\x94\x46\x32\x53\x90\x6e\x60\xee\x8d\xb9\xe8\xab\x1f\xa1\x35\x97\x62\xc0\x2d\x61\xca\x4e\xf8\x6e\xd5\x91\x62\x60\x0d\xce\x33\x62\x2e\x6e\x88\x16\xee\x18\x6b\x00\xa3\x06\x22\x08\x9e\x90\x39\xfb\xc1\x97\xc5\xd1\x90\x67\xaa\xcb\xdf\xd4\x37\x6c\x75\x3f\x66\xf0\xb2\xa6\x95\x89\x90\xcc\x8d\x81\x6e\x3e\xae\x6b\x94\xa6\x5b\xfa\x17\x36\xed\x98\x7a\x9d\xab\x75\xb5\x41\x72\xb3\xc9\xd9\xba\xae\x4c\xf2\x29\x75\x39\xd0\xfc\x7f\x72\x4b\x59\x96\x4b\x6b\x50\x4c\x52\x28\x64\xae\x30\x47\xf2\x61\x44\xfc\xdf\x29\xee\x2d\xa8\xb0\xde\x86\xc7\x35\x2b\x20\x54\xd0\xa5\xd5\xa4\x97\x8a\x25\x60\xd9\x80\xee\x75\x1d\x28\xc4\xc7\x50\x0a\x7e\x46\xc6\x97\x85\x14\xf0\x3c\xf8\xdf\x75\x5e\xba\xbd\x3a\x89\xaf\x41\xfa\x67\x34\xdd\x6d\xf5\x75\x6f\xc1\x13\x0d\xcc\xe4\x44\x0f\x57\xb0\x04\x87\xa2\xef\x7c\xe7\x06\x87\x55\x3b\xfd\x1d\xce\xcb\x0c\x25\xbc\x1c\xb4\x21\xb0\x0b\x19\x12\x18\xec\x1d\x63\x45\x5c\xc8\x58\xda\x4f\x66\x97\x99\xca\x4d\x39\xfc\xa4\x1a\xa1\x58\x90\x68\xdb\xbb\x2e\x3c\xf9\x11\x1a\x5b\x02\xc7\xf9\xcf\xaa\x1b\x04\x62\xd4\x5b\x9c\xa1\xa7\xd3\xdf\xc5\xad\x5c\x15\x2c\xf8\xa4\x89\x2e\x9f\xde\xf9\x9f\xa8\xa4\x9d\x02\x7f\xb6\xd1\x63\xc6\x08\x37\x0f\x9d\x22\x98\x98\xee\xc2\x72\xd8\x8c\xb0\xc9\xf3\xcf\x80\x6b\xf8\xcb\xf4\x37\xd4\xca\xd3\xab\xd2\xa9\x4d\x53\xb3\x26\xb3\x00\xd9\xeb\x01\xd2\x00\x35\xb4\x19\x5b\x05\xa7\xcf\x75\xd7\xe3\xaf\xf4\x27\x74\xd2\x03\xc8\xc9\xe3\xe9\x2f\xc8\x98\xb0\xff\x50\x81\xbc\x7b\x2e\xbb\xfc\x48\xad\x18\x03\x01\x00\x00\xff\xff\x8b\xe0\xeb\xc3", 4112); syz_mount_image(/*fs=*/0x200000016bc0, /*dir=*/0x200000016c00, /*flags=MS_SLAVE|MS_REMOUNT|MS_NOEXEC|MS_NODIRATIME*/0x80828, /*opts=*/0x200000016c40, /*chdir=*/0, /*size=*/0x1010, /*img=*/0x200000016cc0); break; case 57: memcpy((void*)0x200000017d00, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000017d00, /*id=*/9, /*flags=__O_TMPFILE|O_NOCTTY|O_EXCL|O_DIRECT|O_CLOEXEC|0x400*/0x484580); break; case 58: res = syscall(__NR_getpgid, /*pid=*/r[16]); if (res != -1) r[42] = res; break; case 59: memcpy((void*)0x200000017d40, "net/if_inet6\000", 13); syz_open_procfs(/*pid=*/r[42], /*file=*/0x200000017d40); break; case 60: syz_open_pts(/*fd=*/r[33], /*flags=O_PATH|O_NONBLOCK|O_LARGEFILE*/0x208800); break; case 61: syz_pidfd_open(/*pid=*/r[19], /*flags=*/0); break; case 62: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[43] = res; break; case 63: syz_pkey_set(/*key=*/r[43], /*val=PKEY_DISABLE_ACCESS*/1); break; case 64: memcpy((void*)0x200000017d80, "\x78\x9c\x00\x93\x00\x6c\xff\xa4\x51\x5c\x20\x6d\xec\x63\x25\x4e\xaf\x44\xc2\x33\xe0\x2f\x98\x97\x92\x6a\x17\x55\xe9\x12\xa6\x87\xbb\x89\xb1\xfa\xa0\x5f\xf9\x0f\xf6\x40\x2b\xc5\xe9\x75\x6f\x02\x03\x9a\xe3\xb9\x2c\xdc\xbc\x20\x3e\xfb\x43\x79\x97\x11\x96\x1f\x15\xf1\xa9\x29\x78\x2c\xb9\x86\xa7\x76\xe7\xb0\xfe\x60\x61\xbd\x20\x65\xdc\xa6\x1f\x00\xc5\x5b\xc5\x43\x7b\x98\x0f\xfc\x36\x79\x9e\x29\x87\x3d\xb9\x38\x2c\xdb\x1c\x64\x53\x5e\x09\xdb\x7a\xcd\xc3\x61\xf2\x2f\xd3\xb1\xd5\x64\x09\x9d\x55\xe5\xeb\xb0\x07\x85\x92\xcd\x5e\x96\xc5\xdf\xe6\x1b\x08\x36\x81\x36\x77\xf3\xce\xd9\x1b\x16\x07\xe4\x38\x9b\x94\x8b\x98\x40\x01\x00\x00\xff\xff\xda\x37\x48\x83", 163); syz_read_part_table(/*size=*/0xa3, /*img=*/0x200000017d80); break; case 65: syz_socket_connect_nvme_tcp(); break; case 66: *(uint8_t*)0x200000017e40 = 0x12; *(uint8_t*)0x200000017e41 = 1; *(uint16_t*)0x200000017e42 = 0x200; *(uint8_t*)0x200000017e44 = 0x8d; *(uint8_t*)0x200000017e45 = 0xd8; *(uint8_t*)0x200000017e46 = 0x82; *(uint8_t*)0x200000017e47 = 0x10; *(uint16_t*)0x200000017e48 = 0x1bbb; *(uint16_t*)0x200000017e4a = 0x203; *(uint16_t*)0x200000017e4c = 0xa779; *(uint8_t*)0x200000017e4e = 1; *(uint8_t*)0x200000017e4f = 2; *(uint8_t*)0x200000017e50 = 3; *(uint8_t*)0x200000017e51 = 1; *(uint8_t*)0x200000017e52 = 9; *(uint8_t*)0x200000017e53 = 2; *(uint16_t*)0x200000017e54 = 0x733; *(uint8_t*)0x200000017e56 = 3; *(uint8_t*)0x200000017e57 = 0xb; *(uint8_t*)0x200000017e58 = 1; *(uint8_t*)0x200000017e59 = 0x80; *(uint8_t*)0x200000017e5a = 1; *(uint8_t*)0x200000017e5b = 9; *(uint8_t*)0x200000017e5c = 4; *(uint8_t*)0x200000017e5d = 2; *(uint8_t*)0x200000017e5e = 5; *(uint8_t*)0x200000017e5f = 0; *(uint8_t*)0x200000017e60 = 0xf; *(uint8_t*)0x200000017e61 = 0xcd; *(uint8_t*)0x200000017e62 = 0x1f; *(uint8_t*)0x200000017e63 = 0xf3; *(uint8_t*)0x200000017e64 = 6; *(uint8_t*)0x200000017e65 = 0x24; *(uint8_t*)0x200000017e66 = 6; *(uint8_t*)0x200000017e67 = 0; *(uint8_t*)0x200000017e68 = 1; memset((void*)0x200000017e69, 60, 1); *(uint8_t*)0x200000017e6a = 5; *(uint8_t*)0x200000017e6b = 0x24; *(uint8_t*)0x200000017e6c = 0; *(uint16_t*)0x200000017e6d = 0x80; *(uint8_t*)0x200000017e6f = 0xd; *(uint8_t*)0x200000017e70 = 0x24; *(uint8_t*)0x200000017e71 = 0xf; *(uint8_t*)0x200000017e72 = 1; *(uint32_t*)0x200000017e73 = 2; *(uint16_t*)0x200000017e77 = 8; *(uint16_t*)0x200000017e79 = 3; *(uint8_t*)0x200000017e7b = 1; *(uint8_t*)0x200000017e7c = 6; *(uint8_t*)0x200000017e7d = 0x24; *(uint8_t*)0x200000017e7e = 0x1a; *(uint16_t*)0x200000017e7f = 7; *(uint8_t*)0x200000017e81 = 6; *(uint8_t*)0x200000017e82 = 8; *(uint8_t*)0x200000017e83 = 0x24; *(uint8_t*)0x200000017e84 = 0x1c; *(uint16_t*)0x200000017e85 = 0xc; *(uint8_t*)0x200000017e87 = 6; *(uint16_t*)0x200000017e88 = 0x122; *(uint8_t*)0x200000017e8a = 0x12; *(uint8_t*)0x200000017e8b = 0x24; *(uint8_t*)0x200000017e8c = 7; *(uint8_t*)0x200000017e8d = 0x8b; *(uint16_t*)0x200000017e8e = 7; *(uint16_t*)0x200000017e90 = 0xfff9; *(uint16_t*)0x200000017e92 = 5; *(uint16_t*)0x200000017e94 = 3; *(uint16_t*)0x200000017e96 = 0xad97; *(uint16_t*)0x200000017e98 = 3; *(uint16_t*)0x200000017e9a = 0; *(uint8_t*)0x200000017e9c = 0xac; *(uint8_t*)0x200000017e9d = 0x24; *(uint8_t*)0x200000017e9e = 0x13; *(uint8_t*)0x200000017e9f = 0xb; memcpy((void*)0x200000017ea0, "\x78\x4f\x7b\xf4\x55\x93\xf2\x14\x5d\x18\xe4\x9b\xc5\x2e\xdb\x01\x14\x22\x49\x1e\xba\x8f\xc4\x0e\xbe\xd3\x4d\x5d\x81\x30\x4d\xa0\xa3\x55\x65\xec\x20\x36\x11\x7b\xec\x4b\x01\xef\x8f\x75\xc9\xd5\x4e\x74\xb4\x53\x16\xd0\xe1\x67\x2a\x97\xb6\x31\x72\x9b\xcb\x7d\xc9\x9b\xde\x68\x28\x91\xbd\x59\x54\xd9\x45\xf4\x12\x97\x9e\xca\xe7\xee\x08\x6c\x36\x50\xd3\xf9\x76\xa9\x90\xed\xea\x93\x2d\xc3\x08\x5d\x9c\x08\xf2\x0b\xad\xce\xbf\x87\xa9\x7b\xa3\x61\x51\x78\x8d\xaa\x2e\x6b\xe4\x56\x75\x38\x01\x39\xcb\x89\xa1\x7f\x95\xa6\x5c\x87\xa2\x72\xb1\x83\x87\x36\x60\xc9\xb6\x3c\xee\x55\xc4\x3a\xe5\xdf\x58\xb4\x5f\xbe\x08\xf0\x0a\x86\xc6\xb1\xdf\xbd\x51\x7b\x7d\xcd\xca\x1c\x6c\x75\xcd\x37", 168); *(uint8_t*)0x200000017f48 = 6; *(uint8_t*)0x200000017f49 = 0x24; *(uint8_t*)0x200000017f4a = 7; *(uint8_t*)0x200000017f4b = 1; *(uint16_t*)0x200000017f4c = 0xa; *(uint8_t*)0x200000017f4e = 9; *(uint8_t*)0x200000017f4f = 0x21; *(uint16_t*)0x200000017f50 = 0x9a; *(uint8_t*)0x200000017f52 = 8; *(uint8_t*)0x200000017f53 = 1; *(uint8_t*)0x200000017f54 = 0x22; *(uint16_t*)0x200000017f55 = 0x373; *(uint8_t*)0x200000017f57 = 9; *(uint8_t*)0x200000017f58 = 4; *(uint8_t*)0x200000017f59 = 0xb8; *(uint8_t*)0x200000017f5a = 0xc; *(uint8_t*)0x200000017f5b = 0xf; *(uint8_t*)0x200000017f5c = 0xc3; *(uint8_t*)0x200000017f5d = 0x47; *(uint8_t*)0x200000017f5e = 0xe8; *(uint8_t*)0x200000017f5f = 0x7f; *(uint8_t*)0x200000017f60 = 9; *(uint8_t*)0x200000017f61 = 5; *(uint8_t*)0x200000017f62 = 0x80; *(uint8_t*)0x200000017f63 = 2; *(uint16_t*)0x200000017f64 = 0x410; *(uint8_t*)0x200000017f66 = 0xd9; *(uint8_t*)0x200000017f67 = 0xf6; *(uint8_t*)0x200000017f68 = 0xe; *(uint8_t*)0x200000017f69 = 7; *(uint8_t*)0x200000017f6a = 0x25; *(uint8_t*)0x200000017f6b = 1; *(uint8_t*)0x200000017f6c = 0xc; *(uint8_t*)0x200000017f6d = 5; *(uint16_t*)0x200000017f6e = 2; *(uint8_t*)0x200000017f70 = 9; *(uint8_t*)0x200000017f71 = 5; *(uint8_t*)0x200000017f72 = 0xc; *(uint8_t*)0x200000017f73 = 0; *(uint16_t*)0x200000017f74 = 0x40; *(uint8_t*)0x200000017f76 = 2; *(uint8_t*)0x200000017f77 = 2; *(uint8_t*)0x200000017f78 = 6; *(uint8_t*)0x200000017f79 = 9; *(uint8_t*)0x200000017f7a = 5; *(uint8_t*)0x200000017f7b = 0xb; *(uint8_t*)0x200000017f7c = 3; *(uint16_t*)0x200000017f7d = 0x7b4d; *(uint8_t*)0x200000017f7f = 6; *(uint8_t*)0x200000017f80 = 8; *(uint8_t*)0x200000017f81 = 5; *(uint8_t*)0x200000017f82 = 0x82; *(uint8_t*)0x200000017f83 = 0x11; memcpy((void*)0x200000017f84, "\x45\x83\x6f\x6c\x3f\x51\x25\x72\x5e\xd5\xb9\x6b\x96\xb2\x91\x1a\xdb\x85\x37\x0c\xeb\x59\x89\x89\x4b\xd8\x34\x17\xee\x42\x27\x6c\xe8\x0f\xe7\x34\xdb\x8d\x2d\x94\xf2\xfe\x8c\x75\xbf\xd0\x42\xfb\x63\x2c\xfa\x5d\x52\x54\xf9\xb0\xfa\xdc\x88\x5d\x62\x8a\x0d\xc9\x2e\x27\x4c\x02\xcd\x3b\xe0\x42\x1b\x60\x8e\x2c\x53\x8d\xe2\x0b\x20\x8e\xaa\xea\x7b\x51\xdc\x13\xbd\xf7\xf2\xe0\x0a\x6c\xbd\x30\x30\xdf\x9b\xac\xa6\x67\xe6\xcc\xc4\x2b\xdc\x2f\x5d\x82\x2a\x3f\xc2\x98\xb0\x60\xda\x91\x26\x5d\xd0\x15\x83\x22\x1a\x09\x89\x9f", 128); *(uint8_t*)0x200000018004 = 9; *(uint8_t*)0x200000018005 = 5; *(uint8_t*)0x200000018006 = 1; *(uint8_t*)0x200000018007 = 0x10; *(uint16_t*)0x200000018008 = 8; *(uint8_t*)0x20000001800a = 4; *(uint8_t*)0x20000001800b = 1; *(uint8_t*)0x20000001800c = 0xfc; *(uint8_t*)0x20000001800d = 9; *(uint8_t*)0x20000001800e = 5; *(uint8_t*)0x20000001800f = 5; *(uint8_t*)0x200000018010 = 0; *(uint16_t*)0x200000018011 = 0x3ff; *(uint8_t*)0x200000018013 = 0xd7; *(uint8_t*)0x200000018014 = 0; *(uint8_t*)0x200000018015 = 0; *(uint8_t*)0x200000018016 = 0xf6; *(uint8_t*)0x200000018017 = 0x22; memcpy((void*)0x200000018018, "\x67\x43\x9d\x73\x1f\x50\x70\x17\xa6\x2a\xb8\x9e\xb7\x11\x8e\x31\x5a\xab\x47\xbc\xe0\x0c\xfe\x09\x2f\x9b\x6b\x65\x27\x81\x2c\x05\x1d\x98\x78\x9a\x34\x1c\xd8\x57\x9c\x0c\x0f\x64\xf3\x53\xfa\xa6\x41\x37\x28\x67\x64\x0b\x73\x3b\xac\x8b\x88\x00\xb7\xba\xf1\x06\xd0\x3b\x36\xb9\x34\xeb\xf2\x4e\x84\xf5\x54\xe1\x48\x9e\x48\x41\x65\x47\xbb\x7c\x90\x48\x2f\xa4\x70\x64\x67\x39\x07\x68\x59\x8b\xfd\xde\xee\x37\xf9\x6a\x28\x6a\x2f\x72\x6e\xd8\x9e\x5c\xfe\xb0\xdc\xa1\x49\x45\x14\x5d\x57\x27\xfb\xd9\xb2\x94\x9f\x95\x28\xd0\x1e\x94\x8e\x63\x05\x19\x1b\xbb\xdf\xe6\x0f\x22\x3a\xe3\xa1\x98\x23\xce\x4a\x87\x97\xdf\x00\x4c\x04\x8b\x9c\x0d\x79\x3d\x17\x3e\x5a\x39\xaf\xc5\xea\xfe\x8e\xd8\x2b\x45\xd9\xac\x82\xfd\xfd\x1e\xf5\x90\xfa\x30\x0f\x32\xa4\x96\x84\x63\x0a\x4b\x39\x2f\xf5\x80\xee\xae\xff\x43\xc6\x07\xa9\x51\x69\x52\x55\x30\xc2\x4b\x18\x9d\xee\x91\x3c\xf7\xb9\xe1\xc1\xba\xfb\x11\x77\x1b\x05\xc7\x84\x72\x0c\x28\xeb\x00\x1a\xd2\x18\xd0\xa9\x2c\x1e\x32\x07\x16\x06\x73\x4e\xd9\x56\xb6", 244); *(uint8_t*)0x20000001810c = 7; *(uint8_t*)0x20000001810d = 0x25; *(uint8_t*)0x20000001810e = 1; *(uint8_t*)0x20000001810f = 4; *(uint8_t*)0x200000018110 = 3; *(uint16_t*)0x200000018111 = 0xd57d; *(uint8_t*)0x200000018113 = 9; *(uint8_t*)0x200000018114 = 5; *(uint8_t*)0x200000018115 = 1; *(uint8_t*)0x200000018116 = 0; *(uint16_t*)0x200000018117 = 0x400; *(uint8_t*)0x200000018119 = 0x93; *(uint8_t*)0x20000001811a = -1; *(uint8_t*)0x20000001811b = 0x5e; *(uint8_t*)0x20000001811c = 0x9f; *(uint8_t*)0x20000001811d = 0x22; memcpy((void*)0x20000001811e, "\xfa\xae\x6b\x7b\x5c\xb6\x0b\xaa\xbd\xbe\x69\xda\x80\xd6\x30\x6c\xc5\xc4\x8a\x7e\xee\xdd\x7a\x47\xa9\x2b\x69\x3f\x17\x79\x43\x85\xe5\xdf\x43\x42\x8f\xf8\x61\xb3\x89\xff\xfa\x4e\x90\x3a\x47\xcb\xec\x60\xc7\x94\xd7\x8a\x72\x87\xaf\xfd\x41\x62\x73\xfa\xe9\x78\xb7\x31\x3e\xbd\x0b\x4b\xa9\x0d\x2c\x47\xc1\xa1\xa6\x6f\x6a\x69\x8d\xca\xd6\x7c\x6b\x40\xc4\x82\xa0\x9d\x3b\x92\xc0\x54\x22\xf1\xee\xed\x15\x8b\xe3\x73\xe6\x62\x3f\x40\xf8\x2b\x25\x69\x7f\x8f\x79\x34\xc6\x0a\x81\xa4\x03\xf2\x2d\x91\x91\x66\xe0\x11\xd3\x1a\x64\x97\xa0\xc7\xa5\x12\xe4\xdd\xd8\x41\xb5\x44\x14\x54\xc1\xe1\x5d\x8a\x2a\xb3\xe7\x8f\x86\xa5\xcf\x03\xe7\x92\xe7", 157); *(uint8_t*)0x2000000181bb = 7; *(uint8_t*)0x2000000181bc = 0x25; *(uint8_t*)0x2000000181bd = 1; *(uint8_t*)0x2000000181be = 0xc; *(uint8_t*)0x2000000181bf = 1; *(uint16_t*)0x2000000181c0 = 9; *(uint8_t*)0x2000000181c2 = 9; *(uint8_t*)0x2000000181c3 = 5; *(uint8_t*)0x2000000181c4 = 3; *(uint8_t*)0x2000000181c5 = 0xc; *(uint16_t*)0x2000000181c6 = 0x10; *(uint8_t*)0x2000000181c8 = 0xb; *(uint8_t*)0x2000000181c9 = 3; *(uint8_t*)0x2000000181ca = 2; *(uint8_t*)0x2000000181cb = 0xb1; *(uint8_t*)0x2000000181cc = 0; memcpy((void*)0x2000000181cd, "\x33\xe5\xf9\x75\x6d\x19\xa3\xeb\x39\x2b\xa4\x5b\x9f\x38\x1d\xc2\xb0\x62\xee\x3c\xe9\x42\xa4\x85\xe6\x78\xa8\xea\x13\xf6\xc9\xea\xc7\x4e\xc9\x64\x1b\x11\x9d\x78\xa9\xe3\x6b\x32\x32\x7c\xfb\x53\x5d\x6e\xe4\x02\x91\x7d\x7b\x92\xa3\xef\x09\xa7\x93\x23\x73\x5d\xbe\xd9\xb6\x23\xca\x4b\x83\xdb\x01\x17\xd5\x37\xe5\xc5\x8c\x64\x05\xbb\x0f\xe3\x3b\xda\x56\xba\x38\x4b\x95\xfd\x46\x87\xdf\x02\x17\xb2\x23\xa0\xa5\x25\x06\x2e\xf2\x59\x59\x1d\xba\x73\xdb\x93\x6a\x7f\x85\xb8\x2d\xdd\xce\xd8\x21\x6a\xa4\xbc\x4e\xd6\x36\xa5\x7f\xc6\xe6\x83\xe3\xce\xb1\x0a\x63\xbe\x63\x33\x0c\x0e\xa4\xd2\xa5\xcf\xf5\xdb\x4a\xc7\x1a\xc1\x0c\xdc\xe3\xf5\xbd\x50\xc2\x9c\xa7\xd1\x55\x8d\xc5\xed\x7f\x06\xb2\x1d\xd7\xba\x9a\x0d\xc6", 175); *(uint8_t*)0x20000001827c = 9; *(uint8_t*)0x20000001827d = 5; *(uint8_t*)0x20000001827e = 5; *(uint8_t*)0x20000001827f = 0x10; *(uint16_t*)0x200000018280 = 8; *(uint8_t*)0x200000018282 = 0xd4; *(uint8_t*)0x200000018283 = 8; *(uint8_t*)0x200000018284 = 8; *(uint8_t*)0x200000018285 = 7; *(uint8_t*)0x200000018286 = 0x25; *(uint8_t*)0x200000018287 = 1; *(uint8_t*)0x200000018288 = 0xc; *(uint8_t*)0x200000018289 = 0; *(uint16_t*)0x20000001828a = 0x20a; *(uint8_t*)0x20000001828c = 7; *(uint8_t*)0x20000001828d = 0x25; *(uint8_t*)0x20000001828e = 1; *(uint8_t*)0x20000001828f = 0xc; *(uint8_t*)0x200000018290 = 9; *(uint16_t*)0x200000018291 = 5; *(uint8_t*)0x200000018293 = 9; *(uint8_t*)0x200000018294 = 5; *(uint8_t*)0x200000018295 = 5; *(uint8_t*)0x200000018296 = 0; *(uint16_t*)0x200000018297 = 8; *(uint8_t*)0x200000018299 = 7; *(uint8_t*)0x20000001829a = 7; *(uint8_t*)0x20000001829b = 1; *(uint8_t*)0x20000001829c = 0xd4; *(uint8_t*)0x20000001829d = 0xf; memcpy((void*)0x20000001829e, "\x73\x7d\x3a\x43\x15\x65\x8a\x8f\xfa\xd1\x24\xef\x25\x69\x21\x25\x49\x4e\x37\x60\x89\xb7\x0b\x3f\xa6\x3c\x98\xd5\x48\x31\x91\x45\xd9\xa4\x32\xc0\xa3\xa9\x10\x83\x5f\x2c\x89\xb9\x7e\x71\x68\xde\x3f\x5a\x68\xfc\x6d\x30\x86\xb5\xab\xbd\x9c\xad\x99\xb9\xf5\x7d\xf6\x6d\x7a\x2a\xf8\xb1\x1c\x90\x04\x1d\xd4\x4e\xa5\xcb\x90\xb0\x84\x93\xf1\xcc\x38\x39\x1a\xb3\x93\xed\xca\x7a\xfe\x19\xad\xa6\x84\xd6\x2c\x76\x02\x8a\x42\x83\xd3\xf7\xc4\xb6\xa2\x95\x30\xb4\x34\x5f\x74\xfe\xdf\x78\x70\x9f\x1a\x61\x72\xae\x09\x1c\x18\x10\x37\xaa\x8d\x41\x50\x3c\x85\x4f\x5d\x64\xa4\xe1\x77\x29\x82\xed\xb2\xfa\xeb\x1f\x1a\x4f\xfb\x5f\x1b\x62\x41\x5e\x46\xf1\xbb\x27\x37\x4d\x48\x24\x50\x31\xd0\x50\xdc\x55\x28\xc7\xd1\x9e\x7d\x9f\x4f\x71\x98\x39\x84\xe4\x4a\x63\x35\x75\xf1\xb7\x92\xd0\x6d\xb2\xad\xa0\xca\x60\xeb\x38\x96\xc7\xe5\x17\x98\x1d\x56\x7f\xe7\xb5\x8a\xd2", 210); *(uint8_t*)0x200000018370 = 9; *(uint8_t*)0x200000018371 = 5; *(uint8_t*)0x200000018372 = 2; *(uint8_t*)0x200000018373 = 0; *(uint16_t*)0x200000018374 = 0x3ff; *(uint8_t*)0x200000018376 = 5; *(uint8_t*)0x200000018377 = 0x47; *(uint8_t*)0x200000018378 = -1; *(uint8_t*)0x200000018379 = 9; *(uint8_t*)0x20000001837a = 5; *(uint8_t*)0x20000001837b = 0xd; *(uint8_t*)0x20000001837c = 4; *(uint16_t*)0x20000001837d = 0x10; *(uint8_t*)0x20000001837f = 9; *(uint8_t*)0x200000018380 = 9; *(uint8_t*)0x200000018381 = 4; *(uint8_t*)0x200000018382 = 7; *(uint8_t*)0x200000018383 = 0x25; *(uint8_t*)0x200000018384 = 1; *(uint8_t*)0x200000018385 = 8; *(uint8_t*)0x200000018386 = 5; *(uint16_t*)0x200000018387 = 1; *(uint8_t*)0x200000018389 = 0x84; *(uint8_t*)0x20000001838a = 4; memcpy((void*)0x20000001838b, "\xc2\x5a\x3f\xb7\x3a\x08\xd8\xb8\x8a\x25\xe3\x96\xfe\xe4\xb0\x18\xb4\x48\x7b\xcc\xab\xbf\xfe\x8a\xc9\x64\x09\x7b\x47\xdd\x92\x6e\x5c\xb6\x85\xc9\x56\x8c\x47\x38\xe1\xbc\x09\x72\xad\x10\xf1\x27\x89\xa9\xa8\x08\x0d\x7a\x49\x26\x30\xe9\xa1\x55\xa1\x2e\x26\x76\x04\xf5\x37\x73\xb1\xf3\xa6\x03\xc1\x9d\x4d\xc0\xf4\xc5\xcc\xee\x5e\x95\x71\x70\x6e\x99\x0d\xc8\x62\x31\x2f\xb3\xd2\x6c\xc3\x7b\x01\x1d\x95\xf3\x15\x9d\x13\xc4\xac\x34\xab\x08\x4c\x1a\x06\x60\x50\x9a\xe1\x3f\xa6\xf8\x4d\x60\x68\xb3\x3e\x5f\xf1\xda\x2a\x32\x37\x3a", 130); *(uint8_t*)0x20000001840d = 9; *(uint8_t*)0x20000001840e = 5; *(uint8_t*)0x20000001840f = 2; *(uint8_t*)0x200000018410 = 0; *(uint16_t*)0x200000018411 = 0x400; *(uint8_t*)0x200000018413 = 0xa; *(uint8_t*)0x200000018414 = 8; *(uint8_t*)0x200000018415 = 4; *(uint8_t*)0x200000018416 = 9; *(uint8_t*)0x200000018417 = 5; *(uint8_t*)0x200000018418 = 0xe; *(uint8_t*)0x200000018419 = 0; *(uint16_t*)0x20000001841a = 8; *(uint8_t*)0x20000001841c = 6; *(uint8_t*)0x20000001841d = 4; *(uint8_t*)0x20000001841e = 0x96; *(uint8_t*)0x20000001841f = 7; *(uint8_t*)0x200000018420 = 0x25; *(uint8_t*)0x200000018421 = 1; *(uint8_t*)0x200000018422 = 0; *(uint8_t*)0x200000018423 = 0xbe; *(uint16_t*)0x200000018424 = 0xda; *(uint8_t*)0x200000018426 = 7; *(uint8_t*)0x200000018427 = 0x25; *(uint8_t*)0x200000018428 = 1; *(uint8_t*)0x200000018429 = 8; *(uint8_t*)0x20000001842a = 0; *(uint16_t*)0x20000001842b = 0; *(uint8_t*)0x20000001842d = 9; *(uint8_t*)0x20000001842e = 5; *(uint8_t*)0x20000001842f = 8; *(uint8_t*)0x200000018430 = 2; *(uint16_t*)0x200000018431 = 0x10; *(uint8_t*)0x200000018433 = 0xb; *(uint8_t*)0x200000018434 = 5; *(uint8_t*)0x200000018435 = 0x8f; *(uint8_t*)0x200000018436 = 0x77; *(uint8_t*)0x200000018437 = 0xf7; memcpy((void*)0x200000018438, "\xe6\xda\x68\x32\x66\x5e\x8f\xc3\x6a\x0e\x8f\x94\x15\x7f\x6a\x5f\xbd\x96\xba\x60\x85\xfa\x6c\xc0\xde\x01\x63\x51\x50\x75\x1f\xa9\x08\x0a\x8c\xe5\xaa\xa4\xe5\x0b\xdd\xbe\xfe\x64\x9a\x98\x85\x24\x4d\x8f\xd8\x77\x92\x0b\x57\x0d\x69\x13\xac\x5e\xf7\x4d\x87\x13\x9a\x81\x21\x5a\xce\x97\x2e\x76\x9b\x6e\x70\x7e\x21\x02\xde\x59\x3a\x66\x1d\x40\x8d\x0c\xbc\xe3\x85\xec\xdc\x66\xd0\x0e\x64\x9d\xd5\x50\x4e\x8b\x1f\x2a\xee\xdf\x02\xeb\x08\xbd\x9a\x2b\x21\x02\xf3\x79\x27\xbf\xb9", 117); *(uint8_t*)0x2000000184ad = 7; *(uint8_t*)0x2000000184ae = 0x25; *(uint8_t*)0x2000000184af = 1; *(uint8_t*)0x2000000184b0 = 0xc; *(uint8_t*)0x2000000184b1 = 0x40; *(uint16_t*)0x2000000184b2 = 0x8000; *(uint8_t*)0x2000000184b4 = 9; *(uint8_t*)0x2000000184b5 = 5; *(uint8_t*)0x2000000184b6 = 0xd; *(uint8_t*)0x2000000184b7 = 0xc; *(uint16_t*)0x2000000184b8 = 0x40; *(uint8_t*)0x2000000184ba = 6; *(uint8_t*)0x2000000184bb = 0; *(uint8_t*)0x2000000184bc = 9; *(uint8_t*)0x2000000184bd = 9; *(uint8_t*)0x2000000184be = 4; *(uint8_t*)0x2000000184bf = 0x1e; *(uint8_t*)0x2000000184c0 = 8; *(uint8_t*)0x2000000184c1 = 3; *(uint8_t*)0x2000000184c2 = 0x90; *(uint8_t*)0x2000000184c3 = 0x1b; *(uint8_t*)0x2000000184c4 = 0x5d; *(uint8_t*)0x2000000184c5 = 9; *(uint8_t*)0x2000000184c6 = 9; *(uint8_t*)0x2000000184c7 = 0x24; *(uint8_t*)0x2000000184c8 = 2; *(uint8_t*)0x2000000184c9 = 1; *(uint8_t*)0x2000000184ca = 3; *(uint8_t*)0x2000000184cb = 1; *(uint8_t*)0x2000000184cc = 0; *(uint8_t*)0x2000000184cd = 0x35; *(uint8_t*)0x2000000184ce = 8; *(uint8_t*)0x2000000184cf = 9; *(uint8_t*)0x2000000184d0 = 0x24; *(uint8_t*)0x2000000184d1 = 2; *(uint8_t*)0x2000000184d2 = 1; *(uint8_t*)0x2000000184d3 = 4; *(uint8_t*)0x2000000184d4 = 3; *(uint8_t*)0x2000000184d5 = 4; *(uint8_t*)0x2000000184d6 = 0xf6; *(uint8_t*)0x2000000184d7 = 0x80; *(uint8_t*)0x2000000184d8 = 0xa; *(uint8_t*)0x2000000184d9 = 0x24; *(uint8_t*)0x2000000184da = 2; *(uint8_t*)0x2000000184db = 2; *(uint16_t*)0x2000000184dc = 5; *(uint16_t*)0x2000000184de = 0x35c6; *(uint8_t*)0x2000000184e0 = 1; *(uint8_t*)0x2000000184e1 = 3; *(uint8_t*)0x2000000184e2 = 0xa; *(uint8_t*)0x2000000184e3 = 0x24; *(uint8_t*)0x2000000184e4 = 1; *(uint16_t*)0x2000000184e5 = 0x8001; *(uint16_t*)0x2000000184e7 = 0x51; *(uint8_t*)0x2000000184e9 = 2; *(uint8_t*)0x2000000184ea = 1; *(uint8_t*)0x2000000184eb = 2; *(uint8_t*)0x2000000184ec = 9; *(uint8_t*)0x2000000184ed = 0x24; *(uint8_t*)0x2000000184ee = 6; *(uint8_t*)0x2000000184ef = 4; *(uint8_t*)0x2000000184f0 = 3; *(uint8_t*)0x2000000184f1 = 1; *(uint16_t*)0x2000000184f2 = 4; *(uint8_t*)0x2000000184f4 = 8; *(uint8_t*)0x2000000184f5 = 0xb; *(uint8_t*)0x2000000184f6 = 0x24; *(uint8_t*)0x2000000184f7 = 7; *(uint8_t*)0x2000000184f8 = 4; *(uint16_t*)0x2000000184f9 = 3; *(uint8_t*)0x2000000184fb = 9; memcpy((void*)0x2000000184fc, "\xd6\xe5\xbe\xc9", 4); *(uint8_t*)0x200000018500 = 9; *(uint8_t*)0x200000018501 = 0x24; *(uint8_t*)0x200000018502 = 7; *(uint8_t*)0x200000018503 = 1; *(uint16_t*)0x200000018504 = 1; *(uint8_t*)0x200000018506 = 6; memcpy((void*)0x200000018507, "CO", 2); *(uint8_t*)0x200000018509 = 0xc; *(uint8_t*)0x20000001850a = 0x24; *(uint8_t*)0x20000001850b = 2; *(uint8_t*)0x20000001850c = 2; *(uint16_t*)0x20000001850d = 0x204; *(uint8_t*)0x20000001850f = 5; *(uint8_t*)0x200000018510 = 9; *(uint16_t*)0x200000018511 = 9; *(uint8_t*)0x200000018513 = 1; *(uint8_t*)0x200000018514 = 0xd4; *(uint8_t*)0x200000018515 = 0x11; *(uint8_t*)0x200000018516 = 0x24; *(uint8_t*)0x200000018517 = 6; *(uint8_t*)0x200000018518 = 5; *(uint8_t*)0x200000018519 = 6; *(uint8_t*)0x20000001851a = 5; *(uint16_t*)0x20000001851b = 3; *(uint16_t*)0x20000001851d = 0xa; *(uint16_t*)0x20000001851f = 3; *(uint16_t*)0x200000018521 = 9; *(uint16_t*)0x200000018523 = 3; *(uint8_t*)0x200000018525 = 3; *(uint8_t*)0x200000018526 = 0xd; *(uint8_t*)0x200000018527 = 0x24; *(uint8_t*)0x200000018528 = 8; *(uint8_t*)0x200000018529 = 2; *(uint16_t*)0x20000001852a = 5; *(uint8_t*)0x20000001852c = 0xfa; memcpy((void*)0x20000001852d, "\xcf\x52\x1f\xd9\x77\x8e", 6); *(uint8_t*)0x200000018533 = 9; *(uint8_t*)0x200000018534 = 5; *(uint8_t*)0x200000018535 = 0; *(uint8_t*)0x200000018536 = 1; *(uint16_t*)0x200000018537 = 0x200; *(uint8_t*)0x200000018539 = 3; *(uint8_t*)0x20000001853a = 9; *(uint8_t*)0x20000001853b = 6; *(uint8_t*)0x20000001853c = 9; *(uint8_t*)0x20000001853d = 5; *(uint8_t*)0x20000001853e = 1; *(uint8_t*)0x20000001853f = 0x10; *(uint16_t*)0x200000018540 = 0; *(uint8_t*)0x200000018542 = 7; *(uint8_t*)0x200000018543 = 3; *(uint8_t*)0x200000018544 = 1; *(uint8_t*)0x200000018545 = 9; *(uint8_t*)0x200000018546 = 5; *(uint8_t*)0x200000018547 = 9; *(uint8_t*)0x200000018548 = 3; *(uint16_t*)0x200000018549 = 0x20; *(uint8_t*)0x20000001854b = 0xf; *(uint8_t*)0x20000001854c = 4; *(uint8_t*)0x20000001854d = 5; *(uint8_t*)0x20000001854e = 0x30; *(uint8_t*)0x20000001854f = 0x30; memcpy((void*)0x200000018550, "\x9a\xf3\xfe\x71\x51\xc3\xb3\xad\x7b\xd1\xa1\xc8\xe2\xee\x7c\x94\x95\xbf\xb5\x20\x94\xd1\xdc\x13\xf4\x1f\x06\xa7\x6b\x11\x1e\xbf\x90\x89\xa2\x37\x2b\x32\x34\x99\xe8\x15\x36\xed\x22\xf6", 46); *(uint8_t*)0x20000001857e = 7; *(uint8_t*)0x20000001857f = 0x25; *(uint8_t*)0x200000018580 = 1; *(uint8_t*)0x200000018581 = 0; *(uint8_t*)0x200000018582 = 0xd; *(uint16_t*)0x200000018583 = 0x1000; *(uint32_t*)0x2000000187c0 = 0xa; *(uint64_t*)0x2000000187c4 = 0x2000000185c0; *(uint8_t*)0x2000000185c0 = 0xa; *(uint8_t*)0x2000000185c1 = 6; *(uint16_t*)0x2000000185c2 = 0x200; *(uint8_t*)0x2000000185c4 = 0xe; *(uint8_t*)0x2000000185c5 = 0x7c; *(uint8_t*)0x2000000185c6 = 5; *(uint8_t*)0x2000000185c7 = 0x40; *(uint8_t*)0x2000000185c8 = 6; *(uint8_t*)0x2000000185c9 = 0; *(uint32_t*)0x2000000187cc = 0xec; *(uint64_t*)0x2000000187d0 = 0x200000018600; *(uint8_t*)0x200000018600 = 5; *(uint8_t*)0x200000018601 = 0xf; *(uint16_t*)0x200000018602 = 0xec; *(uint8_t*)0x200000018604 = 5; *(uint8_t*)0x200000018605 = 0xb; *(uint8_t*)0x200000018606 = 0x10; *(uint8_t*)0x200000018607 = 1; *(uint8_t*)0x200000018608 = 4; *(uint16_t*)0x200000018609 = 8; *(uint8_t*)0x20000001860b = 0x7f; *(uint8_t*)0x20000001860c = 4; *(uint16_t*)0x20000001860d = 0x10; *(uint8_t*)0x20000001860f = 0; *(uint8_t*)0x200000018610 = 3; *(uint8_t*)0x200000018611 = 0x10; *(uint8_t*)0x200000018612 = 0xb; *(uint8_t*)0x200000018613 = 0x14; *(uint8_t*)0x200000018614 = 0x10; *(uint8_t*)0x200000018615 = 4; *(uint8_t*)0x200000018616 = 0x19; memcpy((void*)0x200000018617, "\x37\x08\x89\x2f\x9f\x72\x25\xbe\x3a\x60\x09\x55\x99\x65\xad\x74", 16); *(uint8_t*)0x200000018627 = 0xb; *(uint8_t*)0x200000018628 = 0x10; *(uint8_t*)0x200000018629 = 1; *(uint8_t*)0x20000001862a = 4; *(uint16_t*)0x20000001862b = 0x20; *(uint8_t*)0x20000001862d = 0xc9; *(uint8_t*)0x20000001862e = 3; *(uint16_t*)0x20000001862f = 3; *(uint8_t*)0x200000018631 = 8; *(uint8_t*)0x200000018632 = 0xba; *(uint8_t*)0x200000018633 = 0x10; *(uint8_t*)0x200000018634 = 3; memcpy((void*)0x200000018635, "\x2a\x04\x52\xf8\xe5\x6a\xc2\xff\xae\xe6\xcb\x1f\xc6\xfa\xea\x42\x98\x66\x4f\x03\x26\x76\xda\x02\xee\x36\xca\xc0\xdf\x47\x2c\x05\xb6\xa8\x95\xc8\x7b\x06\x14\x5c\x8c\xb2\xbf\x15\x63\xd9\x15\xfb\x74\x59\xdf\xa3\x7e\x7b\x01\x0a\x23\x07\xd7\x6e\xd4\xc7\x5a\x0c\x19\x62\x07\x4d\x24\xf9\x83\x6e\x05\xdf\x96\x5f\xdf\x4e\x24\x60\x07\x6f\x7f\x10\x97\x08\x23\x08\x72\xab\xfc\x7b\x89\xd4\xe5\xe0\x8d\x5d\x7b\x3b\x28\xbe\x99\x66\x61\x69\xe4\xbe\xaa\x1e\xd7\x09\x9d\x4e\xad\x2e\x0a\xea\xb9\xe0\x1f\xf1\xbf\x20\xb5\x9a\x78\xa6\xd9\x85\x29\x89\xb4\xc4\x73\x25\x50\xc7\x0f\x84\x3d\xaa\x0c\x88\xd8\x2e\xf8\x06\xec\xe5\x08\xcc\x95\x53\xfe\x81\x34\xcf\xad\xc5\x76\x9b\xff\x04\x6d\xca\x8f\x1f\xe0\x31\xf2\x5d\xba\xe9\x23\x96\x22\x56\xa0\xd9\x62\xf0\x81", 183); *(uint32_t*)0x2000000187d8 = 2; *(uint32_t*)0x2000000187dc = 0x5f; *(uint64_t*)0x2000000187e0 = 0x200000018700; *(uint8_t*)0x200000018700 = 0x5f; *(uint8_t*)0x200000018701 = 3; memcpy((void*)0x200000018702, "\x15\x9f\xae\xf0\x2b\x24\x6d\xab\x7c\xba\x3e\xfc\x4a\x7f\xed\x8d\x17\x4b\xd7\x06\xd4\x84\x57\xf2\x61\xad\x8f\xe8\x8d\xc0\x42\x6f\xe7\x1a\x32\x29\x1e\xe9\x35\x75\xbf\x34\x7c\xbf\xc2\x13\x23\xb2\x08\xf1\x5a\x79\x2a\xbb\xf3\x01\x70\x92\xaa\x8e\x55\x1f\xcb\xd8\x51\xca\x73\x90\x61\x2f\x9e\x58\x48\x73\x8c\x87\x2b\x63\x87\x38\x75\x5a\xdf\xa7\xd4\x32\xea\xb1\xcd\xf1\x12\x46\xe6", 93); *(uint32_t*)0x2000000187e8 = 4; *(uint64_t*)0x2000000187ec = 0x200000018780; *(uint8_t*)0x200000018780 = 4; *(uint8_t*)0x200000018781 = 3; *(uint16_t*)0x200000018782 = 0x41d; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x745, /*dev=*/0x200000017e40, /*conn_descs=*/0x2000000187c0); if (res != -1) r[44] = res; break; case 67: *(uint8_t*)0x200000018800 = 0x12; *(uint8_t*)0x200000018801 = 1; *(uint16_t*)0x200000018802 = 0x200; *(uint8_t*)0x200000018804 = -1; *(uint8_t*)0x200000018805 = -1; *(uint8_t*)0x200000018806 = -1; *(uint8_t*)0x200000018807 = 0x40; *(uint16_t*)0x200000018808 = 0xcf3; *(uint16_t*)0x20000001880a = 0x9271; *(uint16_t*)0x20000001880c = 0x108; *(uint8_t*)0x20000001880e = 1; *(uint8_t*)0x20000001880f = 2; *(uint8_t*)0x200000018810 = 3; *(uint8_t*)0x200000018811 = 1; *(uint8_t*)0x200000018812 = 9; *(uint8_t*)0x200000018813 = 2; *(uint16_t*)0x200000018814 = 0x48; *(uint8_t*)0x200000018816 = 1; *(uint8_t*)0x200000018817 = 1; *(uint8_t*)0x200000018818 = 0; *(uint8_t*)0x200000018819 = 0x80; *(uint8_t*)0x20000001881a = 0xfa; *(uint8_t*)0x20000001881b = 9; *(uint8_t*)0x20000001881c = 4; *(uint8_t*)0x20000001881d = 0; *(uint8_t*)0x20000001881e = 0; *(uint8_t*)0x20000001881f = 6; *(uint8_t*)0x200000018820 = -1; *(uint8_t*)0x200000018821 = 0; *(uint8_t*)0x200000018822 = 0; *(uint8_t*)0x200000018823 = 0; *(uint8_t*)0x200000018824 = 9; *(uint8_t*)0x200000018825 = 5; *(uint8_t*)0x200000018826 = 1; *(uint8_t*)0x200000018827 = 2; *(uint16_t*)0x200000018828 = 0x200; *(uint8_t*)0x20000001882a = 0; *(uint8_t*)0x20000001882b = 0; *(uint8_t*)0x20000001882c = 0; *(uint8_t*)0x20000001882d = 9; *(uint8_t*)0x20000001882e = 5; *(uint8_t*)0x20000001882f = 0x82; *(uint8_t*)0x200000018830 = 2; *(uint16_t*)0x200000018831 = 0x200; *(uint8_t*)0x200000018833 = 0; *(uint8_t*)0x200000018834 = 0; *(uint8_t*)0x200000018835 = 0; *(uint8_t*)0x200000018836 = 9; *(uint8_t*)0x200000018837 = 5; *(uint8_t*)0x200000018838 = 0x83; *(uint8_t*)0x200000018839 = 3; *(uint16_t*)0x20000001883a = 0x40; *(uint8_t*)0x20000001883c = 1; *(uint8_t*)0x20000001883d = 0; *(uint8_t*)0x20000001883e = 0; *(uint8_t*)0x20000001883f = 9; *(uint8_t*)0x200000018840 = 5; *(uint8_t*)0x200000018841 = 4; *(uint8_t*)0x200000018842 = 3; *(uint16_t*)0x200000018843 = 0x40; *(uint8_t*)0x200000018845 = 1; *(uint8_t*)0x200000018846 = 0; *(uint8_t*)0x200000018847 = 0; *(uint8_t*)0x200000018848 = 9; *(uint8_t*)0x200000018849 = 5; *(uint8_t*)0x20000001884a = 5; *(uint8_t*)0x20000001884b = 2; *(uint16_t*)0x20000001884c = 0x200; *(uint8_t*)0x20000001884e = 0; *(uint8_t*)0x20000001884f = 0; *(uint8_t*)0x200000018850 = 0; *(uint8_t*)0x200000018851 = 9; *(uint8_t*)0x200000018852 = 5; *(uint8_t*)0x200000018853 = 6; *(uint8_t*)0x200000018854 = 2; *(uint16_t*)0x200000018855 = 0x200; *(uint8_t*)0x200000018857 = 0; *(uint8_t*)0x200000018858 = 0; *(uint8_t*)0x200000018859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000018800, /*conn_descs=*/0); if (res != -1) r[45] = res; break; case 68: *(uint32_t*)0x200000018a00 = 0x2c; *(uint64_t*)0x200000018a04 = 0x200000018880; *(uint8_t*)0x200000018880 = 0x20; *(uint8_t*)0x200000018881 = 0xa; *(uint32_t*)0x200000018882 = 6; *(uint8_t*)0x200000018886 = 6; *(uint8_t*)0x200000018887 = 0x11; memcpy((void*)0x200000018888, "\x11\xbe\x69\x06", 4); *(uint64_t*)0x200000018a0c = 0x2000000188c0; *(uint8_t*)0x2000000188c0 = 0; *(uint8_t*)0x2000000188c1 = 3; *(uint32_t*)0x2000000188c2 = 0x4b; *(uint8_t*)0x2000000188c6 = 0x4b; *(uint8_t*)0x2000000188c7 = 3; memcpy((void*)0x2000000188c8, "\x54\xf1\x66\xc5\x04\xf7\x90\xb8\xfd\x21\x67\xab\x4d\x22\x07\xfa\xf4\xe0\xd9\xb9\x06\x85\x64\xc8\xfe\xe8\x2a\x31\xe2\xa5\x6d\x9b\x86\x3c\x41\x88\xc8\x02\xbd\x1e\x73\x79\x93\xba\x22\xa3\x23\x79\x5c\xb0\xb4\xf4\xe9\x4c\xb7\x96\x75\x88\x40\xf7\xc8\x88\x98\x69\x4a\x05\x9b\xe7\x6c\x02\x85\xd6\x91", 73); *(uint64_t*)0x200000018a14 = 0x200000018940; *(uint8_t*)0x200000018940 = 0; *(uint8_t*)0x200000018941 = 0xf; *(uint32_t*)0x200000018942 = 0x1a; *(uint8_t*)0x200000018946 = 5; *(uint8_t*)0x200000018947 = 0xf; *(uint16_t*)0x200000018948 = 0x1a; *(uint8_t*)0x20000001894a = 2; *(uint8_t*)0x20000001894b = 0xb; *(uint8_t*)0x20000001894c = 0x10; *(uint8_t*)0x20000001894d = 1; *(uint8_t*)0x20000001894e = 2; *(uint16_t*)0x20000001894f = 1; *(uint8_t*)0x200000018951 = 4; *(uint8_t*)0x200000018952 = 0xa; *(uint16_t*)0x200000018953 = 4; *(uint8_t*)0x200000018955 = 0x10; *(uint8_t*)0x200000018956 = 0xa; *(uint8_t*)0x200000018957 = 0x10; *(uint8_t*)0x200000018958 = 3; *(uint8_t*)0x200000018959 = 0; *(uint16_t*)0x20000001895a = 4; *(uint8_t*)0x20000001895c = 6; *(uint8_t*)0x20000001895d = 0; *(uint16_t*)0x20000001895e = 1; *(uint64_t*)0x200000018a1c = 0x200000018980; *(uint8_t*)0x200000018980 = 0x20; *(uint8_t*)0x200000018981 = 0x29; *(uint32_t*)0x200000018982 = 0xf; *(uint8_t*)0x200000018986 = 0xf; *(uint8_t*)0x200000018987 = 0x29; *(uint8_t*)0x200000018988 = 0x7e; *(uint16_t*)0x200000018989 = 0; *(uint8_t*)0x20000001898b = 2; *(uint8_t*)0x20000001898c = 7; memcpy((void*)0x20000001898d, "\x3c\x68\x95\xab", 4); memcpy((void*)0x200000018991, "\x13\x82\x53\xae", 4); *(uint64_t*)0x200000018a24 = 0x2000000189c0; *(uint8_t*)0x2000000189c0 = 0x20; *(uint8_t*)0x2000000189c1 = 0x2a; *(uint32_t*)0x2000000189c2 = 0xc; *(uint8_t*)0x2000000189c6 = 0xc; *(uint8_t*)0x2000000189c7 = 0x2a; *(uint8_t*)0x2000000189c8 = 0xe; *(uint16_t*)0x2000000189c9 = 1; *(uint8_t*)0x2000000189cb = 0xb5; *(uint8_t*)0x2000000189cc = 2; *(uint8_t*)0x2000000189cd = 6; *(uint16_t*)0x2000000189ce = 7; *(uint16_t*)0x2000000189d0 = 9; *(uint32_t*)0x200000018e40 = 0x84; *(uint64_t*)0x200000018e44 = 0x200000018a40; *(uint8_t*)0x200000018a40 = 0x20; *(uint8_t*)0x200000018a41 = 0xc; *(uint32_t*)0x200000018a42 = 2; memcpy((void*)0x200000018a46, "\xd8\x0b", 2); *(uint64_t*)0x200000018e4c = 0x200000018a80; *(uint8_t*)0x200000018a80 = 0; *(uint8_t*)0x200000018a81 = 0xa; *(uint32_t*)0x200000018a82 = 1; *(uint8_t*)0x200000018a86 = 7; *(uint64_t*)0x200000018e54 = 0x200000018ac0; *(uint8_t*)0x200000018ac0 = 0; *(uint8_t*)0x200000018ac1 = 8; *(uint32_t*)0x200000018ac2 = 1; *(uint8_t*)0x200000018ac6 = 5; *(uint64_t*)0x200000018e5c = 0x200000018b00; *(uint8_t*)0x200000018b00 = 0x20; *(uint8_t*)0x200000018b01 = 0; *(uint32_t*)0x200000018b02 = 4; *(uint16_t*)0x200000018b06 = 0; *(uint16_t*)0x200000018b08 = 2; *(uint64_t*)0x200000018e64 = 0x200000018b40; *(uint8_t*)0x200000018b40 = 0x20; *(uint8_t*)0x200000018b41 = 0; *(uint32_t*)0x200000018b42 = 8; *(uint16_t*)0x200000018b46 = 0x1160; *(uint16_t*)0x200000018b48 = 2; *(uint32_t*)0x200000018b4a = 0x1e0ff; *(uint64_t*)0x200000018e6c = 0x200000018b80; *(uint8_t*)0x200000018b80 = 0x40; *(uint8_t*)0x200000018b81 = 7; *(uint32_t*)0x200000018b82 = 2; *(uint16_t*)0x200000018b86 = 0; *(uint64_t*)0x200000018e74 = 0x200000018bc0; *(uint8_t*)0x200000018bc0 = 0x40; *(uint8_t*)0x200000018bc1 = 9; *(uint32_t*)0x200000018bc2 = 1; *(uint8_t*)0x200000018bc6 = 0x81; *(uint64_t*)0x200000018e7c = 0x200000018c00; *(uint8_t*)0x200000018c00 = 0x40; *(uint8_t*)0x200000018c01 = 0xb; *(uint32_t*)0x200000018c02 = 2; memcpy((void*)0x200000018c06, "~s", 2); *(uint64_t*)0x200000018e84 = 0x200000018c40; *(uint8_t*)0x200000018c40 = 0x40; *(uint8_t*)0x200000018c41 = 0xf; *(uint32_t*)0x200000018c42 = 2; *(uint16_t*)0x200000018c46 = 0xa; *(uint64_t*)0x200000018e8c = 0x200000018c80; *(uint8_t*)0x200000018c80 = 0x40; *(uint8_t*)0x200000018c81 = 0x13; *(uint32_t*)0x200000018c82 = 6; memset((void*)0x200000018c86, 170, 5); *(uint8_t*)0x200000018c8b = 0x17; *(uint64_t*)0x200000018e94 = 0x200000018cc0; *(uint8_t*)0x200000018cc0 = 0x40; *(uint8_t*)0x200000018cc1 = 0x17; *(uint32_t*)0x200000018cc2 = 6; memset((void*)0x200000018cc6, 170, 5); *(uint8_t*)0x200000018ccb = 0x3d; *(uint64_t*)0x200000018e9c = 0x200000018d00; *(uint8_t*)0x200000018d00 = 0x40; *(uint8_t*)0x200000018d01 = 0x19; *(uint32_t*)0x200000018d02 = 2; memcpy((void*)0x200000018d06, "\xb3\x62", 2); *(uint64_t*)0x200000018ea4 = 0x200000018d40; *(uint8_t*)0x200000018d40 = 0x40; *(uint8_t*)0x200000018d41 = 0x1a; *(uint32_t*)0x200000018d42 = 2; *(uint16_t*)0x200000018d46 = 6; *(uint64_t*)0x200000018eac = 0x200000018d80; *(uint8_t*)0x200000018d80 = 0x40; *(uint8_t*)0x200000018d81 = 0x1c; *(uint32_t*)0x200000018d82 = 1; *(uint8_t*)0x200000018d86 = 0xfa; *(uint64_t*)0x200000018eb4 = 0x200000018dc0; *(uint8_t*)0x200000018dc0 = 0x40; *(uint8_t*)0x200000018dc1 = 0x1e; *(uint32_t*)0x200000018dc2 = 1; *(uint8_t*)0x200000018dc6 = 9; *(uint64_t*)0x200000018ebc = 0x200000018e00; *(uint8_t*)0x200000018e00 = 0x40; *(uint8_t*)0x200000018e01 = 0x21; *(uint32_t*)0x200000018e02 = 1; *(uint8_t*)0x200000018e06 = 8; syz_usb_control_io(/*fd=*/r[44], /*descs=*/0x200000018a00, /*resps=*/0x200000018e40); break; case 69: syz_usb_disconnect(/*fd=*/r[45]); break; case 70: syz_usb_ep_read(/*fd=*/r[45], /*ep=*/0xd2, /*len=*/0xde, /*data=*/0x200000018f00); break; case 71: *(uint8_t*)0x200000019000 = 0x12; *(uint8_t*)0x200000019001 = 1; *(uint16_t*)0x200000019002 = 0x110; *(uint8_t*)0x200000019004 = 0; *(uint8_t*)0x200000019005 = 0; *(uint8_t*)0x200000019006 = 0; *(uint8_t*)0x200000019007 = 0x10; *(uint16_t*)0x200000019008 = 0x1430; *(uint16_t*)0x20000001900a = 0x474b; *(uint16_t*)0x20000001900c = 0x40; *(uint8_t*)0x20000001900e = 1; *(uint8_t*)0x20000001900f = 2; *(uint8_t*)0x200000019010 = 3; *(uint8_t*)0x200000019011 = 1; *(uint8_t*)0x200000019012 = 9; *(uint8_t*)0x200000019013 = 2; *(uint16_t*)0x200000019014 = 0xcc; *(uint8_t*)0x200000019016 = 1; *(uint8_t*)0x200000019017 = 1; *(uint8_t*)0x200000019018 = 9; *(uint8_t*)0x200000019019 = 0; *(uint8_t*)0x20000001901a = 9; *(uint8_t*)0x20000001901b = 9; *(uint8_t*)0x20000001901c = 4; *(uint8_t*)0x20000001901d = 0; *(uint8_t*)0x20000001901e = 0; *(uint8_t*)0x20000001901f = 5; *(uint8_t*)0x200000019020 = 1; *(uint8_t*)0x200000019021 = 3; *(uint8_t*)0x200000019022 = 0; *(uint8_t*)0x200000019023 = 0xa; *(uint8_t*)0x200000019024 = 7; *(uint8_t*)0x200000019025 = 0x24; *(uint8_t*)0x200000019026 = 1; *(uint16_t*)0x200000019027 = 0; *(uint16_t*)0x200000019029 = 7; *(uint8_t*)0x20000001902b = 0x11; *(uint8_t*)0x20000001902c = 0x24; *(uint8_t*)0x20000001902d = 3; *(uint8_t*)0x20000001902e = 0; *(uint8_t*)0x20000001902f = 0xf5; *(uint8_t*)0x200000019030 = 5; *(uint8_t*)0x200000019031 = 4; *(uint8_t*)0x200000019032 = 0; *(uint8_t*)0x200000019033 = 7; *(uint8_t*)0x200000019034 = 7; *(uint8_t*)0x200000019035 = 0xc1; *(uint8_t*)0x200000019036 = 0; *(uint8_t*)0x200000019037 = 3; *(uint8_t*)0x200000019038 = 3; *(uint8_t*)0x200000019039 = 2; *(uint8_t*)0x20000001903a = 0xc; *(uint8_t*)0x20000001903b = 0xd4; *(uint8_t*)0x20000001903c = 0x13; *(uint8_t*)0x20000001903d = 0x24; *(uint8_t*)0x20000001903e = 3; *(uint8_t*)0x20000001903f = 2; *(uint8_t*)0x200000019040 = 0xd; *(uint8_t*)0x200000019041 = 6; *(uint8_t*)0x200000019042 = 0x13; *(uint8_t*)0x200000019043 = 0x80; *(uint8_t*)0x200000019044 = 2; *(uint8_t*)0x200000019045 = 0xe; *(uint8_t*)0x200000019046 = 1; *(uint8_t*)0x200000019047 = 3; *(uint8_t*)0x200000019048 = 8; *(uint8_t*)0x200000019049 = 7; *(uint8_t*)0x20000001904a = 7; *(uint8_t*)0x20000001904b = 4; *(uint8_t*)0x20000001904c = 0xeb; *(uint8_t*)0x20000001904d = 6; *(uint8_t*)0x20000001904e = 4; *(uint8_t*)0x20000001904f = 7; *(uint8_t*)0x200000019050 = 0x24; *(uint8_t*)0x200000019051 = 1; *(uint16_t*)0x200000019052 = 3; *(uint16_t*)0x200000019054 = 7; *(uint8_t*)0x200000019056 = 9; *(uint8_t*)0x200000019057 = 0x24; *(uint8_t*)0x200000019058 = 3; *(uint8_t*)0x200000019059 = 0; *(uint8_t*)0x20000001905a = 6; *(uint8_t*)0x20000001905b = 1; *(uint8_t*)0x20000001905c = 2; *(uint8_t*)0x20000001905d = 0x53; *(uint8_t*)0x20000001905e = 0; *(uint8_t*)0x20000001905f = 9; *(uint8_t*)0x200000019060 = 5; *(uint8_t*)0x200000019061 = 0xc; *(uint8_t*)0x200000019062 = 0; *(uint16_t*)0x200000019063 = 8; *(uint8_t*)0x200000019065 = 0; *(uint8_t*)0x200000019066 = 3; *(uint8_t*)0x200000019067 = 0xef; *(uint8_t*)0x200000019068 = 0xf; *(uint8_t*)0x200000019069 = 0x25; *(uint8_t*)0x20000001906a = 1; *(uint8_t*)0x20000001906b = 0xb; memcpy((void*)0x20000001906c, "\x8d\xca\x6f\x86\xba\x15\x43\xf9\xfd\x54\x17", 11); *(uint8_t*)0x200000019077 = 9; *(uint8_t*)0x200000019078 = 5; *(uint8_t*)0x200000019079 = 1; *(uint8_t*)0x20000001907a = 2; *(uint16_t*)0x20000001907b = 0x10; *(uint8_t*)0x20000001907d = 0xa5; *(uint8_t*)0x20000001907e = 8; *(uint8_t*)0x20000001907f = 3; *(uint8_t*)0x200000019080 = 0x13; *(uint8_t*)0x200000019081 = 0x25; *(uint8_t*)0x200000019082 = 1; *(uint8_t*)0x200000019083 = 0xf; memcpy((void*)0x200000019084, "\xfc\x2a\xb7\xfa\xb0\x2e\x86\xb9\xc8\x3c\x1a\x1c\x2e\xe5\xba", 15); *(uint8_t*)0x200000019093 = 9; *(uint8_t*)0x200000019094 = 5; *(uint8_t*)0x200000019095 = 0xc; *(uint8_t*)0x200000019096 = 8; *(uint16_t*)0x200000019097 = 0x400; *(uint8_t*)0x200000019099 = 3; *(uint8_t*)0x20000001909a = 0; *(uint8_t*)0x20000001909b = 0xbe; *(uint8_t*)0x20000001909c = 0x13; *(uint8_t*)0x20000001909d = 0x25; *(uint8_t*)0x20000001909e = 1; *(uint8_t*)0x20000001909f = 0xf; memcpy((void*)0x2000000190a0, "\xd9\x81\x1e\x1e\xd3\x64\x2b\xab\x8c\x2a\x71\xbc\x25\xbf\x6c", 15); *(uint8_t*)0x2000000190af = 9; *(uint8_t*)0x2000000190b0 = 5; *(uint8_t*)0x2000000190b1 = 3; *(uint8_t*)0x2000000190b2 = 0; *(uint16_t*)0x2000000190b3 = 0x3ff; *(uint8_t*)0x2000000190b5 = 0x7f; *(uint8_t*)0x2000000190b6 = 0x96; *(uint8_t*)0x2000000190b7 = 7; *(uint8_t*)0x2000000190b8 = 0xf; *(uint8_t*)0x2000000190b9 = 0x25; *(uint8_t*)0x2000000190ba = 1; *(uint8_t*)0x2000000190bb = 0xb; memcpy((void*)0x2000000190bc, "\x0e\xc3\xb8\xef\xc0\x22\xfc\x1b\x47\x4c\xae", 11); *(uint8_t*)0x2000000190c7 = 9; *(uint8_t*)0x2000000190c8 = 5; *(uint8_t*)0x2000000190c9 = 1; *(uint8_t*)0x2000000190ca = 0; *(uint16_t*)0x2000000190cb = 0x200; *(uint8_t*)0x2000000190cd = 0x18; *(uint8_t*)0x2000000190ce = 5; *(uint8_t*)0x2000000190cf = 3; *(uint8_t*)0x2000000190d0 = 0xe; *(uint8_t*)0x2000000190d1 = 0x25; *(uint8_t*)0x2000000190d2 = 1; *(uint8_t*)0x2000000190d3 = 0xa; memcpy((void*)0x2000000190d4, "\xe3\xc1\x06\xc5\x4a\x63\x63\x8a\x2e\x82", 10); *(uint32_t*)0x200000019280 = 0xa; *(uint64_t*)0x200000019284 = 0x200000019100; *(uint8_t*)0x200000019100 = 0xa; *(uint8_t*)0x200000019101 = 6; *(uint16_t*)0x200000019102 = 0x110; *(uint8_t*)0x200000019104 = 2; *(uint8_t*)0x200000019105 = 2; *(uint8_t*)0x200000019106 = 8; *(uint8_t*)0x200000019107 = -1; *(uint8_t*)0x200000019108 = 0; *(uint8_t*)0x200000019109 = 0; *(uint32_t*)0x20000001928c = 0x3d; *(uint64_t*)0x200000019290 = 0x200000019140; *(uint8_t*)0x200000019140 = 5; *(uint8_t*)0x200000019141 = 0xf; *(uint16_t*)0x200000019142 = 0x3d; *(uint8_t*)0x200000019144 = 5; *(uint8_t*)0x200000019145 = 0xb; *(uint8_t*)0x200000019146 = 0x10; *(uint8_t*)0x200000019147 = 1; *(uint8_t*)0x200000019148 = 0xc; *(uint16_t*)0x200000019149 = 0x40; *(uint8_t*)0x20000001914b = 0xab; *(uint8_t*)0x20000001914c = 3; *(uint16_t*)0x20000001914d = 0x100; *(uint8_t*)0x20000001914f = 0; *(uint8_t*)0x200000019150 = 0x14; *(uint8_t*)0x200000019151 = 0x10; *(uint8_t*)0x200000019152 = 4; *(uint8_t*)0x200000019153 = 0; memcpy((void*)0x200000019154, "\x56\x99\xf3\x92\x8d\x2d\x0a\x00\x63\x3f\x2b\x02\x58\x4c\x01\x6a", 16); *(uint8_t*)0x200000019164 = 0xb; *(uint8_t*)0x200000019165 = 0x10; *(uint8_t*)0x200000019166 = 1; *(uint8_t*)0x200000019167 = 0xc; *(uint16_t*)0x200000019168 = 0x80; *(uint8_t*)0x20000001916a = 0; *(uint8_t*)0x20000001916b = 8; *(uint16_t*)0x20000001916c = 0x6baa; *(uint8_t*)0x20000001916e = 2; *(uint8_t*)0x20000001916f = 7; *(uint8_t*)0x200000019170 = 0x10; *(uint8_t*)0x200000019171 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019172, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019174, 0x98, 0, 16); *(uint8_t*)0x200000019176 = 7; *(uint8_t*)0x200000019177 = 0x10; *(uint8_t*)0x200000019178 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019179, 0x12, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 3, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917b, 4, 0, 16); *(uint32_t*)0x200000019298 = 1; *(uint32_t*)0x20000001929c = 0xc1; *(uint64_t*)0x2000000192a0 = 0x200000019180; *(uint8_t*)0x200000019180 = 0xc1; *(uint8_t*)0x200000019181 = 3; memcpy((void*)0x200000019182, "\xb6\x43\x49\xde\x30\xb2\x3e\x68\x3c\x87\xb0\xfe\x59\x34\x1d\x26\xe0\xe3\x91\xac\xdf\x6a\xd0\x57\x1a\xcc\x05\xf8\xe5\xfc\xfd\xc3\x93\x6c\x96\xd9\x99\x06\xc4\xc1\xe5\xd9\xce\x59\x60\x9e\x60\xfc\x39\x40\x29\xa1\x9f\xec\x98\x1c\xfd\xe7\xe9\xd3\x8c\x14\x65\xf6\xa0\x4b\x5b\x0e\xe2\x98\xf5\xf2\x1e\x58\xf7\x1b\x8f\x71\x00\xd1\xbc\x55\xca\x97\xb1\xb3\xab\x63\x48\x5b\x92\xe1\x66\x30\xae\x0c\x53\x93\x15\xc2\x5c\xef\xc3\x47\xd6\x6d\x80\xc2\x53\x1e\x81\xaf\x67\xe1\x79\xc1\x69\x66\xbc\xb8\xe9\x98\xe0\xcd\x1b\x3c\x2b\xdc\x6c\x04\x99\x46\xed\xb3\xea\xaf\xbb\xd9\xb5\xf0\xfe\x7c\x59\x25\xb6\x19\xe8\xe7\xcf\xce\x1a\x62\xc4\xd2\xac\x45\x97\x40\x06\x5e\x9f\x9e\xb7\x22\x02\xc0\xed\xae\x4b\xfc\xf5\xd1\x1b\x93\x14\x58\x1d\x63\xe6\x88\xec\x40\xc0\x37\xa3\xc4\x1c\x02\x20\xbb\x1a", 191); res = -1; res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0xde, /*dev=*/0x200000019000, /*conn_descs=*/0x200000019280); if (res != -1) r[46] = res; break; case 72: memcpy((void*)0x2000000192c0, "\xb7\x25\x34\xd8\x42\x09\xa7\xa8\x62", 9); syz_usb_ep_write(/*fd=*/r[46], /*ep=*/3, /*len=*/9, /*data=*/0x2000000192c0); break; case 73: syz_usbip_server_init(/*speed=USB_SPEED_LOW*/1); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); do_sandbox_none(); return 0; } : In function 'execute_call': :7190:17: error: '__NR_socketcall' undeclared (first use in this function) :7190:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor3933049435 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/33 (0.41s) csource_test.go:161: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_io_uring_complete(0x0, 0x0) (fail_nth: 1) write$cgroup_type(r0, &(0x7f0000000000), 0x9) (async) cachestat(r0, &(0x7f0000000040)={0xffffffffffffffff}, &(0x7f0000000080), 0x0) (rerun: 4) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0xf503, 0x0) r1 = openat$bsg(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bsg/2:0:0:0\x00', 0x2000, 0x0) ioctl$AUTOFS_IOC_READY(r1, 0x9360, 0x76) setsockopt$pppl2tp_PPPOL2TP_SO_RECVSEQ(r0, 0x111, 0x2, 0x0, 0x4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f0000000240)={0x6, 0xa, &(0x7f00000001c0)={0xfffffffffffffff7, 0x4, 0x7, 0x1, &(0x7f0000000100)=[0x4], 0xd8d, 0x40, 0x42, &(0x7f0000000140)="397015495b433e062b4ef549b056c6053006148248bee934bd6a208a2a61c79f4a49357e536538e086957c377ed1f5a646b74017e305842144812e9bba2901bf4411", 0x9, 0x1}, &(0x7f0000000200), 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f00000003c0)={0x6, 0xa, &(0x7f0000000340)={0x3, 0x72, 0x23, 0x8, &(0x7f0000000280)=[0x107c, 0x10001, 0x7, 0x5e, 0x50, 0x5, 0x4, 0x1], 0x80000000, 0x4000000, 0x7b, &(0x7f00000002c0)="318d74c326f1d0a1ddbde1b51264ef98bfda4fb69c29e7e26f55d00aa6bd2497e23c8495bbc94403a7cba75120bcaa832dd53aee8ea1a66a79dbbaf3f0e23210a900059df2ddaca7125bd90eb91fa2c9c8109eb62552e90a219ef966dcaa594c33a1e623bc0d18fe1db97c9eb7beab52ef03c21bf7e61449526687", 0x10, 0x80000000}, &(0x7f0000000380)={0x0}, 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_PVRTL_TLWRITEDATA(r0, 0xc0206440, &(0x7f0000000500)={0xf, 0x7, &(0x7f0000000480)={r2, 0x77, &(0x7f0000000400)="8e468e19aab047d4e00e0ed7fae1830e8eaa0f74bf5f1a071c66a6cd46197d7c22aa47147d723bee80238fd9e275b5c9ac9c8979f6fcbd068acc9469f561db806a720d53b1dc48320b365bad54f04e1acd0ad40862618d0e8953cd0202169e1549392bb2edd07d80fd37fce2f6f848013f383853951906"}, &(0x7f00000004c0), 0x14, 0x4}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@data_frame={@msdu=@type00={{0x0, 0x2, 0x7, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1}, {0x3}, @device_a, @device_b, @from_mac=@broadcast, {0x9, 0x3}, "", @void, @value=@ver_80211n={0x0, 0x7ffe, 0x0, 0x3, 0x0, 0x3, 0x1, 0x0, 0x0, 0x1}}, @a_msdu=[{@device_b, @device_b, 0x70, "387497a69841a2e528b4f29912f3dd10b50ba5a1e170cc5b6d1c7a78f57a5e0fcc9b2e9a5e87d25516580ea1f223f1317f86ecc39117cf0e535c2e2befcf11ff81999d1b87d9b198c803d72ad724e94c783ccac7763ad34e6f7491b3637ce2f46677a7612873ed0a3fb64c0b3d78503b"}]}, 0x9c) syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000140)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000180)='bpf_lsm_path_link\x00') r3 = syz_clone(0x40000000, &(0x7f00000001c0)="4998de6d85ea9e09841517b61ce22a88", 0x10, &(0x7f0000000200), &(0x7f0000000240), &(0x7f0000000280)="b9662d100f99f4e91d1de2c980ce459994b046bfe06b9a28c60dea9680ab4bcc3f5d3397a5a251d7ba7693b7eb37177d030a2b3fce8a232e5b03f10a948052ee907fb32f575b2310fae99107f95ccab714722f59ecdb") r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000540)='./cgroup.net/syz1\x00', 0x200002, 0x0) r5 = syz_clone3(&(0x7f0000000580)={0x200, &(0x7f0000000300), &(0x7f0000000340)=0x0, &(0x7f0000000380)=0x0, {0x22}, &(0x7f00000003c0)=""/179, 0xb3, &(0x7f0000000480)=""/66, &(0x7f0000000500)=[r3], 0x1, {r4}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000600)='./file0\x00') syz_emit_ethernet(0x56, &(0x7f0000000640)={@broadcast, @remote, @void, {@canfd={0xd, {{0x0, 0x0, 0x1, 0x1}, 0x13, 0x0, 0x0, 0x0, "52ba74a68ef063725a233b9509b8fd57d58ee264c37d44cd7c1e1075f83d41720f374e7e3c9c01b86bfdba9077a2c5bd2b73eb43874764a25316bd3b28368a77"}}}}, &(0x7f00000006c0)={0x1, 0x1, [0x193, 0x6b4, 0xfe9, 0x1fd]}) syz_emit_vhci(&(0x7f0000000700)=@HCI_EVENT_PKT={0x4, @extended_inquiry_info={{0x2f, 0x4f7}, {0x5, [{@none, 0x0, 0x6, "d24446", 0x8, 0x5, "43ca60b9ed4eb6934c4457f2bc5aa0ae593beeed8a789aefcfb8ec83ec7529d54cba5b40db8e0bbc549bf2daad5883da0869b376fdc0e0cc708e0215c9ba10d54ce801346c9731123e8edc523098a8c4c4e09c8ca5afaa510b825705bfcb534ccb8161511b23c1ef7eac6690ff08a8b48fec50ca28d759369c7000689e8e5efa7d691c1c67b2d98dc9bce7fe04657d156d148fa4c0e8ed5df1b820ab6fbd4c2f10f692da5df9e9e9e7463f732b908fe70608b36c8d33664739b2fbd81806cff9b2a19fddeca0685d84a3b4fb6e4b2da14198bdccf86f6daabd361fe7a259ac83c1e9a1ae73429f5bd2465cab2487bdd0"}, {@none, 0x9, 0x6, "7aa2fc", 0x2, 0x5a, "052195f68d623e277339549cd0596ea8d93dcb3704365a1fe131001ddfc78677d59246b7163b2a857523bc03137c5e74d51f91c59eea5ec1c9003d000733a466a074866803d3394bea9a3b3d7e5d67755ff3abb6cf741dde943f2a053ad9b328d0c53cded27abd1cd237341fd89842736abc794f81576ed5b95189dd4794b90dfe6748ae5c405e0827a8439ca368fbd6ea5a49d147e5364c2ffe32013afa0b7b4017951cc96a1d5aab926c9a85ac3529020fc62b2b8faa56f674682b27d994bcb4746d7aa06ef430a6140eec740627569287c2abf99514a28751d16d3b7aec64c16a217bfe2b13bdaa911d976f481516"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x3, 0x5, "24b80f", 0x7, 0x7, "b3ada341371175469ded69ecf799e4a1194f89133c06019703d569cd1c29c53a302e49b159a78f22df58260ea65730f1d60ce2bffb5bb00da408a73ba94586b850c8bdc188017de780947019c1160e4de6a4bcff9679840ee2f1bec62851a512f73912564c278f8bcf11b2459af745c4e302f7542fb586c218df5d5d741dd3b331b090adf53a39e6d179f698937eaf1f296ed38be5f78009b5593fbad7ce8de3177e1b85401c9b10180116ab3dd2b79fb27cf6b781b02c10d92b9077231baff2d796bdd6a60934decbd4730b8cd3a7f5d73b9d56fd8fe4428a8ee6e9aab0f07a170ed8880da6937863d6e273a5a50847"}, {@none, 0x2, 0xc, "ea7fc4", 0x8df0, 0x6, "717a9cb0a4bb327cbcd40c45a41da58abafefc56db61d4de5f808e54dafa830d32821b9b3d09636dfb4f09884853b276996613006c4936095b667d41cadb7d45b307e434c15619b8d90319f2ffe145511dffdbe0c87aa2eea977359cba985c28336398cb6fe4939f4c70271bb9890a63ce61b91d2ff386c94b83c3fee9a43bb705eadc97907676652fe06cf8872966ee9d8cb21f242185448f0c688a9d0b6bb5923c37587850bae8b0438915fa4b062009eacb71d33909586de59d758a635e4e18f5c5fd4e4cd08134cf4af6e71c783cbc71ea85fbc2e67d8499622ac2460d44822b33339f122efe0f0b0c76b56c3473"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x10, 0x6, "c5ecb3", 0x7, 0x5, "230276296df7a839cdb0c698a3b6cebba6e7f8f843267597af962842e4a5f003617064f27e1db99a03c126776b86d3b4b4ba41356c681f7ba54c248e2ae9f43ef5aa08f30721c5fbb3d7a0fb95da303be2e2607d775877945e61f5c98b72e4bd3f5b92c3ebc55a167e4bab5f16468e5d14ce3c988f71872d0985a2f50374c672de1477f60bd549a28206d4100aab9c222ba3330476025534ba2faf03a5c7e8885fe8041fcc9bf6de815abf2e09175e1981f89551e9b5cb59bb493e950edfc5ea0036351e4978cd63c8a50646e7104756e20605773fbd3e7131b7a55d8b60086b4fceb02b3015ba49de2d541fb06a9d27"}]}}}, 0x4fa) syz_extract_tcp_res(&(0x7f0000000c00), 0x1, 0x5) msgctl$auto_MSG_STAT(0xab1, 0xb, &(0x7f0000002fc0)={{0x8001, 0xee00, 0xee00, 0xdaf9, 0xd56, 0x6, 0x7}, &(0x7f0000002f40)=0x6, &(0x7f0000002f80)=0x8, 0x9, 0x3, 0x6, 0x7, 0x101, 0x9, 0x3, 0x7, @inferred=r6, @raw}) stat$auto(&(0x7f0000003040)='./file0\x00', &(0x7f0000003080)={0xfffffffffffffffb, 0x2, 0x1, 0x7, 0xee01, 0xffffffffffffffff, 0x0, 0x74ff, 0x4, 0x9, 0x5, 0xc50, 0x3, 0xd, 0x5, 0x1650, 0x4}) fstat(r4, &(0x7f00000031c0)={0x0, 0x0, 0x0, 0x0, 0x0}) shmctl$auto_IPC_STAT(0x81, 0x2, &(0x7f0000003500)={{0x6, 0xee01, 0xffffffffffffffff, 0xe, 0x101, 0xf1, 0x40}, 0x287c, 0x6a1a, 0x2, 0x9, @inferred=r3, @inferred=r6, 0x0, 0x0, &(0x7f00000033c0)="056976a58633696b63367a4cb488b16ce85e89943e5f0928ec40d6d893807fa6c44c5d38daab118433a7e8f1c46e1f060f28165f41adb8e679cd9e46ac384774e56bca1880a690fc3f8ed5f124dd98467a33bb40cf191cfbb9590f59179bb611cce789225922a0ef4f2286f87f847214fe25618b989a0501e7eca7170a3913bc68b4539966e289ff94ac31e8823668bd0499d09b055c41410ba2f2101abaf7155399f97ee924e9277e6f54819f12fef3c5769378b344b6ff6409edc578c6c93accb0f08a5d8ffcab30cdbd713d1b93ee7b8eefdf77ea", &(0x7f00000034c0)="020c5a2af3"}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000004640)={{0x35cdee94, 0x0, 0xffffffffffffffff, 0x3, 0x6, 0x2, 0x80}, 0x3, 0x8, 0x7ff, 0x1, @inferred=r7, @inferred=r5, 0x9, 0x0, &(0x7f0000003580)="cd052c206f368b4a7d16e28cd36b1ea6d10dab7017b7d085ea27b3e3389d760d2277e20febc686f359d6083a629e7981089e0419c7b562dbbdc2e67c1e95104a390549c9371a4345f2aa7d8458094c6075b84d11486d27bf68233bb457eb106bab49a3fad299b590025e4fb5e43c712ad891f39138bdb922ea9d21b7cfc7c343f9a21496c66922cab8e66535337a89a717c354bf1846b506c234a3093d728c6baf272a6fa5153dc039f87e0a36744e1f80f2aac030e2f8ae6a7dbcd3f17bc68ad0b61ce31212c46edd615d571b338e22c0ed5d26f7bb2f365ecb2c432647a7c6d775b0e41db928f9e7b2af72d690acf8b2ad8c2e000505b6952c4ab9e2a8ecd07de44b2b48af7b894696ae567b6dd0a1f99b007a8fcf41db20827f58325a9e8812354425bdcc3f81f2d3863d7777fd80360eb8b9e77e47059a1d2265733c4a8a063b45ed0b8c2481e1cdeafddc5f42c931b3d3e710e4538bbad815479cd9afdc5cb44723026c4bc006e256f6f427042c6765a3b253e9356ca1ce45d9d83d5e111928b47a8ab8422b37e8c382436862c944e08ebbadd1a33686219ab8cf995c12a7ab7085a79a7d1ec3c6cd73a443cfceacbaca1d7fc0cf34d58c9277881f983746ff62fe41d0f4f7a12ff44f4ba5bf7d8935bf09a88ad98ea8a9124de178c28acdf1ba1a9734d6c225da591c229d313fcbda810b0f1057b0730a9572a807758defb579db3ad021ac316fb744a1582c16256ea1c6bfa26c73af1e2b6c4b8e7ef329e7cad7db91799dc044aecce5f06e803a4d85bcf5f45dc015d13e3f2c1892099ee653777ca5f6c92e41f4e30ba30f832703df08a416752b831b46c56563820fce5ed3421e9b2ed0a19c64e9b2bb8081ea08255fdad2f235e7bac68f946b3427a44a758e78dadd8e42a909a77851bf66b01e427c2fed94ffee1d65e21753b39bce8daac6d6f11696e003a5f3c21bf9d1cbf4bdb8f3cf5ae542fe7b255fb5ae7b184fb59db73550d293254277b4f94a71c93a909bbbfaf3df95c3e7c4170fe8b91f9ecb8673cb5492750edf45c76a20d94e21b0d3614d3a99f7c9e3978faf09e067f64926204cd090a9f115cbe7f727f5809976aabd337e8b2aee42a9bf68e2fccd4152b3d9831149d40c75469fd9b03fe1860dc1920ac7d869ed88d4148cb746f5eb32a2761eed4473c54315d0d91044b62a14537c825c8cf578fbd68cf8748d67722e27b81f9fbcc13271c23335057cabced862125f764f5321f59643514392b72e2de32b1a54e4096ef73d0692ec6a365c035d0cbfdf77ac650e7de4c3dcc5a2f60c4e08536e75ccd81a41425a1de44ea275baaa2a7cd16ef64b41cc71f856861217bf243e8f61c899f56f4c64e116e0bb020986eca1f2a0d8fe1ab5130b639a7db41b54fd262ac858452a2c79d82d99ae5979571701dbb30fc7aedf237dc785bea7576ede6cfe60c53d88db5e7db59b3214c8e7f081a61d3b699eeb802e6ef4e298b87ab22a20bb1f3e8e4f7fe56c318d4bfa3eb312b9f3e75957bf62647e309ca0a5f669cdedb2c309aa7245cc832077f641b2cece614f0938ec1d456600fa30064f249e2f8efbacbd9d2eb90e99fc0938edca24924edaed9fbc50b1292e6475a5b4f38bfd379401eeda87b2d17de03ceb23d788db69b548ae2456989b8a5189d3800203890eb9a0491a20f44603c881ffb0647e7ff291139e80a5c46aeb4322e59356d9fb1e6dd3dffefd4df3e35eac72f2921774771b8e288adb818c8560554a7ae3647ae49baa80776b747abc82dcf9e408e8fd14472d3a5d7ee014a7ba4374306a6eade2df580389cad9f548bc42769b27c8c4aefddbea9c3d89d9960551cfcbfe37c214cb5fb31d9835f1f8a8857e53b36e91bfe3a2e3559d3838050afd13bfc6924587c8d22c21c2df3cb2a0e06f01f23103c4b6955a985a7b26347a6a9d178e835e775365d41fe3443ae79970dac382a32a597c3d567d0511b5dcdb4ebd1271db6e675a4f343f9501f10ab4723738bebb6366241cd602673ff9c76912de6141c5cd4f2ef95e7efd66dd51b565dd50035f8f7e86b576d5129481ae75f7a9b7cf033a402502d5d1b5aa4115ba1b84f7f2cc284e3f636a234f40e0aa118c8f9d0ce6fb7ee613cc2f1cc7ecc2e264b2573ac3dc264aaa27643a483a1cb38e2b0237775ecaed626f7cb89bc563492ffe1e5ae6401cd82a9ad0fbc32f7b5bd3029bdab72a8d47f34b37011e9fba52075a56b89f2963edca796930a4998c755da0d251da985a1829cd10ce7665d2b364776bd6c76ef9978f800b453fa7c2704838dde05f2f6489f31e35f6d731c2678f3285070f297cb3bc03c0a012b22fca31295576acc3e679bbcba5fceb7ee7692749fcc58495614eb4a7f3a1fa7f21a655172da28ca916292dc7484834c31a3e5f54912f10271d5867e57bc46466d781bbb502ef32ed8b2b4452a58e212e7db8aee573dc6252142ec5bf2683ded9a58b60cf7883ef04bd502e3df2d621bec0e7fcaf6726e84fb1c6953722c7b8523d4cb6e4b55bc3d196c793c44858814b029eb23e8f80b66aefdd8be21541228608852fc354f75605aeefb828971defa68e28cdc694b24f2f461c707d27b98da4000f9c823ebb3384c50d6e41e5ddaa601b696f41a9ba4feee08852874bf0e31d20152895e1da84a94d529a194be53a886304e7e360a6a40d2d4074905bbfd06e3713375b31bcca23f4db67da9bf6920a5bb44885dcc3086ca7895c1069dd35f189e57ce60f8e0b0b5d337bd669d3deac1f0115570a5fa6505fac83c621c46f693d84dc77e2148e887a822d86c8c0ff4c00485c7f37a5198c69c881c158b744fd09cc76c0574f4acaad646204552774e98e17c3998e34e75628da2630a531cfe927d3c55ef02df3377eab25143589a50a07a32906e714ea42584b3d69d7ddda2fc0fa486a0e93baf78ff1b35d98c0823841230a26b52120a445115adb78d8fd99b71ab86bd27aaecd1659e89f99efa54f8764c2f4bc01975ace6f35d27c2d18c713a9947179211819dc42f7cf3fe6b546674f1446f0c81aa08277ec6b140e14b6e4360782bd17d03255208cac917a5f8ac03e6e8d13d0e62d11bf55d00b3f8f1e80b8551bd7b65b6284d1566cdfdf4307a5ee5ce8bdd6fd04a3edb4871ba97aa01d673af337698f0ada53cab9bdf9f631d0ccb7617ff13e0a3b3785ed26db722e163271b1f5e4690005249427bd44362c6631157286dbe4ac19620b55a64fa6958fe32ff13b1addfd7f56a16f79daf4e9278727578d0154118fe591a0d89af07d8bc3582cf51a01766d9c9ee3f8f80b58e86fdfbb4770e6cf2554b0d9e0769928c4a2f383aaa525ddf4734f4cb19996be80b4c91f91bbca6094ab910b665241e29b3d48784f80d32d2161347d2bfd791a66c6e824f2308b07f767250d11626dbdcc9613683e46cdc9903aa0848803b4a3dfb1fc9b350d47164ec59db3651e1f5f9a5cc1ad484654ac3a7f013badb6a0ab87effaffd526a53bead659a15dc2fd631dcd843ec341804a563d06ff6c5631dda5044b9a99dc77bc4a4fe326798d672d450727e81e491533e6a21121e3b8e5cde35fb84e74fe5011896235fe05f335bf12e317240191e742df9438752984fbc697a53b3950e26b3da9031dc234e843326d04fe096b1c89ce93bc6c5a60d7e6f0c5e8438fd10fa66b3eef5df79a3df515245e2f370b913b9333875906015460283f873b82b791fb4db71aa4f57d8182bd914613ba4d85f2490bb9bfc6940c5c4986c544308c3ac22b795fcb0b5a062d3a15ae30f6b7ac271bf9aac4bdcd949aaee1d7bdc8895eea12daea16185d869d6cbd971ccf16e4da5d70376437a20b6ea6c35c507eaee0a0221c70527d69c57eb3551c617320ed3f817ee2a69988120964b331137406dde202c243a91a0d810d1613ac8709b26a0eccddd7fc75a0d818276cb4953bb8057626f23b721d6073d76586397a8f05d060d4e2dfcf14de48fadaae6ecbd5fbfe958a2f931c531ea325182ed29872a3dfec469074bcdabb2a1a13fe24667efaaa26c50519aa9335d306fd23379939743a10ac90d3171b3bd06a5b463ad1b612ef3d54f53fddff55a8eaef0b6f78779d948f7aa4598a1dcf726aaa45b99da0bca196812f9c5998608489e80ddef13a4b8eb030c71742c304665e15a9f56a77679e7c4d70aa84a53466bc5f50d55a676eae3cdf862936c8b2f3451e2187b7ae8ae1446e090142cb89e4ee09e40cd4a0fe820ec28450ed7e7ae2e0e47a3d4054a4acf536e9a3efb8fbf5d0d6fbc69a51bad4a6723d62c8311ec224ecc71048bc16f9805d917a8a6294c038b2842d61de810db1b1a6f37720d3011f5e55803850b6aa0c4bab3c812cd7dbab18a732ac8e167c49ecc8359388a95080cb1d796c324f1a9c3795749a36682357601b260d85c710dd0c67173a8e4c1aa1e95ddb860e37c44c990ec5d11c0e71907c3e5e5fd247fa321de92db50684506e829447a8c85909d2397ec11bbe0613a4d8af44c209bc4570293e9cf7ba6f47754fd0506ec34af2f9ef20250edc01f97b8374d82c7509a231b0d5c9b085f9948efce68c5712f96afcf4f92a1eb34934b1d664344104337c2b5028c8c7d6d7e62e74cf283d61dac1ad8721505c4884a81cf692aa33f801cbc7eee1ae61bd4c96a4b1adb88f24b0a5e7815c537b25b8bc2ee283e4e05fa0f157f194f5b22d6d0267fb0fd5ab10be2230cd21f870e0e651b5747bb7f4593ef52c8a2e51d5093ee1405e49bba6b36cf97f0b2f7150a10ab7669478a4831f9c5ee6790e91e93b0e814bc314b062c68a3d36cf48da349b0223802722d76b8bde97982f78dddab064084b3eea0a335bd0dd8461b10581d4a9aa699d542dba4ca8464f62ad3b9cd7e82026a3fd15c2bdb3e30a7643e82f2c8e764498866989e2fe5a9e89c237404aad6b55c2be458e3f6547f727f0b2c9052de4839a6b5f03f5a788e5a14d8448ee25b3dff69002d5fda5cafe5bed8260285b61ce3c53c16288ef8af1759f631360aee3bdc5ebfc229b967d1937996553952409f5f5860820fdd2ed846dab931b2d19fdda50693a926a41e56060f2d6c13c125c0c4b08e475a992cce4b51e0f76ebc3c7362fb1bb0b9805332c162e1e09d1ff0eb73b24e40d6188136bbc6ef8a36f632ea32ea4c06199181dbb78f399f47dfb4633d0f0768ee3d33befdcc3c0fa089c2182d6a85b272135eae3436bfa09b18b1021f37097994ad71ac94c97448e2b252a758616c15f0966447de5d6487105fa408042c90a9a89ce90f0728d7d767c472f60a1740c77c0a64af3ad4f94544ebb3de794201d17d6399765e055a5b94d569c6618e114275cfe79c2636369424e01ca8b8e3a530b924316f43df7e43cd070d1b09e8cc184ac7ae979119aae40155a2a67329e18722c3dc72dee0049eb4c29b306dc81de1a1967cfe17e97ca476562cad43e84ab3ec6e76d358829baad982241d0db7445454f6a405405057b57fb93dfbdc8dae5b30c64cd220dc48fdb5667a3c065f4b308bd076f95c810e91d5b2b921126128520028a700e506da6c7617f624242a59b874d06040911d534a0e15a5195fd8d9cb465176275119540034892cc6e6aaf174b06435625f9bde8e699e28cbeed2b9ae0fc684cbd8c77bf838086450395f22cd025c70460394cc219789fc7568379df9856583f796c8a2944b857077bd29f5478e8b3bdf916e6d67963f8c039ba469b60d0a24edb6f9e00402b6f286d88a4fc10bf764d8c37252710cb47b5693708", &(0x7f0000004580)="820718733b49daf8ed80b0ed25772d57d77435ef1da1ca4f1930ad4e713b84d4c1a24c712f02e0b86d1842c164415aa9e490e6c8230a89e309faf07d239dd7cd35da5cb5f36919db06df51a5a9c5fc8049897d04bb731725ff5f5d98476e15b1dbab8cdc405c2c17365805e27a61a5f061e7ead100272fe2d9bd8cae4a261b451919ebb927204c1f63a8908147b99835ba994378a32f9f1103574a08934fbc79d31aaf13"}) r14 = geteuid() fstat(r4, &(0x7f00000046c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000004740)={0x600b, 0xf, {r3}, {0xee00}, 0x6, 0x3}) shmctl$auto(0x0, 0xb, &(0x7f00000048c0)={{0x1, 0x0, 0xee01, 0x3, 0x6, 0x10, 0x1}, 0xfffffffb, 0xffffffffffffffa8, 0x800100000, 0x0, @raw=0x6, @inferred=r5, 0x40, 0x0, &(0x7f0000004780)="1f8aa38b61938fb7299a96aee61f6cfc70190f9df301d40ccf557795fc00d7759efa4ad1661cbb0d54c310aabcc29285c2ce84fcbe97407d849edec2f598b205fa5ea2460d0f615ad87e7e2605e8101f58adb62e178c78c454580a55d63f5e1d11f932250d1fefd45195451588bf530d73d83076a93a289b613bc68b49905423d7d5ace8016292e80377fed1b58877d9c4d04ea05ba8", &(0x7f0000004840)="b7376d34b8a4cc32667d885991bbbc6828d08bd669e6af09fe1e55bb32d885d217afb95645976390dd7308c504c5d39953a783b065bd4f0a72bfaa176a0d2acee5c8e41ff9b692a41d010c7b3459f84c721cdc4c7dad40cdb171ae49a556c98b5eda14db8d4cdcc0b47fa75bc9faa171e68b700c4960222516f6d5"}) shmctl$auto_IPC_RMID(0xfff, 0x0, &(0x7f0000004a80)={{0x8, 0x0, 0xee00, 0x5c6, 0x1000, 0x2}, 0x326, 0x3, 0x3, 0x7, @raw=0x1, @inferred=r5, 0x300, 0x0, &(0x7f0000004940)="8d80000898d81f2a2a537fc21c52023bc6ee66954a12a93f2418cd8b0b69067e3ffbce8f5d7431e001ed255fb5ed784374aad30a67500f8f6c042bf9e6670660d425f7611c7ecdfc450c05ef9c0a65c62dc2215fec7c02b712de12f5053e2c3f60d780fafc4d1ac221ca0907542932889c", &(0x7f00000049c0)="9ccfda869deb661f5fc9ba8f62d29a4ea3be9286f77ef11178f96e25e8bd888ecc08d452e94731dc6e97d39ab9814eec357acbb7ad4232899315b74df9b4df71302a482e3c52fc988162d57139e691028753aa86b20cbc060ceaf9de31cfbdfadb2802232870090286f90b426c18866fb62bb4662ac9cf938b12c2b380a1324d8313575eadbcec1a33832733dc87a6f8ef25230fc815e2b6756e60144a41195769ee48e21d497f0eb19aa12419eb8045ac2cada387"}) lstat(&(0x7f0000004b00)='./file1\x00', &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r22 = getuid() r23 = getuid() stat$auto(&(0x7f0000004bc0)='./file0\x00', &(0x7f0000004c00)={0x2, 0x3, 0x5, 0x6, 0xee01, 0xee01, 0x0, 0x0, 0x1, 0x5f2b, 0xffff, 0x2, 0x8, 0x80000001, 0x5, 0xcc8, 0x6}) shmctl$auto_SHM_LOCK(0x6, 0xb, &(0x7f0000004dc0)={{0x2, 0xee00, 0xee00, 0x401, 0x9, 0x6, 0x8}, 0x0, 0x8, 0x101, 0x4, @raw=0xffffff46, @raw=0x8, 0x2, 0x0, &(0x7f0000004cc0)="00b8fcb8c51e1af15f5b1d2c15821bb8f4e846f20d662dad19a0e59429994859bb1d0b6c63ef694416acb494494c6618f98573d370cc435065ec4da9efd3f67626f44c18b96b", &(0x7f0000004d40)="23c6651878ddaa085ae0bdfb7ccbb08b71af34f9f1565e8ac77c5293baddfe69ea20aced26de58664b32ebf6f734d3f7f692065fe4f99ea283362b12f96cb972632e80273d014687"}) msgctl$auto_IPC_SET(0x1, 0x1, &(0x7f0000004ec0)={{0x0, 0xee00, 0x0, 0x19, 0x6, 0x7, 0x53}, &(0x7f0000004e40)=0x3, &(0x7f0000004e80)=0x5, 0x45, 0x38, 0x0, 0xffffffff80000000, 0x4, 0x42, 0x7, 0x2825, @raw=0xa21, @raw=0x1}) shmctl$auto_SHM_STAT_ANY(0x80, 0xf, &(0x7f0000005680)={{0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8, 0x6, 0xa87, 0x6}, 0x5, 0x7, 0x6, 0x1, @inferred=r6, @raw=0x5, 0x4, 0x0, &(0x7f0000005480)="feedc6aeab06ac00e00a4726dffa893698621bfa7d41a1acc3b82488d27e0ad499d0f4717604496303a3c32eeeb44df079182f9c1f77ba86b5d75d3cfc32f45062e93e184cec890244b195f2cd11bb0a90f2a2d8f67cc5c0be21ff7a4f4d4a43b7fb2ba733040d26fae0fb332ccc405709c4b602936c96942a8eb5ae327c87db6f2f6f610f803cc6d8d2099ec2a87419cd0c206b74ac2497ac1f8b637cffd4427dae82e77beaf37ce6f5d2bddeb31944c36a67ec4346592b8b0a7f4f28c952c8f6bcbe0a5ec35aae354c1f9e66bfab1fa0f8fbe02e56af6ecce525617800b42e8cb5831e20ae90e73bdd29da4c8b8d1d00ad8e8e8d8f", &(0x7f0000005580)="48fe27d996540af39ee63ed5b8cfd8523c9eeea2a9f619601421c6140e3a984abc8a5f421ac2621ad09dcfe4b7038983e0e88240cf3dd61196976f836b58bc78e8d080446c8c46fa4d9a6b522942ef8d58f89f4010f6b62b5aff902753b62fb29fb8a8a3a475f3e0e445bc8a4fe018fb6a5e3c2d534aabd3b0915d7b065781ca8cdb3eb734016390638cde9640375b4dfc90c211603b5ea2bd44295750415067bc3f147a66d77dcfbf658480369e1d1f193dad08c00f36c99af5c1b52ff0a1f2e893841f1a2de097fb0e001abdb956f682de1ecfc1801ec9436f864d3abe6e7f9e332a32e9e5445d85ed613ba1d59a8ae483ad90"}) shmctl$auto_SHM_STAT_ANY(0x7ff, 0xf, &(0x7f0000005980)={{0x0, 0xee01, 0xee01, 0x80000001, 0xa, 0x9, 0x50f4}, 0x8, 0x8, 0x4, 0x7, @inferred=r6, @raw=0x8, 0x3, 0x0, &(0x7f0000005800)="db4118b7fc550b52eec4c59cf4b93c169cd2e4c6b1eb5a84e95bb2109386544d8185388c504c495c8ef8b3d196ce76844652a8d2eddb5eff1169a558d6e7c56d46aa70e6298fbfaf95fa39d53985944c382b26cb4ee51e021bebc6e6e80388", &(0x7f0000005880)="11d01feaa20648967b16d3e6cb0d4989e61fca36740792d8808f572be0b70dd4faaa5ece7385998367d7daf2350e52a74dde027c397711a18faa7b877c14e92f48636c7b021b50828c936f30bdec29c674139d1d64369d02d6df35bd75c54a729a1c28f94a00497c2912e4f73e55746dc437cfb64d826fb5dc13286f2d3dc8a354ee9576b8b37c407814e55241fd871608c599ddb5f980e7c01c23b02b738ce34dc1f4d5577f02c5537eec8d5c15f8c93a7d450b4701de03802241a34c3a07a378119cfbb34eebe8753a4851cae1a14a124749ed8caaec19d2220b21d71edd4085672238c4582dbe77ee258f7504e586845878a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f0000005a80)={{0x1d, 0xee00, 0xee01, 0x9, 0x7, 0x100, 0x1000}, 0x4, 0x400, 0x3, 0x9, @raw=0x9, @raw, 0x4c17, 0x0, &(0x7f0000005a00), &(0x7f0000005a40)="20fca2d9a84b149b22cc118629f244c8f9909cbe317ad4693e5c7ddacf6ff08ff96441b29c38fb9a6161aac42a96f4e5b9a9ed648ca3d600f7631486"}) syz_fuse_handle_req(0xffffffffffffffff, &(0x7f0000000c40)="555b078cdcafe3df82ab074500b854e053e9be2bdea67c3fdc61395f5bcf269a1a3db8dd7f3db0cbe3e9ee7f3fd773e57fb4f6aba53b0282ae6ab4f9b9d69d362ebd6f9917ffa585a5e2b1dd85afdc2e0b9fd07d2bb693d6871743b73eddf8e6cc6e58e502fb0d8d80fb48be00be3acfe35fd1fe21f97c598eca5e0546f3f6eec8f7e403e8a80b58fb34342e2fcf0eef3ba1644b262d0a877deba64622aeee38f1ef528cd836085fb4f8437ca36c3cc211980a6523fc6bd07c49747f5f9d6d79ca435f84f59af8bc5d7a76ad9a4d29e4c5eaf20cf5e373c2677a048b4a064b25c80e3c225aefc79861e39f8898dc749ed0432a3474299b350ffb0c53cf96ca64a127308b7a77f80ec1ad1ca74fc58f71803c787fc89820ce647e6eedc38451b70b1530cc7060d1b0727b74685e6adb3310cfa9ed5165e3d3e74a38a7b5f2502461b93d633693f3c9259d2fa0ad389f2496c5c2e3df9f85c1a8a858db4b7c5815fcbb656821e1844e7d6e0f3cfb64528f9662979ac9a8ec10eef0603b3d1d78d5d2a485486aa8cc310e490b9471ae127194151b732ed19d494ea63d2836519409a213425fe1005e46695f4b24be7b25829653e41c174b1bc69f108a076769c652405d436a7c698ac8e54a850c0ed0249a8250e5548869616b9a72f26cb97096cc66cbbf0317a17f96ee0bae08024d5b80dff8be40c822d850f749e7bf5433d252202b03583d8b87b5b707905e3c8461241fea66c5995a3de30ef8e33bf0c792f23a2643be67d8e077b16a84e52d80c3c3e8c3ba8e58d0683d00412b9f98732524113d24c89ebb020ba631c1618c7c1dedf18ee59c677e585299fc6bc060d5c3f57f9d529f93c37e086db0ed5993a05dabffbae7430f9e2060b0b6ce6b0b21fe6dcc4f4016d87a74d0fadd6f9f12b102f78ac94f2b846c2a7b9bc243c56b0fe4412f03af3372d356432cff83c2d7127fa0a972906d1674d7e55dac178901b661f1f1ef39e71725d89bc1e7ce8ac6a238a9b2115c6563f9c219934350cbff04bfed916653cdfd93c25ca0cfa1223bc85fd26dcb17e5302128fd819451d0b7f0854c7032849777d1828d483bc58b2b91f6e4eb2a902655a95b03fe2c86f0fba9fd2c677f6e5b6092179a5e84a67d881aab57dd2c3239a1db9b47f2b5f6ceeb79a58cd125e6147d2068ca21a0cac47b0c12f6683b7198f139f11206b28490f756e0bf1522195f14608d19ffb6a3ba85f0474431f71d1a38b492e386db9eb0dde55769c02f8757a4e14e93dc241f2dd5e6550e3d753c917bbc4e5b1a3385259163d664b0c72d85bf78354f18cb63f1fe0a337a07f2e78fd3f894ffeb85dace3f30277b5c0fdbb24f9bc354546de812ed5445f854888a038f0436c78b21230ca73e770b4d375ac60d302ad1629ed8c17a12765302add9819e9bdd1002ddf7d773d0d201e6af2bf8e58f68915dcdb80f4bdd731ca0544f9be29297219dd3422df4f2e436422f940d8fe072414e843894c01f43807c4dd4f7c5c1feb20d50f060ee1fe612229c2f49da21728952a0bef81b47fa85848f65ae3756706013095f1ff84e5e32216b94af2479eea8199710c015597b00a97be8b3ba52439b12e3f1948218e2816b75b684f3182b434e0ac0cb31a1a83f2c7bbddf280d1e4fd508c4b7a0fb0b664c613edb4c7ec7f48cdc9411a1af51c7f29564950417cacf4c848bc3c6c2ffb31759917a52510001afd9de6d6e9ddc26364353ea5070fc730b22d8f434ecc21247949f637d03d430a5fbc036bdaa3501d49d63df3238abc594a56443d05f53a557b1e04c54f5de091086a0cfe9f3707c74771d416cbd75c53e7456bac5adce640cd93c66c0ba2e59096c5e08cf2c9b96489e94f80652f905849e4f38997f0cd4e6cf1ad18a881e9e81ae732c284df254de3981606b021ef41da37176e9a0946ab80826dc7fb9e4b99bd9948bb0ee334a5db291ea58807cecd59f870c691385e27f18d74846d1eda220b9607aaf2e6fc0ae9eae57608e601df944d9ac45d62d796512903bff90d740ef9fcc40c3b3f273a2bdfa30143e90cda7116d8c68826e67ea0cf578f59231ca85f03f11b40d0631ab3473ca2ee53587dd4d8abc53c6069d56bd9bf7cc9f04d8982a4faeda89fbff8884251a1fcc5fef642a205299930ee6c9022223576888c491f796624d04d95a983e40b344e8f4c98eeb55e0ff116fcc8b4f296ddc2f11c9322786440e0ba622ed96dccb6bf682b97a2c7806474738e9cea364a22830235ca35c60ca4b0fd30f81c051b96c6798217c7985e7fdfb4fd804093266f0d3947bc1d5b3bd535cbd34bf07a3096f16da818cde06887e94257579f2c020cbcac1cb700d34472bac930130530f9d094483faf311194f9a9641925cdee88879d218b3beb83df4f33f5cb109cac0c7926ff1eb494ebfc58f22e513de376d1ea903e7aa65b8d182e5e38217e2d2c0b0cb392d44ad7684c229968e71a761b967e25a2883929e19bb5dfb053218139dc304eaeed9e15de1f0a9e6f04761c75f7299e6c0eccbf93cc101eb5b017c2d97273b2238d4481cbb5d244db8f1b329b8930545eaa4a36d59c37ddb37a610de3a79ddd8a31deb0b1bbb31d01eeeb78cf95acf3f2727b53b6236b07d490d86318297dad4f6b80107a031299fb52ac0610da5af4b71a8a71c486eda6e77c350224a9e246599d2f01790796a21c1c90dfb6e64c49d6fe4eeebe6d6b5192b6e130eeac673c4cf4669c046cec7388079d14b25992528e205a8663d429d8cea1fccdd3e538b97c635562f2e269588aa14b930a7408076298cc4deda70b3c26c42c67022c59e26f0bc4aecc43a956ac60230ba1b0681b8db4efd0ef133f099563d0f55b919f6437722c86b4a5f928a756b45a84f9c54dc2bdd79ae9da5a39b5993055bf774b129b468fd3885a5447052460d71a68cb96dedbdc4882e6f6a2b7f642627f3e7783accc8f22d29ac8a83788e64abd60619e2b13c483bb9f6442cd0a672dca719262f2e8b52d58efccabe63120fa955da00629888b0986aee3503f94d690115528ea414ff93fcfc487f4a3b0213798f27ce362eccfa775c9f841144ae5fe9c7d95b4657ea1067f12d1dee02f91178b113f7962073a3c98b91de9b47023a22059201bd495e7e2e4d3b3dec65ef29fe442e271f13870b0aed818352bc691b5d3917565bf8b66acb665805d937e6358791ed9060f261ca7e34f0e7286cf7563f57254a05b3ce5f175d8bca322cb31bf8de32eb0ef636da055f3e9eee3b7e36066fe10c45c7742c39732cc789af38cb737aa17898d31a20ceba6a89c7883519ce2171c6e7b19b34494a5806f99c26c5df8fd641a1be5e660ce887a78fb691a1016fdbf107bc92992a2b62dc3474316dd24f40ffe61bfa848f9790e725c0df3fa6d090fd3837e1a46bf58f3beef4ad7721951a977948b86cedc07a24b7f04be14df36dff71531ad715328d70a2fffb3b59439619826e0c26729da1aa66fb892b940f8be7ee4f227b43fbb43094c5086447c8b4dd7266f07bc79c28a9b4b0b511739d6894c0f2049f9b8357a2451bc96489c2fdb4c63fe6a151a11c7230474bf51f4d04b160a65c22104dfc2968a23e427bd97c4d2c0a5b359d59fb17b551f8905a4b6acab2444d66082cf5c64803f5afdd46f05735d18b5207a927ef34cc76a8ed3819c869541e06e50950d550c9b8f034d4a329a135afaa257d3bf25d36ac7c7ff9851ab9c386c9b16b7b111cfbfc39f19ec3b71ce4354036cfcffe36c87a8d6547006ab44f19320a35db003a6cce51e5338afdeaf6fb6ad3db60babb521ad56b080e5564413be596994afe9d4555f7b7530c4fb1ad9b55900c76ba404971d8e2726ac6480ec1e1b56f68600e790a32806f10ee8076ffbbe63130b72ae22f0a799a5658f272faed770f1c72e4b6c32fa19b6b9ec28cec7bfb3b0869e7f47bb32b631d440bb1504e927fbf0a752959c4a633459bd2d34926ada22b97716adc61470eda3a968b898982d896e77da47af7d489728ade3950575389af4883b21f53e9f49d4b4fec3c56b95fae00271b01fd3adac979baca1f9c3bd6f078424720f747591ea8dc7094c608b1476d1e1051a55bb1e59410ef9d8c29f00a6a4d9b3103a8d2aa087e91116fb3639758ad6f93ed0706bf993ece70e8ed75bea28970859c7256f972af862b45b42be15957e218fa65424aaf13c2a847ce1d40dab52ee757669245140c4346c581f2e9ab2e72b64428237250e14293517845568d20edb8b103106c4826621b6bb0756c1facd859509f9331d0a1aadee7adf134d463309811220e9bddf1dc6302ad89abab68e32fd5f7c27ca0b217d8c2ec342a2605fe54eed4321b34eaf54f8c2162d3bf5d7ace2429fbeb4ca187065026aa814a9833b6ee943d1d337de2d9ecdaab2cf4634c16a915e6a9648b368d8df8d6d2de477211214b3e8c291f16ed30ea38ff581b81899cd1c4a74bb338a6322003c9fcbf16a0acf0c67b97d85d55a6b81fb7536d434a0e499929e0da0ae31818da52cc252418802621cf28ee5cd555f13d4a0f6c4160b97016809ba75f3050c2ef1d3f90045e97f4ea5d03739a8c5ab3492f5dd5b167d8f5294961f942847d9550f11f73a8ff1b8b288d27a0fb759d86544691f9ee3f9ee48d0e573f21ccef4610302871c7aec559ade89511dd907580f8f0d119b8274f652f5e4c8a8d32f30f2443ebf4d9bc12486188c5af74f98d315495389f1030d45de4219caaeab035bd511afea18c8448bf8054debe9c747e60431d66015c62578a00dbdfc06a5dd527e31413e8df00420c332bb416db84200cb7e14708a137b75490d95ffd693c9bd215cf71c3f8e2d1aaabff3dd63cc2280ab6ea46a0390e7535635059d128b5a92f68673a058d963303e7e579cc16619d78c6db79e82621525aef9a8af30df9112ce2b68d568c39a8138ebe5d0c3c263802095c3c4fe2a9ba48d97f6df31126b64abdb37cf806b410aa9f32c8f20ab137e12da99f8f069607224ac1ccf610e3621245f7cf017f8bb1f5de00bedd6a66811b286a870a89c11308a35dfc58ba245e93c1d3a5ff010f8de2aa446a90d153b3e6f8d0725dab1ee435bab26a0842c572d388e2b62657c133e5ca2d47fec65561ab2a71c6d7fbdd24dbf050f6889d83227094178096996d856625ddcdbc236c0b5ed28e7cf718b4f80589d3deccee9e705436dde6455d8f0bea6fc4c3544df55dfda6d52deb921c0bcd96f8a0c5dd8ce9d38c00837a5628a3b25297cd3baa1490545b5ccb871c36ac1aac4c70b05aa459734aa523ecf9476d90e719baa1e03de3492c3bd10ee0290a6cbada7296b26f463bcb051b53f08e9a80c47157cb49b7ded5021121c04315fea9d4800dd2d623c91234f9cec3a787bc28f273b029cb66d5a05d5463116138fbc87579a71e0dbb29703867fa8b6921b6fe65a7d196e514d8a8c21ea85666da05b72c0b3dac144fe904d818431b5dc7a90cc3e252667de04bc61a19dca565f5a5c1f4216c69cbb59c71db52e28d85c137d2c48662d31813041b60653139bde9d2b5c472685bef177c2fa2bd8256b32afd598e4f8252c57cd0c4ea6f7df77631ecf00b0b6fae0582b3af17a577ba6fdadb8c2274b63c3a5cec2cf0f302dfdcaeb2a38e32573799803b73686f45ab885f43df4561624c347ab1115591aec423b09bfd69461723de7b10f9189dfec9f0b2d3b66cf8b1ae59db79fc2611a6556165c3fdd11e438081f2e7473d3c16ae567619e58e4e4d2433749b90eeaee1f4e5f9e2acc37c67bd22dd92b856ebabf04b094b8a87d386e44446bd32cd75b6dc352469907dd39ae2bd9c5f965c3f17af0b7785a5eaf4fe485d4c3116ae77a74ab165eaf4ce8fd8634adff390bee91b5b3017ea83c1b2ffd7d04dd0c4db625d6c4f99cadb2fc1df1df877a6c5ee056433494bcc7df92f0239afa2fe75ff141b2e74975fb80cf957c517375059a6a095d4b8a917b71d520a3603662dde20de7c739794b6ccdd18fd54c05ccc814471899c4d6214d8805bef7ba4a4de0e02e5675d5f8065ccb2242d51eba5cfe8ef3cd70b532f9a0bc22d9b64193c79b6ce468890e6fc7f69ae0cbd8e3a42ae06fda98bfc7e041716959e5aee95114643a308c433e40291c532fffea7c88de8e536119ada3c5289c9c57d1d47fa0626bef327fa8c1956760664f96a38538a818837e9c8a66acfa42e01d59fe39a9c7261a77dff5ac509205a25f7c7d56b275f65107c3a4fd26e8edc677eb9a4c9208051e521fb7c932bdf60fd69d10c92f9be092bd6eec68d05972f820058c531d12068e4975ccb0d4f03f88937dc178998a7d68d433079f51da4239a5f5fd4a563fe6a738245fbca5e6b0bd88abbd6eb9fd80931036b0234cf667a5340ec1667c5782de675ab47862018d94ae8b7de9320d381cb843b1a885ddaf31c3576f2cebb6ab9576c334d3d401fa61632dba1e6ccec915c4500f86ac289a1de6549f7ea276f9ff9008968ab31a7a648ecd6f36ed185afb3e9b34c9228e2d726944c33227a9e3d77e4d5be8bd850f310dda0fbc30aff3f5bf2f1ea3eed0ce2ff15a7c313cd87a79add3e290c2ecd764c455520d581e3af9ebe2c56d1deefafa8731bfb4906b74d13f2712048b41a5158cf3cdb815cd8d63c90124686dfb56734834e15534f2b8b7ee2b224eaf79515021de3156191677ca7fb47674292f4eded887f3a63baaf564e358ee2dfdf1273b373c3aab499f4bc548ede7512b5e22cbed7618b23bc64b46c8e6fba9bfeaa963b335de58d0d8b66324ba8f592529d12094d2266819296d395e7b3b0b2e715e7ed73fa8e2a1e151159ed41ecf754f73cf82168df0814aa0c6fd8b9988d208f66badbb90a54b7a9b311839cd6cbbf09280137677a984ddf87951a4713cdf7f494fb54e537d8f1628d794eef29ed26e31321ac41b9373dc1cd85e482d7e7bd56baefbda3e205c2d4855126dabd2e24446214a633eb311cc487b863f1115963a421afa61ae48832ebed5eaecdae72d27de0ce761736e1a71bccfd361c2c9dfce619609ebca1a0d4d8637546891df38f2597eaa1007db2d3f20ef9a6560c7163ed1ae4b55dea61c31fbfd2888460506dbb7af26c178cca34ead9de4f0b71a0f216df958fe4f385e2c5908a5a55fdc0322e2d9793f88fb6ad766ffe8e17b644964b2749e564abfe28692416c661a8ce570baf464d47a0f1288888949ee80b4a6260d0c6b4f7547fe01ddc10dadaed67f39be2a7a6f121cfcce49029bcca23f7e4985411b816fb9b6bceab0cd135cf71a7eb10c97146b3f342aabafaac9c2c690dcdfa46fc4d288623ce1d1385dded99715f351f39b58e0a7561ce85da8e85eed6ca8d4eeb9aa2bcb7cc77716caf84393b3acbb6fbd93d5e266f62d2346d5886c3c58ebd6f71da40e1e677beef215b19a9dfe52e0862d06f287c7240b470954cc00571dc40c2d6fe958291cd26fc28ea6013958d00b0a7f0191033b244a9cd146bbe14492e4799e9a20a2769f096915155594a63e3a53743b06e44723d7f40f45647314a7ba959201d2a1d6b45f65a49398338afc820c765ad7fb759a4a84088e0cabe2209f7fc39e5e5dc177213fbc12c8f1fa828401b10e394896a809576ec118ad715048c7f2f5a3317dbd2b25d7595f6a1a1331f978d313f6492bf81e7b7868ed984c40071d2085403a83b9894816149c61bafdb553c31303df5cd1e6a0e28d81a10d9430946b329725122b15a45f8ffccc5b66632ef9b3e6291b8807d7c2ecf361f9c33b22ec1b4e9b1c15d5b7f69d7e63afe29a91802af6c5b40c609197063cea2d2eb679244adcd981b719fb991231a18102bf4f3c31d3af4be37568b8e82c33ca8e438d9dc076fe17ff21b9f924c8d8a60652941046f085d861d338d376fbae91f85460c1b13e38bfc5b72cf19ed32d34bf85b2c132c23c4c25167be365368ee0cb3818a856d5140de04f9ae445abc2a3a96c23023bec32b22e3b3eed70c25af8c1bc5fdd6731fe4bf7d56a81a3f226a0e94422da5ca31a6f389f7f3c1bc3f8705de1dc0f656552af4684f3ec235d526cb64f19a5a91e8a29147e3f7e131107a13035b365a0d4018d0ba855da90b7fc001fa12d62a43522f1c45a93ede4c1084dbb1019ebd464b33c788f124683f99a8665026f5d87bae954eeec7684c631de38826afcde61fc3f2382e607a78a583075761f5ddf41233a727a15f75831e7206b3b2e8abc03a8ea7a3437091c55938bf16e5435f483fd9a34ed879df652009fcfc3ba60a287b2df77fe136dc6d1c9dc24beff56e888e5497fb91a733d58bca739521f7f1afa4f94ac1ea3bc8d2cce1689eb3a39b9bb81f96e9ac19646c58a4eb72d47f653b4a28b4c2b4340947226f0854c45f766c1ae65d630071acf04b899d1467b46057c335769c4dd23077fa6b08a7cd44cb3fadaffad334f030098158df1ec89dd77f36a95ab58c080f8601d939bb2e143ecae478c0ae46a797e88121844d81296d09421f25e27abb3e357fed43a4733e33dd21d90ab4af3f77b341c35ea8d7222f49dc24e92ee26f28b2127fccbfdd63e1fe24159010a23c885292b55c4b61a7a9066664555982e657744fe4286ce5a183ea22cc462721bf9e61fc78d5f2c814041331f09a01a958e2b64c5a0826a553a8b994d66dbe89faa6403bbe70adb3823a1b55276f089b4b3857f0a4db9e8915ba0fea98b8811775ca4b9508894dd78d80a20a9a9f89054babb1fae304509c1584d444a8aed1f5426c78010c8e8e9ad17b894fa5e3b8d6cf8a9a231fd5967094c78c7b88f8c7040b0984dfe878bb2958ca3991ed8effcce2348bc6ab9375e0f8c1954362cb3e697ae01cabb06655812ceab2eac9383e04efc1d60bec2f188faecf373ae812aeda6e7cfb7407f322c1333589334bcd7204ee02ad89678fc299717cc1317eb53112d95159c38d92d01a13beee3e3ce64a9500e694d253b7575d37d2ed5996809b02c1c4a485d4c0da6e845eca355593cf184627ddfba4df2519beed80c2c73f89c811a446d32fe22fd5733ac77c870f9c1e03734bc44316d1a390764c4ffd4f106811cf57c9f6578d8734d5f49d913cfbf2a83b2483541e6f9136d6bf7baee87702e4b1cbbaf7df3ff6a73eff013c289008d2af8816c3577e8409590adee6a174600aa5166596b4f68d61436b85c549e203ccded56548862c5fc4f3825927d63a18314f8d2fb11e67f545340cbef8247f7373c2028bb4052bb4f7980498472d38afb1e00d60a80096cdf005926cb18560810ae576667dafc0678d72e2392e1e026335f783056885576070f0b36a8c344139225f5332fc49c1e458dea366ffeb2cf12de967b556a13880ca41140d7e79fb5641f64491c8793319a2627fa4400a420e90fa69a1594cb6474907c9a4acf622f9f0c4b7c5a0eec093b6715edd0c97b2d9a7560601218e77784c97ddb1a457d1f6bf851f3bf2623d2f0b1ff7c1e4b85dba900a379d5846e783964a08b016af92cfe59bfd26c31d85939f60d3d66ffab18baf13ea4786710b00be25af314def3cc0996196ba40353d0c47702d033d466158cd1773ddef965db9df67fe1cf8b1db86c3e24a713402ba7d791979b46dca1ac2dfebc30f1a43a0fc3081e8aa7c0004083a4b032c353e702a947c801a6579896c8a8fc55edf38d81831c703d0c82debe598c0bd2f99de66502106341636ca9ebc1a3e0b039851caeece0bc96c9e3eef1cb303f454e46e30e650017cfc202d5369d23c6a4b85eb3a664e2b95cb71b20e31113d83d1301ce527c40a39485add09fb4b498745587009d452a5b09bc3572db3bf3b285ab978ebaf4a3af073323f5992bb630bf4fbccd1c18ed5544c55b3d1a3e26e05db7c7e60a570170cd0ef9f77a4742c6e2c08f3f2f8cd66dd5ae60b19b5fefbd72d5e57149c760b74ac805e574d8ff12a8c12cebc72e13c0ebe3f39380a93f29bc7fb5e28948f9ee2ac056fb4c0378f9d415173f961bb791ab5ddfdd2ed716802876698c7a9553a5fce4bf1610ead50b199e02ccbd26e00024564477c554a5ff50ee50b979d0cb4202ba603461d3426f06f4d00d4ab842dc52c3bb63e117e1cc9bf09c406c186d3a4109ad7eda0fcc1649c547b3b20ebe26e2d8180ae5e4f48a2e7fa4552c8d83165c3ea741643289543ec56877c56187775c67d9c172b5b9e7c838e195562b2f50bb086ef495a9c27f07ffbf1f9b6f05e476fec2d969a88fff5d36d2ee673230d79945798c2619d4b0f5e2732c5a9ad3abcb9c6119867682bf20f1bc987a9692b43eaf198e4c00b05fcf9bbd6d0613353bc1904515516d3af2d1cef4ffec791d9fdf2779df4c914cb8ff40ee2e1bedf974ef95b973f9a5b35b5615ed60798c28f4f8ab08e8881015baf88f9729985ce056badbd88b1fa6f440af1cf1e3812439b04408cc59f4a6dbe3ce4a443c476040ad018dd828a0aff7f972472087e4dc5fde232f655781dfc422ce402a9c036436f7e20119edf27ec00ed99dbc5a6d09d6bfdd3a60aed38ed14a78120d35e848fdc012ef1d559ae04e6c4dccabdd79e5d4c8dab901b58316966a215d45807246d7b62aaee760cfc5d907bd4ee2cd749b86d5b679c409668d7f34a7abfa895349fb9d9eb4765c9d39f201c407b0d5a89b3e6821696d00de3b1ef714a7f259dd94e1ac707421e4ba4fb345fb571a7851b9b24c7ee585de4107adea328e9c0118c9ce62652a64940d63819a70b726e8851d5eb673e98d33bb3c6ca62be5551cfd4ffa0e93595ca43877cd8890ee00d0e109143b2eb0c14d541eb9ad11cc08b91194f515a4479c4cf333c09853842cdd75414e7b7d6889142c2999dc0e8986b6a3ac6e0b3c030c943e985feca927dc9531670a23dc91172ac8d779d9acec6a79714d0a0b1611b23603797e2228c8db7706b38b008a83237f28ed4f45612dd9e685ccc2279c862ce2cd74e3326abd9db1a8ef7118cfc82db1609bec22dd0502a4dc32c269bdde84a9ee5b17adb45c012706e66047dc3605da9f169e20c73c7f764720129ac00b2aefb69812d72ff64d5874fce5aca4df68b78e7ccecb35aa76b5e767ae394b41beff86d1070b21157cf34359a167b7dea68abdd224878ce3d3818358b92a52e4f313ba3dfb8d97d87dcfb39ff438bdacd7a8a4f8c79d245e4b16f42634d5cb63d612ba9f019b6c06cbe5223f24c44d2e16d8ee4fecbfd941b248bb6eb63e0136dc82b9df74eff1ebf9f042dc9166a644eb84b44453587c405164f221bdc4ffb51c26d1cd1828f69edfebadbafd5e03d26bb6dcef5d4c6c7cf512e757609c9e52abc42f20d6b18c81b5bec2d5aaf546f1edaec291a7a18285499115dfd75319e9b6102030aab5c0995f6faea2f29fa41e7d5828bfa59fbfb181f96004a67336f98ba0badd72dbed7319f96c1bf8fd43d1c0bdf65cf244247586bf9f4cb3105b8c30388d67848c1a2867fb416e4d54b30f4b258cf605aeb72b9ed04d3ee7302c2e2b33c4afe3f88f3dc97c1cb1b0ea83cfe5d14ec93510359a324b54a53c74acdf9191f8684ec2f43ec6acc0b672b3bb5132172a6879441", 0x2000, &(0x7f0000005c40)={&(0x7f0000002c40)={0x50, 0x0, 0x3, {0x7, 0x2d, 0x9, 0xa, 0x6, 0x0, 0x9, 0x57b, 0x0, 0x0, 0x2, 0x7}}, &(0x7f0000002cc0)={0x18, 0x0, 0x8, {0x6}}, &(0x7f0000002d00)={0x18, 0x0, 0xa, {0x1}}, &(0x7f0000002d40)={0x18, 0x0, 0xffffffffffffffff, {0x6}}, &(0x7f0000002d80)={0x18, 0x0, 0x80000001, {0x3}}, &(0x7f0000002dc0)={0x28, 0xfffffffffffffffe, 0x6, {{0x9, 0x1, 0x2, r5}}}, &(0x7f0000002e00)={0x60, 0xffffffffffffffda, 0xfff, {{0x5, 0x0, 0x3, 0x1, 0x100, 0x8, 0x4, 0x4}}}, &(0x7f0000002e80)={0x18, 0x0, 0x5, {0x1}}, &(0x7f0000002ec0)={0x12, 0x0, 0x93, {'-\x00'}}, &(0x7f0000002f00)={0x20, 0x0, 0x3, {0x0, 0x5}}, &(0x7f0000003140)={0x78, 0xffffffffffffffda, 0x2, {0x5, 0x30c, 0x0, {0x3, 0x1ff, 0x6, 0x8, 0x3, 0x0, 0x400, 0x400, 0x362b, 0x2000, 0x5, r8, r9, 0x0, 0x2}}}, &(0x7f0000003240)={0x90, 0x0, 0x8001, {0x2, 0x1, 0x7fffffff, 0x9, 0xc0, 0x7, {0x1, 0xffffffff, 0x8, 0x7, 0xfffffffffffff801, 0x2, 0x8, 0x1ee, 0xff, 0xc000, 0xf, r10, 0x0, 0xac, 0x4}}}, &(0x7f0000003300)={0xb8, 0x0, 0x4, [{0x1, 0x2, 0x1, 0x101, '{'}, {0x6, 0x8, 0x12, 0xffd, './cgroup.net/syz1\x00'}, {0x2, 0x2, 0x4, 0x0, '!\']!'}, {0x2}, {0x6, 0x400, 0x4, 0x3006bd82, '\xd2}$/'}]}, &(0x7f0000004f40)={0x538, 0x0, 0x200, [{{0x4, 0x0, 0x8, 0xe9, 0x8, 0x8f62, {0x6, 0x9, 0xffffffff, 0x9b, 0x0, 0x8000, 0x0, 0x400, 0xef0, 0xa000, 0x10, r11, r13, 0x3, 0x3}}, {0x2, 0x9f3, 0x5, 0x4, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x4, 0x1, 0x1, 0x2, 0x100, 0xdde0, {0x3, 0x401, 0x5, 0xef, 0x4, 0xff, 0xf, 0x94, 0x4, 0x6000, 0x4a, r14, r15, 0x40, 0x81}}, {0x0, 0x2, 0x6, 0xf, '\x01\x01\x01\x01\x01\x01'}}, {{0x3, 0x2, 0x3, 0x7b, 0x3, 0x0, {0x4, 0x9, 0x692c, 0x7, 0x3, 0x0, 0x80000000, 0x2, 0x6, 0x6000, 0x0, r17, r18, 0xfffffbff}}, {0x1, 0x100000000, 0x12, 0x0, 'bpf_lsm_path_link\x00'}}, {{0x6, 0x1, 0x80000000, 0x1, 0x9, 0x9, {0x4, 0x400, 0x9, 0x9, 0x4c4, 0xc, 0x8000, 0x0, 0xf, 0xc000, 0x6, r20, r21, 0x99df, 0x2}}, {0x5, 0x8, 0x12, 0x2, 'bpf_lsm_path_link\x00'}}, {{0x5, 0x1, 0x4, 0xffffffff, 0x0, 0x6, {0x3, 0x0, 0x9, 0x2c3d, 0x6, 0x479, 0x6, 0x5, 0x7aa, 0x2000, 0x4a0b, r22, 0x0, 0xffff, 0x8}}, {0x3, 0x9, 0x1, 0x1ff, '$'}}, {{0x5, 0x1, 0x10000, 0xd, 0x1, 0x5, {0x3, 0xa967, 0x3, 0x0, 0x200, 0x8b8, 0x8, 0x1, 0x6, 0x4000, 0x8, 0xee00, 0x0, 0x2, 0x1}}, {0x3, 0x0, 0x12, 0x5, 'bpf_lsm_path_link\x00'}}, {{0x3, 0x3, 0x2, 0x3d5, 0x0, 0x1000, {0x4, 0x5, 0x0, 0x2, 0x7f, 0xd, 0xfffffffa, 0x117, 0x6, 0x2000, 0x3ff, r23, r24, 0xb737, 0xd}}, {0x5, 0xfffffffffffffff8, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}}, {{0x5, 0x3, 0x8, 0xd, 0x8000, 0x7ff, {0x1, 0x5, 0x4, 0xfffffffffffffffd, 0x0, 0xd, 0x7, 0x4, 0xef, 0x8000, 0x7, r25, r26, 0x8, 0x3}}, {0x2, 0x1, 0x0, 0x7}}]}, &(0x7f0000005700)={0xa0, 0x0, 0x73f5b767, {{0x5, 0x2, 0x5, 0x8001, 0x4c3, 0x2, {0x5, 0x7, 0x800, 0x5, 0xa, 0x1000, 0x7f, 0x9, 0x6, 0x1000, 0x0, r27, 0xffffffffffffffff, 0x8, 0x18}}, {0x0, 0xb}}}, &(0x7f00000057c0)={0x20, 0xfffffffffffffff5, 0x100000001, {0x1, 0x0, 0x9, 0x40000000}}, &(0x7f0000005b00)={0x130, 0x0, 0xffffffffffffff98, {0x2, 0xa, 0x0, '\x00', {0x200, 0x9, 0x400, 0x200, r28, r29, 0x8000, '\x00', 0x3, 0x9, 0x5, 0x6, {0xefac, 0x9}, {0x8, 0x7f}, {0x635, 0x5}, {0xf, 0x9}, 0x8001, 0xb, 0xd, 0x4dc9}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000005d00), r4) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r30 = syz_io_uring_setup(0x2407, &(0x7f0000005d40)={0x0, 0xf86d, 0x4, 0x0, 0x11b}, &(0x7f0000005dc0)=0x0, &(0x7f0000005e00), &(0x7f0000005e40)) r32 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x1000009, 0x8000, 0xffffffffffffffff, 0x0) r33 = syz_io_uring_complete(r31, r32) syz_io_uring_setup(0x29b9, &(0x7f0000005e80)={0x0, 0x64a3, 0x2006, 0x1, 0x3e2, 0x0, r30}, &(0x7f0000005f00)=0x0, &(0x7f0000005f40), &(0x7f0000005f80)=0x0) syz_io_uring_modify_offsets$flags(r34, r32, 0x38, 0x0) syz_io_uring_setup(0x48a, &(0x7f0000005fc0)={0x0, 0x1e2b, 0x800, 0x1, 0x2ab}, &(0x7f0000006040)=0x0, &(0x7f0000006080)=0x0, &(0x7f00000060c0)) syz_io_uring_submit(r36, r37, r35, &(0x7f0000006140)=@IORING_OP_ACCEPT={0xd, 0x24, 0x0, r33, &(0x7f0000006100), 0x0, 0x0, 0x81000, 0x1}) syz_kfuzztest_run(&(0x7f0000006180)='$', &(0x7f00000061c0)="a0bdfd577d9b7197f566393b228cca01c4385baa7bb418fa8f4f4d373fe58fb157b45a06ce1aa0aab1292a2a289ec83463278644d9a5c3b2419acc6bf9ff6dedd36c7c838e89a72a34ade91f58e37d884bf0cbc40df6eb8ad546eab730f20beba1d21deda9c9e181c8d866bff996c8563886c1e04f002fcc9415cbc094ac5b1a442980b176bff5d75d345e0a9aed8990a646d0c92e001a91a339a2304c26c5c0", 0xa0, &(0x7f0000006280)="3c31d6b003151438b96612be04a2bed8bea9be0bbaabbf63c2834fd7d23a61dfcc500a8f27028ff650839bf58b0558fcbd8f622167ed30faf626053a0298c9938199a79a9645e045d4381e8ecbe1f25d1e8141a6866bebeb104d7d1eaf9eb5830ddd952c26edc01118ee54afc9219c8ee67ac984b3bf34f659db3e896f8524bde94c7e22e6b01ad57f9edda0c017242686d911c5e75e0d60ac4508fb853e549065cd83eaf67aef8a89f5669d036ed9c63f09c5a94da9edaaf0582d73f29ec44592cbf969879b5f5eca1ec27b9ff3e426861ae8123c57cc9dde5713d5a37d552a83059ff0f0b4fa2f0ab66e426dd572415f1156e38f02b9d849c7bb9f8cfb6337bb5494addf226efad9d61dd3b407de131e140b4b8a2039aa09ac8a117bafb62261b6a07a06a04f68c5b3fda4ab7234ec1d890b9053282e252f2f475e7c8b0710834a30907ed1a79e0738ec3dbea0b36e78c835772d267b51969e3600d7af1d5d12ac96c0d16e9037e49c97c6b8ea8c00015aeb2c44070eac5c125ea5113227e242ad3c50c58d00f1d80809f62c64cb6898d0570fb51c5da14ccc27fb3804a24338ec5fcea02235dc77d304cbacd3ecb03a662d23e1c7ba46adb595075a01c65661b1a1ba0f86e50f36bb59f1ab4e483ffaaac688b8d4d29e445acf1930f9f9b34127c59a3b6682f53ba78b76fc2ac22ed046b7e08abc20f42f78a341afe95800ca073c8b90782112bcc64f078f58bf702da6de6af3c9da9fede5c1bfa5d1f488dd0095d324f0e03240d103c3973d8f05229182358fd160e41520cd42cd2c24abac126068c5b132c913b8c0eda44d5435119ddcd3ca2102f4c4cdf99c67ef97ef9f4f79398d415f35b7a95d3aa29588dc07d0b8516b91d153bb33736a011ac958500cea122ed4fe5e2ff807eaab692fe471a4cfa33ef687f718de420c8ef6f84c02406bee55966231da6b5bf3dd2a61c0c47a92e6398c0d452af5f1b46a6157f98ed0935411a2d9d33401655e28f68facd02b365479447c3eeb7545c977d00c328c78ccac39d2aa523d21fa90305420808c53edacf949c72f3a43a210b450bb27fc5330ad5b7a46aae99515a7b088af980a90b089357d23126aea3942a5539e513c261065055327a4bdaf6161b289f87ba2c513d22bf08dbe8953a6a740ec68130ac28173ea8a016b9a84633a17406d83bc02f6f06b7e8a7b90ce574de90884108aa54abbf6391cdbcae2a0aea44503b504aa9a0359c6eb68e242bad9e959b7ea93a74bbef1bafa9607b8d81edd3507e6e15b9d3e3a5df92d8e77568475b279b22fa1354e75e5948f2f051b01ad4164711537b79815d0e7f9d0106c32a2fb88746d5a3b6454cac3f1e1c1bcaa9ef662595479fcd75b204e35e593a776914fd9d25a0d7cfbe17a355547f56b712e4238a402e48881c99774f71f651c3394d398596dec218dce2e253e023f0f4fe4a001f58e2977127516c0f35f7e9c70a877de114aab4bbf0f1a8d5acec4dce590ee9398fc02afc83ad8f26bff8dc9915aac3d3aa267604e38ade6c96615caa3d1021b3859c1a20c2f0a7f30e33ec512247041388af88e86698c904642dfd6e6a5a878b1b668103e85d0d809c18ca2457f99cee0b69a7ebef439f82c3ae5055216795fd97b16dddb8f529e10b7d4faa64a01e1b3f942c462f06d260ce64f65fbd2cae88a4f0b75006f77da595c29a282f0443104c08e7144da74069fa22e4b0fc72bd78f4425aba6f5261d7e25552bbdc4674fb3653f8c2bac5a7e7e2ded7d52e0c0344b7629b0baf268714d338901fa68268f3be46ed2dd172bc84f627a58f95ef5945dd3ffd25b1adc744f33f3f37ab13b9a8fc5227d88b54ee9f5f5c4dcc5673823af3d80ffc5048c5978d0138e53b59d202011c8afe89be42b2f8dfa1dfae67b2dc98e9014599800dc200c09267ff48c2a178c8a6ffe8676b468c5f9e5769ad4094bc93b82c3048c9ffb317b227c3a43fab5d8c6ce1591ac7596b922ed54cf781470a5c96ca9af82f8827fe08c453f7e8c699bfd89c76591be39941b0f12e7b8849eb6ef322fe17ae8b6db3d9c4e0357da73309ac66c3a8c53a43cfcd746c8f3f936ae5b92ca0ac6dce8e15d0735687e166a3790e39d61efbd2437fe7308f3cb4e300f037dc688a5880df58472f305597263edac7726a086f8a1534e8aae3ccd98a4729c07e8aeff24995fceadfbf4e66901b80e632625ddcd5611ef9e91701394ee09c2fad9a80384ce899d3b6e14400a7ebcb97ce03f39e1a06d3c85bc96ee412304994a797f0fdb4b94a92db2cd7fd49ab6af1de388bd3ede5f1b580a1ff582b840039ce414476914e762698eed79e553f614fb92dd92e76dbf0d61b26acddcf6b7878f08ee8418742482b448000cb3b7d80618a556954b5e974a845e485ab6e62b3e09b8d2e5c1a177592d338328f10f9644769cbc72c12a96b12441f77c0891db41d84b3c13961431de4257df96d3b0d02c19870403f216cee6af1daec7589280146b73f000ff74f932a4be09d47f4773d3666d33aeb16e5c5b8044beeee4c26e62ade79d7adf54cbf5d17af26dd15833e4e0e15cb49ec7c8abdd7426cb75ae2664b5594d435cf2ab3cad63f9c0c6fa2d95eda6332782b2bc06f01b2e498c81a76d736e49b18714296f36eee325292691d77761a5485f3dc6eca28ba861dca79a880b37bffd0d72d253950946ba8548dbbe8b5233fd3d5fd9c428d1c7112923d3f6d9ff1e370ab7814e60164f8aededbe676f2aed19b3a56e427c9bc42dd64147ed60b0a533b65767bdc978eb737243709a3d902e874d879b5dcfc8078c73ba4b19087b285b6df2a6b82e5e85f131e158aa576af8b2a94f371f3211d0f40779793dd6c909fd8572f75a2cef9c3b31f48f09dcd104ae3a939008458b778e723537a60247e71c658dacf9a9849b9961155d35cee773f01f1b51a33b9a6deca480b4c5aeeba7389d7f24cfe046f33d36ac3e0a0116490a6893f01f45a02f47f0d5fdab5c764bbb3478372efaf575a0ad792e1e9413f44253da63b41d72bb7bc99cc298bf2560cae2be0c73e79772126394b6feaf31158d531e6271e4061ddaa88f0bd5983355b7ccc6fc14323c12d18fe6dc50d71939ffd778f4060af60591adf28708e0ef3ac865484f9cf4491a98c88df165d0e96ee4111573c0c8e86d6e2bb3460d7f51d7989c35ea05ebbd42ede06acf46abe60d10c92dff086b982c61e8e968e8b345ef1126ced1ec68331e83abe07f91e22d5e545b1dbc7bb9754a53215d3398c2aeb6c64fb1edbd3cc8b4689e0979ad42beb9a847fc3ed03aa001a42b3d5636810bfb0a0550f993fa1a31419c74adcd4cb3ee9a4f6b65d4ed8f0e4bcfb7c1aa7ef117487f62c595dd4f75ae8f64a964188f25fd2a91d3b773b8e459631bdcdb05318ed4961ed0352f10e08dd4fc80a37a1bdafe91aa6aeae70e63e7c089f86b57fc757280fe5b0fd4dec6e4d5d625f97bcb5ad86a89cdec3060869e53365350be21cbc01401e72af4ee1b2eb83fc9fe6a853799062b35f2289cabf7406216fc9d90e67b57e46909c90ea2f3b70772d15fb34f15f775f912d6b3ce6b10b360a945c91d18c84a7b601ebb231a4fa751d812a05fa2b795104e872c61f5c5f3cde042886015abc3db85f4a5e8bc9691f87029f135044deb0fbd8644552723e92282286b1a279bedb56c2fc092328583e7aea07abda5593c702ca4cb0e39ba16b2839756b0740c46c692c389ca40405fc19d7b839f51dc0f6b0b2155dee7e4c60aacabffac8a8ad68a7d3c0e52456fc051abc37922adf0e7c10bcf9dfd850d88c22f8e2154777eb57a4a30db4b9994ff94fa82a007dd05711da0af0426b7bad381816fc7878f51a1b7c8e2a50133178255e864b3631e9b77b5059db069e5ca7ad88924cb4f1a58129e1c899aae0e8bf760c52db31d399ab9554d10e7e94b82c2dc0a05b56b1cdbf48a2b4ee8845d51ed0438c27ec9f490bc518557234dd00cd6b031c74d69c4eb06320498a2c52982b6599ec9b06d722b1f83a36e62131470dc9e78c20089d13937f0fb7ac8313591f22fce68357be3549af620055c217a1cee6b9af48f8be4732b29d960c34eba193aa894b0f6aa0c91c8c27f070ddceb9d73f8834b3249ef03c9cca7d3d5bd7cf15e734c6a65a8f387c9a7c51e3db37d82c6f6d3b6be8328feea7bbc2601de9af9ba560ee27cbba3e2e38967d93f261b5155aa12eb9ae98640cb06fbf024b3b51b6337991194c5b12024592a81c6ff644ff35d5b19f287fa3c6bace4167e3d3ee14a1d52a4fecae1c4c2fd862bec826f988462b8c2a2259d37f5c8292bd6cbbe22a7bb58d5608dd5a5a9e1bb8cd586d894a53dc2598e3fdef678e7467372520510d6d41ab7ffe76ff020f85aa14399068c98b2f62eaf2cc45694284db21155ca1be2aefd2b121681473249c6ae483342e9f29b7597854e432ecffa14dc287670216dc67e3a5332437a837ab006c1b814aee71aea1d110b56d06d4db725f0ca737c95e32174813696da128753ec29fde16514e09cb7858c43e13c36d785b07038016974974e7463dd656e162087353a99b0ab3eed6493f1c8eaa8764cf1a37f667a12f326968bebc595abd62850ce0c977c260fe399bd1f4f88aba29539d30c6f25a19f21d53c9f77e1fe777c8113034bc6a37aac74f97648963e0d2e617786176f2d7ee559c9802b0f5596782e518e8592a3282a1f5defde775d71c3608d089e5ae98da176bcacdb55ab7e85f6dd571c80e95ff8e6071940828e3c81f5505224feed5ee0aa4ce8c67eabe138359b5cd88df7ecb3b3962ef175d25e98af33a5852fed2b5ef4617ade008055523829f98347d19f8ecca3181d49ac881252cceb3aca0786e39b8a8336755311bb1938043a4f1b0da621fe5370ceca0d011b1d5e8fd395e248d23368e0ded75d3c33a72a8c276d046927da59d7098e4776e3d6f054d35940efe40f9f8290ad287e5acd8e1dda73953e58df7bef8f6252aafe0e4bfef5ef727a4842b0a6192f70c0d3ec508e351c7455e059649d615dba9d7d60aefd061db25c28309d582c20a6e66d8792d76d19406a7f4250c0f61550869de107aae9c93d3abfe40f1003d088f28a60f25892b844a794feb7e94602909403341b39679e3b04f7b0e8de037f14686e78bfeba960a62183cfe920bc46d50d0f005a7f7f4850c213406cd49b578dea6d350b392b6cb084ec343f7056e7c6c9c48b2e095a1bec578eb413083d41072a55ebd278d37dfeb493c74fdaca9da1c3cc6e03201dfe1939b8377f9ba21791bc494f6048826f0b7ace207797b0d9ec3964aa184cfaeeec3fbc5a1dd35a833e4d389cea9e3ced435e00ef656ff0de644d6e25410bb2bd940ac08f76550116b53ed4fbefb112d58c2affd58692e35006f670432551f8aab3c2ca4336c90c787d41d2b7f95ea9440b17f019f88701a26c978aedee0de9603fd6f56b08e56bcd3ea055aa7883d0f8acd7f7de3498bba566c2c696cf17f931da1ae3347599e8be7e12a8067fe2dce14ab0fd6df97f1d10ad76dff5902e182746ffea03faf97552bf035f9e86ec23a8736f20031fe3310d1bee7876d36623b80e2641990f951cd56dbda61ca8aef2ba14d35fa8f495977ac3fd7aa810d065315ea8007c8ecd85acd6d65f2946911709b1ccd0e629f56e01b040efefd58f35adcd00dc49ff7717062b24635d2e5f1e9a7db8e3d5786680e396911924d6b5a6c2d1dfe98425dac3019a7d8673609027c064b60814ff45200f18d05c328bc346f41e5f5d68b66569418c3a9d9bd04cbffd13db9d231a405754ef6017c30cccb7e934ef268f9c89352920c765190ac8817f9f98b6715a9847be783cafa0a86d734373f51aa8854ec72c6539ae162504336e87ba7347d2d7f6a25bfc72560485008f3e73e09bc6259fc3f61bfd72cdfe475891c5423ac4f10fc5d95ce567486fb661e232542f1323b4ba00a54e6ace661f685fa324f8835697ac6970f1c2560f4c2ebe0c834887f715ace332763993b9310b52e178ea9c4a145bbae5d7baa9c6d968ccc50d3cbac54cfbec1d76fa2900fce631ba341bba565fdecff0b09167887b0bf10b6cf6deb6a8870eeb7dec9ca932a57764a6385ef07865c467ec89937d8e40f91cee87afa25cb2cb6220bd7b0d32526fec7fd4ff663e557bf0e4b6e8ca3bab3cd035baf775c495a127fc026248bafb4735df8cff8d6799778feca624bd86158960272dc75caffcfd4c389e51ba43ff6d72caa03a699ece23d67dd4681dafe73151feaa10de5073e32eb46bb5adca0ba62e8dd922c8c80c5a8008ec80b75e872f87314b202fbe4d662f065eea19686338da1189c8cfc91b7cc63c1d82c797f98243d79a916b1416be117771a533f197dfbc7a7dc7a407c322c2280668abe1770b3de472e3129dd35f19835da7cc6f4dd7ecc82d20ecd267ea64944a614cb80b0c735444b1d62bcc9b760d58405a438fde50b4608c75306b8588948dbd02db904e77e13406e49c4e3b2491331bab87400dc903187d1da30df2ba51f54cb1ba00534b367e4b176c6a7ade4e12150665b8631fa6ad2077595a27bb4cd3b7080b8cda31b90566c38e0217fd024c374c7eeacb92742772e86cc7cd5a7fc36198af615fcadb8105a4aa2a08c1724d21271ac3c2ce7518ea67323fd3fbf1c0386c97fefbcdbe2a6258f1e9d3c09a13b50136fe1fe5f98be367ee368a15cfafcb5d5ddc58538396d78ffc2e542add6122b6351eb3f58aaa72870e701231677bf6a5c2300abf5740a26668fede2034f504b004733d4d78a963f2d877304481cccd5d2d51802c1cdc50d5a6d30d39cf62b080b418ae316cd89b4983943d8d3863678d89029b61993b58a221139efbc22747ee0e2d71c6627d7f1a3f573413de3af9f51353061a06beddc9198f2a68b57af54997ecba8867f0d4abf53c5a2a70b69b901156c3d0168463c8ff6746a4a7e87de9ae82f0816918f5df295369038795cac58d7707ba1a23c9cf9a3829ed17fad094ea1f4ede9fdbe844fa251bed775a185cd25793f8886d8eaffdd467d0fd5409f268de34da59beb7caf16878c066bfd13b16c05e4712c0e89264eb83c2b420690f5dca4f23f3beff755e1f05d2ff467fd29e6770b19f9b89c3fbf29ec69d1c29c1b1695f97997a086a73c27fe70cb4ac633733fb6e9898d822403ea637a26be636c0662c91b5e4ab19f022994957522a4779375c86ccfd44af5f42a6b4fede96592468be15de60df5f6544d6c6012bd32866196a5638468f1dee9e70b87085066942eb40ce4727aab03003f4bfb216c7ae54a45f0fcc18c7007791b26782b110de1fefa77831a3fa943484f0db3265ea587afcfad2b66ffc922d6577fa36a24151069a410ad297416ddc8cf27be264ab8b943d6a855debf254ae75046a008c607d14367739a6a8e5e80a2490b3a4b45d147e4310eedfc08245cc08667b0d9d0b4f26e252d36e85a8545a3146028616b91971bc952aa4f962aaa067e0771f206e9a956135e5ca8a02bb02cfed9087d589c0c0ac361ec1fcd2fa54478319fbc1b6e3625719f4fa7cffc759ca5476e66ec9431219b9af288c74a748454d77ab790960652c2ce6313e85522072730e30f483598a2f28165681c7475e44640bbb06dbd89ca467e2ff9c3968941ee3f1853ee334bac3175dab98fc51833e3cc32262967cc703d5cbe768614a94b51eebcbea3f99e1bb5140b389451ca8d280b3027954f986ecc35d4f368a3ce962785534309754a50cb548c8b0605afc07f5a8f6d8ad42774fc6d2753296e89109a075209c1c72d4d8068ebe0971e45050c9379c219e0b966fc47906d59fab98360bed11d76398c72d9c6df63854428c841e5dfd57aaa438bf9b35058c3e5dd0bb5457d1387c41f12959bd53583900906a9febe491c8f29ff48690dc78c6c463cc07e9d8ccfdcca4c19f2bb4e20f64b3dc8d0897507d270e613cad6e2802d2c74d174cbd2a4ca7c7d5decb81ba028144be39102b59b634c2e9c7c1915fec3a0add2c71bf686a120b9712007bd8be7aa63b55855d6b75a49ae754cc4156b1ec741d8793154daa10b3238aa2c92b18c18c3a691cc9624464019fd130a193e9ab607f9981ded6a2ba12f043fba3df5378da5a1be9da3b99da3fe6dbfd6f7360915df1c6a8bfbd8602e7d75e92ea3d320e7a43712326317b3c627c503731b99ea669402cfb9d877a190890427ae90367cd100f30428f5228693308376e0437a530cf7fff01c2a8e23ee2a345f820f8e1edd2d52654e332b690776863006638414425201e43a041a54735afe266505fbe93ccc9481487e31b23aef7940eb15c366995f9df141e5069efe4a48be1a7d0d3a239a7c5366d2bc4e209fdbba85584760450324fc1e5b41976e1f90788be645940828df62732754ccc6a248b0c7c7ba01745fbb13cf426af87bd54977d59b6fefa32c294320d1fad0f3ddf09bbe14f7e3834ff4999114dbbce932ab628b269db47efc58a5588b9af3e5e7ad34398dd47e797be4ca027be70549d564386956cc4e4cf9ab4e80a56394d05bda246fa4c87c7c3982f3c0e65ca5cf8b3bd03c177d54779e9f42e74f1800006cbee91b07440512f8964657327a6ce76e851ff1e6592a238c427f5d96feb5a8da875bb2bb6e172f6724a46f000a58a687ef7220ad71d9195ee58bb653f4d3cb7f928e93bef0a56c9d8b659ecea7ce2514b648a46059fc3edb457dc6bc9f4a1ae7fd9916de52ea35e8efe966fe96cb60c63ba0e018f85066fef1e3452aea7b86a6889e4018528bd0d8977cef33042f08d09503fee8cdf53f3d303488c724ebde9fa0105a65b89c547490f515c5ac675e51bab8b75e3d0c3f76d1074f3c7827db85aeb48879ea3e6241b3649bdf2ccbbd5717a4e1c5657ee22ec43a90c9d620a3cf22385dd47593902572eca35b566ed70905f6c72120e14022db5f99f52c9ccfccae45e97aa2236c6126bd20517ac93f049c7917104ec1bab4a723fa00c01e5b451e6c1737ff6ef93fe6ce7b35f71d231ec3b60f85dc45bb6679671776b3c0707b8b628dba87e87d2c1e9f542df5855cdf97412eda3bc1b66fa1b46ab1454afeb88b968c2ec366e42edb519844e07d644f378f9894fd2007884e2e2c92579e41f6f63204742d3aa278e33bf76f7f6dc674dced943bf18f586559efeb20f54f1e72117019c25f5744dd2e72298f561326175dba9d679fdc26c0c807c7c213cd072a0c4010fece820f6462ef6280c3e6476c0e3a9ace1de26741b4269bf0abf36df607df7c9bc6d9de9d42937d0bb241f5fd36f7c3bdb418bfb96893be9e3c4a3cc7a4b40bcf04b43144bc6c7475a215df6b2f296c772f111fb5067f48cb5550a0dc48c5f6fb9eb83d9f8eb9afd10619e3cf7d87b2e3864c68a48e7773decad778fd43336ad802488f3e6a4a4d642c835bbc4bc779fb1f0f770c6f05ee6c2df5e21bb8b25862df4eca4cb5f8e6d52e2ca983c88d8cd548f6e336ae38e8970a8957fbaaea4b06ac1c973c3cad3e26eb0e26216926df865d368997f4998fec334add690370ac94e16e2cd3dae8ae92ff1a53c4cac5e073ce8e328a4ae53eb8d9710b23b06488e041c5b506ba3ef65e9d848332dafc59195f35710147a81a4cfc4a9cc00a4e42ed49eecb0ebe9369902fa4c4030a06c83a8106170ed1cb5aa1f780e1961d815d7c4a189d40ae8e696b059aabf7805c1238db442b024bfb98ec9d8dab7e2fa7a356b58162c319a25e758702b7c8813a9b5c7a70e701ca2f7375f1b9d905f7cb5c38771661db8131d2ca4da1e08ef41a548bb9426b5a9df43f6a00fc4ff9f225322c1e7b609dc99f5759256d0a8e84dfc2973489f37170a009b6e37971c7efefb57c444236d9f5196eefb43da82ba1aa70175c678300934423f1f75b79b193e6d1676eca62982758b78571901a74aa325ad866a7cdce8835a9f3ddedd2ef6b56f4a3daa2bd1debe33a2f363dc042b349097610595df334d6d15dfcdf7b8964df708643f1ae644d3f1789aac2cf69bdae8a447c925414fea9c45eef3e26e57323c92791d5d335710b4ab0b51da83f40aae8ed4870e9655876508d280cc4b837915ae0caeaa88df1ae8c6cd2d4f9a9a8ca75c1491cc316f9a5a2fa68f508bf980dc65236491e3995472b25c7f7a70ffdbb89104136cfca7f4fc01f147a698542ffd9694fea9717c70269d18fd0577f236eac614d2e20771d026aacb9d63943548bcb515f6219722b10811fd0c748ef5fa2c33bb8acf6c55178f839c72d3aeb5f0c72726fdb95ed5ad0a840754307b5791de1e066e5c6c1ae15c4e57b63abc32702952a1720f473b77f0ac82087719b7ce82c3daacde95b46d47a44a89e296b3cfe5fb592a7858aa0730dbc5c1300e4b04465cdccdd89a2fddd2b4ad4882bd2ea5a337ba299762f0d9d3cb3793302f1ab639797a5d4602e2abfc41431b04158a3d99b2ab30d8793944ec4ee01bb3f9fb490aaaa164bebf0361bfb88b76fa4f3e7fbb7bfa0042b81ba6335c29f2d0802c6604857684d47fff4ffe922b6a98dc4915b37d338de877e48d8aad5b9b071e9e16538a4ad6afcd3136fff076f2b5e8726c6b561f2aff14a296b77f1bf619eca7defe845d24673e3919e8682c9a9cd40babbeb4a521a8877f7243335dba7bc2ef5a3983bc4db3633e18a4ab93cc53d09eabb39f06bd7839060f56efa4285e22092f999c9b41a926523c125ee41925f618b3264708fd1a7de74a5c42e7240b9db15ad15ac1d15b828cec474f517c5c494cb91abd4882f75b0fbb552acdaeefcd60535229a1370680e54a7911aa14c226e489007723a62f24c1164defa51f1f2f4a1ad5fbb8410f0bc7a759cb1bd8d44a47f2516feabb4a0393f4d95a64b76d9529272303451f4191a2b7ec214f0c6027b369f87da3d4b82c8fb4fb0ae305ed8de6f7a4870441243dfe49965d2d27e68a98b4c45f38f55e8fe819fccc1ec58c4f7519c87fe8eb5b6faefcc65d0e6b81136c844421e8ef070193accc45e7a70b9cb0c33cc2c7121e4f7c7c74347a0453cff1ecf1cd8265bf2fd364b6bda8994345068972c772e9c5e90a2cba218d08bd946bc6e5af93bdd9cbd75b4d106b58a81bf144e7e2d2d7696f9476cef8b5bad3c08d7881f7577b30303097704ea382f8b4da2bd8202ba5ef113d6c0aade0076b213d89a6f49cb17f42f7d5f7fc1a222e79f5664dda24023ce39108ba987988b6d2fe2f162f26319aba13f7831e8d4ce6204e8e4e2d3dc35679e065a986a2e6759b3bcd5fdd2ddc82326b768323b57f3b7bddede273dbe9d69bd88bf63e25e81b77cb80aa50b8ddbb5e81eb987679e121e1d3a25f65c3f7b462f0a7d188421814cbce3195c37f2aa47615e258f050deebad7a700abaa6bd6e0651923ef7af808454b263417050af8903dd0729cfd08222f1e545773ca33132f065d2552caf5d82b5b272df91f172fd6780c1abd517a7f46572694a42d3fbfc12e5c0c37aaa082cb3c6aff88c047a5fe8e1d8a92bb3307cc21bc6fc3e440ade6e49d542041af75397608dcbdedea4dff521935bafd53f2a7550d726423545d7d17e0a34db154019462c1cae55d83e7f232eed4ba2bd8425682dcf89d70181b326a65a47d49bea9533d9684b97b0351f66353590763591b4d5ef8ef70014335d677de4872d3877a61f05de65061a0a0d97b1267b9c5e45176592a17b6291c8e98305dbb7b44f4e2b69d4251249210dfa4757ca013540b0ae3ef3f134dae3c1bb462e0204a8fcb1069f1673eead8e5feafdbb4c9c22fc9d0e6a4c56eb46b174ed884c736557f7b60cbba6a9a4b03102c11b09629f74f13cadf7ce7bf2c77d4de2ab63461fba4199ba61eab68b3331dafd8fbfb105ab21b6a5dd770372c09e23cadb64560c242f06006eaf0d937ea3043ab2d30092eb9d5e3d5a20d2553ec7a38de922dcb5e8b893d3953b3586baff0f11af2dcb1aa034be5b0a8b14ff802c41ad149afce5015d9045b3e1afc7e15231b2e4be17a9eb57949e6f5eb189773d9f465cd23fe2707ea0b2f15f968293b29475543d74e0a25067f19b8652b9890856ee9fa06cbef42415181695a8d0a1932b82fc7a88fa4500356e7af723534f0d7787daad0051a31cb54be90b52cf61b765f426bcb126b928382de48cf9e7c99765fac289b18ac20a1815daebf7a6a3236dd26f74e4eadf391898e05e050f68a7e564b2c2daeae18d06077c28633e72f121c3f88dbc3670992d4735d1f47131f09fe14e21fea8b52ba60b5740b873c3702826a7e38e25dca652f8e5b4274936b0d6f49f84282c42491f13f0cc006347b0c40a0eaacdb2cd8facf845fe86785ab6fb22f770f045c5a8617221ba84a003fa8b2a8fec44289932d9536179dded0cec31a0fbb9011bc4e2aa2bfefd298f681b1c9568f02eefb8afa91503c985d8b8d98966f45f7250f6e269ae1eb835a791c8877a1d8ceb0e7b794a7d45e51f80d22347522956c25c962f956847e243ba03842cddbd103d778735d08a3b770353e49514cc710a44de5e31cf5832c3f1ff01d4a5fcace8054de807227da77b665a386b0cf0d74a2c99392d65826c05704f3076a22dbc7dc4102a923b45fb6e5d3e2133ad68f1fa91653322a0cc5ea8bfa2ff90db9d9c9abe21a5523a1057ad2bfe25375db1721b48e61d93b30d9e8f59d77a3871f1fd02249c1e7ef717e16bbec7e194926f6e55ca88f3674a0de2fc8ab9a935b38ae1a8769c677b4d3ee9242c443f26c4678fe5f969589f3248036e0c5b901026e373fb4cecb92220044bd05267570ba905b745a517a74b833e51384f40d7c7ea3993bf791285b53d733932b7b5d4d2759c141a72ed6b0cbefd5ef4ad00d303d52c104000adb42acd04c6f96cbaf7a3cb88affdf2aef627e8c2e9d1fa9605780b690ae6ebe62fc6236bde847c7b0757c3449d18a7fa72fe1f3813504c08ee64ed086b604571996e9cdf798f59c05ca7fe7cdbbdce682cdfde25514d3ebef68728d325a2204b8e6b4f845957908939648b9d274e24802cbd6714fb4f54cf22920acc265705281f352b946ca49ec17f609d24b4d8ec05292586733f45a930b903578afd2b8b3a2120ae80dfd76dbbaa491601ace0512bc80d86a47fa297efb5684d6c4a1d0bd60faa9818fc2ab7430b6604c6689c288e36d93510d04c3499181b16b7b085f772a75444c93dd7b1a9f6d2e9e1a984053fbae7275e2dbed3bab060fc058958420b1f45601f773be1b9ec04a4d1e6125cc4905e55cb02f089d4d513393478ddecab5e9f3deb8b6fa9b36f8edeffc87c37e2c898744123132c0d438fd1e0d089272373bd7b651e32d11e2b35b7175f2dbddba02ed7e4c2bd4a5c458884bb8c1834559efd6a199d54a022530b5399de69817f7d5dc381484b56915ede6137862c9b0d884e3b0f9062a98d3a2e83e21752f03f5684b89899dcf3ce38218d5aa179e81798656a81e29c84cb64676b49858f91bf5cc1ed0d299e796c4c85e7b39c6b01f77e021ede52aaa1bd271219bf879304286ac3b836a75501327c7d5802c88c39470d2df0177c8f13162dab8b850c7a0eebdaf16126c5c7915adfaa5dcb8a1f206dba082511835a0312e175c78cea82c19aab518e638e849772ca13e717cd32fe15e6b062a19c5457e0e07e19f0791ef493f7e1dd8e24dbb0817b5ac872be428ebc98060bae73dac900e0b92be6fa4376932f32bbda59cb33a4220062c7575fda71056d339ddd2e774200101134b87fc72b7d86c053eb97eaa59b5e745d80ca50b045a0c8a206c4c65ee82122ff502d260e0ba8864e5fdd6a98f12836ee425cc389aef2633228f39d4f76369d69176fe115f7768abbce205b7b528c3a90eca5da1f2aac464665b928b2d1d8230e02c1eb2db4e5171a2ea77ac34f32df40178dbc235e955724da451780921aa10cdab492636c93a1305d26c0cd19853689b098b52f0b887241fe32833ca4f6ab0aabdb4be87a41aca4b31a4ab87b2ee112a9f659d14543698b8d45c8a2d8ced94fb4f5c134ee1cc133edd1ee70fcf636c97670919be73baa1b66d585a754643b71f6c48148a3bf65396c47957961ddbeb43f3d4f95d98f5132153b8520a8c6d148d9b4236acf5b39358e67034d5639448a12a42b25caba714cc3954b5a347a5e3ddab7ad1949bae1ebb632d20aedba02f38878509acb870da58131fc95cda93f951b003763b885d726ef7250e2d8fbf22a814cc58013618f28106f43af86a62619fa6e24587dee2d8f91bb4a8691330faa3b9dce747cf0f4a87dd735b4f1d214f79208cc12a7162ef101ce144fa220744286c3cc2ac8d61583cde2f2253484cfbb18425712f1f8969bdf779fcfc28ca94775add2c9eb9920ff4f55d872cb95ee69a6ae1ec394fd7910e08f77441f31d0a1dbed3ccf62df333dc301e71b1b877c4343845c6b8d496270e2f7306451b130c69116313c51c9d0e8946f5977ee2969a93701d7fae768f3dfb6adad4f3390de9f7bd8ca091b32fdd68ae647e3cc6f2abea807382206a84996287316c6b4fcec1c7f6873451f546855c67f33b3c318a1fc37fe0c80cc86616670b4d51e96307197f5f6713dd1eb23b55466b450f3e92faaaa49774206d3b57bbffa14df0efb04a6e34a1f6af845903354571933a8b43260d762abda1c033e5485e76f27dd28c1575355927b050b4856e49e1d8a8640898bb168d8c3a05392e4a4285d44b26f15bb60f36182be383ffb54082a71a8e59aab0861db87af02b34ea6c91927a4abd506f662d17c59ec215456f8100a5ec13eab566e50a863030f916383cf00a151102ddbf8b468f4008a60a26634d55afdbcdca2ddffab7efd6e8403de28d5a6cf3c139f90d21c3d51f380257e4f861e0cdf93943d0db926dc65eba8785643da0238a02f39a31f5eb1c3af6bad1a6a2af06ee2e001b11704858ed59c5bf8949182cde0398694e6101eb977a1f6d47de568784a4b186041980b21b11c58b40a893873424fd56e41fd781f79100b5549596c38de5e90646824da314666266107eeaaa8bad928fc776229a8bf85817d3dd01dbedc578bb94a00dc3137c93480f585786b0bd777e8eb25307ba253e8d8e4ebd8880f2a854bde70ecc8d0b79f8ebca5b790d649d7d55777a4ab3126dc7e0bfab9a2670fc374799387dd22226a48b22ad303c46e2298197f7887dc7355a90485700c296f330ba6618a9b6ad84236f6610444318975a7eb459efdbed9db51f36a9538e2c1be53671ab762d4109dc36fb7eeaebb80d10c6f98591a29ec8f9472cb56467b258ba53168c021a6a79c126c1c5bb600f9123d02e0d56d2345f6d2e7befb2b05e111807b4e03fe70244e45070dc407f32315227b7396e2ab97633b8079b4f61c4987f775e9460e47ec26d109464589b847d1d684bd8d30f7c699da25208fa6dfb9e6a9c9fdc38f19745aa0136e41b5b3d2c9c98b362492869e7e8573dfb42315544fbaeebfdaab3b9d68c7e6dff07f6c5a49f0432401201c27d1d23670d7186838f5b2f15bb6f9301896035c34bc10f6bda13e7a85dcdec1c140f4cef3b35eb52c46e5386d125c2c04d19a5b739a2c6d1cd0b5c9dfa085f07202b4dedcfcb04d9265fc56edf9eda488f303f59f3f9b2f45933aad543c0cb8cc21a72230f59a0429d17a6f73a7ea7eacbc9035c3db832174daf39931f321c40cdb716d69d83758ddf9bdbb004f5970026ecb78b7fa0ecb95b42ebdcd428423ef74d56314ed579b3031ce4858d9818a23eda71583b2552556eca75526acf679f50790fcf9b4286ab9f9e9db094c63cc53be2e6ba7ed70e0654eccb9e7b73b310f48d8857be68c00cc330a629757d5aede52890fab53f772eac290b766df53bb46f3b1205318ceddfcbfb2151e5548864389d8c0e11892f290356d141a03767eb295d4d37af299688277ec3f56b614a8f641357a475ebe362c14320a68e8b5af14ddb58634fca956f367af25b6a7703c8f01be59966cd2fa2567bd74fa992a148007fefeae41a6aaf3ba0cce34315f2e2314d3d1f533b90827c1ebf9e7fb835ed455c015a6d004f25480805423cc5df90742d1d271ad09c1cd84e4035afd0d334b5361360df0ddd089e91c48752f1695c0b2e48c52c3a9d86d3da167a272026e19b75f726cc92e7ab0fb1d101648529d150773ad57b0b4227cf6fbc9b0766fa9c326a6ec66d3f351f2e6ca1bbde52760805550e64a82daaf16efae7ef879036d121ad303c3a26f40fae2377afe742640e117fcf766dcd016afd3436fa24e4d0e201daff85087f84cd839fe6bd8aa1cead952a942142fa66b314b032364e93db2267bb5152f6a731285e602f1e513235317dcc39476b36804a0e3abd327d6c3980d61382f31aed40bf0d758182af3c942aa836332babf38644c313491aa13f3206f18e3c68553e8e64f0dfa580c4427882f6fb134b0d33e21c30a495ff4a9bcd0fbbb20adce22fb9c27cadbd2fc48a195274f480075a91f2264c496708481e8e3b668d41482ecc8d2aae7ac140e8df0af2aaaed234ef0eba355a4944f03370c5f788775dc858e09921c3ab2fb180ae771178f9f5de6759e890620a4975e420916d455b965d3a11e0be0e53807577903265ab93056b518c7c62da1385e26f4ee1c487213f6ac8f46890f98ae4dbc061ba1cd4f8957e6c0685d9aa5f3e62213db2c33b2d82529a030739f3cad9a7b39971c05af8b606826dd5ed5159e69d039ce6a46c9fd16ad459165c352f8ca296f5d0622e6221947c3a064415deb731ca0727bd87f56dd255327badb39718b48bebbea61a5922a24438a15fa82176241c1f43c65e4f5e5305a2931897230000764e64bd2ba15b61aa11c2004e43ed66b265c219c254df7421c5412dd7092cba2e3b00bf88a39ca483cf5ef9495e1941092ebc505ebbf93f452e24023d5f8b81c613014a14a59e78a8f50d617013d0df9263e33c479c5ad4dc4462772236819c674d7cac8b8e20b287d7a8b48824cdb795ae71ddeba2c9d20e39378c24bb24fa679910424bc1f6ba761b2c3800a625fc32bafdec7733bf02ad9125a4464c0b0cb49735c81839822a8035046634ebaa5147ea6aa37d8b24e03d866d7410c8f9cddf77ab08142c163f37d5b413807c29b18767e7d23d1de72a13f10799e40c8c41d388b4cce82c16b0cccbf5906de5cd5748671e16616bac19498560ffbfd73fd7664140c1829796b99985eca15344657d6cafcf3ad0ae94665eead0df85cfd69c9356907a5005807b77b80a14411023cde95031f23db51bf1d312244fc8feeedd8381a1b34b61f6f663274a64a6d35ed61d8312ccfc1f82809852b77a1f2d339559bbb65820d793b566de6aaeb0994ed9aae588e329dcd64f8f0502472f4965b686a0a12c7cbde7a8d0b86e81c569ab586b3d80a8b9998a5fab0f3cefd33067b69ab9dc66e66d12265c862197ae8fb1ef3d55f48b13ae86cc4c60e312c9b55111f17a40164682f6867ca9f9379796bb690cc14c22395396df33a066adae7547ea133174bccad28c533099daa1e9226ead7f965befea6a7eb0b3c3f5e95b378d70f0ca27691f17722e871f62b259966443645cf5ad5154026b02afd221d0dff6fc733d01edacf24310a0653ee6ae3d0190a3cb14286fbdd7e5adf365bdab69d4afb9a8065c4b6057502a8461cc614f22fafcc747fff299c4fca9064fd197a6d3c51472403e7e47812ca26a62f5ce0c83f60b2bc588bcf05bc57ab7fc41b7dd536d04aba50186c6715a1ede0e5ba5488a7ed542f0ffd875ed2cd704ba9be150fb616b7c77a54e58023344a870acf3a4000a1a8de623f34131ee7acefd53ce302c293ca9f2801944611ea3e5256b37976cf6c063582bc90054f4bfa4361df2bc8123022d0387e4300e0cea5fd87753c4618aa5112dfbf089d529f4564e20fdf43f2334b55e64297c84fee5b83a2ac4f598c55b6b7da4f443f7afb4e493738b536433cb1f5509d967933a30b6c3629dfa817e645b1f4f0b942c5711a7ff22f33a8ed5295887fc44866ea4a1a383c39368b11d16c7be67c7e789a0e58b7421a3a116894c3d88da9799435e8285b79325fd143074e3bd20ed02bdd0077339e8c594a9274c9ba6158e3d7bc37d74cc4d51dbab3ccd469de2b692b8547c332dc74a94161df076f63c61cf7c50541169516f302708f48e4973c4c0e8aa960c228fda374969b5d0d606fb96f6a8bcd57dbdfd0d09d71eb58d1c5cef93f023a63c54a4ad5df397618fd4e9a0b925bd2e260b879e14fc5092c5cd217e8fa90c274faba7cb8b0c347178145902b021b015edfcb0afe36c7929306212b048c16fc8db03e026178a4fab71b427eaca6459ae2c3b1a36cc610507319e6d7046c6daa76461d7d5e4a4bfe917da1187e76cf0fc49e84551d7fe6b75487256b3372278a78cef0b20e9b1d73e20dd7f3a1600c0483dddc807f48ad631eaea3e99f4560e64b788731cf9977d76d15a2320135e354669e825c7254ce250c405d3662329b6d33267a7268b64d4c392e9531df2d2d8de0f9f166d8f02e54876e8c626cc1566a3e3010843054b8b44ccb7cb45ed8b050901e09c5e2d44958b598307576c7160b927259b407a1e82b3c713e2de49a2de21f1e19d3f1c23369861585ad6dd802a67ca075c730f8078d848042533b1d4518cd4435fb7c5a58a2a957b559af12af0bd79bc2cdcd920167ba949b683ceeca6853402ab4d1cd7fda7d74ac47cdf8a188fbc1ef7ab59de8e189f25ce6b8d3126b31eb836495089b5ddd51863e6b1dbb33f1d37dc74851cb3b9e961fedba22ceab2d251d493f6351d44e3151176e9caf553cbb9212c4bbf9a3b4bc451d1c4351cc1d74582f49b6de28cc5ecee5f7724f634695d12a49c5ea57a5d089c421ac4cd4aa6c5d06843922c933b5ac0dcbed86e5cffa3403ce6db406e130e8219755eab1e37190e2c737a3f3865b9ca7925f50e4ee1c775357579e03ba0e7c0731ae9e62cf67901368d376510a68da69b22b5e60be93c75b34d0caa2cc4c327c72731a193c93947837bf41ec25c0cd50dde47d0740cae7a99117b76502191125c43be006e6b66c936a3f7e5a38806394a73e292e2e9d8aff930b4498d7cb0fb7d928ca84e8b33bd0ca7ba6153e5b0a44e149968665ec673b145950b3df23e2b141871f1a12bcde7cfd10e35e42bfc1247ad11f5b5b6b287ec2e45e09f090b0fdbeb4379219ed5ffed9d40c6dbc9a93498a8aeec7133af2b67a94b470a56e774d5bc6811401caebeeaa307c3edfca3bbd374837c5a29a1f6ba1a2ad05d60aa94d6ed8f20ac2ab7bb34c7cd0d3b585198867f83b35296aa25f7b3e0f1109288d9edc75b3b7827179eaa7267daa441844de39cd1cd2894adaf8c9b620af809f99b997e0b93f59affaa04c6224521159af9f3ec8dd58494c17c4ccef738db8a1752b298e340d254a8fca7edb6f6dfe338e87edda4672783f6b7335526abacb76ad482ed520484c47717bc1c774caae5d787c90dccf46245e7b6bc9d1092a9580ae4561266163cb9ae7e3956dfbf90a957d92c4f192f7b5d589ac0eff779ef3dd28fe124539729c8520f94c42bedb7d9dd77df55f3d33540868159bc1b5956018814b1d9cf51fb3969f87bf15f292c12cace26b16fa73e77f92333f756b1ad5feb8f6e005f464eabfe45ecff277fb37272118ea1e2d2ec655be3f6e45208490faa236cbb8c459a9829aeb155966db6fd80d85102bd9fa4d549bc3af927e227bcedc668b86a1c63ee7505f32ec7f53652cad65a71dc6893a8db3c80d00690683f97b47f4297ac1c9d92edffc70e3fae85448078b7a7223299d9de7211dde2a7b7a3bc0358c3d16da0953d347aba47522a5e060738d35dfdc14a3a64c8c694016e0daeaefaaf50bdab9d6b22a0abe2eeb63d18c2ade2da22db24479fb4dd3fe131cba41cda5f778ad2269f4eb8d59b01f5772d03d3b7368102684b40490da96a68c55b1a6c0e326e790d9329042d7f3f16a5d6294b3235b0c1ad2b3e10fc8d1b5a4deee6a8a310d2fc6fc904323d4aeda962232c7ff614fcf123ea7432dfb688ce725e0cc22b0471c255497137ab3dc1f23442dc0b980d7939c39157fcaca0c49e625694c923fdac5384346f32cd05dedb78c13aec24b43605e52f201dff1565e0f7a1b3d99288835b540ff45ddd41e8c9d81e23f305ea42c6c39a91e0b81ec2376f2257d3f31f594a387450e9fc82242c059758e515ec761b5011d89675b2414bc5f77412ccc8e8fd6b4ef0971df7b9ac67f18b3cd033f58f17ea3a29e9776d0608ffa1a5fec53ecbd7cc2546bbad131a2a3a71c141770b819959e4756472426cd9fa1a55e84c0af81a2467b785a88f31e09e58e7607088462fba2049a6d6d74a0b0bf89f616eef5f3fe6721dc09d3663236a2dffc81e7e2b9730b8fbbc2c88b039535770171fdd5f00c8be90109790564651b3f0955054f853aef59c91013f5a06f62cab6d9336e3223f82a725c8c39f6c9907f4606275a576c83bb5f46a55ca5ae6c19a327350345bc22e578db297e7f27653a6bc8eeddf3f4af44656264192fd44d9b03890826c6584f0384e6f1c431fb035156397f4a306637d78cc243f01e26e4fb2f189caeb114340909bbc051c222069507b5061c429fc1f072776274150d74422e8ecd1887d07a14869980ca19671a758d8316f08aa49ee03295364c6c62d9345a2bf2790becdc49ebcb6aca062d122eda3e60d45327efd3e5b97169cd09f9908482e1c25b1526acc2c958d0452cdb9eb69844a13a6cfab5f4da1cef21740348d7742f094bae5e98e86be11ffdd3d271eb6981245aa4111cc398af055a150cdb232f3d9528b7cb3230bd017e53020415ed11e54e40e60508f343123017e4331bb15335ee56e7b0a78f0d213c7fd8766b7bf3f74842ecff50e1e06711a35ff387ebb2e513318a082af84281885e5c94071cdb1da45fdcd819ce9130d8ea9a47969131feb78d765963a8eaaffb7c32d5a7467379fb01a41614fb6019cfcbdd60a0bd90eabc5c41e49fc49104fff6f84ca4a0d2ba395131ee859672bcf6bd3ee559a78317b978cfb23da854d8f6a6e2f02b92228ca77b287644a410e027297e6f3ffb69cd3688423160b2605437e8e6bdc693c3dad240ffb7c5443899b95f40473a8a0a84011efdc1666fc60cbe93c991185f472c489eeaf5b5e00c92aebe9e7831f5ab1902c7a12089764c8cce0f40a482e22bb49f91cabb65a09d31a22e128bfb2cdc07d94da808e112c7aa4566bac4309c9836ef6161766b69579924d1b55077dc78c8e755cdd501595ae6cb76bf9ffdddf0026a4d21e3d13a0b3721f8c0264be0504950c858074a765acb27a27a1a8d9cb88b55231032b8aa4d4655a9e84c78ce7c77beb824898fef25de99f73017cc69ab6ddeb00c86490229ab33d34394502ea9f88191a134736c8737edf1c08f3b9326cd481fb0a73f00ec45f71c8add20432fd03ebcaf327fff6561a24a301376f5018510d54a32a3d814d56a455d29eb5460dc61a3ba133e5ec403b2217ab5d4bda0fb0fa6bcddf3fca51379216cfdec4351c138357b33e1804ad699dcd1cd526f557f6c2ab6740543e8b55ad808d02804c3ed0fb4b7777d2ff96d77ce09b04293717e4146485dfdbc2fb6cbba6a029ba5cca1819dc0fa5fd64b7797f7a4263be15e9d238c66ea999a096041e1839ac22d1b862b211954148f3c8a8a24fcd6145cc69f8937ce61fa8d898ae20cd695cbe1d1a7e23dd3b7c2c5cc8ac62d1f54c76bc5c5baaab8746a70573682f9ebb8037f4ebe9f68b8367e8b84b10990684ab12b4b4e585d69ba03059c6022873956216c91de5abf79144f29afe7c129f1322394bc2ad2e2d2c42ddf19352d80aad0d106e0bde251baeaf735dc14cb639102c9be0f9a2e93913fa9b01abbc0f106d35d57d55a73df58fa8648d49cb95b12988f0ecff93c60abbfd8f1617200174b11c8bb3c8c08af5b16276698209e4196ce64ecdf952d0e6c7dbbb5c8b2cdb716443a4c18729c3e07aecdc3c8ee4a944c8262e2d115406b9375da6b68fa363570d61be6fb6164c5adf060e626d86f8185057ceee1ba17f5dd7ff4b1c0deb89caff703f164a0ed313faf74c137cef19cd006326317c10944b33f211a5ff15c7b7d97314034ad1a8880b9cec55623ac4198e895f381b90cc14c8a718ac3a5a9cab6b42b01759b17b164b4315dd0c3029ca1c6f3daf8e6016bf131bf9d700490aa766a01a00c7ae2f66b61b452beb22c5d9876397c74bf6eeed803ec20e110e80ef7e23073b6902ccfc705ab30e808ad8181426683241d79248698fa738dcbb9443833dbbedf0eb5ec922bbf3d5304bc302bc207ca414d6153e2ffee3b3b0265fb6a8123c5c84138e821aadb80b87bd3476dea01db482718591cfaab73d74110b69138c6b4a40a4abb9f74f6254202d70703c3457166688c1a3ab233499b80b07852ae0a3fdcf16fcf6d5aaeed1f38adc24df28b746fa5e6358f3c6ba37803895c9f6babfe05995fc93e12166d91f6e901a1b9788fdd583980721a54d725970530db5b15b079acdb26156019ae144ecaa6a0cb10f2a0ffd2e5125f42bae8b2d0d9326da8c581db24d522b4f78b273632b0ff3dd5c665c6259a6bd6d10b8941ab17159bf6883b14272725578f71d1eba05159a80d7bc20fee968acb0a48910a90e6d8a2aff8627fdcf338d6c1aa5a4ff5aa765cc898e8b2f088b0c00bd87280856600fcc9e788239e1b3dd935cb500665f7fd343f335ff7d4ca27cb5bf63b796cda1bca42d735bb067154a3437f0f919d224f214796ade16af67b7766579742192219cb7f82fe6f17e8316119cc6939c24647b79bead50a00dc4c2810779fecefc306883fa3e60ce4ede45c003492c298d5df014e7d134505f23e197e7f67c72c59d7bd9f73f1421de670d3007ab095198b355849f76b91a2b8a50912da8dcdeb7a9ea3bc75928d31129586217a89da4fa0df65d0bf868a20d71544ce577d83b1af47307e0a747f4ea6543a9b282f35824400ab8f774147d574b196e253167bb5560585aa8317dac0524abb28db0c93a732adcb7ca7df63eace24f77332afebfa6b1577fcd413cba95ce96513ca8a9fde1edd3a783ea6f611771f2af916db39155dd92da7f6c38cc69ccfd3fc44fee9faed1c824e67f4afe08d094f16d04bc8d5d6562bdf27a463cdfd223bb5ba5c537245e52095c0cf60c2f9e71f9d54cecf352cc86b7c632b0ef2218727a8c9f273335dae076387cbff6601e88fcfd876a279290ea6b5f3875e01a467343ec1813ecf2f1c1c2f06db7d5d5799a41c9cfb600d6c39409826e8db600f1253f731123a8f386c2a172c1a78c3c04e012a9a7d1337ef0c8b63d658e5545fea2bb1604d66845368bfc05c62ad00c0c1a812c0c034655e9f165c09241c6dead5cb45f7a1e022552216774a82eabfd3b28c76118edc6cda9f5590fd8303390d821c839b68e19cf9a9ea3e629b39651432bb709c0b36b7f4b9d3c2b452ce1d37ceaf9bcb017b8b6f06e7a96a06b2225167da1c8d4f8fcfd290cb7ab0e6d1a21863cbf9702040734c321ec3c8d994eb7ebd2e13273ae1b97341af081ee36e7bffd31deaed5a33c73360089edc5bffd91aede31de4425e4d4f27f1df9943d171baa42b0fde6913c5c94b563c62d4f2557d1ccd8cd5039b61e9fb9b9f2d75f3658eb8b27086d6bda75423d42a6e30e8b8ac3823cb961e02fe95c0abcdfe39ff65a81c4f35bd5d15e916f05b09771b5dd8927869aa192879bf5c110833b19e7f947093c122c256d9bf9bb7e90dc89ac6d413f4e8a6d2c48c5bc0f9df8b09d8b3fc5459d30600ebdd7d4c3f70151788a3db4f515073001f1a91e32a27f5b2e1e9e0b94ecee3a0d28e7ab7a0494b03fb2743cfceb102b247b7d290f4b06ac144c6056d0d90b52820f6c17d9e0c735914d09fc710d7fda95c1bac88c42ff3d79382f1d4e3d0f89ec618ff97adbaeeaf14f5e59b2acd34c5277091a06108ff6168229ca8ede9271ccd3d4c6ad17658d349235f7b09bafc5ba63ee91cf42b7de0c6a2ef77b8d187e82876e0470a915c6e8d38ec4dae55073e560be970bf9f38567c230a3fd4e1ecbd0a525fad9d243399fe9f004e38eb27ab5fd63ff7bca64e91d61d023fc7b62a2c57f8a8dc78410f0f2efbd62e15b05e1e236345f9dc500ff5a4fbd6e767eb1ab90c54c5c7ea110ca6819c744b55846d841322cd89d8a3466efddc02c67a03b1c166a46efaa3ea835760e2aaa162608fa3d438ed1acdfd526f206912199b13a8a493690cf4a76bfbedab0399b7fa83a143058dd060d32e0af65c4edd22e49472668bf814567302918e10f8972490546d04d47d0cb96b6f6e407e322cb44bc5983641b2df97870a7205148b7303830a7676ab9d0fdc354b273fa5ec3cc246032b1c9c1a8b1c3ab7f35775b121ada5cbf8c2cae2ea21f612af40dc0937c06a994362721d3e49785d7c9455563df722f2c52f1c58a1879f7cbd766b6f5aa57947ca90bf259f8a4ef90822832b9b1e0d538c2ec7b9e1a378186e8502948a8fe1853634dbcab869ce06be40dd5ca80e0b328238bc0be98573b81045a5e744909a8b41ca9afc39bde4e11a62cbd56f7b2f251cd93a26008003d69c22d6f5523e638523e57d93d3a403dac5ed36f57d060142e56d31ee2a06d43374d3a1a858f38a01848d2182da0fd1e846939a389d2f73589492801cdb3e7d68b57378f0b2e6f273f43f924f35ad03b6736a68c202fa664e78e0ed1343d347f2ccb7cc19f880943833976d6d1baee9a9a53c1045b34d9a44ad883849a24f4c2e8f87d96686047d9e6abfdbc97a97dce5c2c435c2a5628d9f5f6ad204bd9f5278bfe4b6f2fe2be04a0f936c69c272fef750079acaea645f75a371cfa94194b5cbd9cfc472a353ef953cb5a5a700eb34d486fcbdefe238e4e8c48c3fc53a7709065c3b63e89b7ceff7ef8c8b1bb987aaa7510ee5a6357c7cc137a1a1d9f4f6633372f180ce1536325a5174d1e30279c112e5ca1ead2368eec1a34649c28daff413d069e90cdce4f11bfbf1c1f6b51517e0d9f66f15f3ae78f88597b0ee0cb2b21757436f9dfe18332419fb37ef177f2901bf1655229114468217c9777f6902aa562693d47bdb9d0d0ef30b4af908ea3f43df77bb66d0f204357c38243dceeedcf49f028aed6798e10daa38804c9f1552debc9f80708b1659eba23e3de883e5074a2640f66277f02826d5a01cb29b45aac47ed3702af6813556c0bb317c46f8be2537f5f3d78c31688b923f8b5ac67c4ba9234f80e520491fe85706978fc9f7fee4146305f5af4cd2284b37a97e0fb3d5859bb291a1dfbe6fb5270ce52ca35804681dbc7e3f4bafc44651f6c6416443ef6c55f51d1bec228abe89192db2877a912f98e85fa83c05ed25f57f10012c5bb6b354aec5911ae8177454b8fdaa7c29cd28267fdeb4a68d3ab9c31f94eaacf193cd7a2318de182e3e4ffd5421376f1a55c523960ba860f5996a68945d4b246ddd6f435c885182dde0f37b24f97400dc1eb3178120135a5bf388c29ebbff4d9fd723873a3a281ddaf0769f2b555c8b1d7e0852359032567e894e2a358e7395869c7bb58f02f95ddd3fa006c2b45f86e337767c4aec68aa8aba68ee2d284c2a2fa16361473aa72426761513ca882ea912aadb30fcb506ea9de889a832d01226a5dcc0a84a26ab573cec31921d3b671e612b956a51a490cdc0087e489375a89fa24f546fb88669a4ab2567b721a008d51a0ec93b1a68c06edcb7c7742ec02d9ebc4f182c55d841e121eeb2b134444b79356213eeb896610e09df0600dfd4b63227d01f370c261330234f715a64f989e0102406befaf12d154b8990c3ce3724b1302d3b9042442f104fb63db0b157eafa1981add92c68653673f9dce53c1baf8918bcf8aa869713c2d2537920738cc8b1ffb72e66f6d7384150fe0a72d61b6cdbb41e3d1ea85722479d00a017a1b4f7763fdcc30f890ade976bec32ab50bcbc4ac52617ee37b1bd5bafbf37a1136bf63b07234165ec35a13f0533214d94172744fcf0677ab06d401c44898ac7e61a54f82ef002009eac9e9c7f62c1d2afd0d7acc826aa69da7b9a120217c8397a0fbba15ec7874a638f139b0c36b7a6437b668421c43218bc00880a8dc40ece0cbd8a259ca0637c324b878eb34939ea5bb354ff4fbafdc57f59761f7dbe0713e60c770e368feedbb64b71c3f469a16821a65dccd07d79fbdc15de50a00a12a9f181be9f4360c523efea8134fe74abbcc1b28346b1ccd55c9fbe824d4de84d94e2e798d95640e377883b3da1fc8b1698b55d39b945cd31517fd5f0677fa0fc5e940e8a86317a42d42950b817e107683474ecd96553ae201f98db8cbb775e6857a5c4bc9868793d980e4a0b184f3882d55d12b895132aab7ca015527c307cd34ca3f0a344c204429c0be3c4bfa692b3bf5659afdb94a9a69103980a7bdb206983860f57bbe43fa2f456432625cc6b05f662c73aea43c229ce840ab33a112149822f7125782ffcf42ecec2eb26f2166d419e1ee42f015c48ada2dda2c47ae5dc5726c3d1b52be5244f6a10263627fc079a888eac195e8affa6621ff01ce85b21c208297b78db9ab894649d83ba07677e40691e207bee5c8c1afc31cca222b126e0010c2cb8a8c4bb8df301cc8c2d53e92d68991abfaa7678ef9e9c6b60f16ee67b913e3e49dd4b8c2b43adeb3cf01064ca96b8bfbbb36c0a8418596107cd1eb8198c5fe7f2e601884d88fd1100b45343a572554ed5556123c42f220ddd6bc858f66125c3b84d4290a153d956a37b3beeaa680fcc58630023eaf42d2b62bf47aa55744dcfeeb857b82f9ce12f75680eccb940425a1de2fb2dd9a5139fd5e4030d18615802410e84281603264ab96e336fdd9a56b521699677a59c0fdf2faf7dde535bf3161220045de75a407922273cb78c27fe7099dcd54effca0522294ef03681aa43300ae1e5d4623676bbfc53a002653d6eae9d3c0db37594eda7117f16358afef343bc1b51d8bf6683bf7fec5c9c8193550c7c72a6893be769204a4b3466cf3adfa8504f98522e3b0f5f5fca92d60821ef0a0fc65747684021fd8b4602b9554c5457031c7990fa6f998e607c78db79cc0fa598bfbc5e280b0a4b5ee802e7258c0a2ea41638d9acff6dc40a6982610d539bde09857e940f774440d644779982b8f296fdd2a6d44c3bad450c6a277b1f414db3239dd877510a289da6d3d065727efcdac3961f943c24b02bee0e67d86a2b19ee166bb901c82c56a37b36428012ce3d9b7726ab33828960ce85c2633c34ac0bceabbcc695617f64bc554390bf3d9c7fb954d97fcaa442f02aee9554e69948e42e73cd0bb4596ceab1cd1e9d2231d663e6de9a303b813780139a28ec57d4a9e223451964ff7a9c09483a65c9b3c245640b376197f5f44b0ea0484752cfef5ee6f906db4e3fb54d2b2c47bbec54de329d67e5a97febab05c4dc05f2c54323746cd0465fa9938c2b3c3cb111a259dc86f9c74d5d7a4a5129d79779b2d1304fbfa6cad81b8e2777486bceb5784ffdf34c91e4bb5411a9d7bc628030e7a842303b78ae496add2beda69db5132b2241087e29409a242625ff4f1c2952f91675d7c7ccd23024bae4c45f328e96b7665d3a90efd13b59fb5b55a183f91eb624ece8229a95ff78499628b0b4c28dcc6db8b1827cfa860375f63143aed924630f4a007ff69c9b5006596fb7e1c60ff2a26c47f14b253df8f522b780b7a320008d7bbd888c84507511d6d89116afc3170740b3c8bff54449774c5abb162b6f761c56dbc0b5fee80daf96bff96d37ee387dd379328ef1dbecb0b0752b092780e7bd51924de13aa4f25df48098acd55b1b28504117b829eb983768fa10ebbb290dad24ec3292753af4e7b532ba4922e2ae19a16a2f67f719716dbc6387a7cb98474e581ee256a1ab139c79eaf9baeec733a0fd8f84937bcac2fad79b8634fd318c079b0e1723c2ff56834e310a9b7a1154e13c02e2f671e868fd67e431233cf7181874b1d56ef857baed0bd399e1593d9550a7a4dbb89867a64c96d2d5f6c12cb5488cf9ff369f985f7ac6015ae055adf5c881c8fc5aba32bbe4437e20e3d0d477cb0d9861e06290f7f9bd4e0d2332d96280a049fa2404abfba8945f385f9c7226543bedbe966bb20bdfd8ccbe786b6f003659f25a7a0ad767d754d9b0245bcc421e171c5e6101bee7a0091d60ddd6451d0aef28f533bfd4d42edf2c00ac47fe4873fdf9243afd435098b20403592521f2c07069503ecad6d1e9db00405b9269357e08ff51296dd268b1220a8eb3ef86859c2d8abb4a3c4b2afe477faed5bfe08c76c371fc55d9db73568703d7c3e50fd4e5e42107de711f7aa1d47708a1142ce38530fba9adcf8c769074af4fffd8b447160bc043ba2a4d6864c5c8351a1241e6d780e21c89020244d1393c6f8b09ec4ff7500a233fd0c4be8479151d83334fc46ba04995cf8adeed9fa9a2b0ae7a873bd4059d87321cbb8c524e5ed10741e9fe4e68c2e490237cf492d14513fbed68dfde05be69b91d6e2701101b7b989dce7e4a36d9e9f6155adec0470cba77334e6faf660868839ef9b309588ad403fdd6d398c777b47a8434e6ab077043b06f5e058826c5b9197f47ba9cf26e1a2fc89c3d489c311f4f26d78568a9d56e784acae708f83b8d43045a8218264e13b633d744d62f7a6bf6ee2fa81f7fe02c8430db09dcb7da2925407112dc5098ee93ecf3bdf8d116b47c19650730d38ec12a84c34684ef6063a1c741f932f3fb571a9820039f34ee17e4653de9e24ebf8223e245e1e36605769854c5fd1c6dc0716dbd95f4ea05672ee53f27470cb584b097958730016d824006b7f3dc5484dac5eda6939fb086db0c7f89d6a99825e7402b45d73aa5f3437a7df8cac98b65a73bd428a3b16bd805f409517ce8ee036bfcd046929700133334a329d03f213e67ef8b4caa197c48c7e9ca1495f2715866ad07dd605673e2c29cb8257fdd7b0a3fcfdf2396b34175e55c24cb8a269368b1e6869ec9d2973bf6ab29268dafda4159f9ca448de9fe25569c8f01ecfb8c36872be9fb51e133ff24ae2bcac35e874b808c7382794e07d6db152769910ac5e054f114b4dfb32d6222557f53ea4fe23013ea5394b9414e844189d1732ff21c3d82af46a11dbc302aef39532f903c3162fd9442046fbca555625a4f73c81c851f4483567c917ad80c0c46a005bac81b84be25c5c4780d61fd172f0f932d845004d4da9ea1eda9ab71c99536ccf23b6e605b02536c2cafbb8810cd7c7f3d9b02c8d43245c1779a0176fb45c5ce0f01620420ee2f1f0afd3749a802bf811670e8c4ef166912887f1f1acffa0685a1e840d0296eeff1dcafbf36c752bf351a12aec01e3bbd480374b8ffdf9e7992f38b37afe34983541d13097124edc084054ef6e6fcd12c18b43d50078dda3b88b5f554160b8b29c0cfeaa9abb39f325fb16e65f78f31fcd1880174cc8ff5946e242efc33fb83bab1f228505e81717b56d853f8b89e8b341d7bc23a8a11848e2bf648196a5038e31ee6f4ebaa96e62882d8b0bb118e82c51d0e4c73807f889bc186a46d1d0ed770493a894cefc18960060cea9caa45e9aa890afdfcc260b8f6508d60784c5bef72bea58ddd9a89adfb74b6d5892ee37fe4994e0f15c0fea821417d5909c33942efdab662a069a5e184ec151cb7e6b5b883b7500b6bb989afb9b25e6bf5c389dcbdfdb23905fa264e84dd2e390e281055b4c62b82a202b1444a89fea67755fcf36360fa6f4cbef4e8f0f67be28ea2acb49016eb1d273ca5c71691c4268d5ed5871dd732318518f057efd17b264ebac412688a1743cc6b476cc4b23c2c79a4c76f549284c9775a29b3c11e94b797ad19812183848963470aab980905b39452b168d0c10779e79026a0867a27837ea0963a3334ff1af31058c1b0ece060fc3c9e01053e6b15224f95a6f12dcb4b85c10e238c4ffd67eb6e4440dc4a55ef1bb094987e63cb59813d4b312c2643a99dfafca290907bd5b8cdd3dcdd8cb0e73787c226835455f365781b4e1ce95d02794d4790be80558e6eacb045e63fb531a0760c7b7cfcc4b10983e99942e737ae6fc99d287eaba65eaace905d1b77189d9a692b64c2e075e60ab2cf2dc48725016e4c8741b4dbfbfce54803bab6fff7dee6af90dcd39a142367cf3f64492d02acea7c753f9aa656514b5412f6dd90b9bbf77728b3044539d67994bd07a1dfc4ebed97e085b757073dc956f9a246b5aacb677bf79dd63e978dfa8834cb2f9d58fc999123de8185fe5780756b62293b707b9a892bc0fb031fa8c6a7af8a21625a45578b6d9bd38d40e0e2b1452a14165bc87f8044c9d47e774ec66de0bf97b59e4da7ba3cc9b6f92605e393c1da5c226e5c13ee32dfc0778567804eb3fc5fb63c6cf9c509884492a0c973e401b710a38eca1f8725b7daf90aa17e2f36104cf22952dce65fb70487f9c173693be0eacf47affbcbb810e6233884f8337c8bd1d24ca1cb7ee810fd10f08ba7095bf16f41e02ec4a78e771c6b3d9b658b2988a6cc1cafc59c67149324a67fdcf17ff917a798f7707459323c4cdf5b4c72a397d40bcac7e408cddd7a2fc7dbd82ad80791a0853c40e98a44e6b2c654fcbd3fe999c297396d132f87b3c25bbeca9f4f4b5cf3c4e55a6f1841b5b3b6836f71cc5a33a462be355e9c944a1246eb140d13743c5d8ed4ea1ffac12e5856b73b0b650649a9cdf2769802654c5808db95d01879c99c6832a059230c8abe730d960a33485484a6ecfca9286614c0917878d91064e8401638a898c60ec7afa7c218098bf3e4dcee138c2eabb106d860f50fc270135ba1e14502717edd1acfe17affbf9a67062d79e4a9f76d49a162f9f052cc10591881b983288ea56c6452045504c25878dbcd435a7c0b384df871f9ac4816d00fc75cfebd25d217e41058d5af03c68bc1e04e5608c00e9cd7dde2ab8a2adccfbf0eeca965310f6c8fbdef16d28ea8589c8eb7a1f389c82b3f1fe1aeac9cff77f5e990a17ee9feef0322c7e5c38e0a0499785fa0af62cfaeb3e80c0502d78268a9ebed605a365e12a0d983e8bf80d115b55301497b6bcaa5b2193596200e34adabbbf475346d6d35d9a3e4e60363ca9b4817219902c3c437a4918815f482016c5d83c5ff4076276924693369571f276431c643866ec415339a9c079089735d349f093fa46d94d0f77f307e262763f08207c9f9ef89ff3e3a35d740d4c50dc199f78a74898cd2dbd72ec026c97a3f06c8701054eeb3493216e9fe041b7839057a681b699862e1a1c21246021278dc7f271d02f1afdba385891b6c091949193ea6759127fe51d3791e83fb1567a3bea668a1915a8d74e4192069a0ad7bbddbea9ac8dd6fe6669b183f47aa5d7d1337c5871ec2053f661a50128327c847c2b40d031b4011561124bc01eb00c76851747a1a3cb5b6b44462033b8cd0a15fc1e958d9a755d93e8965f60f8b64e08992dd4d1d466e532de3489df5e99cffa3b1a3b215f83cdb07f371dc05ed58480c85654f5ca001e683359f13bcb436af1f7d65339ca08f5517708dbfd761f2f2bfcb95d9647d49d7321b06973543d83959bcf87b694ca4312c90e2234bc5f34a4e6acf4109ee7b30618636fb41ebef519e41534f6ab1b0268d964b1040dd99a6c63481c4f85e440a7d24908c53c9eaa7f8223a4c9283bee436b14d2263a4eb4d841809b3a6ada30a0ca74941c2c0e5f406b970cf0080234bdeb603898684bca4027f803363769620c96271d36637b8a409c52a08d54f7bc1c26438313522dbfd784a8840cfe36a9719171fc193deceab52922d443a28285e1ce654ce93f87ce673ee6a42f5685ff7cdc75290352e6d128c2591554306d70fd117e137a018b182c331bba74c8e57dc8b6ac21f90edf95d4ae408cef9488d6240b993b1b496371f6e9f4f7be9f0a2d8d0833b3372f1978812cd0042842071be0ca0883c70d928bf3cbc8694c4816d3d34f05419c8dd4e093fd16c3c9e8db47b71d8aea020ab1e58a8be69b78031f4369451ac7eaadce5292f3a92b564029ee97811f5870c844711cf5b12bd535b7cae6d36f087583ae4bf1392d9a2ab30222d97df83206f82e6af6f45bf393f10d511fe27e819738489d81c3c85fa9c7edf2e83ab0434e6ad3acb1ce6445125d8402a9c66eac24da22cf54791892fb5600b68e9ed903e448ef4354e103896e5cb83b6d30100743833a6f7a34fd8040ad2d7455d68df92d8e08bea26c4eb1974050c1775eb68f4bbc8e0f945783fbec38d9faeedb026c40b90b561aebf5f220baefe42a6a2bdcf3d843797e058f828223fc9e06136794abfd7d1201af01a1d89f3739fa2543d7e260dd9cb70e06f9b8c005d7530a5cd590720255a8fa520c8dda07437b010ec6a55565a3ed60ef206580f860ca7221183e09ccfa4f5c413f633aed9d1047ea92acbe4bda0cdc7d77c09f88da93e4f593b4d4b85332ae2d3e391276184b3cedac50b5ed485f1c2942aeaf03662a7493829f70c2a4f0c9e017e59e1895d53133858fdd05432ed5733d7d4e4bc77dce9884d6638f0b00d50452fdc596b170f322e53fe2a83fbeebfe039160816626dd68b86f9f5d8a87723833c7aa0f3a1a8cf3c45ca918495b051ccc168f0c7ce7cae1d9d1796c55943cdb80ea22d24b9c60d71b9a3d93b08f4dc04994b340d1b28fb7151c8ba6baa854b9aed90823697a8b4c6af792ce95e46ab465d24610244b6838cde96d7909cfd2b87bb29e4dde8dff3c55d47017d703e98731a106a02b4f144c1a0008c76c9dd2589dcf6fbe85790e35583747724e272f5079816a46de5718dbb1a04f3a3fa5c535b9bfe7735c19a926921189b55c404971f727045a3d25c626efb702ab77d435b7a155bdf26cbb453c8e206dd365a8a9f546680f8cb016f489b44dc45e1248d00158732519229adcc71e0874af80342e7f3f160fe8602f693539ed5e4daf340aef81f49eb19158a56f0fe0b82cdf5e5fc1e1fba5acf764dac0322f2045ca07cf5a3f299a81b643566706b3f438b0deacdfd6e6fae950da7564bb648980e8a192c72e964ceeae11c2870aa856eb10ef95e50a4c068c794ff87469f8f0517102232c4bb63307978301e7847a677d0d5143cea4b48c992cb9805b8d0edfd632c2f9dba7ec90fada957af13ff2537245721d54eac1bc0db4a8d0a2e145a46983fd38c13918b8a440f39ae0ce127ddbe14dacbeee89c5bec666767ec70423ef6e569255ffd12e47d53e349ccc351ca698d8b3661d325e2ebceedc5d7a87fd6822c1f9e95871459c9d080187366299ae5afeb647c1e7fc0fbd1790708be2c0d7d23e616cb8518c2823ad0d1585ffdaa69ccb6d5d8e20f804ec15ec27fe80b36d2da93e67a770143b8228a850401f3473649f8afcc77d6561ff84ebdb3d6a32ff4995d30fdd9c7dbc5a540d5a949e1cc93fd49f96589f27b3058b8a7ae6a9f5d1728327d9acb45b30a6f633ccd1030149bc861eff32cac2afff5264ebc8fde6cd114a2cc4b8d786c8258d80abf5ba929055709333706b2d62ad5a5c900dbb991e2aaa2bcc3df2e525784fe54b9a74144a4deeb1aea37f38ecffa92c68da3b8b779bc40628718cc7944cc5a2cc53471bfae347ddd3f706715996f97a4eacd50c79346b3141257ce0d397bb142494c20a3b9f4222736ac2c813f3a5d3c32775acd95420247007a96b4819563e228215a81d182ba05883bcabb95df9c3fccc88ab427ad2730ea34c1364b021526a486c541905c79e74cfa70cc45276b25cae146d56bc34a0d36ffc9697fcdc4bf9e3b219c32378150215dd84dddbc3994747f2dbbbfd4ab4118af750c91bbaea8a6b9ec6c52fc25519c5525142a571c675ec0148cb517bd04e28dd5c78f345c97b9fcd26a79bce1a03abb3b0e7a29af23c008f4b8b31e847b1d9cd49db847fd1573854a6ba0dc09f2618348f5e6560b44f349ac5855c711b0d64e676c06ff190a0e331a898c8df82badcfe15f44ddd112fcb232d4ecded2385b087f14bff11faba40f05751eb51c02c02d18aa57c785df57a392b8e38c8135b9c237709079e96a1d5a5518e16f0ef12f9cd6831be8fd50536a5f50673ba719039b1f480f782869031e93f342b3e389030f16ad0438c8eccf235c476eb0fb0f6f6154399cc63fdf8bf37b2c845728c72cb6bfc53af9d4cd7eca489fbf194e4cd53a205b88ae8e91f3712a968875a98424282fc3cdef7d2e91b1f0bf47e6e39fc99e99de37b4dd216951084ad6adc6897cb9e3f5bfddf10f6d5d2bc703d6ecde79019601b3bbff596ca1d487b5fd18ea05101705f571efac7f12e36193d359a4bda63752654993d954235e4720b6b704dd827967622c4ed59aeca0eb9d2f5a44b8263c63b81de7916ea6dc372cf512093e0edfaaea64ba20865da0e81fc171e0e1ef7f6f2e551b3f8698e83797cea76c6dad50066a233f760dd612ced521d29509fb161a4f7515c284c52a0d85e418e78a6ab1b8b8a61d123654e6273af6c7f6e1d21d5029b67b1138efc7163c90d831bb9be29374fa027257e5c1116f879e2842c26b415a9edcfdeed84c1a21791ed688a0f6b53a24ee5b5a7d265144afa694b9e55f7bc6e21622b456f2801cc0ce3099396ade05a3d9a802b027740e21bbfd89462263c2849d8f4b8ffa5efe85270d3c524f74bdec4f73d9995d945b613e30997a1ca9c1a41995666c7f355eb924f6f9e3ba61aa82b1f19968b0135fdebb9992b249089bbec408d16c5619a77fcf9500f434b78d6840a799625e9056b0712fa613ac98f2e87a2ea5d1c841c428b3d26329e566c63a990e8933f13dfea87e7dbad5195606842e4daa275f9e5ccd4d8065ea5b5bf721871274b69a17ec571c74ef097f70a9d751c1223cc905dc57f88824f97c7417ae95d3b5cba8aba3bdc591f4f30b730c5d641fccacfea3807d78cdc51846862957ef30684d28b355c9932172a7e9052e638df279ee7169052739a9a4d09263b38ecfe645119e603117cf3d91ee7207a44582659b7edcabcb36e8e7b4480b5d5c97511b5a932eb9774cd2fc485cadd7224c7e42e50330e50905e66259c93eea983ed2ab46562bc61c4158ee9493c1f21688a31a43a2b387c12668385275a809e58cce3266fd345af0945d499696f5e7728cc1ad496eea148d6e9a773fbe19a109e195f94089325c141ecc71799b7c4baf5913ee32e77b11f4b5ad5bff333c7b835459c8394b13fdceb71205a6a14e1378dfb2f5b851eec60dfe615a83cfb46ad464f7d81fc324e9c64e37da77a468aaca33ee1c6b9e023f794a29333e44f976974bd471f6de7bd3c4531281c9db3295fb3f1973f5935bae976eb01d8c2460a1ac4b76c3466015ab60cc1e1a7cc120bb192fa007d60d28daf109488bd97481e601a7b7da4b5d8f4b326a5f2aaa1f8966fc399540f4a6ae503296235a9c3e12e8fc11a7d9c00c557495af999f48b84404cdaf60870139d74787ea72f227ff71c695f030a6ca6a16c1a87d23f17f74d86a8e821c19c1605c33df17a29a9ce60bb3d4c1009b47a7024676cc9f33f15c67da462376fb66c0be90153814c65434fc27cd614aad56e3fbdaefb04e3f0e493bd73a475d2b359065bb7c9e4c12fada58db7bb9864c5817e145767e2e076e2f67a6524e929da9e804e8117a219b045d0a2ee4644177505ddb00e8f8c7e308589afffac5997f99567dd7a111d3786c24362ab682518e2a8fab4705b4e2a0260c940a79fe0d98001065f20359554213f836386aaf0256d27eb8cb98b79b3c7ee4e88d4465c684864a0010c9aa372442f0a5b3beeb69fd8d1d59031ac5b896028643404c890321c731765a9cce593d6fdb1cf8929c95a6999f99095e562703e09a06160c1855cc25a716e1f89064d8398bd23502df9e77adf019d480b214eaf749be2eff5303e69e788c0c4b5c2ff9fd2f46ff1818cebc529187dbd26e26a959152613af717b8e4f0a6abc0057e9a0b4b65321640879c32969ea554fdae8e3a9f0c2ca683d66d0ba422c6eb410f56ec587d17087e748d326dc451806deeb9a3680a8ba87f852735fcb6ed0b69553c71744d41e54548dd2caac534c8fb3177919ba38ae0969780adf1855b846670f656fdb76696f71d62d5c24f92c403a33cde67ba3006b59cc6ef4d5be3215c2ead981775b7fd919d7bd63011ec564dc2c01007586a0f2d85f5e91e9cbf172cae245ba6327ef8cc24d4a81ddddd627bae9d5ff9097362833a46bb3c17a8b12a7e20178628107bdc4f2a129b4f3484c57bb0ff7c3f1ce6e971f921d5b404c6ba40cb1280932ba3fa72cc4f2f4ec22bbe5fc77b1423413af799fcff52ad90ec545604ea8cbdcbc03e01746f866cb133a244968158d21e1a381213b24869cc96df17484c9b4a3978c69d8ae77bd88a23b5344e7ca2d611793fde3af93e56d5b511ba43fce33a8751bd2a6a9575aa65e8005d56211521c0e65b180c3622f68cfeadbc612547295b36890b6d021c15ecc37746f7d95d681c9b8010e8015600d0ba661d6372af0aa8864add01ccbd0d6a72adda5f2321c77564472997013e1d9bfd73754982536a03d23446689ee3c31d1a5546a09524f6da1ee9a5a4d5ae7cfe02f7dfcfcce35c902e52b8976ea6c8c1242ade460e660f0c56d844979eb2ac5bdf3847cfdff9c77b0bad795adaf775f5a12233a0e376c4a7e4342c8f4f5694f89f115236b53cd3ac6b0451f386f8f333864ed4941e8aee2e9d459ac3cee0e48c3a49efc83f4e8c223c142f8ce2b3d5a1d7c81dc6bce88e2a3ea9050772604c9d3ff6a4d4117102c792f61ba35411ac040c978c4fd55f54657e79760f5b3c117a6b669a68a1864738016df75aa2c4d85b8a9d2be6f02163dfef1ce6171124e2f12dd2ce23504674609b001d4355d5b7914ea92fc0cb8d3aa3280b7212fe83aa08c3c7ea5bd37063acbaad245631d672d6873efb16e525de5aaa69c4e46a244f47738b5bad9e5c9b9dd12c4c7b6715414101b634be3787135345bb2997d4ca99ea1d42c8765d841dfc9df4442ac7b09ef29991f857c73853d6a88193627977b69d125f569f5725f5cd740918c4ad2d33f7643daeb22fcea0363fa54b0d3f9ea1a45e046eec1a36ab69fadc7fad6f1e257941b5faef346e6b730bbe1d415296c8ac5c1883305750042214b1754426c132785b9fbe2fe834b24dcf3cf31b0601a2886852ac66dc932b14a38fede595c7fd551caffd2bc1739461701381a9930c917f3aa1e568823a6adc968c97dd92e9bf06a662114ad62657ed90794b0681bcab6ca2f8ed2cb406048c5042661788a8e99209212e0b60f5314a07d2b95a893853717443a0106e0e8114d3a5d6c6f0700102beca83250af679272de2045dd177f5fbb72f19b76d323f99ae22cce644d2250c87f7a1fb9824f97243c78b5558d55c9c661edb8abb213c361aeefa22463c84c0f268ffebb45df004a719bdee731a1b36ff440d7b957c5ede98e83cb9b4085fd5cf3c5a7d422932f2424f640e500b79f4a18975dad90be967108518e848d89c69ce9fb976a71c07f8664130b4aacbb9c189adc6735ccbe12d4211208a13f93538d73ce6baf1bab1b86a3e53bcc68a44279f0c782c6a4d95d0759fa0645d78ae69375868a2410054a9859b841a3ddf86ff0d5b3632bbe8fdfae3bc1caf183dc0a8043f48c28c187b8305c651c1439a1354f8a389cf81b83d42b7ff2d5c2f6193de0ea02a9031c1de6021c9cce7fbd3712ed58cfdd36b7f6704373b356a2389093494d6ffe53497e557a52035cb79feeae8c46243756bfbc1b42f682dcd3bdbabd3db5135c0a0998bd69fdfc354568584085c4e169e484ffbd120f3952503b45b2ced23f244f2b8dfa489b27011744de27d2897a2b8015015d0f6967a3bbeff0e1396a9d14d033ce281e8b3e7926fff65aec9153f109c9cd97c017f15ddd1deb32e0f385fe6420d0220c28d2e6028b5ad933d4628f0e19d24bc94d9dbb2dafbf385dd99ebbc9ac5c0a19e82e1030b26250a71ba88bff25532795afaefbadb6057d28ecb7b1e777e26bd27e6c712a0cac628faa0961555a72d1f02e3bbe78930ff3ff4f5cf4b332619bd6639a8c058c0d0ce8ff418accaacae74fcc9975fd1aaea2780f6c7c409b36cf77d7241c716def5bc3d81f3a3eb4924359a0b37be645380e419f27da47aad45c986d8c2b6f58f4d20277b7193cf31ae5f8c7696c3d4578842d2df631194b17719b3354166acf9b0024bf6db5f7722428dc746a8c4f3994a7a64ca834add0ad259a871ebd3010b8b742262348c6e3f62fd70d2e62ddee4c05817c900f37e9c917095bf6d88f7fd05b2621ca3f56290dbab090f36d268789b6ccf97c36b1a249f66fc08d83bce54f0a51f5364c4b8842ce136b76b39db979fe3aa3b312fdc0a4d98ba8bbf8a768531e170454ed7ea689b78de5860eb1bd5f39d55e15b97d0076f975d56a07261dd689e3c7d222998d9068f4d069e0649072a0816e89669bd2f46340070d3d53f5899f772b73983ad07be40b39a2159f4d786f9eb76547fcc66cc2a0bfbdc8b5877b8798793b1ff6ca7effdc8b434e218996d5bd0421bb365ada1d019496e92a755766dcfc0b2ce80fbb5be54f89f74ffb62e54e93bec1fe75c89f7adfd0222b3de821eeca84fff369ebef1c1d63f17aebcef66d55832e525ea1602cd34373ca352fd1ca62e5749436a6dc2642ae4714d5329f2d65451a6ae3245656d7910bb205af5b3f4724fc4cb300585fd7634972acc68875ee09067f1ab1615951e49db3941465908d95bddcca5865f17c069915929a33119d03b80e4ec896e05fcb889a0b96930e37ed24d24f4c4046129198b7e655346281829ccff597aa5023e09a92c6e01abc29fa898beef98a13ee02bbf45873b28b2fdd5a0f1c3b4d6377abcc224caf0719a819bba26e975df1db7d365cc47a7bd7f56eee5257655562761848da2e957ed4fe8fee65004129ea9b0a9304d917d07649784cc81edf3333096cfb653e5625be6dcefc7590b921402d5bb768634c29c015a5cca9c8c5845da848d34a6ebdd06d246ebf216c449a28964081b843ba5dffc093fec0aba7420f7b581816b0d5565f9b1b3d8c8f0b01cbc064e14447ad56a8e87bd1ccf9d99ae07e9494592a6308af9837d0ea7649886f87b3c28cff9a95e1219ccca6a6e261c0e8559519e6edc155dbdc59e21b097826d4cdf21023c2638c8a6e9fc61c46bb00d4954e7d06f1a62999cdce2411c4ab15c7d67e530bc51abd6f3cf74930c88433cee7a92347768ab7e01c5b0199d4c832e9855d8a828585662e6196bc19680d335be3a453324e5e42a918087ce2c05a25cc567cd84dcf17ed5d642ac05a648230f8d85d898e788efbe9e2b31c4303ea6dd51f0c48ddadf5dd23b5cac3e2525ae1fdf6103ee3ebe5a3fc359b9728c7a20fa0f76a5ce1437ad58edfa51afb8a452ebe806af610aa97590aed7c0e7b068d929873a813799524ea1d5d19b2542e86e19be2901f2c689b202ce76f3ab7e9f5b744700e7f2820d05e32c6892f8cd7765cb2fb7ef7bbd064f7c69630024d8209a36f2f696a4b851b279af6473d06725f50b7df7ff7bf7e02abb086bb53c774a592641d07fa438e669533a04de8d5721dfcfa648913677055a8522c19c1a195ba013968fd3bbe7b8828bb982aaac92fb528fe721f69211594bd545334e60859ae1fc4f49a8ba967b0dfc445e7fe148c117e0666e843b9678b40e7e6f019bae4777132b3ccb5fc4004bdd844f2d05791666219a14158f8e5c69ef6de58395b3f43365f3452d5b95ec3da11ea87f3fc7d2a1827e8d199f2601879657c45a55b2574e0385284440de020e0d256b59bedaf3996fe93d8e66a9f5392b91ad2aa6c766eb33c524af46b5529b1c6f89137003c469e0018ba7d3df98ef5ccf1e8f67326ff0d9c34b4c2b219cf248ac556dcaa909185fc87461a40a2e5b742d782d649083d1fb59923c7a41526ea268253b52c61552427f877325e4c3dffcd048bc4325de1a5b0bcf188adfc5176441fd3bfa40256a257cf81e3297fd06405157b46b3425589f5f082432b84a21e2cf31a502cc35a82b51272a17c4f9149ac936af8c2bfa2d85485baf308d425fa7dde3020e13f174558dbd7142c87f7e5da34458ba420c450e8762bc4dd7e4bf5008c9a71a168729f1a0387852318a06cf31a666ab357a3f76ea4c11e68094d76dd8f3da00ade556cb996db12bc9cdc09c38572f99fd71d0fb60adcb594607c774784ddb4fdc7586caa4d912ddf51f825e6628fbaffa24be7956a749cc0b8ce1dd4710ce481b955bd8d062ac46c4972da1107d3d2e237222af8a59bc0af648c02145b8ad705cfe9d80245b8502f403653d296bd0b9e2218999435789f532faa70c55733179ba9ba94a12fb4ac5911f3180d75212141ada6c6d2c139cc6945a76a5a4c5282b812930d6875e842c12e2f53a5e747e1c5d256bfa0bd0db52fe3e5c4eafa7b406be0bb9d3dde9821635e7c782796a0d1b69b4051ae5617958fb5b0b27d04de0fba5949c3c208e04cd9713b9f493472a2cb50873794b58f30ecd4f765b2da187bf7c4d5aa5e56e77b86f34a355dcda8f785814f8820854cd852c15ab44db555ca8b063a36b0f862d59a5bfe7355a0be38f441fdb7a0fc224b8ba32c0a106e558c382abb73d0660467fcd93133991a176809f59a8e10124b38a58c294531c7a2c1811cce21bed18b056003f6461ce706f74e7483252b4d3923a559f1fd4c64cebd47e5c119b14eb2b599e2247762ad4da73e9bb656c855f166c529367ede6351cbb1d332a34d19db7a6f4efde942dd239b8af53248a68c3c8c58e81856d5f99c74421af67eb817f06c016de2b2c875beae9e4d856c5a2e66451eb5d4c197fa5544d40d3e97202f3941156019b5c7f94b925110e33fb4454b0bd17c90679363849f6626d33d4a06560b807d1ea4f81dd3da3a999d2a2f184aef50abeec7138dee8a369dc7a864f79979604aa634e99340faeb4f5622addcbc4053e550ff00f01160a066e118bb278246632c0f1f2477d808e4db22291891856c704a4f0ec3d7ba22465f625324ec2407d48196edcba4c141999f2b842c9b861f66dd7a3ecafa9b03bea6e02d72bd7b19749e7fd85fdc1ece6093cc568426ea736d67fff9e96e91cf609459445df3195db038044885b2353302d4fd2b49e9da8adffb511145ccb4296a73ce358d5fdc6ccd8f3bebec92043b965bb48ab330b7449babdda709fc8d595758e2269b0edbc05711cee236b81c97f17bd310585afca387bcca73021a7b03a5e41d4cb49c870c3900cf364fda444a71bde673fa58bc86ee6542089e745d3fbbf536db08c739ae4dcd24155eb35fa52576ee75ff7b8d292e10fd2439c8a2fb543513192a8e2996b28e859a337393ddb0289e75cd4a586e1b5b91c2f93df2d0cdba868080ff0d0b5fba7facdc6cce40a396e782d870c477c92e36e4a2216f4c47d3d6dc7c8e70217a6550d0de89328f44bc5e802a950907bca1a98f47b46956f81b069cbd888ee74c9e9b991401d69bc4fb226956a82bbeeada7e350f2873b750d0f5bbfcd4ef3a8ed6426ef84bc3039ded99fa82c68282c5be8c874fbb504c20587566d966e55026c0223f5557a3cbf50eaeab7c8c75a1ea8d90ad458784cd6a241f212a34d56bf284a50c5026b605f9d72cc4d8f129dff55257a52feb4e8764673b9e8bebc4bdf4d0180b7d5c22fb8d4062900a6f0d5763228fbb10b3f734b2640e0fa538bda28947c6c51e845af30b3774c75e7599fa1243f618fdb812f9048466e97c2356d8ec39ff89e0cc182c696ae4b598caef5eb74d829239cbf604dd6a3f4b7a72e925c270631f77e31c5b9c9ef584b939cfc307cb6450c0f0e9d3f625d419a8acdc6d33ccc0ce0720bd4d321a451e2e43f4fe319bad5e70cf231cfa274e47557bb0003f81c749dad0690d567c55215683f4551709140d68944e81aa7e1b0cb8fddff7214497eb646e89b1dfedaef98dc4d953b826b90caee626045f4e530c9e95ea26daeed6165f7abb87a2674f680a04beb4674495ebd905502079c80cba23b55df66f303e44373326e5e319f2efce432f6069d27822080bb67a536f67fd9fe52f64693204c5742c4be9af8574676aa2dc445f54bac9e09988ffd829832863e682d3fbe17945f3420283b7eaf7604138aa453e2f429dfe3d0cd322a046ec7dd2793d2bdb63e04699701c7bcbe03ec7079b1836bf959ce71ade7090afb82012e2cf81528c6597c354ce9afb949ba164011af7c8c58eb90bf9f08a08b89bc61e3c4e54b9b0488aca3f0fc6b3e1aa27b81af27a2f7565696b491db1e02c59d2b0c7a46fba68d9f3969b24923e09ff45a1c1049c98cad4de9fcdc582cde68a6c811bab26f153bfcd0d8482eb0082b7a9b4ca54d5005824e63ed3320c5897234b3df93e4d8aaab28e369c08ed0e12c28e80a63823b5fbb88eff8880473d587fcb55b49455208c12cd79acd6ac88021ae38a15871af2fadf4a4df9fab50dcfa69f9b3f0ecfc805610af0969f81d705ed5c1a8cc677265386a83142ca67ebf388834b06f69e16573bc0fa203999148431505c8a2adc60ba9773943ecd23808adb857784aa255ffc85b320420eeaa704761695acdde1c449a56350d64dd21e617e17c5bada0730c74e6f8624265af5ec6e33910d9a06a13b438255c143ec31f22d2499a23fb4ea9295dd4d87a5b950d6b1120b7f8bab3b1fb89ae37f6e1ab81322a7f17d2e38685999dbfe5d1af79d1305b9af7619ddc29fb2309d30a07c134eca0d2464ca9456c7a2ffb6a8e08988adb97ace314f55569fb71b23841eb36b2a1e7b8c609e59684de61cfc89395f35ec520d8f2f074c7bda98c0b4a0b136fadb0eb979753b6208c8103ec509809c1c5d38b1a35af476135ef03a1040b7194ae3bf1111778335a86497bedc5728ad81dde257c67a665f708e7943cbb19a8d087c82d1368bef930f64800ca0df287da9f5f2452853c8097919c6654da842e6132b2dd9fd177fd9c33d8e98a6535905bd16c2bf4f6f00193672654dac93f748fa3bd9ec050a4bc5e2051c8a1bc6debfb81130f42b35ba7574802e7df72bf7356808f6c3f4db01dd38a1b77ceeb2196aaf53b486a90c74f7fdf713a4d5eee823b038d923f5fecad38e0a297d6facf6545ebd75822717dff90abc300e49d35ac1b6e1806a4173a10abd30924db647175cbc6a6fc03c91fc37243d2b86e9c10c0746bf59d3283b55f9a03ba8a544368bb1b9b285c383cd4a3bbb2dae4f12f716d83440a875aae1a77f20c5ec26d7192dc62c0d723fb74a9b383060f297465c9f660601a9370b5bd087ec825cf2efa15d238f235f0ce7bda6e28eeeafcd069a94364c4f948d843622900fda24b6fced2a19eb01874766c38fa62c4ae6bfdb70bb44f845990ec5450e16707232606de62c0bcd2c8c35772fe7ab807a78b1c8e8ea5e4a9497a878d65a1972fa344fbf06169f39de1f8c6fd2bcc626de0407523c8438cc2d6a7a418313a5bf4c6699c8fb49dd0f1f6c6a3190056c0fd28c7f3eb39927468be20f2467cbc98c9f997e95ee8caa9867f48beacc1fdc2976ca76cd2562d06fdf12603e6bc96590bd182ae304b9a91a4b79084942191798526b45d5e5b39fff83bfaa284d62a1035d2c65f8f3819f86eeba77a7fa37fe1ed7e110abf5cc99f04b88ffa056a40485177def2080bcd553580e396613a74b6185421193a0d857ff9edcd9812320aeab9f2d74d78637b193840037e879ac36ee001535f6b30675fdaa1399bfe9f9370bc308c217031e3c22db9d60892ca57ea5e9b5fd11087335874ffdc2c166c3f61000871891f16693543cd9bffc41e0d333396081f802ec2aca66b71ca3efab8004b576aa5bac42424e8fedbaea419d4a182599132dc0444319e90b71757c56e7712b5ca8461c73513977800e44dfdd404abb1c91a98d23f4b38e2ae967ebaa577de0f3b929e79012232466bc6cb362c75ca362ee19cc2769e2f36e6f061315a722c2cfdbf1cc39115c7505e7c107476c5e346c753952b537800658fcea4804f52eb1259857c35289035f0bc5909d8dc841b19d67b02c870295ac2c3774bc0c48870a2a87481f52920a85625fa7cc5fdbdc5aef3f6ced5f6bf13bfaab1990f8ccfbdb27ec4e247932826feacbe35a222998fd5b4f1fb769253dcb12a8bb5ab3910101dca59f6f2c0358e75be580674851e4bfce8db32627b2e3e8ca5ef51fd1efae58ef5c6e231bd82c51ad1de03395d7caea75521b16f13a87e89eb300f8580dbd4a8507f959cc1170a61e82a15c27d661e9dd2590307bbde5d120f8e49ff9503a7e0adc97c02c5cd3d31a9abb24b2d13582e846f6ae1f5d408e9fa74080582213c23d2be962aa37894e5ea0ff0b802579ae420e8f8af4809c3f842a4e8dd1d40bf7b20163c6fd4d9e759242c809252d6cf928f2beba93c26816c049305a021e865adc816b6ad6a14d0eb475798ed3a59af24f006cfbbe5115ca2f8aad096e623908c0e733ed8ce659acb3a1a5508e17a4ddebd3e21abd697d0a6e8b21875ea84115ed7cd0db8cbc7d4c0479bb63a5151744136f4678c72ca235c1dd08a016f4f11134a614ead7ba37e420b2d7a255c0f0c48de510759819823fea6c07d96aa09bd3ad8d553a531315254827dfa577fdf7724897106c8e54606e68e0e8655237d7e9026e16f6c4cffabf901c3ac4722c899b0003de84eaf7c38aefbe8966a4b686ac2d43f238f06ded2d4889e9ddcb7147add56aeb2da6c32094c0d31c55f3f151d556882a02dc2ef81c4dc9092cce1b8f27895c8f87bbb1dbc95ef92e7361a20e5fb352da4eccb7e6cfd22dfd93215ec1e948f54d93d3b995bc7dbb898f35f5676ace41cda50c1bc61bb2f192f575cc96a57ef93ae8240decb2a89deaa946bdc9c975439634a4c1c989cfff28af50a05ade7c9da957dd2169aa837936c8ab2c1f42cb5b8f980ad1b1049568aa677bf24ee051a0937356c9f6328f3942d06e519c17b0db0a89a71b886d0acec72903029ef723cc44bf5f91df28cd0481933778ffd317e8063c6fe73bbc53e94831b736f7a576b6943da9a7b8c41d863b0bb4218578f76f26f95c164971a8d0f11f3e6fa0fbfe485ae47378558be1488142ea88bbccb4cec4b73f166a3f16622f442c55db2efbe7b9a6c0c2ff18153268027c099a9a04211cbce48e84f663191ee0449624f6a5a900f9ac0d45867612ad56b53421ff143257f7cb5d07f45c7cc70ab4afa4a9785dccc126a85a4b46007e63c981c448a7e1c03835c3827ff471a70fd7b2b7f1bc33fe29f60dd889d300592bcdd7fa3660e8087ff92b301d20fd07096d461f6f4237564de9209ce08e427119c9b5fb0ec7848e2059b076a9d4358ad1e7132e87ea93f6c7f32525f7f82c5526d244188c73f3a7d17cdddde3a2896827a94ebc12435e60cd68121cfc9a5b8a5e26a8482b4c8aa06cf8e18bd876f52890cca4e5125e07e4bf13df5633deafaa5cc0da424e895482adf8889d9eb3c1eef93fe1fb0464c43b520ca084d320ffc7827b033edd9c11de7d75ba818f344ff7db2f05a49b9de2a506b3a71974b5ed80c296cb43513a98e2f067993b8e0f60f079c7fce2f76a005ffdbbecf1c8c779d2bbfb0585fb32a35fa9ef1ec5a814502c4d7f59a94ea436687ce9118ce17922e408b2e6116a439682cbe0dddcaab6d0937a898fc0432bad7cdb388fe7add9aa8c3cffd5b1edb010dd6268b03b4ed12038e6e5605a7908026db22e46621e47bedfd18fb0dda3cb80c79b88bdaef5f721dba6c62c2395291c4b85f3e587605dd8521454c890876dd2f66b9f1a16b16545c3065174889acbe0fef736ee131b12b8c597e168bc96ee68918cda9c4d6002a6d9ae5f5fd1661acd14e23ed7b16aa3355425713fb513ec6a01ab3a475dd7bc68317eb973a9b494314f88242d7e9f166f5babfcb47d9b0ac3dc021dfc19c144a70cbe3237c6429a957c5568bc241cd791a3da0282c996c62eb89f13252c082af7bdff10d63480e3eb491f6bef36dadb7d53a9561af3ad6fc1f24c0a6e08f0fa9703299fd7dcb71444902ed8266353bd642649afab8ed57583a547394083432aa0b441eba37f2a4a7dd2030bc3fc824e50840268aaa8015bc83aa276b1c65790eeceb78346a299d7c9aabea8604682f6504ca87dc162837d319c45b02303a75e64e2bf5b7437d3bfc41fe08b3bfaa5f4d65e8dbb4c82501f5a0057a7ac97e7509c8aadaa10f0a629e52f85b20093458c57ccacf377eb4559c29f91bf1cbb54f40b5dfd742e51f8714d386abd5644f73347c75726019ef53f359e4769b006f4943e002750e2c7dca3ef82efe27430f771ef03cd99758550971d4275de055bd8ddc58ae2bcfd872d5b0180c43f98f84c07f17939024fb4d192c268bfd9ec7e6b2ad25882aefab5908f15c7a5f424e2bddd7a5a99f4e2281750f634f7c713b573b4addeed4691a2f8d6d58060342a084abcfd5cb047709fb1cdaa26c221d06c11d27b9d035c11f84d37c44424b303923f7a75f6809d95b1e63059948b9c840bfd5289cbd6373e058d31fa0dd5d498d1dc52eaa1e1950c62e8e39c268891c789ccc62dbd43ed15c58a528c0d2e9e0acbdfa62f6d195d87b4bc27f180b84261f68b6768fe93d8160c1561a5489276477d182c4620b2c605b6bfcb67b9d884d407aa3cf64d18cbaf9c6ad63d2cd4367dcb18ad5ad5e2900c79b645347c5d8b2fd4329d4b9d632c6adba01dabff814c8f70fe0d31ebfc22711174985cadba0c9c6fb5b5396f32acac034802e14a8ded588c94da857e55372c96c0546b18e5a20de62764ea398cd1bb25c3accd4b9db4ec2f8c045788e0700f2868268e749486603232427afc6c867bf1829c17c991b158ab488e2525f31e4fbe680e29114f92bcf38cd77d9e9657794dc52ac0876db200d7c96179d37b81c6137a10d642461557dbfc7d062c8d851436ac65b6a0314c8d49d81d4a2f25ee961720528d2e83df64615bcd74e6f15f00218b85d2b0281989e3ecdbb3107b553a9a8a47feeaf9b67aefdb7c0e067b26fed87683eb4745137f79fc809b8409644effbcc4d695d480ce651bb5370780f280b3a39b75b92e5d1f75618a6af791da17af3563bd3cbf9e07e3650a6a2f602b736a82c2d1c66a115194a3fc7c9196344aa2437ea029b43ef34c20d3dbadcf37ff0839afd75afa59d205581668b7d302570bbce1ef4229a30fc40c528f3945def73d836aa752b42d7fad3a24bbb3ffbb3b4c834405d7a37e2fc3d51be6a8d3eed3df4d7dd6cf05737579d1073216937980919dbb5eb84f8067748b774066190d24bfea50913776711ea298f9d9b674fe24c504578c78c202b99f1c54bb4e8c36e6e44ee597b1e28671a4dbd0c4f5838610e651e41a5e4dad25863576a78948ba5ac8cc8455d3be91885641c61df09b8888e7bc13aa73d90d9d4c3f293edf721e2ad85248d10534de4bad0b4b23506407a63cdb951b2dfc8f53aadcc988fed0a7e72c11daab50b3061b1f10ac2a1cf665e13335e97ba94b3e19fbd19a4a955c45d0b47880aa756032090cfa7aa9bd3ddcb1b54d6e2b34e6292e04a3a3b4cbe33eddf72967e0718fb9140ed23e3e8b5bb7ef6cd6e017625e509c34637393ed5facbf844f658f93c4fb0ac49e5b9a3be0ff849334b996bc71135a9ddebc41bfe84e9e443d6a07fc6c3baff479e2ff21d729358de678c426bed7a351e413f6463df0efa7621c201e291bad012d4179af6cdbf44ef278f6e7449e7afe7c586f5a4cfdd3d610126b87104e85eee8af49220b0eced5d9a2c69ce9166d84d448f3aa75b0be354d73b3dbc066567569895963cd08354b2bdf7754e5983fa77b7f3214b0652832c2ad45444785723f8690da04530a4271730fc4a5062df6f69c1fb2a643f53e58b62031c0bccab7157b6c1e53f9ab458c794f167ef52e9725c1318229b0bd8f5450c3275992059e908e0d9b45a6fbee125be6a4a00f969d79193d6e9eb7cf21722ea7a78273b0e54031e0042922aa4f0202f08f44d1b8482b9879086973df08bd430b1390164418b2b4467414c13f595b252cad319f7c00bc46081c45ffcf67b9f78dca78533d85de75a0c6f601793d73eb68f3c49c59de831c14ea4c9d40bb42ccc948fc5bb9184c06af6f02d4cd8f71916fcbbb0878c210652815632f2fceb8256bda3d0d08b9057eadff67a89a75c38cd9eb76de790573ca24d8e59ab3ed8430c3915adb573d1b773f75b69bc14b7a16dc0b93f16d0ca8b52d1922beaed20ef6c8e383368e8338bdba0f4e2eccdcfb6b60940acd5a16f73fb94b9072248497d54a544a5d41dba271e482e73157fa6ae96cf124e9e5af7b5a170b6bed8d27ffed073657a72ab6ae25435a64049902575ca951f2c08dabb6da7b75616ff35fc783ad65ef76dbc442a6413745452495562b6e3ff9b94448bc56681258529f3783c3059d3cebb38ad3fb859478fcef3b3d990ef029c9f072e852098e26a2c0fd8cd87bfcb8c0a71d7ddfb650ca4c21d3effb6285ba0fb557f609486e57507211ccdc996b37f6b86c3bf3654aec8c65bcb430ea919914b1599d1974f33c579841d8dfadf714918c7a33b543d444c18f02dffd26aad5f95655ba73e79ac1b46f975c8d82641ce1765bf457ff4f25318d83acb1bd64cd99a3135780b06485feed02296e1f3c557124cf8081991d1999a86faf774c9e39e39ce85722a3f9334c5a89bc182fb038a95c25350b341b5f7630ff9b0fb1ac3d849d2153cdd8ea9d5942f1b9788e6a0ebc78a22722f8cf6f0db480d817992b5b1e0d008573286ae803d579e51953c8d1ff58d5d7c9f2aeb85340b1926967a6add3882da3106a234b481e6269e5409064d9ae31a4c85633b0d1f1c3007d68bfcd7008d2b5f6e71fc4a955df16fa0ff39bfe28680b3d7d5c3096aacd36f989ca0bb3f774b34410aa4abcf31eb441fb62e5d7998fcf3edf6af5b5940b2d41d272946d6f0f97489f9071847cd1cfa94523058f11a35c69e3e96e8e43e029cb583d6c94a487c11d6d627f55ff45a8178cfa72d552a991057f170d1f74b08e0359951bcf779799a5597eb7cc862c9f7308a77a9021b86096975a95f497d5a09923c2a1a5b504db622557da0d493ff664f334e2cc08d5de0ddd26186a363d5c1a0d983768d370e2e06e894193914b55226ce3899dfab0716af60f9c3ffd4062520a77b1b7aed42feed55d9c467b409f9aa0be4dd78a3653e76acf28e44a76be13363351f185640b203eb8a2a330b947ade25735a8344a78f72e2d65e83eac0b853a09ade046e4be744fd5afcfce2e913c97c5b5bf3eca7038d889a63af730b8c232252cd64982e1d8cc060db6b321e3a83d8a323c8becee4d9869dd93586ccd322eff33bbe608aca4d83b3ae1a010bcc23790342501df7b26675aefe411b37693a9250e232ff0c206f9bb6ea6614c8f3cfb6e26a74aab4ddd799e3f47cf6629c61ddea0d1e6db2b4831590e048bf36222fe40a41801aa5cdbb24a896791f5f1b3c9c0ce86df60568e726224056c5fac7b57630a5c3753f17bfe8723e90341c3a2c1a5c7258651d31564295bf6c9ba58910243210ddce4df640a34d4cc4617505046de43ebf8dd042bd208296ad504ee4c7d44f0ca94ac8704efaec6562309d0e0d93e7543a9babea16116303b6224c55e4d0c0806b51eaeb1220729f0816098f8e244993eece2dbda5c24d1c59c6115f85396ffdb07ee4a380c7cd7fe79b49e4b670afb3a0e41e3d66d5c1333726f66dd25cafd5b23f145290108d1e5afd60a458d43442b99b4238bd1b116e202c6f571f68efca8b3fe2ea271ee7103b18e8d62ae8fdc96b7e1f3ec6eea22bc199f0f6ee9236db27442450f32a0e852e5b4bfbb606bd4489fc2c7ca3d31a088ac3a0c7dad3b96202f7165d5a57f8299b6fb630510723281f3d1f84afab654a915a2b4cb493c36e8dde7e86b6ff91df2cb69537c54a4e9d612b84705bbe4421d0c3c7b438529aa4bc1d7eae152ea725fa8321ffce5b4acc33a768df68e304157a2792b3cc462db6ff41a25b5b0fe562e7bc476d0d6ffc3b7dae40c830fbf4ea43020fa38b7301c23753fca45a984081c3b5a744c2ba587843f130e89f1ae1f08b8c16281a39db3308587381203d34552df7df4a1e6d2aa4440e26594ffb0d7a0134012a20b420282f60aedfc1478eb0e13bb8927972265462a95d7fba87ea425249536caede0cb6783a62e8b554c7d7b28e6d13e6e1cde54ba20e71d4a6c818862a177f74b9490d6281ae92f242c16b23c22cdb5a3bc5fc511f1775f911426e3e545375e74371a7c2c40af71e93afd240f3f69d2a9e90d1dc3092f19c57efda9e62e8c52bcf9bcea806f93f950444bd413fdf0440453b08aac17655c4477f0debf54ae7660ef10e4172bf28b7db11a4498651bede28b8862c0c83089de0bf420e9d4567914f70da09bba4816b8e38c94bb81704117fa1b1500796b9c4ed2efde202aa7f1901c6f1b30c717fd37b705431189a13cc019e15ceb44289a29340ea876a5dc42adefd86062ef93889c28a05901ab38f4e6a480ee65d1e44920e53d886f29b3dcbd96fd6d3575cde377807d1ed9c3e19ed5e81bdaa9677c9ce8697ff0ea8fc3f7086c780246ff4ae8261c52315f6de7043a8fc02a8a4ca5bbe13b0f19783194c344a06412c44094e94d0317d77173a7e6ee50ced15e202d1e5c0cf616c31fae53f5179c8160091961b9aed1e25ea5eaecbd91425cad4839d12bf0cdf80e1f7a9e809a74dffb12ec0bdcc610a6d9225abee9927104b61076ec42d25a30e74d30652919746649a933a082fcfec0893c50aa1efdce1f58e2bf04fbfb0198d137c4f56bc146dcecea5bbd87c03197113f278da63cdfaa92bebda52e790fa7bc3dc6669e9c88d57710f9d99880638a6ced75b24270a7b3456f73a247eacdd179fce4f02403c7f62e2f178ece290179e2e475df82451b3d8043febf92978835df3b44843c8919a162e179806f2ebb5e6edf30aacab3b0b9e4ab944998febc6571710ff3473d12b7347748ba34cc4923d401592be6aae78ea79c3b3c67f2283c6da83e95c7b9b751778cac836ad9871ffd955d1c6fd46b56a1472763ce3b363484d59d35804d676a7697785efd41a2091adcd51e5adf5f85d173717d1f02a9f6ec1180cef6030f9e45658160263ff66a6f501fda4f3737377079c2f91f80a6e5ef168f0da3dbe74f8fecdc0f4946cf1495c17cc8491b4bf2f352469f34779ff1ecbfb6877cb721f7d684493b5649bea70cd72aa9f227fe499da899d8e48da04c5ec26789aa4f11426d8e862c86d37e8952ea3dfbea4018c86f99cc6561bd0722a38ad506fbf1604c049841367797da9abe8177049e1de504e58a7ca3b57ed631034a21de9aa31413a9773430723957bd10aa66f698c82c778819c169a07154b94c88dd16c2e3171c037580b3bce41002ff4e47137de29461b9f42995ece9ca71aec18d6689e8d6b155ec2f4d7f206c96a16cdad7c54177f2b71c5259990d5a1a3baf9f1abebff124c6655cbe8037da1b6993f76f1ec4d56dbe7284de6c1d56ba8a1ea414f1ebb8974189da7ca7f063048bd9024c9ee5379597c8bd07ff163fde33105ffc63bdfb4704df5d2365451e7913467da019eebcd7074d708b0eb179a6f43d3c54c2668e48f3d1481cd4e34e2a89ae6d8587786f6a252c928127876c4fc017e0a9bc311c05b2cb57532693541862ca177c43db9cf20ac23d70b0863e97d784e816a027f35d14df6314231808431f79fd634e415659831c1a7c1a3f0bd0b9f59a8bf960be5aa7a0a89092a2eb379dc267605cdd21985f0234124a451af03d43d3839c9684f642327598c4a7473851df6c571a3aa2ba5de935c84b3b85de07b05f2115d8f8ab6a00d68626e3302f1b94db85c4a54e99c001a2c4b1a97347c3a728be28d6164dfa6af6eeb7f33c5450e83b14e95d415adf68eca9b8de24e7da280f83990550ad2c0f26bb49a11f5aba092ebadbc342ccba765d7c250f3b0a8b941474a3288d023d89ad97cb051ce9f714188b8bfa9effc1b5ca679c7bc83d4018bb11616fc8fe56023cdbc8f79b01113ce029c408240f57f96a8ccbc58441d71951943464d3727754fe94b96e2d4b6f022edb3e9f719005aeb748a2c36466068703a8b36084c4e70a48a05099c85ebbf7f085cb12282df47305094d9ac48ec273c86352bc292630a138acaa25dfd972b54871a1829a6981bed62a169ad94b8372bd06fb2e4d4b329219a702a2f996896ea6f8e9414f81c52b6977f87b9d7db7f9ab9d69dcc1520e41b55fa9c1ab72960bbba6a1bd37cf412300e2d78265ea16de4ec4fcbf0e97460fb56cc92474c554b500d4c411f708ca7f69c0c9a4bb5a095a23ec79cde709321734deb3ff2aa49e8203333878964c75c16719b422bfa6089b290a764492df889c327158007f531742645af798045fc613093bf107d5cf11713843e6bf5028efb41cd0d1e93f988755b96b82f03bdabfe7df0c4633142289ab56f041cde764624ecb8c2cf0edee15730c8a2122caa9f17a8c7028bce989769ba0adb7e818daf94bc72b9ca2b22759d9f00b3feeaf34e86e11e832e8bdb65e5acce99894e0af49e5d3f9421fdef8c480d60c475287d1684d0e34e70d73b28b23faa058a79bf7216dbcfc19e3b23a401f59077a8a742154435300a4c3b2e9b6698f583d25b37a02b7bcc4891fbab6c9823668fe9f7a6c807cd800a84f037c75b4d615adbcbd6108a1068fa4f9d3d7eee4dfe892c766a80bd4dbe5872747ed4cc7412c0a4fc690b66baf1f0df077108e43af1267b89e71487545ea4f7ce85a7b26c5fe5f4846316fedcf53dd11618fd83f2b1407298b0a9e4d3141df0cf3ca2d9cc95d9410f279636c7fab11621d0c36a237e2ebe0cca8192cb66807f42e2d06d1856ef9e92021ab2d565467c3bdfac556c464b5dbf86fd363d793f121e38a41aa6e247012602788e702ca5760342cb98c350b880925e65e002e76bca785e480c7298a6ccc166fdbb0ee5ecdb06c2fa97ba9c5b280d5906b26760996de7275ae0983abc4a4b0a5c28deffd25839d249fffdb30dad88f3439d8e1d35f636b3d29878931974cebacfe9a24daa3a1e58cea1cacc056fc3d828d7218fe0a41778ad0998149c4541a75e9c03384a7339addf9076de2e9421e08b3b74d87a172db8deedd08acd1764fe581fde10f0fc4423c0f7cfb8a0f575010b0d8ae98f7996b6be9fc2ca5e1ee32be22d32be54109b1924d30d002d62a5c673acb8633ced10925a760acae277dc054444c9e0e68874845706b2b7d06fe49e734b569485c3d92cf6bfe9aab230504e824ef33a87d30b96bdffa15f115abed200f68f349fe6c83bed8107d77d8706e8834298d5a66aa969b588c524aac377508ea6720161bb639e2ca492961aeca5bcedb335213ac4806cb4f9e15c29974d89914d37622e6e33afb7e6be874c5ba87d81a0dd124f23d5c2fbe0093d1831f1e53f90ccf0be8175471afe4bc0568f2f45ef0496e31e2bd7cb8aa2aa1fcd339766eb93dc0d8485a1c5147885fab089dbc20bf6f7bd7a75c29a50f2446074b4be2cf6159fe895e1240b8f1e691a846ccb959b1b6685292ca705a4fc9e4bf6d48973d92fdb9b30c88f7fd598e5dda529cba13d3eaea932445e2976956721366c5ef08ca8a36ee8b50e1c46b356a8bc54c2fb8d504084659becd6b0f9713a1d4af10a335553112b570fbe607a957a9010825518d8e1305ab1b78ba600ff26858a41888b4ea91954f95d89d6cdefa4b33cd58213540bc88d9d9b1ff398faedf3ca63a2f32b3c6433490d34775bdc285d5fa9b6080179ece821b0ff387b477717eeaa0e6d948838ecc7721dcf7e78aff9d9a8efa04e86b9cbb5446fded59aa6f863e825f856753040f54322ac12dd565a184df38fca93be65be57ebb5022b83a8397d2f6f8a042da3a1299522c9956dd5437f8e06a8534a22b449e2ad49da6e8a5844f47cbc9b57294095540f4d112a81387be81fdc68261e6a765f005c671471c70a46dca20728c0500d2d07572024489b5ab7106ab9945b2cd8df14067bf79e3165cdf91839cffdfc529b7673c3df590066e3277613b721c66034817d8ac2dd45d705f1c13c2e1d7b4411f1a0cbe19e618f95dd453f9f91c97da4808985b01497cb58cd69e8819c56ca81dfdd33ad2e4408e5f1f665c4374edfbb3418baed831c31baac974609d3a05d9e703042b4fe1ec73d50f66a2ea3862137a694932373613a2786125fe8653f436114716ba583ae10c5e92d87aff4d151f81c8d6f06fd97a1df30c73cb22c996e0fd2739967df50b6fec03cac5351797425853c06adafc728af2ed39911cb97fb54e0f90a30eda99e33f9039fb973010c1ff6a95cee6e28af678bfbd9ecbbb03f8ac78657279e4d99163dd45f819e82fa6e2f5bb794e906c850cca0535f757f2867ed7d20f06469c6f0e95fad62eca4f1f79804bfbaa3e28430130301548fb13645cd675b2ffc98e70434907a7e626b94cab768c1f25dfd521c3e80b41844afe5c457d7224204d78358a91dfe5e2d792d7b7b410750e81f5e3c4b5507912b470d4035d9835afe05614a938dc790bb9b3bf3af7f66d83f3fa7427c0a0fcf17f10ff7f58649565048e34d8b91eadd75f04f46fa0f6f5f7ff74113f12581caf90205d953e8b5bc56a75db9d0aab414e3ed88a68b19eaa156896f14934865891ac39733a40ddbf08758b6d8eda59d64d71007ca3a7baff294d5cf869a6e43e0beb623b832d40fa6f6ac1c2f322faa4fab039be48cf309ff510b6cf8904201f322c8282d27b4c99cd85884cf092ffa7603cf51d5a1c7ebab48a95e43ad84a6c6a382090134b93f40f32fca940c7b292fcef6103692347bccf6f6efc3a64bb93ade7f98ac21d79d0a9db8a47286f8150f352d7f09cad3dec0736aa58c70e2edfc4a701493ef3f1060614ef285b25f0c39578b7b8ebdb0ac6090d51b531bcfbbe50c0fad3d946b510539ced58497bb99a198959590818b365dfe2ba1b0b77413773430821f143dac8da378ed430a56e9c909d8bd39e21ed648d89851fa4116a487c5418c08d6cdced8c01db6b00b0d77191f4bfb3dc837215f61b1703ceb3d8e02a42a711c4b96213390b59bb8b4121e48b210be403591dafd4e987b4ce66ee1d6d919137e68166ae940180a3d254ca5537ca6fdad592e6269540107b3a2a231c61dff1432cebbf8d944d6ed57574d3e29c7bfa20fba9197ad699287568fe667d4dffe70e7bcf95c1a1a800d2da805cd57cdc8ddb7f7d96c860156197122da479a8e6d955c76ebc4432a4a6b9eec1e45da914c77bca89ef9c442e58f1588b3a38bfa8dd138f618e098f987d94ff3864e2e5090da6496666dbf029beb04054bc3ee417e59fd67b3cd4b3581744adea5c230f051bbfd602b8e94ad01b5289811e805001718f3037579c44e39d2e58808b76012f1452b784d960e18676032ba1acc8f0a2f43f0c4119d81a854ff0bced61b0402f3617b2baaf5912ae1c99cde35dd074ac7ea1238fb5e31a49c425bf7aa83c5b461bfae8842c7b172bf2c9d759ad5c02703da91bb352ee9b20ad9f569401718d615c95ebe7ebe8daf146d77b59b3deceffb67e4d3ca489e4975c1c9763a3612e87be30ddac6e8ad158778ad7fb9f8f02fe5e6057cc17644de962512911d404b59e033371452871cfc889e191382d4f95caa5dbc65e7dfece40d798b80b1d372720ab4736d71d5e78fe94b8f8bbcc11c9de94cfc3c23610b67a70e61fc2a5b091bc07824c1467440b5eb0de53dbca21cb114f59b3c808befd39f876777945b3f908b95d6a3afd61a99599ceeb533fdc36fc02ed996d942dfccedfbf7ee53cc5524afbfd58c0a6f8bad4a15b67fe25d4f44851275b8c828a91a0824c3f3b80ee6dff7f1cc210f3426c9f6969372ac225917306a967c572b87cf396f379aeca3f51c2241a2d8dc84909b3247c522e742bb33473204e4efa25f334add1199d3d3effd9e3bad76aeb78736c4c2a83858111f2c0bea4b2435a038b52fb4adfa151d75971d933f23df2aca55e649d7b4d2d35e4a7e2301f31d2bdbe3d9dfe55641bcaca90eaa084e0d95398f7b640971f886b360f2f2716cc98bf0679d06e38549148ed56ba144c598a962617128213c33b4d976a11cff009589ae9b1179ea037387435928c1ae2a2644ced552b5002b2b1045cd61b49bef9438df9272a99074f3524e543a24c53ff488556ba7f1f133b2320dd38ead27895945a50d1194e46c32234d90f08272a1375cc5aadf30bcd5dbcd0efdf8fb0531aad382609cec2e9c2a0c455a5c6be2d4025533ff3f7c2952577bbe14502315b4665e2ce59a3e16ab4dfb55ae94c25dbfea70cd310cd7ab5766db2ea7d7a07498d4d06c238920ca52bc2dd570dbaa729debf722f7e1bd3a38cfd5347971af4e6452b8ecd53fdba317dbfba97403ccd170a19acaf051519570943e9ca800e37dc286abeebf4134da43b80b7f3f53f0dd385566a177e04a769d8e493474cb611e063bed87f88693c93e7c8f1ec9a9e8314197a27627292a8d7cd86ce3eda6d537960a1338dc5eee35c20e9d925081d5220dc57bc8b8edf2354d461ff037a12650f8a10ff00c6a09fe1b8ecb5dce4ba37e7e0da9fb801b06c2910e4ed462968bcf033d2730652246a851311b6d9a93cf9ea517b57cec0d8ba15299ed6c057925f2bc26e22221eb276a8d1ebca05dd425af1023f1fb66fb50ae08f88d4feab11a7b15e8839ad565c0cb63564dbb26a9a3d173cd0b9a52ca1c936675153505eb7216c9b963c65c57295816ecb4f166cb14782af8e3541f2d050e9a6a872ef0a618b1c112f0de05cd62eb6954843c3ae3ae6a1c8a1dd2a381f96d2264c7377b29af1512e89e2bc12c9e348bbaf3d042180a94ed2106337e426e58ac11dac99cecbbdb4e7d739650070e80df298505e287bf23352b3392a43058603e48c20e9542f341eb89b5e365bfd1878e51c4f55be8e5fbf9a2036171249b4631d06831feeb4ab403f7ac351d09f50a361841a80d2444b5f5480c0c931a3261d36176e8cf5f2fbf32ede757ef859e00a4b4e841a63a4e65e7447c4dda23dc6b1cbf2c802f0b0bbf0855c8ff1cfbdfbcd02c462e307d33cbb272be2e6a0622a6a730654ba411aee57c575f6c374ee8b8cd62ba6f8161de46291efd62f5c8807bbf929ad94189d0d8de8915d8ee5d43a04c95c025c3c2f3d8ac31e031daed68ca4244732c13db58374efce6416bd45c4c29403a4813259c3d010a0b861d8e56d70460ef7d41e1667ef7a61deb7349f5862497bb4edd69ce3c8ce94863e7a19c8f150dc62d16d5f581a9d109f2e3d91aac1849c8016286102b97523b2dc3a0367f15c79649b0ccf6ec37e72a0bf804edc9b2b0ff21ebd72c8c4ba67dc36e478761e2a2fc2f4ee25bdab00880e85b815ff4707103c76aa4813d74aeb69035e1caeb46b4a51fe2dc9b3706f73478b7e411f7e9e81ceacbc27979bca251591a23be60cb2f00a8b4cc3c36f8e9b32350b0be73d7c29e0fdf63b053fd21c43b69c2e04b42badecfd8a7548a7d0b311f4e1d230d8a6c32f8bd7738e10cc0748cc44efb4ca8c9d5aae6de3e19b12fdcc597abb8dc209fffa9d5b7acdc044a97490b7877b2b13e754023853c55e674c067ed36d67db3b952563866698167eafa2d1878588ff0abb6bbe4e61b8f4f7db75e315a9cf5e39949f110b540120bc7b3bd84dd463d00df71332b01ab3304358dfc5a51d4b22a0997d851cb61e41d4e1a985e565d99eb8d8a8c1ea7b26b09cf3cddda7cc8669b77b8eeb70e0590f5f3ab2528b3e19e4d428f991a5df66cc73a821c501769494d1bba0108c8c894d91a58a59d432a43d8521a0bd616767d7158d77e530f3df4890cc71ddd0972318f04e6464d832291e55eab5d5f0f22e341e489a3c107c384f03b0c850a271d4bcee9591b332a884fccb6ec51f3b9363146d5cf918893fbdb78fef806181aa9f09c7f5e36cbca52500c85eb93bb84ad292363a6ce87e43145257b9df6a1f1db5574d3d7c6207da286105e92a3e0094f480a8db3e87a5c289525b0d18a7ee8bec7c13fbf923b9a14df4a66c55ddc68fc8f0ef2091f81d1296f8d4b278458c73ebc3d1fbb9b7ab138e9231986e9c9b83a599a2b399de243dc822196dc57e5ecd43f545233147f66fbed7451a4cfc4bc8faf720fe69efe335009d80543e22f3a898dcef26855bc86867f00d3556addffb5007c032640ba8b1cdd04d78405e2f2a2c213ef2c45b5ea711097753c15f028d4324a0fed31d7ad879302e9260601d03c9781f884cf858be31a49a55aef51955e1433036200ff55226227d991b8246d22e2e3a82ed9c54704b6fa8997bcd25451a2da4f92aef78a3e3a129a85cb076be89a5ae79f1081782f83f0044b76ae068c4860b5f315e3537b3ce24357402b18fa4c188f1a782775a8c16efb6bc868bd027fe79df5574df476357f3a00ab05894500c9964b14980983ea9e028b4b19951d25210d77a8c2513eec92856fbf402349a234944842063ad3cd2de842b14e016c13bd1ba0647f0c6cdf76be52b58504ce9b7725bd7b6c447060e949486ee3da6d9dc34ceeb2b79148a088a8abb7363fe3c25e96ab74970814f86a8f6392ad956dac9150ccf6b27e410c885053e313f5c9da25f52515f5b93bc4d592823063f84cf3d21404d4d6fed52025f3b653b82a3a273e9bb90f441998fac441e577ceaada944bbb1671e8f33b8dc3c19764b64485e0a7c095d0321a1c1388cdf7e4ca2a4f2a7ed49b6018550d2fbefc89559dbb525b31b9c136406ba347e3cea54af9515a3111d820931c234111c0570183e302ad9eef35d4c111904472cb5addbc2fb2a268747064d2f8c94eb9563bf93d4ce4fa91f908c3a81674d74f4b35394fc88f6b542fe87cc2ae3edff98e0f62c1aa0cc92d536cadec0e83eba7364c0c2f1e8193dd9d70454f4c95a3fdac00dda1362286aaad8ed86973e07a7bba0f92657f60997ded88248dc8738a468f36e7597f71d4b1fec4653c6dae5bc56e3d10289fa3a53bda1c84234945c303da1974a17aed860be63a69c16b5d7de6038b6e94437d3aa63a54dc639a60f69dd24857d86a617cfe837800cc6c5a03d3030fd7879d9a76cfe094f27d7db9bd2f0caed3f9b506c1d112f39410ec0b6f46d509ebeaeafbdf956e93cab08b62dddb118586d9b81c443dd930b1e5da20ea4b9b5803d3d834a577ee71e4cc5b4fca671d5125d528084cfd500380f64b284d3ebda1a2a733d92d6b47fc2ea6fb91b1c98292756468c2db73d33a60a43847003ee4e9c7cb7eac7cb0cb48b3ebd074c96ad146e711a863926d73d884dd48d0703200275be7365347b7a81527aabaa2dd1cf119ced298c902de0235ca3ac89c40b83ed1f8255aeb9581cdaf28e448ca8dd283b0e2a53d6e3f1c619787f067c9b6ac5d1288688be87b4948d4fd2152a40df68eaf4294c4273f893cd5d9737bbf59512d35eaf56dc80e0e4f406eb34abd669c2366f2eb8d5764acb515aae836b98e82c18eef37f1f1fa93e527d87b1fc13b853a9b5da40525131e2117931eda246d921d06fd457492b09ff8ffb2aad915aebe0d32ccca186e254d38845216d6676343250535f00f6722cbd1eb73a94b4857fc3b36f7406296345f1509226f12aed9959837ed7ec5b303ed5c03cd7cd78968c095e66dbade1c4b5bf69019d58c14f794c5bef306c44acc06dde8ab8d969789d67df964a8cc30e540b07bbd4e1f91e218422a699761f41d32b68f0878699895cec791a392222418e8ee7b8b27683471c42e8fe00126c14bcc9ca6e6c4861bc762ad2ac3be8b028328d8214e6101dd1fb8062114b1f56da52d015163a1e705f5e898148f6a77428a0cc2b48cdc61a672d4d9438f928f22934eb94948f43df9cd58ac36306a2577fde0ce5ee933c88da73f10992f91114fcb5d62fd7b2d7fc0c23fda74df67a6f1914407f9bc1ef4ecf8a1cde4ca6a549f3e05e23af1dfd083966ff2090efaf6c14845cf660c6fa4ba8f2cf62711e23c322b92f2efc9bdc1e079fb2b1f01958b09f0dd2e1de9a79db1d50428a9ca45ef739429dddb6c6515468c04f5eb841b1f11481c1a6edee6a5e3c6377810a0a871f99c2d3cdf22b8dfc16b74aac79ec25a3d77e06d272340bf69d78ab89f6d124eaee4d431a2675b9c319f530b05a18864c93ebfa521842f94f65dc799f911fa01c2ba3b3dffcc0903eeea10d1c4f3bd7b083ba762db8c2c3e37be24ca8039ea461cc447abfb98d596ef88f685bbe8bd00ce4ef4e63139b0bdf4961a7b349ebc42a0c146c5bb804be7c68435ee532df3c850c8f8234c60f6ecc921ef65c57a4d3fb4ffd08466bd06cc6b892c18b0c047c1b93bf32b8d2338995f1657eee140f0ecf1652d7d97e11c20e04fc9c843cb27074f405caa95fe93d23f7296f2285486384b99f9dcd0b8c2cd4c7fe236f563d2b414c0ccbe3fe242dc7899b11a3bdb838241ed1a078e082a3f0dd0017e7f51033ea648b1366f3e3557a966f3ac983654855e2ac3e43aa40ada283a6d71164a3b3e8a0adb745b77e37093c655020e1c75d330c00c9840af2ac72ecccbc0fe91ee3af7036ab6fb3deb9af5f73c4b4b5c65a1883af2267b43f5b4d3f685c66e226c1e6f05b2b33713010a18a3a78665bd1f8e4c9adbabccf5bfcc755743453ef319bed5c99978042c9229078e8a57030523517d8dda4986ee57fcd2a1ba03f52fe18fb9b1c29511331ead4f30527f98535f6a5507f53c6471612256a7c29e1f4b6678eae2238c66dba9a9c81f5052e7e4ec76c2acb34a25b36e64a46f5d0bc1800b77c98f91e398ffadafc5fe3dc6f15fb871e21ab307b01fb2d672e89bba1926c254ca97ac8013edbce4be2ad62890518d456a494b91002d0015d1a48212be2dc15e763b48d1dde231ccaf2c53073b6c39bec2b3e8b6e0b09d3a0c98cc4086192b971b4cda7b7737550e8d6634dc619713d7c7244049d9b41dacf67aa1f3da0db6a32978a81959bc036f8c5eaf153380611af34337551a82bf42a96bbead37fe21d8bcfc4ffd2ffc9aa61a3cf14c573904ec79110799440d30710328604f5ab0803b8d14e0b5d5a32c9fbb076c3a4ddf75fe43f16dbe3de6d9fe2635c60e5845542da959ee2676252f55c86123072ccb9e173a31a7ef0cb2b3702dfe0da380dbbd4d3fcac00fbb2ca0378693d512761ebfb077aa1408a09fcc1938e206ee87391171bde546302ae8a911fccac77cfb1a13c3b9f8053461300e9d2477e329f3c768dc95b6f3d18f940f3f886896aa7734560cf86008198a90af8e3c8163486b1e104e8f9f6228a9238d15d3bda2f81c19ab7d7435546873916652ee9ed4b43d64d5ca20785aaf880f0bb713fa273a2a2e8304cded6ce2bd64862b99f9cfc55f7ebefb15deb782dd0e0343190e6dbcc9adc152a8b99480ac4ab3c962e5fdffde4563fbefe3c7f2c72fa826784f63ababb06218768f4b6c09cb68008630cdda6cb9ede503f6b494d14ef0e2a1cdcc3bcb77c390c884f5bb2c25e194bd0bb651fa468a63e0d3a9bc0baedbcb0ea84500b8b43d2acb1a1456fe131972e93097ca42679e69723a3f254bbf4d0b498b519f41e6a37689a321bab19c0affc9bf68e6c861830ea5ed846c101ad9c6bc84dadb1ed03e3b7949011994fdf8a3aed564683a72bc2f9c9a53a1093840657c7a5854a8238ff269329722386bf9fffe7f77cc2eee6e660510b568563076248db4b77505baaa30036c195acc8824dd5ba61cd567eb8d094006cf4ac4ff213557fcf0fb21892d71af0e85a8437a380febd54ef3d5e544ecaf83250bc80159412fa7b25f86f21d3b10202d91a6d4dcaea11a334db952638b911e9895180d3af45f3555f15addc4e1283b5bcf2780819a5e607af429ed50709d087225b7c6dc0bd1be480d9b0f230384e86cfdc94c1feee37ef79fb148efba4fbbcfe9fa1aa2d48a557ad5a9b865e26aeff87d0c15bd73410f99b9e496145cc077d997dfe0e1d360ecb695b25688cd305ddc912ed38af7c4ba286bb6dc1d6df64958bc4635357f3773f7ea76fa3323c9a092f430c55179578368ef9dc9954de7af72c20ad17df6cac5ec72d632a2286e0a55269854ddaaac70eeab3c7e974fe6f73da8fecbc7bd45f2508419cdf87569481059db747d6dc6bb356c0931d7bd0111272ecbd0801bcd9ecd6b0d7152b921f3eba8ad2e6437d0045bffc45cbc3da37adfa5a0b29be0a8c8546d7c4c6721790df155f9ae38c4ee2f0aa56009c8eabfefce38dd3ad39a98bc1d34a1fb3ff93a21892e706b803ef1cfae2652ff0b12e74ceb341d7172882e571aa350236156498b17c9b5621b3905482fd78f979d69e91f74d9bbfd086f310d3b6521b826dcd1c622f5bdc185aeef174eb0dc4cca6990ea09e83ffa9e99a009cae11fe406e8880a9046df5fb81ebfdf4e3a421553b56e08c5eeb38dd09af4a912aac641301ef1095a245e15d137a633acb4e469315805e2766531722b8a2f875bfd8b6aaa0098e810c296e77f6682aa6a8b06c5ed850fcce929921be9f9d81f1fed8f993430efa8335f8ac5d08e8b355afc597be757c9d76c31e92352f1fc877961aa7e8ccfa9bcc5ac3dc59ff796b59dbc58f945a7283848b6552ae380b1df1a3c3e9d8b67e9458811b3053abf6fe7bff329e6e7df7c6f3d513fc9bcbfe6b42f2528602a1b4314ee9218fa1013a25194d405b3aef274d2203fd6f0567a7e5b498aa55478c5a544eeac6a3d9756cfbc0165427238b3d553ebdabc99dd575d3724d9c00f405f41fdd7d3244fd9820897a97c3a0fae469447f48a61822432643aa4e7f2a7f7be956675d1f460f111aa9e630730da9e0096caa13a054fe932146cc95f1b6d2671a5d2739538cc69f03457e302d998d89059e1a45707cc66a6ea8a94e17539e9a735a2c129fee395317d30feada724e72bd0527a3e30f8bc9b4477b8312efb9445622f0df496b6ce0f62db32b5e041be73b6d765c477f572e5f9e739a77a417ebeff4892243ac288aa3bf74b236e064a9c89106453e24311084e3d42cd748ca009d35817da8f93f18cb442a3e381d49ddd9622ca8f54a4eac8dbf6cf01106cd51800663829ee0fb534997900b9847e3f38a5637dbbd73dd83012ece0b350826b62e56e726c464cd8cf26fb5d77c8cb22379c2d21f54496d807d9234af9af9b65e7d1bc11b9fc7cbb398a9402347f8001d0de1a3031df0cc0322ed5f384bf57b76fc6b9c05f0b8aeec849632da59be5c6c75bbfbaa39fd76619f9ff3902e6d07160aaea2883b6bfeb267628b4d6f6d8ff47affb8174a7cf8e99ea9fdbc4fed743d8253a86d854123062dee12c9caa6053aa37d8844f76c230fd86ced8be208a52476bd7a9fcbbe76c05805462307d67d67e7be872244014cc50c94bd4cacca2473a44bc6fff19b2c1ac4da9299c396be479e13f99f10dd285fe143db45e621e94479a6bcf0854e4ac717e79b3180a56140d50492c8d44c1907713b3b54f571fe6287e2d7530b111fd4817c2d01aaa3861e7d212bfa225f2fcbf73462075d7f2e6654c7acf3aef64ba7a697df740ad4e9ddac9f1ebe8aa42f73994c41eb788f855a715bcb69a6f66538fee204b4606e81b8cc3b2947cf8d8d24bff7e3ceda4ec3508c53392def369596eb1937b7302952715a8af748a05dae24f512b10b78eee9784be25dd85d598e129284d971caf8cd7daa2c6648c183d4454df984047f9d0d2097cab7dbd1bd0b2754569c1b257092aac39103ea1c9229e46901535e77a570f0c214d026117d5464991c7f97bffa3ce179cbefaa0f7d65e0613f5ea5897dda14698ef3430a7dbd1f8c956f3949010925b1ef020370dc7ca9658b8213d6979151355e26d675fcd7bcc6e5ee72355a1ac6f38e2716773d21a4b856a8044974a32454ff9fd3f46278fb1021739b25a75d07c88170a13efda2d8671288f17bd82669e40f21bc9f86f8780b2958da335b820fb1a93689dd84796766cded39bd8725af0eb361eeac9c1a7f9475ce605a8c713d135e728d775db713291fc9d1b0e687cf8c1ba696106c1146cd3635f904780cf65aeee57ac82a5cb000f2bc2566456fcae946325600707059db7fd3dec2db0983dc9375f0d8471eabc748e6cb882d869d5865193e561a449147f44fc2cb069aebf07a2b1ba30966f20d97d8ce843337bf35213874ec328392cf7408284c8fb77e92f1d2eaaf2e8c968b7a205142ee267fe32c8fcdc2e69dd5aeacaf89e953ff790fbc816bd7c2c2e45183329a3c59cebe12ba8d19b1a358e67f4bf06c9b07bb41384d9eafb11cc1593feb6759bc0febd6ad8571f5ef88c4bac003430897dc19fb6d77d8f609b88d6ab4467e4e4b31bd0af289fc429afc58fbe394ce97dd44a5a3d03aae844ddb6711b4f67d2bdf88f3c604bf522184c2055daa0893d4a699c4336eabda303b3fdfaa930e22ae8989d37d5226588c712e635b9204a61d93e7fd3b06128e01e48e943050be4eae2d852c95d615c065276edd09c5ffff17f4da9ee0274faeba9c043f39a3f9ffc7b1b57fe5ce4d538974311cf876e708a2c752b0e1ec9c69f9f8c177d08b547888c659af4f4849cda3a8bb55e1ec279545c2d498e911e617ab5febcb06d7020a262f5944c18de0e392e82c265b00d11bf194793b478a02649c961784b925ddf07aea751b24d02c91a92d6f3c4eeeaf25b05bc5359dc6b088e1d26c322a45421619a0282d4e59944d4ef2e0755350a2b8b3a866f7b198199f7380bca110528c99170c8168f9a26f0da2e6c5d778332791a3d33d90bc487561911e269b6c6f33fa0eadcc02a943906779b734b8ead4ebe855090c98852788af3510eb95c928803e64a4b9970cef67003a9dfe0e28a61f1ea93b9ec240f449a338c2de8107298ed1b0fd7ba92bfccde6bf26ad4b0c70d9f30440beacdad4b3c81cb4d1e21ceb330c6ee8361d99281ef36a6a681a53505f333a64cfdd8ce2be3aa6ebc7661d29d3f31e724871f14f2a256dc6a47c13fb27c5d62dca45353cb9fb879c4e1e33f2d89fa025cc387068c37650ce1aa9542d2e063c09a2f4ae16a31640d7b905c7c80f00679f814518c9557e4bc87042e1d6f4ccff6d9fa13d0bdaff2510b5c4c6d7833df50d76250a6b25335117d8a3205b42f8341ec7c3a047401fbfbfa71f17639a804eb2be133e41ba6b511ae3e05b6fb33c91ebc6c870201c867131449e6d30523a3486c7168a0e23cb4a3268e6795ef6181ca84a5c67479eec4e160510c21f234afe322e65c700476a27fac73b2c0fbc627749c2af18d6d7fe21ff0558de1b92877c8d133bfe002c3f394a172c75219251a056e67223acb620d7f9fe996b119f0d60c09165b3a1a3236114c9d12b1c29eae7f911299940fee5c17205de200dfbee768cadb013838f4270b8b847951afb7b67f2d5ae240cd2bc6f1146eb35a9a6b7cc96b9f13cf7e346bffc2d9af2ef5e55c23b386a56ffe101dd3694771ae3e01bfc59b2602e1dee6de8513611c497f374d26e48bdaf0cd0c1c9689c92c9fe4cbde3aa3aec93ccd8ea4c2efcf50ec6894bdb14e75cd9eeca9b3ebd4c0d269e85cddcb9191521056e6a7951a698ef10e906e29a7e79aea4ae974b07d3793905f70e249d1044ffd75441d213ed7d44e9b1c71e3bc2ebad3d61d8894d9534ab5f0acb10444c6bf3a83e50b555b8f02cca04e7918825986386b0615024e0e155f560f6f659eef2618badf0bed607273f8a304848ff83d159fd44dbe54096d0fabaedd9e863a33d266726bd0b6fbd124ef900ff2e34388784c64babf6429bd533c9276a639d106fd643ff3d27d82c993b94dce11b9c7345d3fb328a3187624ac4c6e27dc70bad29ba81244ec782b3a77241a8b748c69ee79ce718760937706a049d3793999ea7b82672832190e311f0c0f70589c7859ee80236e319c10634c4be1dc6f0eb5c5900262e6c1564af002ee31a6a853a7b5a5620fc05937b2e166d70724dde1358bf89e4d4d7ffae23aaf4d57bfe2c2deb60b08b40f71400793304e1df69ff7add4f002c67a9b2f26c2ef0a35e9b9bb7d60cbc8c102eaf82faf425207f04386e599fafa78751fa94b90b593f4c0e7c9e40b65539ff77fb06c3e6c94763d52f7a77654bd2a0676bd5ac7cc2e0b71d6422ab13bb14fd6648bc11c89b2ee0807d8c42703688b00685f60e6e10f7c51bc7c04910331b8c64d636257198abdba13da1ac0127e7761e949ffa588e66edb0ca76d934476ab866e6c1cd60d3b56e301f43f676b26a2c2a892fc17f0585ff199e866f4cccc5f92ff232d7ce479a66afd2208076dbe0e67da315eea126b41d72892c23c7afff07304a4cf8261a11c43666deeddc89740f69ede4b140da0563e71f4d5c166f95b496a1674bb673f22139e1d667d8f47d642a4343fd6f41ca6a2a4513623929eef703e7703f79558f292b7854d0eb2ec2fb7ba7012993e3360986e6d3edd24e54551e9d026732445f375a321aae85b52d8e40490ff3412ab2f82af46b3d6213883479f0b96be02721ea832da96f160663524d1c9d7501f56633c81206b1dbd4bd381256a9d6efc40557bb1121af3c72bec97c22ad3e4db023dc23ea3c257e5b242b5204d435ca534853c6992d19165aae917572567ee0aeccb56d5e547b7dfb79b6d821cbca97b2cfac697c3c96df2210c43756cb5f710adb7747ca6e93c64ad61270af2a783965ec969a3a95da4d81312456f7ccffa0985cba7b7e2d7cd478718c857325541c44783df781bef4143de219d52785793c766bf7ab00667450da2a607deb4a77c12d5e915b15a26d625f585b0c6896716d5c6ffaaf66f3af270c2ac78ef6d61796045684e89a3f9376b6222b54cdc1ac5c08c05d63871e7a5f10f524a341c242f8230a1cf8a4d1ba3d8e7a31e76b5ce85c8485bd853a03b52ca3179202cf16929a22746a6c366ba561825b0f33a710b4302e1014d45952d804767235c483e593079413f80b9e61a27050fc8c9727b050f7ab0b65b8e94440d42a5715da32831e1a0f8e4d33faa1c5b205ac7f3bce2f3ada8e77ea742ac64dc9fbaf749b6e7c3cf81de57db4e97770bbadc1f5a710a982069f539d611113c921b739970a17c52cd255068cdabf74a32f3fa59c16b435a45aa14491dc7ef00bc1da37110b08ff54c1d6dc1ac9cb81dd5030c0a70393daeb9d754bd01b88396a1d626688a55861bd8c7f20a5608d53cf399b1b94b573a816f29c683da435f656020b6ab9ccbc1877204e2af93f39eff66edc742068e63f3283c38d35620c060ae32c857e1958abd53debaeb135d90befe3ee9e923a04f8aa76d12cfb513f233df4b5d879ac350f42f98f656a46ee08d78e3204b37ed37727beba8d3eed77dbc3b5f985757c5092917819958e9262585b47387da53178a785138042576039ab7c996f3ebfd6e4a41ffee0e632fc95d902bf88c42c9648acc9ed1bf90967f10ef5cbe0d913f97b4574d64ef31a368e2a2a24d049af096096a5da9f0b74eb2f3bf29fa8f57dbee17fcc562a4dad0e1914cf2ed19e6e68d768705e9d4d24e5385f4827274331572d0b14518a0ce50bb06286eb4e86bc7f71570155e83a9c248e0a2848aa28a107dac8c45b6ada5fbe622a0b94e42440e0513654ed8b46d5faa5ae3fd1993df20bb25d005fe254e94a0479686a3c8792e7b0c91832ade55e17298933fb0eb62c88111b8faecc55149591d399f316e12c476de26b4ab9edc8f2656968e88456a8f441156f4ac8d786e2be311852302a6ce1d938ee16fed71ac9961785fe5ecb8075480a42a788ebae8dcbdf0dfff47e7166e699d54d0ff4ba8c4e6dde7831bd88af7cdcb45e011405a7c9937f46c86c703aa9cc3d1fe1b4ac047bcfff547ce523e28d7eb0b469ed3e6e8cf4edf84b28304bed1b595bce15c2d8d466decadd453adde513608e441a020d5ca81af5e81cea4100b011b3a4276df61e7a843e25e590d4459e2a565c74155c99323967ed473f563c7f23659ffcb6ddaf6debe5cbf63048dfa6f72acaa510a07b83fe7091414185e69dfb76aab27071846e97cbd0c42deb486d5598525246eb6bf8c2cf17a26ca031280e2c1609f94a8ce7d5a55ecfaee95fe502ba75b22c02e15cd8455da4be8e34749933d8fd3a92e8c91545d8ae44c48caf76dac5af0cf4d585fb739cf006846ef28013d4833ceeb108d3c3d76e2ba675299264b3793aa99426fc117de43c5b26a39a6fec3f017c828c4878cb3de9c1cd3b4557b470470e5dd61638d222169b89129231f7c04d771a098e5d360afe15f00d1a3941001157b2d725668f09db8389ae017b884d82f31c5274fbcffb156687758760a7bf5efc21489f5588d5eff16aea78c961d16044978cd1e15d6b0520d509d64eb34d0acff27e9bbc843a5f07b050049478ee8b4800c3aa25b3c3986f90faee858390bd21d40a5ae5518d449f4349c33ed2ef77d4f594416df8b8aa4769f583790675c85b74977bbaca9eb0001fb4d38d004aadd2b1212d71824faf70eb35d37b88c1483e0c513351cc6a96f48da5e123bf23c7357d0881092ac97917a0fda04d68e919cdc14bfce9a504b59988e0744c527c6ca012fc0e806725d97e7196ed63467221bfae9bde78a3371ec3fabc52432ecf3add26e2d5740453975fa6ccba1a1ca64e1856280983dca770e5aec55a292dfc8d60c59150572417b9585f3d0d028f8ef54b879b983c673f36bf33c495691554c3dacb219d1b3aabb77c701a9fe2b79f3fec3985841c098db7f33c2f64a4637526df36d0497901bf17441b11df49af7afce7f11bb992429e049920a2ae93adf187dc9b584980cbe262893d6da020b3e84b11062ffb2eb4370fe7c68c5b2375bc5377c95f7d47b1fbe790a617df9d3311eb2855b091bfb3c4d5960ee7ab7e2ef833ccada31d0415fa56de62e33d3476050f322e40d898ab966aaa3faf29b7576233a5b597f05ab953ee157e8a9ae9ff7e7f4efcea426b2426b40df20ac9c56080050a88c4e0b627e7fcab72709618f23bc30f63215671650ad7055126df8e9d5894ff2129ebe0f2074ee60f412a0ea368a62186c1a2ce3c6173dffbfaadf941910a77d8d013637a510103fb781b4ad95c6320b1e259703e5147418e024b97a304175af6c7e2ba2708a2a7005768a6a475cdd8b65c37d882dd42a1f31c8c6797316d19396616888e57058c0fa70356520ceda8253badd156bad4cc74b63702f1132ce29dd711599ab957e4f09cda0f71808c45f6651c0282100398e0abab578cbe5aebebffd544824c336691fc6c2f0feb1907d708896e915999992725221023edd905c66fadd05156ddd39fc228302d1fbda83d3052bbf96a530ec951189b34ac51306f2a5cc4bbd4979f43c6855187a9bf115cbb15ad21bedc8a505493553bb9704118e52a803bde217803f2734877b625564b1d1390e5a7a0d7c6838d7c8a0f09b81e954209f315dfe476e95ef36c6350b913b748b69b9914fbbf4dbc4919133a890286565dc3d5b1ed0d491c673df11d6e82ff4bbe6298ee516d5a8096a332d6936906b35cf03b36a2df001f1cf58c7df5b4d1a37ec8c4163850a41019aa15e7b9cac356e87d0d3744e71498eea23100656721f41be651ac941355403e84975fc2163fde1ec199541ea9c0f45ad189a64b07a49218e387e553083f8f1a2096c8b55f21895451f4e3d607c845d5f86fffe034c29e6207603da460fbe69eec80968707ba7804b6e0fafa25a8ef4cac1fd4a7e000e90f89906aa586ee45b34aba766db57abf2ba7779c3e6d8e88095b4aec9f81f07ed616a58860282da9cbaaab5cdaee3b77cde4d3bc1f61616d8cfb095d05a360016630a723d2ee3fafbf74716ed97df36e709e9744876b5665ae84dd239daa58f7bc689bdb0214ecd7bac0d1f13e986ee03dc5b07efd92986924fe49535c550bd4efbd631b319d8cfa60ad000456c5c8351dd0c9c812b16cefea750d35989b2333953ac54ec64733ab3bf3b98bf62d4adc1c2389f9aceb7cfbe5b3526f161e4e1860fb043a483b36278c8c3fa2dfb21d2d216fe813f4fb0c96e1270e3feef00df3df0f25c0578c3eca37e925519cb8451b381b5f452e403b0a571e78c68cec23bcfa14b978dba5d0007b0a060bc0a6b6446c5bbcf6fba1f31d549f63c24e753ee851854110c463909facf7354fb30e2fc1cf2cf4782823505dd6ea6853990b40f7703738e186707afca1384d39cd30ff25bc3ac7476698739137683483cb9593a18f2e7a2195dbffaba168f51f3b82d4d9339a8914dff488354f71e6283c5bacffc5e5668745811f15f334080272f29715c8059c47911bfc8066c4feb9180d0e7ed1b6e5c4885f6db509feaf96381ef281f66aebb35b0f639be82d10280df678083eb412da66076c139f1789e5d91dd2aa099c31a719485a521d190a3556b1559cf5e5862064990c2540f70ec709b147f670ec4669a76b252d6c68e98ab9bead60028ac8f3598381798fee7e3bddccca417e9469d8219b9a2bd104b052126539ce27f44110ff3b310e3eeb6719226fff933a456817178ca865981bf6158475ad91c8306a98d9240aee4a5781ef5b548444ad513232062e5fc6a9c10cf41acd1a0fae4ca46cce55de26dbf1dfa1394555bf4907cbb88f23640906ec5595a12c00abefd823ea3c0c9e53dffacdc01678d379e399a285e9a6eeab11fd920da5d3f3fd4570296f35d1cabbf4d833d8370c7b7f1d68fa6c30dec51c3ae6224d419016aee99146eec748e71e5bba1f4ec07bd6b5ceef330f6cff719012e86be63be5f1c2676cb86345a543bb001e1e60fa1fe7726cbfae98d2d088f79b4e2ca7632de4dc31363b0cb1db17612126f3e0b7039bc9848b8375dfd67f672ce15e94592ce52b3d83ceb11457c226b711a6900430925a3d1007360c0bd113354c2a56092f62dea25f06c0a45657df4ebd6c93ceca91e6ad287698d9142e610dc31e0edc7e117e5967ca0dd7d72edbd1b0cccc9bd012866b6b42a00ec27332c53fb42d17782ea7448a188f1b1fc310003b3c08a4d0edd0d8e4514c0e8c6a743e484e67cc567043b11b7a28f664a390e35e375f3ea5f9af370db89008a9620124295bff6dcaad0aad978a90483089668530055ed01669494973a525e2507e368f41e35caa6c7a9b9a347678918c1464c51aeaded8d2fabac704b3497e4126aa80ffd8366d089eb829528436f8408691f64ae564c555afdb471ce9971c1476ff8e314e01d6300cd97e9666ea7d4ce91e7fb6c738b12cd6eec86f2ae8fa6faae03fc147fd4259cd8840c4316ccf1831120a441334075126d3cbe9c9ae2bc984c348384826527b2b9370751ccf1c5b8dbd508bfefcdaa7c09012c240eba8710200df8102df31d49e397bad7c41db3fd0b11e2d58d69c160b68edada2301cc4855b2bf751c07d5162b601427d2a70187bb4ccbf38a9bb509b1e95e34d8157552a4d51f052512c58b5a8fbdc7987e6e6d03ef303cb9544c28af612794f1ab3ac399053dac5a78ad0c159226c5de13280a45e315d02f9d57de65e343cba601e7f372562572890b2ccd0402bf174e91a49fd1a82b4d70f42e887bb2124beb514bd5dc178189826f5dc04996c8d0ab1e00333d1baad800e7dace5dac9b1a6d3e9eeddfb06eb9d021da3ee3e5b80d36f8e3e2babfe5e21411d29cc3a47ee5c033c5810cc6036eb7761ec2d570907f57a89432aa5ea3b18002aed45af1ff4eafba69bc2ba9fae1f5828c0d2fe13e17454436b98b9128612070fc42fdb4a83e3884dad5206fe49836206fff5aec8f36e468673a4d419988b1f8b0e370fde77db563e9f798977eacd1428cdcff4855ff025588630fbfd1dbdee213edf20143e7d87495919967da730e20d7369cf812a096a3a77bc3acc8fe2697778a1993e73b96b6e9cf5e2a680c4cf5045c19779af65b0c4c2101b8499b66635ac7b074de4827c937d4b2144deb344daf0f33552acb406e59e24e3f17e76683c5f264d0c12b3ed015e39c2129d0a2a7bf748800f3f29375ffe53a215f1ca76d4185eb6430fca52b1b4e8abaad6948f49bbe2f58ccb255444c2ea0617459bb1cd11c77573f29e128fff42b9d7383dee3036c7c34685de68488fba427066e6d184feaf9b6e3dca6ec4ee4bd87b59845461dc4c70a07befb2a17fbf5c4b127d8bb32cd2c09792a29a100b37ec0d62bedd9ab6a2a884fa47f7b2cb5dc91475e6a8bbe95de2b7c54b99975b86107d00fceec3bf785acd908059c71a0b37c4d57ecdf918dc567c235a252fc0d3e7311d5060bbda2fa2dcbb9e2a84ea50c2a1de298020eb63567bc730bc06ee0f610cd7ebe3bfea5477e4c76b686263bb3e240f73f80764e605aea1c767b31e2f77beb6250139feb949ba6af4e56ea5bd6b201596dfa861567cbdc9a048b79724b5f93d817c42a45989a7b7f8e49baecf6b5f81e5d778d17604194a803912a184631eaf6c918ed1aa34037ea37f15c2d1fd675847ba9b16119074ec58c856258ac12d0e680474723d0a1b41ad59adef9949369d9ba17e2d16935efc7f2c0bb24b1f933689df77e183dbc78d0d2bdd3bb021282562e9cae066c19c6ff6ed937586fc7834ce0f688ee770c42c1a8f042f1599968f080cb3f29bc2deb019cd061a210980483884cdeec6a54aeb69e198d394ec80bd3cdb6ff2e90e19b711dcc9fe73c7ac6ef3524eefe0e9b56ced894237ea0d7fc9c50d219e0b69b6624fb5c27bf938e655f2816b70336830b70c01df6f58fb07a0209d79da97f7bc73d56381648863ebe5e4e72469f8d02c227a640bc7b2a84fb0a3b628beaca66e29338c62e6cf134a13c5c0c76b06c9b1cd5166d8368575e19418a9f0b41eb646b66ca5de4f85e39b7183c2b2e39621d09e24b7c6a9c7a0b2f7843d1cd2288019e5935f0d959b431fca2ce45c6122a25f8451c3eff5b863652fe856f03e56f7ce669f9c2b20f4885a6514932091a3ad467ad73e7c4db7f7635f05520d172a55ae8e9bde7d4f0790f31ae469e9ff633b3dcd63bb4cc5776c1cfdd3ebb19faf5d37ec857aecd0c0a14f3f9ad791119a6e0861afc4a827c8873d9316af3babd298ae000584e4c947670e7cb888cd9af9d9fa36bb17cfcdb2be0e6423eb9948c7b08b8add3bc1b2578a185701db77a87c74b25a9d5a4dd1262942156504d288bf74975dde80531a29be7f3b9362a17d36916ed99295f01d25f423be0bcd24ae71b56b7835048407ae432c079551a7a9fdd9203b9bda4a9bbaa6f932512b23086053eb70e6db4feb5fc1dd3474c6e2755cd03812ca2f0ddd01fbc505a2a4b6d3653cede0bd63657358d713d2c076279a72597671e6b45ffc1d5ce0a11fb0a9312218999f432e64070ee505cc637ac54b2246975be748cd17983d2e8ebc63960093c238bcfa6f6d98e50ba2a5dd4acc357b77eb441862b59df2e8c7b12865b7f8d336deff4e42392e2340bc0ba27f3e221c96c4c98f09b3fa62def716896b7b685cd78a1304c131f1d7320646e9f0da60ee129bf56b760f569fd847553270ce60b6962bc4376758c099d3983667b3f4b37175e085e621b73d28a8884448b501ace6ecf3be8f5410e9560c4a153f773e5816a16d77791474dc02b5e44ca40f2b3fa0ba4cf69e1d3ed3ffa58bdd1976941cd88c7665d5f1a20293ae7281eb9c858f1ccafa6b9e2d16ddf14b0e8bc56910bd9c170a3f46969aeae83a6c2b7bb02b4651b90fe316c404e5e0b8cd6363d2933f53f2b6be570ad72ca7c0dd8909804deecc3b2c2abaf5dd695bb8085a7318c4b9a3f3468980e96526fb4b3a8bfbcd89232d4ade8ae14383aa254c4edc4448f75ba51ab1b63ecb8ff02587a0c25eb0976878ca245fa70d58bb8a56f9dc7f726adea49aa5eecf5087a85df330d9329b9089be25fe216f5746cff8ee17e22dc48268cfbff7db88df8f2048d666aee5a25fc64b2076e509cbeafea5362540cc154ffb85e022aed55f22c3a865706d00d8bf0508a12c4ab33bc7cc661b0de5281cb8a8b35215ea50ecee65fc42baf1e2ebfe549070e954e5280cccc113ea06e48c1abb208ba48c018e4b3bd214091958ea188273078f3f43ca9d482d1541027d235a291f72f5abbd6160be8bd9ea1e8e87daf3933e629d99a6f536ee85f4514fecf6a9be044df65ac8d2de6420bdaaff29ec2af590d304ede55cbefd0f1dfa012368fc7da4bcc43f4040a00606ed6e8cee7a1a733fb9f4e4a3d39dd62a53043c23fcb9ae0f260ca77525f1f8b9e4b53f1572fea0dd579f5d3de96cb300990d24ffd00c01a96a168425f538b7c0a04048e4bc559fadbf461dc10eb26105e1092e23c57b5c0fe906efbdc64cdd9d4daeab477eabd30ff426700650faf5aeab5a5edb39ad18a49697c1c29166a4ae704056f67d6f3fdf174d52a9ad8738947822a5d69f70c971f5d0759d663575495732bbe53900a7144934e11278a1471c29489196422e23e07f0954b8a7a0fe1262e611a962fae36c6893c8fc35606416b7049523a3b27f0aa3378e3ca888e56006dfeed47b1274b870ec2470a6c32a72ab831310e7884100cf1a9a87d045f8693a99ab2c6abab58c87d38943262059d36951401f2ecd0c2afd11ffbccf7b5eb3b45d848911c8f5da3ae10185de80a9001457cd03cf15f1e667d789c263e5b7ee8b95dbad22fd56df344b5a07cf1a84059ce5884040616f5163fe12acb2343a01c740bac58c3d45816f9113487851a3d67acc211626234678fec377f7afadee2687def5ef65f8d316c506ef07918a55bb919d04d95f4c2f37ba9f2ce1c9f65e9e435dc4049dea903f57ff9c609c0c6c9a8924470ae1bfe1cac21e9303d52006b88a2a21519c4ad0502b32451c840ebc0bf78a02ca51164df957b980b76131a21f0799f093773423695e89609b08699bcf66ea6c08909c9d1945727b6fab78d7348c046d2c925a90d14013e538d0fe5a3a6cb7bc05558a2caa384535ea01b1fa44f2f8d91a13c20c6fc796b7f4f3bd00530504497a33d0cd43d194a9d36443a167ab1381ba2ec4a6c5ea54bde58161f4d5e88cb944a99fa113a4738c9ba8d520727328d3035ab3a0294648a1e549885f8d060363b67e3b4d6c8e17063839700a878bb9e29415c6009d185b00616462ad8733abddc5fb66a13e2d492be440494af5fbd982c12ffff9ee7ed7613b942bfb40a871818980fafa794546bc62ad79aab949356cc6b6b4cfd5f13324e3fdcbceb213e9055bffb4ef67e7ecf4d78229bd2d4c4e817f3991f66446a9632d3f99c61a41ac708f0341a61839d426c6d07db2f30221d0a50937b0e64d2684f311f394017d1d9bb05ab63a0fdb95cb8dd8cf10bc217d601f0039f6953e01416a4a66c8b248871b7dcd93ccb0a756d3607dd81e0733f3d9c58da7883e2ff6044f978fb64debbf2468436fc576df84dc8d2a7acb2f6f94b923fe5f2c29e62eb6b2bb02a98ac4b44801d166dd9d3a45047060a83c13ea8a8d747e7416874d8f9de5b9e3711edf59bdb1a906ac6775a11e64461c51391d0e5900c35246d5898851fafec54ee6da841ac3239f515dec9084146fce2dc38062370ec7c67c690b598e34b3504f24856a4c92e9fc2dcd98682ad390ebf1569008d86a53d2cbb46dd6f48561d7e54eca5027e1cc68c9b104738b2c239d380a7806b10d799480fd17d534c3d33c183c184a2cb165ea017305e02a5a1418ac1f2b9e6f37fb2b06664220b1509b95db08472447b2364d324d4fbeb8a39bec86cf4c381b93b1f0fc2a3907f1dbca18a885f29ffc69612bc1ceb0aa65b0c86fc3425159ebb6c2d3410589c5bdad8c85b437e72b990ead2b0a656e1b18b864b6469c829dce5cc3ddd6a534f239f72e61fb41173305c0444cb7e71bf66301285a4b1c326013eb7650cb97bc33879fc53af139c5d65203a06565eb491623f9d01f38c20fad887477c3c897a58d75ce9ccf5b33c6e318b64914320a811292c8a5bdd7dade67fe6158ea9a452899ca8e363e7325026eced4d1f510f9fe99bb35ceaccde1284d1256e1c657478966af1f581fdde17cfa903108740ec643d438e23c7df661728410e26534bff2a629c42726e3cbbf0830fa6eecea92ee5336f7337959c22757c8a481442cb279f7b2ebf73d6207c87cbcc71fd4570936ff60cec2597d0caba6c24505a011120ff4359e77a35c704060ec09466dfde31c9a5552967c9d41d6b5484b9947a4c04866b085631f2c688f249e1a9cef8f8d7dfb0752b6d04c682e34f0f89368cd8ae6de1f46fa90dea736dc56c9565b3bc6ab1c99c1b219916a60cd7ef95162cc8e4c19ffc9dffc79a9fc7658af59db546103dca9fed676d9e246be5458972a5f9b7f991ef74bac17dbb6349b18a867055210e747fe10aa877790335b6e922617ca9a825093b9fa1d92a765421135f5322343d70d7a1eee85e25d43b30857f784de191fd209eb328ca17bcbbe17f9df9201585bd0fd5413173a5bc7e09b4d41b89e00c448bc590b5ea78d787eaa70e90ddeb7ec83df0f94766c7fce2dca41b45555210c3424a1ff71b924f5d374aaf0a28417f01f8fb38f507c9bdfcf2404717363263d4ba5ee2b57a588fafcfa81e77af210071e542150a5fcb5c84032cc8cecbac784ede31ccf78d25ace31595abe299c3a9143cf0e6a5421f98fc70d8b2a9d404f70d9464d38cec8518c678da77c6d32fc6732b82d9642162c9945b47237b1fa96f516a12d37711afa7ac3149de3e147b676fd2020a6f7340e1747878ff8339d0e436fe6c44b9cc13d66865f0ef78c0313b1a54964d932e0a255eeb788f9bec9c9d14cdb17ee4ab8a9415c6a516b298e5f2bb19aaea809677fe3ca1f6fe379d82af2255f3493873c3cca96b46c4252b29d997f7d8b05d83fd0db8ad58b374054671d9ba3372e7257e9795e5ed2b6c21b98f54416601ef5d22ba906b5dadeaf952b40b446b6965a0f84ccd93e11ee0462b75c357f1f47ed7efc519f7d3fae99f3eac2f3169183576d78718f5f07249622ba2853b03d99db24781d1336fa6bd039916f30ba736bda9482e6990d7a890dbadaa5c36fc2ea79a57e99d800d54b3db698adec96d75affd23acbb4e1a402c52ef59e48cc717a9fa04fea72577c6b6dc825d6bcf8b1ff4e2e1064e09de3cabfdeb9a804220055b5fd8fbc60d7c1db86d81d137a8545dd822f57fb054792dd5bc1a673d02351f0d09076fd99f394b107a8287e23fd47c684c09b1bfc7287753589c071f0360abc0b1870983828db840dec34ed2d3977a99880a512ecc0cbbd5a842c7597ba91bd10cf9b9d82b6565694db3b6bfe3049ecc0719eeac0ff956de008f1fc3e095acdd1b6d76567267fca8d0526ff198f8a7dee7af67bfb0f674c8c51e06da102aa08f0d73ca63cd1135c79b72fef4cf4b0ae5300194c91be269cf0e729b0ffe34ac3e87573520b9d7feeed33f7264ab19a1a9002a07a9459e74f3d4dbdb7010de67d56b49a7afd816e90bd8db3e282649cea4cf96e8044cc15a607a85969a5cb62052047bdd8716cc7800a0f4f92ee515acf1e068af64907542e0d833f4fcca81b88f4afc99daf777f44d7f1b7bc14fd5ac30aca0a3a1136d775f9be1e259e43a33efa92d8e2a38b6bbb1344cd3058b581a77e497ef6f747206887219eda379212aa893bd693ca74b98a8624567950afa8dc75b910f707d4227fe5f407ec06add953544054680a30e30e460afb165b739ce10a0d806d1ad369d17c2a9fa67ca49463bdbf5581518646a8a1f46e7c10d9311c5fd9519a040e88d67812ad7306ad13a6817fa91f016b9cd6321c28ddf7b57aa4d36c414d901d8b8350a4902da56af888988c543ff8d30881432710b0cd93913eebce252ada04a504b277b50793bffe780ec51681b73f38e6e098178a2319373c9aa32e57e5ecf5d53be5b41302b13cd4749ca062f71f5391e4a6302ce6a4021a5a2e7a7d7e537a4472cc90ff898577f9635ab57d918ea1443d1e94db1d4f42f16c0bf7b88086552a99ccecd153580b37a40d05dfceb922a740a435195f7d7095d9e136dbdb5c51154c2d98269ca29f796cecb7aaea9b8629280d722aea4d735e13ef5b50da91a51998077bec4d6630a7fa7ba6b996f55776beb117cce0f44d2de362d142411d44a12ccd690637a29642ecfa76d3515b651cb2b47eaca44f9ad4172069691f97d87cdf231867e651834b5baad1a87410e7188877a3a9bc30e7e7028f084f4f602095d22495b1b3789b8115277462fbee611fbce26602fc436e52782811a83fdddc29cd0948176e6ddc1fb20ef539f465dae209320bffc49dcbccd6141735bcde6e90dea25d313acc2159cef4a977feede337d126af12642570c3f3d1dafa4aa734a9ec97883aa7805563392ae3692448076039e95fdb23ad27293e2e044fe722e82f2a80f401c17b056445a27ee6525aa0280703e9ac24f666aa447727c8e0c2117fe84733106e8d8b6ef1ebd2ffdb464cb85e6537d3a1ce0daef079729e00b75dde985c8b4e5ff39ed768baf69bb6fba7cbc68346bab5e07e0cfcfdf17ea873db4a10b9a0845a7da2ee146c88739903a61e87da3974da83338e59db18eb7cdde16443271e204e5193a5a658105ad69608c28941a1a58be495fb5b66c2797083c4da316a566caf0fe9f0d122481313dcb40e45f6e73fcce912b08bf35b865780e92a86995fb169bd2564592a541009c460b2b8ef532ac4cb0a0c28f41e837ca4f296ae872d43d1639d7e880a539239838d15410422ac53debcef066781c9551a1d4245eefc618d5f819cc6de91fb6e3ab4cdd55baddaa5c4956092bf20fd39cd9f13f5970272329cefc904faf4b95682064f9e7c235160b17ff87ae8a452863170e6854b378a2cac06b1bcf6584057225e9e82cd76ebcbcf8978b89f95d1f80710f3f85eaae35d555aebf8b3a7dc192e9d035883e48bd1cedbb5dd70bc63053f1d3e2502c687da0b2b2d09ff95afe1d454a0165af4fe149c7e7708789a51771b383590f348d848222781f5d23a13d5d6a0768eaf16fabb4ae400103a8b68aaec5993315e5dce9150356d5a5d9ccf963f9971a22a431ce151a528f3627aa371295933d74da006a3604d20349d571a71dec3af79158a29863fb516a69ab2936f15ac5a1e8a1c901a30fd6efdfca1762e2ffc267551edc1fe582c58b1de134ddaddca936f338ce7a7c61d64553b371fea1d04703aa5a96798a360e39adff43f608b2cf3e626b6cad1b615b8225d51c99a8d91aad0e4275a3853d644e0c0453f634052891f77ce3766d133ce1b3685e82c993017f7e20bcfd9c3ff9e62207b889f2aad854b8b9353185d3ccca1af6f98a952f87ba45dd56856e8b91ba67b9e95663fb2ecfda1a953f1b373e731fe14514c1fe6feb9d7aefeb9c72e237fe750e286b021b12f2f3470775e38f86d99ae256b500ae06e6bd33851c5de8e49734919ad77a3dc99c04a916d75f64c8103bc513979ece37478f32ceb385ba987f616c79e35b8f419cf813a396f2f8638efadc6702424f25106cae8792ce089625982f8f6175a83c0d502567e24bd868305ef1c113a908382c35e51b3b2d3455973beb3c3dcb4b3f867e87bca3621e9edee712ec2eda06ef808d20aa88ea51c20a427a6e3b8d0d798cd46b4bab9f09c2371bbb479170d28e4cd5173fbfb32c58e3b33beb5cbac26aefa553e6bc98d049957d9d20ba6794b016edcf4059856b6b44602f5c91a397dc7dce701145c9a7512ffbcf5b8c5de35b9738c75227a2c2b86c6d00d595d13de5d63ba0c5313b327d626c46a1023b47a3414ba063e531316692afcb464898f30e334f2ad437cf2e78ede222bed0118b9378ebe5f2eebecfec51b55336c72af7cd7bd503b4e13ba507cc10aec9e3fab46a42fc93d841e7040c1c45757b2c9b75551aed45c39ae9a3be7ff2818378f89fcad04f1e4a7244cb0e8fea960466b6d67d023ca01b101d207e2b08e3091868b2dc882916fba7f4dc883a081e1446f48bff91499ed3ba6fda318c11a56d6e0df4628858e450de712a17b36bf959244aa7d5b71b4f83a19608701c55a1edcba3ce6cc5761ede1cbac28e48e96395e37996072b838aeaa1a507914060f9d835bc40962ee362055eaa07a36583e1f350b4efdac88aaf247554947620baefca68a740ac0693293d053b1154752af6395bea8ff05c867d3647b1fb5c6d8c2a6065c05338db99c4896fc9899632c73886a9fee155be0e2b012a1d31efcd96da2535271685386bb09037c363938cda4919cc0f0db76d9a0419bbd16ded970e9c2a8bdaa25c024e62621173de3ae3118d690db6b23bdf8965f599e70cdb4a44fe2d9334fe2dfc34fb63a0cab5afef9782c654a7ba5fc4abccbdfea0585b73066f105686199c5c3fd13191b305ffc9bba116e3063a01c2bdc0d6aca6d95a76a53d0d022c72d40b9c268ab0d5eb9fbbf781efa916d344eb4d22c2403b59a1655bc5827ffa5926945c2e13c5036711d3bacf35554325cd6a9a3f1da4687c3ecf20cb837433332cafefba6ee791bd78396ca64c752b0230515a89e5c5d584b6d2025ba090e0aaa6de2bd6c6bba32d4fcc8ce8cc040dacc0f75bbb1a43072ab981f222c4d48d5a888e856052b3ecd5ae5cde7c6ff6631cecb0e920f1db6a40d60fd37b5b4503a24f030dfdf94afd37f08d6244e4c37ed8d5ab3d229a314ffccc2d05c05d7a895a3b27b57c44b469c36e909d8bc5589af26a030ff9ec9f45d281b08e5176b119120d5c68841e94f2bc74a0e8818bbbdbeb3489a2036c2b457185f25b3f2a0f72d11a40e0f8431b67a559450ca9a3c3e8998500bbb746a7d15406a89f00aa486be36b7e0248dab71cc383a983701c770be9ea70332fe8839f34f33389182d3349b5be265efb0d9ece803faab889efde2c18fa37ff736bf4e011c9cdeb4a71e04397c7b67038a6a09853cd9045a83f2a36f7c62a5906787bc3347db0c6552e785493dbb4695119c45aba903d73f58379b46823033da9d5a74862f6694c98d507471f238fea16263cfcceb5f1061cc735d4f40ed5704435bb4659a58cb7c2bab516b7b46f7fc68263bad62f93559c7a5c6bef183942c6a651e64991056ab2b0fc6f103ad5c3a021b002e96f5c09981d75ced07f9750723fe002e043734d130d666e37fd72ec0414eff98054a77fb44ce0c1bea093b6d6922a2842ff9e333a4ce8b21695c9fc1f58116d71339e2b655541f2bbb8174ab0378b1f68469a0893c6a290a8462a4164c19b999efeaed49ffb337d4b786bf72597b4682906d4e7c58c1c50f024966e8a2441d08fcdc15fcaf388c3988314e93278d1fa39b91965c82829836d9c22587cdb7be2d518388ffbba61ae120e75e386f572408989b108f769c6ace10812cdac917764c0ac631f891e001977608e09dfebfbb1a390c84ca6bdb7d08bc23aac46ffe8e89616326573d6b861e7af102a9a09899e746821c62a70f7b6e47d9d99957a933784a66f71dab914094bd123f6b57b9bf0d8f942c754ed21180dd38d8559cd3d28036da5c821d67c3f33e32a95863554dcc5ad6a67cd2ed63afcd6661ffb8afbfd86e38d2a0882d7eb2c1995c3e8be9df3ef31c1ff92267e53f008109b59553a3794192f2b945fa28dd521e82dbd80071d1f8159ee0eaf7e04979c59643a410f69c16e038e9b9974a5d5f0d04db5320595e7286cc20a135f7c3f06855db3f985958de33c99724f34136dddcf4230f06ab0d6189150bd3ef4275c485d60f115c4027034423af8d595dfa719078629a171892e8e97ad817951a7d12dd0b6a070745f7f33d6708bd0e4bf96b62b3114b2c31d5646dc9783fc2b5c3d9c1871345e64442ea1dc274994355fe9e7bb477f4cc2f63dede30846d1f0333cdbcb3a2ce2685ab6d9ff5f9e8ac22526e353c1cb050386cd80157872e6fd33f3a352e127f9f03b0c58f306e2299ac54336192cb65d61459e8c5e4fdaf4e1f815f1dd35e598b187634b4b5a1d17e54ed3876882db49681a8b07564238fabdea7b481dec429d898771b6f10e3aef713cb52b432ff6647952595fa14ddb744b8b3baffcff95c69f86d98553c2274c061b24465145954f08fddc17fbd06024efdc59982f2413dc8a09bf84fd315be0bc4f9fc83f7308a57ded09451c07c7052685f43d8781ba6b820146efee62911a3cea2af607133f826abe189899aea8a554524bc90ea81c909598358ec6d841f5aa3d5aa38faf66a69eedcdefbad39100411667fca557d8e6a183a290fd6c1656eb67a3bad59b2628a40bfb7f16a60d565b4df7518f9ab1a3fda9acfff5994f3b48d4d303cdecfab18864933e1f2d77d9d07f32e0dfbea74984f5ebfe0e28f8ff0e3dc949f892b181898a70a61290473e3ff322511cb25018616b7830cf7828b539f1cda5eda421a77a4f34dc2ece3d012a7e031b3b3eaaf2520035d689a9d0b35f77a4d163d5ae33ca8ec8ab74f5f895a0062334d1aaaacf869d070b33803002a2c50e41c5dcb42af9a98b0972fbe0d9f543dbf92c79c4080f3f5b1cd3a7a13bab0c86d48b3cb3c0016939a3a1e875f0866bf0a053cb0cb527e89155221bfddcc8c2200b0b4fa887517bb0d6ef7417361cf685a81470b53aa90f22101aa3a926efe83f6f82def95a6fc0123a3e8ed577fecc958471860baa78134fd1ffa276f205f1f41292a45d74c143e0898789956a878660fb74f24b5ef5b7066f5568b1ad39ba66ee284efb6a3fb2e3cf06550af9223b198474158519dc30547005a12b095356d67612e7c7639f3efb9da9425f15e93d952097059e11d286a837e300e7c7c67da42c47e19c1c37f09c941654aec2ab75798207596e5fcb2dca0405821ddde4739d8bc7bcf402da11a46d5d7c8aedfd2e0d2c3e187a3db26b608c07addb5206ba6f1f1922ee3d5a689efc5aaf2becc6e6ac83c420f35346eafe9d65d9348c1baaa241f5e90a15b304008d258230edb9225a4f3f2f2c328100f0ae083b64c385bcbec52b1d263317a2543e27e1a8cfbcd425b6f13d4a7b5ba6b0009cdf99125219c29c97a108665880bbd9809857cb4441bb02caaf34f31cf6d2b751d98f3fa7e229f09aeba8da4cc396b132e678f2c3a1a71c4601259cfde243d13b1cabf650d5f5ef2faa3e2925d7bf7b1602f786474aa85600c48bc50d4c2ef126f88da7facc41631d91c7167675c4c7555aeab847095e73daef2b110213ee9abd1f43bcf074bf6214c8daf7ea4bd3dca44cc04dd106d4aa4e17c5556e524273d57621c4dfbad3fac05fbff48ce7479f4a34bf05d009c5aa5dc415403d903f18a62b527b646bb800596264cdd20f8663836e6ee4823eef83fc90b890b2ba1f441d6594e3a2b764202be34a15dc1c1a6399f9055a0751a5eb3eff25257262bf27e5c91d53cc33a8a0e3b4fd4be4954a61e912d02f7e42ca26579456305ef9d5edf57e65109d745cc6526326966ecdcdb23b690fac363d9a4e61501651e97ed3b164ec1d58daf30139fb4f5b856d001c82600084aac2f65a67752b44a64c65a9af1d9d050d884b6d3b0a6e495d08fdc5b67acc63152e6bb7b66558f0bcdd8cd52a3007082462bdf786b2d6596ad3e5d2e4efc80875f819f93377a9d2b7283ebbd98dcf462394b77ce792157b648469effbb6349c0af274eb6b005e71828b351f2aa0320c757374361d9be9e04d30ca24557d44fe0de0ddedcf59c7c22febac138bf5913c53681fcab740e09392a257276cb0a8538201bfd3a238a620fc714c981201755b0c047670cf0e1d2c8f9e116f19d711a5d43a78c77cc1e7084436d322b03b2d9eebda2094b01f61aa09345f870b60366c2e32f7c38bf57e95b7a76f7bd5ed902c9558f4f2b55b87933e043dacfb930dabca2d00ba026735cab72c2d10b9620912e6b48582e2088d919d36f84f2a376558595f434e27da3f516643eba5278009fc0af7585c52a20e333d80644e1800a8f9dbc619ca4d87d873474d27c70e018bbe694bee0928ddb5c2f88ed7b9d1ec75459d6e3d0d8dbc2dda88a0b35b16e443ec86c733d7f8fcc774f7f8400c64758aea438ec1f800fcc70af2511f54e174c101ee72a040028834bfac6bbf78b7c8c5ef1d6a3cca08df064601e4f4cafce2d26d334cd5baa401e89aade3b8dbe256b07b2b15da20ce83136d6a1fcd3a0545398d1a3ff27920df26a4ea53bd46b62eaa12212ab9b48150c7f26cc343939461051a1ed5a717ff7f3f8471c3b1c315cef2fa33f6fed031b480bd05a0b36592b4a061780dd5a1adb76471bf4c768f09dc422891398eabea866ebde0970cd634a8ac85e5ddac09909b00d5b024019dd0809fa622488196bda2c8501cac5415b2f42df1d4cec743b58cd36dd05769ba371e9626715fa6557e44126c0f6e3886c76ee182cdd8db6817ebf57ae3767679d5d347590ae28efa3d51ed844284dd7a3c6b8daf5cf17648bae74621ded8340444a98d36f9f86bd3b7ac5aebe7db2798f6871ee973c4e7146c2e5a6ada7bd4e081317edd6fa82840bb02737b25e2f2d37c145335feaf4bf7bcb863609e344422a75a33377de82db1d2e89156909667494c575afd7a30e570f571f45aa4b3eaa0544cb4971bdeb9495095903c05be6bd3d48b1a0f0eba67bdde5ed1004b270fdd3ca46a849be0c5427384cfb8b8827f36ca276b2e02b1ce4ebb4c3077f2402e08467b14dac8dd9137ff1f20b87d2fafe78b70bd250f273b46f2353606545a595fa8b0afe82ee588c9baeb579a9a0d68231c30317ceb06e2885e0be5bf9307ad62be3cc74ad21126f342474d5bbecf1b9df9efcf5240533ed19c4b952b04b6d2f57ad565596566cbb3d0935a9d7ef6af4215d067e682e7f194a17d7f537abf8509757bdcac47a0d264c089f8d31b8dc6ebd4c51e05a4a380213d72776b7375ef6759070ea6c4b0975ce483b365b1ad8925a7685c21aa1e38303a17a83db2500f2f1202366867a70aee4ffbb7f64f998ee79326a9e7d3f1895d5b39304e1fbe9a4e2a95063514e8db3640f1bc4b1018511512763184c49e69e6219a39aa0c65d9355564398c48bc665faf834e9d3b35e3c2794b8523a06ff580b73e93927c2ee2b5a68e7af12c0df76cfb72f24ba717cffc14592227f5f48726812f6d06e7108c61ff5e68c2a679a2cd1eccb9d6469fede21b6ac2bd188e1ac79e432cfd8fc06cfc2e9985f19ad1e9fc84649bb1d768dc85e9a8c74a283cba8140b3f13ae4e8a0e650abf6e946293d7fd8b3d98eb1a3365c68670eaa851318ea50b5f4ec499207acbf2c1e28e8239dcd832af6c9f050e01bd2d6a65b983b0952343aa5824df5b1dddf24af562a15e1efec94f38018e9e905b620ebaa2d4ecb671c9a668272148a1029020419900c32345fceb45621129206628ddaf4d460d097feb4524a7f543b087f55adaf6ce2404cdec2e0da4073bf158cb061a3cd2e2d6bc193edf35125e6380f3dd2a10269b94626477aa940d7f2c740c08d79ab83bbd5cbdc733d62b6f50ca08eddce08cb46fabb40d81599564756896a8c6b8474b86e194f34bc1664a8245d20358b9aa9b619d6befb9a1d2fa7f87cebce8518d618dc31ca6af00c30c875469990e62fa106756c984e8b384d1bcd169228e1e028b19b7bbe636c966f15f4993fa1d0bbac165b319e11b3bb653ff18c8e8e6e7c26f53a1918460b80c3466ae138301bc263fed9e59ed82488ed37d7ae370b323e2baa836d5bf87e4fade36e8182dd235b0fa38be1156d821048f06ee54707a8bd202d7fb6d73a37dc1079eb0d61249fb57bcdc51ba21a13f80889d270db7747cd95128a547700a32a4fa2c117c328c95ad81c7d57899a2d9cd01d795eb925b6928bc7148f56959a57db262d6c46f5926286ca0cc778179355c3dc0772e203925c72b16894e4eae48b628bacbac2f6d527fad457f167dc7fe20a27217fd253e5fb803a6d587a4177b90fd55e76e7ecea831043145f24160217dc2cdcde68b186eab6c78794d99f25abc4bf0b1b8f64df5b92f5c0583584ba0c7451216f5becba5ed663b49e5e9ba17418515e9b12702930561389aea4ca1d645d493003b88258587ce53f9de6c9bd1d29c39873a520515b7b9b734736eaba21860a5bc5802d524663ea0441e5f1a71417e5af8b036fffcc5aedb09abda12a88bc2c4cc1b3bcccdacece020fc1345809b9d659071021915dbf850f1f5807199d135558e1f37d5608163f3907ce1c0c3216e0468b62c2c5b2d4c026d343bcc6acf9e188bb474bda03331eb8c119b296f780cc4b6d108170849cbf802b85bf3b583a78186d1c76b4035556a5fbdf5b3d95d832265f5283665fb4d650b4c313924fbbd7161ef461887e4ee60ef0d26178c90cd8dd5bac26ca4231b172c86cff288be31b4875a7eaf94414010f1f8ce1ab2ea4a8ae51a4d7876414e04a6399e8b8c12c10de4a59a798ff5932454409a4d64e2cd28fc994aeb1f96ee241c7dc71f20a28e6ea3aac87008a1d071731baa37119377a938b6760e90e6ccf1ba26399ad1c5419722e0961dc16c194f6d8d0c921edcf271d84f1df7f20c9a8b390d7f5bd454181749002426fccf842f25b07c646c78071e6dbbf26c855bba2204e65503c453275d58d830b7fe5e04476fe1d7b88d726e4fee9dfd6f155c1082a6adb3dba9f81633d16d4585f15a71714072c38e97afafb9fdb85e5d18c2fc2be2f85fce80db35190ef850915e216c965b75a5d7b7d75e9436d1496d40f385bad871865b74c95144bbf5f4e733cf39a4667b3517a9b179fd60b6c7d02e4187bf266fbfcd3a555c61880b59ac3179e7248b4b501a1c8a67a87b627443ab9427d91695a1bbca27b09a0e88b2b9968c0f6872b67021dc6b93402699f7be2937fed5f5cc664afe57a68e9ef7811cfbf72116d6a4e050dc56db2a484ae22a2322a4b33aba2fe2d8f270f2ac6175a37fc05f936aa5a9502d718ea0519b063addb687b8a2945b1f7dcc1dc377709117d3c3fcfe406301c74442ad200d8fd72d7dad3a0ef34af37f444f373a6b296acb1c023d307eb9f33476465da6a5d4875b60eaaa6366c1e45c60cd043ed8348ebede7cb58ca8c4b823f0efdf9dcf3a24acbfaa23d9ca964110a656efe948aa8feaa172df11cc749af6d4808d0715c40cfc31ffc83c5dc26eea9b503300cf2821080584ace77c1c22992abd77c257b041bea87edff370bd857516dafcc998c27bfb2899f516e63cad2d4b97b58554d1f457dcb1a43bef41a9f9e00d1f1a9aa5488c006948efcec3e6183448e28ca9ec70f85d4afbc84f742f6d639d64bfd0e2c4721fb746f9f3d50794c5a51b6d8cf74c95396ee57c1131c5caf2bce0314a1a0c0edcae27fbd34ccb6db2f4755679ed7e21fe9fb4b6257afed28c86d9d000a3ad989996fda79cffdd125c36c0108a88215dd7b68e763efd14c8888e5ea7a7cafa842ae419d013e32550d467ec72facba1131a999fb973fdc77d76184c3876fff2220bc3f293baa14fcf8315a5dd87461aa446b1f585bf804f43eeebb45f755a49fd56a37108af205106994b0a30b92d853aca01b08edfdceba37460d785baa842a0e014143a6816943d4c746e339ae22fbcefad54cd876c9721f79cdc707b48b8282616560bb7245952aa5a0a80d0627677ce88296e5e8d91216d91aa6b980299a172456e8713a08f4cf7cb46df2244256f0747905c8f9490d2bc753f29f53eb0e32248d658338153a23586fc06cb41d93545da831cc73a97cac45983144efb09791820b68b5a05cbdb2967b0221be3cdd0bb3e493861cbe2b505cd296d71002ba11e3749f81ce84e4239172eb043ad04d83ab29cbc646f02a21cf22b63e28be274d71697e01d74c40bc0243859c74d2d6fcf45d2e6deae21931eba501007f11136a784e2743fb3b4c58a4c925933fcb6aae70006d7c9947db1d49e8ae26547ec64b77f8e58539800db9254fda6c0de54024a04edded1aa263b933c5db6de29ccd02ecebf204121636ca285a3f1358745ea28ef53b3cd260ef5a3dd5ad9a9f26a7bfc7a6fa68b8026bcdee553011bd9c1411f5138df449916a526f494dfa29d3f4d08fc5d76993cc2dc6a71fb94fae9958c95c684c69adc7a33af55a096ac14cdd99f8dc951e0ad53cb12a6e52c01bef466c313e806008a722e798d278104e056ed8701383c0d6960a85b203ab665be95650f03b45a2ae2b241fe194879cb4fbce18661ad70092fddb5979249a55060ade0148ccdbc5a1c47509199f539fd74e6c705ccec6ee6bcc07ecadfcbda99294ee8ec35fa2072547b3d54e8f339232e80e18e00d01abbefe55119c01084ad075b06fd573901551a1576f4df8c73a6b20160c63d98a8802079aa51391ae4fcf8ce138223547fa09065515756e4184c7f859b8d99f802d31e2da840ad0e13072e2d347dac094e8276249b1cb66b0ea95e79a255348ca1f5d9d6631994272fc1d25a2efb5dc9e5e3315eba7846e276ddb311bca3ecd13ceaf42f258dbad670f9228b9b62c9fc28df72cfc05dbd117d2f9a5f66ac329bfca68fd66af9bf6d49c52a4f5d35185dc7d19e3b1c1d9a4a2ff515a2b7ade65ce7dc7d84e8c7fb2013baa48501bb097e74aaa0f9a10e1ba698a15ad9c501cb1727c225f770b742bc101dcb45a1054e054d39c871c64bf44d3ddbc5ca6c20362e1709c096b554839937e72806ba932bbd348abd9201444423f210907b321d953756751926d59b2c3954c1d321d0a598237657a2b49865a14a21d50d2f7697649893325556ef9de9af181502296d9c9471c29750d00246ca90745bf393e4b40b045ce68351b7ef195c2cedfe60c4a643135d4b1c146a9f764a05588ea388fdbb7e0a07469d003f1c3817fe229d39acf69f9f63f9e9d203e8947f63639e8816d16f87a9062eaea6b1bf2d57f1dc7fb8e511df95bd34fc5f8e9e0fe705785859938ef704947aa68e192f44188ba2387e32acf6c356b0343d6791cc28887e258f855b5f22fd6b0c48f448a85695c19dd9e9d117b1345370fddfc3c0f074b8cda33e8b12b69a70cce686aab2fb702ad970d49058f9bb0195cf9dfc6486a3098c1c409bc66467732a948ee97453be7090beea529173bc69b86f906636c9a89a269d9106093218207e78307ce34b24f61cab92850ae7ae92abd89123d34696e3b86e6daf2cb27ca2e9c3574f3d7bb6f9903bed0d5a76fcf945967c8d02deee5e26023eec937dc4c665a3b95a46fe27a125ac513a1e9b6d97f4572435849683be2bd3a4f973be91a1298011fb9bad90981b351f20f2fecda24b6412bf688cd19331b4448606b86c204e9086bd60e2413474b522787128624ef3ed708f0cf82a474524506e97eaf27c3eee13d88befb324e0ee8cae3bd2f1bec9c95a717842b6fb6dcf74e678a6889f4d306b2889eb40d1eee501055cb0f2b68e6730b59fc89e27d8c0ccbc6dd57da3c990f0b1b7090ca5c5969bb546665d0981463b268bcf2d83725bd61114b66a2d21fa2ba183010f4aa075a2df40d2a4de6c73c56d57a915911752daa98eca7e64e62e72c80bfb4c5176e32ba239ea457ee72ee74960cdf7e91726724483739cd19572d0d14ed600be04bf25b54335315d2b07eddb30542d9d398a44e56d74f15d34dd073c4b87c0f05ac0446690c48e93e8f41085568f41754c27397b077550849265c03eac67ed953975c7a1d123cdd6bfc4da8c16ee85ca322f332d80b8c5638d0f25878d2f9664f43cc4efd190d3c57f2683933bee8d3c3ab25e145841019f657a8887c9691e35b352e1547c35db84fedbcf7b0f8f63982b8174f809f02a9944a79675ce2a6ad7a50a6cc380c386b1e13022bdd9408731354bf2fbd844d26a51758ee37c2090ca5d5c2cedc3490adb2b00beec91f7badceddf00b596da4371c5f21e7869c7d3ef02ebe332a24acc1333832bd64eae04d96eb77ff106a15d6f1275175b9c1e3e87a8017804b740dd544025d8069af671275c96c52fe85c56b0d55c83d127554a4a49cb104fcd1c069d35c600da83e26a785ec86f71190c67785640444e000d89d1b03a3594f2036f951b0ef2c31d9ac6149778615b1f96e9337a791f218b3d90ab77836a52c8ed4fbabbb145aa1e10edc237983538ae6232fd4590221f41cc87a9715ad3501225e44c047839f1149afc50e9f8d8e80ce85529148599305d51c4d84e4ef9e5216b3e1d86b536a36df872b0fbf57804ae7340c4a0f509adac8c646820c1f92dcdc9039b33abe70625331cfe9ad242a4944be9580b962948d7d1c9a8c2eee45c658991d1d9f5a7bd4008efabafcfa8500720ed95a42334e2df5b54ca6f0a6dc65763aadfb64d9ba32bc9a2b1e37e138dbb226dff4f6bc65c08a941129cff7505018c3ac2239ac9da7b3ce6619c23759e194b80eccba88e0bd6d033e15b896aa95b5e8b4fa63e89a41cf7f7a0f8237eb8078fd50408ebe041991d59cad3bd2da59050f3153a68555076b9dbc935bc69d8c6ba4a8497c2ee9031de0148827cffc5fc3df61bf2561679ae8241d3d0abd5dac562aa76b2c4b6e659013036c5b19aaa0bdabf15eeef12af1ee31bf607827b7a9ee7cfcc2dac3dc4d2045d67ecc0e54a948138bfea2488459c39c99f1a7ed5516fcf696815bc33b0704468d0507c26bfda6fd0e733db1239d73b6af42936e7ed4d9022d678706a76e8abdf94b51c9228148ed2cec6c6e10d22678c8a156205450a29cdfc54443018c3bb94000d106cd6d7c5fd98ff0e585854c3862ef19db40be044fe00b5411233a24f2be94d805517e9e55fb370f77eddbadaa9a299db7b704ab9ce9dc4be9a26c35b7f9fa1702836f8e5e4152ae1f27a380b44b66098ed1501e701c871be397da6c0032495450b36f4cd57804a989d71729b566010f1ed19d264b54d5b37a417863853f10e053fc8de35f8c684a488d4811f15c8ae270cb941f50e398f0e119dedaf8e937a72d54467eda18a7d73565bd5c0c694ff22f893acc77f7e500c43c91123e23af9edcee877531b6de04fae474b6c9452c8296433a82f99e46dcd0b6f8a9b13b943231c08598baea98baf13d86f5b5cdb8a2e20409b545272c3cf748d9a87cfac4b0e90d30f0dc401a83c4b564be0b92fd24fb50022c01d092f29562f2a1e6c481dd5f91a957116d7f55cff533b91fadbb8f5d15d38d67b03d7a5d95e380fa419ac06a1d2d4f59884ea6061c5f0660c631eb5fee35865e43381f13efb24791de1b6d69eeea23ca925633b99b5b98d22a0480ae4248174ba2328d9a47342a67db2ea7a9b48775db35c8be5dcc10f7dd84c158dbd4757b33900b164e621f1dbeae885dccc9d0a350b48a1e55f8757c978c34fe34a9bffb272394d6c03873ad6084810ffe8f5d1a3e272d56785f24b52f7b3e5cfc8944a22c9cd32973507497ba35a0462d46f0e674488d47f7d2a52a6921b3bbe9dbaef2958db56c874e6dcccc2499b7078b5c2d4143d964c1410c76426ea2a2160ffa27876dabedbedbb9ab4b00aabf90f8f70f2a851e441622e6b9413967e04c347aab7488f4760d3e8fe1a26b0f84a1ee5eb0aa541c9b8b3fcc5c499ba7bb24babfca2f1edc91a792580846619738a8cd6a956fee442d94992beaaa80e7e6be27f33a03c5e67766e3b04e57670209e22cd0ae0282a1aa7b65f4eeb48168d65ebe60145fb771a250b9f1c8f1d7abd3dc3b62c3bc864e1a4df1e2d36914b8172f2ce840bfe7c07db6205485aee0e095a193e695633bdd2eade76239137193afe18bb5986f03da97a7e0c2a9f4406b92497a6c942e84e72ba6bb7275e435182101c16651ca1d497e61d6bd9e1390c8d100305a890b3d54eac2449a6a261c26b9403257c4253644ada152634a99e20d8f909d753bee656296c2338282f0779330f2db7bf0ad7151ff0b1edca7f4e56ba9a0c1dd35861d43f5b3942445bf5b0df198bb93a3e7d69113d454e849571e5c80b855ab9c1a399291471c5053ab43969298bae96c65f2e0d990973b02bf3c5e4788577f14a7732bb67c9a9ccffc12e65f1fb5aa486e3ffd0f405ef6ef305f41d2e38bfdb9ac9e5d87ceafc0628f23c2fbb211c1b106e4a551f9f04974a1747212061940b2e3161b8a0901b926afa3618ee7f9ab2237a5b96765d201da1432193d54690190ce37b22853b8d8a03eb5a93776cee5903439ab358dc5c921247c92e4ead264b706542b9f66e743452a589efd8ac02b81ac9004252345f20afeb72c2548ad5c85fb428ccd0cd61782b5d84efa18d54f91d8c19ed5f746cb4cb8a0bdc087f3b1f0392ac959c1a04935c9a89145755fb462b34b79cb341150e06a4912157ce4e8e4f7b14b6254e0db2aa7f9c06280b28d32f9b617516d00b79b6445f3278b8fba13e18447070c77508c3c172c9a7bf302f39d9bf938e4fc8c4f3afb97984d7e7654ac7adb783f1cbb408ad80a768da3461cd87920052a16b806c4166c6bb91ca721af5b1249eb25eaf3f5996b3039f9535488d98d826db940109da1bd43abc8a7bda4e94024dd5ab0b65b7d1877fbb48d51484fda02e25571ca87da898572d98292267253e93760993235dc93b211d32324aed6c1e1bfcb6cf2260afe408161558ebd89beb20c957f057c82570db0fe3") r38 = syz_kvm_setup_syzos_vm$x86(r33, &(0x7f0000c00000/0x400000)=nil) r39 = syz_kvm_add_vcpu$x86(r38, &(0x7f0000016800)={0x0, &(0x7f0000016280)=[@nested_amd_clgi={0x17f, 0x10}, @nested_amd_invlpga={0x17d, 0x20, {0x58000, 0x50df}}, @nested_amd_vmload={0x182, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0xf, 0x9a97}}, @nested_amd_invlpga={0x17d, 0x20, {0xfec00000, 0x1781}}, @nested_amd_invlpga={0x17d, 0x20, {0x1000, 0x691}}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, @nested_load_code={0x12e, 0x79, {0x0, "67470f487f05410fc7280f20d835080000000f22d88f2978cb3d080000000f20c035040000000f22c0c7442400d0f60000c744240200000000c7442406000000000f0114240f0095bffb0000b98b0000000f32430f01f8363e3e66440f383c6e0e"}}, @nested_amd_vmload={0x182, 0x18}, @nested_amd_invlpga={0x17d, 0x20, {0x1, 0x2a0c}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x0, @save_area=0x4a9, 0x5, 0xffffffff80000001, 0xd}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_amd_set_intercept={0x181, 0x30, {0x3, 0xff, 0x1, 0x1}}, @nested_vmresume={0x130, 0x18, 0x2}, @wrmsr={0x65, 0x20, {0xc001103a}}, @code={0xa, 0x64, {"c4a1f9e6530066baf80cb83c050c8aef66bafc0cb0eaeec4017a705e4702360f01c9b805000000b9000001000f01d9c48299f774fd26b9490300000f32c4c115faba6736c958b8010000000f01c164430f01ca"}}, @out_dx={0x6a, 0x28, {0xb7cb, 0x1, 0x9}}, @nested_load_syzos={0x136, 0x58, {0x2, 0x2, [@nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @control64=0x2006, 0x6, 0xdd07, 0x5}}]}}, @uexit={0x0, 0x18, 0x8}, @nested_load_syzos={0x136, 0x80, {0x0, 0x1ff, [@set_irq_handler={0xc8, 0x20, {0x6a}}, @nested_amd_stgi={0x17e, 0x10}, @nested_amd_clgi={0x17f, 0x10}, @set_irq_handler={0xc8, 0x20, {0x76, 0x1}}]}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @set_irq_handler={0xc8, 0x20, {0xcd, 0x2}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x96, 0x2, 0x9, 0x2}}, @cpuid={0x64, 0x18, {0x1, 0xffff}}, @code={0xa, 0x6c, {"410f013ac744240072000000c744240203000000c7442406000000000f011c24c7442400c7d2b538c744240239000000c7442406000000000f011c24b8010000000f01c1400f791666b8bc008ec026440f01c5410f01d00f080f09"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0xa2, 0x3, 0x40, 0x3}}, @wr_crn={0x67, 0x20, {0x2}}, @nested_amd_set_intercept={0x181, 0x30, {0x1, 0x8, 0x1, 0x1}}], 0x541}) r40 = mmap$KVM_VCPU(&(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x1, r39, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r40, 0x4) syz_kvm_assert_syzos_uexit$x86(r33, r40, 0x6) r41 = socketcall$auto_SYS_GETSOCKOPT(0xf, &(0x7f0000016840)=0x1000) syz_kvm_setup_cpu$ppc64(r33, r41, &(0x7f0000efc000/0x18000)=nil, &(0x7f0000016ac0)=[{0x0, &(0x7f0000016880)="a600c07f0000e03e0000f7620400f77a0000f7660500f7620005003f00001863000017930000e03e0000f7620400f77a0000f7660500f7620000003f00001863000017930000e03e0000f7620400f77a0000f7660900f7620000003fa3201863000017930000e03e0000f7620400f77a0000f7660d00f762ffff003f4b451863000017930000603c00006360040063780000636400f063600000803c0000846004008478000084640500846022000044e403007c0000003c0000006004000078000000645b9200600003203c00002160000020900000003c0000006004000078000000645b9200600000203c00002160000020900000603c00006360040063780000636400f063600000803c0000846004008478000084645b92846022000044889c7f1385793c110000603c0000636004006378000063640cef6360ae43803c0b6984600400847832d2846464ab84609f20a03ca8eda5600400a578b640a564b1f3a5607295c03ce2a3c6600400c6780ab5c664b456c6607af7e03c4f1ee7600400e7786dafe764735de7606ed4003dea68086104000879843e08652b1e08610f08203d57992961040029792ea52965a33a296110da403d21f44a6104004a796b7d4a651ac94a617ad9603d84786b6104006b79f9f16b6562ee6b61220000448c30803dde998c6104008c79c3848c65c4008c61427ef31308db47fd6310e03fa71cff630400ff7b5816ff6760a0ff6326ffa17f", 0x214}], 0x1, 0x8, &(0x7f0000016b00)=[@featur1={0x1, 0x9}], 0x1) syz_kvm_setup_syzos_vm$x86(r41, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$KVM_EXIT_HYPERCALL(r40, 0x20, &(0x7f0000016b40)="e5b31e151b44d5a7e6d4318c23841cad911cec23f0d39a4bed977a0a13d9f9d106f592bf97ea28b048c1764155a698d413be9712ccb298c0b89ca67076be69d83491ff71bc7733d0", 0x0, 0x48) syz_mount_image$adfs(&(0x7f0000016bc0), &(0x7f0000016c00)='./file1\x00', 0x80828, &(0x7f0000016c40)={[{@othmask={'othmask', 0x3d, 0x6}}, {@uid={'uid', 0x3d, r12}}], [{@smackfstransmute={'smackfstransmute', 0x3d, 'wlan1\x00'}}]}, 0x0, 0x1010, &(0x7f0000016cc0)="$eJwAABD/7+DzLu5nJlfY4S8N7x7c7H1u6LgA+exdzvpOLzQAr7/rfNFAHfnAo2qv5nhO5QygY0GgGz/kSfj6xNYfxXqBteG7nY3Vty0ff23vxTYFz5UfxoeEobtaWv+1og3Yxk2dXn1o6J9IlvClC+R9nWENAi8UlxSASZiae36mhq8Kat6nAIGsC0+v7RYUEprkHeyLogLBn+MVGrdNeyBRrbDI7fMQy4hlDsd0m95OqrFRe5iM1xgZqwl0IMDrI4ZSv0jNKx9QDgV0rEp9L1So8BWushiPyaoTCz4e5Uj2yo8qTDvP2eRW7gNKBKwo7by8nVXMOs5q6SYOm+Iv0Ed+vcWM6nTFc5IcCKlso5ealIwWEVuGuuQLcntNAZUK0mwv1MdzFjUE5VpjCFUzeZ+Bqp6ZJW0ROky4mBP2IQpLyWkgiEeNDedVt0Cm3B5LNG+jOzCiZ2M9O3CSP6t1GXKptT/VKBXzkDe1PLRpcNjlA8RbX38YaiVLOImft3UbIXbJ6UCTwf56q7ri0xqqeaB2pnCyTqqt+4/2nIDcCY2VFHKbYFJiLhMICgn/lJc8JOQwYGp6OwNDTVu705XrFH7dmZ7I440NmPRWgJuf3PdCMNYezlwY2wQELRqQ8B8kFSjZfTgyz8Yg5Zc2+xG4MTaNRZo+JjSh39rorZs0LF1wrjL+8/xkDuEogTjaTnrvieMkLjxLU035BJKNxCGfdOmrYqrpWcQsn0vDpxuoPJyQKh3mDm5R5JllVa/1mJ41oob0oQMPhY7fxQIO5CgOclTrTC3mO9c9byvnmE0nx/oX6jmGDuuCW5EropfqF42lJmLHkixSlv2skDGhmYJkvwcaA3QaS/vpq0NF+CwKZ1yTb1vWiqPVYhq6kAPbzd+BmWbxJyaTCUc60UYku/9J+VLLGkEwgBjps7TEZGT/SjpJ/Kp+/sj4pOzilfGreaDQkRs+p6H3+CUiGT7uGxcegn3yO0D9dl2ZhxBU3AinBTK/+kXFCNs1kGUE+7HuSIzZguM+DYgxNwAqROiwIjcSewciAK2Wf9N9KI0y9VmbOZ1226Nt+2drpFz+eT7YQlDzHdnAEF0C6I3Ws1YBxQHwMmcgVGoi3kc2O4dpn7ShwIvxXyRKbT3d73cG057wE/lV8BKx2BhaAErPjDOQBPG+Yo+kAUvilaZnZwSn8Jl/Il8RVjaOBkKIm+MG8zn3zfsEQLK5nZmIXDY1Y9xY7k4Usib9kOQeGLC9uNH7N+D5GRPwPaIiyY32R4OrZIbQMRm8oggL72pGc6khaPF4ztTXMD0OWAr+FjIe7yRrNKkhlMJGWwV/O2P2ctHc/BEIxpG/+SNj7Y+nJFgpfqzUuRI0mkYxlaYYagpImXAN+kWFhLG9s0OpiMQ1ek2G/7xFDUuQWKDAyJEkjWxxfg7OlTaSfM5N+nHKE0JwqYkZCS/3Z2Yc9lf5QyzJCXNt6lETfjInwK26k5BWgCcRJDUE0+H/MTojXRdG0ky/GPg+rexrA4I5FUDtJGuo+U9iGviyo2anDfFO66SmwkayKqvCmNUcsokvPUX9VychADi26NGVAp6KNFS8rB4WPPs4ccGB/cBpnnIrdx/1VSDon2lIX6j0MP4qw7ANTOiIcyVCTp5d1kAfaZo3QgFDHzlSCor6MpPfSkGDc1X6AN5hNByYPhB+KDKiMY8iEMUQLWLg197oRysm60uJgZnvXypwo2fUAwuHZmFzxSYxVL39XtVy+ZC/zq5oMUJxgGghXOJ3qzbm3t2sl0hiwIpJsIavbCrltLkQbgqO9+gnrcqA/WYisTQqJmFhvF/VeL0uDW4f2JmfV7UK/7pDxcdXqmz51Fc75lwGUzrR9JcaT3RMS+6YSCUJeV7cgjxUjxAE+Mmg8joDl4OBzgKr7Yw0mfkILHHDiQiE0t6ZXyRFjmKpadhripIg9P6vf8H6ig6OQs7XYtR7UrB7UEtD0R9AJawbMG46HQuD1P91pkazs0+MGhbbzsC86JdV+KB6ypwnJi2LAVf2N9SSA94c/LIwNkE+jQvmU8OkJsKGUKfSzX7iKJnB0Pj7N2jIDRQWd+ByCo72c5juv62PcVDeC5nadSbu1qNH0cD93QZyMFiknlhFyBchzcqoJDmxFoPFtv0ajILAdfB3c7I00fgdnwyA1kgs0h805c9xWPYI1MrfwVefG2hkXh5QFWlOqEIH+kGkMGu2GmSHdrWnFANiGCSGwPNbGYPP26HXx1hOTFCX/7mNEtPQ6qFps3rYx0bYtpanB+RaP/D2sMkxjXEptqRsn4bebqtMicNbGFvGxpNGSieHgXvDzdj+jMa8PW+ueRmPh8cT4hGgxRh1I+oZTAj5ZXo43K6x63NGF9Wb9vih651f3BVcllqUwQjmwIs7Eu4rbrP/DwimvGEXUTmmRf3ztR1LcPhpxCn5Yit4GmH/AFOYTNyU0G4u3hcqqJPfT7kTxzB50dbbsAo+YHrHKliCAI1iYFUyS/PaxmtBOJSLxyp9bVmfXTeimZ1/W3m2jmuqR+uUpiNAbTXSzLwuBR6dv7V0jmL1Hez/fZuQGsJwG56GqBfsAENkI0zwdsTsYtUNb2CF/zeI6xDiVU82dP1hgLb0NIQEFMjLFTc4nL+V5aQVJrz03kirusjs0TfxDU7YmVs1qZGpkBeV6VBd4OK7lnJ1GsTp1lJcaUj4kv+/fRJYKLlO5akkR+Z3ztimgaLzbqaqnzi6b0YksDW/O4cElQc3R6Dvt06ScYinuhZKoTH5RRbUi1tXOLJilAvGhSKg0U66qxZ0SP352NG/zhRPjG2uKKpVjVfFNBDLI118dt9BUzHQxw2vQw4dfXZ5Wo/EPxttR6n17xqdTbvpC2EJqVIWLiqXWW8KYauUcvGWAXU5PV8slOLu/acjqsjI4JTDrowX1TO1G8kG78vov2HIYWadyuS3qWee1WJzPHrpfGGPMNV1dqs7H+Lacu9D9NSqrYgTaWrUhSDBHQsCfIHthMB+ixoSL10VCHAu2DEzsn9EUHaaMAheNyuZS2iCZ6Ou8oz56aCLrhm0t5VIKv94CyUr+KPvT1yfIK6+po48KKnXyeWalemDodSW2utjqCaLc3bjlCqyEmbuN047AWByKLJ1CeOtiegd9O/SQ4XfFaln5TDMTNyNvSHk8R7IyHrJxUpd2pbI026b0AbExUkZ1rxWsMgrXM+4Kc+puYlohv14Pip27mVXBmvX8wHm/xcn9cMPmO7AUtI22sX1cfHqmsIV0i+bw8EFJ1C2iRiB9FzzJ13usOTAWSqAt/VBQWFVw8fz/C+rgy4JFpsIyEEU+c7ozzOtGEXZnz1UKH6vnxuWQS82qdcKV+x+SxEhGUCi+E7hgDj+L9uwmYvxSU3ROChcPHbdlSurJ6JdOMpYdBIOd4sxcoubkW4E7gpGjH8v/1qw/bi3GnHWWEp9PHThPs+UvcTiQaNLjaXNy/mygcDnqR91PbrKqFA+lS8evPflnc068rr/5lFm7YLRAgPybtIhMxZ1cSR0Ne+9mKBqu+lvb+mWlAUP+B/QkEFLyd4hDgP3n4B570BA0Ym/AyqZf0OOE7XSRp4JaQDiuYYJn+h1r24mDDe+TKoImpQKwH5YSevAJ7zyifYV83MTBY9hNa8l+CX8XyjOd6f3MVDQBqBwMQ+c8h/FIHvEAKZp0etmEP0SZ4wdI6eENK9Gv38l2Fj1bsQZmNSxepZGFPK13e8vECMVNVPINct7gkpTEa441vJA9B9FMwAOm97YIke5BEPk7QLcrat9bOH0Mv4aNyy4E8Ma0T7Y3I7hW8b+KfmhvFuvz/RAVqy8vH7//qwyxRBdQ1B9nPL1QpynGJfBa+lxlrbafWkZmwn8Nq3Qew4YmsrFI2bREEQi85ZM1cgUkrJVCn9/F6bjj/m88+lyVVKX8ZchUpPg3XiPDYofdlJM9UxywD66ZJL5O0NomZuzB82le7sDmvXgMZwnYlyFiUSip8VW8JBhJMYctzhdH2UdjF/uI4HMF1GdIGCAmdbOft+bqP0CSSYw+G7G56aB+OApIJUBKN/vWYFKKSE3qhrn7islCofanfsBMSBfluYS0ReN/9T59a3ztoJwxIy0Z3IAyu5wn6NzPBepo6caNkGI7BIXmhoihku6wAly4Z41zm7oSm3x3JXFW9rzfOA/zPHwntvnziMbBkZHrsdM0ORaIk3UIeapRxmYoNRxcAzUemH9xyhlGPqIn/gHfDlQqw5ySsh924BD5pxtcdLAtgfkJ28Z7MAjYzSJXcW1pmsyPPu3ZtXcHDwwHA6+K0cXW/AZLz4swCUMy4B8DUZriwqFKAG88SwnDirP7jTHzRdu+bOLPVlcAImA9FZdAgI8QHMgg/9unXANWCMn4GSrM1YRDPNQekOgU48w2idM8EVqbo+YR6I55yuZYhzeNOG2AmPTrlPi/RDRs+91RCbu9xvB9w+y+zQhxCSbrbPBlZJV2KQPZuGQZMTuARhQDXgFnFKG/3qjuD7JC39qBsnyBnaOw9ysYwXFjRBcou7lMr4v+wITsxE6l1jmgciRAdn7CLtMY0H0ZhmqVrV3efe5KhAXXk7/pNYRlmdplCoFl3B8ZCE2ZJq7s13SyPg0cPy5WMQ/1j4NLBfPH/AHXMRh2DBCmj4I5HHOEn7MwydW7LMAzYbQCbyW2sAVx7Yp3sJ5pKRQ7SQiwjxrMR5mOgqQ4aogTr0LvHED4xh5sEpHdFiO2GW4pVEBfU6F5zCyANr9f0tefrSPNaczTct0Q8Doo0w4EwtTSjwux102iX46uWv6pAqZBURzXjWXz6atokVTFKch5TM0yExzYkX7LU2YYxA1c0wNaSu2lbxdx//2jnHmxnIbAaKDp5hLVaiLPnMM7mS56eY0PqPBj0J8AYTLRJBGiQHorAfoig5o8owdtkBtCYU70+CX2lbB/1geky36s/0qdukaxlxcUSdzBgukzD7qTGukVnZReLitvHUUsMmrSGIbvQ0xRx0VZ57PqZRGMlOQbmDujbnoqx+hNZdiwC1hyk74btWRYmANzjNiLm6IFu4YawCjBiIInpA5+8GXxdGQZ6rL39Q3bHU/ZvCyppWJkMyNgW4+rmuUplv6FzbtmHqdq3W1QXKzydm6rkzyKXU50Px/cktZlktrUExSKGSuMEfyYUT83ynuLaiw3obHNSsgVNCl1aSXiiVg2YDudR0oxMdQCn5GxpeFFPA8+N91Xrq9OomvQfpnNN1t9XVvwRMNzORED1ewBIei73znBodVO/0dzssMJbwctCGwCxkSGOwdY0VcyFjaT2aXmcpNOfykGqFYkGjbuy48+REaWwLH+c+qGwRi1FucoafT38WtXBUs+KSJLp/e+Z+opJ0Cf7bRY8YINw+dIpiY7sJy2IywyfPPgGv4y/Q31MrTq9KpTVOzJrMA2esB0gA1tBlbBafPddfjr/QndNIDyMnj6S/ImLD/UIG8ey67/EitGAMBAAD//4vg68M=") syz_open_dev$I2C(&(0x7f0000017d00), 0x9, 0x484580) r42 = getpgid(r16) syz_open_procfs(r42, &(0x7f0000017d40)='net/if_inet6\x00') syz_open_pts(r33, 0x208800) syz_pidfd_open(r19, 0x0) r43 = pkey_alloc(0x0, 0x1) syz_pkey_set(r43, 0x1) syz_read_part_table(0xa3, &(0x7f0000017d80)="$eJwAkwBs/6RRXCBt7GMlTq9EwjPgL5iXkmoXVekSpoe7ibH6oF/5D/ZAK8XpdW8CA5rjuSzcvCA++0N5lxGWHxXxqSl4LLmGp3bnsP5gYb0gZdymHwDFW8VDe5gP/DZ5nimHPbk4LNscZFNeCdt6zcNh8i/TsdVkCZ1V5euwB4WSzV6Wxd/mGwg2gTZ3887ZGxYH5DiblIuYQAEAAP//2jdIgw==") syz_socket_connect_nvme_tcp() r44 = syz_usb_connect(0x2, 0x745, &(0x7f0000017e40)={{0x12, 0x1, 0x200, 0x8d, 0xd8, 0x82, 0x10, 0x1bbb, 0x203, 0xa779, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x733, 0x3, 0xb, 0x1, 0x80, 0x1, "", [{{0x9, 0x4, 0x2, 0x5, 0x0, 0xf, 0xcd, 0x1f, 0xf3, [@cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '<'}, {0x5, 0x24, 0x0, 0x80}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x8, 0x3, 0x1}, {0x6, 0x24, 0x1a, 0x7, 0x6}, [@mbim_extended={0x8, 0x24, 0x1c, 0xc, 0x6, 0x122}, @country_functional={0x12, 0x24, 0x7, 0x8b, 0x7, [0xfff9, 0x5, 0x3, 0xad97, 0x3, 0x0]}, @mdlm_detail={0xac, 0x24, 0x13, 0xb, "784f7bf45593f2145d18e49bc52edb011422491eba8fc40ebed34d5d81304da0a35565ec2036117bec4b01ef8f75c9d54e74b45316d0e1672a97b631729bcb7dc99bde682891bd5954d945f412979ecae7ee086c3650d3f976a990edea932dc3085d9c08f20badcebf87a97ba36151788daa2e6be45675380139cb89a17f95a65c87a272b183873660c9b63cee55c43ae5df58b45fbe08f00a86c6b1dfbd517b7dcdca1c6c75cd37"}, @country_functional={0x6, 0x24, 0x7, 0x1, 0xa}]}, @hid_hid={0x9, 0x21, 0x9a, 0x8, 0x1, {0x22, 0x373}}]}}, {{0x9, 0x4, 0xb8, 0xc, 0xf, 0xc3, 0x47, 0xe8, 0x7f, [], [{{0x9, 0x5, 0x80, 0x2, 0x410, 0xd9, 0xf6, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x5, 0x2}]}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x2, 0x2, 0x6}}, {{0x9, 0x5, 0xb, 0x3, 0x1308e9cbc37c7b4d, 0x6, 0x8, 0x5, [@generic={0x82, 0x11, "45836f6c3f5125725ed5b96b96b2911adb85370ceb5989894bd83417ee42276ce80fe734db8d2d94f2fe8c75bfd042fb632cfa5d5254f9b0fadc885d628a0dc92e274c02cd3be0421b608e2c538de20b208eaaea7b51dc13bdf7f2e00a6cbd3030df9baca667e6ccc42bdc2f5d822a3fc298b060da91265dd01583221a09899f"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x8, 0x4, 0x1, 0xfc}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0xd7, 0x0, 0x0, [@generic={0xf6, 0x22, "67439d731f507017a62ab89eb7118e315aab47bce00cfe092f9b6b6527812c051d98789a341cd8579c0c0f64f353faa641372867640b733bac8b8800b7baf106d03b36b934ebf24e84f554e1489e48416547bb7c90482fa4706467390768598bfddeee37f96a286a2f726ed89e5cfeb0dca14945145d5727fbd9b2949f9528d01e948e6305191bbbdfe60f223ae3a19823ce4a8797df004c048b9c0d793d173e5a39afc5eafe8ed82b45d9ac82fdfd1ef590fa300f32a49684630a4b392ff580eeaeff43c607a95169525530c24b189dee913cf7b9e1c1bafb11771b05c784720c28eb001ad218d0a92c1e32071606734ed956b6"}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0xd57d}]}}, {{0x9, 0x5, 0x1, 0x0, 0x400, 0x93, 0xff, 0x5e, [@generic={0x9f, 0x22, "faae6b7b5cb60baabdbe69da80d6306cc5c48a7eeedd7a47a92b693f17794385e5df43428ff861b389fffa4e903a47cbec60c794d78a7287affd416273fae978b7313ebd0b4ba90d2c47c1a1a66f6a698dcad67c6b40c482a09d3b92c05422f1eeed158be373e6623f40f82b25697f8f7934c60a81a403f22d919166e011d31a6497a0c7a512e4ddd841b5441454c1e15d8a2ab3e78f86a5cf03e792e7"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x1, 0x9}]}}, {{0x9, 0x5, 0x3, 0xc, 0x10, 0xb, 0x3, 0x2, [@generic={0xb1, 0x0, "33e5f9756d19a3eb392ba45b9f381dc2b062ee3ce942a485e678a8ea13f6c9eac74ec9641b119d78a9e36b32327cfb535d6ee402917d7b92a3ef09a79323735dbed9b623ca4b83db0117d537e5c58c6405bb0fe33bda56ba384b95fd4687df0217b223a0a525062ef259591dba73db936a7f85b82dddced8216aa4bc4ed636a57fc6e683e3ceb10a63be63330c0ea4d2a5cff5db4ac71ac10cdce3f5bd50c29ca7d1558dc5ed7f06b21dd7ba9a0dc6"}]}}, {{0x9, 0x5, 0x5, 0x10, 0x8, 0xd4, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x0, 0x20a}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x5}]}}, {{0x9, 0x5, 0x5, 0x0, 0x8, 0x7, 0x7, 0x1, [@generic={0xd4, 0xf, "737d3a4315658a8ffad124ef25692125494e376089b70b3fa63c98d548319145d9a432c0a3a910835f2c89b97e7168de3f5a68fc6d3086b5abbd9cad99b9f57df66d7a2af8b11c90041dd44ea5cb90b08493f1cc38391ab393edca7afe19ada684d62c76028a4283d3f7c4b6a29530b4345f74fedf78709f1a6172ae091c181037aa8d41503c854f5d64a4e1772982edb2faeb1f1a4ffb5f1b62415e46f1bb27374d48245031d050dc5528c7d19e7d9f4f71983984e44a633575f1b792d06db2ada0ca60eb3896c7e517981d567fe7b58ad2"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x5, 0x47, 0xff}}, {{0x9, 0x5, 0xd, 0x4, 0x10, 0x9, 0x9, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x5, 0x1}, @generic={0x84, 0x4, "c25a3fb73a08d8b88a25e396fee4b018b4487bccabbffe8ac964097b47dd926e5cb685c9568c4738e1bc0972ad10f12789a9a8080d7a492630e9a155a12e267604f53773b1f3a603c19d4dc0f4c5ccee5e9571706e990dc862312fb3d26cc37b011d95f3159d13c4ac34ab084c1a0660509ae13fa6f84d6068b33e5ff1da2a32373a"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0xa, 0x8, 0x4}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0x6, 0x4, 0x96, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0xbe, 0xda}, @uac_iso={0x7, 0x25, 0x1, 0x8}]}}, {{0x9, 0x5, 0x8, 0x2, 0x10, 0xb, 0x5, 0x8f, [@generic={0x77, 0x53a54cd3d610e5f7, "e6da6832665e8fc36a0e8f94157f6a5fbd96ba6085fa6cc0de01635150751fa9080a8ce5aaa4e50bddbefe649a9885244d8fd877920b570d6913ac5ef74d87139a81215ace972e769b6e707e2102de593a661d408d0cbce385ecdc66d00e649dd5504e8b1f2aeedf02eb08bd9a2b2102f37927bfb9"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x40, 0x8000}]}}, {{0x9, 0x5, 0xd, 0xc, 0x40, 0x6, 0x0, 0x9}}]}}, {{0x9, 0x4, 0x1e, 0x8, 0x3, 0x90, 0x1b, 0x5d, 0x9, [@uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x3, 0x1, 0x0, 0x35, 0x8}, @format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x4, 0x3, 0x4, 0xf6, 0x80}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x35c6, 0x1, 0x3}]}, @uac_control={{0xa, 0x24, 0x1, 0x8001, 0x51}, [@feature_unit={0x9, 0x24, 0x6, 0x4, 0x3, 0x1, [0x4], 0x8}, @processing_unit={0xb, 0x24, 0x7, 0x4, 0x3, 0x9, "d6e5bec9"}, @processing_unit={0x9, 0x24, 0x7, 0x1, 0x1, 0x6, 'CO'}, @input_terminal={0xc, 0x24, 0x2, 0x2, 0x204, 0x5, 0x9, 0x9, 0x1, 0xd4}, @feature_unit={0x11, 0x24, 0x6, 0x5, 0x6, 0x5, [0x3, 0xa, 0x3, 0x9, 0x3], 0x3}, @extension_unit={0xd, 0x24, 0x8, 0x2, 0x5, 0xfa, "cf521fd9778e"}]}], [{{0x9, 0x5, 0x0, 0x1, 0x200, 0x3, 0x9, 0x6}}, {{0x9, 0x5, 0x1, 0x10, 0x0, 0x7, 0x3, 0x1}}, {{0x9, 0x5, 0x9, 0x3, 0x20, 0xf, 0x4, 0x5, [@generic={0x30, 0x30, "9af3fe7151c3b3ad7bd1a1c8e2ee7c9495bfb52094d1dc13f41f06a76b111ebf9089a2372b323499e81536ed22f6"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0xd, 0x1000}]}}]}}]}}]}}, &(0x7f00000187c0)={0xa, &(0x7f00000185c0)={0xa, 0x6, 0x200, 0xe, 0x7c, 0x5, 0x40, 0x6}, 0xec, &(0x7f0000018600)={0x5, 0xf, 0xec, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x7f, 0x4, 0x10}, @ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x19, "3708892f9f7225be3a6009559965ad74"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x20, 0xc9, 0x3, 0x3, 0x8}, @generic={0xba, 0x10, 0x3, "2a0452f8e56ac2ffaee6cb1fc6faea4298664f032676da02ee36cac0df472c05b6a895c87b06145c8cb2bf1563d915fb7459dfa37e7b010a2307d76ed4c75a0c1962074d24f9836e05df965fdf4e2460076f7f109708230872abfc7b89d4e5e08d5d7b3b28be99666169e4beaa1ed7099d4ead2e0aeab9e01ff1bf20b59a78a6d9852989b4c4732550c70f843daa0c88d82ef806ece508cc9553fe8134cfadc5769bff046dca8f1fe031f25dbae923962256a0d962f081"}]}, 0x2, [{0x5f, &(0x7f0000018700)=@string={0x5f, 0x3, "159faef02b246dab7cba3efc4a7fed8d174bd706d48457f261ad8fe88dc0426fe71a32291ee93575bf347cbfc21323b208f15a792abbf3017092aa8e551fcbd851ca7390612f9e5848738c872b638738755adfa7d432eab1cdf11246e6"}}, {0x4, &(0x7f0000018780)=@lang_id={0x4, 0x3, 0x41d}}]}) r45 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000018800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r44, &(0x7f0000018a00)={0x2c, &(0x7f0000018880)={0x20, 0xa, 0x6, {0x6, 0x11, "11be6906"}}, &(0x7f00000188c0)={0x0, 0x3, 0x4b, @string={0x4b, 0x3, "54f166c504f790b8fd2167ab4d2207faf4e0d9b9068564c8fee82a31e2a56d9b863c4188c802bd1e737993ba22a323795cb0b4f4e94cb796758840f7c88898694a059be76c0285d691"}}, &(0x7f0000018940)={0x0, 0xf, 0x1a, {0x5, 0xf, 0x1a, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0x1, 0x4, 0xa, 0x4, 0x10}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0x6, 0x0, 0x1}]}}, &(0x7f0000018980)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7e, 0x0, 0x2, 0x7, "3c6895ab", "138253ae"}}, &(0x7f00000189c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xe, 0x1, 0xb5, 0x2, 0x6, 0x7, 0x9}}}, &(0x7f0000018e40)={0x84, &(0x7f0000018a40)={0x20, 0xc, 0x2, "d80b"}, &(0x7f0000018a80)={0x0, 0xa, 0x1, 0x7}, &(0x7f0000018ac0)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000018b00)={0x20, 0x0, 0x4, {0x0, 0x2}}, &(0x7f0000018b40)={0x20, 0x0, 0x8, {0x1160, 0x2, [0x1e0ff]}}, &(0x7f0000018b80)={0x40, 0x7, 0x2}, &(0x7f0000018bc0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000018c00)={0x40, 0xb, 0x2, '~s'}, &(0x7f0000018c40)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000018c80)={0x40, 0x13, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x17}}, &(0x7f0000018cc0)={0x40, 0x17, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x3d}}, &(0x7f0000018d00)={0x40, 0x19, 0x2, "b362"}, &(0x7f0000018d40)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000018d80)={0x40, 0x1c, 0x1, 0xfa}, &(0x7f0000018dc0)={0x40, 0x1e, 0x1, 0x9}, &(0x7f0000018e00)={0x40, 0x21, 0x1, 0x8}}) syz_usb_disconnect(r45) syz_usb_ep_read(r45, 0xd2, 0xde, &(0x7f0000018f00)=""/222) r46 = syz_usb_connect$midi(0x0, 0xde, &(0x7f0000019000)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x10, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xcc, 0x1, 0x1, 0x9, 0x0, 0x9, "", {{{0x9, 0x4, 0x0, 0x0, 0x5, 0x1, 0x3, 0x0, 0xa, [@ms_header={0x7, 0x24, 0x1, 0x0, 0x7}, @midi_out_jack={0x11, 0x24, 0x3, 0x0, 0xf5, 0x5, [{0x4}, {0x7, 0x7}, {0xc1}, {0x3, 0x3}, {0x2, 0xc}], 0xd4}, @midi_out_jack={0x13, 0x24, 0x3, 0x2, 0xd, 0x6, [{0x13, 0x80}, {0x2, 0xe}, {0x1, 0x3}, {0x8, 0x7}, {0x7, 0x4}, {0xeb, 0x6}], 0x4}, @ms_header={0x7, 0x24, 0x1, 0x3, 0x7}, @midi_out_jack={0x9, 0x24, 0x3, 0x0, 0x6, 0x1, [{0x2, 0x53}]}], [{{0x9, 0x5, 0xc, 0x0, 0x8, 0x0, 0x3, 0xef, {0xf, 0x25, 0x1, 0xb, "8dca6f86ba1543f9fd5417"}}}, {{0x9, 0x5, 0x1, 0x2, 0x10, 0xa5, 0x8, 0x3, {0x13, 0x25, 0x1, 0xf, "fc2ab7fab02e86b9c83c1a1c2ee5ba"}}}, {{0x9, 0x5, 0xc, 0x8, 0x400, 0x3, 0x0, 0xbe, {0x13, 0x25, 0x1, 0xf, "d9811e1ed3642bab8c2a71bc25bf6c"}}}, {{0x9, 0x5, 0x3, 0x0, 0x3ff, 0x7f, 0x96, 0x7, {0xf, 0x25, 0x1, 0xb, "0ec3b8efc022fc1b474cae"}}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0x18, 0x5, 0x3, {0xe, 0x25, 0x1, 0xa, "e3c106c54a63638a2e82"}}}]}}}}}]}}, &(0x7f0000019280)={0xa, &(0x7f0000019100)={0xa, 0x6, 0x110, 0x2, 0x2, 0x8, 0xff}, 0x3d, &(0x7f0000019140)={0x5, 0xf, 0x3d, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x40, 0xab, 0x3, 0x100}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "5699f3928d2d0a00633f2b02584c016a"}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x0, 0x8, 0x6baa, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x6, 0x0, 0x98}, @ext_cap={0x7, 0x10, 0x2, 0x12, 0x5, 0x3, 0x4}]}, 0x1, [{0xc1, &(0x7f0000019180)=@string={0xc1, 0x3, "b64349de30b23e683c87b0fe59341d26e0e391acdf6ad0571acc05f8e5fcfdc3936c96d99906c4c1e5d9ce59609e60fc394029a19fec981cfde7e9d38c1465f6a04b5b0ee298f5f21e58f71b8f7100d1bc55ca97b1b3ab63485b92e16630ae0c539315c25cefc347d66d80c2531e81af67e179c16966bcb8e998e0cd1b3c2bdc6c049946edb3eaafbbd9b5f0fe7c5925b619e8e7cfce1a62c4d2ac459740065e9f9eb72202c0edae4bfcf5d11b9314581d63e688ec40c037a3c41c0220bb1a"}}]}) syz_usb_ep_write(r46, 0x3, 0x9, &(0x7f00000192c0)="b72534d84209a7a862") syz_usbip_server_init(0x1) csource_test.go:162: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_cachestat #define __NR_cachestat 451 #endif #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t user_addr; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint32_t flags; uint32_t resv1; uint64_t user_addr; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; static long io_uring_sqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_SQE << !!(params->flags & IORING_SETUP_SQE128); } static long io_uring_cqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_CQE << !!(params->flags & IORING_SETUP_CQE32); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0, volatile long a1) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + params->cq_off.ring_mask); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + params->cq_off.head); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; uint32_t cqe_off = params->cq_off.cqes + cq_head * io_uring_cqe_size(params); struct io_uring_cqe* cqe = (struct io_uring_cqe*)(ring_ptr + cqe_off); long res = (long)cqe->res; __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return res; } #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_params_ptr_out = (void**)a2; void** ring_ptr_out = (void**)a3; void** sqes_ptr_out = (void**)a4; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); *ring_params_ptr_out = (void*)setup_params; uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * io_uring_cqe_size(setup_params); uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * io_uring_sqe_size(setup_params); *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < setup_params->sq_entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; char* sqes_ptr = (char*)a2; char* sqe = (char*)a3; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + params->sq_off.ring_mask); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + params->sq_off.tail); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sqe_size = io_uring_sqe_size(params); char* sqe_dest = sqes_ptr + sq_tail * sqe_size; memcpy(sqe_dest, sqe, sqe_size); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_io_uring_modify_offsets(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* params = (char*)a0; char* ring_ptr = (char*)a1; uint32_t params_off = (uint32_t)a2; uint32_t value = (uint32_t)a3; uint32_t ring_off = *(uint32_t*)(params + params_off); *(uint32_t*)(ring_ptr + ring_off) = value; return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 74; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 56 ? 4000 : 0) + (call == 64 ? 200 : 0) + (call == 66 ? 3000 : 0) + (call == 67 ? 3000 : 0) + (call == 68 ? 300 : 0) + (call == 69 ? 300 : 0) + (call == 70 ? 300 : 0) + (call == 71 ? 3000 : 0) + (call == 72 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[47] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: inject_fault(1); res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/0, /*ring_ptr=*/0); if (res != -1) r[0] = res; break; case 1: memcpy((void*)0x200000000000, "threaded\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000000ul, /*len=*/9ul); break; case 2: *(uint64_t*)0x200000000040 = -1; *(uint64_t*)0x200000000048 = 0; syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); for (int i = 0; i < 4; i++) { syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); } break; case 3: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xf503, /*arg=*/0ul); break; case 4: memcpy((void*)0x2000000000c0, "/dev/bsg/2:0:0:0\000", 17); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul, /*flags=FASYNC*/0x2000, /*mode=*/0); if (res != -1) r[1] = res; break; case 5: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x9360, /*arg=*/0x76ul); break; case 6: syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x111, /*optname=*/2, /*optval=*/0, /*optlen=*/4ul); break; case 7: *(uint32_t*)0x200000000240 = 6; *(uint32_t*)0x200000000244 = 0xa; *(uint64_t*)0x200000000248 = 0x2000000001c0; *(uint64_t*)0x2000000001c0 = 0xfffffffffffffff7; *(uint64_t*)0x2000000001c8 = 4; *(uint32_t*)0x2000000001d0 = 7; *(uint32_t*)0x2000000001d4 = 1; *(uint64_t*)0x2000000001d8 = 0x200000000100; *(uint32_t*)0x200000000100 = 4; *(uint32_t*)0x2000000001e0 = 0xd8d; *(uint32_t*)0x2000000001e4 = 0x40; *(uint32_t*)0x2000000001e8 = 0x42; *(uint64_t*)0x2000000001ec = 0x200000000140; memcpy((void*)0x200000000140, "\x39\x70\x15\x49\x5b\x43\x3e\x06\x2b\x4e\xf5\x49\xb0\x56\xc6\x05\x30\x06\x14\x82\x48\xbe\xe9\x34\xbd\x6a\x20\x8a\x2a\x61\xc7\x9f\x4a\x49\x35\x7e\x53\x65\x38\xe0\x86\x95\x7c\x37\x7e\xd1\xf5\xa6\x46\xb7\x40\x17\xe3\x05\x84\x21\x44\x81\x2e\x9b\xba\x29\x01\xbf\x44\x11", 66); *(uint32_t*)0x2000000001f4 = 9; *(uint32_t*)0x2000000001f8 = 1; *(uint64_t*)0x200000000250 = 0x200000000200; *(uint32_t*)0x200000000258 = 0x3c; *(uint32_t*)0x20000000025c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000240ul); break; case 8: *(uint32_t*)0x2000000003c0 = 6; *(uint32_t*)0x2000000003c4 = 0xa; *(uint64_t*)0x2000000003c8 = 0x200000000340; *(uint64_t*)0x200000000340 = 3; *(uint64_t*)0x200000000348 = 0x72; *(uint32_t*)0x200000000350 = 0x23; *(uint32_t*)0x200000000354 = 8; *(uint64_t*)0x200000000358 = 0x200000000280; *(uint32_t*)0x200000000280 = 0x107c; *(uint32_t*)0x200000000284 = 0x10001; *(uint32_t*)0x200000000288 = 7; *(uint32_t*)0x20000000028c = 0x5e; *(uint32_t*)0x200000000290 = 0x50; *(uint32_t*)0x200000000294 = 5; *(uint32_t*)0x200000000298 = 4; *(uint32_t*)0x20000000029c = 1; *(uint32_t*)0x200000000360 = 0x80000000; *(uint32_t*)0x200000000364 = 0x4000000; *(uint32_t*)0x200000000368 = 0x7b; *(uint64_t*)0x20000000036c = 0x2000000002c0; memcpy((void*)0x2000000002c0, "\x31\x8d\x74\xc3\x26\xf1\xd0\xa1\xdd\xbd\xe1\xb5\x12\x64\xef\x98\xbf\xda\x4f\xb6\x9c\x29\xe7\xe2\x6f\x55\xd0\x0a\xa6\xbd\x24\x97\xe2\x3c\x84\x95\xbb\xc9\x44\x03\xa7\xcb\xa7\x51\x20\xbc\xaa\x83\x2d\xd5\x3a\xee\x8e\xa1\xa6\x6a\x79\xdb\xba\xf3\xf0\xe2\x32\x10\xa9\x00\x05\x9d\xf2\xdd\xac\xa7\x12\x5b\xd9\x0e\xb9\x1f\xa2\xc9\xc8\x10\x9e\xb6\x25\x52\xe9\x0a\x21\x9e\xf9\x66\xdc\xaa\x59\x4c\x33\xa1\xe6\x23\xbc\x0d\x18\xfe\x1d\xb9\x7c\x9e\xb7\xbe\xab\x52\xef\x03\xc2\x1b\xf7\xe6\x14\x49\x52\x66\x87", 123); *(uint32_t*)0x200000000374 = 0x10; *(uint32_t*)0x200000000378 = 0x80000000; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint32_t*)0x2000000003d8 = 0x3c; *(uint32_t*)0x2000000003dc = 0xc; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x2000000003c0ul); if (res != -1) r[2] = *(uint64_t*)0x200000000380; break; case 9: *(uint32_t*)0x200000000500 = 0xf; *(uint32_t*)0x200000000504 = 7; *(uint64_t*)0x200000000508 = 0x200000000480; *(uint64_t*)0x200000000480 = r[2]; *(uint32_t*)0x200000000488 = 0x77; *(uint64_t*)0x20000000048c = 0x200000000400; memcpy((void*)0x200000000400, "\x8e\x46\x8e\x19\xaa\xb0\x47\xd4\xe0\x0e\x0e\xd7\xfa\xe1\x83\x0e\x8e\xaa\x0f\x74\xbf\x5f\x1a\x07\x1c\x66\xa6\xcd\x46\x19\x7d\x7c\x22\xaa\x47\x14\x7d\x72\x3b\xee\x80\x23\x8f\xd9\xe2\x75\xb5\xc9\xac\x9c\x89\x79\xf6\xfc\xbd\x06\x8a\xcc\x94\x69\xf5\x61\xdb\x80\x6a\x72\x0d\x53\xb1\xdc\x48\x32\x0b\x36\x5b\xad\x54\xf0\x4e\x1a\xcd\x0a\xd4\x08\x62\x61\x8d\x0e\x89\x53\xcd\x02\x02\x16\x9e\x15\x49\x39\x2b\xb2\xed\xd0\x7d\x80\xfd\x37\xfc\xe2\xf6\xf8\x48\x01\x3f\x38\x38\x53\x95\x19\x06", 119); *(uint64_t*)0x200000000510 = 0x2000000004c0; *(uint32_t*)0x200000000518 = 0x14; *(uint32_t*)0x20000000051c = 4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 7, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 3, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memset((void*)0x200000000050, 255, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 9, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 3, 4, 12); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0, 0, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0x7ffe, 1, 15); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 4, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 6, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 1, 5); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 7, 1); *(uint8_t*)0x20000000005c = 8; *(uint8_t*)0x20000000005d = 2; *(uint8_t*)0x20000000005e = 0x11; *(uint8_t*)0x20000000005f = 0; *(uint8_t*)0x200000000060 = 0; *(uint8_t*)0x200000000061 = 1; *(uint8_t*)0x200000000062 = 8; *(uint8_t*)0x200000000063 = 2; *(uint8_t*)0x200000000064 = 0x11; *(uint8_t*)0x200000000065 = 0; *(uint8_t*)0x200000000066 = 0; *(uint8_t*)0x200000000067 = 1; *(uint16_t*)0x200000000068 = 0x70; memcpy((void*)0x20000000006a, "\x38\x74\x97\xa6\x98\x41\xa2\xe5\x28\xb4\xf2\x99\x12\xf3\xdd\x10\xb5\x0b\xa5\xa1\xe1\x70\xcc\x5b\x6d\x1c\x7a\x78\xf5\x7a\x5e\x0f\xcc\x9b\x2e\x9a\x5e\x87\xd2\x55\x16\x58\x0e\xa1\xf2\x23\xf1\x31\x7f\x86\xec\xc3\x91\x17\xcf\x0e\x53\x5c\x2e\x2b\xef\xcf\x11\xff\x81\x99\x9d\x1b\x87\xd9\xb1\x98\xc8\x03\xd7\x2a\xd7\x24\xe9\x4c\x78\x3c\xca\xc7\x76\x3a\xd3\x4e\x6f\x74\x91\xb3\x63\x7c\xe2\xf4\x66\x77\xa7\x61\x28\x73\xed\x0a\x3f\xb6\x4c\x0b\x3d\x78\x50\x3b", 112); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x9c); break; case 11: memcpy((void*)0x200000000100, "wlan1\000", 6); memset((void*)0x200000000140, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000100, /*ssid=*/0x200000000140, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000180, "bpf_lsm_path_link\000", 18); syz_btf_id_by_name(/*name=*/0x200000000180); break; case 13: memcpy((void*)0x2000000001c0, "\x49\x98\xde\x6d\x85\xea\x9e\x09\x84\x15\x17\xb6\x1c\xe2\x2a\x88", 16); memcpy((void*)0x200000000280, "\xb9\x66\x2d\x10\x0f\x99\xf4\xe9\x1d\x1d\xe2\xc9\x80\xce\x45\x99\x94\xb0\x46\xbf\xe0\x6b\x9a\x28\xc6\x0d\xea\x96\x80\xab\x4b\xcc\x3f\x5d\x33\x97\xa5\xa2\x51\xd7\xba\x76\x93\xb7\xeb\x37\x17\x7d\x03\x0a\x2b\x3f\xce\x8a\x23\x2e\x5b\x03\xf1\x0a\x94\x80\x52\xee\x90\x7f\xb3\x2f\x57\x5b\x23\x10\xfa\xe9\x91\x07\xf9\x5c\xca\xb7\x14\x72\x2f\x59\xec\xdb", 86); res = -1; res = syz_clone(/*flags=CLONE_NEWNET*/0x40000000, /*stack=*/0x2000000001c0, /*stack_len=*/0x10, /*parentid=*/0x200000000200, /*childtid=*/0x200000000240, /*tls=*/0x200000000280); if (res != -1) r[3] = res; break; case 14: memcpy((void*)0x200000000540, "./cgroup.net/syz1\000", 18); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000540ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000580 = 0x200; *(uint64_t*)0x200000000588 = 0x200000000300; *(uint64_t*)0x200000000590 = 0x200000000340; *(uint64_t*)0x200000000598 = 0x200000000380; *(uint32_t*)0x2000000005a0 = 0x22; *(uint64_t*)0x2000000005a8 = 0x2000000003c0; *(uint64_t*)0x2000000005b0 = 0xb3; *(uint64_t*)0x2000000005b8 = 0x200000000480; *(uint64_t*)0x2000000005c0 = 0x200000000500; *(uint32_t*)0x200000000500 = r[3]; *(uint64_t*)0x2000000005c8 = 1; *(uint32_t*)0x2000000005d0 = r[4]; res = -1; res = syz_clone3(/*args=*/0x200000000580, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000340; r[7] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000600, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000600); break; case 17: *(uint32_t*)0x200000002fc0 = 0x8001; *(uint32_t*)0x200000002fc4 = 0xee00; *(uint32_t*)0x200000002fc8 = 0xee00; *(uint32_t*)0x200000002fcc = 0xdaf9; *(uint32_t*)0x200000002fd0 = 0xd56; *(uint32_t*)0x200000002fd4 = 6; *(uint16_t*)0x200000002fd8 = 7; *(uint64_t*)0x200000002fe0 = 0x200000002f40; *(uint8_t*)0x200000002f40 = 6; *(uint64_t*)0x200000002fe8 = 0x200000002f80; *(uint8_t*)0x200000002f80 = 8; *(uint64_t*)0x200000002ff0 = 9; *(uint64_t*)0x200000002ff8 = 3; *(uint64_t*)0x200000003000 = 6; *(uint64_t*)0x200000003008 = 7; *(uint64_t*)0x200000003010 = 0x101; *(uint16_t*)0x200000003018 = 9; *(uint16_t*)0x20000000301a = 3; *(uint16_t*)0x20000000301c = 7; *(uint32_t*)0x200000003020 = r[6]; *(uint32_t*)0x200000003024 = 0; res = syscall(__NR_msgctl, /*msqid=*/0xab1, /*cmd=*/0xbul, /*buf=*/0x200000002fc0ul); if (res != -1) r[8] = *(uint32_t*)0x200000002fc4; break; case 18: memcpy((void*)0x200000003040, "./file0\000", 8); *(uint64_t*)0x200000003080 = 0xfffffffffffffffb; *(uint64_t*)0x200000003088 = 2; *(uint64_t*)0x200000003090 = 1; *(uint32_t*)0x200000003098 = 7; *(uint32_t*)0x20000000309c = 0xee01; *(uint32_t*)0x2000000030a0 = -1; *(uint32_t*)0x2000000030a4 = 0; *(uint64_t*)0x2000000030a8 = 0x74ff; *(uint64_t*)0x2000000030b0 = 4; *(uint64_t*)0x2000000030b8 = 9; *(uint64_t*)0x2000000030c0 = 5; *(uint64_t*)0x2000000030c8 = 0xc50; *(uint64_t*)0x2000000030d0 = 3; *(uint64_t*)0x2000000030d8 = 0xd; *(uint64_t*)0x2000000030e0 = 5; *(uint64_t*)0x2000000030e8 = 0x1650; *(uint64_t*)0x2000000030f0 = 4; memset((void*)0x2000000030f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000003040ul, /*statbuf=*/0x200000003080ul); if (res != -1) r[9] = *(uint32_t*)0x2000000030a0; break; case 19: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000031c0ul); if (res != -1) r[10] = *(uint32_t*)0x2000000031d8; break; case 20: *(uint32_t*)0x200000003500 = 6; *(uint32_t*)0x200000003504 = 0xee01; *(uint32_t*)0x200000003508 = -1; *(uint32_t*)0x20000000350c = 0xe; *(uint32_t*)0x200000003510 = 0x101; *(uint32_t*)0x200000003514 = 0xf1; *(uint16_t*)0x200000003518 = 0x40; *(uint32_t*)0x20000000351c = 0x287c; *(uint64_t*)0x200000003520 = 0x6a1a; *(uint64_t*)0x200000003528 = 2; *(uint64_t*)0x200000003530 = 9; *(uint32_t*)0x200000003538 = r[3]; *(uint32_t*)0x20000000353c = r[6]; *(uint16_t*)0x200000003540 = 0; *(uint16_t*)0x200000003542 = 0; *(uint64_t*)0x200000003548 = 0x2000000033c0; memcpy((void*)0x2000000033c0, "\x05\x69\x76\xa5\x86\x33\x69\x6b\x63\x36\x7a\x4c\xb4\x88\xb1\x6c\xe8\x5e\x89\x94\x3e\x5f\x09\x28\xec\x40\xd6\xd8\x93\x80\x7f\xa6\xc4\x4c\x5d\x38\xda\xab\x11\x84\x33\xa7\xe8\xf1\xc4\x6e\x1f\x06\x0f\x28\x16\x5f\x41\xad\xb8\xe6\x79\xcd\x9e\x46\xac\x38\x47\x74\xe5\x6b\xca\x18\x80\xa6\x90\xfc\x3f\x8e\xd5\xf1\x24\xdd\x98\x46\x7a\x33\xbb\x40\xcf\x19\x1c\xfb\xb9\x59\x0f\x59\x17\x9b\xb6\x11\xcc\xe7\x89\x22\x59\x22\xa0\xef\x4f\x22\x86\xf8\x7f\x84\x72\x14\xfe\x25\x61\x8b\x98\x9a\x05\x01\xe7\xec\xa7\x17\x0a\x39\x13\xbc\x68\xb4\x53\x99\x66\xe2\x89\xff\x94\xac\x31\xe8\x82\x36\x68\xbd\x04\x99\xd0\x9b\x05\x5c\x41\x41\x0b\xa2\xf2\x10\x1a\xba\xf7\x15\x53\x99\xf9\x7e\xe9\x24\xe9\x27\x7e\x6f\x54\x81\x9f\x12\xfe\xf3\xc5\x76\x93\x78\xb3\x44\xb6\xff\x64\x09\xed\xc5\x78\xc6\xc9\x3a\xcc\xb0\xf0\x8a\x5d\x8f\xfc\xab\x30\xcd\xbd\x71\x3d\x1b\x93\xee\x7b\x8e\xef\xdf\x77\xea", 214); *(uint64_t*)0x200000003550 = 0x2000000034c0; memcpy((void*)0x2000000034c0, "\x02\x0c\x5a\x2a\xf3", 5); res = syscall(__NR_shmctl, /*shmid=*/0x81, /*cmd=*/2ul, /*buf=*/0x200000003500ul); if (res != -1) r[11] = *(uint32_t*)0x200000003504; break; case 21: *(uint32_t*)0x200000004640 = 0x35cdee94; *(uint32_t*)0x200000004644 = 0; *(uint32_t*)0x200000004648 = -1; *(uint32_t*)0x20000000464c = 3; *(uint32_t*)0x200000004650 = 6; *(uint32_t*)0x200000004654 = 2; *(uint16_t*)0x200000004658 = 0x80; *(uint32_t*)0x20000000465c = 3; *(uint64_t*)0x200000004660 = 8; *(uint64_t*)0x200000004668 = 0x7ff; *(uint64_t*)0x200000004670 = 1; *(uint32_t*)0x200000004678 = r[7]; *(uint32_t*)0x20000000467c = r[5]; *(uint16_t*)0x200000004680 = 9; *(uint16_t*)0x200000004682 = 0; *(uint64_t*)0x200000004688 = 0x200000003580; memcpy((void*)0x200000003580, "\xcd\x05\x2c\x20\x6f\x36\x8b\x4a\x7d\x16\xe2\x8c\xd3\x6b\x1e\xa6\xd1\x0d\xab\x70\x17\xb7\xd0\x85\xea\x27\xb3\xe3\x38\x9d\x76\x0d\x22\x77\xe2\x0f\xeb\xc6\x86\xf3\x59\xd6\x08\x3a\x62\x9e\x79\x81\x08\x9e\x04\x19\xc7\xb5\x62\xdb\xbd\xc2\xe6\x7c\x1e\x95\x10\x4a\x39\x05\x49\xc9\x37\x1a\x43\x45\xf2\xaa\x7d\x84\x58\x09\x4c\x60\x75\xb8\x4d\x11\x48\x6d\x27\xbf\x68\x23\x3b\xb4\x57\xeb\x10\x6b\xab\x49\xa3\xfa\xd2\x99\xb5\x90\x02\x5e\x4f\xb5\xe4\x3c\x71\x2a\xd8\x91\xf3\x91\x38\xbd\xb9\x22\xea\x9d\x21\xb7\xcf\xc7\xc3\x43\xf9\xa2\x14\x96\xc6\x69\x22\xca\xb8\xe6\x65\x35\x33\x7a\x89\xa7\x17\xc3\x54\xbf\x18\x46\xb5\x06\xc2\x34\xa3\x09\x3d\x72\x8c\x6b\xaf\x27\x2a\x6f\xa5\x15\x3d\xc0\x39\xf8\x7e\x0a\x36\x74\x4e\x1f\x80\xf2\xaa\xc0\x30\xe2\xf8\xae\x6a\x7d\xbc\xd3\xf1\x7b\xc6\x8a\xd0\xb6\x1c\xe3\x12\x12\xc4\x6e\xdd\x61\x5d\x57\x1b\x33\x8e\x22\xc0\xed\x5d\x26\xf7\xbb\x2f\x36\x5e\xcb\x2c\x43\x26\x47\xa7\xc6\xd7\x75\xb0\xe4\x1d\xb9\x28\xf9\xe7\xb2\xaf\x72\xd6\x90\xac\xf8\xb2\xad\x8c\x2e\x00\x05\x05\xb6\x95\x2c\x4a\xb9\xe2\xa8\xec\xd0\x7d\xe4\x4b\x2b\x48\xaf\x7b\x89\x46\x96\xae\x56\x7b\x6d\xd0\xa1\xf9\x9b\x00\x7a\x8f\xcf\x41\xdb\x20\x82\x7f\x58\x32\x5a\x9e\x88\x12\x35\x44\x25\xbd\xcc\x3f\x81\xf2\xd3\x86\x3d\x77\x77\xfd\x80\x36\x0e\xb8\xb9\xe7\x7e\x47\x05\x9a\x1d\x22\x65\x73\x3c\x4a\x8a\x06\x3b\x45\xed\x0b\x8c\x24\x81\xe1\xcd\xea\xfd\xdc\x5f\x42\xc9\x31\xb3\xd3\xe7\x10\xe4\x53\x8b\xba\xd8\x15\x47\x9c\xd9\xaf\xdc\x5c\xb4\x47\x23\x02\x6c\x4b\xc0\x06\xe2\x56\xf6\xf4\x27\x04\x2c\x67\x65\xa3\xb2\x53\xe9\x35\x6c\xa1\xce\x45\xd9\xd8\x3d\x5e\x11\x19\x28\xb4\x7a\x8a\xb8\x42\x2b\x37\xe8\xc3\x82\x43\x68\x62\xc9\x44\xe0\x8e\xbb\xad\xd1\xa3\x36\x86\x21\x9a\xb8\xcf\x99\x5c\x12\xa7\xab\x70\x85\xa7\x9a\x7d\x1e\xc3\xc6\xcd\x73\xa4\x43\xcf\xce\xac\xba\xca\x1d\x7f\xc0\xcf\x34\xd5\x8c\x92\x77\x88\x1f\x98\x37\x46\xff\x62\xfe\x41\xd0\xf4\xf7\xa1\x2f\xf4\x4f\x4b\xa5\xbf\x7d\x89\x35\xbf\x09\xa8\x8a\xd9\x8e\xa8\xa9\x12\x4d\xe1\x78\xc2\x8a\xcd\xf1\xba\x1a\x97\x34\xd6\xc2\x25\xda\x59\x1c\x22\x9d\x31\x3f\xcb\xda\x81\x0b\x0f\x10\x57\xb0\x73\x0a\x95\x72\xa8\x07\x75\x8d\xef\xb5\x79\xdb\x3a\xd0\x21\xac\x31\x6f\xb7\x44\xa1\x58\x2c\x16\x25\x6e\xa1\xc6\xbf\xa2\x6c\x73\xaf\x1e\x2b\x6c\x4b\x8e\x7e\xf3\x29\xe7\xca\xd7\xdb\x91\x79\x9d\xc0\x44\xae\xcc\xe5\xf0\x6e\x80\x3a\x4d\x85\xbc\xf5\xf4\x5d\xc0\x15\xd1\x3e\x3f\x2c\x18\x92\x09\x9e\xe6\x53\x77\x7c\xa5\xf6\xc9\x2e\x41\xf4\xe3\x0b\xa3\x0f\x83\x27\x03\xdf\x08\xa4\x16\x75\x2b\x83\x1b\x46\xc5\x65\x63\x82\x0f\xce\x5e\xd3\x42\x1e\x9b\x2e\xd0\xa1\x9c\x64\xe9\xb2\xbb\x80\x81\xea\x08\x25\x5f\xda\xd2\xf2\x35\xe7\xba\xc6\x8f\x94\x6b\x34\x27\xa4\x4a\x75\x8e\x78\xda\xdd\x8e\x42\xa9\x09\xa7\x78\x51\xbf\x66\xb0\x1e\x42\x7c\x2f\xed\x94\xff\xee\x1d\x65\xe2\x17\x53\xb3\x9b\xce\x8d\xaa\xc6\xd6\xf1\x16\x96\xe0\x03\xa5\xf3\xc2\x1b\xf9\xd1\xcb\xf4\xbd\xb8\xf3\xcf\x5a\xe5\x42\xfe\x7b\x25\x5f\xb5\xae\x7b\x18\x4f\xb5\x9d\xb7\x35\x50\xd2\x93\x25\x42\x77\xb4\xf9\x4a\x71\xc9\x3a\x90\x9b\xbb\xfa\xf3\xdf\x95\xc3\xe7\xc4\x17\x0f\xe8\xb9\x1f\x9e\xcb\x86\x73\xcb\x54\x92\x75\x0e\xdf\x45\xc7\x6a\x20\xd9\x4e\x21\xb0\xd3\x61\x4d\x3a\x99\xf7\xc9\xe3\x97\x8f\xaf\x09\xe0\x67\xf6\x49\x26\x20\x4c\xd0\x90\xa9\xf1\x15\xcb\xe7\xf7\x27\xf5\x80\x99\x76\xaa\xbd\x33\x7e\x8b\x2a\xee\x42\xa9\xbf\x68\xe2\xfc\xcd\x41\x52\xb3\xd9\x83\x11\x49\xd4\x0c\x75\x46\x9f\xd9\xb0\x3f\xe1\x86\x0d\xc1\x92\x0a\xc7\xd8\x69\xed\x88\xd4\x14\x8c\xb7\x46\xf5\xeb\x32\xa2\x76\x1e\xed\x44\x73\xc5\x43\x15\xd0\xd9\x10\x44\xb6\x2a\x14\x53\x7c\x82\x5c\x8c\xf5\x78\xfb\xd6\x8c\xf8\x74\x8d\x67\x72\x2e\x27\xb8\x1f\x9f\xbc\xc1\x32\x71\xc2\x33\x35\x05\x7c\xab\xce\xd8\x62\x12\x5f\x76\x4f\x53\x21\xf5\x96\x43\x51\x43\x92\xb7\x2e\x2d\xe3\x2b\x1a\x54\xe4\x09\x6e\xf7\x3d\x06\x92\xec\x6a\x36\x5c\x03\x5d\x0c\xbf\xdf\x77\xac\x65\x0e\x7d\xe4\xc3\xdc\xc5\xa2\xf6\x0c\x4e\x08\x53\x6e\x75\xcc\xd8\x1a\x41\x42\x5a\x1d\xe4\x4e\xa2\x75\xba\xaa\x2a\x7c\xd1\x6e\xf6\x4b\x41\xcc\x71\xf8\x56\x86\x12\x17\xbf\x24\x3e\x8f\x61\xc8\x99\xf5\x6f\x4c\x64\xe1\x16\xe0\xbb\x02\x09\x86\xec\xa1\xf2\xa0\xd8\xfe\x1a\xb5\x13\x0b\x63\x9a\x7d\xb4\x1b\x54\xfd\x26\x2a\xc8\x58\x45\x2a\x2c\x79\xd8\x2d\x99\xae\x59\x79\x57\x17\x01\xdb\xb3\x0f\xc7\xae\xdf\x23\x7d\xc7\x85\xbe\xa7\x57\x6e\xde\x6c\xfe\x60\xc5\x3d\x88\xdb\x5e\x7d\xb5\x9b\x32\x14\xc8\xe7\xf0\x81\xa6\x1d\x3b\x69\x9e\xeb\x80\x2e\x6e\xf4\xe2\x98\xb8\x7a\xb2\x2a\x20\xbb\x1f\x3e\x8e\x4f\x7f\xe5\x6c\x31\x8d\x4b\xfa\x3e\xb3\x12\xb9\xf3\xe7\x59\x57\xbf\x62\x64\x7e\x30\x9c\xa0\xa5\xf6\x69\xcd\xed\xb2\xc3\x09\xaa\x72\x45\xcc\x83\x20\x77\xf6\x41\xb2\xce\xce\x61\x4f\x09\x38\xec\x1d\x45\x66\x00\xfa\x30\x06\x4f\x24\x9e\x2f\x8e\xfb\xac\xbd\x9d\x2e\xb9\x0e\x99\xfc\x09\x38\xed\xca\x24\x92\x4e\xda\xed\x9f\xbc\x50\xb1\x29\x2e\x64\x75\xa5\xb4\xf3\x8b\xfd\x37\x94\x01\xee\xda\x87\xb2\xd1\x7d\xe0\x3c\xeb\x23\xd7\x88\xdb\x69\xb5\x48\xae\x24\x56\x98\x9b\x8a\x51\x89\xd3\x80\x02\x03\x89\x0e\xb9\xa0\x49\x1a\x20\xf4\x46\x03\xc8\x81\xff\xb0\x64\x7e\x7f\xf2\x91\x13\x9e\x80\xa5\xc4\x6a\xeb\x43\x22\xe5\x93\x56\xd9\xfb\x1e\x6d\xd3\xdf\xfe\xfd\x4d\xf3\xe3\x5e\xac\x72\xf2\x92\x17\x74\x77\x1b\x8e\x28\x8a\xdb\x81\x8c\x85\x60\x55\x4a\x7a\xe3\x64\x7a\xe4\x9b\xaa\x80\x77\x6b\x74\x7a\xbc\x82\xdc\xf9\xe4\x08\xe8\xfd\x14\x47\x2d\x3a\x5d\x7e\xe0\x14\xa7\xba\x43\x74\x30\x6a\x6e\xad\xe2\xdf\x58\x03\x89\xca\xd9\xf5\x48\xbc\x42\x76\x9b\x27\xc8\xc4\xae\xfd\xdb\xea\x9c\x3d\x89\xd9\x96\x05\x51\xcf\xcb\xfe\x37\xc2\x14\xcb\x5f\xb3\x1d\x98\x35\xf1\xf8\xa8\x85\x7e\x53\xb3\x6e\x91\xbf\xe3\xa2\xe3\x55\x9d\x38\x38\x05\x0a\xfd\x13\xbf\xc6\x92\x45\x87\xc8\xd2\x2c\x21\xc2\xdf\x3c\xb2\xa0\xe0\x6f\x01\xf2\x31\x03\xc4\xb6\x95\x5a\x98\x5a\x7b\x26\x34\x7a\x6a\x9d\x17\x8e\x83\x5e\x77\x53\x65\xd4\x1f\xe3\x44\x3a\xe7\x99\x70\xda\xc3\x82\xa3\x2a\x59\x7c\x3d\x56\x7d\x05\x11\xb5\xdc\xdb\x4e\xbd\x12\x71\xdb\x6e\x67\x5a\x4f\x34\x3f\x95\x01\xf1\x0a\xb4\x72\x37\x38\xbe\xbb\x63\x66\x24\x1c\xd6\x02\x67\x3f\xf9\xc7\x69\x12\xde\x61\x41\xc5\xcd\x4f\x2e\xf9\x5e\x7e\xfd\x66\xdd\x51\xb5\x65\xdd\x50\x03\x5f\x8f\x7e\x86\xb5\x76\xd5\x12\x94\x81\xae\x75\xf7\xa9\xb7\xcf\x03\x3a\x40\x25\x02\xd5\xd1\xb5\xaa\x41\x15\xba\x1b\x84\xf7\xf2\xcc\x28\x4e\x3f\x63\x6a\x23\x4f\x40\xe0\xaa\x11\x8c\x8f\x9d\x0c\xe6\xfb\x7e\xe6\x13\xcc\x2f\x1c\xc7\xec\xc2\xe2\x64\xb2\x57\x3a\xc3\xdc\x26\x4a\xaa\x27\x64\x3a\x48\x3a\x1c\xb3\x8e\x2b\x02\x37\x77\x5e\xca\xed\x62\x6f\x7c\xb8\x9b\xc5\x63\x49\x2f\xfe\x1e\x5a\xe6\x40\x1c\xd8\x2a\x9a\xd0\xfb\xc3\x2f\x7b\x5b\xd3\x02\x9b\xda\xb7\x2a\x8d\x47\xf3\x4b\x37\x01\x1e\x9f\xba\x52\x07\x5a\x56\xb8\x9f\x29\x63\xed\xca\x79\x69\x30\xa4\x99\x8c\x75\x5d\xa0\xd2\x51\xda\x98\x5a\x18\x29\xcd\x10\xce\x76\x65\xd2\xb3\x64\x77\x6b\xd6\xc7\x6e\xf9\x97\x8f\x80\x0b\x45\x3f\xa7\xc2\x70\x48\x38\xdd\xe0\x5f\x2f\x64\x89\xf3\x1e\x35\xf6\xd7\x31\xc2\x67\x8f\x32\x85\x07\x0f\x29\x7c\xb3\xbc\x03\xc0\xa0\x12\xb2\x2f\xca\x31\x29\x55\x76\xac\xc3\xe6\x79\xbb\xcb\xa5\xfc\xeb\x7e\xe7\x69\x27\x49\xfc\xc5\x84\x95\x61\x4e\xb4\xa7\xf3\xa1\xfa\x7f\x21\xa6\x55\x17\x2d\xa2\x8c\xa9\x16\x29\x2d\xc7\x48\x48\x34\xc3\x1a\x3e\x5f\x54\x91\x2f\x10\x27\x1d\x58\x67\xe5\x7b\xc4\x64\x66\xd7\x81\xbb\xb5\x02\xef\x32\xed\x8b\x2b\x44\x52\xa5\x8e\x21\x2e\x7d\xb8\xae\xe5\x73\xdc\x62\x52\x14\x2e\xc5\xbf\x26\x83\xde\xd9\xa5\x8b\x60\xcf\x78\x83\xef\x04\xbd\x50\x2e\x3d\xf2\xd6\x21\xbe\xc0\xe7\xfc\xaf\x67\x26\xe8\x4f\xb1\xc6\x95\x37\x22\xc7\xb8\x52\x3d\x4c\xb6\xe4\xb5\x5b\xc3\xd1\x96\xc7\x93\xc4\x48\x58\x81\x4b\x02\x9e\xb2\x3e\x8f\x80\xb6\x6a\xef\xdd\x8b\xe2\x15\x41\x22\x86\x08\x85\x2f\xc3\x54\xf7\x56\x05\xae\xef\xb8\x28\x97\x1d\xef\xa6\x8e\x28\xcd\xc6\x94\xb2\x4f\x2f\x46\x1c\x70\x7d\x27\xb9\x8d\xa4\x00\x0f\x9c\x82\x3e\xbb\x33\x84\xc5\x0d\x6e\x41\xe5\xdd\xaa\x60\x1b\x69\x6f\x41\xa9\xba\x4f\xee\xe0\x88\x52\x87\x4b\xf0\xe3\x1d\x20\x15\x28\x95\xe1\xda\x84\xa9\x4d\x52\x9a\x19\x4b\xe5\x3a\x88\x63\x04\xe7\xe3\x60\xa6\xa4\x0d\x2d\x40\x74\x90\x5b\xbf\xd0\x6e\x37\x13\x37\x5b\x31\xbc\xca\x23\xf4\xdb\x67\xda\x9b\xf6\x92\x0a\x5b\xb4\x48\x85\xdc\xc3\x08\x6c\xa7\x89\x5c\x10\x69\xdd\x35\xf1\x89\xe5\x7c\xe6\x0f\x8e\x0b\x0b\x5d\x33\x7b\xd6\x69\xd3\xde\xac\x1f\x01\x15\x57\x0a\x5f\xa6\x50\x5f\xac\x83\xc6\x21\xc4\x6f\x69\x3d\x84\xdc\x77\xe2\x14\x8e\x88\x7a\x82\x2d\x86\xc8\xc0\xff\x4c\x00\x48\x5c\x7f\x37\xa5\x19\x8c\x69\xc8\x81\xc1\x58\xb7\x44\xfd\x09\xcc\x76\xc0\x57\x4f\x4a\xca\xad\x64\x62\x04\x55\x27\x74\xe9\x8e\x17\xc3\x99\x8e\x34\xe7\x56\x28\xda\x26\x30\xa5\x31\xcf\xe9\x27\xd3\xc5\x5e\xf0\x2d\xf3\x37\x7e\xab\x25\x14\x35\x89\xa5\x0a\x07\xa3\x29\x06\xe7\x14\xea\x42\x58\x4b\x3d\x69\xd7\xdd\xda\x2f\xc0\xfa\x48\x6a\x0e\x93\xba\xf7\x8f\xf1\xb3\x5d\x98\xc0\x82\x38\x41\x23\x0a\x26\xb5\x21\x20\xa4\x45\x11\x5a\xdb\x78\xd8\xfd\x99\xb7\x1a\xb8\x6b\xd2\x7a\xae\xcd\x16\x59\xe8\x9f\x99\xef\xa5\x4f\x87\x64\xc2\xf4\xbc\x01\x97\x5a\xce\x6f\x35\xd2\x7c\x2d\x18\xc7\x13\xa9\x94\x71\x79\x21\x18\x19\xdc\x42\xf7\xcf\x3f\xe6\xb5\x46\x67\x4f\x14\x46\xf0\xc8\x1a\xa0\x82\x77\xec\x6b\x14\x0e\x14\xb6\xe4\x36\x07\x82\xbd\x17\xd0\x32\x55\x20\x8c\xac\x91\x7a\x5f\x8a\xc0\x3e\x6e\x8d\x13\xd0\xe6\x2d\x11\xbf\x55\xd0\x0b\x3f\x8f\x1e\x80\xb8\x55\x1b\xd7\xb6\x5b\x62\x84\xd1\x56\x6c\xdf\xdf\x43\x07\xa5\xee\x5c\xe8\xbd\xd6\xfd\x04\xa3\xed\xb4\x87\x1b\xa9\x7a\xa0\x1d\x67\x3a\xf3\x37\x69\x8f\x0a\xda\x53\xca\xb9\xbd\xf9\xf6\x31\xd0\xcc\xb7\x61\x7f\xf1\x3e\x0a\x3b\x37\x85\xed\x26\xdb\x72\x2e\x16\x32\x71\xb1\xf5\xe4\x69\x00\x05\x24\x94\x27\xbd\x44\x36\x2c\x66\x31\x15\x72\x86\xdb\xe4\xac\x19\x62\x0b\x55\xa6\x4f\xa6\x95\x8f\xe3\x2f\xf1\x3b\x1a\xdd\xfd\x7f\x56\xa1\x6f\x79\xda\xf4\xe9\x27\x87\x27\x57\x8d\x01\x54\x11\x8f\xe5\x91\xa0\xd8\x9a\xf0\x7d\x8b\xc3\x58\x2c\xf5\x1a\x01\x76\x6d\x9c\x9e\xe3\xf8\xf8\x0b\x58\xe8\x6f\xdf\xbb\x47\x70\xe6\xcf\x25\x54\xb0\xd9\xe0\x76\x99\x28\xc4\xa2\xf3\x83\xaa\xa5\x25\xdd\xf4\x73\x4f\x4c\xb1\x99\x96\xbe\x80\xb4\xc9\x1f\x91\xbb\xca\x60\x94\xab\x91\x0b\x66\x52\x41\xe2\x9b\x3d\x48\x78\x4f\x80\xd3\x2d\x21\x61\x34\x7d\x2b\xfd\x79\x1a\x66\xc6\xe8\x24\xf2\x30\x8b\x07\xf7\x67\x25\x0d\x11\x62\x6d\xbd\xcc\x96\x13\x68\x3e\x46\xcd\xc9\x90\x3a\xa0\x84\x88\x03\xb4\xa3\xdf\xb1\xfc\x9b\x35\x0d\x47\x16\x4e\xc5\x9d\xb3\x65\x1e\x1f\x5f\x9a\x5c\xc1\xad\x48\x46\x54\xac\x3a\x7f\x01\x3b\xad\xb6\xa0\xab\x87\xef\xfa\xff\xd5\x26\xa5\x3b\xea\xd6\x59\xa1\x5d\xc2\xfd\x63\x1d\xcd\x84\x3e\xc3\x41\x80\x4a\x56\x3d\x06\xff\x6c\x56\x31\xdd\xa5\x04\x4b\x9a\x99\xdc\x77\xbc\x4a\x4f\xe3\x26\x79\x8d\x67\x2d\x45\x07\x27\xe8\x1e\x49\x15\x33\xe6\xa2\x11\x21\xe3\xb8\xe5\xcd\xe3\x5f\xb8\x4e\x74\xfe\x50\x11\x89\x62\x35\xfe\x05\xf3\x35\xbf\x12\xe3\x17\x24\x01\x91\xe7\x42\xdf\x94\x38\x75\x29\x84\xfb\xc6\x97\xa5\x3b\x39\x50\xe2\x6b\x3d\xa9\x03\x1d\xc2\x34\xe8\x43\x32\x6d\x04\xfe\x09\x6b\x1c\x89\xce\x93\xbc\x6c\x5a\x60\xd7\xe6\xf0\xc5\xe8\x43\x8f\xd1\x0f\xa6\x6b\x3e\xef\x5d\xf7\x9a\x3d\xf5\x15\x24\x5e\x2f\x37\x0b\x91\x3b\x93\x33\x87\x59\x06\x01\x54\x60\x28\x3f\x87\x3b\x82\xb7\x91\xfb\x4d\xb7\x1a\xa4\xf5\x7d\x81\x82\xbd\x91\x46\x13\xba\x4d\x85\xf2\x49\x0b\xb9\xbf\xc6\x94\x0c\x5c\x49\x86\xc5\x44\x30\x8c\x3a\xc2\x2b\x79\x5f\xcb\x0b\x5a\x06\x2d\x3a\x15\xae\x30\xf6\xb7\xac\x27\x1b\xf9\xaa\xc4\xbd\xcd\x94\x9a\xae\xe1\xd7\xbd\xc8\x89\x5e\xea\x12\xda\xea\x16\x18\x5d\x86\x9d\x6c\xbd\x97\x1c\xcf\x16\xe4\xda\x5d\x70\x37\x64\x37\xa2\x0b\x6e\xa6\xc3\x5c\x50\x7e\xae\xe0\xa0\x22\x1c\x70\x52\x7d\x69\xc5\x7e\xb3\x55\x1c\x61\x73\x20\xed\x3f\x81\x7e\xe2\xa6\x99\x88\x12\x09\x64\xb3\x31\x13\x74\x06\xdd\xe2\x02\xc2\x43\xa9\x1a\x0d\x81\x0d\x16\x13\xac\x87\x09\xb2\x6a\x0e\xcc\xdd\xd7\xfc\x75\xa0\xd8\x18\x27\x6c\xb4\x95\x3b\xb8\x05\x76\x26\xf2\x3b\x72\x1d\x60\x73\xd7\x65\x86\x39\x7a\x8f\x05\xd0\x60\xd4\xe2\xdf\xcf\x14\xde\x48\xfa\xda\xae\x6e\xcb\xd5\xfb\xfe\x95\x8a\x2f\x93\x1c\x53\x1e\xa3\x25\x18\x2e\xd2\x98\x72\xa3\xdf\xec\x46\x90\x74\xbc\xda\xbb\x2a\x1a\x13\xfe\x24\x66\x7e\xfa\xaa\x26\xc5\x05\x19\xaa\x93\x35\xd3\x06\xfd\x23\x37\x99\x39\x74\x3a\x10\xac\x90\xd3\x17\x1b\x3b\xd0\x6a\x5b\x46\x3a\xd1\xb6\x12\xef\x3d\x54\xf5\x3f\xdd\xff\x55\xa8\xea\xef\x0b\x6f\x78\x77\x9d\x94\x8f\x7a\xa4\x59\x8a\x1d\xcf\x72\x6a\xaa\x45\xb9\x9d\xa0\xbc\xa1\x96\x81\x2f\x9c\x59\x98\x60\x84\x89\xe8\x0d\xde\xf1\x3a\x4b\x8e\xb0\x30\xc7\x17\x42\xc3\x04\x66\x5e\x15\xa9\xf5\x6a\x77\x67\x9e\x7c\x4d\x70\xaa\x84\xa5\x34\x66\xbc\x5f\x50\xd5\x5a\x67\x6e\xae\x3c\xdf\x86\x29\x36\xc8\xb2\xf3\x45\x1e\x21\x87\xb7\xae\x8a\xe1\x44\x6e\x09\x01\x42\xcb\x89\xe4\xee\x09\xe4\x0c\xd4\xa0\xfe\x82\x0e\xc2\x84\x50\xed\x7e\x7a\xe2\xe0\xe4\x7a\x3d\x40\x54\xa4\xac\xf5\x36\xe9\xa3\xef\xb8\xfb\xf5\xd0\xd6\xfb\xc6\x9a\x51\xba\xd4\xa6\x72\x3d\x62\xc8\x31\x1e\xc2\x24\xec\xc7\x10\x48\xbc\x16\xf9\x80\x5d\x91\x7a\x8a\x62\x94\xc0\x38\xb2\x84\x2d\x61\xde\x81\x0d\xb1\xb1\xa6\xf3\x77\x20\xd3\x01\x1f\x5e\x55\x80\x38\x50\xb6\xaa\x0c\x4b\xab\x3c\x81\x2c\xd7\xdb\xab\x18\xa7\x32\xac\x8e\x16\x7c\x49\xec\xc8\x35\x93\x88\xa9\x50\x80\xcb\x1d\x79\x6c\x32\x4f\x1a\x9c\x37\x95\x74\x9a\x36\x68\x23\x57\x60\x1b\x26\x0d\x85\xc7\x10\xdd\x0c\x67\x17\x3a\x8e\x4c\x1a\xa1\xe9\x5d\xdb\x86\x0e\x37\xc4\x4c\x99\x0e\xc5\xd1\x1c\x0e\x71\x90\x7c\x3e\x5e\x5f\xd2\x47\xfa\x32\x1d\xe9\x2d\xb5\x06\x84\x50\x6e\x82\x94\x47\xa8\xc8\x59\x09\xd2\x39\x7e\xc1\x1b\xbe\x06\x13\xa4\xd8\xaf\x44\xc2\x09\xbc\x45\x70\x29\x3e\x9c\xf7\xba\x6f\x47\x75\x4f\xd0\x50\x6e\xc3\x4a\xf2\xf9\xef\x20\x25\x0e\xdc\x01\xf9\x7b\x83\x74\xd8\x2c\x75\x09\xa2\x31\xb0\xd5\xc9\xb0\x85\xf9\x94\x8e\xfc\xe6\x8c\x57\x12\xf9\x6a\xfc\xf4\xf9\x2a\x1e\xb3\x49\x34\xb1\xd6\x64\x34\x41\x04\x33\x7c\x2b\x50\x28\xc8\xc7\xd6\xd7\xe6\x2e\x74\xcf\x28\x3d\x61\xda\xc1\xad\x87\x21\x50\x5c\x48\x84\xa8\x1c\xf6\x92\xaa\x33\xf8\x01\xcb\xc7\xee\xe1\xae\x61\xbd\x4c\x96\xa4\xb1\xad\xb8\x8f\x24\xb0\xa5\xe7\x81\x5c\x53\x7b\x25\xb8\xbc\x2e\xe2\x83\xe4\xe0\x5f\xa0\xf1\x57\xf1\x94\xf5\xb2\x2d\x6d\x02\x67\xfb\x0f\xd5\xab\x10\xbe\x22\x30\xcd\x21\xf8\x70\xe0\xe6\x51\xb5\x74\x7b\xb7\xf4\x59\x3e\xf5\x2c\x8a\x2e\x51\xd5\x09\x3e\xe1\x40\x5e\x49\xbb\xa6\xb3\x6c\xf9\x7f\x0b\x2f\x71\x50\xa1\x0a\xb7\x66\x94\x78\xa4\x83\x1f\x9c\x5e\xe6\x79\x0e\x91\xe9\x3b\x0e\x81\x4b\xc3\x14\xb0\x62\xc6\x8a\x3d\x36\xcf\x48\xda\x34\x9b\x02\x23\x80\x27\x22\xd7\x6b\x8b\xde\x97\x98\x2f\x78\xdd\xda\xb0\x64\x08\x4b\x3e\xea\x0a\x33\x5b\xd0\xdd\x84\x61\xb1\x05\x81\xd4\xa9\xaa\x69\x9d\x54\x2d\xba\x4c\xa8\x46\x4f\x62\xad\x3b\x9c\xd7\xe8\x20\x26\xa3\xfd\x15\xc2\xbd\xb3\xe3\x0a\x76\x43\xe8\x2f\x2c\x8e\x76\x44\x98\x86\x69\x89\xe2\xfe\x5a\x9e\x89\xc2\x37\x40\x4a\xad\x6b\x55\xc2\xbe\x45\x8e\x3f\x65\x47\xf7\x27\xf0\xb2\xc9\x05\x2d\xe4\x83\x9a\x6b\x5f\x03\xf5\xa7\x88\xe5\xa1\x4d\x84\x48\xee\x25\xb3\xdf\xf6\x90\x02\xd5\xfd\xa5\xca\xfe\x5b\xed\x82\x60\x28\x5b\x61\xce\x3c\x53\xc1\x62\x88\xef\x8a\xf1\x75\x9f\x63\x13\x60\xae\xe3\xbd\xc5\xeb\xfc\x22\x9b\x96\x7d\x19\x37\x99\x65\x53\x95\x24\x09\xf5\xf5\x86\x08\x20\xfd\xd2\xed\x84\x6d\xab\x93\x1b\x2d\x19\xfd\xda\x50\x69\x3a\x92\x6a\x41\xe5\x60\x60\xf2\xd6\xc1\x3c\x12\x5c\x0c\x4b\x08\xe4\x75\xa9\x92\xcc\xe4\xb5\x1e\x0f\x76\xeb\xc3\xc7\x36\x2f\xb1\xbb\x0b\x98\x05\x33\x2c\x16\x2e\x1e\x09\xd1\xff\x0e\xb7\x3b\x24\xe4\x0d\x61\x88\x13\x6b\xbc\x6e\xf8\xa3\x6f\x63\x2e\xa3\x2e\xa4\xc0\x61\x99\x18\x1d\xbb\x78\xf3\x99\xf4\x7d\xfb\x46\x33\xd0\xf0\x76\x8e\xe3\xd3\x3b\xef\xdc\xc3\xc0\xfa\x08\x9c\x21\x82\xd6\xa8\x5b\x27\x21\x35\xea\xe3\x43\x6b\xfa\x09\xb1\x8b\x10\x21\xf3\x70\x97\x99\x4a\xd7\x1a\xc9\x4c\x97\x44\x8e\x2b\x25\x2a\x75\x86\x16\xc1\x5f\x09\x66\x44\x7d\xe5\xd6\x48\x71\x05\xfa\x40\x80\x42\xc9\x0a\x9a\x89\xce\x90\xf0\x72\x8d\x7d\x76\x7c\x47\x2f\x60\xa1\x74\x0c\x77\xc0\xa6\x4a\xf3\xad\x4f\x94\x54\x4e\xbb\x3d\xe7\x94\x20\x1d\x17\xd6\x39\x97\x65\xe0\x55\xa5\xb9\x4d\x56\x9c\x66\x18\xe1\x14\x27\x5c\xfe\x79\xc2\x63\x63\x69\x42\x4e\x01\xca\x8b\x8e\x3a\x53\x0b\x92\x43\x16\xf4\x3d\xf7\xe4\x3c\xd0\x70\xd1\xb0\x9e\x8c\xc1\x84\xac\x7a\xe9\x79\x11\x9a\xae\x40\x15\x5a\x2a\x67\x32\x9e\x18\x72\x2c\x3d\xc7\x2d\xee\x00\x49\xeb\x4c\x29\xb3\x06\xdc\x81\xde\x1a\x19\x67\xcf\xe1\x7e\x97\xca\x47\x65\x62\xca\xd4\x3e\x84\xab\x3e\xc6\xe7\x6d\x35\x88\x29\xba\xad\x98\x22\x41\xd0\xdb\x74\x45\x45\x4f\x6a\x40\x54\x05\x05\x7b\x57\xfb\x93\xdf\xbd\xc8\xda\xe5\xb3\x0c\x64\xcd\x22\x0d\xc4\x8f\xdb\x56\x67\xa3\xc0\x65\xf4\xb3\x08\xbd\x07\x6f\x95\xc8\x10\xe9\x1d\x5b\x2b\x92\x11\x26\x12\x85\x20\x02\x8a\x70\x0e\x50\x6d\xa6\xc7\x61\x7f\x62\x42\x42\xa5\x9b\x87\x4d\x06\x04\x09\x11\xd5\x34\xa0\xe1\x5a\x51\x95\xfd\x8d\x9c\xb4\x65\x17\x62\x75\x11\x95\x40\x03\x48\x92\xcc\x6e\x6a\xaf\x17\x4b\x06\x43\x56\x25\xf9\xbd\xe8\xe6\x99\xe2\x8c\xbe\xed\x2b\x9a\xe0\xfc\x68\x4c\xbd\x8c\x77\xbf\x83\x80\x86\x45\x03\x95\xf2\x2c\xd0\x25\xc7\x04\x60\x39\x4c\xc2\x19\x78\x9f\xc7\x56\x83\x79\xdf\x98\x56\x58\x3f\x79\x6c\x8a\x29\x44\xb8\x57\x07\x7b\xd2\x9f\x54\x78\xe8\xb3\xbd\xf9\x16\xe6\xd6\x79\x63\xf8\xc0\x39\xba\x46\x9b\x60\xd0\xa2\x4e\xdb\x6f\x9e\x00\x40\x2b\x6f\x28\x6d\x88\xa4\xfc\x10\xbf\x76\x4d\x8c\x37\x25\x27\x10\xcb\x47\xb5\x69\x37\x08", 4096); *(uint64_t*)0x200000004690 = 0x200000004580; memcpy((void*)0x200000004580, "\x82\x07\x18\x73\x3b\x49\xda\xf8\xed\x80\xb0\xed\x25\x77\x2d\x57\xd7\x74\x35\xef\x1d\xa1\xca\x4f\x19\x30\xad\x4e\x71\x3b\x84\xd4\xc1\xa2\x4c\x71\x2f\x02\xe0\xb8\x6d\x18\x42\xc1\x64\x41\x5a\xa9\xe4\x90\xe6\xc8\x23\x0a\x89\xe3\x09\xfa\xf0\x7d\x23\x9d\xd7\xcd\x35\xda\x5c\xb5\xf3\x69\x19\xdb\x06\xdf\x51\xa5\xa9\xc5\xfc\x80\x49\x89\x7d\x04\xbb\x73\x17\x25\xff\x5f\x5d\x98\x47\x6e\x15\xb1\xdb\xab\x8c\xdc\x40\x5c\x2c\x17\x36\x58\x05\xe2\x7a\x61\xa5\xf0\x61\xe7\xea\xd1\x00\x27\x2f\xe2\xd9\xbd\x8c\xae\x4a\x26\x1b\x45\x19\x19\xeb\xb9\x27\x20\x4c\x1f\x63\xa8\x90\x81\x47\xb9\x98\x35\xba\x99\x43\x78\xa3\x2f\x9f\x11\x03\x57\x4a\x08\x93\x4f\xbc\x79\xd3\x1a\xaf\x13", 164); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000004640ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004644; r[13] = *(uint32_t*)0x200000004648; } break; case 22: res = syscall(__NR_geteuid); if (res != -1) r[14] = res; break; case 23: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000046c0ul); if (res != -1) r[15] = *(uint32_t*)0x2000000046dc; break; case 24: *(uint32_t*)0x200000004740 = 0x600b; *(uint32_t*)0x200000004744 = 0xf; *(uint32_t*)0x200000004748 = r[3]; *(uint32_t*)0x200000004750 = 0xee00; *(uint64_t*)0x200000004758 = 6; *(uint64_t*)0x200000004760 = 3; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000004740ul); if (res != -1) { r[16] = *(uint32_t*)0x200000004748; r[17] = *(uint32_t*)0x200000004750; } break; case 25: *(uint32_t*)0x2000000048c0 = 1; *(uint32_t*)0x2000000048c4 = 0; *(uint32_t*)0x2000000048c8 = 0xee01; *(uint32_t*)0x2000000048cc = 3; *(uint32_t*)0x2000000048d0 = 6; *(uint32_t*)0x2000000048d4 = 0x10; *(uint16_t*)0x2000000048d8 = 1; *(uint32_t*)0x2000000048dc = 0xfffffffb; *(uint64_t*)0x2000000048e0 = 0xffffffffffffffa8; *(uint64_t*)0x2000000048e8 = 0x800100000; *(uint64_t*)0x2000000048f0 = 0; *(uint32_t*)0x2000000048f8 = 6; *(uint32_t*)0x2000000048fc = r[5]; *(uint16_t*)0x200000004900 = 0x40; *(uint16_t*)0x200000004902 = 0; *(uint64_t*)0x200000004908 = 0x200000004780; memcpy((void*)0x200000004780, "\x1f\x8a\xa3\x8b\x61\x93\x8f\xb7\x29\x9a\x96\xae\xe6\x1f\x6c\xfc\x70\x19\x0f\x9d\xf3\x01\xd4\x0c\xcf\x55\x77\x95\xfc\x00\xd7\x75\x9e\xfa\x4a\xd1\x66\x1c\xbb\x0d\x54\xc3\x10\xaa\xbc\xc2\x92\x85\xc2\xce\x84\xfc\xbe\x97\x40\x7d\x84\x9e\xde\xc2\xf5\x98\xb2\x05\xfa\x5e\xa2\x46\x0d\x0f\x61\x5a\xd8\x7e\x7e\x26\x05\xe8\x10\x1f\x58\xad\xb6\x2e\x17\x8c\x78\xc4\x54\x58\x0a\x55\xd6\x3f\x5e\x1d\x11\xf9\x32\x25\x0d\x1f\xef\xd4\x51\x95\x45\x15\x88\xbf\x53\x0d\x73\xd8\x30\x76\xa9\x3a\x28\x9b\x61\x3b\xc6\x8b\x49\x90\x54\x23\xd7\xd5\xac\xe8\x01\x62\x92\xe8\x03\x77\xfe\xd1\xb5\x88\x77\xd9\xc4\xd0\x4e\xa0\x5b\xa8", 150); *(uint64_t*)0x200000004910 = 0x200000004840; memcpy((void*)0x200000004840, "\xb7\x37\x6d\x34\xb8\xa4\xcc\x32\x66\x7d\x88\x59\x91\xbb\xbc\x68\x28\xd0\x8b\xd6\x69\xe6\xaf\x09\xfe\x1e\x55\xbb\x32\xd8\x85\xd2\x17\xaf\xb9\x56\x45\x97\x63\x90\xdd\x73\x08\xc5\x04\xc5\xd3\x99\x53\xa7\x83\xb0\x65\xbd\x4f\x0a\x72\xbf\xaa\x17\x6a\x0d\x2a\xce\xe5\xc8\xe4\x1f\xf9\xb6\x92\xa4\x1d\x01\x0c\x7b\x34\x59\xf8\x4c\x72\x1c\xdc\x4c\x7d\xad\x40\xcd\xb1\x71\xae\x49\xa5\x56\xc9\x8b\x5e\xda\x14\xdb\x8d\x4c\xdc\xc0\xb4\x7f\xa7\x5b\xc9\xfa\xa1\x71\xe6\x8b\x70\x0c\x49\x60\x22\x25\x16\xf6\xd5", 123); res = syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0xb, /*buf=*/0x2000000048c0ul); if (res != -1) { r[18] = *(uint32_t*)0x2000000048c8; r[19] = *(uint32_t*)0x2000000048fc; } break; case 26: *(uint32_t*)0x200000004a80 = 8; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0xee00; *(uint32_t*)0x200000004a8c = 0x5c6; *(uint32_t*)0x200000004a90 = 0x1000; *(uint32_t*)0x200000004a94 = 2; *(uint16_t*)0x200000004a98 = 0; *(uint32_t*)0x200000004a9c = 0x326; *(uint64_t*)0x200000004aa0 = 3; *(uint64_t*)0x200000004aa8 = 3; *(uint64_t*)0x200000004ab0 = 7; *(uint32_t*)0x200000004ab8 = 1; *(uint32_t*)0x200000004abc = r[5]; *(uint16_t*)0x200000004ac0 = 0x300; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000004940; memcpy((void*)0x200000004940, "\x8d\x80\x00\x08\x98\xd8\x1f\x2a\x2a\x53\x7f\xc2\x1c\x52\x02\x3b\xc6\xee\x66\x95\x4a\x12\xa9\x3f\x24\x18\xcd\x8b\x0b\x69\x06\x7e\x3f\xfb\xce\x8f\x5d\x74\x31\xe0\x01\xed\x25\x5f\xb5\xed\x78\x43\x74\xaa\xd3\x0a\x67\x50\x0f\x8f\x6c\x04\x2b\xf9\xe6\x67\x06\x60\xd4\x25\xf7\x61\x1c\x7e\xcd\xfc\x45\x0c\x05\xef\x9c\x0a\x65\xc6\x2d\xc2\x21\x5f\xec\x7c\x02\xb7\x12\xde\x12\xf5\x05\x3e\x2c\x3f\x60\xd7\x80\xfa\xfc\x4d\x1a\xc2\x21\xca\x09\x07\x54\x29\x32\x88\x9c", 113); *(uint64_t*)0x200000004ad0 = 0x2000000049c0; memcpy((void*)0x2000000049c0, "\x9c\xcf\xda\x86\x9d\xeb\x66\x1f\x5f\xc9\xba\x8f\x62\xd2\x9a\x4e\xa3\xbe\x92\x86\xf7\x7e\xf1\x11\x78\xf9\x6e\x25\xe8\xbd\x88\x8e\xcc\x08\xd4\x52\xe9\x47\x31\xdc\x6e\x97\xd3\x9a\xb9\x81\x4e\xec\x35\x7a\xcb\xb7\xad\x42\x32\x89\x93\x15\xb7\x4d\xf9\xb4\xdf\x71\x30\x2a\x48\x2e\x3c\x52\xfc\x98\x81\x62\xd5\x71\x39\xe6\x91\x02\x87\x53\xaa\x86\xb2\x0c\xbc\x06\x0c\xea\xf9\xde\x31\xcf\xbd\xfa\xdb\x28\x02\x23\x28\x70\x09\x02\x86\xf9\x0b\x42\x6c\x18\x86\x6f\xb6\x2b\xb4\x66\x2a\xc9\xcf\x93\x8b\x12\xc2\xb3\x80\xa1\x32\x4d\x83\x13\x57\x5e\xad\xbc\xec\x1a\x33\x83\x27\x33\xdc\x87\xa6\xf8\xef\x25\x23\x0f\xc8\x15\xe2\xb6\x75\x6e\x60\x14\x4a\x41\x19\x57\x69\xee\x48\xe2\x1d\x49\x7f\x0e\xb1\x9a\xa1\x24\x19\xeb\x80\x45\xac\x2c\xad\xa3\x87", 181); res = syscall(__NR_shmctl, /*shmid=*/0xfff, /*cmd=*/0ul, /*buf=*/0x200000004a80ul); if (res != -1) r[20] = *(uint32_t*)0x200000004a84; break; case 27: memcpy((void*)0x200000004b00, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000004b00ul, /*statbuf=*/0x200000004b40ul); if (res != -1) r[21] = *(uint32_t*)0x200000004b5c; break; case 28: res = syscall(__NR_getuid); if (res != -1) r[22] = res; break; case 29: res = syscall(__NR_getuid); if (res != -1) r[23] = res; break; case 30: memcpy((void*)0x200000004bc0, "./file0\000", 8); *(uint64_t*)0x200000004c00 = 2; *(uint64_t*)0x200000004c08 = 3; *(uint64_t*)0x200000004c10 = 5; *(uint32_t*)0x200000004c18 = 6; *(uint32_t*)0x200000004c1c = 0xee01; *(uint32_t*)0x200000004c20 = 0xee01; *(uint32_t*)0x200000004c24 = 0; *(uint64_t*)0x200000004c28 = 0; *(uint64_t*)0x200000004c30 = 1; *(uint64_t*)0x200000004c38 = 0x5f2b; *(uint64_t*)0x200000004c40 = 0xffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint64_t*)0x200000004c58 = 0x80000001; *(uint64_t*)0x200000004c60 = 5; *(uint64_t*)0x200000004c68 = 0xcc8; *(uint64_t*)0x200000004c70 = 6; memset((void*)0x200000004c78, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000004bc0ul, /*statbuf=*/0x200000004c00ul); if (res != -1) r[24] = *(uint32_t*)0x200000004c20; break; case 31: *(uint32_t*)0x200000004dc0 = 2; *(uint32_t*)0x200000004dc4 = 0xee00; *(uint32_t*)0x200000004dc8 = 0xee00; *(uint32_t*)0x200000004dcc = 0x401; *(uint32_t*)0x200000004dd0 = 9; *(uint32_t*)0x200000004dd4 = 6; *(uint16_t*)0x200000004dd8 = 8; *(uint32_t*)0x200000004ddc = 0; *(uint64_t*)0x200000004de0 = 8; *(uint64_t*)0x200000004de8 = 0x101; *(uint64_t*)0x200000004df0 = 4; *(uint32_t*)0x200000004df8 = 0xffffff46; *(uint32_t*)0x200000004dfc = 8; *(uint16_t*)0x200000004e00 = 2; *(uint16_t*)0x200000004e02 = 0; *(uint64_t*)0x200000004e08 = 0x200000004cc0; memcpy((void*)0x200000004cc0, "\x00\xb8\xfc\xb8\xc5\x1e\x1a\xf1\x5f\x5b\x1d\x2c\x15\x82\x1b\xb8\xf4\xe8\x46\xf2\x0d\x66\x2d\xad\x19\xa0\xe5\x94\x29\x99\x48\x59\xbb\x1d\x0b\x6c\x63\xef\x69\x44\x16\xac\xb4\x94\x49\x4c\x66\x18\xf9\x85\x73\xd3\x70\xcc\x43\x50\x65\xec\x4d\xa9\xef\xd3\xf6\x76\x26\xf4\x4c\x18\xb9\x6b", 70); *(uint64_t*)0x200000004e10 = 0x200000004d40; memcpy((void*)0x200000004d40, "\x23\xc6\x65\x18\x78\xdd\xaa\x08\x5a\xe0\xbd\xfb\x7c\xcb\xb0\x8b\x71\xaf\x34\xf9\xf1\x56\x5e\x8a\xc7\x7c\x52\x93\xba\xdd\xfe\x69\xea\x20\xac\xed\x26\xde\x58\x66\x4b\x32\xeb\xf6\xf7\x34\xd3\xf7\xf6\x92\x06\x5f\xe4\xf9\x9e\xa2\x83\x36\x2b\x12\xf9\x6c\xb9\x72\x63\x2e\x80\x27\x3d\x01\x46\x87", 72); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xbul, /*buf=*/0x200000004dc0ul); if (res != -1) r[25] = *(uint32_t*)0x200000004dc4; break; case 32: *(uint32_t*)0x200000004ec0 = 0; *(uint32_t*)0x200000004ec4 = 0xee00; *(uint32_t*)0x200000004ec8 = 0; *(uint32_t*)0x200000004ecc = 0x19; *(uint32_t*)0x200000004ed0 = 6; *(uint32_t*)0x200000004ed4 = 7; *(uint16_t*)0x200000004ed8 = 0x53; *(uint64_t*)0x200000004ee0 = 0x200000004e40; *(uint8_t*)0x200000004e40 = 3; *(uint64_t*)0x200000004ee8 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 5; *(uint64_t*)0x200000004ef0 = 0x45; *(uint64_t*)0x200000004ef8 = 0x38; *(uint64_t*)0x200000004f00 = 0; *(uint64_t*)0x200000004f08 = 0xffffffff80000000; *(uint64_t*)0x200000004f10 = 4; *(uint16_t*)0x200000004f18 = 0x42; *(uint16_t*)0x200000004f1a = 7; *(uint16_t*)0x200000004f1c = 0x2825; *(uint32_t*)0x200000004f20 = 0xa21; *(uint32_t*)0x200000004f24 = 1; res = syscall(__NR_msgctl, /*msqid=*/1, /*cmd=*/1ul, /*buf=*/0x200000004ec0ul); if (res != -1) r[26] = *(uint32_t*)0x200000004ec8; break; case 33: *(uint32_t*)0x200000005680 = 0; *(uint32_t*)0x200000005684 = -1; *(uint32_t*)0x200000005688 = -1; *(uint32_t*)0x20000000568c = 8; *(uint32_t*)0x200000005690 = 6; *(uint32_t*)0x200000005694 = 0xa87; *(uint16_t*)0x200000005698 = 6; *(uint32_t*)0x20000000569c = 5; *(uint64_t*)0x2000000056a0 = 7; *(uint64_t*)0x2000000056a8 = 6; *(uint64_t*)0x2000000056b0 = 1; *(uint32_t*)0x2000000056b8 = r[6]; *(uint32_t*)0x2000000056bc = 5; *(uint16_t*)0x2000000056c0 = 4; *(uint16_t*)0x2000000056c2 = 0; *(uint64_t*)0x2000000056c8 = 0x200000005480; memcpy((void*)0x200000005480, "\xfe\xed\xc6\xae\xab\x06\xac\x00\xe0\x0a\x47\x26\xdf\xfa\x89\x36\x98\x62\x1b\xfa\x7d\x41\xa1\xac\xc3\xb8\x24\x88\xd2\x7e\x0a\xd4\x99\xd0\xf4\x71\x76\x04\x49\x63\x03\xa3\xc3\x2e\xee\xb4\x4d\xf0\x79\x18\x2f\x9c\x1f\x77\xba\x86\xb5\xd7\x5d\x3c\xfc\x32\xf4\x50\x62\xe9\x3e\x18\x4c\xec\x89\x02\x44\xb1\x95\xf2\xcd\x11\xbb\x0a\x90\xf2\xa2\xd8\xf6\x7c\xc5\xc0\xbe\x21\xff\x7a\x4f\x4d\x4a\x43\xb7\xfb\x2b\xa7\x33\x04\x0d\x26\xfa\xe0\xfb\x33\x2c\xcc\x40\x57\x09\xc4\xb6\x02\x93\x6c\x96\x94\x2a\x8e\xb5\xae\x32\x7c\x87\xdb\x6f\x2f\x6f\x61\x0f\x80\x3c\xc6\xd8\xd2\x09\x9e\xc2\xa8\x74\x19\xcd\x0c\x20\x6b\x74\xac\x24\x97\xac\x1f\x8b\x63\x7c\xff\xd4\x42\x7d\xae\x82\xe7\x7b\xea\xf3\x7c\xe6\xf5\xd2\xbd\xde\xb3\x19\x44\xc3\x6a\x67\xec\x43\x46\x59\x2b\x8b\x0a\x7f\x4f\x28\xc9\x52\xc8\xf6\xbc\xbe\x0a\x5e\xc3\x5a\xae\x35\x4c\x1f\x9e\x66\xbf\xab\x1f\xa0\xf8\xfb\xe0\x2e\x56\xaf\x6e\xcc\xe5\x25\x61\x78\x00\xb4\x2e\x8c\xb5\x83\x1e\x20\xae\x90\xe7\x3b\xdd\x29\xda\x4c\x8b\x8d\x1d\x00\xad\x8e\x8e\x8d\x8f", 246); *(uint64_t*)0x2000000056d0 = 0x200000005580; memcpy((void*)0x200000005580, "\x48\xfe\x27\xd9\x96\x54\x0a\xf3\x9e\xe6\x3e\xd5\xb8\xcf\xd8\x52\x3c\x9e\xee\xa2\xa9\xf6\x19\x60\x14\x21\xc6\x14\x0e\x3a\x98\x4a\xbc\x8a\x5f\x42\x1a\xc2\x62\x1a\xd0\x9d\xcf\xe4\xb7\x03\x89\x83\xe0\xe8\x82\x40\xcf\x3d\xd6\x11\x96\x97\x6f\x83\x6b\x58\xbc\x78\xe8\xd0\x80\x44\x6c\x8c\x46\xfa\x4d\x9a\x6b\x52\x29\x42\xef\x8d\x58\xf8\x9f\x40\x10\xf6\xb6\x2b\x5a\xff\x90\x27\x53\xb6\x2f\xb2\x9f\xb8\xa8\xa3\xa4\x75\xf3\xe0\xe4\x45\xbc\x8a\x4f\xe0\x18\xfb\x6a\x5e\x3c\x2d\x53\x4a\xab\xd3\xb0\x91\x5d\x7b\x06\x57\x81\xca\x8c\xdb\x3e\xb7\x34\x01\x63\x90\x63\x8c\xde\x96\x40\x37\x5b\x4d\xfc\x90\xc2\x11\x60\x3b\x5e\xa2\xbd\x44\x29\x57\x50\x41\x50\x67\xbc\x3f\x14\x7a\x66\xd7\x7d\xcf\xbf\x65\x84\x80\x36\x9e\x1d\x1f\x19\x3d\xad\x08\xc0\x0f\x36\xc9\x9a\xf5\xc1\xb5\x2f\xf0\xa1\xf2\xe8\x93\x84\x1f\x1a\x2d\xe0\x97\xfb\x0e\x00\x1a\xbd\xb9\x56\xf6\x82\xde\x1e\xcf\xc1\x80\x1e\xc9\x43\x6f\x86\x4d\x3a\xbe\x6e\x7f\x9e\x33\x2a\x32\xe9\xe5\x44\x5d\x85\xed\x61\x3b\xa1\xd5\x9a\x8a\xe4\x83\xad\x90", 244); res = syscall(__NR_shmctl, /*shmid=*/0x80, /*cmd=*/0xful, /*buf=*/0x200000005680ul); if (res != -1) r[27] = *(uint32_t*)0x200000005684; break; case 34: *(uint32_t*)0x200000005980 = 0; *(uint32_t*)0x200000005984 = 0xee01; *(uint32_t*)0x200000005988 = 0xee01; *(uint32_t*)0x20000000598c = 0x80000001; *(uint32_t*)0x200000005990 = 0xa; *(uint32_t*)0x200000005994 = 9; *(uint16_t*)0x200000005998 = 0x50f4; *(uint32_t*)0x20000000599c = 8; *(uint64_t*)0x2000000059a0 = 8; *(uint64_t*)0x2000000059a8 = 4; *(uint64_t*)0x2000000059b0 = 7; *(uint32_t*)0x2000000059b8 = r[6]; *(uint32_t*)0x2000000059bc = 8; *(uint16_t*)0x2000000059c0 = 3; *(uint16_t*)0x2000000059c2 = 0; *(uint64_t*)0x2000000059c8 = 0x200000005800; memcpy((void*)0x200000005800, "\xdb\x41\x18\xb7\xfc\x55\x0b\x52\xee\xc4\xc5\x9c\xf4\xb9\x3c\x16\x9c\xd2\xe4\xc6\xb1\xeb\x5a\x84\xe9\x5b\xb2\x10\x93\x86\x54\x4d\x81\x85\x38\x8c\x50\x4c\x49\x5c\x8e\xf8\xb3\xd1\x96\xce\x76\x84\x46\x52\xa8\xd2\xed\xdb\x5e\xff\x11\x69\xa5\x58\xd6\xe7\xc5\x6d\x46\xaa\x70\xe6\x29\x8f\xbf\xaf\x95\xfa\x39\xd5\x39\x85\x94\x4c\x38\x2b\x26\xcb\x4e\xe5\x1e\x02\x1b\xeb\xc6\xe6\xe8\x03\x88", 95); *(uint64_t*)0x2000000059d0 = 0x200000005880; memcpy((void*)0x200000005880, "\x11\xd0\x1f\xea\xa2\x06\x48\x96\x7b\x16\xd3\xe6\xcb\x0d\x49\x89\xe6\x1f\xca\x36\x74\x07\x92\xd8\x80\x8f\x57\x2b\xe0\xb7\x0d\xd4\xfa\xaa\x5e\xce\x73\x85\x99\x83\x67\xd7\xda\xf2\x35\x0e\x52\xa7\x4d\xde\x02\x7c\x39\x77\x11\xa1\x8f\xaa\x7b\x87\x7c\x14\xe9\x2f\x48\x63\x6c\x7b\x02\x1b\x50\x82\x8c\x93\x6f\x30\xbd\xec\x29\xc6\x74\x13\x9d\x1d\x64\x36\x9d\x02\xd6\xdf\x35\xbd\x75\xc5\x4a\x72\x9a\x1c\x28\xf9\x4a\x00\x49\x7c\x29\x12\xe4\xf7\x3e\x55\x74\x6d\xc4\x37\xcf\xb6\x4d\x82\x6f\xb5\xdc\x13\x28\x6f\x2d\x3d\xc8\xa3\x54\xee\x95\x76\xb8\xb3\x7c\x40\x78\x14\xe5\x52\x41\xfd\x87\x16\x08\xc5\x99\xdd\xb5\xf9\x80\xe7\xc0\x1c\x23\xb0\x2b\x73\x8c\xe3\x4d\xc1\xf4\xd5\x57\x7f\x02\xc5\x53\x7e\xec\x8d\x5c\x15\xf8\xc9\x3a\x7d\x45\x0b\x47\x01\xde\x03\x80\x22\x41\xa3\x4c\x3a\x07\xa3\x78\x11\x9c\xfb\xb3\x4e\xeb\xe8\x75\x3a\x48\x51\xca\xe1\xa1\x4a\x12\x47\x49\xed\x8c\xaa\xec\x19\xd2\x22\x0b\x21\xd7\x1e\xdd\x40\x85\x67\x22\x38\xc4\x58\x2d\xbe\x77\xee\x25\x8f\x75\x04\xe5\x86\x84\x58\x78\xa7", 244); res = syscall(__NR_shmctl, /*shmid=*/0x7ff, /*cmd=*/0xful, /*buf=*/0x200000005980ul); if (res != -1) r[28] = *(uint32_t*)0x200000005984; break; case 35: *(uint32_t*)0x200000005a80 = 0x1d; *(uint32_t*)0x200000005a84 = 0xee00; *(uint32_t*)0x200000005a88 = 0xee01; *(uint32_t*)0x200000005a8c = 9; *(uint32_t*)0x200000005a90 = 7; *(uint32_t*)0x200000005a94 = 0x100; *(uint16_t*)0x200000005a98 = 0x1000; *(uint32_t*)0x200000005a9c = 4; *(uint64_t*)0x200000005aa0 = 0x400; *(uint64_t*)0x200000005aa8 = 3; *(uint64_t*)0x200000005ab0 = 9; *(uint32_t*)0x200000005ab8 = 9; *(uint32_t*)0x200000005abc = 0; *(uint16_t*)0x200000005ac0 = 0x4c17; *(uint16_t*)0x200000005ac2 = 0; *(uint64_t*)0x200000005ac8 = 0x200000005a00; *(uint64_t*)0x200000005ad0 = 0x200000005a40; memcpy((void*)0x200000005a40, "\x20\xfc\xa2\xd9\xa8\x4b\x14\x9b\x22\xcc\x11\x86\x29\xf2\x44\xc8\xf9\x90\x9c\xbe\x31\x7a\xd4\x69\x3e\x5c\x7d\xda\xcf\x6f\xf0\x8f\xf9\x64\x41\xb2\x9c\x38\xfb\x9a\x61\x61\xaa\xc4\x2a\x96\xf4\xe5\xb9\xa9\xed\x64\x8c\xa3\xd6\x00\xf7\x63\x14\x86", 60); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x200000005a80ul); if (res != -1) r[29] = *(uint32_t*)0x200000005a88; break; case 36: memcpy((void*)0x200000000c40, "\x55\x5b\x07\x8c\xdc\xaf\xe3\xdf\x82\xab\x07\x45\x00\xb8\x54\xe0\x53\xe9\xbe\x2b\xde\xa6\x7c\x3f\xdc\x61\x39\x5f\x5b\xcf\x26\x9a\x1a\x3d\xb8\xdd\x7f\x3d\xb0\xcb\xe3\xe9\xee\x7f\x3f\xd7\x73\xe5\x7f\xb4\xf6\xab\xa5\x3b\x02\x82\xae\x6a\xb4\xf9\xb9\xd6\x9d\x36\x2e\xbd\x6f\x99\x17\xff\xa5\x85\xa5\xe2\xb1\xdd\x85\xaf\xdc\x2e\x0b\x9f\xd0\x7d\x2b\xb6\x93\xd6\x87\x17\x43\xb7\x3e\xdd\xf8\xe6\xcc\x6e\x58\xe5\x02\xfb\x0d\x8d\x80\xfb\x48\xbe\x00\xbe\x3a\xcf\xe3\x5f\xd1\xfe\x21\xf9\x7c\x59\x8e\xca\x5e\x05\x46\xf3\xf6\xee\xc8\xf7\xe4\x03\xe8\xa8\x0b\x58\xfb\x34\x34\x2e\x2f\xcf\x0e\xef\x3b\xa1\x64\x4b\x26\x2d\x0a\x87\x7d\xeb\xa6\x46\x22\xae\xee\x38\xf1\xef\x52\x8c\xd8\x36\x08\x5f\xb4\xf8\x43\x7c\xa3\x6c\x3c\xc2\x11\x98\x0a\x65\x23\xfc\x6b\xd0\x7c\x49\x74\x7f\x5f\x9d\x6d\x79\xca\x43\x5f\x84\xf5\x9a\xf8\xbc\x5d\x7a\x76\xad\x9a\x4d\x29\xe4\xc5\xea\xf2\x0c\xf5\xe3\x73\xc2\x67\x7a\x04\x8b\x4a\x06\x4b\x25\xc8\x0e\x3c\x22\x5a\xef\xc7\x98\x61\xe3\x9f\x88\x98\xdc\x74\x9e\xd0\x43\x2a\x34\x74\x29\x9b\x35\x0f\xfb\x0c\x53\xcf\x96\xca\x64\xa1\x27\x30\x8b\x7a\x77\xf8\x0e\xc1\xad\x1c\xa7\x4f\xc5\x8f\x71\x80\x3c\x78\x7f\xc8\x98\x20\xce\x64\x7e\x6e\xed\xc3\x84\x51\xb7\x0b\x15\x30\xcc\x70\x60\xd1\xb0\x72\x7b\x74\x68\x5e\x6a\xdb\x33\x10\xcf\xa9\xed\x51\x65\xe3\xd3\xe7\x4a\x38\xa7\xb5\xf2\x50\x24\x61\xb9\x3d\x63\x36\x93\xf3\xc9\x25\x9d\x2f\xa0\xad\x38\x9f\x24\x96\xc5\xc2\xe3\xdf\x9f\x85\xc1\xa8\xa8\x58\xdb\x4b\x7c\x58\x15\xfc\xbb\x65\x68\x21\xe1\x84\x4e\x7d\x6e\x0f\x3c\xfb\x64\x52\x8f\x96\x62\x97\x9a\xc9\xa8\xec\x10\xee\xf0\x60\x3b\x3d\x1d\x78\xd5\xd2\xa4\x85\x48\x6a\xa8\xcc\x31\x0e\x49\x0b\x94\x71\xae\x12\x71\x94\x15\x1b\x73\x2e\xd1\x9d\x49\x4e\xa6\x3d\x28\x36\x51\x94\x09\xa2\x13\x42\x5f\xe1\x00\x5e\x46\x69\x5f\x4b\x24\xbe\x7b\x25\x82\x96\x53\xe4\x1c\x17\x4b\x1b\xc6\x9f\x10\x8a\x07\x67\x69\xc6\x52\x40\x5d\x43\x6a\x7c\x69\x8a\xc8\xe5\x4a\x85\x0c\x0e\xd0\x24\x9a\x82\x50\xe5\x54\x88\x69\x61\x6b\x9a\x72\xf2\x6c\xb9\x70\x96\xcc\x66\xcb\xbf\x03\x17\xa1\x7f\x96\xee\x0b\xae\x08\x02\x4d\x5b\x80\xdf\xf8\xbe\x40\xc8\x22\xd8\x50\xf7\x49\xe7\xbf\x54\x33\xd2\x52\x20\x2b\x03\x58\x3d\x8b\x87\xb5\xb7\x07\x90\x5e\x3c\x84\x61\x24\x1f\xea\x66\xc5\x99\x5a\x3d\xe3\x0e\xf8\xe3\x3b\xf0\xc7\x92\xf2\x3a\x26\x43\xbe\x67\xd8\xe0\x77\xb1\x6a\x84\xe5\x2d\x80\xc3\xc3\xe8\xc3\xba\x8e\x58\xd0\x68\x3d\x00\x41\x2b\x9f\x98\x73\x25\x24\x11\x3d\x24\xc8\x9e\xbb\x02\x0b\xa6\x31\xc1\x61\x8c\x7c\x1d\xed\xf1\x8e\xe5\x9c\x67\x7e\x58\x52\x99\xfc\x6b\xc0\x60\xd5\xc3\xf5\x7f\x9d\x52\x9f\x93\xc3\x7e\x08\x6d\xb0\xed\x59\x93\xa0\x5d\xab\xff\xba\xe7\x43\x0f\x9e\x20\x60\xb0\xb6\xce\x6b\x0b\x21\xfe\x6d\xcc\x4f\x40\x16\xd8\x7a\x74\xd0\xfa\xdd\x6f\x9f\x12\xb1\x02\xf7\x8a\xc9\x4f\x2b\x84\x6c\x2a\x7b\x9b\xc2\x43\xc5\x6b\x0f\xe4\x41\x2f\x03\xaf\x33\x72\xd3\x56\x43\x2c\xff\x83\xc2\xd7\x12\x7f\xa0\xa9\x72\x90\x6d\x16\x74\xd7\xe5\x5d\xac\x17\x89\x01\xb6\x61\xf1\xf1\xef\x39\xe7\x17\x25\xd8\x9b\xc1\xe7\xce\x8a\xc6\xa2\x38\xa9\xb2\x11\x5c\x65\x63\xf9\xc2\x19\x93\x43\x50\xcb\xff\x04\xbf\xed\x91\x66\x53\xcd\xfd\x93\xc2\x5c\xa0\xcf\xa1\x22\x3b\xc8\x5f\xd2\x6d\xcb\x17\xe5\x30\x21\x28\xfd\x81\x94\x51\xd0\xb7\xf0\x85\x4c\x70\x32\x84\x97\x77\xd1\x82\x8d\x48\x3b\xc5\x8b\x2b\x91\xf6\xe4\xeb\x2a\x90\x26\x55\xa9\x5b\x03\xfe\x2c\x86\xf0\xfb\xa9\xfd\x2c\x67\x7f\x6e\x5b\x60\x92\x17\x9a\x5e\x84\xa6\x7d\x88\x1a\xab\x57\xdd\x2c\x32\x39\xa1\xdb\x9b\x47\xf2\xb5\xf6\xce\xeb\x79\xa5\x8c\xd1\x25\xe6\x14\x7d\x20\x68\xca\x21\xa0\xca\xc4\x7b\x0c\x12\xf6\x68\x3b\x71\x98\xf1\x39\xf1\x12\x06\xb2\x84\x90\xf7\x56\xe0\xbf\x15\x22\x19\x5f\x14\x60\x8d\x19\xff\xb6\xa3\xba\x85\xf0\x47\x44\x31\xf7\x1d\x1a\x38\xb4\x92\xe3\x86\xdb\x9e\xb0\xdd\xe5\x57\x69\xc0\x2f\x87\x57\xa4\xe1\x4e\x93\xdc\x24\x1f\x2d\xd5\xe6\x55\x0e\x3d\x75\x3c\x91\x7b\xbc\x4e\x5b\x1a\x33\x85\x25\x91\x63\xd6\x64\xb0\xc7\x2d\x85\xbf\x78\x35\x4f\x18\xcb\x63\xf1\xfe\x0a\x33\x7a\x07\xf2\xe7\x8f\xd3\xf8\x94\xff\xeb\x85\xda\xce\x3f\x30\x27\x7b\x5c\x0f\xdb\xb2\x4f\x9b\xc3\x54\x54\x6d\xe8\x12\xed\x54\x45\xf8\x54\x88\x8a\x03\x8f\x04\x36\xc7\x8b\x21\x23\x0c\xa7\x3e\x77\x0b\x4d\x37\x5a\xc6\x0d\x30\x2a\xd1\x62\x9e\xd8\xc1\x7a\x12\x76\x53\x02\xad\xd9\x81\x9e\x9b\xdd\x10\x02\xdd\xf7\xd7\x73\xd0\xd2\x01\xe6\xaf\x2b\xf8\xe5\x8f\x68\x91\x5d\xcd\xb8\x0f\x4b\xdd\x73\x1c\xa0\x54\x4f\x9b\xe2\x92\x97\x21\x9d\xd3\x42\x2d\xf4\xf2\xe4\x36\x42\x2f\x94\x0d\x8f\xe0\x72\x41\x4e\x84\x38\x94\xc0\x1f\x43\x80\x7c\x4d\xd4\xf7\xc5\xc1\xfe\xb2\x0d\x50\xf0\x60\xee\x1f\xe6\x12\x22\x9c\x2f\x49\xda\x21\x72\x89\x52\xa0\xbe\xf8\x1b\x47\xfa\x85\x84\x8f\x65\xae\x37\x56\x70\x60\x13\x09\x5f\x1f\xf8\x4e\x5e\x32\x21\x6b\x94\xaf\x24\x79\xee\xa8\x19\x97\x10\xc0\x15\x59\x7b\x00\xa9\x7b\xe8\xb3\xba\x52\x43\x9b\x12\xe3\xf1\x94\x82\x18\xe2\x81\x6b\x75\xb6\x84\xf3\x18\x2b\x43\x4e\x0a\xc0\xcb\x31\xa1\xa8\x3f\x2c\x7b\xbd\xdf\x28\x0d\x1e\x4f\xd5\x08\xc4\xb7\xa0\xfb\x0b\x66\x4c\x61\x3e\xdb\x4c\x7e\xc7\xf4\x8c\xdc\x94\x11\xa1\xaf\x51\xc7\xf2\x95\x64\x95\x04\x17\xca\xcf\x4c\x84\x8b\xc3\xc6\xc2\xff\xb3\x17\x59\x91\x7a\x52\x51\x00\x01\xaf\xd9\xde\x6d\x6e\x9d\xdc\x26\x36\x43\x53\xea\x50\x70\xfc\x73\x0b\x22\xd8\xf4\x34\xec\xc2\x12\x47\x94\x9f\x63\x7d\x03\xd4\x30\xa5\xfb\xc0\x36\xbd\xaa\x35\x01\xd4\x9d\x63\xdf\x32\x38\xab\xc5\x94\xa5\x64\x43\xd0\x5f\x53\xa5\x57\xb1\xe0\x4c\x54\xf5\xde\x09\x10\x86\xa0\xcf\xe9\xf3\x70\x7c\x74\x77\x1d\x41\x6c\xbd\x75\xc5\x3e\x74\x56\xba\xc5\xad\xce\x64\x0c\xd9\x3c\x66\xc0\xba\x2e\x59\x09\x6c\x5e\x08\xcf\x2c\x9b\x96\x48\x9e\x94\xf8\x06\x52\xf9\x05\x84\x9e\x4f\x38\x99\x7f\x0c\xd4\xe6\xcf\x1a\xd1\x8a\x88\x1e\x9e\x81\xae\x73\x2c\x28\x4d\xf2\x54\xde\x39\x81\x60\x6b\x02\x1e\xf4\x1d\xa3\x71\x76\xe9\xa0\x94\x6a\xb8\x08\x26\xdc\x7f\xb9\xe4\xb9\x9b\xd9\x94\x8b\xb0\xee\x33\x4a\x5d\xb2\x91\xea\x58\x80\x7c\xec\xd5\x9f\x87\x0c\x69\x13\x85\xe2\x7f\x18\xd7\x48\x46\xd1\xed\xa2\x20\xb9\x60\x7a\xaf\x2e\x6f\xc0\xae\x9e\xae\x57\x60\x8e\x60\x1d\xf9\x44\xd9\xac\x45\xd6\x2d\x79\x65\x12\x90\x3b\xff\x90\xd7\x40\xef\x9f\xcc\x40\xc3\xb3\xf2\x73\xa2\xbd\xfa\x30\x14\x3e\x90\xcd\xa7\x11\x6d\x8c\x68\x82\x6e\x67\xea\x0c\xf5\x78\xf5\x92\x31\xca\x85\xf0\x3f\x11\xb4\x0d\x06\x31\xab\x34\x73\xca\x2e\xe5\x35\x87\xdd\x4d\x8a\xbc\x53\xc6\x06\x9d\x56\xbd\x9b\xf7\xcc\x9f\x04\xd8\x98\x2a\x4f\xae\xda\x89\xfb\xff\x88\x84\x25\x1a\x1f\xcc\x5f\xef\x64\x2a\x20\x52\x99\x93\x0e\xe6\xc9\x02\x22\x23\x57\x68\x88\xc4\x91\xf7\x96\x62\x4d\x04\xd9\x5a\x98\x3e\x40\xb3\x44\xe8\xf4\xc9\x8e\xeb\x55\xe0\xff\x11\x6f\xcc\x8b\x4f\x29\x6d\xdc\x2f\x11\xc9\x32\x27\x86\x44\x0e\x0b\xa6\x22\xed\x96\xdc\xcb\x6b\xf6\x82\xb9\x7a\x2c\x78\x06\x47\x47\x38\xe9\xce\xa3\x64\xa2\x28\x30\x23\x5c\xa3\x5c\x60\xca\x4b\x0f\xd3\x0f\x81\xc0\x51\xb9\x6c\x67\x98\x21\x7c\x79\x85\xe7\xfd\xfb\x4f\xd8\x04\x09\x32\x66\xf0\xd3\x94\x7b\xc1\xd5\xb3\xbd\x53\x5c\xbd\x34\xbf\x07\xa3\x09\x6f\x16\xda\x81\x8c\xde\x06\x88\x7e\x94\x25\x75\x79\xf2\xc0\x20\xcb\xca\xc1\xcb\x70\x0d\x34\x47\x2b\xac\x93\x01\x30\x53\x0f\x9d\x09\x44\x83\xfa\xf3\x11\x19\x4f\x9a\x96\x41\x92\x5c\xde\xe8\x88\x79\xd2\x18\xb3\xbe\xb8\x3d\xf4\xf3\x3f\x5c\xb1\x09\xca\xc0\xc7\x92\x6f\xf1\xeb\x49\x4e\xbf\xc5\x8f\x22\xe5\x13\xde\x37\x6d\x1e\xa9\x03\xe7\xaa\x65\xb8\xd1\x82\xe5\xe3\x82\x17\xe2\xd2\xc0\xb0\xcb\x39\x2d\x44\xad\x76\x84\xc2\x29\x96\x8e\x71\xa7\x61\xb9\x67\xe2\x5a\x28\x83\x92\x9e\x19\xbb\x5d\xfb\x05\x32\x18\x13\x9d\xc3\x04\xea\xee\xd9\xe1\x5d\xe1\xf0\xa9\xe6\xf0\x47\x61\xc7\x5f\x72\x99\xe6\xc0\xec\xcb\xf9\x3c\xc1\x01\xeb\x5b\x01\x7c\x2d\x97\x27\x3b\x22\x38\xd4\x48\x1c\xbb\x5d\x24\x4d\xb8\xf1\xb3\x29\xb8\x93\x05\x45\xea\xa4\xa3\x6d\x59\xc3\x7d\xdb\x37\xa6\x10\xde\x3a\x79\xdd\xd8\xa3\x1d\xeb\x0b\x1b\xbb\x31\xd0\x1e\xee\xb7\x8c\xf9\x5a\xcf\x3f\x27\x27\xb5\x3b\x62\x36\xb0\x7d\x49\x0d\x86\x31\x82\x97\xda\xd4\xf6\xb8\x01\x07\xa0\x31\x29\x9f\xb5\x2a\xc0\x61\x0d\xa5\xaf\x4b\x71\xa8\xa7\x1c\x48\x6e\xda\x6e\x77\xc3\x50\x22\x4a\x9e\x24\x65\x99\xd2\xf0\x17\x90\x79\x6a\x21\xc1\xc9\x0d\xfb\x6e\x64\xc4\x9d\x6f\xe4\xee\xeb\xe6\xd6\xb5\x19\x2b\x6e\x13\x0e\xea\xc6\x73\xc4\xcf\x46\x69\xc0\x46\xce\xc7\x38\x80\x79\xd1\x4b\x25\x99\x25\x28\xe2\x05\xa8\x66\x3d\x42\x9d\x8c\xea\x1f\xcc\xdd\x3e\x53\x8b\x97\xc6\x35\x56\x2f\x2e\x26\x95\x88\xaa\x14\xb9\x30\xa7\x40\x80\x76\x29\x8c\xc4\xde\xda\x70\xb3\xc2\x6c\x42\xc6\x70\x22\xc5\x9e\x26\xf0\xbc\x4a\xec\xc4\x3a\x95\x6a\xc6\x02\x30\xba\x1b\x06\x81\xb8\xdb\x4e\xfd\x0e\xf1\x33\xf0\x99\x56\x3d\x0f\x55\xb9\x19\xf6\x43\x77\x22\xc8\x6b\x4a\x5f\x92\x8a\x75\x6b\x45\xa8\x4f\x9c\x54\xdc\x2b\xdd\x79\xae\x9d\xa5\xa3\x9b\x59\x93\x05\x5b\xf7\x74\xb1\x29\xb4\x68\xfd\x38\x85\xa5\x44\x70\x52\x46\x0d\x71\xa6\x8c\xb9\x6d\xed\xbd\xc4\x88\x2e\x6f\x6a\x2b\x7f\x64\x26\x27\xf3\xe7\x78\x3a\xcc\xc8\xf2\x2d\x29\xac\x8a\x83\x78\x8e\x64\xab\xd6\x06\x19\xe2\xb1\x3c\x48\x3b\xb9\xf6\x44\x2c\xd0\xa6\x72\xdc\xa7\x19\x26\x2f\x2e\x8b\x52\xd5\x8e\xfc\xca\xbe\x63\x12\x0f\xa9\x55\xda\x00\x62\x98\x88\xb0\x98\x6a\xee\x35\x03\xf9\x4d\x69\x01\x15\x52\x8e\xa4\x14\xff\x93\xfc\xfc\x48\x7f\x4a\x3b\x02\x13\x79\x8f\x27\xce\x36\x2e\xcc\xfa\x77\x5c\x9f\x84\x11\x44\xae\x5f\xe9\xc7\xd9\x5b\x46\x57\xea\x10\x67\xf1\x2d\x1d\xee\x02\xf9\x11\x78\xb1\x13\xf7\x96\x20\x73\xa3\xc9\x8b\x91\xde\x9b\x47\x02\x3a\x22\x05\x92\x01\xbd\x49\x5e\x7e\x2e\x4d\x3b\x3d\xec\x65\xef\x29\xfe\x44\x2e\x27\x1f\x13\x87\x0b\x0a\xed\x81\x83\x52\xbc\x69\x1b\x5d\x39\x17\x56\x5b\xf8\xb6\x6a\xcb\x66\x58\x05\xd9\x37\xe6\x35\x87\x91\xed\x90\x60\xf2\x61\xca\x7e\x34\xf0\xe7\x28\x6c\xf7\x56\x3f\x57\x25\x4a\x05\xb3\xce\x5f\x17\x5d\x8b\xca\x32\x2c\xb3\x1b\xf8\xde\x32\xeb\x0e\xf6\x36\xda\x05\x5f\x3e\x9e\xee\x3b\x7e\x36\x06\x6f\xe1\x0c\x45\xc7\x74\x2c\x39\x73\x2c\xc7\x89\xaf\x38\xcb\x73\x7a\xa1\x78\x98\xd3\x1a\x20\xce\xba\x6a\x89\xc7\x88\x35\x19\xce\x21\x71\xc6\xe7\xb1\x9b\x34\x49\x4a\x58\x06\xf9\x9c\x26\xc5\xdf\x8f\xd6\x41\xa1\xbe\x5e\x66\x0c\xe8\x87\xa7\x8f\xb6\x91\xa1\x01\x6f\xdb\xf1\x07\xbc\x92\x99\x2a\x2b\x62\xdc\x34\x74\x31\x6d\xd2\x4f\x40\xff\xe6\x1b\xfa\x84\x8f\x97\x90\xe7\x25\xc0\xdf\x3f\xa6\xd0\x90\xfd\x38\x37\xe1\xa4\x6b\xf5\x8f\x3b\xee\xf4\xad\x77\x21\x95\x1a\x97\x79\x48\xb8\x6c\xed\xc0\x7a\x24\xb7\xf0\x4b\xe1\x4d\xf3\x6d\xff\x71\x53\x1a\xd7\x15\x32\x8d\x70\xa2\xff\xfb\x3b\x59\x43\x96\x19\x82\x6e\x0c\x26\x72\x9d\xa1\xaa\x66\xfb\x89\x2b\x94\x0f\x8b\xe7\xee\x4f\x22\x7b\x43\xfb\xb4\x30\x94\xc5\x08\x64\x47\xc8\xb4\xdd\x72\x66\xf0\x7b\xc7\x9c\x28\xa9\xb4\xb0\xb5\x11\x73\x9d\x68\x94\xc0\xf2\x04\x9f\x9b\x83\x57\xa2\x45\x1b\xc9\x64\x89\xc2\xfd\xb4\xc6\x3f\xe6\xa1\x51\xa1\x1c\x72\x30\x47\x4b\xf5\x1f\x4d\x04\xb1\x60\xa6\x5c\x22\x10\x4d\xfc\x29\x68\xa2\x3e\x42\x7b\xd9\x7c\x4d\x2c\x0a\x5b\x35\x9d\x59\xfb\x17\xb5\x51\xf8\x90\x5a\x4b\x6a\xca\xb2\x44\x4d\x66\x08\x2c\xf5\xc6\x48\x03\xf5\xaf\xdd\x46\xf0\x57\x35\xd1\x8b\x52\x07\xa9\x27\xef\x34\xcc\x76\xa8\xed\x38\x19\xc8\x69\x54\x1e\x06\xe5\x09\x50\xd5\x50\xc9\xb8\xf0\x34\xd4\xa3\x29\xa1\x35\xaf\xaa\x25\x7d\x3b\xf2\x5d\x36\xac\x7c\x7f\xf9\x85\x1a\xb9\xc3\x86\xc9\xb1\x6b\x7b\x11\x1c\xfb\xfc\x39\xf1\x9e\xc3\xb7\x1c\xe4\x35\x40\x36\xcf\xcf\xfe\x36\xc8\x7a\x8d\x65\x47\x00\x6a\xb4\x4f\x19\x32\x0a\x35\xdb\x00\x3a\x6c\xce\x51\xe5\x33\x8a\xfd\xea\xf6\xfb\x6a\xd3\xdb\x60\xba\xbb\x52\x1a\xd5\x6b\x08\x0e\x55\x64\x41\x3b\xe5\x96\x99\x4a\xfe\x9d\x45\x55\xf7\xb7\x53\x0c\x4f\xb1\xad\x9b\x55\x90\x0c\x76\xba\x40\x49\x71\xd8\xe2\x72\x6a\xc6\x48\x0e\xc1\xe1\xb5\x6f\x68\x60\x0e\x79\x0a\x32\x80\x6f\x10\xee\x80\x76\xff\xbb\xe6\x31\x30\xb7\x2a\xe2\x2f\x0a\x79\x9a\x56\x58\xf2\x72\xfa\xed\x77\x0f\x1c\x72\xe4\xb6\xc3\x2f\xa1\x9b\x6b\x9e\xc2\x8c\xec\x7b\xfb\x3b\x08\x69\xe7\xf4\x7b\xb3\x2b\x63\x1d\x44\x0b\xb1\x50\x4e\x92\x7f\xbf\x0a\x75\x29\x59\xc4\xa6\x33\x45\x9b\xd2\xd3\x49\x26\xad\xa2\x2b\x97\x71\x6a\xdc\x61\x47\x0e\xda\x3a\x96\x8b\x89\x89\x82\xd8\x96\xe7\x7d\xa4\x7a\xf7\xd4\x89\x72\x8a\xde\x39\x50\x57\x53\x89\xaf\x48\x83\xb2\x1f\x53\xe9\xf4\x9d\x4b\x4f\xec\x3c\x56\xb9\x5f\xae\x00\x27\x1b\x01\xfd\x3a\xda\xc9\x79\xba\xca\x1f\x9c\x3b\xd6\xf0\x78\x42\x47\x20\xf7\x47\x59\x1e\xa8\xdc\x70\x94\xc6\x08\xb1\x47\x6d\x1e\x10\x51\xa5\x5b\xb1\xe5\x94\x10\xef\x9d\x8c\x29\xf0\x0a\x6a\x4d\x9b\x31\x03\xa8\xd2\xaa\x08\x7e\x91\x11\x6f\xb3\x63\x97\x58\xad\x6f\x93\xed\x07\x06\xbf\x99\x3e\xce\x70\xe8\xed\x75\xbe\xa2\x89\x70\x85\x9c\x72\x56\xf9\x72\xaf\x86\x2b\x45\xb4\x2b\xe1\x59\x57\xe2\x18\xfa\x65\x42\x4a\xaf\x13\xc2\xa8\x47\xce\x1d\x40\xda\xb5\x2e\xe7\x57\x66\x92\x45\x14\x0c\x43\x46\xc5\x81\xf2\xe9\xab\x2e\x72\xb6\x44\x28\x23\x72\x50\xe1\x42\x93\x51\x78\x45\x56\x8d\x20\xed\xb8\xb1\x03\x10\x6c\x48\x26\x62\x1b\x6b\xb0\x75\x6c\x1f\xac\xd8\x59\x50\x9f\x93\x31\xd0\xa1\xaa\xde\xe7\xad\xf1\x34\xd4\x63\x30\x98\x11\x22\x0e\x9b\xdd\xf1\xdc\x63\x02\xad\x89\xab\xab\x68\xe3\x2f\xd5\xf7\xc2\x7c\xa0\xb2\x17\xd8\xc2\xec\x34\x2a\x26\x05\xfe\x54\xee\xd4\x32\x1b\x34\xea\xf5\x4f\x8c\x21\x62\xd3\xbf\x5d\x7a\xce\x24\x29\xfb\xeb\x4c\xa1\x87\x06\x50\x26\xaa\x81\x4a\x98\x33\xb6\xee\x94\x3d\x1d\x33\x7d\xe2\xd9\xec\xda\xab\x2c\xf4\x63\x4c\x16\xa9\x15\xe6\xa9\x64\x8b\x36\x8d\x8d\xf8\xd6\xd2\xde\x47\x72\x11\x21\x4b\x3e\x8c\x29\x1f\x16\xed\x30\xea\x38\xff\x58\x1b\x81\x89\x9c\xd1\xc4\xa7\x4b\xb3\x38\xa6\x32\x20\x03\xc9\xfc\xbf\x16\xa0\xac\xf0\xc6\x7b\x97\xd8\x5d\x55\xa6\xb8\x1f\xb7\x53\x6d\x43\x4a\x0e\x49\x99\x29\xe0\xda\x0a\xe3\x18\x18\xda\x52\xcc\x25\x24\x18\x80\x26\x21\xcf\x28\xee\x5c\xd5\x55\xf1\x3d\x4a\x0f\x6c\x41\x60\xb9\x70\x16\x80\x9b\xa7\x5f\x30\x50\xc2\xef\x1d\x3f\x90\x04\x5e\x97\xf4\xea\x5d\x03\x73\x9a\x8c\x5a\xb3\x49\x2f\x5d\xd5\xb1\x67\xd8\xf5\x29\x49\x61\xf9\x42\x84\x7d\x95\x50\xf1\x1f\x73\xa8\xff\x1b\x8b\x28\x8d\x27\xa0\xfb\x75\x9d\x86\x54\x46\x91\xf9\xee\x3f\x9e\xe4\x8d\x0e\x57\x3f\x21\xcc\xef\x46\x10\x30\x28\x71\xc7\xae\xc5\x59\xad\xe8\x95\x11\xdd\x90\x75\x80\xf8\xf0\xd1\x19\xb8\x27\x4f\x65\x2f\x5e\x4c\x8a\x8d\x32\xf3\x0f\x24\x43\xeb\xf4\xd9\xbc\x12\x48\x61\x88\xc5\xaf\x74\xf9\x8d\x31\x54\x95\x38\x9f\x10\x30\xd4\x5d\xe4\x21\x9c\xaa\xea\xb0\x35\xbd\x51\x1a\xfe\xa1\x8c\x84\x48\xbf\x80\x54\xde\xbe\x9c\x74\x7e\x60\x43\x1d\x66\x01\x5c\x62\x57\x8a\x00\xdb\xdf\xc0\x6a\x5d\xd5\x27\xe3\x14\x13\xe8\xdf\x00\x42\x0c\x33\x2b\xb4\x16\xdb\x84\x20\x0c\xb7\xe1\x47\x08\xa1\x37\xb7\x54\x90\xd9\x5f\xfd\x69\x3c\x9b\xd2\x15\xcf\x71\xc3\xf8\xe2\xd1\xaa\xab\xff\x3d\xd6\x3c\xc2\x28\x0a\xb6\xea\x46\xa0\x39\x0e\x75\x35\x63\x50\x59\xd1\x28\xb5\xa9\x2f\x68\x67\x3a\x05\x8d\x96\x33\x03\xe7\xe5\x79\xcc\x16\x61\x9d\x78\xc6\xdb\x79\xe8\x26\x21\x52\x5a\xef\x9a\x8a\xf3\x0d\xf9\x11\x2c\xe2\xb6\x8d\x56\x8c\x39\xa8\x13\x8e\xbe\x5d\x0c\x3c\x26\x38\x02\x09\x5c\x3c\x4f\xe2\xa9\xba\x48\xd9\x7f\x6d\xf3\x11\x26\xb6\x4a\xbd\xb3\x7c\xf8\x06\xb4\x10\xaa\x9f\x32\xc8\xf2\x0a\xb1\x37\xe1\x2d\xa9\x9f\x8f\x06\x96\x07\x22\x4a\xc1\xcc\xf6\x10\xe3\x62\x12\x45\xf7\xcf\x01\x7f\x8b\xb1\xf5\xde\x00\xbe\xdd\x6a\x66\x81\x1b\x28\x6a\x87\x0a\x89\xc1\x13\x08\xa3\x5d\xfc\x58\xba\x24\x5e\x93\xc1\xd3\xa5\xff\x01\x0f\x8d\xe2\xaa\x44\x6a\x90\xd1\x53\xb3\xe6\xf8\xd0\x72\x5d\xab\x1e\xe4\x35\xba\xb2\x6a\x08\x42\xc5\x72\xd3\x88\xe2\xb6\x26\x57\xc1\x33\xe5\xca\x2d\x47\xfe\xc6\x55\x61\xab\x2a\x71\xc6\xd7\xfb\xdd\x24\xdb\xf0\x50\xf6\x88\x9d\x83\x22\x70\x94\x17\x80\x96\x99\x6d\x85\x66\x25\xdd\xcd\xbc\x23\x6c\x0b\x5e\xd2\x8e\x7c\xf7\x18\xb4\xf8\x05\x89\xd3\xde\xcc\xee\x9e\x70\x54\x36\xdd\xe6\x45\x5d\x8f\x0b\xea\x6f\xc4\xc3\x54\x4d\xf5\x5d\xfd\xa6\xd5\x2d\xeb\x92\x1c\x0b\xcd\x96\xf8\xa0\xc5\xdd\x8c\xe9\xd3\x8c\x00\x83\x7a\x56\x28\xa3\xb2\x52\x97\xcd\x3b\xaa\x14\x90\x54\x5b\x5c\xcb\x87\x1c\x36\xac\x1a\xac\x4c\x70\xb0\x5a\xa4\x59\x73\x4a\xa5\x23\xec\xf9\x47\x6d\x90\xe7\x19\xba\xa1\xe0\x3d\xe3\x49\x2c\x3b\xd1\x0e\xe0\x29\x0a\x6c\xba\xda\x72\x96\xb2\x6f\x46\x3b\xcb\x05\x1b\x53\xf0\x8e\x9a\x80\xc4\x71\x57\xcb\x49\xb7\xde\xd5\x02\x11\x21\xc0\x43\x15\xfe\xa9\xd4\x80\x0d\xd2\xd6\x23\xc9\x12\x34\xf9\xce\xc3\xa7\x87\xbc\x28\xf2\x73\xb0\x29\xcb\x66\xd5\xa0\x5d\x54\x63\x11\x61\x38\xfb\xc8\x75\x79\xa7\x1e\x0d\xbb\x29\x70\x38\x67\xfa\x8b\x69\x21\xb6\xfe\x65\xa7\xd1\x96\xe5\x14\xd8\xa8\xc2\x1e\xa8\x56\x66\xda\x05\xb7\x2c\x0b\x3d\xac\x14\x4f\xe9\x04\xd8\x18\x43\x1b\x5d\xc7\xa9\x0c\xc3\xe2\x52\x66\x7d\xe0\x4b\xc6\x1a\x19\xdc\xa5\x65\xf5\xa5\xc1\xf4\x21\x6c\x69\xcb\xb5\x9c\x71\xdb\x52\xe2\x8d\x85\xc1\x37\xd2\xc4\x86\x62\xd3\x18\x13\x04\x1b\x60\x65\x31\x39\xbd\xe9\xd2\xb5\xc4\x72\x68\x5b\xef\x17\x7c\x2f\xa2\xbd\x82\x56\xb3\x2a\xfd\x59\x8e\x4f\x82\x52\xc5\x7c\xd0\xc4\xea\x6f\x7d\xf7\x76\x31\xec\xf0\x0b\x0b\x6f\xae\x05\x82\xb3\xaf\x17\xa5\x77\xba\x6f\xda\xdb\x8c\x22\x74\xb6\x3c\x3a\x5c\xec\x2c\xf0\xf3\x02\xdf\xdc\xae\xb2\xa3\x8e\x32\x57\x37\x99\x80\x3b\x73\x68\x6f\x45\xab\x88\x5f\x43\xdf\x45\x61\x62\x4c\x34\x7a\xb1\x11\x55\x91\xae\xc4\x23\xb0\x9b\xfd\x69\x46\x17\x23\xde\x7b\x10\xf9\x18\x9d\xfe\xc9\xf0\xb2\xd3\xb6\x6c\xf8\xb1\xae\x59\xdb\x79\xfc\x26\x11\xa6\x55\x61\x65\xc3\xfd\xd1\x1e\x43\x80\x81\xf2\xe7\x47\x3d\x3c\x16\xae\x56\x76\x19\xe5\x8e\x4e\x4d\x24\x33\x74\x9b\x90\xee\xae\xe1\xf4\xe5\xf9\xe2\xac\xc3\x7c\x67\xbd\x22\xdd\x92\xb8\x56\xeb\xab\xf0\x4b\x09\x4b\x8a\x87\xd3\x86\xe4\x44\x46\xbd\x32\xcd\x75\xb6\xdc\x35\x24\x69\x90\x7d\xd3\x9a\xe2\xbd\x9c\x5f\x96\x5c\x3f\x17\xaf\x0b\x77\x85\xa5\xea\xf4\xfe\x48\x5d\x4c\x31\x16\xae\x77\xa7\x4a\xb1\x65\xea\xf4\xce\x8f\xd8\x63\x4a\xdf\xf3\x90\xbe\xe9\x1b\x5b\x30\x17\xea\x83\xc1\xb2\xff\xd7\xd0\x4d\xd0\xc4\xdb\x62\x5d\x6c\x4f\x99\xca\xdb\x2f\xc1\xdf\x1d\xf8\x77\xa6\xc5\xee\x05\x64\x33\x49\x4b\xcc\x7d\xf9\x2f\x02\x39\xaf\xa2\xfe\x75\xff\x14\x1b\x2e\x74\x97\x5f\xb8\x0c\xf9\x57\xc5\x17\x37\x50\x59\xa6\xa0\x95\xd4\xb8\xa9\x17\xb7\x1d\x52\x0a\x36\x03\x66\x2d\xde\x20\xde\x7c\x73\x97\x94\xb6\xcc\xdd\x18\xfd\x54\xc0\x5c\xcc\x81\x44\x71\x89\x9c\x4d\x62\x14\xd8\x80\x5b\xef\x7b\xa4\xa4\xde\x0e\x02\xe5\x67\x5d\x5f\x80\x65\xcc\xb2\x24\x2d\x51\xeb\xa5\xcf\xe8\xef\x3c\xd7\x0b\x53\x2f\x9a\x0b\xc2\x2d\x9b\x64\x19\x3c\x79\xb6\xce\x46\x88\x90\xe6\xfc\x7f\x69\xae\x0c\xbd\x8e\x3a\x42\xae\x06\xfd\xa9\x8b\xfc\x7e\x04\x17\x16\x95\x9e\x5a\xee\x95\x11\x46\x43\xa3\x08\xc4\x33\xe4\x02\x91\xc5\x32\xff\xfe\xa7\xc8\x8d\xe8\xe5\x36\x11\x9a\xda\x3c\x52\x89\xc9\xc5\x7d\x1d\x47\xfa\x06\x26\xbe\xf3\x27\xfa\x8c\x19\x56\x76\x06\x64\xf9\x6a\x38\x53\x8a\x81\x88\x37\xe9\xc8\xa6\x6a\xcf\xa4\x2e\x01\xd5\x9f\xe3\x9a\x9c\x72\x61\xa7\x7d\xff\x5a\xc5\x09\x20\x5a\x25\xf7\xc7\xd5\x6b\x27\x5f\x65\x10\x7c\x3a\x4f\xd2\x6e\x8e\xdc\x67\x7e\xb9\xa4\xc9\x20\x80\x51\xe5\x21\xfb\x7c\x93\x2b\xdf\x60\xfd\x69\xd1\x0c\x92\xf9\xbe\x09\x2b\xd6\xee\xc6\x8d\x05\x97\x2f\x82\x00\x58\xc5\x31\xd1\x20\x68\xe4\x97\x5c\xcb\x0d\x4f\x03\xf8\x89\x37\xdc\x17\x89\x98\xa7\xd6\x8d\x43\x30\x79\xf5\x1d\xa4\x23\x9a\x5f\x5f\xd4\xa5\x63\xfe\x6a\x73\x82\x45\xfb\xca\x5e\x6b\x0b\xd8\x8a\xbb\xd6\xeb\x9f\xd8\x09\x31\x03\x6b\x02\x34\xcf\x66\x7a\x53\x40\xec\x16\x67\xc5\x78\x2d\xe6\x75\xab\x47\x86\x20\x18\xd9\x4a\xe8\xb7\xde\x93\x20\xd3\x81\xcb\x84\x3b\x1a\x88\x5d\xda\xf3\x1c\x35\x76\xf2\xce\xbb\x6a\xb9\x57\x6c\x33\x4d\x3d\x40\x1f\xa6\x16\x32\xdb\xa1\xe6\xcc\xec\x91\x5c\x45\x00\xf8\x6a\xc2\x89\xa1\xde\x65\x49\xf7\xea\x27\x6f\x9f\xf9\x00\x89\x68\xab\x31\xa7\xa6\x48\xec\xd6\xf3\x6e\xd1\x85\xaf\xb3\xe9\xb3\x4c\x92\x28\xe2\xd7\x26\x94\x4c\x33\x22\x7a\x9e\x3d\x77\xe4\xd5\xbe\x8b\xd8\x50\xf3\x10\xdd\xa0\xfb\xc3\x0a\xff\x3f\x5b\xf2\xf1\xea\x3e\xed\x0c\xe2\xff\x15\xa7\xc3\x13\xcd\x87\xa7\x9a\xdd\x3e\x29\x0c\x2e\xcd\x76\x4c\x45\x55\x20\xd5\x81\xe3\xaf\x9e\xbe\x2c\x56\xd1\xde\xef\xaf\xa8\x73\x1b\xfb\x49\x06\xb7\x4d\x13\xf2\x71\x20\x48\xb4\x1a\x51\x58\xcf\x3c\xdb\x81\x5c\xd8\xd6\x3c\x90\x12\x46\x86\xdf\xb5\x67\x34\x83\x4e\x15\x53\x4f\x2b\x8b\x7e\xe2\xb2\x24\xea\xf7\x95\x15\x02\x1d\xe3\x15\x61\x91\x67\x7c\xa7\xfb\x47\x67\x42\x92\xf4\xed\xed\x88\x7f\x3a\x63\xba\xaf\x56\x4e\x35\x8e\xe2\xdf\xdf\x12\x73\xb3\x73\xc3\xaa\xb4\x99\xf4\xbc\x54\x8e\xde\x75\x12\xb5\xe2\x2c\xbe\xd7\x61\x8b\x23\xbc\x64\xb4\x6c\x8e\x6f\xba\x9b\xfe\xaa\x96\x3b\x33\x5d\xe5\x8d\x0d\x8b\x66\x32\x4b\xa8\xf5\x92\x52\x9d\x12\x09\x4d\x22\x66\x81\x92\x96\xd3\x95\xe7\xb3\xb0\xb2\xe7\x15\xe7\xed\x73\xfa\x8e\x2a\x1e\x15\x11\x59\xed\x41\xec\xf7\x54\xf7\x3c\xf8\x21\x68\xdf\x08\x14\xaa\x0c\x6f\xd8\xb9\x98\x8d\x20\x8f\x66\xba\xdb\xb9\x0a\x54\xb7\xa9\xb3\x11\x83\x9c\xd6\xcb\xbf\x09\x28\x01\x37\x67\x7a\x98\x4d\xdf\x87\x95\x1a\x47\x13\xcd\xf7\xf4\x94\xfb\x54\xe5\x37\xd8\xf1\x62\x8d\x79\x4e\xef\x29\xed\x26\xe3\x13\x21\xac\x41\xb9\x37\x3d\xc1\xcd\x85\xe4\x82\xd7\xe7\xbd\x56\xba\xef\xbd\xa3\xe2\x05\xc2\xd4\x85\x51\x26\xda\xbd\x2e\x24\x44\x62\x14\xa6\x33\xeb\x31\x1c\xc4\x87\xb8\x63\xf1\x11\x59\x63\xa4\x21\xaf\xa6\x1a\xe4\x88\x32\xeb\xed\x5e\xae\xcd\xae\x72\xd2\x7d\xe0\xce\x76\x17\x36\xe1\xa7\x1b\xcc\xfd\x36\x1c\x2c\x9d\xfc\xe6\x19\x60\x9e\xbc\xa1\xa0\xd4\xd8\x63\x75\x46\x89\x1d\xf3\x8f\x25\x97\xea\xa1\x00\x7d\xb2\xd3\xf2\x0e\xf9\xa6\x56\x0c\x71\x63\xed\x1a\xe4\xb5\x5d\xea\x61\xc3\x1f\xbf\xd2\x88\x84\x60\x50\x6d\xbb\x7a\xf2\x6c\x17\x8c\xca\x34\xea\xd9\xde\x4f\x0b\x71\xa0\xf2\x16\xdf\x95\x8f\xe4\xf3\x85\xe2\xc5\x90\x8a\x5a\x55\xfd\xc0\x32\x2e\x2d\x97\x93\xf8\x8f\xb6\xad\x76\x6f\xfe\x8e\x17\xb6\x44\x96\x4b\x27\x49\xe5\x64\xab\xfe\x28\x69\x24\x16\xc6\x61\xa8\xce\x57\x0b\xaf\x46\x4d\x47\xa0\xf1\x28\x88\x88\x94\x9e\xe8\x0b\x4a\x62\x60\xd0\xc6\xb4\xf7\x54\x7f\xe0\x1d\xdc\x10\xda\xda\xed\x67\xf3\x9b\xe2\xa7\xa6\xf1\x21\xcf\xcc\xe4\x90\x29\xbc\xca\x23\xf7\xe4\x98\x54\x11\xb8\x16\xfb\x9b\x6b\xce\xab\x0c\xd1\x35\xcf\x71\xa7\xeb\x10\xc9\x71\x46\xb3\xf3\x42\xaa\xba\xfa\xac\x9c\x2c\x69\x0d\xcd\xfa\x46\xfc\x4d\x28\x86\x23\xce\x1d\x13\x85\xdd\xed\x99\x71\x5f\x35\x1f\x39\xb5\x8e\x0a\x75\x61\xce\x85\xda\x8e\x85\xee\xd6\xca\x8d\x4e\xeb\x9a\xa2\xbc\xb7\xcc\x77\x71\x6c\xaf\x84\x39\x3b\x3a\xcb\xb6\xfb\xd9\x3d\x5e\x26\x6f\x62\xd2\x34\x6d\x58\x86\xc3\xc5\x8e\xbd\x6f\x71\xda\x40\xe1\xe6\x77\xbe\xef\x21\x5b\x19\xa9\xdf\xe5\x2e\x08\x62\xd0\x6f\x28\x7c\x72\x40\xb4\x70\x95\x4c\xc0\x05\x71\xdc\x40\xc2\xd6\xfe\x95\x82\x91\xcd\x26\xfc\x28\xea\x60\x13\x95\x8d\x00\xb0\xa7\xf0\x19\x10\x33\xb2\x44\xa9\xcd\x14\x6b\xbe\x14\x49\x2e\x47\x99\xe9\xa2\x0a\x27\x69\xf0\x96\x91\x51\x55\x59\x4a\x63\xe3\xa5\x37\x43\xb0\x6e\x44\x72\x3d\x7f\x40\xf4\x56\x47\x31\x4a\x7b\xa9\x59\x20\x1d\x2a\x1d\x6b\x45\xf6\x5a\x49\x39\x83\x38\xaf\xc8\x20\xc7\x65\xad\x7f\xb7\x59\xa4\xa8\x40\x88\xe0\xca\xbe\x22\x09\xf7\xfc\x39\xe5\xe5\xdc\x17\x72\x13\xfb\xc1\x2c\x8f\x1f\xa8\x28\x40\x1b\x10\xe3\x94\x89\x6a\x80\x95\x76\xec\x11\x8a\xd7\x15\x04\x8c\x7f\x2f\x5a\x33\x17\xdb\xd2\xb2\x5d\x75\x95\xf6\xa1\xa1\x33\x1f\x97\x8d\x31\x3f\x64\x92\xbf\x81\xe7\xb7\x86\x8e\xd9\x84\xc4\x00\x71\xd2\x08\x54\x03\xa8\x3b\x98\x94\x81\x61\x49\xc6\x1b\xaf\xdb\x55\x3c\x31\x30\x3d\xf5\xcd\x1e\x6a\x0e\x28\xd8\x1a\x10\xd9\x43\x09\x46\xb3\x29\x72\x51\x22\xb1\x5a\x45\xf8\xff\xcc\xc5\xb6\x66\x32\xef\x9b\x3e\x62\x91\xb8\x80\x7d\x7c\x2e\xcf\x36\x1f\x9c\x33\xb2\x2e\xc1\xb4\xe9\xb1\xc1\x5d\x5b\x7f\x69\xd7\xe6\x3a\xfe\x29\xa9\x18\x02\xaf\x6c\x5b\x40\xc6\x09\x19\x70\x63\xce\xa2\xd2\xeb\x67\x92\x44\xad\xcd\x98\x1b\x71\x9f\xb9\x91\x23\x1a\x18\x10\x2b\xf4\xf3\xc3\x1d\x3a\xf4\xbe\x37\x56\x8b\x8e\x82\xc3\x3c\xa8\xe4\x38\xd9\xdc\x07\x6f\xe1\x7f\xf2\x1b\x9f\x92\x4c\x8d\x8a\x60\x65\x29\x41\x04\x6f\x08\x5d\x86\x1d\x33\x8d\x37\x6f\xba\xe9\x1f\x85\x46\x0c\x1b\x13\xe3\x8b\xfc\x5b\x72\xcf\x19\xed\x32\xd3\x4b\xf8\x5b\x2c\x13\x2c\x23\xc4\xc2\x51\x67\xbe\x36\x53\x68\xee\x0c\xb3\x81\x8a\x85\x6d\x51\x40\xde\x04\xf9\xae\x44\x5a\xbc\x2a\x3a\x96\xc2\x30\x23\xbe\xc3\x2b\x22\xe3\xb3\xee\xd7\x0c\x25\xaf\x8c\x1b\xc5\xfd\xd6\x73\x1f\xe4\xbf\x7d\x56\xa8\x1a\x3f\x22\x6a\x0e\x94\x42\x2d\xa5\xca\x31\xa6\xf3\x89\xf7\xf3\xc1\xbc\x3f\x87\x05\xde\x1d\xc0\xf6\x56\x55\x2a\xf4\x68\x4f\x3e\xc2\x35\xd5\x26\xcb\x64\xf1\x9a\x5a\x91\xe8\xa2\x91\x47\xe3\xf7\xe1\x31\x10\x7a\x13\x03\x5b\x36\x5a\x0d\x40\x18\xd0\xba\x85\x5d\xa9\x0b\x7f\xc0\x01\xfa\x12\xd6\x2a\x43\x52\x2f\x1c\x45\xa9\x3e\xde\x4c\x10\x84\xdb\xb1\x01\x9e\xbd\x46\x4b\x33\xc7\x88\xf1\x24\x68\x3f\x99\xa8\x66\x50\x26\xf5\xd8\x7b\xae\x95\x4e\xee\xc7\x68\x4c\x63\x1d\xe3\x88\x26\xaf\xcd\xe6\x1f\xc3\xf2\x38\x2e\x60\x7a\x78\xa5\x83\x07\x57\x61\xf5\xdd\xf4\x12\x33\xa7\x27\xa1\x5f\x75\x83\x1e\x72\x06\xb3\xb2\xe8\xab\xc0\x3a\x8e\xa7\xa3\x43\x70\x91\xc5\x59\x38\xbf\x16\xe5\x43\x5f\x48\x3f\xd9\xa3\x4e\xd8\x79\xdf\x65\x20\x09\xfc\xfc\x3b\xa6\x0a\x28\x7b\x2d\xf7\x7f\xe1\x36\xdc\x6d\x1c\x9d\xc2\x4b\xef\xf5\x6e\x88\x8e\x54\x97\xfb\x91\xa7\x33\xd5\x8b\xca\x73\x95\x21\xf7\xf1\xaf\xa4\xf9\x4a\xc1\xea\x3b\xc8\xd2\xcc\xe1\x68\x9e\xb3\xa3\x9b\x9b\xb8\x1f\x96\xe9\xac\x19\x64\x6c\x58\xa4\xeb\x72\xd4\x7f\x65\x3b\x4a\x28\xb4\xc2\xb4\x34\x09\x47\x22\x6f\x08\x54\xc4\x5f\x76\x6c\x1a\xe6\x5d\x63\x00\x71\xac\xf0\x4b\x89\x9d\x14\x67\xb4\x60\x57\xc3\x35\x76\x9c\x4d\xd2\x30\x77\xfa\x6b\x08\xa7\xcd\x44\xcb\x3f\xad\xaf\xfa\xd3\x34\xf0\x30\x09\x81\x58\xdf\x1e\xc8\x9d\xd7\x7f\x36\xa9\x5a\xb5\x8c\x08\x0f\x86\x01\xd9\x39\xbb\x2e\x14\x3e\xca\xe4\x78\xc0\xae\x46\xa7\x97\xe8\x81\x21\x84\x4d\x81\x29\x6d\x09\x42\x1f\x25\xe2\x7a\xbb\x3e\x35\x7f\xed\x43\xa4\x73\x3e\x33\xdd\x21\xd9\x0a\xb4\xaf\x3f\x77\xb3\x41\xc3\x5e\xa8\xd7\x22\x2f\x49\xdc\x24\xe9\x2e\xe2\x6f\x28\xb2\x12\x7f\xcc\xbf\xdd\x63\xe1\xfe\x24\x15\x90\x10\xa2\x3c\x88\x52\x92\xb5\x5c\x4b\x61\xa7\xa9\x06\x66\x64\x55\x59\x82\xe6\x57\x74\x4f\xe4\x28\x6c\xe5\xa1\x83\xea\x22\xcc\x46\x27\x21\xbf\x9e\x61\xfc\x78\xd5\xf2\xc8\x14\x04\x13\x31\xf0\x9a\x01\xa9\x58\xe2\xb6\x4c\x5a\x08\x26\xa5\x53\xa8\xb9\x94\xd6\x6d\xbe\x89\xfa\xa6\x40\x3b\xbe\x70\xad\xb3\x82\x3a\x1b\x55\x27\x6f\x08\x9b\x4b\x38\x57\xf0\xa4\xdb\x9e\x89\x15\xba\x0f\xea\x98\xb8\x81\x17\x75\xca\x4b\x95\x08\x89\x4d\xd7\x8d\x80\xa2\x0a\x9a\x9f\x89\x05\x4b\xab\xb1\xfa\xe3\x04\x50\x9c\x15\x84\xd4\x44\xa8\xae\xd1\xf5\x42\x6c\x78\x01\x0c\x8e\x8e\x9a\xd1\x7b\x89\x4f\xa5\xe3\xb8\xd6\xcf\x8a\x9a\x23\x1f\xd5\x96\x70\x94\xc7\x8c\x7b\x88\xf8\xc7\x04\x0b\x09\x84\xdf\xe8\x78\xbb\x29\x58\xca\x39\x91\xed\x8e\xff\xcc\xe2\x34\x8b\xc6\xab\x93\x75\xe0\xf8\xc1\x95\x43\x62\xcb\x3e\x69\x7a\xe0\x1c\xab\xb0\x66\x55\x81\x2c\xea\xb2\xea\xc9\x38\x3e\x04\xef\xc1\xd6\x0b\xec\x2f\x18\x8f\xae\xcf\x37\x3a\xe8\x12\xae\xda\x6e\x7c\xfb\x74\x07\xf3\x22\xc1\x33\x35\x89\x33\x4b\xcd\x72\x04\xee\x02\xad\x89\x67\x8f\xc2\x99\x71\x7c\xc1\x31\x7e\xb5\x31\x12\xd9\x51\x59\xc3\x8d\x92\xd0\x1a\x13\xbe\xee\x3e\x3c\xe6\x4a\x95\x00\xe6\x94\xd2\x53\xb7\x57\x5d\x37\xd2\xed\x59\x96\x80\x9b\x02\xc1\xc4\xa4\x85\xd4\xc0\xda\x6e\x84\x5e\xca\x35\x55\x93\xcf\x18\x46\x27\xdd\xfb\xa4\xdf\x25\x19\xbe\xed\x80\xc2\xc7\x3f\x89\xc8\x11\xa4\x46\xd3\x2f\xe2\x2f\xd5\x73\x3a\xc7\x7c\x87\x0f\x9c\x1e\x03\x73\x4b\xc4\x43\x16\xd1\xa3\x90\x76\x4c\x4f\xfd\x4f\x10\x68\x11\xcf\x57\xc9\xf6\x57\x8d\x87\x34\xd5\xf4\x9d\x91\x3c\xfb\xf2\xa8\x3b\x24\x83\x54\x1e\x6f\x91\x36\xd6\xbf\x7b\xae\xe8\x77\x02\xe4\xb1\xcb\xba\xf7\xdf\x3f\xf6\xa7\x3e\xff\x01\x3c\x28\x90\x08\xd2\xaf\x88\x16\xc3\x57\x7e\x84\x09\x59\x0a\xde\xe6\xa1\x74\x60\x0a\xa5\x16\x65\x96\xb4\xf6\x8d\x61\x43\x6b\x85\xc5\x49\xe2\x03\xcc\xde\xd5\x65\x48\x86\x2c\x5f\xc4\xf3\x82\x59\x27\xd6\x3a\x18\x31\x4f\x8d\x2f\xb1\x1e\x67\xf5\x45\x34\x0c\xbe\xf8\x24\x7f\x73\x73\xc2\x02\x8b\xb4\x05\x2b\xb4\xf7\x98\x04\x98\x47\x2d\x38\xaf\xb1\xe0\x0d\x60\xa8\x00\x96\xcd\xf0\x05\x92\x6c\xb1\x85\x60\x81\x0a\xe5\x76\x66\x7d\xaf\xc0\x67\x8d\x72\xe2\x39\x2e\x1e\x02\x63\x35\xf7\x83\x05\x68\x85\x57\x60\x70\xf0\xb3\x6a\x8c\x34\x41\x39\x22\x5f\x53\x32\xfc\x49\xc1\xe4\x58\xde\xa3\x66\xff\xeb\x2c\xf1\x2d\xe9\x67\xb5\x56\xa1\x38\x80\xca\x41\x14\x0d\x7e\x79\xfb\x56\x41\xf6\x44\x91\xc8\x79\x33\x19\xa2\x62\x7f\xa4\x40\x0a\x42\x0e\x90\xfa\x69\xa1\x59\x4c\xb6\x47\x49\x07\xc9\xa4\xac\xf6\x22\xf9\xf0\xc4\xb7\xc5\xa0\xee\xc0\x93\xb6\x71\x5e\xdd\x0c\x97\xb2\xd9\xa7\x56\x06\x01\x21\x8e\x77\x78\x4c\x97\xdd\xb1\xa4\x57\xd1\xf6\xbf\x85\x1f\x3b\xf2\x62\x3d\x2f\x0b\x1f\xf7\xc1\xe4\xb8\x5d\xba\x90\x0a\x37\x9d\x58\x46\xe7\x83\x96\x4a\x08\xb0\x16\xaf\x92\xcf\xe5\x9b\xfd\x26\xc3\x1d\x85\x93\x9f\x60\xd3\xd6\x6f\xfa\xb1\x8b\xaf\x13\xea\x47\x86\x71\x0b\x00\xbe\x25\xaf\x31\x4d\xef\x3c\xc0\x99\x61\x96\xba\x40\x35\x3d\x0c\x47\x70\x2d\x03\x3d\x46\x61\x58\xcd\x17\x73\xdd\xef\x96\x5d\xb9\xdf\x67\xfe\x1c\xf8\xb1\xdb\x86\xc3\xe2\x4a\x71\x34\x02\xba\x7d\x79\x19\x79\xb4\x6d\xca\x1a\xc2\xdf\xeb\xc3\x0f\x1a\x43\xa0\xfc\x30\x81\xe8\xaa\x7c\x00\x04\x08\x3a\x4b\x03\x2c\x35\x3e\x70\x2a\x94\x7c\x80\x1a\x65\x79\x89\x6c\x8a\x8f\xc5\x5e\xdf\x38\xd8\x18\x31\xc7\x03\xd0\xc8\x2d\xeb\xe5\x98\xc0\xbd\x2f\x99\xde\x66\x50\x21\x06\x34\x16\x36\xca\x9e\xbc\x1a\x3e\x0b\x03\x98\x51\xca\xee\xce\x0b\xc9\x6c\x9e\x3e\xef\x1c\xb3\x03\xf4\x54\xe4\x6e\x30\xe6\x50\x01\x7c\xfc\x20\x2d\x53\x69\xd2\x3c\x6a\x4b\x85\xeb\x3a\x66\x4e\x2b\x95\xcb\x71\xb2\x0e\x31\x11\x3d\x83\xd1\x30\x1c\xe5\x27\xc4\x0a\x39\x48\x5a\xdd\x09\xfb\x4b\x49\x87\x45\x58\x70\x09\xd4\x52\xa5\xb0\x9b\xc3\x57\x2d\xb3\xbf\x3b\x28\x5a\xb9\x78\xeb\xaf\x4a\x3a\xf0\x73\x32\x3f\x59\x92\xbb\x63\x0b\xf4\xfb\xcc\xd1\xc1\x8e\xd5\x54\x4c\x55\xb3\xd1\xa3\xe2\x6e\x05\xdb\x7c\x7e\x60\xa5\x70\x17\x0c\xd0\xef\x9f\x77\xa4\x74\x2c\x6e\x2c\x08\xf3\xf2\xf8\xcd\x66\xdd\x5a\xe6\x0b\x19\xb5\xfe\xfb\xd7\x2d\x5e\x57\x14\x9c\x76\x0b\x74\xac\x80\x5e\x57\x4d\x8f\xf1\x2a\x8c\x12\xce\xbc\x72\xe1\x3c\x0e\xbe\x3f\x39\x38\x0a\x93\xf2\x9b\xc7\xfb\x5e\x28\x94\x8f\x9e\xe2\xac\x05\x6f\xb4\xc0\x37\x8f\x9d\x41\x51\x73\xf9\x61\xbb\x79\x1a\xb5\xdd\xfd\xd2\xed\x71\x68\x02\x87\x66\x98\xc7\xa9\x55\x3a\x5f\xce\x4b\xf1\x61\x0e\xad\x50\xb1\x99\xe0\x2c\xcb\xd2\x6e\x00\x02\x45\x64\x47\x7c\x55\x4a\x5f\xf5\x0e\xe5\x0b\x97\x9d\x0c\xb4\x20\x2b\xa6\x03\x46\x1d\x34\x26\xf0\x6f\x4d\x00\xd4\xab\x84\x2d\xc5\x2c\x3b\xb6\x3e\x11\x7e\x1c\xc9\xbf\x09\xc4\x06\xc1\x86\xd3\xa4\x10\x9a\xd7\xed\xa0\xfc\xc1\x64\x9c\x54\x7b\x3b\x20\xeb\xe2\x6e\x2d\x81\x80\xae\x5e\x4f\x48\xa2\xe7\xfa\x45\x52\xc8\xd8\x31\x65\xc3\xea\x74\x16\x43\x28\x95\x43\xec\x56\x87\x7c\x56\x18\x77\x75\xc6\x7d\x9c\x17\x2b\x5b\x9e\x7c\x83\x8e\x19\x55\x62\xb2\xf5\x0b\xb0\x86\xef\x49\x5a\x9c\x27\xf0\x7f\xfb\xf1\xf9\xb6\xf0\x5e\x47\x6f\xec\x2d\x96\x9a\x88\xff\xf5\xd3\x6d\x2e\xe6\x73\x23\x0d\x79\x94\x57\x98\xc2\x61\x9d\x4b\x0f\x5e\x27\x32\xc5\xa9\xad\x3a\xbc\xb9\xc6\x11\x98\x67\x68\x2b\xf2\x0f\x1b\xc9\x87\xa9\x69\x2b\x43\xea\xf1\x98\xe4\xc0\x0b\x05\xfc\xf9\xbb\xd6\xd0\x61\x33\x53\xbc\x19\x04\x51\x55\x16\xd3\xaf\x2d\x1c\xef\x4f\xfe\xc7\x91\xd9\xfd\xf2\x77\x9d\xf4\xc9\x14\xcb\x8f\xf4\x0e\xe2\xe1\xbe\xdf\x97\x4e\xf9\x5b\x97\x3f\x9a\x5b\x35\xb5\x61\x5e\xd6\x07\x98\xc2\x8f\x4f\x8a\xb0\x8e\x88\x81\x01\x5b\xaf\x88\xf9\x72\x99\x85\xce\x05\x6b\xad\xbd\x88\xb1\xfa\x6f\x44\x0a\xf1\xcf\x1e\x38\x12\x43\x9b\x04\x40\x8c\xc5\x9f\x4a\x6d\xbe\x3c\xe4\xa4\x43\xc4\x76\x04\x0a\xd0\x18\xdd\x82\x8a\x0a\xff\x7f\x97\x24\x72\x08\x7e\x4d\xc5\xfd\xe2\x32\xf6\x55\x78\x1d\xfc\x42\x2c\xe4\x02\xa9\xc0\x36\x43\x6f\x7e\x20\x11\x9e\xdf\x27\xec\x00\xed\x99\xdb\xc5\xa6\xd0\x9d\x6b\xfd\xd3\xa6\x0a\xed\x38\xed\x14\xa7\x81\x20\xd3\x5e\x84\x8f\xdc\x01\x2e\xf1\xd5\x59\xae\x04\xe6\xc4\xdc\xca\xbd\xd7\x9e\x5d\x4c\x8d\xab\x90\x1b\x58\x31\x69\x66\xa2\x15\xd4\x58\x07\x24\x6d\x7b\x62\xaa\xee\x76\x0c\xfc\x5d\x90\x7b\xd4\xee\x2c\xd7\x49\xb8\x6d\x5b\x67\x9c\x40\x96\x68\xd7\xf3\x4a\x7a\xbf\xa8\x95\x34\x9f\xb9\xd9\xeb\x47\x65\xc9\xd3\x9f\x20\x1c\x40\x7b\x0d\x5a\x89\xb3\xe6\x82\x16\x96\xd0\x0d\xe3\xb1\xef\x71\x4a\x7f\x25\x9d\xd9\x4e\x1a\xc7\x07\x42\x1e\x4b\xa4\xfb\x34\x5f\xb5\x71\xa7\x85\x1b\x9b\x24\xc7\xee\x58\x5d\xe4\x10\x7a\xde\xa3\x28\xe9\xc0\x11\x8c\x9c\xe6\x26\x52\xa6\x49\x40\xd6\x38\x19\xa7\x0b\x72\x6e\x88\x51\xd5\xeb\x67\x3e\x98\xd3\x3b\xb3\xc6\xca\x62\xbe\x55\x51\xcf\xd4\xff\xa0\xe9\x35\x95\xca\x43\x87\x7c\xd8\x89\x0e\xe0\x0d\x0e\x10\x91\x43\xb2\xeb\x0c\x14\xd5\x41\xeb\x9a\xd1\x1c\xc0\x8b\x91\x19\x4f\x51\x5a\x44\x79\xc4\xcf\x33\x3c\x09\x85\x38\x42\xcd\xd7\x54\x14\xe7\xb7\xd6\x88\x91\x42\xc2\x99\x9d\xc0\xe8\x98\x6b\x6a\x3a\xc6\xe0\xb3\xc0\x30\xc9\x43\xe9\x85\xfe\xca\x92\x7d\xc9\x53\x16\x70\xa2\x3d\xc9\x11\x72\xac\x8d\x77\x9d\x9a\xce\xc6\xa7\x97\x14\xd0\xa0\xb1\x61\x1b\x23\x60\x37\x97\xe2\x22\x8c\x8d\xb7\x70\x6b\x38\xb0\x08\xa8\x32\x37\xf2\x8e\xd4\xf4\x56\x12\xdd\x9e\x68\x5c\xcc\x22\x79\xc8\x62\xce\x2c\xd7\x4e\x33\x26\xab\xd9\xdb\x1a\x8e\xf7\x11\x8c\xfc\x82\xdb\x16\x09\xbe\xc2\x2d\xd0\x50\x2a\x4d\xc3\x2c\x26\x9b\xdd\xe8\x4a\x9e\xe5\xb1\x7a\xdb\x45\xc0\x12\x70\x6e\x66\x04\x7d\xc3\x60\x5d\xa9\xf1\x69\xe2\x0c\x73\xc7\xf7\x64\x72\x01\x29\xac\x00\xb2\xae\xfb\x69\x81\x2d\x72\xff\x64\xd5\x87\x4f\xce\x5a\xca\x4d\xf6\x8b\x78\xe7\xcc\xec\xb3\x5a\xa7\x6b\x5e\x76\x7a\xe3\x94\xb4\x1b\xef\xf8\x6d\x10\x70\xb2\x11\x57\xcf\x34\x35\x9a\x16\x7b\x7d\xea\x68\xab\xdd\x22\x48\x78\xce\x3d\x38\x18\x35\x8b\x92\xa5\x2e\x4f\x31\x3b\xa3\xdf\xb8\xd9\x7d\x87\xdc\xfb\x39\xff\x43\x8b\xda\xcd\x7a\x8a\x4f\x8c\x79\xd2\x45\xe4\xb1\x6f\x42\x63\x4d\x5c\xb6\x3d\x61\x2b\xa9\xf0\x19\xb6\xc0\x6c\xbe\x52\x23\xf2\x4c\x44\xd2\xe1\x6d\x8e\xe4\xfe\xcb\xfd\x94\x1b\x24\x8b\xb6\xeb\x63\xe0\x13\x6d\xc8\x2b\x9d\xf7\x4e\xff\x1e\xbf\x9f\x04\x2d\xc9\x16\x6a\x64\x4e\xb8\x4b\x44\x45\x35\x87\xc4\x05\x16\x4f\x22\x1b\xdc\x4f\xfb\x51\xc2\x6d\x1c\xd1\x82\x8f\x69\xed\xfe\xba\xdb\xaf\xd5\xe0\x3d\x26\xbb\x6d\xce\xf5\xd4\xc6\xc7\xcf\x51\x2e\x75\x76\x09\xc9\xe5\x2a\xbc\x42\xf2\x0d\x6b\x18\xc8\x1b\x5b\xec\x2d\x5a\xaf\x54\x6f\x1e\xda\xec\x29\x1a\x7a\x18\x28\x54\x99\x11\x5d\xfd\x75\x31\x9e\x9b\x61\x02\x03\x0a\xab\x5c\x09\x95\xf6\xfa\xea\x2f\x29\xfa\x41\xe7\xd5\x82\x8b\xfa\x59\xfb\xfb\x18\x1f\x96\x00\x4a\x67\x33\x6f\x98\xba\x0b\xad\xd7\x2d\xbe\xd7\x31\x9f\x96\xc1\xbf\x8f\xd4\x3d\x1c\x0b\xdf\x65\xcf\x24\x42\x47\x58\x6b\xf9\xf4\xcb\x31\x05\xb8\xc3\x03\x88\xd6\x78\x48\xc1\xa2\x86\x7f\xb4\x16\xe4\xd5\x4b\x30\xf4\xb2\x58\xcf\x60\x5a\xeb\x72\xb9\xed\x04\xd3\xee\x73\x02\xc2\xe2\xb3\x3c\x4a\xfe\x3f\x88\xf3\xdc\x97\xc1\xcb\x1b\x0e\xa8\x3c\xfe\x5d\x14\xec\x93\x51\x03\x59\xa3\x24\xb5\x4a\x53\xc7\x4a\xcd\xf9\x19\x1f\x86\x84\xec\x2f\x43\xec\x6a\xcc\x0b\x67\x2b\x3b\xb5\x13\x21\x72\xa6\x87\x94\x41", 8192); *(uint64_t*)0x200000005c40 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x50; *(uint32_t*)0x200000002c44 = 0; *(uint64_t*)0x200000002c48 = 3; *(uint32_t*)0x200000002c50 = 7; *(uint32_t*)0x200000002c54 = 0x2d; *(uint32_t*)0x200000002c58 = 9; *(uint32_t*)0x200000002c5c = 0xa; *(uint16_t*)0x200000002c60 = 6; *(uint16_t*)0x200000002c62 = 0; *(uint32_t*)0x200000002c64 = 9; *(uint32_t*)0x200000002c68 = 0x57b; *(uint16_t*)0x200000002c6c = 0; *(uint16_t*)0x200000002c6e = 0; *(uint32_t*)0x200000002c70 = 2; *(uint32_t*)0x200000002c74 = 7; memset((void*)0x200000002c78, 0, 24); *(uint64_t*)0x200000005c48 = 0x200000002cc0; *(uint32_t*)0x200000002cc0 = 0x18; *(uint32_t*)0x200000002cc4 = 0; *(uint64_t*)0x200000002cc8 = 8; *(uint64_t*)0x200000002cd0 = 6; *(uint64_t*)0x200000005c50 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0x18; *(uint32_t*)0x200000002d04 = 0; *(uint64_t*)0x200000002d08 = 0xa; *(uint64_t*)0x200000002d10 = 1; *(uint64_t*)0x200000005c58 = 0x200000002d40; *(uint32_t*)0x200000002d40 = 0x18; *(uint32_t*)0x200000002d44 = 0; *(uint64_t*)0x200000002d48 = -1; *(uint32_t*)0x200000002d50 = 6; *(uint32_t*)0x200000002d54 = 0; *(uint64_t*)0x200000005c60 = 0x200000002d80; *(uint32_t*)0x200000002d80 = 0x18; *(uint32_t*)0x200000002d84 = 0; *(uint64_t*)0x200000002d88 = 0x80000001; *(uint32_t*)0x200000002d90 = 3; *(uint32_t*)0x200000002d94 = 0; *(uint64_t*)0x200000005c68 = 0x200000002dc0; *(uint32_t*)0x200000002dc0 = 0x28; *(uint32_t*)0x200000002dc4 = 0xfffffffe; *(uint64_t*)0x200000002dc8 = 6; *(uint64_t*)0x200000002dd0 = 9; *(uint64_t*)0x200000002dd8 = 1; *(uint32_t*)0x200000002de0 = 2; *(uint32_t*)0x200000002de4 = r[5]; *(uint64_t*)0x200000005c70 = 0x200000002e00; *(uint32_t*)0x200000002e00 = 0x60; *(uint32_t*)0x200000002e04 = 0xffffffda; *(uint64_t*)0x200000002e08 = 0xfff; *(uint64_t*)0x200000002e10 = 5; *(uint64_t*)0x200000002e18 = 0; *(uint64_t*)0x200000002e20 = 3; *(uint64_t*)0x200000002e28 = 1; *(uint64_t*)0x200000002e30 = 0x100; *(uint32_t*)0x200000002e38 = 8; *(uint32_t*)0x200000002e3c = 4; *(uint32_t*)0x200000002e40 = 4; *(uint32_t*)0x200000002e44 = 0; memset((void*)0x200000002e48, 0, 24); *(uint64_t*)0x200000005c78 = 0x200000002e80; *(uint32_t*)0x200000002e80 = 0x18; *(uint32_t*)0x200000002e84 = 0; *(uint64_t*)0x200000002e88 = 5; *(uint32_t*)0x200000002e90 = 1; *(uint32_t*)0x200000002e94 = 0; *(uint64_t*)0x200000005c80 = 0x200000002ec0; *(uint32_t*)0x200000002ec0 = 0x12; *(uint32_t*)0x200000002ec4 = 0; *(uint64_t*)0x200000002ec8 = 0x93; memcpy((void*)0x200000002ed0, "-\000", 2); *(uint64_t*)0x200000005c88 = 0x200000002f00; *(uint32_t*)0x200000002f00 = 0x20; *(uint32_t*)0x200000002f04 = 0; *(uint64_t*)0x200000002f08 = 3; *(uint64_t*)0x200000002f10 = 0; *(uint32_t*)0x200000002f18 = 5; *(uint32_t*)0x200000002f1c = 0; *(uint64_t*)0x200000005c90 = 0x200000003140; *(uint32_t*)0x200000003140 = 0x78; *(uint32_t*)0x200000003144 = 0xffffffda; *(uint64_t*)0x200000003148 = 2; *(uint64_t*)0x200000003150 = 5; *(uint32_t*)0x200000003158 = 0x30c; *(uint32_t*)0x20000000315c = 0; *(uint64_t*)0x200000003160 = 3; *(uint64_t*)0x200000003168 = 0x1ff; *(uint64_t*)0x200000003170 = 6; *(uint64_t*)0x200000003178 = 8; *(uint64_t*)0x200000003180 = 3; *(uint64_t*)0x200000003188 = 0; *(uint32_t*)0x200000003190 = 0x400; *(uint32_t*)0x200000003194 = 0x400; *(uint32_t*)0x200000003198 = 0x362b; *(uint32_t*)0x20000000319c = 0x2000; *(uint32_t*)0x2000000031a0 = 5; *(uint32_t*)0x2000000031a4 = r[8]; *(uint32_t*)0x2000000031a8 = r[9]; *(uint32_t*)0x2000000031ac = 0; *(uint32_t*)0x2000000031b0 = 2; *(uint32_t*)0x2000000031b4 = 0; *(uint64_t*)0x200000005c98 = 0x200000003240; *(uint32_t*)0x200000003240 = 0x90; *(uint32_t*)0x200000003244 = 0; *(uint64_t*)0x200000003248 = 0x8001; *(uint64_t*)0x200000003250 = 2; *(uint64_t*)0x200000003258 = 1; *(uint64_t*)0x200000003260 = 0x7fffffff; *(uint64_t*)0x200000003268 = 9; *(uint32_t*)0x200000003270 = 0xc0; *(uint32_t*)0x200000003274 = 7; *(uint64_t*)0x200000003278 = 1; *(uint64_t*)0x200000003280 = 0xffffffff; *(uint64_t*)0x200000003288 = 8; *(uint64_t*)0x200000003290 = 7; *(uint64_t*)0x200000003298 = 0xfffffffffffff801; *(uint64_t*)0x2000000032a0 = 2; *(uint32_t*)0x2000000032a8 = 8; *(uint32_t*)0x2000000032ac = 0x1ee; *(uint32_t*)0x2000000032b0 = 0xff; *(uint32_t*)0x2000000032b4 = 0xc000; *(uint32_t*)0x2000000032b8 = 0xf; *(uint32_t*)0x2000000032bc = r[10]; *(uint32_t*)0x2000000032c0 = 0; *(uint32_t*)0x2000000032c4 = 0xac; *(uint32_t*)0x2000000032c8 = 4; *(uint32_t*)0x2000000032cc = 0; *(uint64_t*)0x200000005ca0 = 0x200000003300; *(uint32_t*)0x200000003300 = 0xb8; *(uint32_t*)0x200000003304 = 0; *(uint64_t*)0x200000003308 = 4; *(uint64_t*)0x200000003310 = 1; *(uint64_t*)0x200000003318 = 2; *(uint32_t*)0x200000003320 = 1; *(uint32_t*)0x200000003324 = 0x101; memset((void*)0x200000003328, 123, 1); *(uint64_t*)0x200000003330 = 6; *(uint64_t*)0x200000003338 = 8; *(uint32_t*)0x200000003340 = 0x12; *(uint32_t*)0x200000003344 = 0xffd; memcpy((void*)0x200000003348, "./cgroup.net/syz1\000", 18); *(uint64_t*)0x200000003360 = 2; *(uint64_t*)0x200000003368 = 2; *(uint32_t*)0x200000003370 = 4; *(uint32_t*)0x200000003374 = 0; memcpy((void*)0x200000003378, "!\']!", 4); *(uint64_t*)0x200000003380 = 2; *(uint64_t*)0x200000003388 = 0; *(uint32_t*)0x200000003390 = 0; *(uint32_t*)0x200000003394 = 0; *(uint64_t*)0x200000003398 = 6; *(uint64_t*)0x2000000033a0 = 0x400; *(uint32_t*)0x2000000033a8 = 4; *(uint32_t*)0x2000000033ac = 0x3006bd82; memcpy((void*)0x2000000033b0, "\322}$/", 4); *(uint64_t*)0x200000005ca8 = 0x200000004f40; *(uint32_t*)0x200000004f40 = 0x538; *(uint32_t*)0x200000004f44 = 0; *(uint64_t*)0x200000004f48 = 0x200; *(uint64_t*)0x200000004f50 = 4; *(uint64_t*)0x200000004f58 = 0; *(uint64_t*)0x200000004f60 = 8; *(uint64_t*)0x200000004f68 = 0xe9; *(uint32_t*)0x200000004f70 = 8; *(uint32_t*)0x200000004f74 = 0x8f62; *(uint64_t*)0x200000004f78 = 6; *(uint64_t*)0x200000004f80 = 9; *(uint64_t*)0x200000004f88 = 0xffffffff; *(uint64_t*)0x200000004f90 = 0x9b; *(uint64_t*)0x200000004f98 = 0; *(uint64_t*)0x200000004fa0 = 0x8000; *(uint32_t*)0x200000004fa8 = 0; *(uint32_t*)0x200000004fac = 0x400; *(uint32_t*)0x200000004fb0 = 0xef0; *(uint32_t*)0x200000004fb4 = 0xa000; *(uint32_t*)0x200000004fb8 = 0x10; *(uint32_t*)0x200000004fbc = r[11]; *(uint32_t*)0x200000004fc0 = r[13]; *(uint32_t*)0x200000004fc4 = 3; *(uint32_t*)0x200000004fc8 = 3; *(uint32_t*)0x200000004fcc = 0; *(uint64_t*)0x200000004fd0 = 2; *(uint64_t*)0x200000004fd8 = 0x9f3; *(uint32_t*)0x200000004fe0 = 5; *(uint32_t*)0x200000004fe4 = 4; memset((void*)0x200000004fe8, 170, 5); *(uint64_t*)0x200000004ff0 = 4; *(uint64_t*)0x200000004ff8 = 1; *(uint64_t*)0x200000005000 = 1; *(uint64_t*)0x200000005008 = 2; *(uint32_t*)0x200000005010 = 0x100; *(uint32_t*)0x200000005014 = 0xdde0; *(uint64_t*)0x200000005018 = 3; *(uint64_t*)0x200000005020 = 0x401; *(uint64_t*)0x200000005028 = 5; *(uint64_t*)0x200000005030 = 0xef; *(uint64_t*)0x200000005038 = 4; *(uint64_t*)0x200000005040 = 0xff; *(uint32_t*)0x200000005048 = 0xf; *(uint32_t*)0x20000000504c = 0x94; *(uint32_t*)0x200000005050 = 4; *(uint32_t*)0x200000005054 = 0x6000; *(uint32_t*)0x200000005058 = 0x4a; *(uint32_t*)0x20000000505c = r[14]; *(uint32_t*)0x200000005060 = r[15]; *(uint32_t*)0x200000005064 = 0x40; *(uint32_t*)0x200000005068 = 0x81; *(uint32_t*)0x20000000506c = 0; *(uint64_t*)0x200000005070 = 0; *(uint64_t*)0x200000005078 = 2; *(uint32_t*)0x200000005080 = 6; *(uint32_t*)0x200000005084 = 0xf; memset((void*)0x200000005088, 1, 6); *(uint64_t*)0x200000005090 = 3; *(uint64_t*)0x200000005098 = 2; *(uint64_t*)0x2000000050a0 = 3; *(uint64_t*)0x2000000050a8 = 0x7b; *(uint32_t*)0x2000000050b0 = 3; *(uint32_t*)0x2000000050b4 = 0; *(uint64_t*)0x2000000050b8 = 4; *(uint64_t*)0x2000000050c0 = 9; *(uint64_t*)0x2000000050c8 = 0x692c; *(uint64_t*)0x2000000050d0 = 7; *(uint64_t*)0x2000000050d8 = 3; *(uint64_t*)0x2000000050e0 = 0; *(uint32_t*)0x2000000050e8 = 0x80000000; *(uint32_t*)0x2000000050ec = 2; *(uint32_t*)0x2000000050f0 = 6; *(uint32_t*)0x2000000050f4 = 0x6000; *(uint32_t*)0x2000000050f8 = 0; *(uint32_t*)0x2000000050fc = r[17]; *(uint32_t*)0x200000005100 = r[18]; *(uint32_t*)0x200000005104 = 0xfffffbff; *(uint32_t*)0x200000005108 = 0; *(uint32_t*)0x20000000510c = 0; *(uint64_t*)0x200000005110 = 1; *(uint64_t*)0x200000005118 = 0x100000000; *(uint32_t*)0x200000005120 = 0x12; *(uint32_t*)0x200000005124 = 0; memcpy((void*)0x200000005128, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005140 = 6; *(uint64_t*)0x200000005148 = 1; *(uint64_t*)0x200000005150 = 0x80000000; *(uint64_t*)0x200000005158 = 1; *(uint32_t*)0x200000005160 = 9; *(uint32_t*)0x200000005164 = 9; *(uint64_t*)0x200000005168 = 4; *(uint64_t*)0x200000005170 = 0x400; *(uint64_t*)0x200000005178 = 9; *(uint64_t*)0x200000005180 = 9; *(uint64_t*)0x200000005188 = 0x4c4; *(uint64_t*)0x200000005190 = 0xc; *(uint32_t*)0x200000005198 = 0x8000; *(uint32_t*)0x20000000519c = 0; *(uint32_t*)0x2000000051a0 = 0xf; *(uint32_t*)0x2000000051a4 = 0xc000; *(uint32_t*)0x2000000051a8 = 6; *(uint32_t*)0x2000000051ac = r[20]; *(uint32_t*)0x2000000051b0 = r[21]; *(uint32_t*)0x2000000051b4 = 0x99df; *(uint32_t*)0x2000000051b8 = 2; *(uint32_t*)0x2000000051bc = 0; *(uint64_t*)0x2000000051c0 = 5; *(uint64_t*)0x2000000051c8 = 8; *(uint32_t*)0x2000000051d0 = 0x12; *(uint32_t*)0x2000000051d4 = 2; memcpy((void*)0x2000000051d8, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x2000000051f0 = 5; *(uint64_t*)0x2000000051f8 = 1; *(uint64_t*)0x200000005200 = 4; *(uint64_t*)0x200000005208 = 0xffffffff; *(uint32_t*)0x200000005210 = 0; *(uint32_t*)0x200000005214 = 6; *(uint64_t*)0x200000005218 = 3; *(uint64_t*)0x200000005220 = 0; *(uint64_t*)0x200000005228 = 9; *(uint64_t*)0x200000005230 = 0x2c3d; *(uint64_t*)0x200000005238 = 6; *(uint64_t*)0x200000005240 = 0x479; *(uint32_t*)0x200000005248 = 6; *(uint32_t*)0x20000000524c = 5; *(uint32_t*)0x200000005250 = 0x7aa; *(uint32_t*)0x200000005254 = 0x2000; *(uint32_t*)0x200000005258 = 0x4a0b; *(uint32_t*)0x20000000525c = r[22]; *(uint32_t*)0x200000005260 = 0; *(uint32_t*)0x200000005264 = 0xffff; *(uint32_t*)0x200000005268 = 8; *(uint32_t*)0x20000000526c = 0; *(uint64_t*)0x200000005270 = 3; *(uint64_t*)0x200000005278 = 9; *(uint32_t*)0x200000005280 = 1; *(uint32_t*)0x200000005284 = 0x1ff; memset((void*)0x200000005288, 36, 1); *(uint64_t*)0x200000005290 = 5; *(uint64_t*)0x200000005298 = 1; *(uint64_t*)0x2000000052a0 = 0x10000; *(uint64_t*)0x2000000052a8 = 0xd; *(uint32_t*)0x2000000052b0 = 1; *(uint32_t*)0x2000000052b4 = 5; *(uint64_t*)0x2000000052b8 = 3; *(uint64_t*)0x2000000052c0 = 0xa967; *(uint64_t*)0x2000000052c8 = 3; *(uint64_t*)0x2000000052d0 = 0; *(uint64_t*)0x2000000052d8 = 0x200; *(uint64_t*)0x2000000052e0 = 0x8b8; *(uint32_t*)0x2000000052e8 = 8; *(uint32_t*)0x2000000052ec = 1; *(uint32_t*)0x2000000052f0 = 6; *(uint32_t*)0x2000000052f4 = 0x4000; *(uint32_t*)0x2000000052f8 = 8; *(uint32_t*)0x2000000052fc = 0xee00; *(uint32_t*)0x200000005300 = 0; *(uint32_t*)0x200000005304 = 2; *(uint32_t*)0x200000005308 = 1; *(uint32_t*)0x20000000530c = 0; *(uint64_t*)0x200000005310 = 3; *(uint64_t*)0x200000005318 = 0; *(uint32_t*)0x200000005320 = 0x12; *(uint32_t*)0x200000005324 = 5; memcpy((void*)0x200000005328, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005340 = 3; *(uint64_t*)0x200000005348 = 3; *(uint64_t*)0x200000005350 = 2; *(uint64_t*)0x200000005358 = 0x3d5; *(uint32_t*)0x200000005360 = 0; *(uint32_t*)0x200000005364 = 0x1000; *(uint64_t*)0x200000005368 = 4; *(uint64_t*)0x200000005370 = 5; *(uint64_t*)0x200000005378 = 0; *(uint64_t*)0x200000005380 = 2; *(uint64_t*)0x200000005388 = 0x7f; *(uint64_t*)0x200000005390 = 0xd; *(uint32_t*)0x200000005398 = 0xfffffffa; *(uint32_t*)0x20000000539c = 0x117; *(uint32_t*)0x2000000053a0 = 6; *(uint32_t*)0x2000000053a4 = 0x2000; *(uint32_t*)0x2000000053a8 = 0x3ff; *(uint32_t*)0x2000000053ac = r[23]; *(uint32_t*)0x2000000053b0 = r[24]; *(uint32_t*)0x2000000053b4 = 0xb737; *(uint32_t*)0x2000000053b8 = 0xd; *(uint32_t*)0x2000000053bc = 0; *(uint64_t*)0x2000000053c0 = 5; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff8; *(uint32_t*)0x2000000053d0 = 6; *(uint32_t*)0x2000000053d4 = 8; memset((void*)0x2000000053d8, 255, 6); *(uint64_t*)0x2000000053e0 = 5; *(uint64_t*)0x2000000053e8 = 3; *(uint64_t*)0x2000000053f0 = 8; *(uint64_t*)0x2000000053f8 = 0xd; *(uint32_t*)0x200000005400 = 0x8000; *(uint32_t*)0x200000005404 = 0x7ff; *(uint64_t*)0x200000005408 = 1; *(uint64_t*)0x200000005410 = 5; *(uint64_t*)0x200000005418 = 4; *(uint64_t*)0x200000005420 = 0xfffffffffffffffd; *(uint64_t*)0x200000005428 = 0; *(uint64_t*)0x200000005430 = 0xd; *(uint32_t*)0x200000005438 = 7; *(uint32_t*)0x20000000543c = 4; *(uint32_t*)0x200000005440 = 0xef; *(uint32_t*)0x200000005444 = 0x8000; *(uint32_t*)0x200000005448 = 7; *(uint32_t*)0x20000000544c = r[25]; *(uint32_t*)0x200000005450 = r[26]; *(uint32_t*)0x200000005454 = 8; *(uint32_t*)0x200000005458 = 3; *(uint32_t*)0x20000000545c = 0; *(uint64_t*)0x200000005460 = 2; *(uint64_t*)0x200000005468 = 1; *(uint32_t*)0x200000005470 = 0; *(uint32_t*)0x200000005474 = 7; *(uint64_t*)0x200000005cb0 = 0x200000005700; *(uint32_t*)0x200000005700 = 0xa0; *(uint32_t*)0x200000005704 = 0; *(uint64_t*)0x200000005708 = 0x73f5b767; *(uint64_t*)0x200000005710 = 5; *(uint64_t*)0x200000005718 = 2; *(uint64_t*)0x200000005720 = 5; *(uint64_t*)0x200000005728 = 0x8001; *(uint32_t*)0x200000005730 = 0x4c3; *(uint32_t*)0x200000005734 = 2; *(uint64_t*)0x200000005738 = 5; *(uint64_t*)0x200000005740 = 7; *(uint64_t*)0x200000005748 = 0x800; *(uint64_t*)0x200000005750 = 5; *(uint64_t*)0x200000005758 = 0xa; *(uint64_t*)0x200000005760 = 0x1000; *(uint32_t*)0x200000005768 = 0x7f; *(uint32_t*)0x20000000576c = 9; *(uint32_t*)0x200000005770 = 6; *(uint32_t*)0x200000005774 = 0x1000; *(uint32_t*)0x200000005778 = 0; *(uint32_t*)0x20000000577c = r[27]; *(uint32_t*)0x200000005780 = -1; *(uint32_t*)0x200000005784 = 8; *(uint32_t*)0x200000005788 = 0x18; *(uint32_t*)0x20000000578c = 0; *(uint64_t*)0x200000005790 = 0; *(uint32_t*)0x200000005798 = 0xb; *(uint32_t*)0x20000000579c = 0; *(uint64_t*)0x200000005cb8 = 0x2000000057c0; *(uint32_t*)0x2000000057c0 = 0x20; *(uint32_t*)0x2000000057c4 = 0xfffffff5; *(uint64_t*)0x2000000057c8 = 0x100000001; *(uint32_t*)0x2000000057d0 = 1; *(uint32_t*)0x2000000057d4 = 0; *(uint32_t*)0x2000000057d8 = 9; *(uint32_t*)0x2000000057dc = 0x40000000; *(uint64_t*)0x200000005cc0 = 0x200000005b00; *(uint32_t*)0x200000005b00 = 0x130; *(uint32_t*)0x200000005b04 = 0; *(uint64_t*)0x200000005b08 = 0xffffffffffffff98; *(uint64_t*)0x200000005b10 = 2; *(uint32_t*)0x200000005b18 = 0xa; *(uint32_t*)0x200000005b1c = 0; memset((void*)0x200000005b20, 0, 16); *(uint32_t*)0x200000005b30 = 0x200; *(uint32_t*)0x200000005b34 = 9; *(uint64_t*)0x200000005b38 = 0x400; *(uint32_t*)0x200000005b40 = 0x200; *(uint32_t*)0x200000005b44 = r[28]; *(uint32_t*)0x200000005b48 = r[29]; *(uint16_t*)0x200000005b4c = 0x8000; memset((void*)0x200000005b4e, 0, 2); *(uint64_t*)0x200000005b50 = 3; *(uint64_t*)0x200000005b58 = 9; *(uint64_t*)0x200000005b60 = 5; *(uint64_t*)0x200000005b68 = 6; *(uint64_t*)0x200000005b70 = 0xefac; *(uint32_t*)0x200000005b78 = 9; *(uint32_t*)0x200000005b7c = 0; *(uint64_t*)0x200000005b80 = 8; *(uint32_t*)0x200000005b88 = 0x7f; *(uint32_t*)0x200000005b8c = 0; *(uint64_t*)0x200000005b90 = 0x635; *(uint32_t*)0x200000005b98 = 5; *(uint32_t*)0x200000005b9c = 0; *(uint64_t*)0x200000005ba0 = 0xf; *(uint32_t*)0x200000005ba8 = 9; *(uint32_t*)0x200000005bac = 0; *(uint32_t*)0x200000005bb0 = 0x8001; *(uint32_t*)0x200000005bb4 = 0xb; *(uint32_t*)0x200000005bb8 = 0xd; *(uint32_t*)0x200000005bbc = 0x4dc9; memset((void*)0x200000005bc0, 0, 112); syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000000c40, /*len=*/0x2000, /*res=*/0x200000005c40); break; case 37: memcpy((void*)0x200000005d00, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000005d00, /*fd=*/r[4]); break; case 38: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 39: *(uint32_t*)0x200000005d44 = 0xf86d; *(uint32_t*)0x200000005d48 = 4; *(uint32_t*)0x200000005d4c = 0; *(uint32_t*)0x200000005d50 = 0x11b; *(uint32_t*)0x200000005d58 = -1; memset((void*)0x200000005d5c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x2407, /*params=*/0x200000005d40, /*ring_params_ptr=*/0x200000005dc0, /*ring_ptr=*/0x200000005e00, /*sqes_ptr=*/0x200000005e40); if (res != -1) { r[30] = res; r[31] = *(uint64_t*)0x200000005dc0; } break; case 40: res = syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ*/0x1000009ul, /*flags=MAP_POPULATE*/0x8000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[32] = res; break; case 41: res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/r[31], /*ring_ptr=*/r[32]); if (res != -1) r[33] = res; break; case 42: *(uint32_t*)0x200000005e84 = 0x64a3; *(uint32_t*)0x200000005e88 = 0x2006; *(uint32_t*)0x200000005e8c = 1; *(uint32_t*)0x200000005e90 = 0x3e2; *(uint32_t*)0x200000005e98 = r[30]; memset((void*)0x200000005e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x29b9, /*params=*/0x200000005e80, /*ring_params_ptr=*/0x200000005f00, /*ring_ptr=*/0x200000005f40, /*sqes_ptr=*/0x200000005f80); if (res != -1) { r[34] = *(uint64_t*)0x200000005f00; r[35] = *(uint64_t*)0x200000005f80; } break; case 43: syz_io_uring_modify_offsets(/*ring_params_ptr=*/r[34], /*ring_ptr=*/r[32], /*off=SQ_FLAGS_OFFSET*/0x38, /*value=*/0); break; case 44: *(uint32_t*)0x200000005fc4 = 0x1e2b; *(uint32_t*)0x200000005fc8 = 0x800; *(uint32_t*)0x200000005fcc = 1; *(uint32_t*)0x200000005fd0 = 0x2ab; *(uint32_t*)0x200000005fd8 = -1; memset((void*)0x200000005fdc, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x48a, /*params=*/0x200000005fc0, /*ring_params_ptr=*/0x200000006040, /*ring_ptr=*/0x200000006080, /*sqes_ptr=*/0x2000000060c0); if (res != -1) { r[36] = *(uint64_t*)0x200000006040; r[37] = *(uint64_t*)0x200000006080; } break; case 45: *(uint8_t*)0x200000006140 = 0xd; *(uint8_t*)0x200000006141 = 0x24; *(uint16_t*)0x200000006142 = 0; *(uint32_t*)0x200000006144 = r[33]; *(uint64_t*)0x200000006148 = 0x200000006100; *(uint32_t*)0x200000006100 = 0; *(uint64_t*)0x200000006150 = 0; *(uint32_t*)0x200000006158 = 0; *(uint32_t*)0x20000000615c = 0x81000; *(uint64_t*)0x200000006160 = 1; *(uint16_t*)0x200000006168 = 0; *(uint16_t*)0x20000000616a = 0; memset((void*)0x20000000616c, 0, 20); syz_io_uring_submit(/*ring_params_ptr=*/r[36], /*ring_ptr=*/r[37], /*sqes_ptr=*/r[35], /*sqe=*/0x200000006140); break; case 46: memset((void*)0x200000006180, 36, 1); memcpy((void*)0x200000006280, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xbd\xfd\x57\x7d\x9b\x71\x97\xf5\x66\x39\x3b\x22\x8c\xca\x01\xc4\x38\x5b\xaa\x7b\xb4\x18\xfa\x8f\x4f\x4d\x37\x3f\xe5\x8f\xb1\x57\xb4\x5a\x06\xce\x1a\xa0\xaa\xb1\x29\x2a\x2a\x28\x9e\xc8\x34\x63\x27\x86\x44\xd9\xa5\xc3\xb2\x41\x9a\xcc\x6b\xf9\xff\x6d\xed\xd3\x6c\x7c\x83\x8e\x89\xa7\x2a\x34\xad\xe9\x1f\x58\xe3\x7d\x88\x4b\xf0\xcb\xc4\x0d\xf6\xeb\x8a\xd5\x46\xea\xb7\x30\xf2\x0b\xeb\xa1\xd2\x1d\xed\xa9\xc9\xe1\x81\xc8\xd8\x66\xbf\xf9\x96\xc8\x56\x38\x86\xc1\xe0\x4f\x00\x2f\xcc\x94\x15\xcb\xc0\x94\xac\x5b\x1a\x44\x29\x80\xb1\x76\xbf\xf5\xd7\x5d\x34\x5e\x0a\x9a\xed\x89\x90\xa6\x46\xd0\xc9\x2e\x00\x1a\x91\xa3\x39\xa2\x30\x4c\x26\xc5\xc0\x00\x00\x00\x00\x00\x00\x00\x00", 208); syz_kfuzztest_run(/*name=*/0x200000006180, /*data=*/0x2000000061c0, /*len=*/0xd0, /*buf=*/0x200000006280); break; case 47: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[33], /*usermem=*/0x200000c00000); if (res != -1) r[38] = res; break; case 48: *(uint64_t*)0x200000016800 = 0; *(uint64_t*)0x200000016808 = 0x200000016280; *(uint64_t*)0x200000016280 = 0x17f; *(uint64_t*)0x200000016288 = 0x10; *(uint64_t*)0x200000016290 = 0x17d; *(uint64_t*)0x200000016298 = 0x20; *(uint64_t*)0x2000000162a0 = 0x58000; *(uint64_t*)0x2000000162a8 = 0x50df; *(uint64_t*)0x2000000162b0 = 0x182; *(uint64_t*)0x2000000162b8 = 0x18; *(uint64_t*)0x2000000162c0 = 2; *(uint64_t*)0x2000000162c8 = 0x12d; *(uint64_t*)0x2000000162d0 = 0x18; *(uint64_t*)0x2000000162d8 = 3; *(uint64_t*)0x2000000162e0 = 0x64; *(uint64_t*)0x2000000162e8 = 0x18; *(uint32_t*)0x2000000162f0 = 0xf; *(uint32_t*)0x2000000162f4 = 0x9a97; *(uint64_t*)0x2000000162f8 = 0x17d; *(uint64_t*)0x200000016300 = 0x20; *(uint64_t*)0x200000016308 = 0xfec00000; *(uint64_t*)0x200000016310 = 0x1781; *(uint64_t*)0x200000016318 = 0x17d; *(uint64_t*)0x200000016320 = 0x20; *(uint64_t*)0x200000016328 = 0x1000; *(uint64_t*)0x200000016330 = 0x691; *(uint64_t*)0x200000016338 = 0x182; *(uint64_t*)0x200000016340 = 0x18; *(uint64_t*)0x200000016348 = 3; *(uint64_t*)0x200000016350 = 0x17f; *(uint64_t*)0x200000016358 = 0x10; *(uint64_t*)0x200000016360 = 0x12e; *(uint64_t*)0x200000016368 = 0x79; *(uint64_t*)0x200000016370 = 0; memcpy((void*)0x200000016378, "\x67\x47\x0f\x48\x7f\x05\x41\x0f\xc7\x28\x0f\x20\xd8\x35\x08\x00\x00\x00\x0f\x22\xd8\x8f\x29\x78\xcb\x3d\x08\x00\x00\x00\x0f\x20\xc0\x35\x04\x00\x00\x00\x0f\x22\xc0\xc7\x44\x24\x00\xd0\xf6\x00\x00\xc7\x44\x24\x02\x00\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24\x0f\x00\x95\xbf\xfb\x00\x00\xb9\x8b\x00\x00\x00\x0f\x32\x43\x0f\x01\xf8\x36\x3e\x3e\x66\x44\x0f\x38\x3c\x6e\x0e", 97); *(uint64_t*)0x2000000163d9 = 0x182; *(uint64_t*)0x2000000163e1 = 0x18; *(uint64_t*)0x2000000163e9 = 0; *(uint64_t*)0x2000000163f1 = 0x17d; *(uint64_t*)0x2000000163f9 = 0x20; *(uint64_t*)0x200000016401 = 1; *(uint64_t*)0x200000016409 = 0x2a0c; *(uint64_t*)0x200000016411 = 0x17c; *(uint64_t*)0x200000016419 = 0x38; *(uint64_t*)0x200000016421 = 0; *(uint64_t*)0x200000016429 = 0x4a9; *(uint64_t*)0x200000016431 = 5; *(uint64_t*)0x200000016439 = 0xffffffff80000001; *(uint64_t*)0x200000016441 = 0xd; *(uint64_t*)0x200000016449 = 0x130; *(uint64_t*)0x200000016451 = 0x18; *(uint64_t*)0x200000016459 = 1; *(uint64_t*)0x200000016461 = 0x181; *(uint64_t*)0x200000016469 = 0x30; *(uint64_t*)0x200000016471 = 3; *(uint64_t*)0x200000016479 = 0xff; *(uint64_t*)0x200000016481 = 1; *(uint64_t*)0x200000016489 = 1; *(uint64_t*)0x200000016491 = 0x130; *(uint64_t*)0x200000016499 = 0x18; *(uint64_t*)0x2000000164a1 = 2; *(uint64_t*)0x2000000164a9 = 0x65; *(uint64_t*)0x2000000164b1 = 0x20; *(uint64_t*)0x2000000164b9 = 0xc001103a; *(uint64_t*)0x2000000164c1 = 0; *(uint64_t*)0x2000000164c9 = 0xa; *(uint64_t*)0x2000000164d1 = 0x64; memcpy((void*)0x2000000164d9, "\xc4\xa1\xf9\xe6\x53\x00\x66\xba\xf8\x0c\xb8\x3c\x05\x0c\x8a\xef\x66\xba\xfc\x0c\xb0\xea\xee\xc4\x01\x7a\x70\x5e\x47\x02\x36\x0f\x01\xc9\xb8\x05\x00\x00\x00\xb9\x00\x00\x01\x00\x0f\x01\xd9\xc4\x82\x99\xf7\x74\xfd\x26\xb9\x49\x03\x00\x00\x0f\x32\xc4\xc1\x15\xfa\xba\x67\x36\xc9\x58\xb8\x01\x00\x00\x00\x0f\x01\xc1\x64\x43\x0f\x01\xca", 83); *(uint8_t*)0x20000001652c = 0xc3; *(uint64_t*)0x20000001652d = 0x6a; *(uint64_t*)0x200000016535 = 0x28; *(uint64_t*)0x20000001653d = 0xb7cb; *(uint64_t*)0x200000016545 = 1; *(uint64_t*)0x20000001654d = 9; *(uint64_t*)0x200000016555 = 0x136; *(uint64_t*)0x20000001655d = 0x58; *(uint64_t*)0x200000016565 = 2; *(uint64_t*)0x20000001656d = 2; *(uint64_t*)0x200000016575 = 0x154; *(uint64_t*)0x20000001657d = 0x38; *(uint64_t*)0x200000016585 = 2; *(uint64_t*)0x20000001658d = 0x2006; *(uint64_t*)0x200000016595 = 6; *(uint64_t*)0x20000001659d = 0xdd07; *(uint64_t*)0x2000000165a5 = 5; *(uint64_t*)0x2000000165ad = 0; *(uint64_t*)0x2000000165b5 = 0x18; *(uint64_t*)0x2000000165bd = 8; *(uint64_t*)0x2000000165c5 = 0x136; *(uint64_t*)0x2000000165cd = 0x80; *(uint64_t*)0x2000000165d5 = 0; *(uint64_t*)0x2000000165dd = 0x1ff; *(uint64_t*)0x2000000165e5 = 0xc8; *(uint64_t*)0x2000000165ed = 0x20; *(uint64_t*)0x2000000165f5 = 0x6a; *(uint64_t*)0x2000000165fd = 0; *(uint64_t*)0x200000016605 = 0x17e; *(uint64_t*)0x20000001660d = 0x10; *(uint64_t*)0x200000016615 = 0x17f; *(uint64_t*)0x20000001661d = 0x10; *(uint64_t*)0x200000016625 = 0xc8; *(uint64_t*)0x20000001662d = 0x20; *(uint64_t*)0x200000016635 = 0x76; *(uint64_t*)0x20000001663d = 1; *(uint64_t*)0x200000016645 = 0x183; *(uint64_t*)0x20000001664d = 0x18; *(uint64_t*)0x200000016655 = 3; *(uint64_t*)0x20000001665d = 0xc8; *(uint64_t*)0x200000016665 = 0x20; *(uint64_t*)0x20000001666d = 0xcd; *(uint64_t*)0x200000016675 = 2; *(uint64_t*)0x20000001667d = 0x180; *(uint64_t*)0x200000016685 = 0x38; *(uint64_t*)0x20000001668d = 2; *(uint64_t*)0x200000016695 = 0x96; *(uint64_t*)0x20000001669d = 2; *(uint64_t*)0x2000000166a5 = 9; *(uint64_t*)0x2000000166ad = 2; *(uint64_t*)0x2000000166b5 = 0x64; *(uint64_t*)0x2000000166bd = 0x18; *(uint32_t*)0x2000000166c5 = 1; *(uint32_t*)0x2000000166c9 = 0xffff; *(uint64_t*)0x2000000166cd = 0xa; *(uint64_t*)0x2000000166d5 = 0x6c; memcpy((void*)0x2000000166dd, "\x41\x0f\x01\x3a\xc7\x44\x24\x00\x72\x00\x00\x00\xc7\x44\x24\x02\x03\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xc7\x44\x24\x00\xc7\xd2\xb5\x38\xc7\x44\x24\x02\x39\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xb8\x01\x00\x00\x00\x0f\x01\xc1\x40\x0f\x79\x16\x66\xb8\xbc\x00\x8e\xc0\x26\x44\x0f\x01\xc5\x41\x0f\x01\xd0\x0f\x08\x0f\x09", 91); *(uint8_t*)0x200000016738 = 0xc3; *(uint64_t*)0x200000016739 = 0x180; *(uint64_t*)0x200000016741 = 0x38; *(uint64_t*)0x200000016749 = 1; *(uint64_t*)0x200000016751 = 0xa2; *(uint64_t*)0x200000016759 = 3; *(uint64_t*)0x200000016761 = 0x40; *(uint64_t*)0x200000016769 = 3; *(uint64_t*)0x200000016771 = 0x67; *(uint64_t*)0x200000016779 = 0x20; *(uint64_t*)0x200000016781 = 2; *(uint64_t*)0x200000016789 = 0; *(uint64_t*)0x200000016791 = 0x181; *(uint64_t*)0x200000016799 = 0x30; *(uint64_t*)0x2000000167a1 = 1; *(uint64_t*)0x2000000167a9 = 8; *(uint64_t*)0x2000000167b1 = 1; *(uint64_t*)0x2000000167b9 = 1; *(uint64_t*)0x200000016810 = 0x541; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[38], /*text=*/0x200000016800); if (res != -1) r[39] = res; break; case 49: res = syscall(__NR_mmap, /*addr=*/0x200000ffa000ul, /*len=*/0ul, /*prot=*/0ul, /*flags=MAP_SHARED*/1ul, /*cpufd=*/r[39], /*offset=*/0ul); if (res != -1) r[40] = res; break; case 50: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[40], /*exitcode=*/4); break; case 51: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[33], /*run=*/r[40], /*exitcode=*/6); break; case 52: *(uint64_t*)0x200000016840 = 0x1000; res = syscall(__NR_socketcall, /*call=*/0xful, /*args=*/0x200000016840ul); if (res != -1) r[41] = res; break; case 53: *(uint64_t*)0x200000016ac0 = 0; *(uint64_t*)0x200000016ac8 = 0x200000016880; memcpy((void*)0x200000016880, "\xa6\x00\xc0\x7f\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x05\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x00\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x09\x00\xf7\x62\x00\x00\x00\x3f\xa3\x20\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x0d\x00\xf7\x62\xff\xff\x00\x3f\x4b\x45\x18\x63\x00\x00\x17\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x05\x00\x84\x60\x22\x00\x00\x44\xe4\x03\x00\x7c\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x03\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x00\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x5b\x92\x84\x60\x22\x00\x00\x44\x88\x9c\x7f\x13\x85\x79\x3c\x11\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xae\x43\x80\x3c\x0b\x69\x84\x60\x04\x00\x84\x78\x32\xd2\x84\x64\x64\xab\x84\x60\x9f\x20\xa0\x3c\xa8\xed\xa5\x60\x04\x00\xa5\x78\xb6\x40\xa5\x64\xb1\xf3\xa5\x60\x72\x95\xc0\x3c\xe2\xa3\xc6\x60\x04\x00\xc6\x78\x0a\xb5\xc6\x64\xb4\x56\xc6\x60\x7a\xf7\xe0\x3c\x4f\x1e\xe7\x60\x04\x00\xe7\x78\x6d\xaf\xe7\x64\x73\x5d\xe7\x60\x6e\xd4\x00\x3d\xea\x68\x08\x61\x04\x00\x08\x79\x84\x3e\x08\x65\x2b\x1e\x08\x61\x0f\x08\x20\x3d\x57\x99\x29\x61\x04\x00\x29\x79\x2e\xa5\x29\x65\xa3\x3a\x29\x61\x10\xda\x40\x3d\x21\xf4\x4a\x61\x04\x00\x4a\x79\x6b\x7d\x4a\x65\x1a\xc9\x4a\x61\x7a\xd9\x60\x3d\x84\x78\x6b\x61\x04\x00\x6b\x79\xf9\xf1\x6b\x65\x62\xee\x6b\x61\x22\x00\x00\x44\x8c\x30\x80\x3d\xde\x99\x8c\x61\x04\x00\x8c\x79\xc3\x84\x8c\x65\xc4\x00\x8c\x61\x42\x7e\xf3\x13\x08\xdb\x47\xfd\x63\x10\xe0\x3f\xa7\x1c\xff\x63\x04\x00\xff\x7b\x58\x16\xff\x67\x60\xa0\xff\x63\x26\xff\xa1\x7f", 532); *(uint64_t*)0x200000016ad0 = 0x214; *(uint64_t*)0x200000016b00 = 1; *(uint64_t*)0x200000016b08 = 9; syz_kvm_setup_cpu(/*fd=*/r[33], /*cpufd=*/r[41], /*usermem=*/0x200000efc000, /*text=*/0x200000016ac0, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PR*/8, /*opts=*/0x200000016b00, /*nopt=*/1); break; case 54: syz_kvm_setup_syzos_vm(/*fd=*/r[41], /*usermem=*/0x200000c00000); break; case 55: memcpy((void*)0x200000016b40, "\xe5\xb3\x1e\x15\x1b\x44\xd5\xa7\xe6\xd4\x31\x8c\x23\x84\x1c\xad\x91\x1c\xec\x23\xf0\xd3\x9a\x4b\xed\x97\x7a\x0a\x13\xd9\xf9\xd1\x06\xf5\x92\xbf\x97\xea\x28\xb0\x48\xc1\x76\x41\x55\xa6\x98\xd4\x13\xbe\x97\x12\xcc\xb2\x98\xc0\xb8\x9c\xa6\x70\x76\xbe\x69\xd8\x34\x91\xff\x71\xbc\x77\x33\xd0", 72); syz_memcpy_off(/*dst=*/r[40], /*off=*/0x20, /*src=*/0x200000016b40, /*src_off=*/0, /*nbytes=*/0x48); break; case 56: memcpy((void*)0x200000016bc0, "adfs\000", 5); memcpy((void*)0x200000016c00, "./file1\000", 8); memcpy((void*)0x200000016c40, "othmask", 7); *(uint8_t*)0x200000016c47 = 0x3d; sprintf((char*)0x200000016c48, "%023llo", (long long)6); *(uint8_t*)0x200000016c5f = 0x2c; memcpy((void*)0x200000016c60, "uid", 3); *(uint8_t*)0x200000016c63 = 0x3d; sprintf((char*)0x200000016c64, "0x%016llx", (long long)r[12]); *(uint8_t*)0x200000016c76 = 0x2c; memcpy((void*)0x200000016c77, "smackfstransmute", 16); *(uint8_t*)0x200000016c87 = 0x3d; memcpy((void*)0x200000016c88, "wlan1\000", 6); *(uint8_t*)0x200000016c8e = 0x2c; *(uint8_t*)0x200000016c8f = 0; memcpy((void*)0x200000016cc0, "\x78\x9c\x00\x00\x10\xff\xef\xe0\xf3\x2e\xee\x67\x26\x57\xd8\xe1\x2f\x0d\xef\x1e\xdc\xec\x7d\x6e\xe8\xb8\x00\xf9\xec\x5d\xce\xfa\x4e\x2f\x34\x00\xaf\xbf\xeb\x7c\xd1\x40\x1d\xf9\xc0\xa3\x6a\xaf\xe6\x78\x4e\xe5\x0c\xa0\x63\x41\xa0\x1b\x3f\xe4\x49\xf8\xfa\xc4\xd6\x1f\xc5\x7a\x81\xb5\xe1\xbb\x9d\x8d\xd5\xb7\x2d\x1f\x7f\x6d\xef\xc5\x36\x05\xcf\x95\x1f\xc6\x87\x84\xa1\xbb\x5a\x5a\xff\xb5\xa2\x0d\xd8\xc6\x4d\x9d\x5e\x7d\x68\xe8\x9f\x48\x96\xf0\xa5\x0b\xe4\x7d\x9d\x61\x0d\x02\x2f\x14\x97\x14\x80\x49\x98\x9a\x7b\x7e\xa6\x86\xaf\x0a\x6a\xde\xa7\x00\x81\xac\x0b\x4f\xaf\xed\x16\x14\x12\x9a\xe4\x1d\xec\x8b\xa2\x02\xc1\x9f\xe3\x15\x1a\xb7\x4d\x7b\x20\x51\xad\xb0\xc8\xed\xf3\x10\xcb\x88\x65\x0e\xc7\x74\x9b\xde\x4e\xaa\xb1\x51\x7b\x98\x8c\xd7\x18\x19\xab\x09\x74\x20\xc0\xeb\x23\x86\x52\xbf\x48\xcd\x2b\x1f\x50\x0e\x05\x74\xac\x4a\x7d\x2f\x54\xa8\xf0\x15\xae\xb2\x18\x8f\xc9\xaa\x13\x0b\x3e\x1e\xe5\x48\xf6\xca\x8f\x2a\x4c\x3b\xcf\xd9\xe4\x56\xee\x03\x4a\x04\xac\x28\xed\xbc\xbc\x9d\x55\xcc\x3a\xce\x6a\xe9\x26\x0e\x9b\xe2\x2f\xd0\x47\x7e\xbd\xc5\x8c\xea\x74\xc5\x73\x92\x1c\x08\xa9\x6c\xa3\x97\x9a\x94\x8c\x16\x11\x5b\x86\xba\xe4\x0b\x72\x7b\x4d\x01\x95\x0a\xd2\x6c\x2f\xd4\xc7\x73\x16\x35\x04\xe5\x5a\x63\x08\x55\x33\x79\x9f\x81\xaa\x9e\x99\x25\x6d\x11\x3a\x4c\xb8\x98\x13\xf6\x21\x0a\x4b\xc9\x69\x20\x88\x47\x8d\x0d\xe7\x55\xb7\x40\xa6\xdc\x1e\x4b\x34\x6f\xa3\x3b\x30\xa2\x67\x63\x3d\x3b\x70\x92\x3f\xab\x75\x19\x72\xa9\xb5\x3f\xd5\x28\x15\xf3\x90\x37\xb5\x3c\xb4\x69\x70\xd8\xe5\x03\xc4\x5b\x5f\x7f\x18\x6a\x25\x4b\x38\x89\x9f\xb7\x75\x1b\x21\x76\xc9\xe9\x40\x93\xc1\xfe\x7a\xab\xba\xe2\xd3\x1a\xaa\x79\xa0\x76\xa6\x70\xb2\x4e\xaa\xad\xfb\x8f\xf6\x9c\x80\xdc\x09\x8d\x95\x14\x72\x9b\x60\x52\x62\x2e\x13\x08\x0a\x09\xff\x94\x97\x3c\x24\xe4\x30\x60\x6a\x7a\x3b\x03\x43\x4d\x5b\xbb\xd3\x95\xeb\x14\x7e\xdd\x99\x9e\xc8\xe3\x8d\x0d\x98\xf4\x56\x80\x9b\x9f\xdc\xf7\x42\x30\xd6\x1e\xce\x5c\x18\xdb\x04\x04\x2d\x1a\x90\xf0\x1f\x24\x15\x28\xd9\x7d\x38\x32\xcf\xc6\x20\xe5\x97\x36\xfb\x11\xb8\x31\x36\x8d\x45\x9a\x3e\x26\x34\xa1\xdf\xda\xe8\xad\x9b\x34\x2c\x5d\x70\xae\x32\xfe\xf3\xfc\x64\x0e\xe1\x28\x81\x38\xda\x4e\x7a\xef\x89\xe3\x24\x2e\x3c\x4b\x53\x4d\xf9\x04\x92\x8d\xc4\x21\x9f\x74\xe9\xab\x62\xaa\xe9\x59\xc4\x2c\x9f\x4b\xc3\xa7\x1b\xa8\x3c\x9c\x90\x2a\x1d\xe6\x0e\x6e\x51\xe4\x99\x65\x55\xaf\xf5\x98\x9e\x35\xa2\x86\xf4\xa1\x03\x0f\x85\x8e\xdf\xc5\x02\x0e\xe4\x28\x0e\x72\x54\xeb\x4c\x2d\xe6\x3b\xd7\x3d\x6f\x2b\xe7\x98\x4d\x27\xc7\xfa\x17\xea\x39\x86\x0e\xeb\x82\x5b\x91\x2b\xa2\x97\xea\x17\x8d\xa5\x26\x62\xc7\x92\x2c\x52\x96\xfd\xac\x90\x31\xa1\x99\x82\x64\xbf\x07\x1a\x03\x74\x1a\x4b\xfb\xe9\xab\x43\x45\xf8\x2c\x0a\x67\x5c\x93\x6f\x5b\xd6\x8a\xa3\xd5\x62\x1a\xba\x90\x03\xdb\xcd\xdf\x81\x99\x66\xf1\x27\x26\x93\x09\x47\x3a\xd1\x46\x24\xbb\xff\x49\xf9\x52\xcb\x1a\x41\x30\x80\x18\xe9\xb3\xb4\xc4\x64\x64\xff\x4a\x3a\x49\xfc\xaa\x7e\xfe\xc8\xf8\xa4\xec\xe2\x95\xf1\xab\x79\xa0\xd0\x91\x1b\x3e\xa7\xa1\xf7\xf8\x25\x22\x19\x3e\xee\x1b\x17\x1e\x82\x7d\xf2\x3b\x40\xfd\x76\x5d\x99\x87\x10\x54\xdc\x08\xa7\x05\x32\xbf\xfa\x45\xc5\x08\xdb\x35\x90\x65\x04\xfb\xb1\xee\x48\x8c\xd9\x82\xe3\x3e\x0d\x88\x31\x37\x00\x2a\x44\xe8\xb0\x22\x37\x12\x7b\x07\x22\x00\xad\x96\x7f\xd3\x7d\x28\x8d\x32\xf5\x59\x9b\x39\x9d\x76\xdb\xa3\x6d\xfb\x67\x6b\xa4\x5c\xfe\x79\x3e\xd8\x42\x50\xf3\x1d\xd9\xc0\x10\x5d\x02\xe8\x8d\xd6\xb3\x56\x01\xc5\x01\xf0\x32\x67\x20\x54\x6a\x22\xde\x47\x36\x3b\x87\x69\x9f\xb4\xa1\xc0\x8b\xf1\x5f\x24\x4a\x6d\x3d\xdd\xef\x77\x06\xd3\x9e\xf0\x13\xf9\x55\xf0\x12\xb1\xd8\x18\x5a\x00\x4a\xcf\x8c\x33\x90\x04\xf1\xbe\x62\x8f\xa4\x01\x4b\xe2\x95\xa6\x67\x67\x04\xa7\xf0\x99\x7f\x22\x5f\x11\x56\x36\x8e\x06\x42\x88\x9b\xe3\x06\xf3\x39\xf7\xcd\xfb\x04\x40\xb2\xb9\x9d\x99\x88\x5c\x36\x35\x63\xdc\x58\xee\x4e\x14\xb2\x26\xfd\x90\xe4\x1e\x18\xb0\xbd\xb8\xd1\xfb\x37\xe0\xf9\x19\x13\xf0\x3d\xa2\x22\xc9\x8d\xf6\x47\x83\xab\x64\x86\xd0\x31\x19\xbc\xa2\x08\x0b\xef\x6a\x46\x73\xa9\x21\x68\xf1\x78\xce\xd4\xd7\x30\x3d\x0e\x58\x0a\xfe\x16\x32\x1e\xef\x24\x6b\x34\xa9\x21\x94\xc2\x46\x5b\x05\x7f\x3b\x63\xf6\x72\xd1\xdc\xfc\x11\x08\xc6\x91\xbf\xf9\x23\x63\xed\x8f\xa7\x24\x58\x29\x7e\xac\xd4\xb9\x12\x34\x9a\x46\x31\x95\xa6\x18\x6a\x0a\x48\x99\x70\x0d\xfa\x45\x85\x84\xb1\xbd\xb3\x43\xa9\x88\xc4\x35\x7a\x4d\x86\xff\xbc\x45\x0d\x4b\x90\x58\xa0\xc0\xc8\x91\x24\x8d\x6c\x71\x7e\x0e\xce\x95\x36\x92\x7c\xce\x4d\xfa\x71\xca\x13\x42\x70\xa9\x89\x19\x09\x2f\xf7\x67\x66\x1c\xf6\x57\xf9\x43\x2c\xc9\x09\x73\x6d\xea\x51\x13\x7e\x32\x27\xc0\xad\xba\x93\x90\x56\x80\x27\x11\x24\x35\x04\xd3\xe1\xff\x31\x3a\x23\x5d\x17\x46\xd2\x4c\xbf\x18\xf8\x3e\xad\xec\x6b\x03\x82\x39\x15\x40\xed\x24\x6b\xa8\xf9\x4f\x62\x1a\xf8\xb2\xa3\x66\xa7\x0d\xf1\x4e\xeb\xa4\xa6\xc2\x46\xb2\x2a\xab\xc2\x98\xd5\x1c\xb2\x89\x2f\x3d\x45\xfd\x57\x27\x21\x00\x38\xb6\xe8\xd1\x95\x02\x9e\x8a\x34\x54\xbc\xac\x1e\x16\x3c\xfb\x38\x71\xc1\x81\xfd\xc0\x69\x9e\x72\x2b\x77\x1f\xf5\x55\x20\xe8\x9f\x69\x48\x5f\xa8\xf4\x30\xfe\x2a\xc3\xb0\x0d\x4c\xe8\x88\x73\x25\x42\x4e\x9e\x5d\xd6\x40\x1f\x69\x9a\x37\x42\x01\x43\x1f\x39\x52\x0a\x8a\xfa\x32\x93\xdf\x4a\x41\x83\x73\x55\xfa\x00\xde\x61\x34\x1c\x98\x3e\x10\x7e\x28\x32\xa2\x31\x8f\x22\x10\xc5\x10\x2d\x62\xe0\xd7\xde\xe8\x47\x2b\x26\xeb\x4b\x89\x81\x99\xef\x5f\x2a\x70\xa3\x67\xd4\x03\x0b\x87\x66\x61\x73\xc5\x26\x31\x54\xbd\xfd\x5e\xd5\x72\xf9\x90\xbf\xce\xae\x68\x31\x42\x71\x80\x68\x21\x5c\xe2\x77\xab\x36\xe6\xde\xdd\xac\x97\x48\x62\xc0\x8a\x49\xb0\x86\xaf\x6c\x2a\xe5\xb4\xb9\x10\x6e\x0a\x8e\xf7\xe8\x27\xad\xca\x80\xfd\x66\x22\xb1\x34\x2a\x26\x61\x61\xbc\x5f\xd5\x78\xbd\x2e\x0d\x6e\x1f\xd8\x99\x9f\x57\xb5\x0a\xff\xba\x43\xc5\xc7\x57\xaa\x6c\xf9\xd4\x57\x3b\xe6\x5c\x06\x53\x3a\xd1\xf4\x97\x1a\x4f\x74\x4c\x4b\xee\x98\x48\x25\x09\x79\x5e\xdc\x82\x3c\x54\x8f\x10\x04\xf8\xc9\xa0\xf2\x3a\x03\x97\x83\x81\xce\x02\xab\xed\x8c\x34\x99\xf9\x08\x2c\x71\xc3\x89\x08\x84\xd2\xde\x99\x5f\x24\x45\x8e\x62\xa9\x69\xd8\x6b\x8a\x92\x20\xf4\xfe\xaf\x7f\xc1\xfa\x8a\x0e\x8e\x42\xce\xd7\x62\xd4\x7b\x52\xb0\x7b\x50\x4b\x43\xd1\x1f\x40\x25\xac\x1b\x30\x6e\x3a\x1d\x0b\x83\xd4\xff\x75\xa6\x46\xb3\xb3\x4f\x8c\x1a\x16\xdb\xce\xc0\xbc\xe8\x97\x55\xf8\xa0\x7a\xca\x9c\x27\x26\x2d\x8b\x01\x57\xf6\x37\xd4\x92\x03\xde\x1c\xfc\xb2\x30\x36\x41\x3e\x8d\x0b\xe6\x53\xc3\xa4\x26\xc2\x86\x50\xa7\xd2\xcd\x7e\xe2\x28\x99\xc1\xd0\xf8\xfb\x37\x68\xc8\x0d\x14\x16\x77\xe0\x72\x0a\x8e\xf6\x73\x98\xee\xbf\xad\x8f\x71\x50\xde\x0b\x99\xda\x75\x26\xee\xd6\xa3\x47\xd1\xc0\xfd\xdd\x06\x72\x30\x58\xa4\x9e\x58\x45\xc8\x17\x21\xcd\xca\xa8\x24\x39\xb1\x16\x83\xc5\xb6\xfd\x1a\x8c\x82\xc0\x75\xf0\x77\x73\xb2\x34\xd1\xf8\x1d\x9f\x0c\x80\xd6\x48\x2c\xd2\x1f\x34\xe5\xcf\x71\x58\xf6\x08\xd4\xca\xdf\xc1\x57\x9f\x1b\x68\x64\x5e\x1e\x50\x15\x69\x4e\xa8\x42\x07\xfa\x41\xa4\x30\x6b\xb6\x1a\x64\x87\x76\xb5\xa7\x14\x03\x62\x18\x24\x86\xc0\xf3\x5b\x19\x83\xcf\xdb\xa1\xd7\xc7\x58\x4e\x4c\x50\x97\xff\xb9\x8d\x12\xd3\xd0\xea\xa1\x69\xb3\x7a\xd8\xc7\x46\xd8\xb6\x96\xa7\x07\xe4\x5a\x3f\xf0\xf6\xb0\xc9\x31\x8d\x71\x29\xb6\xa4\x6c\x9f\x86\xde\x6e\xab\x4c\x89\xc3\x5b\x18\x5b\xc6\xc6\x93\x46\x4a\x27\x87\x81\x7b\xc3\xcd\xd8\xfe\x8c\xc6\xbc\x3d\x6f\xae\x79\x19\x8f\x87\xc7\x13\xe2\x11\xa0\xc5\x18\x75\x23\xea\x19\x4c\x08\xf9\x65\x7a\x38\xdc\xae\xb1\xeb\x73\x46\x17\xd5\x9b\xf6\xf8\xa1\xeb\x9d\x5f\xdc\x15\x5c\x96\x5a\x94\xc1\x08\xe6\xc0\x8b\x3b\x12\xee\x2b\x6e\xb3\xff\x0f\x08\xa6\xbc\x61\x17\x51\x39\xa6\x45\xfd\xf3\xb5\x1d\x4b\x70\xf8\x69\xc4\x29\xf9\x62\x2b\x78\x1a\x61\xff\x00\x53\x98\x4c\xdc\x94\xd0\x6e\x2e\xde\x17\x2a\xa8\x93\xdf\x4f\xb9\x13\xc7\x30\x79\xd1\xd6\xdb\xb0\x0a\x3e\x60\x7a\xc7\x2a\x58\x82\x00\x8d\x62\x60\x55\x32\x4b\xf3\xda\xc6\x6b\x41\x38\x94\x8b\xc7\x2a\x7d\x6d\x59\x9f\x5d\x37\xa2\x99\x9d\x7f\x5b\x79\xb6\x8e\x6b\xaa\x47\xeb\x94\xa6\x23\x40\x6d\x35\xd2\xcc\xbc\x2e\x05\x1e\x9d\xbf\xb5\x74\x8e\x62\xf5\x1d\xec\xff\x7d\x9b\x90\x1a\xc2\x70\x1b\x9e\x86\xa8\x17\xec\x00\x43\x64\x23\x4c\xf0\x76\xc4\xec\x62\xd5\x0d\x6f\x60\x85\xff\x37\x88\xeb\x10\xe2\x55\x4f\x36\x74\xfd\x61\x80\xb6\xf4\x34\x84\x04\x14\xc8\xcb\x15\x37\x38\x9c\xbf\x95\xe5\xa4\x15\x26\xbc\xf4\xde\x48\xab\xba\xc8\xec\xd1\x37\xf1\x0d\x4e\xd8\x99\x5b\x35\xa9\x91\xa9\x90\x17\x95\xe9\x50\x5d\xe0\xe2\xbb\x96\x72\x75\x1a\xc4\xe9\xd6\x52\x5c\x69\x48\xf8\x92\xff\xbf\x7d\x12\x58\x28\xb9\x4e\xe5\xa9\x24\x47\xe6\x77\xce\xd8\xa6\x81\xa2\xf3\x6e\xa6\xaa\x9f\x38\xba\x6f\x46\x24\xb0\x35\xbf\x3b\x87\x04\x95\x07\x37\x47\xa0\xef\xb7\x4e\x92\x71\x88\xa7\xba\x16\x4a\xa1\x31\xf9\x45\x16\xd4\x8b\x5b\x57\x38\xb2\x62\x94\x0b\xc6\x85\x22\xa0\xd1\x4e\xba\xab\x16\x74\x48\xfd\xf9\xd8\xd1\xbf\xce\x14\x4f\x8c\x6d\xae\x28\xaa\x55\x8d\x57\xc5\x34\x10\xcb\x23\x5d\x7c\x76\xdf\x41\x53\x31\xd0\xc7\x0d\xaf\x43\x0e\x1d\x7d\x76\x79\x5a\x8f\xc4\x3f\x1b\x6d\x47\xa9\xf5\xef\x1a\x9d\x4d\xbb\xe9\x0b\x61\x09\xa9\x52\x16\x2e\x2a\x97\x59\x6f\x0a\x61\xab\x94\x72\xf1\x96\x01\x75\x39\x3d\x5f\x2c\x94\xe2\xee\xfd\xa7\x23\xaa\xc8\xc8\xe0\x94\xc3\xae\x8c\x17\xd5\x33\xb5\x1b\xc9\x06\xef\xcb\xe8\xbf\x61\xc8\x61\x66\x9d\xca\xe4\xb7\xa9\x67\x9e\xd5\x62\x73\x3c\x7a\xe9\x7c\x61\x8f\x30\xd5\x75\x76\xab\x3b\x1f\xe2\xda\x72\xef\x43\xf4\xd4\xaa\xad\x88\x13\x69\x6a\xd4\x85\x20\xc1\x1d\x0b\x02\x7c\x81\xed\x84\xc0\x7e\x8b\x1a\x12\x2f\x5d\x15\x08\x70\x2e\xd8\x31\x33\xb2\x7f\x44\x50\x76\x9a\x30\x08\x5e\x37\x2b\x99\x4b\x68\x82\x67\xa3\xae\xf2\x8c\xf9\xe9\xa0\x8b\xae\x19\xb4\xb7\x95\x48\x2a\xff\x78\x0b\x25\x2b\xf8\xa3\xef\x4f\x5c\x9f\x20\xae\xbe\xa6\x8e\x3c\x28\xa9\xd7\xc9\xe5\x9a\x95\xe9\x83\xa1\xd4\x96\xda\xeb\x63\xa8\x26\x8b\x73\x76\xe3\x94\x2a\xb2\x12\x66\xee\x37\x4e\x3b\x01\x60\x72\x28\xb2\x75\x09\xe3\xad\x89\xe8\x1d\xf4\xef\xd2\x43\x85\xdf\x15\xa9\x67\xe5\x30\xcc\x4c\xdc\x8d\xbd\x21\xe4\xf1\x1e\xc8\xc8\x7a\xc9\xc5\x4a\x5d\xda\x96\xc8\xd3\x6e\x9b\xd0\x06\xc4\xc5\x49\x19\xd6\xbc\x56\xb0\xc8\x2b\x5c\xcf\xb8\x29\xcf\xa9\xb9\x89\x68\x86\xfd\x78\x3e\x2a\x76\xee\x65\x57\x06\x6b\xd7\xf3\x01\xe6\xff\x17\x27\xf5\xc3\x0f\x98\xee\xc0\x52\xd2\x36\xda\xc5\xf5\x71\xf1\xea\x9a\xc2\x15\xd2\x2f\x9b\xc3\xc1\x05\x27\x50\xb6\x89\x18\x81\xf4\x5c\xf3\x27\x5d\xee\xb0\xe4\xc0\x59\x2a\x80\xb7\xf5\x41\x41\x61\x55\xc3\xc7\xf3\xfc\x2f\xab\x83\x2e\x09\x16\x9b\x08\xc8\x41\x14\xf9\xce\xe8\xcf\x33\xad\x18\x45\xd9\x9f\x3d\x54\x28\x7e\xaf\x9f\x1b\x96\x41\x2f\x36\xa9\xd7\x0a\x57\xec\x7e\x4b\x11\x21\x19\x40\xa2\xf8\x4e\xe1\x80\x38\xfe\x2f\xdb\xb0\x99\x8b\xf1\x49\x4d\xd1\x38\x28\x5c\x3c\x76\xdd\x95\x2b\xab\x27\xa2\x5d\x38\xca\x58\x74\x12\x0e\x77\x8b\x31\x72\x8b\x9b\x91\x6e\x04\xee\x0a\x46\x8c\x7f\x2f\xff\x5a\xb0\xfd\xb8\xb7\x1a\x71\xd6\x58\x4a\x7d\x3c\x74\xe1\x3e\xcf\x94\xbd\xc4\xe2\x41\xa3\x4b\x8d\xa5\xcd\xcb\xf9\xb2\x81\xc0\xe7\xa9\x1f\x75\x3d\xba\xca\xa8\x50\x3e\x95\x2f\x1e\xbc\xf7\xe5\x9d\xcd\x3a\xf2\xba\xff\xe6\x51\x66\xed\x82\xd1\x02\x03\xf2\x6e\xd2\x21\x33\x16\x75\x71\x24\x74\x35\xef\xbd\x98\xa0\x6a\xbb\xe9\x6f\x6f\xe9\x96\x94\x05\x0f\xf8\x1f\xd0\x90\x41\x4b\xc9\xde\x21\x0e\x03\xf7\x9f\x80\x79\xef\x40\x40\xd1\x89\xbf\x03\x2a\x99\x7f\x43\x8e\x13\xb5\xd2\x46\x9e\x09\x69\x00\xe2\xb9\x86\x09\x9f\xe8\x75\xaf\x6e\x26\x0c\x37\xbe\x4c\xaa\x08\x9a\x94\x0a\xc0\x7e\x58\x49\xeb\xc0\x27\xbc\xf2\x89\xf6\x15\xf3\x73\x13\x05\x8f\x61\x35\xaf\x25\xf8\x25\xfc\x5f\x28\xce\x77\xa7\xf7\x31\x50\xd0\x06\xa0\x70\x31\x0f\x9c\xf2\x1f\xc5\x20\x7b\xc4\x00\xa6\x69\xd1\xeb\x66\x10\xfd\x12\x67\x8c\x1d\x23\xa7\x84\x34\xaf\x46\xbf\x7f\x25\xd8\x58\xf5\x6e\xc4\x19\x98\xd4\xb1\x7a\x96\x46\x14\xf2\xb5\xdd\xef\x2f\x10\x23\x15\x35\x53\xc8\x35\xcb\x7b\x82\x4a\x53\x11\xae\x38\xd6\xf2\x40\xf4\x1f\x45\x33\x00\x0e\x9b\xde\xd8\x22\x47\xb9\x04\x43\xe4\xed\x02\xdc\xad\xab\x7d\x6c\xe1\xf4\x32\xfe\x1a\x37\x2c\xb8\x13\xc3\x1a\xd1\x3e\xd8\xdc\x8e\xe1\x5b\xc6\xfe\x29\xf9\xa1\xbc\x5b\xaf\xcf\xf4\x40\x56\xac\xbc\xbc\x7e\xff\xfe\xac\x32\xc5\x10\x5d\x43\x50\x7d\x9c\xf2\xf5\x42\x9c\xa7\x18\x97\xc1\x6b\xe9\x71\x96\xb6\xda\x7d\x69\x19\x9b\x09\xfc\x36\xad\xd0\x7b\x0e\x18\x9a\xca\xc5\x23\x66\xd1\x10\x44\x22\xf3\x96\x4c\xd5\xc8\x14\x92\xb2\x55\x0a\x7f\x7f\x17\xa6\xe3\x8f\xf9\xbc\xf3\xe9\x72\x55\x52\x97\xf1\x97\x21\x52\x93\xe0\xdd\x78\x8f\x0d\x8a\x1f\x76\x52\x4c\xf5\x4c\x72\xc0\x3e\xba\x64\x92\xf9\x3b\x43\x68\x99\x9b\xb3\x07\xcd\xa5\x7b\xbb\x03\x9a\xf5\xe0\x31\x9c\x27\x62\x5c\x85\x89\x44\xa2\xa7\xc5\x56\xf0\x90\x61\x24\xc6\x1c\xb7\x38\x5d\x1f\x65\x1d\x8c\x5f\xee\x23\x81\xcc\x17\x51\x9d\x20\x60\x80\x99\xd6\xce\x7e\xdf\x9b\xa8\xfd\x02\x49\x26\x30\xf8\x6e\xc6\xe7\xa6\x81\xf8\xe0\x29\x20\x95\x01\x28\xdf\xef\x59\x81\x4a\x29\x21\x37\xaa\x1a\xe7\xee\x2b\x25\x0a\x87\xda\x9d\xfb\x01\x31\x20\x5f\x96\xe6\x12\xd1\x17\x8d\xff\xd4\xf9\xf5\xad\xf3\xb6\x82\x70\xc4\x8c\xb4\x67\x72\x00\xca\xee\x70\x9f\xa3\x73\x3c\x17\xa9\xa3\xa7\x1a\x36\x41\x88\xec\x12\x17\x9a\x1a\x22\x86\x4b\xba\xc0\x09\x72\xe1\x9e\x35\xce\x6e\xe8\x4a\x6d\xf1\xdc\x95\xc5\x5b\xda\xf3\x7c\xe0\x3f\xcc\xf1\xf0\x9e\xdb\xe7\xce\x23\x1b\x06\x46\x47\xae\xc7\x4c\xd0\xe4\x5a\x22\x4d\xd4\x21\xe6\xa9\x47\x19\x98\xa0\xd4\x71\x70\x0c\xd4\x7a\x61\xfd\xc7\x28\x65\x18\xfa\x88\x9f\xf8\x07\x7c\x39\x50\xab\x0e\x72\x4a\xc8\x7d\xdb\x80\x43\xe6\x9c\x6d\x71\xd2\xc0\xb6\x07\xe4\x27\x6f\x19\xec\xc0\x23\x63\x34\x89\x5d\xc5\xb5\xa6\x6b\x32\x3c\xfb\xb7\x66\xd5\xdc\x1c\x3c\x30\x1c\x0e\xbe\x2b\x47\x17\x5b\xf0\x19\x2f\x3e\x2c\xc0\x25\x0c\xcb\x80\x7c\x0d\x46\x6b\x8b\x0a\x85\x28\x01\xbc\xf1\x2c\x27\x0e\x2a\xcf\xee\x34\xc7\xcd\x17\x6e\xf9\xb3\x8b\x3d\x59\x5c\x00\x89\x80\xf4\x56\x5d\x02\x02\x3c\x40\x73\x20\x83\xff\x6e\x9d\x70\x0d\x58\x23\x27\xe0\x64\xab\x33\x56\x11\x0c\xf3\x50\x7a\x43\xa0\x53\x8f\x30\xda\x27\x4c\xf0\x45\x6a\x6e\x8f\x98\x47\xa2\x39\xe7\x2b\x99\x62\x1c\xde\x34\xe1\xb6\x02\x63\xd3\xae\x53\xe2\xfd\x10\xd1\xb3\xef\x75\x44\x26\xee\xf7\x1b\xc1\xf7\x0f\xb2\xfb\x34\x21\xc4\x24\x9b\xad\xb3\xc1\x95\x92\x55\xd8\xa4\x0f\x66\xe1\x90\x64\xc4\xee\x01\x18\x50\x0d\x78\x05\x9c\x52\x86\xff\x7a\xa3\xb8\x3e\xc9\x0b\x7f\x6a\x06\xc9\xf2\x06\x76\x8e\xc3\xdc\xac\x63\x05\xc5\x8d\x10\x5c\xa2\xee\xe5\x32\xbe\x2f\xfb\x02\x13\xb3\x11\x3a\x97\x58\xe6\x81\xc8\x91\x01\xd9\xfb\x08\xbb\x4c\x63\x41\xf4\x66\x19\xaa\x56\xb5\x77\x79\xf7\xb9\x2a\x10\x17\x5e\x4e\xff\xa4\xd6\x11\x96\x67\x69\x94\x2a\x05\x97\x70\x7c\x64\x21\x36\x64\x9a\xbb\xb3\x5d\xd2\xc8\xf8\x34\x70\xfc\xb9\x58\xc4\x3f\xd6\x3e\x0d\x2c\x17\xcf\x1f\xf0\x07\x5c\xc4\x61\xd8\x30\x42\x9a\x3e\x08\xe4\x71\xce\x12\x7e\xcc\xc3\x27\x56\xec\xb3\x00\xcd\x86\xd0\x09\xbc\x96\xda\xc0\x15\xc7\xb6\x29\xde\xc2\x79\xa4\xa4\x50\xed\x24\x22\xc2\x3c\x6b\x31\x1e\x66\x3a\x0a\x90\xe1\xaa\x20\x4e\xbd\x0b\xbc\x71\x03\xe3\x18\x79\xb0\x4a\x47\x74\x58\x8e\xd8\x65\xb8\xa5\x51\x01\x7d\x4e\x85\xe7\x30\xb2\x00\xda\xfd\x7f\x4b\x5e\x7e\xb4\x8f\x35\xa7\x33\x4d\xcb\x74\x43\xc0\xe8\xa3\x4c\x38\x13\x0b\x53\x4a\x3c\x2e\xc7\x5d\x36\x89\x7e\x3a\xb9\x6b\xfa\xa4\x0a\x99\x05\x44\x73\x5e\x35\x97\xcf\xa6\xad\xa2\x45\x53\x14\xa7\x21\xe5\x33\x34\xc8\x4c\x73\x62\x45\xfb\x2d\x4d\x98\x63\x10\x35\x73\x4c\x0d\x69\x2b\xb6\x95\xbc\x5d\xc7\xff\xf6\x8e\x71\xe6\xc6\x72\x1b\x01\xa2\x83\xa7\x98\x4b\x55\xa8\x8b\x3e\x73\x0c\xee\x64\xb9\xe9\xe6\x34\x3e\xa3\xc1\x8f\x42\x7c\x01\x84\xcb\x44\x90\x46\x89\x01\xe8\xac\x07\xe8\x8a\x0e\x68\xf2\x8c\x1d\xb6\x40\x6d\x09\x85\x3b\xd3\xe0\x97\xda\x56\xc1\xff\x58\x1e\x93\x2d\xfa\xb3\xfd\x2a\x76\xe9\x1a\xc6\x5c\x5c\x51\x27\x73\x06\x0b\xa4\xcc\x3e\xea\x4c\x6b\xa4\x56\x76\x51\x78\xb8\xad\xbc\x75\x14\xb0\xc9\xab\x48\x62\x1b\xbd\x0d\x31\x47\x1d\x15\x67\x9e\xcf\xa9\x94\x46\x32\x53\x90\x6e\x60\xee\x8d\xb9\xe8\xab\x1f\xa1\x35\x97\x62\xc0\x2d\x61\xca\x4e\xf8\x6e\xd5\x91\x62\x60\x0d\xce\x33\x62\x2e\x6e\x88\x16\xee\x18\x6b\x00\xa3\x06\x22\x08\x9e\x90\x39\xfb\xc1\x97\xc5\xd1\x90\x67\xaa\xcb\xdf\xd4\x37\x6c\x75\x3f\x66\xf0\xb2\xa6\x95\x89\x90\xcc\x8d\x81\x6e\x3e\xae\x6b\x94\xa6\x5b\xfa\x17\x36\xed\x98\x7a\x9d\xab\x75\xb5\x41\x72\xb3\xc9\xd9\xba\xae\x4c\xf2\x29\x75\x39\xd0\xfc\x7f\x72\x4b\x59\x96\x4b\x6b\x50\x4c\x52\x28\x64\xae\x30\x47\xf2\x61\x44\xfc\xdf\x29\xee\x2d\xa8\xb0\xde\x86\xc7\x35\x2b\x20\x54\xd0\xa5\xd5\xa4\x97\x8a\x25\x60\xd9\x80\xee\x75\x1d\x28\xc4\xc7\x50\x0a\x7e\x46\xc6\x97\x85\x14\xf0\x3c\xf8\xdf\x75\x5e\xba\xbd\x3a\x89\xaf\x41\xfa\x67\x34\xdd\x6d\xf5\x75\x6f\xc1\x13\x0d\xcc\xe4\x44\x0f\x57\xb0\x04\x87\xa2\xef\x7c\xe7\x06\x87\x55\x3b\xfd\x1d\xce\xcb\x0c\x25\xbc\x1c\xb4\x21\xb0\x0b\x19\x12\x18\xec\x1d\x63\x45\x5c\xc8\x58\xda\x4f\x66\x97\x99\xca\x4d\x39\xfc\xa4\x1a\xa1\x58\x90\x68\xdb\xbb\x2e\x3c\xf9\x11\x1a\x5b\x02\xc7\xf9\xcf\xaa\x1b\x04\x62\xd4\x5b\x9c\xa1\xa7\xd3\xdf\xc5\xad\x5c\x15\x2c\xf8\xa4\x89\x2e\x9f\xde\xf9\x9f\xa8\xa4\x9d\x02\x7f\xb6\xd1\x63\xc6\x08\x37\x0f\x9d\x22\x98\x98\xee\xc2\x72\xd8\x8c\xb0\xc9\xf3\xcf\x80\x6b\xf8\xcb\xf4\x37\xd4\xca\xd3\xab\xd2\xa9\x4d\x53\xb3\x26\xb3\x00\xd9\xeb\x01\xd2\x00\x35\xb4\x19\x5b\x05\xa7\xcf\x75\xd7\xe3\xaf\xf4\x27\x74\xd2\x03\xc8\xc9\xe3\xe9\x2f\xc8\x98\xb0\xff\x50\x81\xbc\x7b\x2e\xbb\xfc\x48\xad\x18\x03\x01\x00\x00\xff\xff\x8b\xe0\xeb\xc3", 4112); syz_mount_image(/*fs=*/0x200000016bc0, /*dir=*/0x200000016c00, /*flags=MS_SLAVE|MS_REMOUNT|MS_NOEXEC|MS_NODIRATIME*/0x80828, /*opts=*/0x200000016c40, /*chdir=*/0, /*size=*/0x1010, /*img=*/0x200000016cc0); break; case 57: memcpy((void*)0x200000017d00, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000017d00, /*id=*/9, /*flags=__O_TMPFILE|O_NOCTTY|O_EXCL|O_DIRECT|O_CLOEXEC|0x400*/0x484580); break; case 58: res = syscall(__NR_getpgid, /*pid=*/r[16]); if (res != -1) r[42] = res; break; case 59: memcpy((void*)0x200000017d40, "net/if_inet6\000", 13); syz_open_procfs(/*pid=*/r[42], /*file=*/0x200000017d40); break; case 60: syz_open_pts(/*fd=*/r[33], /*flags=O_PATH|O_NONBLOCK|O_LARGEFILE*/0x208800); break; case 61: syz_pidfd_open(/*pid=*/r[19], /*flags=*/0); break; case 62: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[43] = res; break; case 63: syz_pkey_set(/*key=*/r[43], /*val=PKEY_DISABLE_ACCESS*/1); break; case 64: memcpy((void*)0x200000017d80, "\x78\x9c\x00\x93\x00\x6c\xff\xa4\x51\x5c\x20\x6d\xec\x63\x25\x4e\xaf\x44\xc2\x33\xe0\x2f\x98\x97\x92\x6a\x17\x55\xe9\x12\xa6\x87\xbb\x89\xb1\xfa\xa0\x5f\xf9\x0f\xf6\x40\x2b\xc5\xe9\x75\x6f\x02\x03\x9a\xe3\xb9\x2c\xdc\xbc\x20\x3e\xfb\x43\x79\x97\x11\x96\x1f\x15\xf1\xa9\x29\x78\x2c\xb9\x86\xa7\x76\xe7\xb0\xfe\x60\x61\xbd\x20\x65\xdc\xa6\x1f\x00\xc5\x5b\xc5\x43\x7b\x98\x0f\xfc\x36\x79\x9e\x29\x87\x3d\xb9\x38\x2c\xdb\x1c\x64\x53\x5e\x09\xdb\x7a\xcd\xc3\x61\xf2\x2f\xd3\xb1\xd5\x64\x09\x9d\x55\xe5\xeb\xb0\x07\x85\x92\xcd\x5e\x96\xc5\xdf\xe6\x1b\x08\x36\x81\x36\x77\xf3\xce\xd9\x1b\x16\x07\xe4\x38\x9b\x94\x8b\x98\x40\x01\x00\x00\xff\xff\xda\x37\x48\x83", 163); syz_read_part_table(/*size=*/0xa3, /*img=*/0x200000017d80); break; case 65: syz_socket_connect_nvme_tcp(); break; case 66: *(uint8_t*)0x200000017e40 = 0x12; *(uint8_t*)0x200000017e41 = 1; *(uint16_t*)0x200000017e42 = 0x200; *(uint8_t*)0x200000017e44 = 0x8d; *(uint8_t*)0x200000017e45 = 0xd8; *(uint8_t*)0x200000017e46 = 0x82; *(uint8_t*)0x200000017e47 = 0x10; *(uint16_t*)0x200000017e48 = 0x1bbb; *(uint16_t*)0x200000017e4a = 0x203; *(uint16_t*)0x200000017e4c = 0xa779; *(uint8_t*)0x200000017e4e = 1; *(uint8_t*)0x200000017e4f = 2; *(uint8_t*)0x200000017e50 = 3; *(uint8_t*)0x200000017e51 = 1; *(uint8_t*)0x200000017e52 = 9; *(uint8_t*)0x200000017e53 = 2; *(uint16_t*)0x200000017e54 = 0x733; *(uint8_t*)0x200000017e56 = 3; *(uint8_t*)0x200000017e57 = 0xb; *(uint8_t*)0x200000017e58 = 1; *(uint8_t*)0x200000017e59 = 0x80; *(uint8_t*)0x200000017e5a = 1; *(uint8_t*)0x200000017e5b = 9; *(uint8_t*)0x200000017e5c = 4; *(uint8_t*)0x200000017e5d = 2; *(uint8_t*)0x200000017e5e = 5; *(uint8_t*)0x200000017e5f = 0; *(uint8_t*)0x200000017e60 = 0xf; *(uint8_t*)0x200000017e61 = 0xcd; *(uint8_t*)0x200000017e62 = 0x1f; *(uint8_t*)0x200000017e63 = 0xf3; *(uint8_t*)0x200000017e64 = 6; *(uint8_t*)0x200000017e65 = 0x24; *(uint8_t*)0x200000017e66 = 6; *(uint8_t*)0x200000017e67 = 0; *(uint8_t*)0x200000017e68 = 1; memset((void*)0x200000017e69, 60, 1); *(uint8_t*)0x200000017e6a = 5; *(uint8_t*)0x200000017e6b = 0x24; *(uint8_t*)0x200000017e6c = 0; *(uint16_t*)0x200000017e6d = 0x80; *(uint8_t*)0x200000017e6f = 0xd; *(uint8_t*)0x200000017e70 = 0x24; *(uint8_t*)0x200000017e71 = 0xf; *(uint8_t*)0x200000017e72 = 1; *(uint32_t*)0x200000017e73 = 2; *(uint16_t*)0x200000017e77 = 8; *(uint16_t*)0x200000017e79 = 3; *(uint8_t*)0x200000017e7b = 1; *(uint8_t*)0x200000017e7c = 6; *(uint8_t*)0x200000017e7d = 0x24; *(uint8_t*)0x200000017e7e = 0x1a; *(uint16_t*)0x200000017e7f = 7; *(uint8_t*)0x200000017e81 = 6; *(uint8_t*)0x200000017e82 = 8; *(uint8_t*)0x200000017e83 = 0x24; *(uint8_t*)0x200000017e84 = 0x1c; *(uint16_t*)0x200000017e85 = 0xc; *(uint8_t*)0x200000017e87 = 6; *(uint16_t*)0x200000017e88 = 0x122; *(uint8_t*)0x200000017e8a = 0x12; *(uint8_t*)0x200000017e8b = 0x24; *(uint8_t*)0x200000017e8c = 7; *(uint8_t*)0x200000017e8d = 0x8b; *(uint16_t*)0x200000017e8e = 7; *(uint16_t*)0x200000017e90 = 0xfff9; *(uint16_t*)0x200000017e92 = 5; *(uint16_t*)0x200000017e94 = 3; *(uint16_t*)0x200000017e96 = 0xad97; *(uint16_t*)0x200000017e98 = 3; *(uint16_t*)0x200000017e9a = 0; *(uint8_t*)0x200000017e9c = 0xac; *(uint8_t*)0x200000017e9d = 0x24; *(uint8_t*)0x200000017e9e = 0x13; *(uint8_t*)0x200000017e9f = 0xb; memcpy((void*)0x200000017ea0, "\x78\x4f\x7b\xf4\x55\x93\xf2\x14\x5d\x18\xe4\x9b\xc5\x2e\xdb\x01\x14\x22\x49\x1e\xba\x8f\xc4\x0e\xbe\xd3\x4d\x5d\x81\x30\x4d\xa0\xa3\x55\x65\xec\x20\x36\x11\x7b\xec\x4b\x01\xef\x8f\x75\xc9\xd5\x4e\x74\xb4\x53\x16\xd0\xe1\x67\x2a\x97\xb6\x31\x72\x9b\xcb\x7d\xc9\x9b\xde\x68\x28\x91\xbd\x59\x54\xd9\x45\xf4\x12\x97\x9e\xca\xe7\xee\x08\x6c\x36\x50\xd3\xf9\x76\xa9\x90\xed\xea\x93\x2d\xc3\x08\x5d\x9c\x08\xf2\x0b\xad\xce\xbf\x87\xa9\x7b\xa3\x61\x51\x78\x8d\xaa\x2e\x6b\xe4\x56\x75\x38\x01\x39\xcb\x89\xa1\x7f\x95\xa6\x5c\x87\xa2\x72\xb1\x83\x87\x36\x60\xc9\xb6\x3c\xee\x55\xc4\x3a\xe5\xdf\x58\xb4\x5f\xbe\x08\xf0\x0a\x86\xc6\xb1\xdf\xbd\x51\x7b\x7d\xcd\xca\x1c\x6c\x75\xcd\x37", 168); *(uint8_t*)0x200000017f48 = 6; *(uint8_t*)0x200000017f49 = 0x24; *(uint8_t*)0x200000017f4a = 7; *(uint8_t*)0x200000017f4b = 1; *(uint16_t*)0x200000017f4c = 0xa; *(uint8_t*)0x200000017f4e = 9; *(uint8_t*)0x200000017f4f = 0x21; *(uint16_t*)0x200000017f50 = 0x9a; *(uint8_t*)0x200000017f52 = 8; *(uint8_t*)0x200000017f53 = 1; *(uint8_t*)0x200000017f54 = 0x22; *(uint16_t*)0x200000017f55 = 0x373; *(uint8_t*)0x200000017f57 = 9; *(uint8_t*)0x200000017f58 = 4; *(uint8_t*)0x200000017f59 = 0xb8; *(uint8_t*)0x200000017f5a = 0xc; *(uint8_t*)0x200000017f5b = 0xf; *(uint8_t*)0x200000017f5c = 0xc3; *(uint8_t*)0x200000017f5d = 0x47; *(uint8_t*)0x200000017f5e = 0xe8; *(uint8_t*)0x200000017f5f = 0x7f; *(uint8_t*)0x200000017f60 = 9; *(uint8_t*)0x200000017f61 = 5; *(uint8_t*)0x200000017f62 = 0x80; *(uint8_t*)0x200000017f63 = 2; *(uint16_t*)0x200000017f64 = 0x410; *(uint8_t*)0x200000017f66 = 0xd9; *(uint8_t*)0x200000017f67 = 0xf6; *(uint8_t*)0x200000017f68 = 0xe; *(uint8_t*)0x200000017f69 = 7; *(uint8_t*)0x200000017f6a = 0x25; *(uint8_t*)0x200000017f6b = 1; *(uint8_t*)0x200000017f6c = 0xc; *(uint8_t*)0x200000017f6d = 5; *(uint16_t*)0x200000017f6e = 2; *(uint8_t*)0x200000017f70 = 9; *(uint8_t*)0x200000017f71 = 5; *(uint8_t*)0x200000017f72 = 0xc; *(uint8_t*)0x200000017f73 = 0; *(uint16_t*)0x200000017f74 = 0x40; *(uint8_t*)0x200000017f76 = 2; *(uint8_t*)0x200000017f77 = 2; *(uint8_t*)0x200000017f78 = 6; *(uint8_t*)0x200000017f79 = 9; *(uint8_t*)0x200000017f7a = 5; *(uint8_t*)0x200000017f7b = 0xb; *(uint8_t*)0x200000017f7c = 3; *(uint16_t*)0x200000017f7d = 0x7b4d; *(uint8_t*)0x200000017f7f = 6; *(uint8_t*)0x200000017f80 = 8; *(uint8_t*)0x200000017f81 = 5; *(uint8_t*)0x200000017f82 = 0x82; *(uint8_t*)0x200000017f83 = 0x11; memcpy((void*)0x200000017f84, "\x45\x83\x6f\x6c\x3f\x51\x25\x72\x5e\xd5\xb9\x6b\x96\xb2\x91\x1a\xdb\x85\x37\x0c\xeb\x59\x89\x89\x4b\xd8\x34\x17\xee\x42\x27\x6c\xe8\x0f\xe7\x34\xdb\x8d\x2d\x94\xf2\xfe\x8c\x75\xbf\xd0\x42\xfb\x63\x2c\xfa\x5d\x52\x54\xf9\xb0\xfa\xdc\x88\x5d\x62\x8a\x0d\xc9\x2e\x27\x4c\x02\xcd\x3b\xe0\x42\x1b\x60\x8e\x2c\x53\x8d\xe2\x0b\x20\x8e\xaa\xea\x7b\x51\xdc\x13\xbd\xf7\xf2\xe0\x0a\x6c\xbd\x30\x30\xdf\x9b\xac\xa6\x67\xe6\xcc\xc4\x2b\xdc\x2f\x5d\x82\x2a\x3f\xc2\x98\xb0\x60\xda\x91\x26\x5d\xd0\x15\x83\x22\x1a\x09\x89\x9f", 128); *(uint8_t*)0x200000018004 = 9; *(uint8_t*)0x200000018005 = 5; *(uint8_t*)0x200000018006 = 1; *(uint8_t*)0x200000018007 = 0x10; *(uint16_t*)0x200000018008 = 8; *(uint8_t*)0x20000001800a = 4; *(uint8_t*)0x20000001800b = 1; *(uint8_t*)0x20000001800c = 0xfc; *(uint8_t*)0x20000001800d = 9; *(uint8_t*)0x20000001800e = 5; *(uint8_t*)0x20000001800f = 5; *(uint8_t*)0x200000018010 = 0; *(uint16_t*)0x200000018011 = 0x3ff; *(uint8_t*)0x200000018013 = 0xd7; *(uint8_t*)0x200000018014 = 0; *(uint8_t*)0x200000018015 = 0; *(uint8_t*)0x200000018016 = 0xf6; *(uint8_t*)0x200000018017 = 0x22; memcpy((void*)0x200000018018, "\x67\x43\x9d\x73\x1f\x50\x70\x17\xa6\x2a\xb8\x9e\xb7\x11\x8e\x31\x5a\xab\x47\xbc\xe0\x0c\xfe\x09\x2f\x9b\x6b\x65\x27\x81\x2c\x05\x1d\x98\x78\x9a\x34\x1c\xd8\x57\x9c\x0c\x0f\x64\xf3\x53\xfa\xa6\x41\x37\x28\x67\x64\x0b\x73\x3b\xac\x8b\x88\x00\xb7\xba\xf1\x06\xd0\x3b\x36\xb9\x34\xeb\xf2\x4e\x84\xf5\x54\xe1\x48\x9e\x48\x41\x65\x47\xbb\x7c\x90\x48\x2f\xa4\x70\x64\x67\x39\x07\x68\x59\x8b\xfd\xde\xee\x37\xf9\x6a\x28\x6a\x2f\x72\x6e\xd8\x9e\x5c\xfe\xb0\xdc\xa1\x49\x45\x14\x5d\x57\x27\xfb\xd9\xb2\x94\x9f\x95\x28\xd0\x1e\x94\x8e\x63\x05\x19\x1b\xbb\xdf\xe6\x0f\x22\x3a\xe3\xa1\x98\x23\xce\x4a\x87\x97\xdf\x00\x4c\x04\x8b\x9c\x0d\x79\x3d\x17\x3e\x5a\x39\xaf\xc5\xea\xfe\x8e\xd8\x2b\x45\xd9\xac\x82\xfd\xfd\x1e\xf5\x90\xfa\x30\x0f\x32\xa4\x96\x84\x63\x0a\x4b\x39\x2f\xf5\x80\xee\xae\xff\x43\xc6\x07\xa9\x51\x69\x52\x55\x30\xc2\x4b\x18\x9d\xee\x91\x3c\xf7\xb9\xe1\xc1\xba\xfb\x11\x77\x1b\x05\xc7\x84\x72\x0c\x28\xeb\x00\x1a\xd2\x18\xd0\xa9\x2c\x1e\x32\x07\x16\x06\x73\x4e\xd9\x56\xb6", 244); *(uint8_t*)0x20000001810c = 7; *(uint8_t*)0x20000001810d = 0x25; *(uint8_t*)0x20000001810e = 1; *(uint8_t*)0x20000001810f = 4; *(uint8_t*)0x200000018110 = 3; *(uint16_t*)0x200000018111 = 0xd57d; *(uint8_t*)0x200000018113 = 9; *(uint8_t*)0x200000018114 = 5; *(uint8_t*)0x200000018115 = 1; *(uint8_t*)0x200000018116 = 0; *(uint16_t*)0x200000018117 = 0x400; *(uint8_t*)0x200000018119 = 0x93; *(uint8_t*)0x20000001811a = -1; *(uint8_t*)0x20000001811b = 0x5e; *(uint8_t*)0x20000001811c = 0x9f; *(uint8_t*)0x20000001811d = 0x22; memcpy((void*)0x20000001811e, "\xfa\xae\x6b\x7b\x5c\xb6\x0b\xaa\xbd\xbe\x69\xda\x80\xd6\x30\x6c\xc5\xc4\x8a\x7e\xee\xdd\x7a\x47\xa9\x2b\x69\x3f\x17\x79\x43\x85\xe5\xdf\x43\x42\x8f\xf8\x61\xb3\x89\xff\xfa\x4e\x90\x3a\x47\xcb\xec\x60\xc7\x94\xd7\x8a\x72\x87\xaf\xfd\x41\x62\x73\xfa\xe9\x78\xb7\x31\x3e\xbd\x0b\x4b\xa9\x0d\x2c\x47\xc1\xa1\xa6\x6f\x6a\x69\x8d\xca\xd6\x7c\x6b\x40\xc4\x82\xa0\x9d\x3b\x92\xc0\x54\x22\xf1\xee\xed\x15\x8b\xe3\x73\xe6\x62\x3f\x40\xf8\x2b\x25\x69\x7f\x8f\x79\x34\xc6\x0a\x81\xa4\x03\xf2\x2d\x91\x91\x66\xe0\x11\xd3\x1a\x64\x97\xa0\xc7\xa5\x12\xe4\xdd\xd8\x41\xb5\x44\x14\x54\xc1\xe1\x5d\x8a\x2a\xb3\xe7\x8f\x86\xa5\xcf\x03\xe7\x92\xe7", 157); *(uint8_t*)0x2000000181bb = 7; *(uint8_t*)0x2000000181bc = 0x25; *(uint8_t*)0x2000000181bd = 1; *(uint8_t*)0x2000000181be = 0xc; *(uint8_t*)0x2000000181bf = 1; *(uint16_t*)0x2000000181c0 = 9; *(uint8_t*)0x2000000181c2 = 9; *(uint8_t*)0x2000000181c3 = 5; *(uint8_t*)0x2000000181c4 = 3; *(uint8_t*)0x2000000181c5 = 0xc; *(uint16_t*)0x2000000181c6 = 0x10; *(uint8_t*)0x2000000181c8 = 0xb; *(uint8_t*)0x2000000181c9 = 3; *(uint8_t*)0x2000000181ca = 2; *(uint8_t*)0x2000000181cb = 0xb1; *(uint8_t*)0x2000000181cc = 0; memcpy((void*)0x2000000181cd, "\x33\xe5\xf9\x75\x6d\x19\xa3\xeb\x39\x2b\xa4\x5b\x9f\x38\x1d\xc2\xb0\x62\xee\x3c\xe9\x42\xa4\x85\xe6\x78\xa8\xea\x13\xf6\xc9\xea\xc7\x4e\xc9\x64\x1b\x11\x9d\x78\xa9\xe3\x6b\x32\x32\x7c\xfb\x53\x5d\x6e\xe4\x02\x91\x7d\x7b\x92\xa3\xef\x09\xa7\x93\x23\x73\x5d\xbe\xd9\xb6\x23\xca\x4b\x83\xdb\x01\x17\xd5\x37\xe5\xc5\x8c\x64\x05\xbb\x0f\xe3\x3b\xda\x56\xba\x38\x4b\x95\xfd\x46\x87\xdf\x02\x17\xb2\x23\xa0\xa5\x25\x06\x2e\xf2\x59\x59\x1d\xba\x73\xdb\x93\x6a\x7f\x85\xb8\x2d\xdd\xce\xd8\x21\x6a\xa4\xbc\x4e\xd6\x36\xa5\x7f\xc6\xe6\x83\xe3\xce\xb1\x0a\x63\xbe\x63\x33\x0c\x0e\xa4\xd2\xa5\xcf\xf5\xdb\x4a\xc7\x1a\xc1\x0c\xdc\xe3\xf5\xbd\x50\xc2\x9c\xa7\xd1\x55\x8d\xc5\xed\x7f\x06\xb2\x1d\xd7\xba\x9a\x0d\xc6", 175); *(uint8_t*)0x20000001827c = 9; *(uint8_t*)0x20000001827d = 5; *(uint8_t*)0x20000001827e = 5; *(uint8_t*)0x20000001827f = 0x10; *(uint16_t*)0x200000018280 = 8; *(uint8_t*)0x200000018282 = 0xd4; *(uint8_t*)0x200000018283 = 8; *(uint8_t*)0x200000018284 = 8; *(uint8_t*)0x200000018285 = 7; *(uint8_t*)0x200000018286 = 0x25; *(uint8_t*)0x200000018287 = 1; *(uint8_t*)0x200000018288 = 0xc; *(uint8_t*)0x200000018289 = 0; *(uint16_t*)0x20000001828a = 0x20a; *(uint8_t*)0x20000001828c = 7; *(uint8_t*)0x20000001828d = 0x25; *(uint8_t*)0x20000001828e = 1; *(uint8_t*)0x20000001828f = 0xc; *(uint8_t*)0x200000018290 = 9; *(uint16_t*)0x200000018291 = 5; *(uint8_t*)0x200000018293 = 9; *(uint8_t*)0x200000018294 = 5; *(uint8_t*)0x200000018295 = 5; *(uint8_t*)0x200000018296 = 0; *(uint16_t*)0x200000018297 = 8; *(uint8_t*)0x200000018299 = 7; *(uint8_t*)0x20000001829a = 7; *(uint8_t*)0x20000001829b = 1; *(uint8_t*)0x20000001829c = 0xd4; *(uint8_t*)0x20000001829d = 0xf; memcpy((void*)0x20000001829e, "\x73\x7d\x3a\x43\x15\x65\x8a\x8f\xfa\xd1\x24\xef\x25\x69\x21\x25\x49\x4e\x37\x60\x89\xb7\x0b\x3f\xa6\x3c\x98\xd5\x48\x31\x91\x45\xd9\xa4\x32\xc0\xa3\xa9\x10\x83\x5f\x2c\x89\xb9\x7e\x71\x68\xde\x3f\x5a\x68\xfc\x6d\x30\x86\xb5\xab\xbd\x9c\xad\x99\xb9\xf5\x7d\xf6\x6d\x7a\x2a\xf8\xb1\x1c\x90\x04\x1d\xd4\x4e\xa5\xcb\x90\xb0\x84\x93\xf1\xcc\x38\x39\x1a\xb3\x93\xed\xca\x7a\xfe\x19\xad\xa6\x84\xd6\x2c\x76\x02\x8a\x42\x83\xd3\xf7\xc4\xb6\xa2\x95\x30\xb4\x34\x5f\x74\xfe\xdf\x78\x70\x9f\x1a\x61\x72\xae\x09\x1c\x18\x10\x37\xaa\x8d\x41\x50\x3c\x85\x4f\x5d\x64\xa4\xe1\x77\x29\x82\xed\xb2\xfa\xeb\x1f\x1a\x4f\xfb\x5f\x1b\x62\x41\x5e\x46\xf1\xbb\x27\x37\x4d\x48\x24\x50\x31\xd0\x50\xdc\x55\x28\xc7\xd1\x9e\x7d\x9f\x4f\x71\x98\x39\x84\xe4\x4a\x63\x35\x75\xf1\xb7\x92\xd0\x6d\xb2\xad\xa0\xca\x60\xeb\x38\x96\xc7\xe5\x17\x98\x1d\x56\x7f\xe7\xb5\x8a\xd2", 210); *(uint8_t*)0x200000018370 = 9; *(uint8_t*)0x200000018371 = 5; *(uint8_t*)0x200000018372 = 2; *(uint8_t*)0x200000018373 = 0; *(uint16_t*)0x200000018374 = 0x3ff; *(uint8_t*)0x200000018376 = 5; *(uint8_t*)0x200000018377 = 0x47; *(uint8_t*)0x200000018378 = -1; *(uint8_t*)0x200000018379 = 9; *(uint8_t*)0x20000001837a = 5; *(uint8_t*)0x20000001837b = 0xd; *(uint8_t*)0x20000001837c = 4; *(uint16_t*)0x20000001837d = 0x10; *(uint8_t*)0x20000001837f = 9; *(uint8_t*)0x200000018380 = 9; *(uint8_t*)0x200000018381 = 4; *(uint8_t*)0x200000018382 = 7; *(uint8_t*)0x200000018383 = 0x25; *(uint8_t*)0x200000018384 = 1; *(uint8_t*)0x200000018385 = 8; *(uint8_t*)0x200000018386 = 5; *(uint16_t*)0x200000018387 = 1; *(uint8_t*)0x200000018389 = 0x84; *(uint8_t*)0x20000001838a = 4; memcpy((void*)0x20000001838b, "\xc2\x5a\x3f\xb7\x3a\x08\xd8\xb8\x8a\x25\xe3\x96\xfe\xe4\xb0\x18\xb4\x48\x7b\xcc\xab\xbf\xfe\x8a\xc9\x64\x09\x7b\x47\xdd\x92\x6e\x5c\xb6\x85\xc9\x56\x8c\x47\x38\xe1\xbc\x09\x72\xad\x10\xf1\x27\x89\xa9\xa8\x08\x0d\x7a\x49\x26\x30\xe9\xa1\x55\xa1\x2e\x26\x76\x04\xf5\x37\x73\xb1\xf3\xa6\x03\xc1\x9d\x4d\xc0\xf4\xc5\xcc\xee\x5e\x95\x71\x70\x6e\x99\x0d\xc8\x62\x31\x2f\xb3\xd2\x6c\xc3\x7b\x01\x1d\x95\xf3\x15\x9d\x13\xc4\xac\x34\xab\x08\x4c\x1a\x06\x60\x50\x9a\xe1\x3f\xa6\xf8\x4d\x60\x68\xb3\x3e\x5f\xf1\xda\x2a\x32\x37\x3a", 130); *(uint8_t*)0x20000001840d = 9; *(uint8_t*)0x20000001840e = 5; *(uint8_t*)0x20000001840f = 2; *(uint8_t*)0x200000018410 = 0; *(uint16_t*)0x200000018411 = 0x400; *(uint8_t*)0x200000018413 = 0xa; *(uint8_t*)0x200000018414 = 8; *(uint8_t*)0x200000018415 = 4; *(uint8_t*)0x200000018416 = 9; *(uint8_t*)0x200000018417 = 5; *(uint8_t*)0x200000018418 = 0xe; *(uint8_t*)0x200000018419 = 0; *(uint16_t*)0x20000001841a = 8; *(uint8_t*)0x20000001841c = 6; *(uint8_t*)0x20000001841d = 4; *(uint8_t*)0x20000001841e = 0x96; *(uint8_t*)0x20000001841f = 7; *(uint8_t*)0x200000018420 = 0x25; *(uint8_t*)0x200000018421 = 1; *(uint8_t*)0x200000018422 = 0; *(uint8_t*)0x200000018423 = 0xbe; *(uint16_t*)0x200000018424 = 0xda; *(uint8_t*)0x200000018426 = 7; *(uint8_t*)0x200000018427 = 0x25; *(uint8_t*)0x200000018428 = 1; *(uint8_t*)0x200000018429 = 8; *(uint8_t*)0x20000001842a = 0; *(uint16_t*)0x20000001842b = 0; *(uint8_t*)0x20000001842d = 9; *(uint8_t*)0x20000001842e = 5; *(uint8_t*)0x20000001842f = 8; *(uint8_t*)0x200000018430 = 2; *(uint16_t*)0x200000018431 = 0x10; *(uint8_t*)0x200000018433 = 0xb; *(uint8_t*)0x200000018434 = 5; *(uint8_t*)0x200000018435 = 0x8f; *(uint8_t*)0x200000018436 = 0x77; *(uint8_t*)0x200000018437 = 0xf7; memcpy((void*)0x200000018438, "\xe6\xda\x68\x32\x66\x5e\x8f\xc3\x6a\x0e\x8f\x94\x15\x7f\x6a\x5f\xbd\x96\xba\x60\x85\xfa\x6c\xc0\xde\x01\x63\x51\x50\x75\x1f\xa9\x08\x0a\x8c\xe5\xaa\xa4\xe5\x0b\xdd\xbe\xfe\x64\x9a\x98\x85\x24\x4d\x8f\xd8\x77\x92\x0b\x57\x0d\x69\x13\xac\x5e\xf7\x4d\x87\x13\x9a\x81\x21\x5a\xce\x97\x2e\x76\x9b\x6e\x70\x7e\x21\x02\xde\x59\x3a\x66\x1d\x40\x8d\x0c\xbc\xe3\x85\xec\xdc\x66\xd0\x0e\x64\x9d\xd5\x50\x4e\x8b\x1f\x2a\xee\xdf\x02\xeb\x08\xbd\x9a\x2b\x21\x02\xf3\x79\x27\xbf\xb9", 117); *(uint8_t*)0x2000000184ad = 7; *(uint8_t*)0x2000000184ae = 0x25; *(uint8_t*)0x2000000184af = 1; *(uint8_t*)0x2000000184b0 = 0xc; *(uint8_t*)0x2000000184b1 = 0x40; *(uint16_t*)0x2000000184b2 = 0x8000; *(uint8_t*)0x2000000184b4 = 9; *(uint8_t*)0x2000000184b5 = 5; *(uint8_t*)0x2000000184b6 = 0xd; *(uint8_t*)0x2000000184b7 = 0xc; *(uint16_t*)0x2000000184b8 = 0x40; *(uint8_t*)0x2000000184ba = 6; *(uint8_t*)0x2000000184bb = 0; *(uint8_t*)0x2000000184bc = 9; *(uint8_t*)0x2000000184bd = 9; *(uint8_t*)0x2000000184be = 4; *(uint8_t*)0x2000000184bf = 0x1e; *(uint8_t*)0x2000000184c0 = 8; *(uint8_t*)0x2000000184c1 = 3; *(uint8_t*)0x2000000184c2 = 0x90; *(uint8_t*)0x2000000184c3 = 0x1b; *(uint8_t*)0x2000000184c4 = 0x5d; *(uint8_t*)0x2000000184c5 = 9; *(uint8_t*)0x2000000184c6 = 9; *(uint8_t*)0x2000000184c7 = 0x24; *(uint8_t*)0x2000000184c8 = 2; *(uint8_t*)0x2000000184c9 = 1; *(uint8_t*)0x2000000184ca = 3; *(uint8_t*)0x2000000184cb = 1; *(uint8_t*)0x2000000184cc = 0; *(uint8_t*)0x2000000184cd = 0x35; *(uint8_t*)0x2000000184ce = 8; *(uint8_t*)0x2000000184cf = 9; *(uint8_t*)0x2000000184d0 = 0x24; *(uint8_t*)0x2000000184d1 = 2; *(uint8_t*)0x2000000184d2 = 1; *(uint8_t*)0x2000000184d3 = 4; *(uint8_t*)0x2000000184d4 = 3; *(uint8_t*)0x2000000184d5 = 4; *(uint8_t*)0x2000000184d6 = 0xf6; *(uint8_t*)0x2000000184d7 = 0x80; *(uint8_t*)0x2000000184d8 = 0xa; *(uint8_t*)0x2000000184d9 = 0x24; *(uint8_t*)0x2000000184da = 2; *(uint8_t*)0x2000000184db = 2; *(uint16_t*)0x2000000184dc = 5; *(uint16_t*)0x2000000184de = 0x35c6; *(uint8_t*)0x2000000184e0 = 1; *(uint8_t*)0x2000000184e1 = 3; *(uint8_t*)0x2000000184e2 = 0xa; *(uint8_t*)0x2000000184e3 = 0x24; *(uint8_t*)0x2000000184e4 = 1; *(uint16_t*)0x2000000184e5 = 0x8001; *(uint16_t*)0x2000000184e7 = 0x51; *(uint8_t*)0x2000000184e9 = 2; *(uint8_t*)0x2000000184ea = 1; *(uint8_t*)0x2000000184eb = 2; *(uint8_t*)0x2000000184ec = 9; *(uint8_t*)0x2000000184ed = 0x24; *(uint8_t*)0x2000000184ee = 6; *(uint8_t*)0x2000000184ef = 4; *(uint8_t*)0x2000000184f0 = 3; *(uint8_t*)0x2000000184f1 = 1; *(uint16_t*)0x2000000184f2 = 4; *(uint8_t*)0x2000000184f4 = 8; *(uint8_t*)0x2000000184f5 = 0xb; *(uint8_t*)0x2000000184f6 = 0x24; *(uint8_t*)0x2000000184f7 = 7; *(uint8_t*)0x2000000184f8 = 4; *(uint16_t*)0x2000000184f9 = 3; *(uint8_t*)0x2000000184fb = 9; memcpy((void*)0x2000000184fc, "\xd6\xe5\xbe\xc9", 4); *(uint8_t*)0x200000018500 = 9; *(uint8_t*)0x200000018501 = 0x24; *(uint8_t*)0x200000018502 = 7; *(uint8_t*)0x200000018503 = 1; *(uint16_t*)0x200000018504 = 1; *(uint8_t*)0x200000018506 = 6; memcpy((void*)0x200000018507, "CO", 2); *(uint8_t*)0x200000018509 = 0xc; *(uint8_t*)0x20000001850a = 0x24; *(uint8_t*)0x20000001850b = 2; *(uint8_t*)0x20000001850c = 2; *(uint16_t*)0x20000001850d = 0x204; *(uint8_t*)0x20000001850f = 5; *(uint8_t*)0x200000018510 = 9; *(uint16_t*)0x200000018511 = 9; *(uint8_t*)0x200000018513 = 1; *(uint8_t*)0x200000018514 = 0xd4; *(uint8_t*)0x200000018515 = 0x11; *(uint8_t*)0x200000018516 = 0x24; *(uint8_t*)0x200000018517 = 6; *(uint8_t*)0x200000018518 = 5; *(uint8_t*)0x200000018519 = 6; *(uint8_t*)0x20000001851a = 5; *(uint16_t*)0x20000001851b = 3; *(uint16_t*)0x20000001851d = 0xa; *(uint16_t*)0x20000001851f = 3; *(uint16_t*)0x200000018521 = 9; *(uint16_t*)0x200000018523 = 3; *(uint8_t*)0x200000018525 = 3; *(uint8_t*)0x200000018526 = 0xd; *(uint8_t*)0x200000018527 = 0x24; *(uint8_t*)0x200000018528 = 8; *(uint8_t*)0x200000018529 = 2; *(uint16_t*)0x20000001852a = 5; *(uint8_t*)0x20000001852c = 0xfa; memcpy((void*)0x20000001852d, "\xcf\x52\x1f\xd9\x77\x8e", 6); *(uint8_t*)0x200000018533 = 9; *(uint8_t*)0x200000018534 = 5; *(uint8_t*)0x200000018535 = 0; *(uint8_t*)0x200000018536 = 1; *(uint16_t*)0x200000018537 = 0x200; *(uint8_t*)0x200000018539 = 3; *(uint8_t*)0x20000001853a = 9; *(uint8_t*)0x20000001853b = 6; *(uint8_t*)0x20000001853c = 9; *(uint8_t*)0x20000001853d = 5; *(uint8_t*)0x20000001853e = 1; *(uint8_t*)0x20000001853f = 0x10; *(uint16_t*)0x200000018540 = 0; *(uint8_t*)0x200000018542 = 7; *(uint8_t*)0x200000018543 = 3; *(uint8_t*)0x200000018544 = 1; *(uint8_t*)0x200000018545 = 9; *(uint8_t*)0x200000018546 = 5; *(uint8_t*)0x200000018547 = 9; *(uint8_t*)0x200000018548 = 3; *(uint16_t*)0x200000018549 = 0x20; *(uint8_t*)0x20000001854b = 0xf; *(uint8_t*)0x20000001854c = 4; *(uint8_t*)0x20000001854d = 5; *(uint8_t*)0x20000001854e = 0x30; *(uint8_t*)0x20000001854f = 0x30; memcpy((void*)0x200000018550, "\x9a\xf3\xfe\x71\x51\xc3\xb3\xad\x7b\xd1\xa1\xc8\xe2\xee\x7c\x94\x95\xbf\xb5\x20\x94\xd1\xdc\x13\xf4\x1f\x06\xa7\x6b\x11\x1e\xbf\x90\x89\xa2\x37\x2b\x32\x34\x99\xe8\x15\x36\xed\x22\xf6", 46); *(uint8_t*)0x20000001857e = 7; *(uint8_t*)0x20000001857f = 0x25; *(uint8_t*)0x200000018580 = 1; *(uint8_t*)0x200000018581 = 0; *(uint8_t*)0x200000018582 = 0xd; *(uint16_t*)0x200000018583 = 0x1000; *(uint32_t*)0x2000000187c0 = 0xa; *(uint64_t*)0x2000000187c4 = 0x2000000185c0; *(uint8_t*)0x2000000185c0 = 0xa; *(uint8_t*)0x2000000185c1 = 6; *(uint16_t*)0x2000000185c2 = 0x200; *(uint8_t*)0x2000000185c4 = 0xe; *(uint8_t*)0x2000000185c5 = 0x7c; *(uint8_t*)0x2000000185c6 = 5; *(uint8_t*)0x2000000185c7 = 0x40; *(uint8_t*)0x2000000185c8 = 6; *(uint8_t*)0x2000000185c9 = 0; *(uint32_t*)0x2000000187cc = 0xec; *(uint64_t*)0x2000000187d0 = 0x200000018600; *(uint8_t*)0x200000018600 = 5; *(uint8_t*)0x200000018601 = 0xf; *(uint16_t*)0x200000018602 = 0xec; *(uint8_t*)0x200000018604 = 5; *(uint8_t*)0x200000018605 = 0xb; *(uint8_t*)0x200000018606 = 0x10; *(uint8_t*)0x200000018607 = 1; *(uint8_t*)0x200000018608 = 4; *(uint16_t*)0x200000018609 = 8; *(uint8_t*)0x20000001860b = 0x7f; *(uint8_t*)0x20000001860c = 4; *(uint16_t*)0x20000001860d = 0x10; *(uint8_t*)0x20000001860f = 0; *(uint8_t*)0x200000018610 = 3; *(uint8_t*)0x200000018611 = 0x10; *(uint8_t*)0x200000018612 = 0xb; *(uint8_t*)0x200000018613 = 0x14; *(uint8_t*)0x200000018614 = 0x10; *(uint8_t*)0x200000018615 = 4; *(uint8_t*)0x200000018616 = 0x19; memcpy((void*)0x200000018617, "\x37\x08\x89\x2f\x9f\x72\x25\xbe\x3a\x60\x09\x55\x99\x65\xad\x74", 16); *(uint8_t*)0x200000018627 = 0xb; *(uint8_t*)0x200000018628 = 0x10; *(uint8_t*)0x200000018629 = 1; *(uint8_t*)0x20000001862a = 4; *(uint16_t*)0x20000001862b = 0x20; *(uint8_t*)0x20000001862d = 0xc9; *(uint8_t*)0x20000001862e = 3; *(uint16_t*)0x20000001862f = 3; *(uint8_t*)0x200000018631 = 8; *(uint8_t*)0x200000018632 = 0xba; *(uint8_t*)0x200000018633 = 0x10; *(uint8_t*)0x200000018634 = 3; memcpy((void*)0x200000018635, "\x2a\x04\x52\xf8\xe5\x6a\xc2\xff\xae\xe6\xcb\x1f\xc6\xfa\xea\x42\x98\x66\x4f\x03\x26\x76\xda\x02\xee\x36\xca\xc0\xdf\x47\x2c\x05\xb6\xa8\x95\xc8\x7b\x06\x14\x5c\x8c\xb2\xbf\x15\x63\xd9\x15\xfb\x74\x59\xdf\xa3\x7e\x7b\x01\x0a\x23\x07\xd7\x6e\xd4\xc7\x5a\x0c\x19\x62\x07\x4d\x24\xf9\x83\x6e\x05\xdf\x96\x5f\xdf\x4e\x24\x60\x07\x6f\x7f\x10\x97\x08\x23\x08\x72\xab\xfc\x7b\x89\xd4\xe5\xe0\x8d\x5d\x7b\x3b\x28\xbe\x99\x66\x61\x69\xe4\xbe\xaa\x1e\xd7\x09\x9d\x4e\xad\x2e\x0a\xea\xb9\xe0\x1f\xf1\xbf\x20\xb5\x9a\x78\xa6\xd9\x85\x29\x89\xb4\xc4\x73\x25\x50\xc7\x0f\x84\x3d\xaa\x0c\x88\xd8\x2e\xf8\x06\xec\xe5\x08\xcc\x95\x53\xfe\x81\x34\xcf\xad\xc5\x76\x9b\xff\x04\x6d\xca\x8f\x1f\xe0\x31\xf2\x5d\xba\xe9\x23\x96\x22\x56\xa0\xd9\x62\xf0\x81", 183); *(uint32_t*)0x2000000187d8 = 2; *(uint32_t*)0x2000000187dc = 0x5f; *(uint64_t*)0x2000000187e0 = 0x200000018700; *(uint8_t*)0x200000018700 = 0x5f; *(uint8_t*)0x200000018701 = 3; memcpy((void*)0x200000018702, "\x15\x9f\xae\xf0\x2b\x24\x6d\xab\x7c\xba\x3e\xfc\x4a\x7f\xed\x8d\x17\x4b\xd7\x06\xd4\x84\x57\xf2\x61\xad\x8f\xe8\x8d\xc0\x42\x6f\xe7\x1a\x32\x29\x1e\xe9\x35\x75\xbf\x34\x7c\xbf\xc2\x13\x23\xb2\x08\xf1\x5a\x79\x2a\xbb\xf3\x01\x70\x92\xaa\x8e\x55\x1f\xcb\xd8\x51\xca\x73\x90\x61\x2f\x9e\x58\x48\x73\x8c\x87\x2b\x63\x87\x38\x75\x5a\xdf\xa7\xd4\x32\xea\xb1\xcd\xf1\x12\x46\xe6", 93); *(uint32_t*)0x2000000187e8 = 4; *(uint64_t*)0x2000000187ec = 0x200000018780; *(uint8_t*)0x200000018780 = 4; *(uint8_t*)0x200000018781 = 3; *(uint16_t*)0x200000018782 = 0x41d; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x745, /*dev=*/0x200000017e40, /*conn_descs=*/0x2000000187c0); if (res != -1) r[44] = res; break; case 67: *(uint8_t*)0x200000018800 = 0x12; *(uint8_t*)0x200000018801 = 1; *(uint16_t*)0x200000018802 = 0x200; *(uint8_t*)0x200000018804 = -1; *(uint8_t*)0x200000018805 = -1; *(uint8_t*)0x200000018806 = -1; *(uint8_t*)0x200000018807 = 0x40; *(uint16_t*)0x200000018808 = 0xcf3; *(uint16_t*)0x20000001880a = 0x9271; *(uint16_t*)0x20000001880c = 0x108; *(uint8_t*)0x20000001880e = 1; *(uint8_t*)0x20000001880f = 2; *(uint8_t*)0x200000018810 = 3; *(uint8_t*)0x200000018811 = 1; *(uint8_t*)0x200000018812 = 9; *(uint8_t*)0x200000018813 = 2; *(uint16_t*)0x200000018814 = 0x48; *(uint8_t*)0x200000018816 = 1; *(uint8_t*)0x200000018817 = 1; *(uint8_t*)0x200000018818 = 0; *(uint8_t*)0x200000018819 = 0x80; *(uint8_t*)0x20000001881a = 0xfa; *(uint8_t*)0x20000001881b = 9; *(uint8_t*)0x20000001881c = 4; *(uint8_t*)0x20000001881d = 0; *(uint8_t*)0x20000001881e = 0; *(uint8_t*)0x20000001881f = 6; *(uint8_t*)0x200000018820 = -1; *(uint8_t*)0x200000018821 = 0; *(uint8_t*)0x200000018822 = 0; *(uint8_t*)0x200000018823 = 0; *(uint8_t*)0x200000018824 = 9; *(uint8_t*)0x200000018825 = 5; *(uint8_t*)0x200000018826 = 1; *(uint8_t*)0x200000018827 = 2; *(uint16_t*)0x200000018828 = 0x200; *(uint8_t*)0x20000001882a = 0; *(uint8_t*)0x20000001882b = 0; *(uint8_t*)0x20000001882c = 0; *(uint8_t*)0x20000001882d = 9; *(uint8_t*)0x20000001882e = 5; *(uint8_t*)0x20000001882f = 0x82; *(uint8_t*)0x200000018830 = 2; *(uint16_t*)0x200000018831 = 0x200; *(uint8_t*)0x200000018833 = 0; *(uint8_t*)0x200000018834 = 0; *(uint8_t*)0x200000018835 = 0; *(uint8_t*)0x200000018836 = 9; *(uint8_t*)0x200000018837 = 5; *(uint8_t*)0x200000018838 = 0x83; *(uint8_t*)0x200000018839 = 3; *(uint16_t*)0x20000001883a = 0x40; *(uint8_t*)0x20000001883c = 1; *(uint8_t*)0x20000001883d = 0; *(uint8_t*)0x20000001883e = 0; *(uint8_t*)0x20000001883f = 9; *(uint8_t*)0x200000018840 = 5; *(uint8_t*)0x200000018841 = 4; *(uint8_t*)0x200000018842 = 3; *(uint16_t*)0x200000018843 = 0x40; *(uint8_t*)0x200000018845 = 1; *(uint8_t*)0x200000018846 = 0; *(uint8_t*)0x200000018847 = 0; *(uint8_t*)0x200000018848 = 9; *(uint8_t*)0x200000018849 = 5; *(uint8_t*)0x20000001884a = 5; *(uint8_t*)0x20000001884b = 2; *(uint16_t*)0x20000001884c = 0x200; *(uint8_t*)0x20000001884e = 0; *(uint8_t*)0x20000001884f = 0; *(uint8_t*)0x200000018850 = 0; *(uint8_t*)0x200000018851 = 9; *(uint8_t*)0x200000018852 = 5; *(uint8_t*)0x200000018853 = 6; *(uint8_t*)0x200000018854 = 2; *(uint16_t*)0x200000018855 = 0x200; *(uint8_t*)0x200000018857 = 0; *(uint8_t*)0x200000018858 = 0; *(uint8_t*)0x200000018859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000018800, /*conn_descs=*/0); if (res != -1) r[45] = res; break; case 68: *(uint32_t*)0x200000018a00 = 0x2c; *(uint64_t*)0x200000018a04 = 0x200000018880; *(uint8_t*)0x200000018880 = 0x20; *(uint8_t*)0x200000018881 = 0xa; *(uint32_t*)0x200000018882 = 6; *(uint8_t*)0x200000018886 = 6; *(uint8_t*)0x200000018887 = 0x11; memcpy((void*)0x200000018888, "\x11\xbe\x69\x06", 4); *(uint64_t*)0x200000018a0c = 0x2000000188c0; *(uint8_t*)0x2000000188c0 = 0; *(uint8_t*)0x2000000188c1 = 3; *(uint32_t*)0x2000000188c2 = 0x4b; *(uint8_t*)0x2000000188c6 = 0x4b; *(uint8_t*)0x2000000188c7 = 3; memcpy((void*)0x2000000188c8, "\x54\xf1\x66\xc5\x04\xf7\x90\xb8\xfd\x21\x67\xab\x4d\x22\x07\xfa\xf4\xe0\xd9\xb9\x06\x85\x64\xc8\xfe\xe8\x2a\x31\xe2\xa5\x6d\x9b\x86\x3c\x41\x88\xc8\x02\xbd\x1e\x73\x79\x93\xba\x22\xa3\x23\x79\x5c\xb0\xb4\xf4\xe9\x4c\xb7\x96\x75\x88\x40\xf7\xc8\x88\x98\x69\x4a\x05\x9b\xe7\x6c\x02\x85\xd6\x91", 73); *(uint64_t*)0x200000018a14 = 0x200000018940; *(uint8_t*)0x200000018940 = 0; *(uint8_t*)0x200000018941 = 0xf; *(uint32_t*)0x200000018942 = 0x1a; *(uint8_t*)0x200000018946 = 5; *(uint8_t*)0x200000018947 = 0xf; *(uint16_t*)0x200000018948 = 0x1a; *(uint8_t*)0x20000001894a = 2; *(uint8_t*)0x20000001894b = 0xb; *(uint8_t*)0x20000001894c = 0x10; *(uint8_t*)0x20000001894d = 1; *(uint8_t*)0x20000001894e = 2; *(uint16_t*)0x20000001894f = 1; *(uint8_t*)0x200000018951 = 4; *(uint8_t*)0x200000018952 = 0xa; *(uint16_t*)0x200000018953 = 4; *(uint8_t*)0x200000018955 = 0x10; *(uint8_t*)0x200000018956 = 0xa; *(uint8_t*)0x200000018957 = 0x10; *(uint8_t*)0x200000018958 = 3; *(uint8_t*)0x200000018959 = 0; *(uint16_t*)0x20000001895a = 4; *(uint8_t*)0x20000001895c = 6; *(uint8_t*)0x20000001895d = 0; *(uint16_t*)0x20000001895e = 1; *(uint64_t*)0x200000018a1c = 0x200000018980; *(uint8_t*)0x200000018980 = 0x20; *(uint8_t*)0x200000018981 = 0x29; *(uint32_t*)0x200000018982 = 0xf; *(uint8_t*)0x200000018986 = 0xf; *(uint8_t*)0x200000018987 = 0x29; *(uint8_t*)0x200000018988 = 0x7e; *(uint16_t*)0x200000018989 = 0; *(uint8_t*)0x20000001898b = 2; *(uint8_t*)0x20000001898c = 7; memcpy((void*)0x20000001898d, "\x3c\x68\x95\xab", 4); memcpy((void*)0x200000018991, "\x13\x82\x53\xae", 4); *(uint64_t*)0x200000018a24 = 0x2000000189c0; *(uint8_t*)0x2000000189c0 = 0x20; *(uint8_t*)0x2000000189c1 = 0x2a; *(uint32_t*)0x2000000189c2 = 0xc; *(uint8_t*)0x2000000189c6 = 0xc; *(uint8_t*)0x2000000189c7 = 0x2a; *(uint8_t*)0x2000000189c8 = 0xe; *(uint16_t*)0x2000000189c9 = 1; *(uint8_t*)0x2000000189cb = 0xb5; *(uint8_t*)0x2000000189cc = 2; *(uint8_t*)0x2000000189cd = 6; *(uint16_t*)0x2000000189ce = 7; *(uint16_t*)0x2000000189d0 = 9; *(uint32_t*)0x200000018e40 = 0x84; *(uint64_t*)0x200000018e44 = 0x200000018a40; *(uint8_t*)0x200000018a40 = 0x20; *(uint8_t*)0x200000018a41 = 0xc; *(uint32_t*)0x200000018a42 = 2; memcpy((void*)0x200000018a46, "\xd8\x0b", 2); *(uint64_t*)0x200000018e4c = 0x200000018a80; *(uint8_t*)0x200000018a80 = 0; *(uint8_t*)0x200000018a81 = 0xa; *(uint32_t*)0x200000018a82 = 1; *(uint8_t*)0x200000018a86 = 7; *(uint64_t*)0x200000018e54 = 0x200000018ac0; *(uint8_t*)0x200000018ac0 = 0; *(uint8_t*)0x200000018ac1 = 8; *(uint32_t*)0x200000018ac2 = 1; *(uint8_t*)0x200000018ac6 = 5; *(uint64_t*)0x200000018e5c = 0x200000018b00; *(uint8_t*)0x200000018b00 = 0x20; *(uint8_t*)0x200000018b01 = 0; *(uint32_t*)0x200000018b02 = 4; *(uint16_t*)0x200000018b06 = 0; *(uint16_t*)0x200000018b08 = 2; *(uint64_t*)0x200000018e64 = 0x200000018b40; *(uint8_t*)0x200000018b40 = 0x20; *(uint8_t*)0x200000018b41 = 0; *(uint32_t*)0x200000018b42 = 8; *(uint16_t*)0x200000018b46 = 0x1160; *(uint16_t*)0x200000018b48 = 2; *(uint32_t*)0x200000018b4a = 0x1e0ff; *(uint64_t*)0x200000018e6c = 0x200000018b80; *(uint8_t*)0x200000018b80 = 0x40; *(uint8_t*)0x200000018b81 = 7; *(uint32_t*)0x200000018b82 = 2; *(uint16_t*)0x200000018b86 = 0; *(uint64_t*)0x200000018e74 = 0x200000018bc0; *(uint8_t*)0x200000018bc0 = 0x40; *(uint8_t*)0x200000018bc1 = 9; *(uint32_t*)0x200000018bc2 = 1; *(uint8_t*)0x200000018bc6 = 0x81; *(uint64_t*)0x200000018e7c = 0x200000018c00; *(uint8_t*)0x200000018c00 = 0x40; *(uint8_t*)0x200000018c01 = 0xb; *(uint32_t*)0x200000018c02 = 2; memcpy((void*)0x200000018c06, "~s", 2); *(uint64_t*)0x200000018e84 = 0x200000018c40; *(uint8_t*)0x200000018c40 = 0x40; *(uint8_t*)0x200000018c41 = 0xf; *(uint32_t*)0x200000018c42 = 2; *(uint16_t*)0x200000018c46 = 0xa; *(uint64_t*)0x200000018e8c = 0x200000018c80; *(uint8_t*)0x200000018c80 = 0x40; *(uint8_t*)0x200000018c81 = 0x13; *(uint32_t*)0x200000018c82 = 6; memset((void*)0x200000018c86, 170, 5); *(uint8_t*)0x200000018c8b = 0x17; *(uint64_t*)0x200000018e94 = 0x200000018cc0; *(uint8_t*)0x200000018cc0 = 0x40; *(uint8_t*)0x200000018cc1 = 0x17; *(uint32_t*)0x200000018cc2 = 6; memset((void*)0x200000018cc6, 170, 5); *(uint8_t*)0x200000018ccb = 0x3d; *(uint64_t*)0x200000018e9c = 0x200000018d00; *(uint8_t*)0x200000018d00 = 0x40; *(uint8_t*)0x200000018d01 = 0x19; *(uint32_t*)0x200000018d02 = 2; memcpy((void*)0x200000018d06, "\xb3\x62", 2); *(uint64_t*)0x200000018ea4 = 0x200000018d40; *(uint8_t*)0x200000018d40 = 0x40; *(uint8_t*)0x200000018d41 = 0x1a; *(uint32_t*)0x200000018d42 = 2; *(uint16_t*)0x200000018d46 = 6; *(uint64_t*)0x200000018eac = 0x200000018d80; *(uint8_t*)0x200000018d80 = 0x40; *(uint8_t*)0x200000018d81 = 0x1c; *(uint32_t*)0x200000018d82 = 1; *(uint8_t*)0x200000018d86 = 0xfa; *(uint64_t*)0x200000018eb4 = 0x200000018dc0; *(uint8_t*)0x200000018dc0 = 0x40; *(uint8_t*)0x200000018dc1 = 0x1e; *(uint32_t*)0x200000018dc2 = 1; *(uint8_t*)0x200000018dc6 = 9; *(uint64_t*)0x200000018ebc = 0x200000018e00; *(uint8_t*)0x200000018e00 = 0x40; *(uint8_t*)0x200000018e01 = 0x21; *(uint32_t*)0x200000018e02 = 1; *(uint8_t*)0x200000018e06 = 8; syz_usb_control_io(/*fd=*/r[44], /*descs=*/0x200000018a00, /*resps=*/0x200000018e40); break; case 69: syz_usb_disconnect(/*fd=*/r[45]); break; case 70: syz_usb_ep_read(/*fd=*/r[45], /*ep=*/0xd2, /*len=*/0xde, /*data=*/0x200000018f00); break; case 71: *(uint8_t*)0x200000019000 = 0x12; *(uint8_t*)0x200000019001 = 1; *(uint16_t*)0x200000019002 = 0x110; *(uint8_t*)0x200000019004 = 0; *(uint8_t*)0x200000019005 = 0; *(uint8_t*)0x200000019006 = 0; *(uint8_t*)0x200000019007 = 0x10; *(uint16_t*)0x200000019008 = 0x1430; *(uint16_t*)0x20000001900a = 0x474b; *(uint16_t*)0x20000001900c = 0x40; *(uint8_t*)0x20000001900e = 1; *(uint8_t*)0x20000001900f = 2; *(uint8_t*)0x200000019010 = 3; *(uint8_t*)0x200000019011 = 1; *(uint8_t*)0x200000019012 = 9; *(uint8_t*)0x200000019013 = 2; *(uint16_t*)0x200000019014 = 0xcc; *(uint8_t*)0x200000019016 = 1; *(uint8_t*)0x200000019017 = 1; *(uint8_t*)0x200000019018 = 9; *(uint8_t*)0x200000019019 = 0; *(uint8_t*)0x20000001901a = 9; *(uint8_t*)0x20000001901b = 9; *(uint8_t*)0x20000001901c = 4; *(uint8_t*)0x20000001901d = 0; *(uint8_t*)0x20000001901e = 0; *(uint8_t*)0x20000001901f = 5; *(uint8_t*)0x200000019020 = 1; *(uint8_t*)0x200000019021 = 3; *(uint8_t*)0x200000019022 = 0; *(uint8_t*)0x200000019023 = 0xa; *(uint8_t*)0x200000019024 = 7; *(uint8_t*)0x200000019025 = 0x24; *(uint8_t*)0x200000019026 = 1; *(uint16_t*)0x200000019027 = 0; *(uint16_t*)0x200000019029 = 7; *(uint8_t*)0x20000001902b = 0x11; *(uint8_t*)0x20000001902c = 0x24; *(uint8_t*)0x20000001902d = 3; *(uint8_t*)0x20000001902e = 0; *(uint8_t*)0x20000001902f = 0xf5; *(uint8_t*)0x200000019030 = 5; *(uint8_t*)0x200000019031 = 4; *(uint8_t*)0x200000019032 = 0; *(uint8_t*)0x200000019033 = 7; *(uint8_t*)0x200000019034 = 7; *(uint8_t*)0x200000019035 = 0xc1; *(uint8_t*)0x200000019036 = 0; *(uint8_t*)0x200000019037 = 3; *(uint8_t*)0x200000019038 = 3; *(uint8_t*)0x200000019039 = 2; *(uint8_t*)0x20000001903a = 0xc; *(uint8_t*)0x20000001903b = 0xd4; *(uint8_t*)0x20000001903c = 0x13; *(uint8_t*)0x20000001903d = 0x24; *(uint8_t*)0x20000001903e = 3; *(uint8_t*)0x20000001903f = 2; *(uint8_t*)0x200000019040 = 0xd; *(uint8_t*)0x200000019041 = 6; *(uint8_t*)0x200000019042 = 0x13; *(uint8_t*)0x200000019043 = 0x80; *(uint8_t*)0x200000019044 = 2; *(uint8_t*)0x200000019045 = 0xe; *(uint8_t*)0x200000019046 = 1; *(uint8_t*)0x200000019047 = 3; *(uint8_t*)0x200000019048 = 8; *(uint8_t*)0x200000019049 = 7; *(uint8_t*)0x20000001904a = 7; *(uint8_t*)0x20000001904b = 4; *(uint8_t*)0x20000001904c = 0xeb; *(uint8_t*)0x20000001904d = 6; *(uint8_t*)0x20000001904e = 4; *(uint8_t*)0x20000001904f = 7; *(uint8_t*)0x200000019050 = 0x24; *(uint8_t*)0x200000019051 = 1; *(uint16_t*)0x200000019052 = 3; *(uint16_t*)0x200000019054 = 7; *(uint8_t*)0x200000019056 = 9; *(uint8_t*)0x200000019057 = 0x24; *(uint8_t*)0x200000019058 = 3; *(uint8_t*)0x200000019059 = 0; *(uint8_t*)0x20000001905a = 6; *(uint8_t*)0x20000001905b = 1; *(uint8_t*)0x20000001905c = 2; *(uint8_t*)0x20000001905d = 0x53; *(uint8_t*)0x20000001905e = 0; *(uint8_t*)0x20000001905f = 9; *(uint8_t*)0x200000019060 = 5; *(uint8_t*)0x200000019061 = 0xc; *(uint8_t*)0x200000019062 = 0; *(uint16_t*)0x200000019063 = 8; *(uint8_t*)0x200000019065 = 0; *(uint8_t*)0x200000019066 = 3; *(uint8_t*)0x200000019067 = 0xef; *(uint8_t*)0x200000019068 = 0xf; *(uint8_t*)0x200000019069 = 0x25; *(uint8_t*)0x20000001906a = 1; *(uint8_t*)0x20000001906b = 0xb; memcpy((void*)0x20000001906c, "\x8d\xca\x6f\x86\xba\x15\x43\xf9\xfd\x54\x17", 11); *(uint8_t*)0x200000019077 = 9; *(uint8_t*)0x200000019078 = 5; *(uint8_t*)0x200000019079 = 1; *(uint8_t*)0x20000001907a = 2; *(uint16_t*)0x20000001907b = 0x10; *(uint8_t*)0x20000001907d = 0xa5; *(uint8_t*)0x20000001907e = 8; *(uint8_t*)0x20000001907f = 3; *(uint8_t*)0x200000019080 = 0x13; *(uint8_t*)0x200000019081 = 0x25; *(uint8_t*)0x200000019082 = 1; *(uint8_t*)0x200000019083 = 0xf; memcpy((void*)0x200000019084, "\xfc\x2a\xb7\xfa\xb0\x2e\x86\xb9\xc8\x3c\x1a\x1c\x2e\xe5\xba", 15); *(uint8_t*)0x200000019093 = 9; *(uint8_t*)0x200000019094 = 5; *(uint8_t*)0x200000019095 = 0xc; *(uint8_t*)0x200000019096 = 8; *(uint16_t*)0x200000019097 = 0x400; *(uint8_t*)0x200000019099 = 3; *(uint8_t*)0x20000001909a = 0; *(uint8_t*)0x20000001909b = 0xbe; *(uint8_t*)0x20000001909c = 0x13; *(uint8_t*)0x20000001909d = 0x25; *(uint8_t*)0x20000001909e = 1; *(uint8_t*)0x20000001909f = 0xf; memcpy((void*)0x2000000190a0, "\xd9\x81\x1e\x1e\xd3\x64\x2b\xab\x8c\x2a\x71\xbc\x25\xbf\x6c", 15); *(uint8_t*)0x2000000190af = 9; *(uint8_t*)0x2000000190b0 = 5; *(uint8_t*)0x2000000190b1 = 3; *(uint8_t*)0x2000000190b2 = 0; *(uint16_t*)0x2000000190b3 = 0x3ff; *(uint8_t*)0x2000000190b5 = 0x7f; *(uint8_t*)0x2000000190b6 = 0x96; *(uint8_t*)0x2000000190b7 = 7; *(uint8_t*)0x2000000190b8 = 0xf; *(uint8_t*)0x2000000190b9 = 0x25; *(uint8_t*)0x2000000190ba = 1; *(uint8_t*)0x2000000190bb = 0xb; memcpy((void*)0x2000000190bc, "\x0e\xc3\xb8\xef\xc0\x22\xfc\x1b\x47\x4c\xae", 11); *(uint8_t*)0x2000000190c7 = 9; *(uint8_t*)0x2000000190c8 = 5; *(uint8_t*)0x2000000190c9 = 1; *(uint8_t*)0x2000000190ca = 0; *(uint16_t*)0x2000000190cb = 0x200; *(uint8_t*)0x2000000190cd = 0x18; *(uint8_t*)0x2000000190ce = 5; *(uint8_t*)0x2000000190cf = 3; *(uint8_t*)0x2000000190d0 = 0xe; *(uint8_t*)0x2000000190d1 = 0x25; *(uint8_t*)0x2000000190d2 = 1; *(uint8_t*)0x2000000190d3 = 0xa; memcpy((void*)0x2000000190d4, "\xe3\xc1\x06\xc5\x4a\x63\x63\x8a\x2e\x82", 10); *(uint32_t*)0x200000019280 = 0xa; *(uint64_t*)0x200000019284 = 0x200000019100; *(uint8_t*)0x200000019100 = 0xa; *(uint8_t*)0x200000019101 = 6; *(uint16_t*)0x200000019102 = 0x110; *(uint8_t*)0x200000019104 = 2; *(uint8_t*)0x200000019105 = 2; *(uint8_t*)0x200000019106 = 8; *(uint8_t*)0x200000019107 = -1; *(uint8_t*)0x200000019108 = 0; *(uint8_t*)0x200000019109 = 0; *(uint32_t*)0x20000001928c = 0x3d; *(uint64_t*)0x200000019290 = 0x200000019140; *(uint8_t*)0x200000019140 = 5; *(uint8_t*)0x200000019141 = 0xf; *(uint16_t*)0x200000019142 = 0x3d; *(uint8_t*)0x200000019144 = 5; *(uint8_t*)0x200000019145 = 0xb; *(uint8_t*)0x200000019146 = 0x10; *(uint8_t*)0x200000019147 = 1; *(uint8_t*)0x200000019148 = 0xc; *(uint16_t*)0x200000019149 = 0x40; *(uint8_t*)0x20000001914b = 0xab; *(uint8_t*)0x20000001914c = 3; *(uint16_t*)0x20000001914d = 0x100; *(uint8_t*)0x20000001914f = 0; *(uint8_t*)0x200000019150 = 0x14; *(uint8_t*)0x200000019151 = 0x10; *(uint8_t*)0x200000019152 = 4; *(uint8_t*)0x200000019153 = 0; memcpy((void*)0x200000019154, "\x56\x99\xf3\x92\x8d\x2d\x0a\x00\x63\x3f\x2b\x02\x58\x4c\x01\x6a", 16); *(uint8_t*)0x200000019164 = 0xb; *(uint8_t*)0x200000019165 = 0x10; *(uint8_t*)0x200000019166 = 1; *(uint8_t*)0x200000019167 = 0xc; *(uint16_t*)0x200000019168 = 0x80; *(uint8_t*)0x20000001916a = 0; *(uint8_t*)0x20000001916b = 8; *(uint16_t*)0x20000001916c = 0x6baa; *(uint8_t*)0x20000001916e = 2; *(uint8_t*)0x20000001916f = 7; *(uint8_t*)0x200000019170 = 0x10; *(uint8_t*)0x200000019171 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019172, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019174, 0x98, 0, 16); *(uint8_t*)0x200000019176 = 7; *(uint8_t*)0x200000019177 = 0x10; *(uint8_t*)0x200000019178 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019179, 0x12, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 3, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917b, 4, 0, 16); *(uint32_t*)0x200000019298 = 1; *(uint32_t*)0x20000001929c = 0xc1; *(uint64_t*)0x2000000192a0 = 0x200000019180; *(uint8_t*)0x200000019180 = 0xc1; *(uint8_t*)0x200000019181 = 3; memcpy((void*)0x200000019182, "\xb6\x43\x49\xde\x30\xb2\x3e\x68\x3c\x87\xb0\xfe\x59\x34\x1d\x26\xe0\xe3\x91\xac\xdf\x6a\xd0\x57\x1a\xcc\x05\xf8\xe5\xfc\xfd\xc3\x93\x6c\x96\xd9\x99\x06\xc4\xc1\xe5\xd9\xce\x59\x60\x9e\x60\xfc\x39\x40\x29\xa1\x9f\xec\x98\x1c\xfd\xe7\xe9\xd3\x8c\x14\x65\xf6\xa0\x4b\x5b\x0e\xe2\x98\xf5\xf2\x1e\x58\xf7\x1b\x8f\x71\x00\xd1\xbc\x55\xca\x97\xb1\xb3\xab\x63\x48\x5b\x92\xe1\x66\x30\xae\x0c\x53\x93\x15\xc2\x5c\xef\xc3\x47\xd6\x6d\x80\xc2\x53\x1e\x81\xaf\x67\xe1\x79\xc1\x69\x66\xbc\xb8\xe9\x98\xe0\xcd\x1b\x3c\x2b\xdc\x6c\x04\x99\x46\xed\xb3\xea\xaf\xbb\xd9\xb5\xf0\xfe\x7c\x59\x25\xb6\x19\xe8\xe7\xcf\xce\x1a\x62\xc4\xd2\xac\x45\x97\x40\x06\x5e\x9f\x9e\xb7\x22\x02\xc0\xed\xae\x4b\xfc\xf5\xd1\x1b\x93\x14\x58\x1d\x63\xe6\x88\xec\x40\xc0\x37\xa3\xc4\x1c\x02\x20\xbb\x1a", 191); res = -1; res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0xde, /*dev=*/0x200000019000, /*conn_descs=*/0x200000019280); if (res != -1) r[46] = res; break; case 72: memcpy((void*)0x2000000192c0, "\xb7\x25\x34\xd8\x42\x09\xa7\xa8\x62", 9); syz_usb_ep_write(/*fd=*/r[46], /*ep=*/3, /*len=*/9, /*data=*/0x2000000192c0); break; case 73: syz_usbip_server_init(/*speed=USB_SPEED_LOW*/1); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); for (procid = 0; procid < 2; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } : In function 'execute_call': :7298:17: error: '__NR_socketcall' undeclared (first use in this function) :7298:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor3043639989 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/17 (0.41s) csource_test.go:161: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_io_uring_complete(0x0, 0x0) (fail_nth: 1) write$cgroup_type(r0, &(0x7f0000000000), 0x9) (async) cachestat(r0, &(0x7f0000000040)={0xffffffffffffffff}, &(0x7f0000000080), 0x0) (rerun: 4) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0xf503, 0x0) r1 = openat$bsg(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bsg/2:0:0:0\x00', 0x2000, 0x0) ioctl$AUTOFS_IOC_READY(r1, 0x9360, 0x76) setsockopt$pppl2tp_PPPOL2TP_SO_RECVSEQ(r0, 0x111, 0x2, 0x0, 0x4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f0000000240)={0x6, 0xa, &(0x7f00000001c0)={0xfffffffffffffff7, 0x4, 0x7, 0x1, &(0x7f0000000100)=[0x4], 0xd8d, 0x40, 0x42, &(0x7f0000000140)="397015495b433e062b4ef549b056c6053006148248bee934bd6a208a2a61c79f4a49357e536538e086957c377ed1f5a646b74017e305842144812e9bba2901bf4411", 0x9, 0x1}, &(0x7f0000000200), 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f00000003c0)={0x6, 0xa, &(0x7f0000000340)={0x3, 0x72, 0x23, 0x8, &(0x7f0000000280)=[0x107c, 0x10001, 0x7, 0x5e, 0x50, 0x5, 0x4, 0x1], 0x80000000, 0x4000000, 0x7b, &(0x7f00000002c0)="318d74c326f1d0a1ddbde1b51264ef98bfda4fb69c29e7e26f55d00aa6bd2497e23c8495bbc94403a7cba75120bcaa832dd53aee8ea1a66a79dbbaf3f0e23210a900059df2ddaca7125bd90eb91fa2c9c8109eb62552e90a219ef966dcaa594c33a1e623bc0d18fe1db97c9eb7beab52ef03c21bf7e61449526687", 0x10, 0x80000000}, &(0x7f0000000380)={0x0}, 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_PVRTL_TLWRITEDATA(r0, 0xc0206440, &(0x7f0000000500)={0xf, 0x7, &(0x7f0000000480)={r2, 0x77, &(0x7f0000000400)="8e468e19aab047d4e00e0ed7fae1830e8eaa0f74bf5f1a071c66a6cd46197d7c22aa47147d723bee80238fd9e275b5c9ac9c8979f6fcbd068acc9469f561db806a720d53b1dc48320b365bad54f04e1acd0ad40862618d0e8953cd0202169e1549392bb2edd07d80fd37fce2f6f848013f383853951906"}, &(0x7f00000004c0), 0x14, 0x4}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@data_frame={@msdu=@type00={{0x0, 0x2, 0x7, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1}, {0x3}, @device_a, @device_b, @from_mac=@broadcast, {0x9, 0x3}, "", @void, @value=@ver_80211n={0x0, 0x7ffe, 0x0, 0x3, 0x0, 0x3, 0x1, 0x0, 0x0, 0x1}}, @a_msdu=[{@device_b, @device_b, 0x70, "387497a69841a2e528b4f29912f3dd10b50ba5a1e170cc5b6d1c7a78f57a5e0fcc9b2e9a5e87d25516580ea1f223f1317f86ecc39117cf0e535c2e2befcf11ff81999d1b87d9b198c803d72ad724e94c783ccac7763ad34e6f7491b3637ce2f46677a7612873ed0a3fb64c0b3d78503b"}]}, 0x9c) syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000140)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000180)='bpf_lsm_path_link\x00') r3 = syz_clone(0x40000000, &(0x7f00000001c0)="4998de6d85ea9e09841517b61ce22a88", 0x10, &(0x7f0000000200), &(0x7f0000000240), &(0x7f0000000280)="b9662d100f99f4e91d1de2c980ce459994b046bfe06b9a28c60dea9680ab4bcc3f5d3397a5a251d7ba7693b7eb37177d030a2b3fce8a232e5b03f10a948052ee907fb32f575b2310fae99107f95ccab714722f59ecdb") r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000540)='./cgroup.net/syz1\x00', 0x200002, 0x0) r5 = syz_clone3(&(0x7f0000000580)={0x200, &(0x7f0000000300), &(0x7f0000000340)=0x0, &(0x7f0000000380)=0x0, {0x22}, &(0x7f00000003c0)=""/179, 0xb3, &(0x7f0000000480)=""/66, &(0x7f0000000500)=[r3], 0x1, {r4}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000600)='./file0\x00') syz_emit_ethernet(0x56, &(0x7f0000000640)={@broadcast, @remote, @void, {@canfd={0xd, {{0x0, 0x0, 0x1, 0x1}, 0x13, 0x0, 0x0, 0x0, "52ba74a68ef063725a233b9509b8fd57d58ee264c37d44cd7c1e1075f83d41720f374e7e3c9c01b86bfdba9077a2c5bd2b73eb43874764a25316bd3b28368a77"}}}}, &(0x7f00000006c0)={0x1, 0x1, [0x193, 0x6b4, 0xfe9, 0x1fd]}) syz_emit_vhci(&(0x7f0000000700)=@HCI_EVENT_PKT={0x4, @extended_inquiry_info={{0x2f, 0x4f7}, {0x5, [{@none, 0x0, 0x6, "d24446", 0x8, 0x5, "43ca60b9ed4eb6934c4457f2bc5aa0ae593beeed8a789aefcfb8ec83ec7529d54cba5b40db8e0bbc549bf2daad5883da0869b376fdc0e0cc708e0215c9ba10d54ce801346c9731123e8edc523098a8c4c4e09c8ca5afaa510b825705bfcb534ccb8161511b23c1ef7eac6690ff08a8b48fec50ca28d759369c7000689e8e5efa7d691c1c67b2d98dc9bce7fe04657d156d148fa4c0e8ed5df1b820ab6fbd4c2f10f692da5df9e9e9e7463f732b908fe70608b36c8d33664739b2fbd81806cff9b2a19fddeca0685d84a3b4fb6e4b2da14198bdccf86f6daabd361fe7a259ac83c1e9a1ae73429f5bd2465cab2487bdd0"}, {@none, 0x9, 0x6, "7aa2fc", 0x2, 0x5a, "052195f68d623e277339549cd0596ea8d93dcb3704365a1fe131001ddfc78677d59246b7163b2a857523bc03137c5e74d51f91c59eea5ec1c9003d000733a466a074866803d3394bea9a3b3d7e5d67755ff3abb6cf741dde943f2a053ad9b328d0c53cded27abd1cd237341fd89842736abc794f81576ed5b95189dd4794b90dfe6748ae5c405e0827a8439ca368fbd6ea5a49d147e5364c2ffe32013afa0b7b4017951cc96a1d5aab926c9a85ac3529020fc62b2b8faa56f674682b27d994bcb4746d7aa06ef430a6140eec740627569287c2abf99514a28751d16d3b7aec64c16a217bfe2b13bdaa911d976f481516"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x3, 0x5, "24b80f", 0x7, 0x7, "b3ada341371175469ded69ecf799e4a1194f89133c06019703d569cd1c29c53a302e49b159a78f22df58260ea65730f1d60ce2bffb5bb00da408a73ba94586b850c8bdc188017de780947019c1160e4de6a4bcff9679840ee2f1bec62851a512f73912564c278f8bcf11b2459af745c4e302f7542fb586c218df5d5d741dd3b331b090adf53a39e6d179f698937eaf1f296ed38be5f78009b5593fbad7ce8de3177e1b85401c9b10180116ab3dd2b79fb27cf6b781b02c10d92b9077231baff2d796bdd6a60934decbd4730b8cd3a7f5d73b9d56fd8fe4428a8ee6e9aab0f07a170ed8880da6937863d6e273a5a50847"}, {@none, 0x2, 0xc, "ea7fc4", 0x8df0, 0x6, "717a9cb0a4bb327cbcd40c45a41da58abafefc56db61d4de5f808e54dafa830d32821b9b3d09636dfb4f09884853b276996613006c4936095b667d41cadb7d45b307e434c15619b8d90319f2ffe145511dffdbe0c87aa2eea977359cba985c28336398cb6fe4939f4c70271bb9890a63ce61b91d2ff386c94b83c3fee9a43bb705eadc97907676652fe06cf8872966ee9d8cb21f242185448f0c688a9d0b6bb5923c37587850bae8b0438915fa4b062009eacb71d33909586de59d758a635e4e18f5c5fd4e4cd08134cf4af6e71c783cbc71ea85fbc2e67d8499622ac2460d44822b33339f122efe0f0b0c76b56c3473"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x10, 0x6, "c5ecb3", 0x7, 0x5, "230276296df7a839cdb0c698a3b6cebba6e7f8f843267597af962842e4a5f003617064f27e1db99a03c126776b86d3b4b4ba41356c681f7ba54c248e2ae9f43ef5aa08f30721c5fbb3d7a0fb95da303be2e2607d775877945e61f5c98b72e4bd3f5b92c3ebc55a167e4bab5f16468e5d14ce3c988f71872d0985a2f50374c672de1477f60bd549a28206d4100aab9c222ba3330476025534ba2faf03a5c7e8885fe8041fcc9bf6de815abf2e09175e1981f89551e9b5cb59bb493e950edfc5ea0036351e4978cd63c8a50646e7104756e20605773fbd3e7131b7a55d8b60086b4fceb02b3015ba49de2d541fb06a9d27"}]}}}, 0x4fa) syz_extract_tcp_res(&(0x7f0000000c00), 0x1, 0x5) msgctl$auto_MSG_STAT(0xab1, 0xb, &(0x7f0000002fc0)={{0x8001, 0xee00, 0xee00, 0xdaf9, 0xd56, 0x6, 0x7}, &(0x7f0000002f40)=0x6, &(0x7f0000002f80)=0x8, 0x9, 0x3, 0x6, 0x7, 0x101, 0x9, 0x3, 0x7, @inferred=r6, @raw}) stat$auto(&(0x7f0000003040)='./file0\x00', &(0x7f0000003080)={0xfffffffffffffffb, 0x2, 0x1, 0x7, 0xee01, 0xffffffffffffffff, 0x0, 0x74ff, 0x4, 0x9, 0x5, 0xc50, 0x3, 0xd, 0x5, 0x1650, 0x4}) fstat(r4, &(0x7f00000031c0)={0x0, 0x0, 0x0, 0x0, 0x0}) shmctl$auto_IPC_STAT(0x81, 0x2, &(0x7f0000003500)={{0x6, 0xee01, 0xffffffffffffffff, 0xe, 0x101, 0xf1, 0x40}, 0x287c, 0x6a1a, 0x2, 0x9, @inferred=r3, @inferred=r6, 0x0, 0x0, &(0x7f00000033c0)="056976a58633696b63367a4cb488b16ce85e89943e5f0928ec40d6d893807fa6c44c5d38daab118433a7e8f1c46e1f060f28165f41adb8e679cd9e46ac384774e56bca1880a690fc3f8ed5f124dd98467a33bb40cf191cfbb9590f59179bb611cce789225922a0ef4f2286f87f847214fe25618b989a0501e7eca7170a3913bc68b4539966e289ff94ac31e8823668bd0499d09b055c41410ba2f2101abaf7155399f97ee924e9277e6f54819f12fef3c5769378b344b6ff6409edc578c6c93accb0f08a5d8ffcab30cdbd713d1b93ee7b8eefdf77ea", &(0x7f00000034c0)="020c5a2af3"}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000004640)={{0x35cdee94, 0x0, 0xffffffffffffffff, 0x3, 0x6, 0x2, 0x80}, 0x3, 0x8, 0x7ff, 0x1, @inferred=r7, @inferred=r5, 0x9, 0x0, &(0x7f0000003580)="cd052c206f368b4a7d16e28cd36b1ea6d10dab7017b7d085ea27b3e3389d760d2277e20febc686f359d6083a629e7981089e0419c7b562dbbdc2e67c1e95104a390549c9371a4345f2aa7d8458094c6075b84d11486d27bf68233bb457eb106bab49a3fad299b590025e4fb5e43c712ad891f39138bdb922ea9d21b7cfc7c343f9a21496c66922cab8e66535337a89a717c354bf1846b506c234a3093d728c6baf272a6fa5153dc039f87e0a36744e1f80f2aac030e2f8ae6a7dbcd3f17bc68ad0b61ce31212c46edd615d571b338e22c0ed5d26f7bb2f365ecb2c432647a7c6d775b0e41db928f9e7b2af72d690acf8b2ad8c2e000505b6952c4ab9e2a8ecd07de44b2b48af7b894696ae567b6dd0a1f99b007a8fcf41db20827f58325a9e8812354425bdcc3f81f2d3863d7777fd80360eb8b9e77e47059a1d2265733c4a8a063b45ed0b8c2481e1cdeafddc5f42c931b3d3e710e4538bbad815479cd9afdc5cb44723026c4bc006e256f6f427042c6765a3b253e9356ca1ce45d9d83d5e111928b47a8ab8422b37e8c382436862c944e08ebbadd1a33686219ab8cf995c12a7ab7085a79a7d1ec3c6cd73a443cfceacbaca1d7fc0cf34d58c9277881f983746ff62fe41d0f4f7a12ff44f4ba5bf7d8935bf09a88ad98ea8a9124de178c28acdf1ba1a9734d6c225da591c229d313fcbda810b0f1057b0730a9572a807758defb579db3ad021ac316fb744a1582c16256ea1c6bfa26c73af1e2b6c4b8e7ef329e7cad7db91799dc044aecce5f06e803a4d85bcf5f45dc015d13e3f2c1892099ee653777ca5f6c92e41f4e30ba30f832703df08a416752b831b46c56563820fce5ed3421e9b2ed0a19c64e9b2bb8081ea08255fdad2f235e7bac68f946b3427a44a758e78dadd8e42a909a77851bf66b01e427c2fed94ffee1d65e21753b39bce8daac6d6f11696e003a5f3c21bf9d1cbf4bdb8f3cf5ae542fe7b255fb5ae7b184fb59db73550d293254277b4f94a71c93a909bbbfaf3df95c3e7c4170fe8b91f9ecb8673cb5492750edf45c76a20d94e21b0d3614d3a99f7c9e3978faf09e067f64926204cd090a9f115cbe7f727f5809976aabd337e8b2aee42a9bf68e2fccd4152b3d9831149d40c75469fd9b03fe1860dc1920ac7d869ed88d4148cb746f5eb32a2761eed4473c54315d0d91044b62a14537c825c8cf578fbd68cf8748d67722e27b81f9fbcc13271c23335057cabced862125f764f5321f59643514392b72e2de32b1a54e4096ef73d0692ec6a365c035d0cbfdf77ac650e7de4c3dcc5a2f60c4e08536e75ccd81a41425a1de44ea275baaa2a7cd16ef64b41cc71f856861217bf243e8f61c899f56f4c64e116e0bb020986eca1f2a0d8fe1ab5130b639a7db41b54fd262ac858452a2c79d82d99ae5979571701dbb30fc7aedf237dc785bea7576ede6cfe60c53d88db5e7db59b3214c8e7f081a61d3b699eeb802e6ef4e298b87ab22a20bb1f3e8e4f7fe56c318d4bfa3eb312b9f3e75957bf62647e309ca0a5f669cdedb2c309aa7245cc832077f641b2cece614f0938ec1d456600fa30064f249e2f8efbacbd9d2eb90e99fc0938edca24924edaed9fbc50b1292e6475a5b4f38bfd379401eeda87b2d17de03ceb23d788db69b548ae2456989b8a5189d3800203890eb9a0491a20f44603c881ffb0647e7ff291139e80a5c46aeb4322e59356d9fb1e6dd3dffefd4df3e35eac72f2921774771b8e288adb818c8560554a7ae3647ae49baa80776b747abc82dcf9e408e8fd14472d3a5d7ee014a7ba4374306a6eade2df580389cad9f548bc42769b27c8c4aefddbea9c3d89d9960551cfcbfe37c214cb5fb31d9835f1f8a8857e53b36e91bfe3a2e3559d3838050afd13bfc6924587c8d22c21c2df3cb2a0e06f01f23103c4b6955a985a7b26347a6a9d178e835e775365d41fe3443ae79970dac382a32a597c3d567d0511b5dcdb4ebd1271db6e675a4f343f9501f10ab4723738bebb6366241cd602673ff9c76912de6141c5cd4f2ef95e7efd66dd51b565dd50035f8f7e86b576d5129481ae75f7a9b7cf033a402502d5d1b5aa4115ba1b84f7f2cc284e3f636a234f40e0aa118c8f9d0ce6fb7ee613cc2f1cc7ecc2e264b2573ac3dc264aaa27643a483a1cb38e2b0237775ecaed626f7cb89bc563492ffe1e5ae6401cd82a9ad0fbc32f7b5bd3029bdab72a8d47f34b37011e9fba52075a56b89f2963edca796930a4998c755da0d251da985a1829cd10ce7665d2b364776bd6c76ef9978f800b453fa7c2704838dde05f2f6489f31e35f6d731c2678f3285070f297cb3bc03c0a012b22fca31295576acc3e679bbcba5fceb7ee7692749fcc58495614eb4a7f3a1fa7f21a655172da28ca916292dc7484834c31a3e5f54912f10271d5867e57bc46466d781bbb502ef32ed8b2b4452a58e212e7db8aee573dc6252142ec5bf2683ded9a58b60cf7883ef04bd502e3df2d621bec0e7fcaf6726e84fb1c6953722c7b8523d4cb6e4b55bc3d196c793c44858814b029eb23e8f80b66aefdd8be21541228608852fc354f75605aeefb828971defa68e28cdc694b24f2f461c707d27b98da4000f9c823ebb3384c50d6e41e5ddaa601b696f41a9ba4feee08852874bf0e31d20152895e1da84a94d529a194be53a886304e7e360a6a40d2d4074905bbfd06e3713375b31bcca23f4db67da9bf6920a5bb44885dcc3086ca7895c1069dd35f189e57ce60f8e0b0b5d337bd669d3deac1f0115570a5fa6505fac83c621c46f693d84dc77e2148e887a822d86c8c0ff4c00485c7f37a5198c69c881c158b744fd09cc76c0574f4acaad646204552774e98e17c3998e34e75628da2630a531cfe927d3c55ef02df3377eab25143589a50a07a32906e714ea42584b3d69d7ddda2fc0fa486a0e93baf78ff1b35d98c0823841230a26b52120a445115adb78d8fd99b71ab86bd27aaecd1659e89f99efa54f8764c2f4bc01975ace6f35d27c2d18c713a9947179211819dc42f7cf3fe6b546674f1446f0c81aa08277ec6b140e14b6e4360782bd17d03255208cac917a5f8ac03e6e8d13d0e62d11bf55d00b3f8f1e80b8551bd7b65b6284d1566cdfdf4307a5ee5ce8bdd6fd04a3edb4871ba97aa01d673af337698f0ada53cab9bdf9f631d0ccb7617ff13e0a3b3785ed26db722e163271b1f5e4690005249427bd44362c6631157286dbe4ac19620b55a64fa6958fe32ff13b1addfd7f56a16f79daf4e9278727578d0154118fe591a0d89af07d8bc3582cf51a01766d9c9ee3f8f80b58e86fdfbb4770e6cf2554b0d9e0769928c4a2f383aaa525ddf4734f4cb19996be80b4c91f91bbca6094ab910b665241e29b3d48784f80d32d2161347d2bfd791a66c6e824f2308b07f767250d11626dbdcc9613683e46cdc9903aa0848803b4a3dfb1fc9b350d47164ec59db3651e1f5f9a5cc1ad484654ac3a7f013badb6a0ab87effaffd526a53bead659a15dc2fd631dcd843ec341804a563d06ff6c5631dda5044b9a99dc77bc4a4fe326798d672d450727e81e491533e6a21121e3b8e5cde35fb84e74fe5011896235fe05f335bf12e317240191e742df9438752984fbc697a53b3950e26b3da9031dc234e843326d04fe096b1c89ce93bc6c5a60d7e6f0c5e8438fd10fa66b3eef5df79a3df515245e2f370b913b9333875906015460283f873b82b791fb4db71aa4f57d8182bd914613ba4d85f2490bb9bfc6940c5c4986c544308c3ac22b795fcb0b5a062d3a15ae30f6b7ac271bf9aac4bdcd949aaee1d7bdc8895eea12daea16185d869d6cbd971ccf16e4da5d70376437a20b6ea6c35c507eaee0a0221c70527d69c57eb3551c617320ed3f817ee2a69988120964b331137406dde202c243a91a0d810d1613ac8709b26a0eccddd7fc75a0d818276cb4953bb8057626f23b721d6073d76586397a8f05d060d4e2dfcf14de48fadaae6ecbd5fbfe958a2f931c531ea325182ed29872a3dfec469074bcdabb2a1a13fe24667efaaa26c50519aa9335d306fd23379939743a10ac90d3171b3bd06a5b463ad1b612ef3d54f53fddff55a8eaef0b6f78779d948f7aa4598a1dcf726aaa45b99da0bca196812f9c5998608489e80ddef13a4b8eb030c71742c304665e15a9f56a77679e7c4d70aa84a53466bc5f50d55a676eae3cdf862936c8b2f3451e2187b7ae8ae1446e090142cb89e4ee09e40cd4a0fe820ec28450ed7e7ae2e0e47a3d4054a4acf536e9a3efb8fbf5d0d6fbc69a51bad4a6723d62c8311ec224ecc71048bc16f9805d917a8a6294c038b2842d61de810db1b1a6f37720d3011f5e55803850b6aa0c4bab3c812cd7dbab18a732ac8e167c49ecc8359388a95080cb1d796c324f1a9c3795749a36682357601b260d85c710dd0c67173a8e4c1aa1e95ddb860e37c44c990ec5d11c0e71907c3e5e5fd247fa321de92db50684506e829447a8c85909d2397ec11bbe0613a4d8af44c209bc4570293e9cf7ba6f47754fd0506ec34af2f9ef20250edc01f97b8374d82c7509a231b0d5c9b085f9948efce68c5712f96afcf4f92a1eb34934b1d664344104337c2b5028c8c7d6d7e62e74cf283d61dac1ad8721505c4884a81cf692aa33f801cbc7eee1ae61bd4c96a4b1adb88f24b0a5e7815c537b25b8bc2ee283e4e05fa0f157f194f5b22d6d0267fb0fd5ab10be2230cd21f870e0e651b5747bb7f4593ef52c8a2e51d5093ee1405e49bba6b36cf97f0b2f7150a10ab7669478a4831f9c5ee6790e91e93b0e814bc314b062c68a3d36cf48da349b0223802722d76b8bde97982f78dddab064084b3eea0a335bd0dd8461b10581d4a9aa699d542dba4ca8464f62ad3b9cd7e82026a3fd15c2bdb3e30a7643e82f2c8e764498866989e2fe5a9e89c237404aad6b55c2be458e3f6547f727f0b2c9052de4839a6b5f03f5a788e5a14d8448ee25b3dff69002d5fda5cafe5bed8260285b61ce3c53c16288ef8af1759f631360aee3bdc5ebfc229b967d1937996553952409f5f5860820fdd2ed846dab931b2d19fdda50693a926a41e56060f2d6c13c125c0c4b08e475a992cce4b51e0f76ebc3c7362fb1bb0b9805332c162e1e09d1ff0eb73b24e40d6188136bbc6ef8a36f632ea32ea4c06199181dbb78f399f47dfb4633d0f0768ee3d33befdcc3c0fa089c2182d6a85b272135eae3436bfa09b18b1021f37097994ad71ac94c97448e2b252a758616c15f0966447de5d6487105fa408042c90a9a89ce90f0728d7d767c472f60a1740c77c0a64af3ad4f94544ebb3de794201d17d6399765e055a5b94d569c6618e114275cfe79c2636369424e01ca8b8e3a530b924316f43df7e43cd070d1b09e8cc184ac7ae979119aae40155a2a67329e18722c3dc72dee0049eb4c29b306dc81de1a1967cfe17e97ca476562cad43e84ab3ec6e76d358829baad982241d0db7445454f6a405405057b57fb93dfbdc8dae5b30c64cd220dc48fdb5667a3c065f4b308bd076f95c810e91d5b2b921126128520028a700e506da6c7617f624242a59b874d06040911d534a0e15a5195fd8d9cb465176275119540034892cc6e6aaf174b06435625f9bde8e699e28cbeed2b9ae0fc684cbd8c77bf838086450395f22cd025c70460394cc219789fc7568379df9856583f796c8a2944b857077bd29f5478e8b3bdf916e6d67963f8c039ba469b60d0a24edb6f9e00402b6f286d88a4fc10bf764d8c37252710cb47b5693708", &(0x7f0000004580)="820718733b49daf8ed80b0ed25772d57d77435ef1da1ca4f1930ad4e713b84d4c1a24c712f02e0b86d1842c164415aa9e490e6c8230a89e309faf07d239dd7cd35da5cb5f36919db06df51a5a9c5fc8049897d04bb731725ff5f5d98476e15b1dbab8cdc405c2c17365805e27a61a5f061e7ead100272fe2d9bd8cae4a261b451919ebb927204c1f63a8908147b99835ba994378a32f9f1103574a08934fbc79d31aaf13"}) r14 = geteuid() fstat(r4, &(0x7f00000046c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000004740)={0x600b, 0xf, {r3}, {0xee00}, 0x6, 0x3}) shmctl$auto(0x0, 0xb, &(0x7f00000048c0)={{0x1, 0x0, 0xee01, 0x3, 0x6, 0x10, 0x1}, 0xfffffffb, 0xffffffffffffffa8, 0x800100000, 0x0, @raw=0x6, @inferred=r5, 0x40, 0x0, &(0x7f0000004780)="1f8aa38b61938fb7299a96aee61f6cfc70190f9df301d40ccf557795fc00d7759efa4ad1661cbb0d54c310aabcc29285c2ce84fcbe97407d849edec2f598b205fa5ea2460d0f615ad87e7e2605e8101f58adb62e178c78c454580a55d63f5e1d11f932250d1fefd45195451588bf530d73d83076a93a289b613bc68b49905423d7d5ace8016292e80377fed1b58877d9c4d04ea05ba8", &(0x7f0000004840)="b7376d34b8a4cc32667d885991bbbc6828d08bd669e6af09fe1e55bb32d885d217afb95645976390dd7308c504c5d39953a783b065bd4f0a72bfaa176a0d2acee5c8e41ff9b692a41d010c7b3459f84c721cdc4c7dad40cdb171ae49a556c98b5eda14db8d4cdcc0b47fa75bc9faa171e68b700c4960222516f6d5"}) shmctl$auto_IPC_RMID(0xfff, 0x0, &(0x7f0000004a80)={{0x8, 0x0, 0xee00, 0x5c6, 0x1000, 0x2}, 0x326, 0x3, 0x3, 0x7, @raw=0x1, @inferred=r5, 0x300, 0x0, &(0x7f0000004940)="8d80000898d81f2a2a537fc21c52023bc6ee66954a12a93f2418cd8b0b69067e3ffbce8f5d7431e001ed255fb5ed784374aad30a67500f8f6c042bf9e6670660d425f7611c7ecdfc450c05ef9c0a65c62dc2215fec7c02b712de12f5053e2c3f60d780fafc4d1ac221ca0907542932889c", &(0x7f00000049c0)="9ccfda869deb661f5fc9ba8f62d29a4ea3be9286f77ef11178f96e25e8bd888ecc08d452e94731dc6e97d39ab9814eec357acbb7ad4232899315b74df9b4df71302a482e3c52fc988162d57139e691028753aa86b20cbc060ceaf9de31cfbdfadb2802232870090286f90b426c18866fb62bb4662ac9cf938b12c2b380a1324d8313575eadbcec1a33832733dc87a6f8ef25230fc815e2b6756e60144a41195769ee48e21d497f0eb19aa12419eb8045ac2cada387"}) lstat(&(0x7f0000004b00)='./file1\x00', &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r22 = getuid() r23 = getuid() stat$auto(&(0x7f0000004bc0)='./file0\x00', &(0x7f0000004c00)={0x2, 0x3, 0x5, 0x6, 0xee01, 0xee01, 0x0, 0x0, 0x1, 0x5f2b, 0xffff, 0x2, 0x8, 0x80000001, 0x5, 0xcc8, 0x6}) shmctl$auto_SHM_LOCK(0x6, 0xb, &(0x7f0000004dc0)={{0x2, 0xee00, 0xee00, 0x401, 0x9, 0x6, 0x8}, 0x0, 0x8, 0x101, 0x4, @raw=0xffffff46, @raw=0x8, 0x2, 0x0, &(0x7f0000004cc0)="00b8fcb8c51e1af15f5b1d2c15821bb8f4e846f20d662dad19a0e59429994859bb1d0b6c63ef694416acb494494c6618f98573d370cc435065ec4da9efd3f67626f44c18b96b", &(0x7f0000004d40)="23c6651878ddaa085ae0bdfb7ccbb08b71af34f9f1565e8ac77c5293baddfe69ea20aced26de58664b32ebf6f734d3f7f692065fe4f99ea283362b12f96cb972632e80273d014687"}) msgctl$auto_IPC_SET(0x1, 0x1, &(0x7f0000004ec0)={{0x0, 0xee00, 0x0, 0x19, 0x6, 0x7, 0x53}, &(0x7f0000004e40)=0x3, &(0x7f0000004e80)=0x5, 0x45, 0x38, 0x0, 0xffffffff80000000, 0x4, 0x42, 0x7, 0x2825, @raw=0xa21, @raw=0x1}) shmctl$auto_SHM_STAT_ANY(0x80, 0xf, &(0x7f0000005680)={{0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8, 0x6, 0xa87, 0x6}, 0x5, 0x7, 0x6, 0x1, @inferred=r6, @raw=0x5, 0x4, 0x0, &(0x7f0000005480)="feedc6aeab06ac00e00a4726dffa893698621bfa7d41a1acc3b82488d27e0ad499d0f4717604496303a3c32eeeb44df079182f9c1f77ba86b5d75d3cfc32f45062e93e184cec890244b195f2cd11bb0a90f2a2d8f67cc5c0be21ff7a4f4d4a43b7fb2ba733040d26fae0fb332ccc405709c4b602936c96942a8eb5ae327c87db6f2f6f610f803cc6d8d2099ec2a87419cd0c206b74ac2497ac1f8b637cffd4427dae82e77beaf37ce6f5d2bddeb31944c36a67ec4346592b8b0a7f4f28c952c8f6bcbe0a5ec35aae354c1f9e66bfab1fa0f8fbe02e56af6ecce525617800b42e8cb5831e20ae90e73bdd29da4c8b8d1d00ad8e8e8d8f", &(0x7f0000005580)="48fe27d996540af39ee63ed5b8cfd8523c9eeea2a9f619601421c6140e3a984abc8a5f421ac2621ad09dcfe4b7038983e0e88240cf3dd61196976f836b58bc78e8d080446c8c46fa4d9a6b522942ef8d58f89f4010f6b62b5aff902753b62fb29fb8a8a3a475f3e0e445bc8a4fe018fb6a5e3c2d534aabd3b0915d7b065781ca8cdb3eb734016390638cde9640375b4dfc90c211603b5ea2bd44295750415067bc3f147a66d77dcfbf658480369e1d1f193dad08c00f36c99af5c1b52ff0a1f2e893841f1a2de097fb0e001abdb956f682de1ecfc1801ec9436f864d3abe6e7f9e332a32e9e5445d85ed613ba1d59a8ae483ad90"}) shmctl$auto_SHM_STAT_ANY(0x7ff, 0xf, &(0x7f0000005980)={{0x0, 0xee01, 0xee01, 0x80000001, 0xa, 0x9, 0x50f4}, 0x8, 0x8, 0x4, 0x7, @inferred=r6, @raw=0x8, 0x3, 0x0, &(0x7f0000005800)="db4118b7fc550b52eec4c59cf4b93c169cd2e4c6b1eb5a84e95bb2109386544d8185388c504c495c8ef8b3d196ce76844652a8d2eddb5eff1169a558d6e7c56d46aa70e6298fbfaf95fa39d53985944c382b26cb4ee51e021bebc6e6e80388", &(0x7f0000005880)="11d01feaa20648967b16d3e6cb0d4989e61fca36740792d8808f572be0b70dd4faaa5ece7385998367d7daf2350e52a74dde027c397711a18faa7b877c14e92f48636c7b021b50828c936f30bdec29c674139d1d64369d02d6df35bd75c54a729a1c28f94a00497c2912e4f73e55746dc437cfb64d826fb5dc13286f2d3dc8a354ee9576b8b37c407814e55241fd871608c599ddb5f980e7c01c23b02b738ce34dc1f4d5577f02c5537eec8d5c15f8c93a7d450b4701de03802241a34c3a07a378119cfbb34eebe8753a4851cae1a14a124749ed8caaec19d2220b21d71edd4085672238c4582dbe77ee258f7504e586845878a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f0000005a80)={{0x1d, 0xee00, 0xee01, 0x9, 0x7, 0x100, 0x1000}, 0x4, 0x400, 0x3, 0x9, @raw=0x9, @raw, 0x4c17, 0x0, &(0x7f0000005a00), &(0x7f0000005a40)="20fca2d9a84b149b22cc118629f244c8f9909cbe317ad4693e5c7ddacf6ff08ff96441b29c38fb9a6161aac42a96f4e5b9a9ed648ca3d600f7631486"}) syz_fuse_handle_req(0xffffffffffffffff, &(0x7f0000000c40)="555b078cdcafe3df82ab074500b854e053e9be2bdea67c3fdc61395f5bcf269a1a3db8dd7f3db0cbe3e9ee7f3fd773e57fb4f6aba53b0282ae6ab4f9b9d69d362ebd6f9917ffa585a5e2b1dd85afdc2e0b9fd07d2bb693d6871743b73eddf8e6cc6e58e502fb0d8d80fb48be00be3acfe35fd1fe21f97c598eca5e0546f3f6eec8f7e403e8a80b58fb34342e2fcf0eef3ba1644b262d0a877deba64622aeee38f1ef528cd836085fb4f8437ca36c3cc211980a6523fc6bd07c49747f5f9d6d79ca435f84f59af8bc5d7a76ad9a4d29e4c5eaf20cf5e373c2677a048b4a064b25c80e3c225aefc79861e39f8898dc749ed0432a3474299b350ffb0c53cf96ca64a127308b7a77f80ec1ad1ca74fc58f71803c787fc89820ce647e6eedc38451b70b1530cc7060d1b0727b74685e6adb3310cfa9ed5165e3d3e74a38a7b5f2502461b93d633693f3c9259d2fa0ad389f2496c5c2e3df9f85c1a8a858db4b7c5815fcbb656821e1844e7d6e0f3cfb64528f9662979ac9a8ec10eef0603b3d1d78d5d2a485486aa8cc310e490b9471ae127194151b732ed19d494ea63d2836519409a213425fe1005e46695f4b24be7b25829653e41c174b1bc69f108a076769c652405d436a7c698ac8e54a850c0ed0249a8250e5548869616b9a72f26cb97096cc66cbbf0317a17f96ee0bae08024d5b80dff8be40c822d850f749e7bf5433d252202b03583d8b87b5b707905e3c8461241fea66c5995a3de30ef8e33bf0c792f23a2643be67d8e077b16a84e52d80c3c3e8c3ba8e58d0683d00412b9f98732524113d24c89ebb020ba631c1618c7c1dedf18ee59c677e585299fc6bc060d5c3f57f9d529f93c37e086db0ed5993a05dabffbae7430f9e2060b0b6ce6b0b21fe6dcc4f4016d87a74d0fadd6f9f12b102f78ac94f2b846c2a7b9bc243c56b0fe4412f03af3372d356432cff83c2d7127fa0a972906d1674d7e55dac178901b661f1f1ef39e71725d89bc1e7ce8ac6a238a9b2115c6563f9c219934350cbff04bfed916653cdfd93c25ca0cfa1223bc85fd26dcb17e5302128fd819451d0b7f0854c7032849777d1828d483bc58b2b91f6e4eb2a902655a95b03fe2c86f0fba9fd2c677f6e5b6092179a5e84a67d881aab57dd2c3239a1db9b47f2b5f6ceeb79a58cd125e6147d2068ca21a0cac47b0c12f6683b7198f139f11206b28490f756e0bf1522195f14608d19ffb6a3ba85f0474431f71d1a38b492e386db9eb0dde55769c02f8757a4e14e93dc241f2dd5e6550e3d753c917bbc4e5b1a3385259163d664b0c72d85bf78354f18cb63f1fe0a337a07f2e78fd3f894ffeb85dace3f30277b5c0fdbb24f9bc354546de812ed5445f854888a038f0436c78b21230ca73e770b4d375ac60d302ad1629ed8c17a12765302add9819e9bdd1002ddf7d773d0d201e6af2bf8e58f68915dcdb80f4bdd731ca0544f9be29297219dd3422df4f2e436422f940d8fe072414e843894c01f43807c4dd4f7c5c1feb20d50f060ee1fe612229c2f49da21728952a0bef81b47fa85848f65ae3756706013095f1ff84e5e32216b94af2479eea8199710c015597b00a97be8b3ba52439b12e3f1948218e2816b75b684f3182b434e0ac0cb31a1a83f2c7bbddf280d1e4fd508c4b7a0fb0b664c613edb4c7ec7f48cdc9411a1af51c7f29564950417cacf4c848bc3c6c2ffb31759917a52510001afd9de6d6e9ddc26364353ea5070fc730b22d8f434ecc21247949f637d03d430a5fbc036bdaa3501d49d63df3238abc594a56443d05f53a557b1e04c54f5de091086a0cfe9f3707c74771d416cbd75c53e7456bac5adce640cd93c66c0ba2e59096c5e08cf2c9b96489e94f80652f905849e4f38997f0cd4e6cf1ad18a881e9e81ae732c284df254de3981606b021ef41da37176e9a0946ab80826dc7fb9e4b99bd9948bb0ee334a5db291ea58807cecd59f870c691385e27f18d74846d1eda220b9607aaf2e6fc0ae9eae57608e601df944d9ac45d62d796512903bff90d740ef9fcc40c3b3f273a2bdfa30143e90cda7116d8c68826e67ea0cf578f59231ca85f03f11b40d0631ab3473ca2ee53587dd4d8abc53c6069d56bd9bf7cc9f04d8982a4faeda89fbff8884251a1fcc5fef642a205299930ee6c9022223576888c491f796624d04d95a983e40b344e8f4c98eeb55e0ff116fcc8b4f296ddc2f11c9322786440e0ba622ed96dccb6bf682b97a2c7806474738e9cea364a22830235ca35c60ca4b0fd30f81c051b96c6798217c7985e7fdfb4fd804093266f0d3947bc1d5b3bd535cbd34bf07a3096f16da818cde06887e94257579f2c020cbcac1cb700d34472bac930130530f9d094483faf311194f9a9641925cdee88879d218b3beb83df4f33f5cb109cac0c7926ff1eb494ebfc58f22e513de376d1ea903e7aa65b8d182e5e38217e2d2c0b0cb392d44ad7684c229968e71a761b967e25a2883929e19bb5dfb053218139dc304eaeed9e15de1f0a9e6f04761c75f7299e6c0eccbf93cc101eb5b017c2d97273b2238d4481cbb5d244db8f1b329b8930545eaa4a36d59c37ddb37a610de3a79ddd8a31deb0b1bbb31d01eeeb78cf95acf3f2727b53b6236b07d490d86318297dad4f6b80107a031299fb52ac0610da5af4b71a8a71c486eda6e77c350224a9e246599d2f01790796a21c1c90dfb6e64c49d6fe4eeebe6d6b5192b6e130eeac673c4cf4669c046cec7388079d14b25992528e205a8663d429d8cea1fccdd3e538b97c635562f2e269588aa14b930a7408076298cc4deda70b3c26c42c67022c59e26f0bc4aecc43a956ac60230ba1b0681b8db4efd0ef133f099563d0f55b919f6437722c86b4a5f928a756b45a84f9c54dc2bdd79ae9da5a39b5993055bf774b129b468fd3885a5447052460d71a68cb96dedbdc4882e6f6a2b7f642627f3e7783accc8f22d29ac8a83788e64abd60619e2b13c483bb9f6442cd0a672dca719262f2e8b52d58efccabe63120fa955da00629888b0986aee3503f94d690115528ea414ff93fcfc487f4a3b0213798f27ce362eccfa775c9f841144ae5fe9c7d95b4657ea1067f12d1dee02f91178b113f7962073a3c98b91de9b47023a22059201bd495e7e2e4d3b3dec65ef29fe442e271f13870b0aed818352bc691b5d3917565bf8b66acb665805d937e6358791ed9060f261ca7e34f0e7286cf7563f57254a05b3ce5f175d8bca322cb31bf8de32eb0ef636da055f3e9eee3b7e36066fe10c45c7742c39732cc789af38cb737aa17898d31a20ceba6a89c7883519ce2171c6e7b19b34494a5806f99c26c5df8fd641a1be5e660ce887a78fb691a1016fdbf107bc92992a2b62dc3474316dd24f40ffe61bfa848f9790e725c0df3fa6d090fd3837e1a46bf58f3beef4ad7721951a977948b86cedc07a24b7f04be14df36dff71531ad715328d70a2fffb3b59439619826e0c26729da1aa66fb892b940f8be7ee4f227b43fbb43094c5086447c8b4dd7266f07bc79c28a9b4b0b511739d6894c0f2049f9b8357a2451bc96489c2fdb4c63fe6a151a11c7230474bf51f4d04b160a65c22104dfc2968a23e427bd97c4d2c0a5b359d59fb17b551f8905a4b6acab2444d66082cf5c64803f5afdd46f05735d18b5207a927ef34cc76a8ed3819c869541e06e50950d550c9b8f034d4a329a135afaa257d3bf25d36ac7c7ff9851ab9c386c9b16b7b111cfbfc39f19ec3b71ce4354036cfcffe36c87a8d6547006ab44f19320a35db003a6cce51e5338afdeaf6fb6ad3db60babb521ad56b080e5564413be596994afe9d4555f7b7530c4fb1ad9b55900c76ba404971d8e2726ac6480ec1e1b56f68600e790a32806f10ee8076ffbbe63130b72ae22f0a799a5658f272faed770f1c72e4b6c32fa19b6b9ec28cec7bfb3b0869e7f47bb32b631d440bb1504e927fbf0a752959c4a633459bd2d34926ada22b97716adc61470eda3a968b898982d896e77da47af7d489728ade3950575389af4883b21f53e9f49d4b4fec3c56b95fae00271b01fd3adac979baca1f9c3bd6f078424720f747591ea8dc7094c608b1476d1e1051a55bb1e59410ef9d8c29f00a6a4d9b3103a8d2aa087e91116fb3639758ad6f93ed0706bf993ece70e8ed75bea28970859c7256f972af862b45b42be15957e218fa65424aaf13c2a847ce1d40dab52ee757669245140c4346c581f2e9ab2e72b64428237250e14293517845568d20edb8b103106c4826621b6bb0756c1facd859509f9331d0a1aadee7adf134d463309811220e9bddf1dc6302ad89abab68e32fd5f7c27ca0b217d8c2ec342a2605fe54eed4321b34eaf54f8c2162d3bf5d7ace2429fbeb4ca187065026aa814a9833b6ee943d1d337de2d9ecdaab2cf4634c16a915e6a9648b368d8df8d6d2de477211214b3e8c291f16ed30ea38ff581b81899cd1c4a74bb338a6322003c9fcbf16a0acf0c67b97d85d55a6b81fb7536d434a0e499929e0da0ae31818da52cc252418802621cf28ee5cd555f13d4a0f6c4160b97016809ba75f3050c2ef1d3f90045e97f4ea5d03739a8c5ab3492f5dd5b167d8f5294961f942847d9550f11f73a8ff1b8b288d27a0fb759d86544691f9ee3f9ee48d0e573f21ccef4610302871c7aec559ade89511dd907580f8f0d119b8274f652f5e4c8a8d32f30f2443ebf4d9bc12486188c5af74f98d315495389f1030d45de4219caaeab035bd511afea18c8448bf8054debe9c747e60431d66015c62578a00dbdfc06a5dd527e31413e8df00420c332bb416db84200cb7e14708a137b75490d95ffd693c9bd215cf71c3f8e2d1aaabff3dd63cc2280ab6ea46a0390e7535635059d128b5a92f68673a058d963303e7e579cc16619d78c6db79e82621525aef9a8af30df9112ce2b68d568c39a8138ebe5d0c3c263802095c3c4fe2a9ba48d97f6df31126b64abdb37cf806b410aa9f32c8f20ab137e12da99f8f069607224ac1ccf610e3621245f7cf017f8bb1f5de00bedd6a66811b286a870a89c11308a35dfc58ba245e93c1d3a5ff010f8de2aa446a90d153b3e6f8d0725dab1ee435bab26a0842c572d388e2b62657c133e5ca2d47fec65561ab2a71c6d7fbdd24dbf050f6889d83227094178096996d856625ddcdbc236c0b5ed28e7cf718b4f80589d3deccee9e705436dde6455d8f0bea6fc4c3544df55dfda6d52deb921c0bcd96f8a0c5dd8ce9d38c00837a5628a3b25297cd3baa1490545b5ccb871c36ac1aac4c70b05aa459734aa523ecf9476d90e719baa1e03de3492c3bd10ee0290a6cbada7296b26f463bcb051b53f08e9a80c47157cb49b7ded5021121c04315fea9d4800dd2d623c91234f9cec3a787bc28f273b029cb66d5a05d5463116138fbc87579a71e0dbb29703867fa8b6921b6fe65a7d196e514d8a8c21ea85666da05b72c0b3dac144fe904d818431b5dc7a90cc3e252667de04bc61a19dca565f5a5c1f4216c69cbb59c71db52e28d85c137d2c48662d31813041b60653139bde9d2b5c472685bef177c2fa2bd8256b32afd598e4f8252c57cd0c4ea6f7df77631ecf00b0b6fae0582b3af17a577ba6fdadb8c2274b63c3a5cec2cf0f302dfdcaeb2a38e32573799803b73686f45ab885f43df4561624c347ab1115591aec423b09bfd69461723de7b10f9189dfec9f0b2d3b66cf8b1ae59db79fc2611a6556165c3fdd11e438081f2e7473d3c16ae567619e58e4e4d2433749b90eeaee1f4e5f9e2acc37c67bd22dd92b856ebabf04b094b8a87d386e44446bd32cd75b6dc352469907dd39ae2bd9c5f965c3f17af0b7785a5eaf4fe485d4c3116ae77a74ab165eaf4ce8fd8634adff390bee91b5b3017ea83c1b2ffd7d04dd0c4db625d6c4f99cadb2fc1df1df877a6c5ee056433494bcc7df92f0239afa2fe75ff141b2e74975fb80cf957c517375059a6a095d4b8a917b71d520a3603662dde20de7c739794b6ccdd18fd54c05ccc814471899c4d6214d8805bef7ba4a4de0e02e5675d5f8065ccb2242d51eba5cfe8ef3cd70b532f9a0bc22d9b64193c79b6ce468890e6fc7f69ae0cbd8e3a42ae06fda98bfc7e041716959e5aee95114643a308c433e40291c532fffea7c88de8e536119ada3c5289c9c57d1d47fa0626bef327fa8c1956760664f96a38538a818837e9c8a66acfa42e01d59fe39a9c7261a77dff5ac509205a25f7c7d56b275f65107c3a4fd26e8edc677eb9a4c9208051e521fb7c932bdf60fd69d10c92f9be092bd6eec68d05972f820058c531d12068e4975ccb0d4f03f88937dc178998a7d68d433079f51da4239a5f5fd4a563fe6a738245fbca5e6b0bd88abbd6eb9fd80931036b0234cf667a5340ec1667c5782de675ab47862018d94ae8b7de9320d381cb843b1a885ddaf31c3576f2cebb6ab9576c334d3d401fa61632dba1e6ccec915c4500f86ac289a1de6549f7ea276f9ff9008968ab31a7a648ecd6f36ed185afb3e9b34c9228e2d726944c33227a9e3d77e4d5be8bd850f310dda0fbc30aff3f5bf2f1ea3eed0ce2ff15a7c313cd87a79add3e290c2ecd764c455520d581e3af9ebe2c56d1deefafa8731bfb4906b74d13f2712048b41a5158cf3cdb815cd8d63c90124686dfb56734834e15534f2b8b7ee2b224eaf79515021de3156191677ca7fb47674292f4eded887f3a63baaf564e358ee2dfdf1273b373c3aab499f4bc548ede7512b5e22cbed7618b23bc64b46c8e6fba9bfeaa963b335de58d0d8b66324ba8f592529d12094d2266819296d395e7b3b0b2e715e7ed73fa8e2a1e151159ed41ecf754f73cf82168df0814aa0c6fd8b9988d208f66badbb90a54b7a9b311839cd6cbbf09280137677a984ddf87951a4713cdf7f494fb54e537d8f1628d794eef29ed26e31321ac41b9373dc1cd85e482d7e7bd56baefbda3e205c2d4855126dabd2e24446214a633eb311cc487b863f1115963a421afa61ae48832ebed5eaecdae72d27de0ce761736e1a71bccfd361c2c9dfce619609ebca1a0d4d8637546891df38f2597eaa1007db2d3f20ef9a6560c7163ed1ae4b55dea61c31fbfd2888460506dbb7af26c178cca34ead9de4f0b71a0f216df958fe4f385e2c5908a5a55fdc0322e2d9793f88fb6ad766ffe8e17b644964b2749e564abfe28692416c661a8ce570baf464d47a0f1288888949ee80b4a6260d0c6b4f7547fe01ddc10dadaed67f39be2a7a6f121cfcce49029bcca23f7e4985411b816fb9b6bceab0cd135cf71a7eb10c97146b3f342aabafaac9c2c690dcdfa46fc4d288623ce1d1385dded99715f351f39b58e0a7561ce85da8e85eed6ca8d4eeb9aa2bcb7cc77716caf84393b3acbb6fbd93d5e266f62d2346d5886c3c58ebd6f71da40e1e677beef215b19a9dfe52e0862d06f287c7240b470954cc00571dc40c2d6fe958291cd26fc28ea6013958d00b0a7f0191033b244a9cd146bbe14492e4799e9a20a2769f096915155594a63e3a53743b06e44723d7f40f45647314a7ba959201d2a1d6b45f65a49398338afc820c765ad7fb759a4a84088e0cabe2209f7fc39e5e5dc177213fbc12c8f1fa828401b10e394896a809576ec118ad715048c7f2f5a3317dbd2b25d7595f6a1a1331f978d313f6492bf81e7b7868ed984c40071d2085403a83b9894816149c61bafdb553c31303df5cd1e6a0e28d81a10d9430946b329725122b15a45f8ffccc5b66632ef9b3e6291b8807d7c2ecf361f9c33b22ec1b4e9b1c15d5b7f69d7e63afe29a91802af6c5b40c609197063cea2d2eb679244adcd981b719fb991231a18102bf4f3c31d3af4be37568b8e82c33ca8e438d9dc076fe17ff21b9f924c8d8a60652941046f085d861d338d376fbae91f85460c1b13e38bfc5b72cf19ed32d34bf85b2c132c23c4c25167be365368ee0cb3818a856d5140de04f9ae445abc2a3a96c23023bec32b22e3b3eed70c25af8c1bc5fdd6731fe4bf7d56a81a3f226a0e94422da5ca31a6f389f7f3c1bc3f8705de1dc0f656552af4684f3ec235d526cb64f19a5a91e8a29147e3f7e131107a13035b365a0d4018d0ba855da90b7fc001fa12d62a43522f1c45a93ede4c1084dbb1019ebd464b33c788f124683f99a8665026f5d87bae954eeec7684c631de38826afcde61fc3f2382e607a78a583075761f5ddf41233a727a15f75831e7206b3b2e8abc03a8ea7a3437091c55938bf16e5435f483fd9a34ed879df652009fcfc3ba60a287b2df77fe136dc6d1c9dc24beff56e888e5497fb91a733d58bca739521f7f1afa4f94ac1ea3bc8d2cce1689eb3a39b9bb81f96e9ac19646c58a4eb72d47f653b4a28b4c2b4340947226f0854c45f766c1ae65d630071acf04b899d1467b46057c335769c4dd23077fa6b08a7cd44cb3fadaffad334f030098158df1ec89dd77f36a95ab58c080f8601d939bb2e143ecae478c0ae46a797e88121844d81296d09421f25e27abb3e357fed43a4733e33dd21d90ab4af3f77b341c35ea8d7222f49dc24e92ee26f28b2127fccbfdd63e1fe24159010a23c885292b55c4b61a7a9066664555982e657744fe4286ce5a183ea22cc462721bf9e61fc78d5f2c814041331f09a01a958e2b64c5a0826a553a8b994d66dbe89faa6403bbe70adb3823a1b55276f089b4b3857f0a4db9e8915ba0fea98b8811775ca4b9508894dd78d80a20a9a9f89054babb1fae304509c1584d444a8aed1f5426c78010c8e8e9ad17b894fa5e3b8d6cf8a9a231fd5967094c78c7b88f8c7040b0984dfe878bb2958ca3991ed8effcce2348bc6ab9375e0f8c1954362cb3e697ae01cabb06655812ceab2eac9383e04efc1d60bec2f188faecf373ae812aeda6e7cfb7407f322c1333589334bcd7204ee02ad89678fc299717cc1317eb53112d95159c38d92d01a13beee3e3ce64a9500e694d253b7575d37d2ed5996809b02c1c4a485d4c0da6e845eca355593cf184627ddfba4df2519beed80c2c73f89c811a446d32fe22fd5733ac77c870f9c1e03734bc44316d1a390764c4ffd4f106811cf57c9f6578d8734d5f49d913cfbf2a83b2483541e6f9136d6bf7baee87702e4b1cbbaf7df3ff6a73eff013c289008d2af8816c3577e8409590adee6a174600aa5166596b4f68d61436b85c549e203ccded56548862c5fc4f3825927d63a18314f8d2fb11e67f545340cbef8247f7373c2028bb4052bb4f7980498472d38afb1e00d60a80096cdf005926cb18560810ae576667dafc0678d72e2392e1e026335f783056885576070f0b36a8c344139225f5332fc49c1e458dea366ffeb2cf12de967b556a13880ca41140d7e79fb5641f64491c8793319a2627fa4400a420e90fa69a1594cb6474907c9a4acf622f9f0c4b7c5a0eec093b6715edd0c97b2d9a7560601218e77784c97ddb1a457d1f6bf851f3bf2623d2f0b1ff7c1e4b85dba900a379d5846e783964a08b016af92cfe59bfd26c31d85939f60d3d66ffab18baf13ea4786710b00be25af314def3cc0996196ba40353d0c47702d033d466158cd1773ddef965db9df67fe1cf8b1db86c3e24a713402ba7d791979b46dca1ac2dfebc30f1a43a0fc3081e8aa7c0004083a4b032c353e702a947c801a6579896c8a8fc55edf38d81831c703d0c82debe598c0bd2f99de66502106341636ca9ebc1a3e0b039851caeece0bc96c9e3eef1cb303f454e46e30e650017cfc202d5369d23c6a4b85eb3a664e2b95cb71b20e31113d83d1301ce527c40a39485add09fb4b498745587009d452a5b09bc3572db3bf3b285ab978ebaf4a3af073323f5992bb630bf4fbccd1c18ed5544c55b3d1a3e26e05db7c7e60a570170cd0ef9f77a4742c6e2c08f3f2f8cd66dd5ae60b19b5fefbd72d5e57149c760b74ac805e574d8ff12a8c12cebc72e13c0ebe3f39380a93f29bc7fb5e28948f9ee2ac056fb4c0378f9d415173f961bb791ab5ddfdd2ed716802876698c7a9553a5fce4bf1610ead50b199e02ccbd26e00024564477c554a5ff50ee50b979d0cb4202ba603461d3426f06f4d00d4ab842dc52c3bb63e117e1cc9bf09c406c186d3a4109ad7eda0fcc1649c547b3b20ebe26e2d8180ae5e4f48a2e7fa4552c8d83165c3ea741643289543ec56877c56187775c67d9c172b5b9e7c838e195562b2f50bb086ef495a9c27f07ffbf1f9b6f05e476fec2d969a88fff5d36d2ee673230d79945798c2619d4b0f5e2732c5a9ad3abcb9c6119867682bf20f1bc987a9692b43eaf198e4c00b05fcf9bbd6d0613353bc1904515516d3af2d1cef4ffec791d9fdf2779df4c914cb8ff40ee2e1bedf974ef95b973f9a5b35b5615ed60798c28f4f8ab08e8881015baf88f9729985ce056badbd88b1fa6f440af1cf1e3812439b04408cc59f4a6dbe3ce4a443c476040ad018dd828a0aff7f972472087e4dc5fde232f655781dfc422ce402a9c036436f7e20119edf27ec00ed99dbc5a6d09d6bfdd3a60aed38ed14a78120d35e848fdc012ef1d559ae04e6c4dccabdd79e5d4c8dab901b58316966a215d45807246d7b62aaee760cfc5d907bd4ee2cd749b86d5b679c409668d7f34a7abfa895349fb9d9eb4765c9d39f201c407b0d5a89b3e6821696d00de3b1ef714a7f259dd94e1ac707421e4ba4fb345fb571a7851b9b24c7ee585de4107adea328e9c0118c9ce62652a64940d63819a70b726e8851d5eb673e98d33bb3c6ca62be5551cfd4ffa0e93595ca43877cd8890ee00d0e109143b2eb0c14d541eb9ad11cc08b91194f515a4479c4cf333c09853842cdd75414e7b7d6889142c2999dc0e8986b6a3ac6e0b3c030c943e985feca927dc9531670a23dc91172ac8d779d9acec6a79714d0a0b1611b23603797e2228c8db7706b38b008a83237f28ed4f45612dd9e685ccc2279c862ce2cd74e3326abd9db1a8ef7118cfc82db1609bec22dd0502a4dc32c269bdde84a9ee5b17adb45c012706e66047dc3605da9f169e20c73c7f764720129ac00b2aefb69812d72ff64d5874fce5aca4df68b78e7ccecb35aa76b5e767ae394b41beff86d1070b21157cf34359a167b7dea68abdd224878ce3d3818358b92a52e4f313ba3dfb8d97d87dcfb39ff438bdacd7a8a4f8c79d245e4b16f42634d5cb63d612ba9f019b6c06cbe5223f24c44d2e16d8ee4fecbfd941b248bb6eb63e0136dc82b9df74eff1ebf9f042dc9166a644eb84b44453587c405164f221bdc4ffb51c26d1cd1828f69edfebadbafd5e03d26bb6dcef5d4c6c7cf512e757609c9e52abc42f20d6b18c81b5bec2d5aaf546f1edaec291a7a18285499115dfd75319e9b6102030aab5c0995f6faea2f29fa41e7d5828bfa59fbfb181f96004a67336f98ba0badd72dbed7319f96c1bf8fd43d1c0bdf65cf244247586bf9f4cb3105b8c30388d67848c1a2867fb416e4d54b30f4b258cf605aeb72b9ed04d3ee7302c2e2b33c4afe3f88f3dc97c1cb1b0ea83cfe5d14ec93510359a324b54a53c74acdf9191f8684ec2f43ec6acc0b672b3bb5132172a6879441", 0x2000, &(0x7f0000005c40)={&(0x7f0000002c40)={0x50, 0x0, 0x3, {0x7, 0x2d, 0x9, 0xa, 0x6, 0x0, 0x9, 0x57b, 0x0, 0x0, 0x2, 0x7}}, &(0x7f0000002cc0)={0x18, 0x0, 0x8, {0x6}}, &(0x7f0000002d00)={0x18, 0x0, 0xa, {0x1}}, &(0x7f0000002d40)={0x18, 0x0, 0xffffffffffffffff, {0x6}}, &(0x7f0000002d80)={0x18, 0x0, 0x80000001, {0x3}}, &(0x7f0000002dc0)={0x28, 0xfffffffffffffffe, 0x6, {{0x9, 0x1, 0x2, r5}}}, &(0x7f0000002e00)={0x60, 0xffffffffffffffda, 0xfff, {{0x5, 0x0, 0x3, 0x1, 0x100, 0x8, 0x4, 0x4}}}, &(0x7f0000002e80)={0x18, 0x0, 0x5, {0x1}}, &(0x7f0000002ec0)={0x12, 0x0, 0x93, {'-\x00'}}, &(0x7f0000002f00)={0x20, 0x0, 0x3, {0x0, 0x5}}, &(0x7f0000003140)={0x78, 0xffffffffffffffda, 0x2, {0x5, 0x30c, 0x0, {0x3, 0x1ff, 0x6, 0x8, 0x3, 0x0, 0x400, 0x400, 0x362b, 0x2000, 0x5, r8, r9, 0x0, 0x2}}}, &(0x7f0000003240)={0x90, 0x0, 0x8001, {0x2, 0x1, 0x7fffffff, 0x9, 0xc0, 0x7, {0x1, 0xffffffff, 0x8, 0x7, 0xfffffffffffff801, 0x2, 0x8, 0x1ee, 0xff, 0xc000, 0xf, r10, 0x0, 0xac, 0x4}}}, &(0x7f0000003300)={0xb8, 0x0, 0x4, [{0x1, 0x2, 0x1, 0x101, '{'}, {0x6, 0x8, 0x12, 0xffd, './cgroup.net/syz1\x00'}, {0x2, 0x2, 0x4, 0x0, '!\']!'}, {0x2}, {0x6, 0x400, 0x4, 0x3006bd82, '\xd2}$/'}]}, &(0x7f0000004f40)={0x538, 0x0, 0x200, [{{0x4, 0x0, 0x8, 0xe9, 0x8, 0x8f62, {0x6, 0x9, 0xffffffff, 0x9b, 0x0, 0x8000, 0x0, 0x400, 0xef0, 0xa000, 0x10, r11, r13, 0x3, 0x3}}, {0x2, 0x9f3, 0x5, 0x4, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x4, 0x1, 0x1, 0x2, 0x100, 0xdde0, {0x3, 0x401, 0x5, 0xef, 0x4, 0xff, 0xf, 0x94, 0x4, 0x6000, 0x4a, r14, r15, 0x40, 0x81}}, {0x0, 0x2, 0x6, 0xf, '\x01\x01\x01\x01\x01\x01'}}, {{0x3, 0x2, 0x3, 0x7b, 0x3, 0x0, {0x4, 0x9, 0x692c, 0x7, 0x3, 0x0, 0x80000000, 0x2, 0x6, 0x6000, 0x0, r17, r18, 0xfffffbff}}, {0x1, 0x100000000, 0x12, 0x0, 'bpf_lsm_path_link\x00'}}, {{0x6, 0x1, 0x80000000, 0x1, 0x9, 0x9, {0x4, 0x400, 0x9, 0x9, 0x4c4, 0xc, 0x8000, 0x0, 0xf, 0xc000, 0x6, r20, r21, 0x99df, 0x2}}, {0x5, 0x8, 0x12, 0x2, 'bpf_lsm_path_link\x00'}}, {{0x5, 0x1, 0x4, 0xffffffff, 0x0, 0x6, {0x3, 0x0, 0x9, 0x2c3d, 0x6, 0x479, 0x6, 0x5, 0x7aa, 0x2000, 0x4a0b, r22, 0x0, 0xffff, 0x8}}, {0x3, 0x9, 0x1, 0x1ff, '$'}}, {{0x5, 0x1, 0x10000, 0xd, 0x1, 0x5, {0x3, 0xa967, 0x3, 0x0, 0x200, 0x8b8, 0x8, 0x1, 0x6, 0x4000, 0x8, 0xee00, 0x0, 0x2, 0x1}}, {0x3, 0x0, 0x12, 0x5, 'bpf_lsm_path_link\x00'}}, {{0x3, 0x3, 0x2, 0x3d5, 0x0, 0x1000, {0x4, 0x5, 0x0, 0x2, 0x7f, 0xd, 0xfffffffa, 0x117, 0x6, 0x2000, 0x3ff, r23, r24, 0xb737, 0xd}}, {0x5, 0xfffffffffffffff8, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}}, {{0x5, 0x3, 0x8, 0xd, 0x8000, 0x7ff, {0x1, 0x5, 0x4, 0xfffffffffffffffd, 0x0, 0xd, 0x7, 0x4, 0xef, 0x8000, 0x7, r25, r26, 0x8, 0x3}}, {0x2, 0x1, 0x0, 0x7}}]}, &(0x7f0000005700)={0xa0, 0x0, 0x73f5b767, {{0x5, 0x2, 0x5, 0x8001, 0x4c3, 0x2, {0x5, 0x7, 0x800, 0x5, 0xa, 0x1000, 0x7f, 0x9, 0x6, 0x1000, 0x0, r27, 0xffffffffffffffff, 0x8, 0x18}}, {0x0, 0xb}}}, &(0x7f00000057c0)={0x20, 0xfffffffffffffff5, 0x100000001, {0x1, 0x0, 0x9, 0x40000000}}, &(0x7f0000005b00)={0x130, 0x0, 0xffffffffffffff98, {0x2, 0xa, 0x0, '\x00', {0x200, 0x9, 0x400, 0x200, r28, r29, 0x8000, '\x00', 0x3, 0x9, 0x5, 0x6, {0xefac, 0x9}, {0x8, 0x7f}, {0x635, 0x5}, {0xf, 0x9}, 0x8001, 0xb, 0xd, 0x4dc9}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000005d00), r4) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r30 = syz_io_uring_setup(0x2407, &(0x7f0000005d40)={0x0, 0xf86d, 0x4, 0x0, 0x11b}, &(0x7f0000005dc0)=0x0, &(0x7f0000005e00), &(0x7f0000005e40)) r32 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x1000009, 0x8000, 0xffffffffffffffff, 0x0) r33 = syz_io_uring_complete(r31, r32) syz_io_uring_setup(0x29b9, &(0x7f0000005e80)={0x0, 0x64a3, 0x2006, 0x1, 0x3e2, 0x0, r30}, &(0x7f0000005f00)=0x0, &(0x7f0000005f40), &(0x7f0000005f80)=0x0) syz_io_uring_modify_offsets$flags(r34, r32, 0x38, 0x0) syz_io_uring_setup(0x48a, &(0x7f0000005fc0)={0x0, 0x1e2b, 0x800, 0x1, 0x2ab}, &(0x7f0000006040)=0x0, &(0x7f0000006080)=0x0, &(0x7f00000060c0)) syz_io_uring_submit(r36, r37, r35, &(0x7f0000006140)=@IORING_OP_ACCEPT={0xd, 0x24, 0x0, r33, &(0x7f0000006100), 0x0, 0x0, 0x81000, 0x1}) syz_kfuzztest_run(&(0x7f0000006180)='$', &(0x7f00000061c0)="a0bdfd577d9b7197f566393b228cca01c4385baa7bb418fa8f4f4d373fe58fb157b45a06ce1aa0aab1292a2a289ec83463278644d9a5c3b2419acc6bf9ff6dedd36c7c838e89a72a34ade91f58e37d884bf0cbc40df6eb8ad546eab730f20beba1d21deda9c9e181c8d866bff996c8563886c1e04f002fcc9415cbc094ac5b1a442980b176bff5d75d345e0a9aed8990a646d0c92e001a91a339a2304c26c5c0", 0xa0, &(0x7f0000006280)="3c31d6b003151438b96612be04a2bed8bea9be0bbaabbf63c2834fd7d23a61dfcc500a8f27028ff650839bf58b0558fcbd8f622167ed30faf626053a0298c9938199a79a9645e045d4381e8ecbe1f25d1e8141a6866bebeb104d7d1eaf9eb5830ddd952c26edc01118ee54afc9219c8ee67ac984b3bf34f659db3e896f8524bde94c7e22e6b01ad57f9edda0c017242686d911c5e75e0d60ac4508fb853e549065cd83eaf67aef8a89f5669d036ed9c63f09c5a94da9edaaf0582d73f29ec44592cbf969879b5f5eca1ec27b9ff3e426861ae8123c57cc9dde5713d5a37d552a83059ff0f0b4fa2f0ab66e426dd572415f1156e38f02b9d849c7bb9f8cfb6337bb5494addf226efad9d61dd3b407de131e140b4b8a2039aa09ac8a117bafb62261b6a07a06a04f68c5b3fda4ab7234ec1d890b9053282e252f2f475e7c8b0710834a30907ed1a79e0738ec3dbea0b36e78c835772d267b51969e3600d7af1d5d12ac96c0d16e9037e49c97c6b8ea8c00015aeb2c44070eac5c125ea5113227e242ad3c50c58d00f1d80809f62c64cb6898d0570fb51c5da14ccc27fb3804a24338ec5fcea02235dc77d304cbacd3ecb03a662d23e1c7ba46adb595075a01c65661b1a1ba0f86e50f36bb59f1ab4e483ffaaac688b8d4d29e445acf1930f9f9b34127c59a3b6682f53ba78b76fc2ac22ed046b7e08abc20f42f78a341afe95800ca073c8b90782112bcc64f078f58bf702da6de6af3c9da9fede5c1bfa5d1f488dd0095d324f0e03240d103c3973d8f05229182358fd160e41520cd42cd2c24abac126068c5b132c913b8c0eda44d5435119ddcd3ca2102f4c4cdf99c67ef97ef9f4f79398d415f35b7a95d3aa29588dc07d0b8516b91d153bb33736a011ac958500cea122ed4fe5e2ff807eaab692fe471a4cfa33ef687f718de420c8ef6f84c02406bee55966231da6b5bf3dd2a61c0c47a92e6398c0d452af5f1b46a6157f98ed0935411a2d9d33401655e28f68facd02b365479447c3eeb7545c977d00c328c78ccac39d2aa523d21fa90305420808c53edacf949c72f3a43a210b450bb27fc5330ad5b7a46aae99515a7b088af980a90b089357d23126aea3942a5539e513c261065055327a4bdaf6161b289f87ba2c513d22bf08dbe8953a6a740ec68130ac28173ea8a016b9a84633a17406d83bc02f6f06b7e8a7b90ce574de90884108aa54abbf6391cdbcae2a0aea44503b504aa9a0359c6eb68e242bad9e959b7ea93a74bbef1bafa9607b8d81edd3507e6e15b9d3e3a5df92d8e77568475b279b22fa1354e75e5948f2f051b01ad4164711537b79815d0e7f9d0106c32a2fb88746d5a3b6454cac3f1e1c1bcaa9ef662595479fcd75b204e35e593a776914fd9d25a0d7cfbe17a355547f56b712e4238a402e48881c99774f71f651c3394d398596dec218dce2e253e023f0f4fe4a001f58e2977127516c0f35f7e9c70a877de114aab4bbf0f1a8d5acec4dce590ee9398fc02afc83ad8f26bff8dc9915aac3d3aa267604e38ade6c96615caa3d1021b3859c1a20c2f0a7f30e33ec512247041388af88e86698c904642dfd6e6a5a878b1b668103e85d0d809c18ca2457f99cee0b69a7ebef439f82c3ae5055216795fd97b16dddb8f529e10b7d4faa64a01e1b3f942c462f06d260ce64f65fbd2cae88a4f0b75006f77da595c29a282f0443104c08e7144da74069fa22e4b0fc72bd78f4425aba6f5261d7e25552bbdc4674fb3653f8c2bac5a7e7e2ded7d52e0c0344b7629b0baf268714d338901fa68268f3be46ed2dd172bc84f627a58f95ef5945dd3ffd25b1adc744f33f3f37ab13b9a8fc5227d88b54ee9f5f5c4dcc5673823af3d80ffc5048c5978d0138e53b59d202011c8afe89be42b2f8dfa1dfae67b2dc98e9014599800dc200c09267ff48c2a178c8a6ffe8676b468c5f9e5769ad4094bc93b82c3048c9ffb317b227c3a43fab5d8c6ce1591ac7596b922ed54cf781470a5c96ca9af82f8827fe08c453f7e8c699bfd89c76591be39941b0f12e7b8849eb6ef322fe17ae8b6db3d9c4e0357da73309ac66c3a8c53a43cfcd746c8f3f936ae5b92ca0ac6dce8e15d0735687e166a3790e39d61efbd2437fe7308f3cb4e300f037dc688a5880df58472f305597263edac7726a086f8a1534e8aae3ccd98a4729c07e8aeff24995fceadfbf4e66901b80e632625ddcd5611ef9e91701394ee09c2fad9a80384ce899d3b6e14400a7ebcb97ce03f39e1a06d3c85bc96ee412304994a797f0fdb4b94a92db2cd7fd49ab6af1de388bd3ede5f1b580a1ff582b840039ce414476914e762698eed79e553f614fb92dd92e76dbf0d61b26acddcf6b7878f08ee8418742482b448000cb3b7d80618a556954b5e974a845e485ab6e62b3e09b8d2e5c1a177592d338328f10f9644769cbc72c12a96b12441f77c0891db41d84b3c13961431de4257df96d3b0d02c19870403f216cee6af1daec7589280146b73f000ff74f932a4be09d47f4773d3666d33aeb16e5c5b8044beeee4c26e62ade79d7adf54cbf5d17af26dd15833e4e0e15cb49ec7c8abdd7426cb75ae2664b5594d435cf2ab3cad63f9c0c6fa2d95eda6332782b2bc06f01b2e498c81a76d736e49b18714296f36eee325292691d77761a5485f3dc6eca28ba861dca79a880b37bffd0d72d253950946ba8548dbbe8b5233fd3d5fd9c428d1c7112923d3f6d9ff1e370ab7814e60164f8aededbe676f2aed19b3a56e427c9bc42dd64147ed60b0a533b65767bdc978eb737243709a3d902e874d879b5dcfc8078c73ba4b19087b285b6df2a6b82e5e85f131e158aa576af8b2a94f371f3211d0f40779793dd6c909fd8572f75a2cef9c3b31f48f09dcd104ae3a939008458b778e723537a60247e71c658dacf9a9849b9961155d35cee773f01f1b51a33b9a6deca480b4c5aeeba7389d7f24cfe046f33d36ac3e0a0116490a6893f01f45a02f47f0d5fdab5c764bbb3478372efaf575a0ad792e1e9413f44253da63b41d72bb7bc99cc298bf2560cae2be0c73e79772126394b6feaf31158d531e6271e4061ddaa88f0bd5983355b7ccc6fc14323c12d18fe6dc50d71939ffd778f4060af60591adf28708e0ef3ac865484f9cf4491a98c88df165d0e96ee4111573c0c8e86d6e2bb3460d7f51d7989c35ea05ebbd42ede06acf46abe60d10c92dff086b982c61e8e968e8b345ef1126ced1ec68331e83abe07f91e22d5e545b1dbc7bb9754a53215d3398c2aeb6c64fb1edbd3cc8b4689e0979ad42beb9a847fc3ed03aa001a42b3d5636810bfb0a0550f993fa1a31419c74adcd4cb3ee9a4f6b65d4ed8f0e4bcfb7c1aa7ef117487f62c595dd4f75ae8f64a964188f25fd2a91d3b773b8e459631bdcdb05318ed4961ed0352f10e08dd4fc80a37a1bdafe91aa6aeae70e63e7c089f86b57fc757280fe5b0fd4dec6e4d5d625f97bcb5ad86a89cdec3060869e53365350be21cbc01401e72af4ee1b2eb83fc9fe6a853799062b35f2289cabf7406216fc9d90e67b57e46909c90ea2f3b70772d15fb34f15f775f912d6b3ce6b10b360a945c91d18c84a7b601ebb231a4fa751d812a05fa2b795104e872c61f5c5f3cde042886015abc3db85f4a5e8bc9691f87029f135044deb0fbd8644552723e92282286b1a279bedb56c2fc092328583e7aea07abda5593c702ca4cb0e39ba16b2839756b0740c46c692c389ca40405fc19d7b839f51dc0f6b0b2155dee7e4c60aacabffac8a8ad68a7d3c0e52456fc051abc37922adf0e7c10bcf9dfd850d88c22f8e2154777eb57a4a30db4b9994ff94fa82a007dd05711da0af0426b7bad381816fc7878f51a1b7c8e2a50133178255e864b3631e9b77b5059db069e5ca7ad88924cb4f1a58129e1c899aae0e8bf760c52db31d399ab9554d10e7e94b82c2dc0a05b56b1cdbf48a2b4ee8845d51ed0438c27ec9f490bc518557234dd00cd6b031c74d69c4eb06320498a2c52982b6599ec9b06d722b1f83a36e62131470dc9e78c20089d13937f0fb7ac8313591f22fce68357be3549af620055c217a1cee6b9af48f8be4732b29d960c34eba193aa894b0f6aa0c91c8c27f070ddceb9d73f8834b3249ef03c9cca7d3d5bd7cf15e734c6a65a8f387c9a7c51e3db37d82c6f6d3b6be8328feea7bbc2601de9af9ba560ee27cbba3e2e38967d93f261b5155aa12eb9ae98640cb06fbf024b3b51b6337991194c5b12024592a81c6ff644ff35d5b19f287fa3c6bace4167e3d3ee14a1d52a4fecae1c4c2fd862bec826f988462b8c2a2259d37f5c8292bd6cbbe22a7bb58d5608dd5a5a9e1bb8cd586d894a53dc2598e3fdef678e7467372520510d6d41ab7ffe76ff020f85aa14399068c98b2f62eaf2cc45694284db21155ca1be2aefd2b121681473249c6ae483342e9f29b7597854e432ecffa14dc287670216dc67e3a5332437a837ab006c1b814aee71aea1d110b56d06d4db725f0ca737c95e32174813696da128753ec29fde16514e09cb7858c43e13c36d785b07038016974974e7463dd656e162087353a99b0ab3eed6493f1c8eaa8764cf1a37f667a12f326968bebc595abd62850ce0c977c260fe399bd1f4f88aba29539d30c6f25a19f21d53c9f77e1fe777c8113034bc6a37aac74f97648963e0d2e617786176f2d7ee559c9802b0f5596782e518e8592a3282a1f5defde775d71c3608d089e5ae98da176bcacdb55ab7e85f6dd571c80e95ff8e6071940828e3c81f5505224feed5ee0aa4ce8c67eabe138359b5cd88df7ecb3b3962ef175d25e98af33a5852fed2b5ef4617ade008055523829f98347d19f8ecca3181d49ac881252cceb3aca0786e39b8a8336755311bb1938043a4f1b0da621fe5370ceca0d011b1d5e8fd395e248d23368e0ded75d3c33a72a8c276d046927da59d7098e4776e3d6f054d35940efe40f9f8290ad287e5acd8e1dda73953e58df7bef8f6252aafe0e4bfef5ef727a4842b0a6192f70c0d3ec508e351c7455e059649d615dba9d7d60aefd061db25c28309d582c20a6e66d8792d76d19406a7f4250c0f61550869de107aae9c93d3abfe40f1003d088f28a60f25892b844a794feb7e94602909403341b39679e3b04f7b0e8de037f14686e78bfeba960a62183cfe920bc46d50d0f005a7f7f4850c213406cd49b578dea6d350b392b6cb084ec343f7056e7c6c9c48b2e095a1bec578eb413083d41072a55ebd278d37dfeb493c74fdaca9da1c3cc6e03201dfe1939b8377f9ba21791bc494f6048826f0b7ace207797b0d9ec3964aa184cfaeeec3fbc5a1dd35a833e4d389cea9e3ced435e00ef656ff0de644d6e25410bb2bd940ac08f76550116b53ed4fbefb112d58c2affd58692e35006f670432551f8aab3c2ca4336c90c787d41d2b7f95ea9440b17f019f88701a26c978aedee0de9603fd6f56b08e56bcd3ea055aa7883d0f8acd7f7de3498bba566c2c696cf17f931da1ae3347599e8be7e12a8067fe2dce14ab0fd6df97f1d10ad76dff5902e182746ffea03faf97552bf035f9e86ec23a8736f20031fe3310d1bee7876d36623b80e2641990f951cd56dbda61ca8aef2ba14d35fa8f495977ac3fd7aa810d065315ea8007c8ecd85acd6d65f2946911709b1ccd0e629f56e01b040efefd58f35adcd00dc49ff7717062b24635d2e5f1e9a7db8e3d5786680e396911924d6b5a6c2d1dfe98425dac3019a7d8673609027c064b60814ff45200f18d05c328bc346f41e5f5d68b66569418c3a9d9bd04cbffd13db9d231a405754ef6017c30cccb7e934ef268f9c89352920c765190ac8817f9f98b6715a9847be783cafa0a86d734373f51aa8854ec72c6539ae162504336e87ba7347d2d7f6a25bfc72560485008f3e73e09bc6259fc3f61bfd72cdfe475891c5423ac4f10fc5d95ce567486fb661e232542f1323b4ba00a54e6ace661f685fa324f8835697ac6970f1c2560f4c2ebe0c834887f715ace332763993b9310b52e178ea9c4a145bbae5d7baa9c6d968ccc50d3cbac54cfbec1d76fa2900fce631ba341bba565fdecff0b09167887b0bf10b6cf6deb6a8870eeb7dec9ca932a57764a6385ef07865c467ec89937d8e40f91cee87afa25cb2cb6220bd7b0d32526fec7fd4ff663e557bf0e4b6e8ca3bab3cd035baf775c495a127fc026248bafb4735df8cff8d6799778feca624bd86158960272dc75caffcfd4c389e51ba43ff6d72caa03a699ece23d67dd4681dafe73151feaa10de5073e32eb46bb5adca0ba62e8dd922c8c80c5a8008ec80b75e872f87314b202fbe4d662f065eea19686338da1189c8cfc91b7cc63c1d82c797f98243d79a916b1416be117771a533f197dfbc7a7dc7a407c322c2280668abe1770b3de472e3129dd35f19835da7cc6f4dd7ecc82d20ecd267ea64944a614cb80b0c735444b1d62bcc9b760d58405a438fde50b4608c75306b8588948dbd02db904e77e13406e49c4e3b2491331bab87400dc903187d1da30df2ba51f54cb1ba00534b367e4b176c6a7ade4e12150665b8631fa6ad2077595a27bb4cd3b7080b8cda31b90566c38e0217fd024c374c7eeacb92742772e86cc7cd5a7fc36198af615fcadb8105a4aa2a08c1724d21271ac3c2ce7518ea67323fd3fbf1c0386c97fefbcdbe2a6258f1e9d3c09a13b50136fe1fe5f98be367ee368a15cfafcb5d5ddc58538396d78ffc2e542add6122b6351eb3f58aaa72870e701231677bf6a5c2300abf5740a26668fede2034f504b004733d4d78a963f2d877304481cccd5d2d51802c1cdc50d5a6d30d39cf62b080b418ae316cd89b4983943d8d3863678d89029b61993b58a221139efbc22747ee0e2d71c6627d7f1a3f573413de3af9f51353061a06beddc9198f2a68b57af54997ecba8867f0d4abf53c5a2a70b69b901156c3d0168463c8ff6746a4a7e87de9ae82f0816918f5df295369038795cac58d7707ba1a23c9cf9a3829ed17fad094ea1f4ede9fdbe844fa251bed775a185cd25793f8886d8eaffdd467d0fd5409f268de34da59beb7caf16878c066bfd13b16c05e4712c0e89264eb83c2b420690f5dca4f23f3beff755e1f05d2ff467fd29e6770b19f9b89c3fbf29ec69d1c29c1b1695f97997a086a73c27fe70cb4ac633733fb6e9898d822403ea637a26be636c0662c91b5e4ab19f022994957522a4779375c86ccfd44af5f42a6b4fede96592468be15de60df5f6544d6c6012bd32866196a5638468f1dee9e70b87085066942eb40ce4727aab03003f4bfb216c7ae54a45f0fcc18c7007791b26782b110de1fefa77831a3fa943484f0db3265ea587afcfad2b66ffc922d6577fa36a24151069a410ad297416ddc8cf27be264ab8b943d6a855debf254ae75046a008c607d14367739a6a8e5e80a2490b3a4b45d147e4310eedfc08245cc08667b0d9d0b4f26e252d36e85a8545a3146028616b91971bc952aa4f962aaa067e0771f206e9a956135e5ca8a02bb02cfed9087d589c0c0ac361ec1fcd2fa54478319fbc1b6e3625719f4fa7cffc759ca5476e66ec9431219b9af288c74a748454d77ab790960652c2ce6313e85522072730e30f483598a2f28165681c7475e44640bbb06dbd89ca467e2ff9c3968941ee3f1853ee334bac3175dab98fc51833e3cc32262967cc703d5cbe768614a94b51eebcbea3f99e1bb5140b389451ca8d280b3027954f986ecc35d4f368a3ce962785534309754a50cb548c8b0605afc07f5a8f6d8ad42774fc6d2753296e89109a075209c1c72d4d8068ebe0971e45050c9379c219e0b966fc47906d59fab98360bed11d76398c72d9c6df63854428c841e5dfd57aaa438bf9b35058c3e5dd0bb5457d1387c41f12959bd53583900906a9febe491c8f29ff48690dc78c6c463cc07e9d8ccfdcca4c19f2bb4e20f64b3dc8d0897507d270e613cad6e2802d2c74d174cbd2a4ca7c7d5decb81ba028144be39102b59b634c2e9c7c1915fec3a0add2c71bf686a120b9712007bd8be7aa63b55855d6b75a49ae754cc4156b1ec741d8793154daa10b3238aa2c92b18c18c3a691cc9624464019fd130a193e9ab607f9981ded6a2ba12f043fba3df5378da5a1be9da3b99da3fe6dbfd6f7360915df1c6a8bfbd8602e7d75e92ea3d320e7a43712326317b3c627c503731b99ea669402cfb9d877a190890427ae90367cd100f30428f5228693308376e0437a530cf7fff01c2a8e23ee2a345f820f8e1edd2d52654e332b690776863006638414425201e43a041a54735afe266505fbe93ccc9481487e31b23aef7940eb15c366995f9df141e5069efe4a48be1a7d0d3a239a7c5366d2bc4e209fdbba85584760450324fc1e5b41976e1f90788be645940828df62732754ccc6a248b0c7c7ba01745fbb13cf426af87bd54977d59b6fefa32c294320d1fad0f3ddf09bbe14f7e3834ff4999114dbbce932ab628b269db47efc58a5588b9af3e5e7ad34398dd47e797be4ca027be70549d564386956cc4e4cf9ab4e80a56394d05bda246fa4c87c7c3982f3c0e65ca5cf8b3bd03c177d54779e9f42e74f1800006cbee91b07440512f8964657327a6ce76e851ff1e6592a238c427f5d96feb5a8da875bb2bb6e172f6724a46f000a58a687ef7220ad71d9195ee58bb653f4d3cb7f928e93bef0a56c9d8b659ecea7ce2514b648a46059fc3edb457dc6bc9f4a1ae7fd9916de52ea35e8efe966fe96cb60c63ba0e018f85066fef1e3452aea7b86a6889e4018528bd0d8977cef33042f08d09503fee8cdf53f3d303488c724ebde9fa0105a65b89c547490f515c5ac675e51bab8b75e3d0c3f76d1074f3c7827db85aeb48879ea3e6241b3649bdf2ccbbd5717a4e1c5657ee22ec43a90c9d620a3cf22385dd47593902572eca35b566ed70905f6c72120e14022db5f99f52c9ccfccae45e97aa2236c6126bd20517ac93f049c7917104ec1bab4a723fa00c01e5b451e6c1737ff6ef93fe6ce7b35f71d231ec3b60f85dc45bb6679671776b3c0707b8b628dba87e87d2c1e9f542df5855cdf97412eda3bc1b66fa1b46ab1454afeb88b968c2ec366e42edb519844e07d644f378f9894fd2007884e2e2c92579e41f6f63204742d3aa278e33bf76f7f6dc674dced943bf18f586559efeb20f54f1e72117019c25f5744dd2e72298f561326175dba9d679fdc26c0c807c7c213cd072a0c4010fece820f6462ef6280c3e6476c0e3a9ace1de26741b4269bf0abf36df607df7c9bc6d9de9d42937d0bb241f5fd36f7c3bdb418bfb96893be9e3c4a3cc7a4b40bcf04b43144bc6c7475a215df6b2f296c772f111fb5067f48cb5550a0dc48c5f6fb9eb83d9f8eb9afd10619e3cf7d87b2e3864c68a48e7773decad778fd43336ad802488f3e6a4a4d642c835bbc4bc779fb1f0f770c6f05ee6c2df5e21bb8b25862df4eca4cb5f8e6d52e2ca983c88d8cd548f6e336ae38e8970a8957fbaaea4b06ac1c973c3cad3e26eb0e26216926df865d368997f4998fec334add690370ac94e16e2cd3dae8ae92ff1a53c4cac5e073ce8e328a4ae53eb8d9710b23b06488e041c5b506ba3ef65e9d848332dafc59195f35710147a81a4cfc4a9cc00a4e42ed49eecb0ebe9369902fa4c4030a06c83a8106170ed1cb5aa1f780e1961d815d7c4a189d40ae8e696b059aabf7805c1238db442b024bfb98ec9d8dab7e2fa7a356b58162c319a25e758702b7c8813a9b5c7a70e701ca2f7375f1b9d905f7cb5c38771661db8131d2ca4da1e08ef41a548bb9426b5a9df43f6a00fc4ff9f225322c1e7b609dc99f5759256d0a8e84dfc2973489f37170a009b6e37971c7efefb57c444236d9f5196eefb43da82ba1aa70175c678300934423f1f75b79b193e6d1676eca62982758b78571901a74aa325ad866a7cdce8835a9f3ddedd2ef6b56f4a3daa2bd1debe33a2f363dc042b349097610595df334d6d15dfcdf7b8964df708643f1ae644d3f1789aac2cf69bdae8a447c925414fea9c45eef3e26e57323c92791d5d335710b4ab0b51da83f40aae8ed4870e9655876508d280cc4b837915ae0caeaa88df1ae8c6cd2d4f9a9a8ca75c1491cc316f9a5a2fa68f508bf980dc65236491e3995472b25c7f7a70ffdbb89104136cfca7f4fc01f147a698542ffd9694fea9717c70269d18fd0577f236eac614d2e20771d026aacb9d63943548bcb515f6219722b10811fd0c748ef5fa2c33bb8acf6c55178f839c72d3aeb5f0c72726fdb95ed5ad0a840754307b5791de1e066e5c6c1ae15c4e57b63abc32702952a1720f473b77f0ac82087719b7ce82c3daacde95b46d47a44a89e296b3cfe5fb592a7858aa0730dbc5c1300e4b04465cdccdd89a2fddd2b4ad4882bd2ea5a337ba299762f0d9d3cb3793302f1ab639797a5d4602e2abfc41431b04158a3d99b2ab30d8793944ec4ee01bb3f9fb490aaaa164bebf0361bfb88b76fa4f3e7fbb7bfa0042b81ba6335c29f2d0802c6604857684d47fff4ffe922b6a98dc4915b37d338de877e48d8aad5b9b071e9e16538a4ad6afcd3136fff076f2b5e8726c6b561f2aff14a296b77f1bf619eca7defe845d24673e3919e8682c9a9cd40babbeb4a521a8877f7243335dba7bc2ef5a3983bc4db3633e18a4ab93cc53d09eabb39f06bd7839060f56efa4285e22092f999c9b41a926523c125ee41925f618b3264708fd1a7de74a5c42e7240b9db15ad15ac1d15b828cec474f517c5c494cb91abd4882f75b0fbb552acdaeefcd60535229a1370680e54a7911aa14c226e489007723a62f24c1164defa51f1f2f4a1ad5fbb8410f0bc7a759cb1bd8d44a47f2516feabb4a0393f4d95a64b76d9529272303451f4191a2b7ec214f0c6027b369f87da3d4b82c8fb4fb0ae305ed8de6f7a4870441243dfe49965d2d27e68a98b4c45f38f55e8fe819fccc1ec58c4f7519c87fe8eb5b6faefcc65d0e6b81136c844421e8ef070193accc45e7a70b9cb0c33cc2c7121e4f7c7c74347a0453cff1ecf1cd8265bf2fd364b6bda8994345068972c772e9c5e90a2cba218d08bd946bc6e5af93bdd9cbd75b4d106b58a81bf144e7e2d2d7696f9476cef8b5bad3c08d7881f7577b30303097704ea382f8b4da2bd8202ba5ef113d6c0aade0076b213d89a6f49cb17f42f7d5f7fc1a222e79f5664dda24023ce39108ba987988b6d2fe2f162f26319aba13f7831e8d4ce6204e8e4e2d3dc35679e065a986a2e6759b3bcd5fdd2ddc82326b768323b57f3b7bddede273dbe9d69bd88bf63e25e81b77cb80aa50b8ddbb5e81eb987679e121e1d3a25f65c3f7b462f0a7d188421814cbce3195c37f2aa47615e258f050deebad7a700abaa6bd6e0651923ef7af808454b263417050af8903dd0729cfd08222f1e545773ca33132f065d2552caf5d82b5b272df91f172fd6780c1abd517a7f46572694a42d3fbfc12e5c0c37aaa082cb3c6aff88c047a5fe8e1d8a92bb3307cc21bc6fc3e440ade6e49d542041af75397608dcbdedea4dff521935bafd53f2a7550d726423545d7d17e0a34db154019462c1cae55d83e7f232eed4ba2bd8425682dcf89d70181b326a65a47d49bea9533d9684b97b0351f66353590763591b4d5ef8ef70014335d677de4872d3877a61f05de65061a0a0d97b1267b9c5e45176592a17b6291c8e98305dbb7b44f4e2b69d4251249210dfa4757ca013540b0ae3ef3f134dae3c1bb462e0204a8fcb1069f1673eead8e5feafdbb4c9c22fc9d0e6a4c56eb46b174ed884c736557f7b60cbba6a9a4b03102c11b09629f74f13cadf7ce7bf2c77d4de2ab63461fba4199ba61eab68b3331dafd8fbfb105ab21b6a5dd770372c09e23cadb64560c242f06006eaf0d937ea3043ab2d30092eb9d5e3d5a20d2553ec7a38de922dcb5e8b893d3953b3586baff0f11af2dcb1aa034be5b0a8b14ff802c41ad149afce5015d9045b3e1afc7e15231b2e4be17a9eb57949e6f5eb189773d9f465cd23fe2707ea0b2f15f968293b29475543d74e0a25067f19b8652b9890856ee9fa06cbef42415181695a8d0a1932b82fc7a88fa4500356e7af723534f0d7787daad0051a31cb54be90b52cf61b765f426bcb126b928382de48cf9e7c99765fac289b18ac20a1815daebf7a6a3236dd26f74e4eadf391898e05e050f68a7e564b2c2daeae18d06077c28633e72f121c3f88dbc3670992d4735d1f47131f09fe14e21fea8b52ba60b5740b873c3702826a7e38e25dca652f8e5b4274936b0d6f49f84282c42491f13f0cc006347b0c40a0eaacdb2cd8facf845fe86785ab6fb22f770f045c5a8617221ba84a003fa8b2a8fec44289932d9536179dded0cec31a0fbb9011bc4e2aa2bfefd298f681b1c9568f02eefb8afa91503c985d8b8d98966f45f7250f6e269ae1eb835a791c8877a1d8ceb0e7b794a7d45e51f80d22347522956c25c962f956847e243ba03842cddbd103d778735d08a3b770353e49514cc710a44de5e31cf5832c3f1ff01d4a5fcace8054de807227da77b665a386b0cf0d74a2c99392d65826c05704f3076a22dbc7dc4102a923b45fb6e5d3e2133ad68f1fa91653322a0cc5ea8bfa2ff90db9d9c9abe21a5523a1057ad2bfe25375db1721b48e61d93b30d9e8f59d77a3871f1fd02249c1e7ef717e16bbec7e194926f6e55ca88f3674a0de2fc8ab9a935b38ae1a8769c677b4d3ee9242c443f26c4678fe5f969589f3248036e0c5b901026e373fb4cecb92220044bd05267570ba905b745a517a74b833e51384f40d7c7ea3993bf791285b53d733932b7b5d4d2759c141a72ed6b0cbefd5ef4ad00d303d52c104000adb42acd04c6f96cbaf7a3cb88affdf2aef627e8c2e9d1fa9605780b690ae6ebe62fc6236bde847c7b0757c3449d18a7fa72fe1f3813504c08ee64ed086b604571996e9cdf798f59c05ca7fe7cdbbdce682cdfde25514d3ebef68728d325a2204b8e6b4f845957908939648b9d274e24802cbd6714fb4f54cf22920acc265705281f352b946ca49ec17f609d24b4d8ec05292586733f45a930b903578afd2b8b3a2120ae80dfd76dbbaa491601ace0512bc80d86a47fa297efb5684d6c4a1d0bd60faa9818fc2ab7430b6604c6689c288e36d93510d04c3499181b16b7b085f772a75444c93dd7b1a9f6d2e9e1a984053fbae7275e2dbed3bab060fc058958420b1f45601f773be1b9ec04a4d1e6125cc4905e55cb02f089d4d513393478ddecab5e9f3deb8b6fa9b36f8edeffc87c37e2c898744123132c0d438fd1e0d089272373bd7b651e32d11e2b35b7175f2dbddba02ed7e4c2bd4a5c458884bb8c1834559efd6a199d54a022530b5399de69817f7d5dc381484b56915ede6137862c9b0d884e3b0f9062a98d3a2e83e21752f03f5684b89899dcf3ce38218d5aa179e81798656a81e29c84cb64676b49858f91bf5cc1ed0d299e796c4c85e7b39c6b01f77e021ede52aaa1bd271219bf879304286ac3b836a75501327c7d5802c88c39470d2df0177c8f13162dab8b850c7a0eebdaf16126c5c7915adfaa5dcb8a1f206dba082511835a0312e175c78cea82c19aab518e638e849772ca13e717cd32fe15e6b062a19c5457e0e07e19f0791ef493f7e1dd8e24dbb0817b5ac872be428ebc98060bae73dac900e0b92be6fa4376932f32bbda59cb33a4220062c7575fda71056d339ddd2e774200101134b87fc72b7d86c053eb97eaa59b5e745d80ca50b045a0c8a206c4c65ee82122ff502d260e0ba8864e5fdd6a98f12836ee425cc389aef2633228f39d4f76369d69176fe115f7768abbce205b7b528c3a90eca5da1f2aac464665b928b2d1d8230e02c1eb2db4e5171a2ea77ac34f32df40178dbc235e955724da451780921aa10cdab492636c93a1305d26c0cd19853689b098b52f0b887241fe32833ca4f6ab0aabdb4be87a41aca4b31a4ab87b2ee112a9f659d14543698b8d45c8a2d8ced94fb4f5c134ee1cc133edd1ee70fcf636c97670919be73baa1b66d585a754643b71f6c48148a3bf65396c47957961ddbeb43f3d4f95d98f5132153b8520a8c6d148d9b4236acf5b39358e67034d5639448a12a42b25caba714cc3954b5a347a5e3ddab7ad1949bae1ebb632d20aedba02f38878509acb870da58131fc95cda93f951b003763b885d726ef7250e2d8fbf22a814cc58013618f28106f43af86a62619fa6e24587dee2d8f91bb4a8691330faa3b9dce747cf0f4a87dd735b4f1d214f79208cc12a7162ef101ce144fa220744286c3cc2ac8d61583cde2f2253484cfbb18425712f1f8969bdf779fcfc28ca94775add2c9eb9920ff4f55d872cb95ee69a6ae1ec394fd7910e08f77441f31d0a1dbed3ccf62df333dc301e71b1b877c4343845c6b8d496270e2f7306451b130c69116313c51c9d0e8946f5977ee2969a93701d7fae768f3dfb6adad4f3390de9f7bd8ca091b32fdd68ae647e3cc6f2abea807382206a84996287316c6b4fcec1c7f6873451f546855c67f33b3c318a1fc37fe0c80cc86616670b4d51e96307197f5f6713dd1eb23b55466b450f3e92faaaa49774206d3b57bbffa14df0efb04a6e34a1f6af845903354571933a8b43260d762abda1c033e5485e76f27dd28c1575355927b050b4856e49e1d8a8640898bb168d8c3a05392e4a4285d44b26f15bb60f36182be383ffb54082a71a8e59aab0861db87af02b34ea6c91927a4abd506f662d17c59ec215456f8100a5ec13eab566e50a863030f916383cf00a151102ddbf8b468f4008a60a26634d55afdbcdca2ddffab7efd6e8403de28d5a6cf3c139f90d21c3d51f380257e4f861e0cdf93943d0db926dc65eba8785643da0238a02f39a31f5eb1c3af6bad1a6a2af06ee2e001b11704858ed59c5bf8949182cde0398694e6101eb977a1f6d47de568784a4b186041980b21b11c58b40a893873424fd56e41fd781f79100b5549596c38de5e90646824da314666266107eeaaa8bad928fc776229a8bf85817d3dd01dbedc578bb94a00dc3137c93480f585786b0bd777e8eb25307ba253e8d8e4ebd8880f2a854bde70ecc8d0b79f8ebca5b790d649d7d55777a4ab3126dc7e0bfab9a2670fc374799387dd22226a48b22ad303c46e2298197f7887dc7355a90485700c296f330ba6618a9b6ad84236f6610444318975a7eb459efdbed9db51f36a9538e2c1be53671ab762d4109dc36fb7eeaebb80d10c6f98591a29ec8f9472cb56467b258ba53168c021a6a79c126c1c5bb600f9123d02e0d56d2345f6d2e7befb2b05e111807b4e03fe70244e45070dc407f32315227b7396e2ab97633b8079b4f61c4987f775e9460e47ec26d109464589b847d1d684bd8d30f7c699da25208fa6dfb9e6a9c9fdc38f19745aa0136e41b5b3d2c9c98b362492869e7e8573dfb42315544fbaeebfdaab3b9d68c7e6dff07f6c5a49f0432401201c27d1d23670d7186838f5b2f15bb6f9301896035c34bc10f6bda13e7a85dcdec1c140f4cef3b35eb52c46e5386d125c2c04d19a5b739a2c6d1cd0b5c9dfa085f07202b4dedcfcb04d9265fc56edf9eda488f303f59f3f9b2f45933aad543c0cb8cc21a72230f59a0429d17a6f73a7ea7eacbc9035c3db832174daf39931f321c40cdb716d69d83758ddf9bdbb004f5970026ecb78b7fa0ecb95b42ebdcd428423ef74d56314ed579b3031ce4858d9818a23eda71583b2552556eca75526acf679f50790fcf9b4286ab9f9e9db094c63cc53be2e6ba7ed70e0654eccb9e7b73b310f48d8857be68c00cc330a629757d5aede52890fab53f772eac290b766df53bb46f3b1205318ceddfcbfb2151e5548864389d8c0e11892f290356d141a03767eb295d4d37af299688277ec3f56b614a8f641357a475ebe362c14320a68e8b5af14ddb58634fca956f367af25b6a7703c8f01be59966cd2fa2567bd74fa992a148007fefeae41a6aaf3ba0cce34315f2e2314d3d1f533b90827c1ebf9e7fb835ed455c015a6d004f25480805423cc5df90742d1d271ad09c1cd84e4035afd0d334b5361360df0ddd089e91c48752f1695c0b2e48c52c3a9d86d3da167a272026e19b75f726cc92e7ab0fb1d101648529d150773ad57b0b4227cf6fbc9b0766fa9c326a6ec66d3f351f2e6ca1bbde52760805550e64a82daaf16efae7ef879036d121ad303c3a26f40fae2377afe742640e117fcf766dcd016afd3436fa24e4d0e201daff85087f84cd839fe6bd8aa1cead952a942142fa66b314b032364e93db2267bb5152f6a731285e602f1e513235317dcc39476b36804a0e3abd327d6c3980d61382f31aed40bf0d758182af3c942aa836332babf38644c313491aa13f3206f18e3c68553e8e64f0dfa580c4427882f6fb134b0d33e21c30a495ff4a9bcd0fbbb20adce22fb9c27cadbd2fc48a195274f480075a91f2264c496708481e8e3b668d41482ecc8d2aae7ac140e8df0af2aaaed234ef0eba355a4944f03370c5f788775dc858e09921c3ab2fb180ae771178f9f5de6759e890620a4975e420916d455b965d3a11e0be0e53807577903265ab93056b518c7c62da1385e26f4ee1c487213f6ac8f46890f98ae4dbc061ba1cd4f8957e6c0685d9aa5f3e62213db2c33b2d82529a030739f3cad9a7b39971c05af8b606826dd5ed5159e69d039ce6a46c9fd16ad459165c352f8ca296f5d0622e6221947c3a064415deb731ca0727bd87f56dd255327badb39718b48bebbea61a5922a24438a15fa82176241c1f43c65e4f5e5305a2931897230000764e64bd2ba15b61aa11c2004e43ed66b265c219c254df7421c5412dd7092cba2e3b00bf88a39ca483cf5ef9495e1941092ebc505ebbf93f452e24023d5f8b81c613014a14a59e78a8f50d617013d0df9263e33c479c5ad4dc4462772236819c674d7cac8b8e20b287d7a8b48824cdb795ae71ddeba2c9d20e39378c24bb24fa679910424bc1f6ba761b2c3800a625fc32bafdec7733bf02ad9125a4464c0b0cb49735c81839822a8035046634ebaa5147ea6aa37d8b24e03d866d7410c8f9cddf77ab08142c163f37d5b413807c29b18767e7d23d1de72a13f10799e40c8c41d388b4cce82c16b0cccbf5906de5cd5748671e16616bac19498560ffbfd73fd7664140c1829796b99985eca15344657d6cafcf3ad0ae94665eead0df85cfd69c9356907a5005807b77b80a14411023cde95031f23db51bf1d312244fc8feeedd8381a1b34b61f6f663274a64a6d35ed61d8312ccfc1f82809852b77a1f2d339559bbb65820d793b566de6aaeb0994ed9aae588e329dcd64f8f0502472f4965b686a0a12c7cbde7a8d0b86e81c569ab586b3d80a8b9998a5fab0f3cefd33067b69ab9dc66e66d12265c862197ae8fb1ef3d55f48b13ae86cc4c60e312c9b55111f17a40164682f6867ca9f9379796bb690cc14c22395396df33a066adae7547ea133174bccad28c533099daa1e9226ead7f965befea6a7eb0b3c3f5e95b378d70f0ca27691f17722e871f62b259966443645cf5ad5154026b02afd221d0dff6fc733d01edacf24310a0653ee6ae3d0190a3cb14286fbdd7e5adf365bdab69d4afb9a8065c4b6057502a8461cc614f22fafcc747fff299c4fca9064fd197a6d3c51472403e7e47812ca26a62f5ce0c83f60b2bc588bcf05bc57ab7fc41b7dd536d04aba50186c6715a1ede0e5ba5488a7ed542f0ffd875ed2cd704ba9be150fb616b7c77a54e58023344a870acf3a4000a1a8de623f34131ee7acefd53ce302c293ca9f2801944611ea3e5256b37976cf6c063582bc90054f4bfa4361df2bc8123022d0387e4300e0cea5fd87753c4618aa5112dfbf089d529f4564e20fdf43f2334b55e64297c84fee5b83a2ac4f598c55b6b7da4f443f7afb4e493738b536433cb1f5509d967933a30b6c3629dfa817e645b1f4f0b942c5711a7ff22f33a8ed5295887fc44866ea4a1a383c39368b11d16c7be67c7e789a0e58b7421a3a116894c3d88da9799435e8285b79325fd143074e3bd20ed02bdd0077339e8c594a9274c9ba6158e3d7bc37d74cc4d51dbab3ccd469de2b692b8547c332dc74a94161df076f63c61cf7c50541169516f302708f48e4973c4c0e8aa960c228fda374969b5d0d606fb96f6a8bcd57dbdfd0d09d71eb58d1c5cef93f023a63c54a4ad5df397618fd4e9a0b925bd2e260b879e14fc5092c5cd217e8fa90c274faba7cb8b0c347178145902b021b015edfcb0afe36c7929306212b048c16fc8db03e026178a4fab71b427eaca6459ae2c3b1a36cc610507319e6d7046c6daa76461d7d5e4a4bfe917da1187e76cf0fc49e84551d7fe6b75487256b3372278a78cef0b20e9b1d73e20dd7f3a1600c0483dddc807f48ad631eaea3e99f4560e64b788731cf9977d76d15a2320135e354669e825c7254ce250c405d3662329b6d33267a7268b64d4c392e9531df2d2d8de0f9f166d8f02e54876e8c626cc1566a3e3010843054b8b44ccb7cb45ed8b050901e09c5e2d44958b598307576c7160b927259b407a1e82b3c713e2de49a2de21f1e19d3f1c23369861585ad6dd802a67ca075c730f8078d848042533b1d4518cd4435fb7c5a58a2a957b559af12af0bd79bc2cdcd920167ba949b683ceeca6853402ab4d1cd7fda7d74ac47cdf8a188fbc1ef7ab59de8e189f25ce6b8d3126b31eb836495089b5ddd51863e6b1dbb33f1d37dc74851cb3b9e961fedba22ceab2d251d493f6351d44e3151176e9caf553cbb9212c4bbf9a3b4bc451d1c4351cc1d74582f49b6de28cc5ecee5f7724f634695d12a49c5ea57a5d089c421ac4cd4aa6c5d06843922c933b5ac0dcbed86e5cffa3403ce6db406e130e8219755eab1e37190e2c737a3f3865b9ca7925f50e4ee1c775357579e03ba0e7c0731ae9e62cf67901368d376510a68da69b22b5e60be93c75b34d0caa2cc4c327c72731a193c93947837bf41ec25c0cd50dde47d0740cae7a99117b76502191125c43be006e6b66c936a3f7e5a38806394a73e292e2e9d8aff930b4498d7cb0fb7d928ca84e8b33bd0ca7ba6153e5b0a44e149968665ec673b145950b3df23e2b141871f1a12bcde7cfd10e35e42bfc1247ad11f5b5b6b287ec2e45e09f090b0fdbeb4379219ed5ffed9d40c6dbc9a93498a8aeec7133af2b67a94b470a56e774d5bc6811401caebeeaa307c3edfca3bbd374837c5a29a1f6ba1a2ad05d60aa94d6ed8f20ac2ab7bb34c7cd0d3b585198867f83b35296aa25f7b3e0f1109288d9edc75b3b7827179eaa7267daa441844de39cd1cd2894adaf8c9b620af809f99b997e0b93f59affaa04c6224521159af9f3ec8dd58494c17c4ccef738db8a1752b298e340d254a8fca7edb6f6dfe338e87edda4672783f6b7335526abacb76ad482ed520484c47717bc1c774caae5d787c90dccf46245e7b6bc9d1092a9580ae4561266163cb9ae7e3956dfbf90a957d92c4f192f7b5d589ac0eff779ef3dd28fe124539729c8520f94c42bedb7d9dd77df55f3d33540868159bc1b5956018814b1d9cf51fb3969f87bf15f292c12cace26b16fa73e77f92333f756b1ad5feb8f6e005f464eabfe45ecff277fb37272118ea1e2d2ec655be3f6e45208490faa236cbb8c459a9829aeb155966db6fd80d85102bd9fa4d549bc3af927e227bcedc668b86a1c63ee7505f32ec7f53652cad65a71dc6893a8db3c80d00690683f97b47f4297ac1c9d92edffc70e3fae85448078b7a7223299d9de7211dde2a7b7a3bc0358c3d16da0953d347aba47522a5e060738d35dfdc14a3a64c8c694016e0daeaefaaf50bdab9d6b22a0abe2eeb63d18c2ade2da22db24479fb4dd3fe131cba41cda5f778ad2269f4eb8d59b01f5772d03d3b7368102684b40490da96a68c55b1a6c0e326e790d9329042d7f3f16a5d6294b3235b0c1ad2b3e10fc8d1b5a4deee6a8a310d2fc6fc904323d4aeda962232c7ff614fcf123ea7432dfb688ce725e0cc22b0471c255497137ab3dc1f23442dc0b980d7939c39157fcaca0c49e625694c923fdac5384346f32cd05dedb78c13aec24b43605e52f201dff1565e0f7a1b3d99288835b540ff45ddd41e8c9d81e23f305ea42c6c39a91e0b81ec2376f2257d3f31f594a387450e9fc82242c059758e515ec761b5011d89675b2414bc5f77412ccc8e8fd6b4ef0971df7b9ac67f18b3cd033f58f17ea3a29e9776d0608ffa1a5fec53ecbd7cc2546bbad131a2a3a71c141770b819959e4756472426cd9fa1a55e84c0af81a2467b785a88f31e09e58e7607088462fba2049a6d6d74a0b0bf89f616eef5f3fe6721dc09d3663236a2dffc81e7e2b9730b8fbbc2c88b039535770171fdd5f00c8be90109790564651b3f0955054f853aef59c91013f5a06f62cab6d9336e3223f82a725c8c39f6c9907f4606275a576c83bb5f46a55ca5ae6c19a327350345bc22e578db297e7f27653a6bc8eeddf3f4af44656264192fd44d9b03890826c6584f0384e6f1c431fb035156397f4a306637d78cc243f01e26e4fb2f189caeb114340909bbc051c222069507b5061c429fc1f072776274150d74422e8ecd1887d07a14869980ca19671a758d8316f08aa49ee03295364c6c62d9345a2bf2790becdc49ebcb6aca062d122eda3e60d45327efd3e5b97169cd09f9908482e1c25b1526acc2c958d0452cdb9eb69844a13a6cfab5f4da1cef21740348d7742f094bae5e98e86be11ffdd3d271eb6981245aa4111cc398af055a150cdb232f3d9528b7cb3230bd017e53020415ed11e54e40e60508f343123017e4331bb15335ee56e7b0a78f0d213c7fd8766b7bf3f74842ecff50e1e06711a35ff387ebb2e513318a082af84281885e5c94071cdb1da45fdcd819ce9130d8ea9a47969131feb78d765963a8eaaffb7c32d5a7467379fb01a41614fb6019cfcbdd60a0bd90eabc5c41e49fc49104fff6f84ca4a0d2ba395131ee859672bcf6bd3ee559a78317b978cfb23da854d8f6a6e2f02b92228ca77b287644a410e027297e6f3ffb69cd3688423160b2605437e8e6bdc693c3dad240ffb7c5443899b95f40473a8a0a84011efdc1666fc60cbe93c991185f472c489eeaf5b5e00c92aebe9e7831f5ab1902c7a12089764c8cce0f40a482e22bb49f91cabb65a09d31a22e128bfb2cdc07d94da808e112c7aa4566bac4309c9836ef6161766b69579924d1b55077dc78c8e755cdd501595ae6cb76bf9ffdddf0026a4d21e3d13a0b3721f8c0264be0504950c858074a765acb27a27a1a8d9cb88b55231032b8aa4d4655a9e84c78ce7c77beb824898fef25de99f73017cc69ab6ddeb00c86490229ab33d34394502ea9f88191a134736c8737edf1c08f3b9326cd481fb0a73f00ec45f71c8add20432fd03ebcaf327fff6561a24a301376f5018510d54a32a3d814d56a455d29eb5460dc61a3ba133e5ec403b2217ab5d4bda0fb0fa6bcddf3fca51379216cfdec4351c138357b33e1804ad699dcd1cd526f557f6c2ab6740543e8b55ad808d02804c3ed0fb4b7777d2ff96d77ce09b04293717e4146485dfdbc2fb6cbba6a029ba5cca1819dc0fa5fd64b7797f7a4263be15e9d238c66ea999a096041e1839ac22d1b862b211954148f3c8a8a24fcd6145cc69f8937ce61fa8d898ae20cd695cbe1d1a7e23dd3b7c2c5cc8ac62d1f54c76bc5c5baaab8746a70573682f9ebb8037f4ebe9f68b8367e8b84b10990684ab12b4b4e585d69ba03059c6022873956216c91de5abf79144f29afe7c129f1322394bc2ad2e2d2c42ddf19352d80aad0d106e0bde251baeaf735dc14cb639102c9be0f9a2e93913fa9b01abbc0f106d35d57d55a73df58fa8648d49cb95b12988f0ecff93c60abbfd8f1617200174b11c8bb3c8c08af5b16276698209e4196ce64ecdf952d0e6c7dbbb5c8b2cdb716443a4c18729c3e07aecdc3c8ee4a944c8262e2d115406b9375da6b68fa363570d61be6fb6164c5adf060e626d86f8185057ceee1ba17f5dd7ff4b1c0deb89caff703f164a0ed313faf74c137cef19cd006326317c10944b33f211a5ff15c7b7d97314034ad1a8880b9cec55623ac4198e895f381b90cc14c8a718ac3a5a9cab6b42b01759b17b164b4315dd0c3029ca1c6f3daf8e6016bf131bf9d700490aa766a01a00c7ae2f66b61b452beb22c5d9876397c74bf6eeed803ec20e110e80ef7e23073b6902ccfc705ab30e808ad8181426683241d79248698fa738dcbb9443833dbbedf0eb5ec922bbf3d5304bc302bc207ca414d6153e2ffee3b3b0265fb6a8123c5c84138e821aadb80b87bd3476dea01db482718591cfaab73d74110b69138c6b4a40a4abb9f74f6254202d70703c3457166688c1a3ab233499b80b07852ae0a3fdcf16fcf6d5aaeed1f38adc24df28b746fa5e6358f3c6ba37803895c9f6babfe05995fc93e12166d91f6e901a1b9788fdd583980721a54d725970530db5b15b079acdb26156019ae144ecaa6a0cb10f2a0ffd2e5125f42bae8b2d0d9326da8c581db24d522b4f78b273632b0ff3dd5c665c6259a6bd6d10b8941ab17159bf6883b14272725578f71d1eba05159a80d7bc20fee968acb0a48910a90e6d8a2aff8627fdcf338d6c1aa5a4ff5aa765cc898e8b2f088b0c00bd87280856600fcc9e788239e1b3dd935cb500665f7fd343f335ff7d4ca27cb5bf63b796cda1bca42d735bb067154a3437f0f919d224f214796ade16af67b7766579742192219cb7f82fe6f17e8316119cc6939c24647b79bead50a00dc4c2810779fecefc306883fa3e60ce4ede45c003492c298d5df014e7d134505f23e197e7f67c72c59d7bd9f73f1421de670d3007ab095198b355849f76b91a2b8a50912da8dcdeb7a9ea3bc75928d31129586217a89da4fa0df65d0bf868a20d71544ce577d83b1af47307e0a747f4ea6543a9b282f35824400ab8f774147d574b196e253167bb5560585aa8317dac0524abb28db0c93a732adcb7ca7df63eace24f77332afebfa6b1577fcd413cba95ce96513ca8a9fde1edd3a783ea6f611771f2af916db39155dd92da7f6c38cc69ccfd3fc44fee9faed1c824e67f4afe08d094f16d04bc8d5d6562bdf27a463cdfd223bb5ba5c537245e52095c0cf60c2f9e71f9d54cecf352cc86b7c632b0ef2218727a8c9f273335dae076387cbff6601e88fcfd876a279290ea6b5f3875e01a467343ec1813ecf2f1c1c2f06db7d5d5799a41c9cfb600d6c39409826e8db600f1253f731123a8f386c2a172c1a78c3c04e012a9a7d1337ef0c8b63d658e5545fea2bb1604d66845368bfc05c62ad00c0c1a812c0c034655e9f165c09241c6dead5cb45f7a1e022552216774a82eabfd3b28c76118edc6cda9f5590fd8303390d821c839b68e19cf9a9ea3e629b39651432bb709c0b36b7f4b9d3c2b452ce1d37ceaf9bcb017b8b6f06e7a96a06b2225167da1c8d4f8fcfd290cb7ab0e6d1a21863cbf9702040734c321ec3c8d994eb7ebd2e13273ae1b97341af081ee36e7bffd31deaed5a33c73360089edc5bffd91aede31de4425e4d4f27f1df9943d171baa42b0fde6913c5c94b563c62d4f2557d1ccd8cd5039b61e9fb9b9f2d75f3658eb8b27086d6bda75423d42a6e30e8b8ac3823cb961e02fe95c0abcdfe39ff65a81c4f35bd5d15e916f05b09771b5dd8927869aa192879bf5c110833b19e7f947093c122c256d9bf9bb7e90dc89ac6d413f4e8a6d2c48c5bc0f9df8b09d8b3fc5459d30600ebdd7d4c3f70151788a3db4f515073001f1a91e32a27f5b2e1e9e0b94ecee3a0d28e7ab7a0494b03fb2743cfceb102b247b7d290f4b06ac144c6056d0d90b52820f6c17d9e0c735914d09fc710d7fda95c1bac88c42ff3d79382f1d4e3d0f89ec618ff97adbaeeaf14f5e59b2acd34c5277091a06108ff6168229ca8ede9271ccd3d4c6ad17658d349235f7b09bafc5ba63ee91cf42b7de0c6a2ef77b8d187e82876e0470a915c6e8d38ec4dae55073e560be970bf9f38567c230a3fd4e1ecbd0a525fad9d243399fe9f004e38eb27ab5fd63ff7bca64e91d61d023fc7b62a2c57f8a8dc78410f0f2efbd62e15b05e1e236345f9dc500ff5a4fbd6e767eb1ab90c54c5c7ea110ca6819c744b55846d841322cd89d8a3466efddc02c67a03b1c166a46efaa3ea835760e2aaa162608fa3d438ed1acdfd526f206912199b13a8a493690cf4a76bfbedab0399b7fa83a143058dd060d32e0af65c4edd22e49472668bf814567302918e10f8972490546d04d47d0cb96b6f6e407e322cb44bc5983641b2df97870a7205148b7303830a7676ab9d0fdc354b273fa5ec3cc246032b1c9c1a8b1c3ab7f35775b121ada5cbf8c2cae2ea21f612af40dc0937c06a994362721d3e49785d7c9455563df722f2c52f1c58a1879f7cbd766b6f5aa57947ca90bf259f8a4ef90822832b9b1e0d538c2ec7b9e1a378186e8502948a8fe1853634dbcab869ce06be40dd5ca80e0b328238bc0be98573b81045a5e744909a8b41ca9afc39bde4e11a62cbd56f7b2f251cd93a26008003d69c22d6f5523e638523e57d93d3a403dac5ed36f57d060142e56d31ee2a06d43374d3a1a858f38a01848d2182da0fd1e846939a389d2f73589492801cdb3e7d68b57378f0b2e6f273f43f924f35ad03b6736a68c202fa664e78e0ed1343d347f2ccb7cc19f880943833976d6d1baee9a9a53c1045b34d9a44ad883849a24f4c2e8f87d96686047d9e6abfdbc97a97dce5c2c435c2a5628d9f5f6ad204bd9f5278bfe4b6f2fe2be04a0f936c69c272fef750079acaea645f75a371cfa94194b5cbd9cfc472a353ef953cb5a5a700eb34d486fcbdefe238e4e8c48c3fc53a7709065c3b63e89b7ceff7ef8c8b1bb987aaa7510ee5a6357c7cc137a1a1d9f4f6633372f180ce1536325a5174d1e30279c112e5ca1ead2368eec1a34649c28daff413d069e90cdce4f11bfbf1c1f6b51517e0d9f66f15f3ae78f88597b0ee0cb2b21757436f9dfe18332419fb37ef177f2901bf1655229114468217c9777f6902aa562693d47bdb9d0d0ef30b4af908ea3f43df77bb66d0f204357c38243dceeedcf49f028aed6798e10daa38804c9f1552debc9f80708b1659eba23e3de883e5074a2640f66277f02826d5a01cb29b45aac47ed3702af6813556c0bb317c46f8be2537f5f3d78c31688b923f8b5ac67c4ba9234f80e520491fe85706978fc9f7fee4146305f5af4cd2284b37a97e0fb3d5859bb291a1dfbe6fb5270ce52ca35804681dbc7e3f4bafc44651f6c6416443ef6c55f51d1bec228abe89192db2877a912f98e85fa83c05ed25f57f10012c5bb6b354aec5911ae8177454b8fdaa7c29cd28267fdeb4a68d3ab9c31f94eaacf193cd7a2318de182e3e4ffd5421376f1a55c523960ba860f5996a68945d4b246ddd6f435c885182dde0f37b24f97400dc1eb3178120135a5bf388c29ebbff4d9fd723873a3a281ddaf0769f2b555c8b1d7e0852359032567e894e2a358e7395869c7bb58f02f95ddd3fa006c2b45f86e337767c4aec68aa8aba68ee2d284c2a2fa16361473aa72426761513ca882ea912aadb30fcb506ea9de889a832d01226a5dcc0a84a26ab573cec31921d3b671e612b956a51a490cdc0087e489375a89fa24f546fb88669a4ab2567b721a008d51a0ec93b1a68c06edcb7c7742ec02d9ebc4f182c55d841e121eeb2b134444b79356213eeb896610e09df0600dfd4b63227d01f370c261330234f715a64f989e0102406befaf12d154b8990c3ce3724b1302d3b9042442f104fb63db0b157eafa1981add92c68653673f9dce53c1baf8918bcf8aa869713c2d2537920738cc8b1ffb72e66f6d7384150fe0a72d61b6cdbb41e3d1ea85722479d00a017a1b4f7763fdcc30f890ade976bec32ab50bcbc4ac52617ee37b1bd5bafbf37a1136bf63b07234165ec35a13f0533214d94172744fcf0677ab06d401c44898ac7e61a54f82ef002009eac9e9c7f62c1d2afd0d7acc826aa69da7b9a120217c8397a0fbba15ec7874a638f139b0c36b7a6437b668421c43218bc00880a8dc40ece0cbd8a259ca0637c324b878eb34939ea5bb354ff4fbafdc57f59761f7dbe0713e60c770e368feedbb64b71c3f469a16821a65dccd07d79fbdc15de50a00a12a9f181be9f4360c523efea8134fe74abbcc1b28346b1ccd55c9fbe824d4de84d94e2e798d95640e377883b3da1fc8b1698b55d39b945cd31517fd5f0677fa0fc5e940e8a86317a42d42950b817e107683474ecd96553ae201f98db8cbb775e6857a5c4bc9868793d980e4a0b184f3882d55d12b895132aab7ca015527c307cd34ca3f0a344c204429c0be3c4bfa692b3bf5659afdb94a9a69103980a7bdb206983860f57bbe43fa2f456432625cc6b05f662c73aea43c229ce840ab33a112149822f7125782ffcf42ecec2eb26f2166d419e1ee42f015c48ada2dda2c47ae5dc5726c3d1b52be5244f6a10263627fc079a888eac195e8affa6621ff01ce85b21c208297b78db9ab894649d83ba07677e40691e207bee5c8c1afc31cca222b126e0010c2cb8a8c4bb8df301cc8c2d53e92d68991abfaa7678ef9e9c6b60f16ee67b913e3e49dd4b8c2b43adeb3cf01064ca96b8bfbbb36c0a8418596107cd1eb8198c5fe7f2e601884d88fd1100b45343a572554ed5556123c42f220ddd6bc858f66125c3b84d4290a153d956a37b3beeaa680fcc58630023eaf42d2b62bf47aa55744dcfeeb857b82f9ce12f75680eccb940425a1de2fb2dd9a5139fd5e4030d18615802410e84281603264ab96e336fdd9a56b521699677a59c0fdf2faf7dde535bf3161220045de75a407922273cb78c27fe7099dcd54effca0522294ef03681aa43300ae1e5d4623676bbfc53a002653d6eae9d3c0db37594eda7117f16358afef343bc1b51d8bf6683bf7fec5c9c8193550c7c72a6893be769204a4b3466cf3adfa8504f98522e3b0f5f5fca92d60821ef0a0fc65747684021fd8b4602b9554c5457031c7990fa6f998e607c78db79cc0fa598bfbc5e280b0a4b5ee802e7258c0a2ea41638d9acff6dc40a6982610d539bde09857e940f774440d644779982b8f296fdd2a6d44c3bad450c6a277b1f414db3239dd877510a289da6d3d065727efcdac3961f943c24b02bee0e67d86a2b19ee166bb901c82c56a37b36428012ce3d9b7726ab33828960ce85c2633c34ac0bceabbcc695617f64bc554390bf3d9c7fb954d97fcaa442f02aee9554e69948e42e73cd0bb4596ceab1cd1e9d2231d663e6de9a303b813780139a28ec57d4a9e223451964ff7a9c09483a65c9b3c245640b376197f5f44b0ea0484752cfef5ee6f906db4e3fb54d2b2c47bbec54de329d67e5a97febab05c4dc05f2c54323746cd0465fa9938c2b3c3cb111a259dc86f9c74d5d7a4a5129d79779b2d1304fbfa6cad81b8e2777486bceb5784ffdf34c91e4bb5411a9d7bc628030e7a842303b78ae496add2beda69db5132b2241087e29409a242625ff4f1c2952f91675d7c7ccd23024bae4c45f328e96b7665d3a90efd13b59fb5b55a183f91eb624ece8229a95ff78499628b0b4c28dcc6db8b1827cfa860375f63143aed924630f4a007ff69c9b5006596fb7e1c60ff2a26c47f14b253df8f522b780b7a320008d7bbd888c84507511d6d89116afc3170740b3c8bff54449774c5abb162b6f761c56dbc0b5fee80daf96bff96d37ee387dd379328ef1dbecb0b0752b092780e7bd51924de13aa4f25df48098acd55b1b28504117b829eb983768fa10ebbb290dad24ec3292753af4e7b532ba4922e2ae19a16a2f67f719716dbc6387a7cb98474e581ee256a1ab139c79eaf9baeec733a0fd8f84937bcac2fad79b8634fd318c079b0e1723c2ff56834e310a9b7a1154e13c02e2f671e868fd67e431233cf7181874b1d56ef857baed0bd399e1593d9550a7a4dbb89867a64c96d2d5f6c12cb5488cf9ff369f985f7ac6015ae055adf5c881c8fc5aba32bbe4437e20e3d0d477cb0d9861e06290f7f9bd4e0d2332d96280a049fa2404abfba8945f385f9c7226543bedbe966bb20bdfd8ccbe786b6f003659f25a7a0ad767d754d9b0245bcc421e171c5e6101bee7a0091d60ddd6451d0aef28f533bfd4d42edf2c00ac47fe4873fdf9243afd435098b20403592521f2c07069503ecad6d1e9db00405b9269357e08ff51296dd268b1220a8eb3ef86859c2d8abb4a3c4b2afe477faed5bfe08c76c371fc55d9db73568703d7c3e50fd4e5e42107de711f7aa1d47708a1142ce38530fba9adcf8c769074af4fffd8b447160bc043ba2a4d6864c5c8351a1241e6d780e21c89020244d1393c6f8b09ec4ff7500a233fd0c4be8479151d83334fc46ba04995cf8adeed9fa9a2b0ae7a873bd4059d87321cbb8c524e5ed10741e9fe4e68c2e490237cf492d14513fbed68dfde05be69b91d6e2701101b7b989dce7e4a36d9e9f6155adec0470cba77334e6faf660868839ef9b309588ad403fdd6d398c777b47a8434e6ab077043b06f5e058826c5b9197f47ba9cf26e1a2fc89c3d489c311f4f26d78568a9d56e784acae708f83b8d43045a8218264e13b633d744d62f7a6bf6ee2fa81f7fe02c8430db09dcb7da2925407112dc5098ee93ecf3bdf8d116b47c19650730d38ec12a84c34684ef6063a1c741f932f3fb571a9820039f34ee17e4653de9e24ebf8223e245e1e36605769854c5fd1c6dc0716dbd95f4ea05672ee53f27470cb584b097958730016d824006b7f3dc5484dac5eda6939fb086db0c7f89d6a99825e7402b45d73aa5f3437a7df8cac98b65a73bd428a3b16bd805f409517ce8ee036bfcd046929700133334a329d03f213e67ef8b4caa197c48c7e9ca1495f2715866ad07dd605673e2c29cb8257fdd7b0a3fcfdf2396b34175e55c24cb8a269368b1e6869ec9d2973bf6ab29268dafda4159f9ca448de9fe25569c8f01ecfb8c36872be9fb51e133ff24ae2bcac35e874b808c7382794e07d6db152769910ac5e054f114b4dfb32d6222557f53ea4fe23013ea5394b9414e844189d1732ff21c3d82af46a11dbc302aef39532f903c3162fd9442046fbca555625a4f73c81c851f4483567c917ad80c0c46a005bac81b84be25c5c4780d61fd172f0f932d845004d4da9ea1eda9ab71c99536ccf23b6e605b02536c2cafbb8810cd7c7f3d9b02c8d43245c1779a0176fb45c5ce0f01620420ee2f1f0afd3749a802bf811670e8c4ef166912887f1f1acffa0685a1e840d0296eeff1dcafbf36c752bf351a12aec01e3bbd480374b8ffdf9e7992f38b37afe34983541d13097124edc084054ef6e6fcd12c18b43d50078dda3b88b5f554160b8b29c0cfeaa9abb39f325fb16e65f78f31fcd1880174cc8ff5946e242efc33fb83bab1f228505e81717b56d853f8b89e8b341d7bc23a8a11848e2bf648196a5038e31ee6f4ebaa96e62882d8b0bb118e82c51d0e4c73807f889bc186a46d1d0ed770493a894cefc18960060cea9caa45e9aa890afdfcc260b8f6508d60784c5bef72bea58ddd9a89adfb74b6d5892ee37fe4994e0f15c0fea821417d5909c33942efdab662a069a5e184ec151cb7e6b5b883b7500b6bb989afb9b25e6bf5c389dcbdfdb23905fa264e84dd2e390e281055b4c62b82a202b1444a89fea67755fcf36360fa6f4cbef4e8f0f67be28ea2acb49016eb1d273ca5c71691c4268d5ed5871dd732318518f057efd17b264ebac412688a1743cc6b476cc4b23c2c79a4c76f549284c9775a29b3c11e94b797ad19812183848963470aab980905b39452b168d0c10779e79026a0867a27837ea0963a3334ff1af31058c1b0ece060fc3c9e01053e6b15224f95a6f12dcb4b85c10e238c4ffd67eb6e4440dc4a55ef1bb094987e63cb59813d4b312c2643a99dfafca290907bd5b8cdd3dcdd8cb0e73787c226835455f365781b4e1ce95d02794d4790be80558e6eacb045e63fb531a0760c7b7cfcc4b10983e99942e737ae6fc99d287eaba65eaace905d1b77189d9a692b64c2e075e60ab2cf2dc48725016e4c8741b4dbfbfce54803bab6fff7dee6af90dcd39a142367cf3f64492d02acea7c753f9aa656514b5412f6dd90b9bbf77728b3044539d67994bd07a1dfc4ebed97e085b757073dc956f9a246b5aacb677bf79dd63e978dfa8834cb2f9d58fc999123de8185fe5780756b62293b707b9a892bc0fb031fa8c6a7af8a21625a45578b6d9bd38d40e0e2b1452a14165bc87f8044c9d47e774ec66de0bf97b59e4da7ba3cc9b6f92605e393c1da5c226e5c13ee32dfc0778567804eb3fc5fb63c6cf9c509884492a0c973e401b710a38eca1f8725b7daf90aa17e2f36104cf22952dce65fb70487f9c173693be0eacf47affbcbb810e6233884f8337c8bd1d24ca1cb7ee810fd10f08ba7095bf16f41e02ec4a78e771c6b3d9b658b2988a6cc1cafc59c67149324a67fdcf17ff917a798f7707459323c4cdf5b4c72a397d40bcac7e408cddd7a2fc7dbd82ad80791a0853c40e98a44e6b2c654fcbd3fe999c297396d132f87b3c25bbeca9f4f4b5cf3c4e55a6f1841b5b3b6836f71cc5a33a462be355e9c944a1246eb140d13743c5d8ed4ea1ffac12e5856b73b0b650649a9cdf2769802654c5808db95d01879c99c6832a059230c8abe730d960a33485484a6ecfca9286614c0917878d91064e8401638a898c60ec7afa7c218098bf3e4dcee138c2eabb106d860f50fc270135ba1e14502717edd1acfe17affbf9a67062d79e4a9f76d49a162f9f052cc10591881b983288ea56c6452045504c25878dbcd435a7c0b384df871f9ac4816d00fc75cfebd25d217e41058d5af03c68bc1e04e5608c00e9cd7dde2ab8a2adccfbf0eeca965310f6c8fbdef16d28ea8589c8eb7a1f389c82b3f1fe1aeac9cff77f5e990a17ee9feef0322c7e5c38e0a0499785fa0af62cfaeb3e80c0502d78268a9ebed605a365e12a0d983e8bf80d115b55301497b6bcaa5b2193596200e34adabbbf475346d6d35d9a3e4e60363ca9b4817219902c3c437a4918815f482016c5d83c5ff4076276924693369571f276431c643866ec415339a9c079089735d349f093fa46d94d0f77f307e262763f08207c9f9ef89ff3e3a35d740d4c50dc199f78a74898cd2dbd72ec026c97a3f06c8701054eeb3493216e9fe041b7839057a681b699862e1a1c21246021278dc7f271d02f1afdba385891b6c091949193ea6759127fe51d3791e83fb1567a3bea668a1915a8d74e4192069a0ad7bbddbea9ac8dd6fe6669b183f47aa5d7d1337c5871ec2053f661a50128327c847c2b40d031b4011561124bc01eb00c76851747a1a3cb5b6b44462033b8cd0a15fc1e958d9a755d93e8965f60f8b64e08992dd4d1d466e532de3489df5e99cffa3b1a3b215f83cdb07f371dc05ed58480c85654f5ca001e683359f13bcb436af1f7d65339ca08f5517708dbfd761f2f2bfcb95d9647d49d7321b06973543d83959bcf87b694ca4312c90e2234bc5f34a4e6acf4109ee7b30618636fb41ebef519e41534f6ab1b0268d964b1040dd99a6c63481c4f85e440a7d24908c53c9eaa7f8223a4c9283bee436b14d2263a4eb4d841809b3a6ada30a0ca74941c2c0e5f406b970cf0080234bdeb603898684bca4027f803363769620c96271d36637b8a409c52a08d54f7bc1c26438313522dbfd784a8840cfe36a9719171fc193deceab52922d443a28285e1ce654ce93f87ce673ee6a42f5685ff7cdc75290352e6d128c2591554306d70fd117e137a018b182c331bba74c8e57dc8b6ac21f90edf95d4ae408cef9488d6240b993b1b496371f6e9f4f7be9f0a2d8d0833b3372f1978812cd0042842071be0ca0883c70d928bf3cbc8694c4816d3d34f05419c8dd4e093fd16c3c9e8db47b71d8aea020ab1e58a8be69b78031f4369451ac7eaadce5292f3a92b564029ee97811f5870c844711cf5b12bd535b7cae6d36f087583ae4bf1392d9a2ab30222d97df83206f82e6af6f45bf393f10d511fe27e819738489d81c3c85fa9c7edf2e83ab0434e6ad3acb1ce6445125d8402a9c66eac24da22cf54791892fb5600b68e9ed903e448ef4354e103896e5cb83b6d30100743833a6f7a34fd8040ad2d7455d68df92d8e08bea26c4eb1974050c1775eb68f4bbc8e0f945783fbec38d9faeedb026c40b90b561aebf5f220baefe42a6a2bdcf3d843797e058f828223fc9e06136794abfd7d1201af01a1d89f3739fa2543d7e260dd9cb70e06f9b8c005d7530a5cd590720255a8fa520c8dda07437b010ec6a55565a3ed60ef206580f860ca7221183e09ccfa4f5c413f633aed9d1047ea92acbe4bda0cdc7d77c09f88da93e4f593b4d4b85332ae2d3e391276184b3cedac50b5ed485f1c2942aeaf03662a7493829f70c2a4f0c9e017e59e1895d53133858fdd05432ed5733d7d4e4bc77dce9884d6638f0b00d50452fdc596b170f322e53fe2a83fbeebfe039160816626dd68b86f9f5d8a87723833c7aa0f3a1a8cf3c45ca918495b051ccc168f0c7ce7cae1d9d1796c55943cdb80ea22d24b9c60d71b9a3d93b08f4dc04994b340d1b28fb7151c8ba6baa854b9aed90823697a8b4c6af792ce95e46ab465d24610244b6838cde96d7909cfd2b87bb29e4dde8dff3c55d47017d703e98731a106a02b4f144c1a0008c76c9dd2589dcf6fbe85790e35583747724e272f5079816a46de5718dbb1a04f3a3fa5c535b9bfe7735c19a926921189b55c404971f727045a3d25c626efb702ab77d435b7a155bdf26cbb453c8e206dd365a8a9f546680f8cb016f489b44dc45e1248d00158732519229adcc71e0874af80342e7f3f160fe8602f693539ed5e4daf340aef81f49eb19158a56f0fe0b82cdf5e5fc1e1fba5acf764dac0322f2045ca07cf5a3f299a81b643566706b3f438b0deacdfd6e6fae950da7564bb648980e8a192c72e964ceeae11c2870aa856eb10ef95e50a4c068c794ff87469f8f0517102232c4bb63307978301e7847a677d0d5143cea4b48c992cb9805b8d0edfd632c2f9dba7ec90fada957af13ff2537245721d54eac1bc0db4a8d0a2e145a46983fd38c13918b8a440f39ae0ce127ddbe14dacbeee89c5bec666767ec70423ef6e569255ffd12e47d53e349ccc351ca698d8b3661d325e2ebceedc5d7a87fd6822c1f9e95871459c9d080187366299ae5afeb647c1e7fc0fbd1790708be2c0d7d23e616cb8518c2823ad0d1585ffdaa69ccb6d5d8e20f804ec15ec27fe80b36d2da93e67a770143b8228a850401f3473649f8afcc77d6561ff84ebdb3d6a32ff4995d30fdd9c7dbc5a540d5a949e1cc93fd49f96589f27b3058b8a7ae6a9f5d1728327d9acb45b30a6f633ccd1030149bc861eff32cac2afff5264ebc8fde6cd114a2cc4b8d786c8258d80abf5ba929055709333706b2d62ad5a5c900dbb991e2aaa2bcc3df2e525784fe54b9a74144a4deeb1aea37f38ecffa92c68da3b8b779bc40628718cc7944cc5a2cc53471bfae347ddd3f706715996f97a4eacd50c79346b3141257ce0d397bb142494c20a3b9f4222736ac2c813f3a5d3c32775acd95420247007a96b4819563e228215a81d182ba05883bcabb95df9c3fccc88ab427ad2730ea34c1364b021526a486c541905c79e74cfa70cc45276b25cae146d56bc34a0d36ffc9697fcdc4bf9e3b219c32378150215dd84dddbc3994747f2dbbbfd4ab4118af750c91bbaea8a6b9ec6c52fc25519c5525142a571c675ec0148cb517bd04e28dd5c78f345c97b9fcd26a79bce1a03abb3b0e7a29af23c008f4b8b31e847b1d9cd49db847fd1573854a6ba0dc09f2618348f5e6560b44f349ac5855c711b0d64e676c06ff190a0e331a898c8df82badcfe15f44ddd112fcb232d4ecded2385b087f14bff11faba40f05751eb51c02c02d18aa57c785df57a392b8e38c8135b9c237709079e96a1d5a5518e16f0ef12f9cd6831be8fd50536a5f50673ba719039b1f480f782869031e93f342b3e389030f16ad0438c8eccf235c476eb0fb0f6f6154399cc63fdf8bf37b2c845728c72cb6bfc53af9d4cd7eca489fbf194e4cd53a205b88ae8e91f3712a968875a98424282fc3cdef7d2e91b1f0bf47e6e39fc99e99de37b4dd216951084ad6adc6897cb9e3f5bfddf10f6d5d2bc703d6ecde79019601b3bbff596ca1d487b5fd18ea05101705f571efac7f12e36193d359a4bda63752654993d954235e4720b6b704dd827967622c4ed59aeca0eb9d2f5a44b8263c63b81de7916ea6dc372cf512093e0edfaaea64ba20865da0e81fc171e0e1ef7f6f2e551b3f8698e83797cea76c6dad50066a233f760dd612ced521d29509fb161a4f7515c284c52a0d85e418e78a6ab1b8b8a61d123654e6273af6c7f6e1d21d5029b67b1138efc7163c90d831bb9be29374fa027257e5c1116f879e2842c26b415a9edcfdeed84c1a21791ed688a0f6b53a24ee5b5a7d265144afa694b9e55f7bc6e21622b456f2801cc0ce3099396ade05a3d9a802b027740e21bbfd89462263c2849d8f4b8ffa5efe85270d3c524f74bdec4f73d9995d945b613e30997a1ca9c1a41995666c7f355eb924f6f9e3ba61aa82b1f19968b0135fdebb9992b249089bbec408d16c5619a77fcf9500f434b78d6840a799625e9056b0712fa613ac98f2e87a2ea5d1c841c428b3d26329e566c63a990e8933f13dfea87e7dbad5195606842e4daa275f9e5ccd4d8065ea5b5bf721871274b69a17ec571c74ef097f70a9d751c1223cc905dc57f88824f97c7417ae95d3b5cba8aba3bdc591f4f30b730c5d641fccacfea3807d78cdc51846862957ef30684d28b355c9932172a7e9052e638df279ee7169052739a9a4d09263b38ecfe645119e603117cf3d91ee7207a44582659b7edcabcb36e8e7b4480b5d5c97511b5a932eb9774cd2fc485cadd7224c7e42e50330e50905e66259c93eea983ed2ab46562bc61c4158ee9493c1f21688a31a43a2b387c12668385275a809e58cce3266fd345af0945d499696f5e7728cc1ad496eea148d6e9a773fbe19a109e195f94089325c141ecc71799b7c4baf5913ee32e77b11f4b5ad5bff333c7b835459c8394b13fdceb71205a6a14e1378dfb2f5b851eec60dfe615a83cfb46ad464f7d81fc324e9c64e37da77a468aaca33ee1c6b9e023f794a29333e44f976974bd471f6de7bd3c4531281c9db3295fb3f1973f5935bae976eb01d8c2460a1ac4b76c3466015ab60cc1e1a7cc120bb192fa007d60d28daf109488bd97481e601a7b7da4b5d8f4b326a5f2aaa1f8966fc399540f4a6ae503296235a9c3e12e8fc11a7d9c00c557495af999f48b84404cdaf60870139d74787ea72f227ff71c695f030a6ca6a16c1a87d23f17f74d86a8e821c19c1605c33df17a29a9ce60bb3d4c1009b47a7024676cc9f33f15c67da462376fb66c0be90153814c65434fc27cd614aad56e3fbdaefb04e3f0e493bd73a475d2b359065bb7c9e4c12fada58db7bb9864c5817e145767e2e076e2f67a6524e929da9e804e8117a219b045d0a2ee4644177505ddb00e8f8c7e308589afffac5997f99567dd7a111d3786c24362ab682518e2a8fab4705b4e2a0260c940a79fe0d98001065f20359554213f836386aaf0256d27eb8cb98b79b3c7ee4e88d4465c684864a0010c9aa372442f0a5b3beeb69fd8d1d59031ac5b896028643404c890321c731765a9cce593d6fdb1cf8929c95a6999f99095e562703e09a06160c1855cc25a716e1f89064d8398bd23502df9e77adf019d480b214eaf749be2eff5303e69e788c0c4b5c2ff9fd2f46ff1818cebc529187dbd26e26a959152613af717b8e4f0a6abc0057e9a0b4b65321640879c32969ea554fdae8e3a9f0c2ca683d66d0ba422c6eb410f56ec587d17087e748d326dc451806deeb9a3680a8ba87f852735fcb6ed0b69553c71744d41e54548dd2caac534c8fb3177919ba38ae0969780adf1855b846670f656fdb76696f71d62d5c24f92c403a33cde67ba3006b59cc6ef4d5be3215c2ead981775b7fd919d7bd63011ec564dc2c01007586a0f2d85f5e91e9cbf172cae245ba6327ef8cc24d4a81ddddd627bae9d5ff9097362833a46bb3c17a8b12a7e20178628107bdc4f2a129b4f3484c57bb0ff7c3f1ce6e971f921d5b404c6ba40cb1280932ba3fa72cc4f2f4ec22bbe5fc77b1423413af799fcff52ad90ec545604ea8cbdcbc03e01746f866cb133a244968158d21e1a381213b24869cc96df17484c9b4a3978c69d8ae77bd88a23b5344e7ca2d611793fde3af93e56d5b511ba43fce33a8751bd2a6a9575aa65e8005d56211521c0e65b180c3622f68cfeadbc612547295b36890b6d021c15ecc37746f7d95d681c9b8010e8015600d0ba661d6372af0aa8864add01ccbd0d6a72adda5f2321c77564472997013e1d9bfd73754982536a03d23446689ee3c31d1a5546a09524f6da1ee9a5a4d5ae7cfe02f7dfcfcce35c902e52b8976ea6c8c1242ade460e660f0c56d844979eb2ac5bdf3847cfdff9c77b0bad795adaf775f5a12233a0e376c4a7e4342c8f4f5694f89f115236b53cd3ac6b0451f386f8f333864ed4941e8aee2e9d459ac3cee0e48c3a49efc83f4e8c223c142f8ce2b3d5a1d7c81dc6bce88e2a3ea9050772604c9d3ff6a4d4117102c792f61ba35411ac040c978c4fd55f54657e79760f5b3c117a6b669a68a1864738016df75aa2c4d85b8a9d2be6f02163dfef1ce6171124e2f12dd2ce23504674609b001d4355d5b7914ea92fc0cb8d3aa3280b7212fe83aa08c3c7ea5bd37063acbaad245631d672d6873efb16e525de5aaa69c4e46a244f47738b5bad9e5c9b9dd12c4c7b6715414101b634be3787135345bb2997d4ca99ea1d42c8765d841dfc9df4442ac7b09ef29991f857c73853d6a88193627977b69d125f569f5725f5cd740918c4ad2d33f7643daeb22fcea0363fa54b0d3f9ea1a45e046eec1a36ab69fadc7fad6f1e257941b5faef346e6b730bbe1d415296c8ac5c1883305750042214b1754426c132785b9fbe2fe834b24dcf3cf31b0601a2886852ac66dc932b14a38fede595c7fd551caffd2bc1739461701381a9930c917f3aa1e568823a6adc968c97dd92e9bf06a662114ad62657ed90794b0681bcab6ca2f8ed2cb406048c5042661788a8e99209212e0b60f5314a07d2b95a893853717443a0106e0e8114d3a5d6c6f0700102beca83250af679272de2045dd177f5fbb72f19b76d323f99ae22cce644d2250c87f7a1fb9824f97243c78b5558d55c9c661edb8abb213c361aeefa22463c84c0f268ffebb45df004a719bdee731a1b36ff440d7b957c5ede98e83cb9b4085fd5cf3c5a7d422932f2424f640e500b79f4a18975dad90be967108518e848d89c69ce9fb976a71c07f8664130b4aacbb9c189adc6735ccbe12d4211208a13f93538d73ce6baf1bab1b86a3e53bcc68a44279f0c782c6a4d95d0759fa0645d78ae69375868a2410054a9859b841a3ddf86ff0d5b3632bbe8fdfae3bc1caf183dc0a8043f48c28c187b8305c651c1439a1354f8a389cf81b83d42b7ff2d5c2f6193de0ea02a9031c1de6021c9cce7fbd3712ed58cfdd36b7f6704373b356a2389093494d6ffe53497e557a52035cb79feeae8c46243756bfbc1b42f682dcd3bdbabd3db5135c0a0998bd69fdfc354568584085c4e169e484ffbd120f3952503b45b2ced23f244f2b8dfa489b27011744de27d2897a2b8015015d0f6967a3bbeff0e1396a9d14d033ce281e8b3e7926fff65aec9153f109c9cd97c017f15ddd1deb32e0f385fe6420d0220c28d2e6028b5ad933d4628f0e19d24bc94d9dbb2dafbf385dd99ebbc9ac5c0a19e82e1030b26250a71ba88bff25532795afaefbadb6057d28ecb7b1e777e26bd27e6c712a0cac628faa0961555a72d1f02e3bbe78930ff3ff4f5cf4b332619bd6639a8c058c0d0ce8ff418accaacae74fcc9975fd1aaea2780f6c7c409b36cf77d7241c716def5bc3d81f3a3eb4924359a0b37be645380e419f27da47aad45c986d8c2b6f58f4d20277b7193cf31ae5f8c7696c3d4578842d2df631194b17719b3354166acf9b0024bf6db5f7722428dc746a8c4f3994a7a64ca834add0ad259a871ebd3010b8b742262348c6e3f62fd70d2e62ddee4c05817c900f37e9c917095bf6d88f7fd05b2621ca3f56290dbab090f36d268789b6ccf97c36b1a249f66fc08d83bce54f0a51f5364c4b8842ce136b76b39db979fe3aa3b312fdc0a4d98ba8bbf8a768531e170454ed7ea689b78de5860eb1bd5f39d55e15b97d0076f975d56a07261dd689e3c7d222998d9068f4d069e0649072a0816e89669bd2f46340070d3d53f5899f772b73983ad07be40b39a2159f4d786f9eb76547fcc66cc2a0bfbdc8b5877b8798793b1ff6ca7effdc8b434e218996d5bd0421bb365ada1d019496e92a755766dcfc0b2ce80fbb5be54f89f74ffb62e54e93bec1fe75c89f7adfd0222b3de821eeca84fff369ebef1c1d63f17aebcef66d55832e525ea1602cd34373ca352fd1ca62e5749436a6dc2642ae4714d5329f2d65451a6ae3245656d7910bb205af5b3f4724fc4cb300585fd7634972acc68875ee09067f1ab1615951e49db3941465908d95bddcca5865f17c069915929a33119d03b80e4ec896e05fcb889a0b96930e37ed24d24f4c4046129198b7e655346281829ccff597aa5023e09a92c6e01abc29fa898beef98a13ee02bbf45873b28b2fdd5a0f1c3b4d6377abcc224caf0719a819bba26e975df1db7d365cc47a7bd7f56eee5257655562761848da2e957ed4fe8fee65004129ea9b0a9304d917d07649784cc81edf3333096cfb653e5625be6dcefc7590b921402d5bb768634c29c015a5cca9c8c5845da848d34a6ebdd06d246ebf216c449a28964081b843ba5dffc093fec0aba7420f7b581816b0d5565f9b1b3d8c8f0b01cbc064e14447ad56a8e87bd1ccf9d99ae07e9494592a6308af9837d0ea7649886f87b3c28cff9a95e1219ccca6a6e261c0e8559519e6edc155dbdc59e21b097826d4cdf21023c2638c8a6e9fc61c46bb00d4954e7d06f1a62999cdce2411c4ab15c7d67e530bc51abd6f3cf74930c88433cee7a92347768ab7e01c5b0199d4c832e9855d8a828585662e6196bc19680d335be3a453324e5e42a918087ce2c05a25cc567cd84dcf17ed5d642ac05a648230f8d85d898e788efbe9e2b31c4303ea6dd51f0c48ddadf5dd23b5cac3e2525ae1fdf6103ee3ebe5a3fc359b9728c7a20fa0f76a5ce1437ad58edfa51afb8a452ebe806af610aa97590aed7c0e7b068d929873a813799524ea1d5d19b2542e86e19be2901f2c689b202ce76f3ab7e9f5b744700e7f2820d05e32c6892f8cd7765cb2fb7ef7bbd064f7c69630024d8209a36f2f696a4b851b279af6473d06725f50b7df7ff7bf7e02abb086bb53c774a592641d07fa438e669533a04de8d5721dfcfa648913677055a8522c19c1a195ba013968fd3bbe7b8828bb982aaac92fb528fe721f69211594bd545334e60859ae1fc4f49a8ba967b0dfc445e7fe148c117e0666e843b9678b40e7e6f019bae4777132b3ccb5fc4004bdd844f2d05791666219a14158f8e5c69ef6de58395b3f43365f3452d5b95ec3da11ea87f3fc7d2a1827e8d199f2601879657c45a55b2574e0385284440de020e0d256b59bedaf3996fe93d8e66a9f5392b91ad2aa6c766eb33c524af46b5529b1c6f89137003c469e0018ba7d3df98ef5ccf1e8f67326ff0d9c34b4c2b219cf248ac556dcaa909185fc87461a40a2e5b742d782d649083d1fb59923c7a41526ea268253b52c61552427f877325e4c3dffcd048bc4325de1a5b0bcf188adfc5176441fd3bfa40256a257cf81e3297fd06405157b46b3425589f5f082432b84a21e2cf31a502cc35a82b51272a17c4f9149ac936af8c2bfa2d85485baf308d425fa7dde3020e13f174558dbd7142c87f7e5da34458ba420c450e8762bc4dd7e4bf5008c9a71a168729f1a0387852318a06cf31a666ab357a3f76ea4c11e68094d76dd8f3da00ade556cb996db12bc9cdc09c38572f99fd71d0fb60adcb594607c774784ddb4fdc7586caa4d912ddf51f825e6628fbaffa24be7956a749cc0b8ce1dd4710ce481b955bd8d062ac46c4972da1107d3d2e237222af8a59bc0af648c02145b8ad705cfe9d80245b8502f403653d296bd0b9e2218999435789f532faa70c55733179ba9ba94a12fb4ac5911f3180d75212141ada6c6d2c139cc6945a76a5a4c5282b812930d6875e842c12e2f53a5e747e1c5d256bfa0bd0db52fe3e5c4eafa7b406be0bb9d3dde9821635e7c782796a0d1b69b4051ae5617958fb5b0b27d04de0fba5949c3c208e04cd9713b9f493472a2cb50873794b58f30ecd4f765b2da187bf7c4d5aa5e56e77b86f34a355dcda8f785814f8820854cd852c15ab44db555ca8b063a36b0f862d59a5bfe7355a0be38f441fdb7a0fc224b8ba32c0a106e558c382abb73d0660467fcd93133991a176809f59a8e10124b38a58c294531c7a2c1811cce21bed18b056003f6461ce706f74e7483252b4d3923a559f1fd4c64cebd47e5c119b14eb2b599e2247762ad4da73e9bb656c855f166c529367ede6351cbb1d332a34d19db7a6f4efde942dd239b8af53248a68c3c8c58e81856d5f99c74421af67eb817f06c016de2b2c875beae9e4d856c5a2e66451eb5d4c197fa5544d40d3e97202f3941156019b5c7f94b925110e33fb4454b0bd17c90679363849f6626d33d4a06560b807d1ea4f81dd3da3a999d2a2f184aef50abeec7138dee8a369dc7a864f79979604aa634e99340faeb4f5622addcbc4053e550ff00f01160a066e118bb278246632c0f1f2477d808e4db22291891856c704a4f0ec3d7ba22465f625324ec2407d48196edcba4c141999f2b842c9b861f66dd7a3ecafa9b03bea6e02d72bd7b19749e7fd85fdc1ece6093cc568426ea736d67fff9e96e91cf609459445df3195db038044885b2353302d4fd2b49e9da8adffb511145ccb4296a73ce358d5fdc6ccd8f3bebec92043b965bb48ab330b7449babdda709fc8d595758e2269b0edbc05711cee236b81c97f17bd310585afca387bcca73021a7b03a5e41d4cb49c870c3900cf364fda444a71bde673fa58bc86ee6542089e745d3fbbf536db08c739ae4dcd24155eb35fa52576ee75ff7b8d292e10fd2439c8a2fb543513192a8e2996b28e859a337393ddb0289e75cd4a586e1b5b91c2f93df2d0cdba868080ff0d0b5fba7facdc6cce40a396e782d870c477c92e36e4a2216f4c47d3d6dc7c8e70217a6550d0de89328f44bc5e802a950907bca1a98f47b46956f81b069cbd888ee74c9e9b991401d69bc4fb226956a82bbeeada7e350f2873b750d0f5bbfcd4ef3a8ed6426ef84bc3039ded99fa82c68282c5be8c874fbb504c20587566d966e55026c0223f5557a3cbf50eaeab7c8c75a1ea8d90ad458784cd6a241f212a34d56bf284a50c5026b605f9d72cc4d8f129dff55257a52feb4e8764673b9e8bebc4bdf4d0180b7d5c22fb8d4062900a6f0d5763228fbb10b3f734b2640e0fa538bda28947c6c51e845af30b3774c75e7599fa1243f618fdb812f9048466e97c2356d8ec39ff89e0cc182c696ae4b598caef5eb74d829239cbf604dd6a3f4b7a72e925c270631f77e31c5b9c9ef584b939cfc307cb6450c0f0e9d3f625d419a8acdc6d33ccc0ce0720bd4d321a451e2e43f4fe319bad5e70cf231cfa274e47557bb0003f81c749dad0690d567c55215683f4551709140d68944e81aa7e1b0cb8fddff7214497eb646e89b1dfedaef98dc4d953b826b90caee626045f4e530c9e95ea26daeed6165f7abb87a2674f680a04beb4674495ebd905502079c80cba23b55df66f303e44373326e5e319f2efce432f6069d27822080bb67a536f67fd9fe52f64693204c5742c4be9af8574676aa2dc445f54bac9e09988ffd829832863e682d3fbe17945f3420283b7eaf7604138aa453e2f429dfe3d0cd322a046ec7dd2793d2bdb63e04699701c7bcbe03ec7079b1836bf959ce71ade7090afb82012e2cf81528c6597c354ce9afb949ba164011af7c8c58eb90bf9f08a08b89bc61e3c4e54b9b0488aca3f0fc6b3e1aa27b81af27a2f7565696b491db1e02c59d2b0c7a46fba68d9f3969b24923e09ff45a1c1049c98cad4de9fcdc582cde68a6c811bab26f153bfcd0d8482eb0082b7a9b4ca54d5005824e63ed3320c5897234b3df93e4d8aaab28e369c08ed0e12c28e80a63823b5fbb88eff8880473d587fcb55b49455208c12cd79acd6ac88021ae38a15871af2fadf4a4df9fab50dcfa69f9b3f0ecfc805610af0969f81d705ed5c1a8cc677265386a83142ca67ebf388834b06f69e16573bc0fa203999148431505c8a2adc60ba9773943ecd23808adb857784aa255ffc85b320420eeaa704761695acdde1c449a56350d64dd21e617e17c5bada0730c74e6f8624265af5ec6e33910d9a06a13b438255c143ec31f22d2499a23fb4ea9295dd4d87a5b950d6b1120b7f8bab3b1fb89ae37f6e1ab81322a7f17d2e38685999dbfe5d1af79d1305b9af7619ddc29fb2309d30a07c134eca0d2464ca9456c7a2ffb6a8e08988adb97ace314f55569fb71b23841eb36b2a1e7b8c609e59684de61cfc89395f35ec520d8f2f074c7bda98c0b4a0b136fadb0eb979753b6208c8103ec509809c1c5d38b1a35af476135ef03a1040b7194ae3bf1111778335a86497bedc5728ad81dde257c67a665f708e7943cbb19a8d087c82d1368bef930f64800ca0df287da9f5f2452853c8097919c6654da842e6132b2dd9fd177fd9c33d8e98a6535905bd16c2bf4f6f00193672654dac93f748fa3bd9ec050a4bc5e2051c8a1bc6debfb81130f42b35ba7574802e7df72bf7356808f6c3f4db01dd38a1b77ceeb2196aaf53b486a90c74f7fdf713a4d5eee823b038d923f5fecad38e0a297d6facf6545ebd75822717dff90abc300e49d35ac1b6e1806a4173a10abd30924db647175cbc6a6fc03c91fc37243d2b86e9c10c0746bf59d3283b55f9a03ba8a544368bb1b9b285c383cd4a3bbb2dae4f12f716d83440a875aae1a77f20c5ec26d7192dc62c0d723fb74a9b383060f297465c9f660601a9370b5bd087ec825cf2efa15d238f235f0ce7bda6e28eeeafcd069a94364c4f948d843622900fda24b6fced2a19eb01874766c38fa62c4ae6bfdb70bb44f845990ec5450e16707232606de62c0bcd2c8c35772fe7ab807a78b1c8e8ea5e4a9497a878d65a1972fa344fbf06169f39de1f8c6fd2bcc626de0407523c8438cc2d6a7a418313a5bf4c6699c8fb49dd0f1f6c6a3190056c0fd28c7f3eb39927468be20f2467cbc98c9f997e95ee8caa9867f48beacc1fdc2976ca76cd2562d06fdf12603e6bc96590bd182ae304b9a91a4b79084942191798526b45d5e5b39fff83bfaa284d62a1035d2c65f8f3819f86eeba77a7fa37fe1ed7e110abf5cc99f04b88ffa056a40485177def2080bcd553580e396613a74b6185421193a0d857ff9edcd9812320aeab9f2d74d78637b193840037e879ac36ee001535f6b30675fdaa1399bfe9f9370bc308c217031e3c22db9d60892ca57ea5e9b5fd11087335874ffdc2c166c3f61000871891f16693543cd9bffc41e0d333396081f802ec2aca66b71ca3efab8004b576aa5bac42424e8fedbaea419d4a182599132dc0444319e90b71757c56e7712b5ca8461c73513977800e44dfdd404abb1c91a98d23f4b38e2ae967ebaa577de0f3b929e79012232466bc6cb362c75ca362ee19cc2769e2f36e6f061315a722c2cfdbf1cc39115c7505e7c107476c5e346c753952b537800658fcea4804f52eb1259857c35289035f0bc5909d8dc841b19d67b02c870295ac2c3774bc0c48870a2a87481f52920a85625fa7cc5fdbdc5aef3f6ced5f6bf13bfaab1990f8ccfbdb27ec4e247932826feacbe35a222998fd5b4f1fb769253dcb12a8bb5ab3910101dca59f6f2c0358e75be580674851e4bfce8db32627b2e3e8ca5ef51fd1efae58ef5c6e231bd82c51ad1de03395d7caea75521b16f13a87e89eb300f8580dbd4a8507f959cc1170a61e82a15c27d661e9dd2590307bbde5d120f8e49ff9503a7e0adc97c02c5cd3d31a9abb24b2d13582e846f6ae1f5d408e9fa74080582213c23d2be962aa37894e5ea0ff0b802579ae420e8f8af4809c3f842a4e8dd1d40bf7b20163c6fd4d9e759242c809252d6cf928f2beba93c26816c049305a021e865adc816b6ad6a14d0eb475798ed3a59af24f006cfbbe5115ca2f8aad096e623908c0e733ed8ce659acb3a1a5508e17a4ddebd3e21abd697d0a6e8b21875ea84115ed7cd0db8cbc7d4c0479bb63a5151744136f4678c72ca235c1dd08a016f4f11134a614ead7ba37e420b2d7a255c0f0c48de510759819823fea6c07d96aa09bd3ad8d553a531315254827dfa577fdf7724897106c8e54606e68e0e8655237d7e9026e16f6c4cffabf901c3ac4722c899b0003de84eaf7c38aefbe8966a4b686ac2d43f238f06ded2d4889e9ddcb7147add56aeb2da6c32094c0d31c55f3f151d556882a02dc2ef81c4dc9092cce1b8f27895c8f87bbb1dbc95ef92e7361a20e5fb352da4eccb7e6cfd22dfd93215ec1e948f54d93d3b995bc7dbb898f35f5676ace41cda50c1bc61bb2f192f575cc96a57ef93ae8240decb2a89deaa946bdc9c975439634a4c1c989cfff28af50a05ade7c9da957dd2169aa837936c8ab2c1f42cb5b8f980ad1b1049568aa677bf24ee051a0937356c9f6328f3942d06e519c17b0db0a89a71b886d0acec72903029ef723cc44bf5f91df28cd0481933778ffd317e8063c6fe73bbc53e94831b736f7a576b6943da9a7b8c41d863b0bb4218578f76f26f95c164971a8d0f11f3e6fa0fbfe485ae47378558be1488142ea88bbccb4cec4b73f166a3f16622f442c55db2efbe7b9a6c0c2ff18153268027c099a9a04211cbce48e84f663191ee0449624f6a5a900f9ac0d45867612ad56b53421ff143257f7cb5d07f45c7cc70ab4afa4a9785dccc126a85a4b46007e63c981c448a7e1c03835c3827ff471a70fd7b2b7f1bc33fe29f60dd889d300592bcdd7fa3660e8087ff92b301d20fd07096d461f6f4237564de9209ce08e427119c9b5fb0ec7848e2059b076a9d4358ad1e7132e87ea93f6c7f32525f7f82c5526d244188c73f3a7d17cdddde3a2896827a94ebc12435e60cd68121cfc9a5b8a5e26a8482b4c8aa06cf8e18bd876f52890cca4e5125e07e4bf13df5633deafaa5cc0da424e895482adf8889d9eb3c1eef93fe1fb0464c43b520ca084d320ffc7827b033edd9c11de7d75ba818f344ff7db2f05a49b9de2a506b3a71974b5ed80c296cb43513a98e2f067993b8e0f60f079c7fce2f76a005ffdbbecf1c8c779d2bbfb0585fb32a35fa9ef1ec5a814502c4d7f59a94ea436687ce9118ce17922e408b2e6116a439682cbe0dddcaab6d0937a898fc0432bad7cdb388fe7add9aa8c3cffd5b1edb010dd6268b03b4ed12038e6e5605a7908026db22e46621e47bedfd18fb0dda3cb80c79b88bdaef5f721dba6c62c2395291c4b85f3e587605dd8521454c890876dd2f66b9f1a16b16545c3065174889acbe0fef736ee131b12b8c597e168bc96ee68918cda9c4d6002a6d9ae5f5fd1661acd14e23ed7b16aa3355425713fb513ec6a01ab3a475dd7bc68317eb973a9b494314f88242d7e9f166f5babfcb47d9b0ac3dc021dfc19c144a70cbe3237c6429a957c5568bc241cd791a3da0282c996c62eb89f13252c082af7bdff10d63480e3eb491f6bef36dadb7d53a9561af3ad6fc1f24c0a6e08f0fa9703299fd7dcb71444902ed8266353bd642649afab8ed57583a547394083432aa0b441eba37f2a4a7dd2030bc3fc824e50840268aaa8015bc83aa276b1c65790eeceb78346a299d7c9aabea8604682f6504ca87dc162837d319c45b02303a75e64e2bf5b7437d3bfc41fe08b3bfaa5f4d65e8dbb4c82501f5a0057a7ac97e7509c8aadaa10f0a629e52f85b20093458c57ccacf377eb4559c29f91bf1cbb54f40b5dfd742e51f8714d386abd5644f73347c75726019ef53f359e4769b006f4943e002750e2c7dca3ef82efe27430f771ef03cd99758550971d4275de055bd8ddc58ae2bcfd872d5b0180c43f98f84c07f17939024fb4d192c268bfd9ec7e6b2ad25882aefab5908f15c7a5f424e2bddd7a5a99f4e2281750f634f7c713b573b4addeed4691a2f8d6d58060342a084abcfd5cb047709fb1cdaa26c221d06c11d27b9d035c11f84d37c44424b303923f7a75f6809d95b1e63059948b9c840bfd5289cbd6373e058d31fa0dd5d498d1dc52eaa1e1950c62e8e39c268891c789ccc62dbd43ed15c58a528c0d2e9e0acbdfa62f6d195d87b4bc27f180b84261f68b6768fe93d8160c1561a5489276477d182c4620b2c605b6bfcb67b9d884d407aa3cf64d18cbaf9c6ad63d2cd4367dcb18ad5ad5e2900c79b645347c5d8b2fd4329d4b9d632c6adba01dabff814c8f70fe0d31ebfc22711174985cadba0c9c6fb5b5396f32acac034802e14a8ded588c94da857e55372c96c0546b18e5a20de62764ea398cd1bb25c3accd4b9db4ec2f8c045788e0700f2868268e749486603232427afc6c867bf1829c17c991b158ab488e2525f31e4fbe680e29114f92bcf38cd77d9e9657794dc52ac0876db200d7c96179d37b81c6137a10d642461557dbfc7d062c8d851436ac65b6a0314c8d49d81d4a2f25ee961720528d2e83df64615bcd74e6f15f00218b85d2b0281989e3ecdbb3107b553a9a8a47feeaf9b67aefdb7c0e067b26fed87683eb4745137f79fc809b8409644effbcc4d695d480ce651bb5370780f280b3a39b75b92e5d1f75618a6af791da17af3563bd3cbf9e07e3650a6a2f602b736a82c2d1c66a115194a3fc7c9196344aa2437ea029b43ef34c20d3dbadcf37ff0839afd75afa59d205581668b7d302570bbce1ef4229a30fc40c528f3945def73d836aa752b42d7fad3a24bbb3ffbb3b4c834405d7a37e2fc3d51be6a8d3eed3df4d7dd6cf05737579d1073216937980919dbb5eb84f8067748b774066190d24bfea50913776711ea298f9d9b674fe24c504578c78c202b99f1c54bb4e8c36e6e44ee597b1e28671a4dbd0c4f5838610e651e41a5e4dad25863576a78948ba5ac8cc8455d3be91885641c61df09b8888e7bc13aa73d90d9d4c3f293edf721e2ad85248d10534de4bad0b4b23506407a63cdb951b2dfc8f53aadcc988fed0a7e72c11daab50b3061b1f10ac2a1cf665e13335e97ba94b3e19fbd19a4a955c45d0b47880aa756032090cfa7aa9bd3ddcb1b54d6e2b34e6292e04a3a3b4cbe33eddf72967e0718fb9140ed23e3e8b5bb7ef6cd6e017625e509c34637393ed5facbf844f658f93c4fb0ac49e5b9a3be0ff849334b996bc71135a9ddebc41bfe84e9e443d6a07fc6c3baff479e2ff21d729358de678c426bed7a351e413f6463df0efa7621c201e291bad012d4179af6cdbf44ef278f6e7449e7afe7c586f5a4cfdd3d610126b87104e85eee8af49220b0eced5d9a2c69ce9166d84d448f3aa75b0be354d73b3dbc066567569895963cd08354b2bdf7754e5983fa77b7f3214b0652832c2ad45444785723f8690da04530a4271730fc4a5062df6f69c1fb2a643f53e58b62031c0bccab7157b6c1e53f9ab458c794f167ef52e9725c1318229b0bd8f5450c3275992059e908e0d9b45a6fbee125be6a4a00f969d79193d6e9eb7cf21722ea7a78273b0e54031e0042922aa4f0202f08f44d1b8482b9879086973df08bd430b1390164418b2b4467414c13f595b252cad319f7c00bc46081c45ffcf67b9f78dca78533d85de75a0c6f601793d73eb68f3c49c59de831c14ea4c9d40bb42ccc948fc5bb9184c06af6f02d4cd8f71916fcbbb0878c210652815632f2fceb8256bda3d0d08b9057eadff67a89a75c38cd9eb76de790573ca24d8e59ab3ed8430c3915adb573d1b773f75b69bc14b7a16dc0b93f16d0ca8b52d1922beaed20ef6c8e383368e8338bdba0f4e2eccdcfb6b60940acd5a16f73fb94b9072248497d54a544a5d41dba271e482e73157fa6ae96cf124e9e5af7b5a170b6bed8d27ffed073657a72ab6ae25435a64049902575ca951f2c08dabb6da7b75616ff35fc783ad65ef76dbc442a6413745452495562b6e3ff9b94448bc56681258529f3783c3059d3cebb38ad3fb859478fcef3b3d990ef029c9f072e852098e26a2c0fd8cd87bfcb8c0a71d7ddfb650ca4c21d3effb6285ba0fb557f609486e57507211ccdc996b37f6b86c3bf3654aec8c65bcb430ea919914b1599d1974f33c579841d8dfadf714918c7a33b543d444c18f02dffd26aad5f95655ba73e79ac1b46f975c8d82641ce1765bf457ff4f25318d83acb1bd64cd99a3135780b06485feed02296e1f3c557124cf8081991d1999a86faf774c9e39e39ce85722a3f9334c5a89bc182fb038a95c25350b341b5f7630ff9b0fb1ac3d849d2153cdd8ea9d5942f1b9788e6a0ebc78a22722f8cf6f0db480d817992b5b1e0d008573286ae803d579e51953c8d1ff58d5d7c9f2aeb85340b1926967a6add3882da3106a234b481e6269e5409064d9ae31a4c85633b0d1f1c3007d68bfcd7008d2b5f6e71fc4a955df16fa0ff39bfe28680b3d7d5c3096aacd36f989ca0bb3f774b34410aa4abcf31eb441fb62e5d7998fcf3edf6af5b5940b2d41d272946d6f0f97489f9071847cd1cfa94523058f11a35c69e3e96e8e43e029cb583d6c94a487c11d6d627f55ff45a8178cfa72d552a991057f170d1f74b08e0359951bcf779799a5597eb7cc862c9f7308a77a9021b86096975a95f497d5a09923c2a1a5b504db622557da0d493ff664f334e2cc08d5de0ddd26186a363d5c1a0d983768d370e2e06e894193914b55226ce3899dfab0716af60f9c3ffd4062520a77b1b7aed42feed55d9c467b409f9aa0be4dd78a3653e76acf28e44a76be13363351f185640b203eb8a2a330b947ade25735a8344a78f72e2d65e83eac0b853a09ade046e4be744fd5afcfce2e913c97c5b5bf3eca7038d889a63af730b8c232252cd64982e1d8cc060db6b321e3a83d8a323c8becee4d9869dd93586ccd322eff33bbe608aca4d83b3ae1a010bcc23790342501df7b26675aefe411b37693a9250e232ff0c206f9bb6ea6614c8f3cfb6e26a74aab4ddd799e3f47cf6629c61ddea0d1e6db2b4831590e048bf36222fe40a41801aa5cdbb24a896791f5f1b3c9c0ce86df60568e726224056c5fac7b57630a5c3753f17bfe8723e90341c3a2c1a5c7258651d31564295bf6c9ba58910243210ddce4df640a34d4cc4617505046de43ebf8dd042bd208296ad504ee4c7d44f0ca94ac8704efaec6562309d0e0d93e7543a9babea16116303b6224c55e4d0c0806b51eaeb1220729f0816098f8e244993eece2dbda5c24d1c59c6115f85396ffdb07ee4a380c7cd7fe79b49e4b670afb3a0e41e3d66d5c1333726f66dd25cafd5b23f145290108d1e5afd60a458d43442b99b4238bd1b116e202c6f571f68efca8b3fe2ea271ee7103b18e8d62ae8fdc96b7e1f3ec6eea22bc199f0f6ee9236db27442450f32a0e852e5b4bfbb606bd4489fc2c7ca3d31a088ac3a0c7dad3b96202f7165d5a57f8299b6fb630510723281f3d1f84afab654a915a2b4cb493c36e8dde7e86b6ff91df2cb69537c54a4e9d612b84705bbe4421d0c3c7b438529aa4bc1d7eae152ea725fa8321ffce5b4acc33a768df68e304157a2792b3cc462db6ff41a25b5b0fe562e7bc476d0d6ffc3b7dae40c830fbf4ea43020fa38b7301c23753fca45a984081c3b5a744c2ba587843f130e89f1ae1f08b8c16281a39db3308587381203d34552df7df4a1e6d2aa4440e26594ffb0d7a0134012a20b420282f60aedfc1478eb0e13bb8927972265462a95d7fba87ea425249536caede0cb6783a62e8b554c7d7b28e6d13e6e1cde54ba20e71d4a6c818862a177f74b9490d6281ae92f242c16b23c22cdb5a3bc5fc511f1775f911426e3e545375e74371a7c2c40af71e93afd240f3f69d2a9e90d1dc3092f19c57efda9e62e8c52bcf9bcea806f93f950444bd413fdf0440453b08aac17655c4477f0debf54ae7660ef10e4172bf28b7db11a4498651bede28b8862c0c83089de0bf420e9d4567914f70da09bba4816b8e38c94bb81704117fa1b1500796b9c4ed2efde202aa7f1901c6f1b30c717fd37b705431189a13cc019e15ceb44289a29340ea876a5dc42adefd86062ef93889c28a05901ab38f4e6a480ee65d1e44920e53d886f29b3dcbd96fd6d3575cde377807d1ed9c3e19ed5e81bdaa9677c9ce8697ff0ea8fc3f7086c780246ff4ae8261c52315f6de7043a8fc02a8a4ca5bbe13b0f19783194c344a06412c44094e94d0317d77173a7e6ee50ced15e202d1e5c0cf616c31fae53f5179c8160091961b9aed1e25ea5eaecbd91425cad4839d12bf0cdf80e1f7a9e809a74dffb12ec0bdcc610a6d9225abee9927104b61076ec42d25a30e74d30652919746649a933a082fcfec0893c50aa1efdce1f58e2bf04fbfb0198d137c4f56bc146dcecea5bbd87c03197113f278da63cdfaa92bebda52e790fa7bc3dc6669e9c88d57710f9d99880638a6ced75b24270a7b3456f73a247eacdd179fce4f02403c7f62e2f178ece290179e2e475df82451b3d8043febf92978835df3b44843c8919a162e179806f2ebb5e6edf30aacab3b0b9e4ab944998febc6571710ff3473d12b7347748ba34cc4923d401592be6aae78ea79c3b3c67f2283c6da83e95c7b9b751778cac836ad9871ffd955d1c6fd46b56a1472763ce3b363484d59d35804d676a7697785efd41a2091adcd51e5adf5f85d173717d1f02a9f6ec1180cef6030f9e45658160263ff66a6f501fda4f3737377079c2f91f80a6e5ef168f0da3dbe74f8fecdc0f4946cf1495c17cc8491b4bf2f352469f34779ff1ecbfb6877cb721f7d684493b5649bea70cd72aa9f227fe499da899d8e48da04c5ec26789aa4f11426d8e862c86d37e8952ea3dfbea4018c86f99cc6561bd0722a38ad506fbf1604c049841367797da9abe8177049e1de504e58a7ca3b57ed631034a21de9aa31413a9773430723957bd10aa66f698c82c778819c169a07154b94c88dd16c2e3171c037580b3bce41002ff4e47137de29461b9f42995ece9ca71aec18d6689e8d6b155ec2f4d7f206c96a16cdad7c54177f2b71c5259990d5a1a3baf9f1abebff124c6655cbe8037da1b6993f76f1ec4d56dbe7284de6c1d56ba8a1ea414f1ebb8974189da7ca7f063048bd9024c9ee5379597c8bd07ff163fde33105ffc63bdfb4704df5d2365451e7913467da019eebcd7074d708b0eb179a6f43d3c54c2668e48f3d1481cd4e34e2a89ae6d8587786f6a252c928127876c4fc017e0a9bc311c05b2cb57532693541862ca177c43db9cf20ac23d70b0863e97d784e816a027f35d14df6314231808431f79fd634e415659831c1a7c1a3f0bd0b9f59a8bf960be5aa7a0a89092a2eb379dc267605cdd21985f0234124a451af03d43d3839c9684f642327598c4a7473851df6c571a3aa2ba5de935c84b3b85de07b05f2115d8f8ab6a00d68626e3302f1b94db85c4a54e99c001a2c4b1a97347c3a728be28d6164dfa6af6eeb7f33c5450e83b14e95d415adf68eca9b8de24e7da280f83990550ad2c0f26bb49a11f5aba092ebadbc342ccba765d7c250f3b0a8b941474a3288d023d89ad97cb051ce9f714188b8bfa9effc1b5ca679c7bc83d4018bb11616fc8fe56023cdbc8f79b01113ce029c408240f57f96a8ccbc58441d71951943464d3727754fe94b96e2d4b6f022edb3e9f719005aeb748a2c36466068703a8b36084c4e70a48a05099c85ebbf7f085cb12282df47305094d9ac48ec273c86352bc292630a138acaa25dfd972b54871a1829a6981bed62a169ad94b8372bd06fb2e4d4b329219a702a2f996896ea6f8e9414f81c52b6977f87b9d7db7f9ab9d69dcc1520e41b55fa9c1ab72960bbba6a1bd37cf412300e2d78265ea16de4ec4fcbf0e97460fb56cc92474c554b500d4c411f708ca7f69c0c9a4bb5a095a23ec79cde709321734deb3ff2aa49e8203333878964c75c16719b422bfa6089b290a764492df889c327158007f531742645af798045fc613093bf107d5cf11713843e6bf5028efb41cd0d1e93f988755b96b82f03bdabfe7df0c4633142289ab56f041cde764624ecb8c2cf0edee15730c8a2122caa9f17a8c7028bce989769ba0adb7e818daf94bc72b9ca2b22759d9f00b3feeaf34e86e11e832e8bdb65e5acce99894e0af49e5d3f9421fdef8c480d60c475287d1684d0e34e70d73b28b23faa058a79bf7216dbcfc19e3b23a401f59077a8a742154435300a4c3b2e9b6698f583d25b37a02b7bcc4891fbab6c9823668fe9f7a6c807cd800a84f037c75b4d615adbcbd6108a1068fa4f9d3d7eee4dfe892c766a80bd4dbe5872747ed4cc7412c0a4fc690b66baf1f0df077108e43af1267b89e71487545ea4f7ce85a7b26c5fe5f4846316fedcf53dd11618fd83f2b1407298b0a9e4d3141df0cf3ca2d9cc95d9410f279636c7fab11621d0c36a237e2ebe0cca8192cb66807f42e2d06d1856ef9e92021ab2d565467c3bdfac556c464b5dbf86fd363d793f121e38a41aa6e247012602788e702ca5760342cb98c350b880925e65e002e76bca785e480c7298a6ccc166fdbb0ee5ecdb06c2fa97ba9c5b280d5906b26760996de7275ae0983abc4a4b0a5c28deffd25839d249fffdb30dad88f3439d8e1d35f636b3d29878931974cebacfe9a24daa3a1e58cea1cacc056fc3d828d7218fe0a41778ad0998149c4541a75e9c03384a7339addf9076de2e9421e08b3b74d87a172db8deedd08acd1764fe581fde10f0fc4423c0f7cfb8a0f575010b0d8ae98f7996b6be9fc2ca5e1ee32be22d32be54109b1924d30d002d62a5c673acb8633ced10925a760acae277dc054444c9e0e68874845706b2b7d06fe49e734b569485c3d92cf6bfe9aab230504e824ef33a87d30b96bdffa15f115abed200f68f349fe6c83bed8107d77d8706e8834298d5a66aa969b588c524aac377508ea6720161bb639e2ca492961aeca5bcedb335213ac4806cb4f9e15c29974d89914d37622e6e33afb7e6be874c5ba87d81a0dd124f23d5c2fbe0093d1831f1e53f90ccf0be8175471afe4bc0568f2f45ef0496e31e2bd7cb8aa2aa1fcd339766eb93dc0d8485a1c5147885fab089dbc20bf6f7bd7a75c29a50f2446074b4be2cf6159fe895e1240b8f1e691a846ccb959b1b6685292ca705a4fc9e4bf6d48973d92fdb9b30c88f7fd598e5dda529cba13d3eaea932445e2976956721366c5ef08ca8a36ee8b50e1c46b356a8bc54c2fb8d504084659becd6b0f9713a1d4af10a335553112b570fbe607a957a9010825518d8e1305ab1b78ba600ff26858a41888b4ea91954f95d89d6cdefa4b33cd58213540bc88d9d9b1ff398faedf3ca63a2f32b3c6433490d34775bdc285d5fa9b6080179ece821b0ff387b477717eeaa0e6d948838ecc7721dcf7e78aff9d9a8efa04e86b9cbb5446fded59aa6f863e825f856753040f54322ac12dd565a184df38fca93be65be57ebb5022b83a8397d2f6f8a042da3a1299522c9956dd5437f8e06a8534a22b449e2ad49da6e8a5844f47cbc9b57294095540f4d112a81387be81fdc68261e6a765f005c671471c70a46dca20728c0500d2d07572024489b5ab7106ab9945b2cd8df14067bf79e3165cdf91839cffdfc529b7673c3df590066e3277613b721c66034817d8ac2dd45d705f1c13c2e1d7b4411f1a0cbe19e618f95dd453f9f91c97da4808985b01497cb58cd69e8819c56ca81dfdd33ad2e4408e5f1f665c4374edfbb3418baed831c31baac974609d3a05d9e703042b4fe1ec73d50f66a2ea3862137a694932373613a2786125fe8653f436114716ba583ae10c5e92d87aff4d151f81c8d6f06fd97a1df30c73cb22c996e0fd2739967df50b6fec03cac5351797425853c06adafc728af2ed39911cb97fb54e0f90a30eda99e33f9039fb973010c1ff6a95cee6e28af678bfbd9ecbbb03f8ac78657279e4d99163dd45f819e82fa6e2f5bb794e906c850cca0535f757f2867ed7d20f06469c6f0e95fad62eca4f1f79804bfbaa3e28430130301548fb13645cd675b2ffc98e70434907a7e626b94cab768c1f25dfd521c3e80b41844afe5c457d7224204d78358a91dfe5e2d792d7b7b410750e81f5e3c4b5507912b470d4035d9835afe05614a938dc790bb9b3bf3af7f66d83f3fa7427c0a0fcf17f10ff7f58649565048e34d8b91eadd75f04f46fa0f6f5f7ff74113f12581caf90205d953e8b5bc56a75db9d0aab414e3ed88a68b19eaa156896f14934865891ac39733a40ddbf08758b6d8eda59d64d71007ca3a7baff294d5cf869a6e43e0beb623b832d40fa6f6ac1c2f322faa4fab039be48cf309ff510b6cf8904201f322c8282d27b4c99cd85884cf092ffa7603cf51d5a1c7ebab48a95e43ad84a6c6a382090134b93f40f32fca940c7b292fcef6103692347bccf6f6efc3a64bb93ade7f98ac21d79d0a9db8a47286f8150f352d7f09cad3dec0736aa58c70e2edfc4a701493ef3f1060614ef285b25f0c39578b7b8ebdb0ac6090d51b531bcfbbe50c0fad3d946b510539ced58497bb99a198959590818b365dfe2ba1b0b77413773430821f143dac8da378ed430a56e9c909d8bd39e21ed648d89851fa4116a487c5418c08d6cdced8c01db6b00b0d77191f4bfb3dc837215f61b1703ceb3d8e02a42a711c4b96213390b59bb8b4121e48b210be403591dafd4e987b4ce66ee1d6d919137e68166ae940180a3d254ca5537ca6fdad592e6269540107b3a2a231c61dff1432cebbf8d944d6ed57574d3e29c7bfa20fba9197ad699287568fe667d4dffe70e7bcf95c1a1a800d2da805cd57cdc8ddb7f7d96c860156197122da479a8e6d955c76ebc4432a4a6b9eec1e45da914c77bca89ef9c442e58f1588b3a38bfa8dd138f618e098f987d94ff3864e2e5090da6496666dbf029beb04054bc3ee417e59fd67b3cd4b3581744adea5c230f051bbfd602b8e94ad01b5289811e805001718f3037579c44e39d2e58808b76012f1452b784d960e18676032ba1acc8f0a2f43f0c4119d81a854ff0bced61b0402f3617b2baaf5912ae1c99cde35dd074ac7ea1238fb5e31a49c425bf7aa83c5b461bfae8842c7b172bf2c9d759ad5c02703da91bb352ee9b20ad9f569401718d615c95ebe7ebe8daf146d77b59b3deceffb67e4d3ca489e4975c1c9763a3612e87be30ddac6e8ad158778ad7fb9f8f02fe5e6057cc17644de962512911d404b59e033371452871cfc889e191382d4f95caa5dbc65e7dfece40d798b80b1d372720ab4736d71d5e78fe94b8f8bbcc11c9de94cfc3c23610b67a70e61fc2a5b091bc07824c1467440b5eb0de53dbca21cb114f59b3c808befd39f876777945b3f908b95d6a3afd61a99599ceeb533fdc36fc02ed996d942dfccedfbf7ee53cc5524afbfd58c0a6f8bad4a15b67fe25d4f44851275b8c828a91a0824c3f3b80ee6dff7f1cc210f3426c9f6969372ac225917306a967c572b87cf396f379aeca3f51c2241a2d8dc84909b3247c522e742bb33473204e4efa25f334add1199d3d3effd9e3bad76aeb78736c4c2a83858111f2c0bea4b2435a038b52fb4adfa151d75971d933f23df2aca55e649d7b4d2d35e4a7e2301f31d2bdbe3d9dfe55641bcaca90eaa084e0d95398f7b640971f886b360f2f2716cc98bf0679d06e38549148ed56ba144c598a962617128213c33b4d976a11cff009589ae9b1179ea037387435928c1ae2a2644ced552b5002b2b1045cd61b49bef9438df9272a99074f3524e543a24c53ff488556ba7f1f133b2320dd38ead27895945a50d1194e46c32234d90f08272a1375cc5aadf30bcd5dbcd0efdf8fb0531aad382609cec2e9c2a0c455a5c6be2d4025533ff3f7c2952577bbe14502315b4665e2ce59a3e16ab4dfb55ae94c25dbfea70cd310cd7ab5766db2ea7d7a07498d4d06c238920ca52bc2dd570dbaa729debf722f7e1bd3a38cfd5347971af4e6452b8ecd53fdba317dbfba97403ccd170a19acaf051519570943e9ca800e37dc286abeebf4134da43b80b7f3f53f0dd385566a177e04a769d8e493474cb611e063bed87f88693c93e7c8f1ec9a9e8314197a27627292a8d7cd86ce3eda6d537960a1338dc5eee35c20e9d925081d5220dc57bc8b8edf2354d461ff037a12650f8a10ff00c6a09fe1b8ecb5dce4ba37e7e0da9fb801b06c2910e4ed462968bcf033d2730652246a851311b6d9a93cf9ea517b57cec0d8ba15299ed6c057925f2bc26e22221eb276a8d1ebca05dd425af1023f1fb66fb50ae08f88d4feab11a7b15e8839ad565c0cb63564dbb26a9a3d173cd0b9a52ca1c936675153505eb7216c9b963c65c57295816ecb4f166cb14782af8e3541f2d050e9a6a872ef0a618b1c112f0de05cd62eb6954843c3ae3ae6a1c8a1dd2a381f96d2264c7377b29af1512e89e2bc12c9e348bbaf3d042180a94ed2106337e426e58ac11dac99cecbbdb4e7d739650070e80df298505e287bf23352b3392a43058603e48c20e9542f341eb89b5e365bfd1878e51c4f55be8e5fbf9a2036171249b4631d06831feeb4ab403f7ac351d09f50a361841a80d2444b5f5480c0c931a3261d36176e8cf5f2fbf32ede757ef859e00a4b4e841a63a4e65e7447c4dda23dc6b1cbf2c802f0b0bbf0855c8ff1cfbdfbcd02c462e307d33cbb272be2e6a0622a6a730654ba411aee57c575f6c374ee8b8cd62ba6f8161de46291efd62f5c8807bbf929ad94189d0d8de8915d8ee5d43a04c95c025c3c2f3d8ac31e031daed68ca4244732c13db58374efce6416bd45c4c29403a4813259c3d010a0b861d8e56d70460ef7d41e1667ef7a61deb7349f5862497bb4edd69ce3c8ce94863e7a19c8f150dc62d16d5f581a9d109f2e3d91aac1849c8016286102b97523b2dc3a0367f15c79649b0ccf6ec37e72a0bf804edc9b2b0ff21ebd72c8c4ba67dc36e478761e2a2fc2f4ee25bdab00880e85b815ff4707103c76aa4813d74aeb69035e1caeb46b4a51fe2dc9b3706f73478b7e411f7e9e81ceacbc27979bca251591a23be60cb2f00a8b4cc3c36f8e9b32350b0be73d7c29e0fdf63b053fd21c43b69c2e04b42badecfd8a7548a7d0b311f4e1d230d8a6c32f8bd7738e10cc0748cc44efb4ca8c9d5aae6de3e19b12fdcc597abb8dc209fffa9d5b7acdc044a97490b7877b2b13e754023853c55e674c067ed36d67db3b952563866698167eafa2d1878588ff0abb6bbe4e61b8f4f7db75e315a9cf5e39949f110b540120bc7b3bd84dd463d00df71332b01ab3304358dfc5a51d4b22a0997d851cb61e41d4e1a985e565d99eb8d8a8c1ea7b26b09cf3cddda7cc8669b77b8eeb70e0590f5f3ab2528b3e19e4d428f991a5df66cc73a821c501769494d1bba0108c8c894d91a58a59d432a43d8521a0bd616767d7158d77e530f3df4890cc71ddd0972318f04e6464d832291e55eab5d5f0f22e341e489a3c107c384f03b0c850a271d4bcee9591b332a884fccb6ec51f3b9363146d5cf918893fbdb78fef806181aa9f09c7f5e36cbca52500c85eb93bb84ad292363a6ce87e43145257b9df6a1f1db5574d3d7c6207da286105e92a3e0094f480a8db3e87a5c289525b0d18a7ee8bec7c13fbf923b9a14df4a66c55ddc68fc8f0ef2091f81d1296f8d4b278458c73ebc3d1fbb9b7ab138e9231986e9c9b83a599a2b399de243dc822196dc57e5ecd43f545233147f66fbed7451a4cfc4bc8faf720fe69efe335009d80543e22f3a898dcef26855bc86867f00d3556addffb5007c032640ba8b1cdd04d78405e2f2a2c213ef2c45b5ea711097753c15f028d4324a0fed31d7ad879302e9260601d03c9781f884cf858be31a49a55aef51955e1433036200ff55226227d991b8246d22e2e3a82ed9c54704b6fa8997bcd25451a2da4f92aef78a3e3a129a85cb076be89a5ae79f1081782f83f0044b76ae068c4860b5f315e3537b3ce24357402b18fa4c188f1a782775a8c16efb6bc868bd027fe79df5574df476357f3a00ab05894500c9964b14980983ea9e028b4b19951d25210d77a8c2513eec92856fbf402349a234944842063ad3cd2de842b14e016c13bd1ba0647f0c6cdf76be52b58504ce9b7725bd7b6c447060e949486ee3da6d9dc34ceeb2b79148a088a8abb7363fe3c25e96ab74970814f86a8f6392ad956dac9150ccf6b27e410c885053e313f5c9da25f52515f5b93bc4d592823063f84cf3d21404d4d6fed52025f3b653b82a3a273e9bb90f441998fac441e577ceaada944bbb1671e8f33b8dc3c19764b64485e0a7c095d0321a1c1388cdf7e4ca2a4f2a7ed49b6018550d2fbefc89559dbb525b31b9c136406ba347e3cea54af9515a3111d820931c234111c0570183e302ad9eef35d4c111904472cb5addbc2fb2a268747064d2f8c94eb9563bf93d4ce4fa91f908c3a81674d74f4b35394fc88f6b542fe87cc2ae3edff98e0f62c1aa0cc92d536cadec0e83eba7364c0c2f1e8193dd9d70454f4c95a3fdac00dda1362286aaad8ed86973e07a7bba0f92657f60997ded88248dc8738a468f36e7597f71d4b1fec4653c6dae5bc56e3d10289fa3a53bda1c84234945c303da1974a17aed860be63a69c16b5d7de6038b6e94437d3aa63a54dc639a60f69dd24857d86a617cfe837800cc6c5a03d3030fd7879d9a76cfe094f27d7db9bd2f0caed3f9b506c1d112f39410ec0b6f46d509ebeaeafbdf956e93cab08b62dddb118586d9b81c443dd930b1e5da20ea4b9b5803d3d834a577ee71e4cc5b4fca671d5125d528084cfd500380f64b284d3ebda1a2a733d92d6b47fc2ea6fb91b1c98292756468c2db73d33a60a43847003ee4e9c7cb7eac7cb0cb48b3ebd074c96ad146e711a863926d73d884dd48d0703200275be7365347b7a81527aabaa2dd1cf119ced298c902de0235ca3ac89c40b83ed1f8255aeb9581cdaf28e448ca8dd283b0e2a53d6e3f1c619787f067c9b6ac5d1288688be87b4948d4fd2152a40df68eaf4294c4273f893cd5d9737bbf59512d35eaf56dc80e0e4f406eb34abd669c2366f2eb8d5764acb515aae836b98e82c18eef37f1f1fa93e527d87b1fc13b853a9b5da40525131e2117931eda246d921d06fd457492b09ff8ffb2aad915aebe0d32ccca186e254d38845216d6676343250535f00f6722cbd1eb73a94b4857fc3b36f7406296345f1509226f12aed9959837ed7ec5b303ed5c03cd7cd78968c095e66dbade1c4b5bf69019d58c14f794c5bef306c44acc06dde8ab8d969789d67df964a8cc30e540b07bbd4e1f91e218422a699761f41d32b68f0878699895cec791a392222418e8ee7b8b27683471c42e8fe00126c14bcc9ca6e6c4861bc762ad2ac3be8b028328d8214e6101dd1fb8062114b1f56da52d015163a1e705f5e898148f6a77428a0cc2b48cdc61a672d4d9438f928f22934eb94948f43df9cd58ac36306a2577fde0ce5ee933c88da73f10992f91114fcb5d62fd7b2d7fc0c23fda74df67a6f1914407f9bc1ef4ecf8a1cde4ca6a549f3e05e23af1dfd083966ff2090efaf6c14845cf660c6fa4ba8f2cf62711e23c322b92f2efc9bdc1e079fb2b1f01958b09f0dd2e1de9a79db1d50428a9ca45ef739429dddb6c6515468c04f5eb841b1f11481c1a6edee6a5e3c6377810a0a871f99c2d3cdf22b8dfc16b74aac79ec25a3d77e06d272340bf69d78ab89f6d124eaee4d431a2675b9c319f530b05a18864c93ebfa521842f94f65dc799f911fa01c2ba3b3dffcc0903eeea10d1c4f3bd7b083ba762db8c2c3e37be24ca8039ea461cc447abfb98d596ef88f685bbe8bd00ce4ef4e63139b0bdf4961a7b349ebc42a0c146c5bb804be7c68435ee532df3c850c8f8234c60f6ecc921ef65c57a4d3fb4ffd08466bd06cc6b892c18b0c047c1b93bf32b8d2338995f1657eee140f0ecf1652d7d97e11c20e04fc9c843cb27074f405caa95fe93d23f7296f2285486384b99f9dcd0b8c2cd4c7fe236f563d2b414c0ccbe3fe242dc7899b11a3bdb838241ed1a078e082a3f0dd0017e7f51033ea648b1366f3e3557a966f3ac983654855e2ac3e43aa40ada283a6d71164a3b3e8a0adb745b77e37093c655020e1c75d330c00c9840af2ac72ecccbc0fe91ee3af7036ab6fb3deb9af5f73c4b4b5c65a1883af2267b43f5b4d3f685c66e226c1e6f05b2b33713010a18a3a78665bd1f8e4c9adbabccf5bfcc755743453ef319bed5c99978042c9229078e8a57030523517d8dda4986ee57fcd2a1ba03f52fe18fb9b1c29511331ead4f30527f98535f6a5507f53c6471612256a7c29e1f4b6678eae2238c66dba9a9c81f5052e7e4ec76c2acb34a25b36e64a46f5d0bc1800b77c98f91e398ffadafc5fe3dc6f15fb871e21ab307b01fb2d672e89bba1926c254ca97ac8013edbce4be2ad62890518d456a494b91002d0015d1a48212be2dc15e763b48d1dde231ccaf2c53073b6c39bec2b3e8b6e0b09d3a0c98cc4086192b971b4cda7b7737550e8d6634dc619713d7c7244049d9b41dacf67aa1f3da0db6a32978a81959bc036f8c5eaf153380611af34337551a82bf42a96bbead37fe21d8bcfc4ffd2ffc9aa61a3cf14c573904ec79110799440d30710328604f5ab0803b8d14e0b5d5a32c9fbb076c3a4ddf75fe43f16dbe3de6d9fe2635c60e5845542da959ee2676252f55c86123072ccb9e173a31a7ef0cb2b3702dfe0da380dbbd4d3fcac00fbb2ca0378693d512761ebfb077aa1408a09fcc1938e206ee87391171bde546302ae8a911fccac77cfb1a13c3b9f8053461300e9d2477e329f3c768dc95b6f3d18f940f3f886896aa7734560cf86008198a90af8e3c8163486b1e104e8f9f6228a9238d15d3bda2f81c19ab7d7435546873916652ee9ed4b43d64d5ca20785aaf880f0bb713fa273a2a2e8304cded6ce2bd64862b99f9cfc55f7ebefb15deb782dd0e0343190e6dbcc9adc152a8b99480ac4ab3c962e5fdffde4563fbefe3c7f2c72fa826784f63ababb06218768f4b6c09cb68008630cdda6cb9ede503f6b494d14ef0e2a1cdcc3bcb77c390c884f5bb2c25e194bd0bb651fa468a63e0d3a9bc0baedbcb0ea84500b8b43d2acb1a1456fe131972e93097ca42679e69723a3f254bbf4d0b498b519f41e6a37689a321bab19c0affc9bf68e6c861830ea5ed846c101ad9c6bc84dadb1ed03e3b7949011994fdf8a3aed564683a72bc2f9c9a53a1093840657c7a5854a8238ff269329722386bf9fffe7f77cc2eee6e660510b568563076248db4b77505baaa30036c195acc8824dd5ba61cd567eb8d094006cf4ac4ff213557fcf0fb21892d71af0e85a8437a380febd54ef3d5e544ecaf83250bc80159412fa7b25f86f21d3b10202d91a6d4dcaea11a334db952638b911e9895180d3af45f3555f15addc4e1283b5bcf2780819a5e607af429ed50709d087225b7c6dc0bd1be480d9b0f230384e86cfdc94c1feee37ef79fb148efba4fbbcfe9fa1aa2d48a557ad5a9b865e26aeff87d0c15bd73410f99b9e496145cc077d997dfe0e1d360ecb695b25688cd305ddc912ed38af7c4ba286bb6dc1d6df64958bc4635357f3773f7ea76fa3323c9a092f430c55179578368ef9dc9954de7af72c20ad17df6cac5ec72d632a2286e0a55269854ddaaac70eeab3c7e974fe6f73da8fecbc7bd45f2508419cdf87569481059db747d6dc6bb356c0931d7bd0111272ecbd0801bcd9ecd6b0d7152b921f3eba8ad2e6437d0045bffc45cbc3da37adfa5a0b29be0a8c8546d7c4c6721790df155f9ae38c4ee2f0aa56009c8eabfefce38dd3ad39a98bc1d34a1fb3ff93a21892e706b803ef1cfae2652ff0b12e74ceb341d7172882e571aa350236156498b17c9b5621b3905482fd78f979d69e91f74d9bbfd086f310d3b6521b826dcd1c622f5bdc185aeef174eb0dc4cca6990ea09e83ffa9e99a009cae11fe406e8880a9046df5fb81ebfdf4e3a421553b56e08c5eeb38dd09af4a912aac641301ef1095a245e15d137a633acb4e469315805e2766531722b8a2f875bfd8b6aaa0098e810c296e77f6682aa6a8b06c5ed850fcce929921be9f9d81f1fed8f993430efa8335f8ac5d08e8b355afc597be757c9d76c31e92352f1fc877961aa7e8ccfa9bcc5ac3dc59ff796b59dbc58f945a7283848b6552ae380b1df1a3c3e9d8b67e9458811b3053abf6fe7bff329e6e7df7c6f3d513fc9bcbfe6b42f2528602a1b4314ee9218fa1013a25194d405b3aef274d2203fd6f0567a7e5b498aa55478c5a544eeac6a3d9756cfbc0165427238b3d553ebdabc99dd575d3724d9c00f405f41fdd7d3244fd9820897a97c3a0fae469447f48a61822432643aa4e7f2a7f7be956675d1f460f111aa9e630730da9e0096caa13a054fe932146cc95f1b6d2671a5d2739538cc69f03457e302d998d89059e1a45707cc66a6ea8a94e17539e9a735a2c129fee395317d30feada724e72bd0527a3e30f8bc9b4477b8312efb9445622f0df496b6ce0f62db32b5e041be73b6d765c477f572e5f9e739a77a417ebeff4892243ac288aa3bf74b236e064a9c89106453e24311084e3d42cd748ca009d35817da8f93f18cb442a3e381d49ddd9622ca8f54a4eac8dbf6cf01106cd51800663829ee0fb534997900b9847e3f38a5637dbbd73dd83012ece0b350826b62e56e726c464cd8cf26fb5d77c8cb22379c2d21f54496d807d9234af9af9b65e7d1bc11b9fc7cbb398a9402347f8001d0de1a3031df0cc0322ed5f384bf57b76fc6b9c05f0b8aeec849632da59be5c6c75bbfbaa39fd76619f9ff3902e6d07160aaea2883b6bfeb267628b4d6f6d8ff47affb8174a7cf8e99ea9fdbc4fed743d8253a86d854123062dee12c9caa6053aa37d8844f76c230fd86ced8be208a52476bd7a9fcbbe76c05805462307d67d67e7be872244014cc50c94bd4cacca2473a44bc6fff19b2c1ac4da9299c396be479e13f99f10dd285fe143db45e621e94479a6bcf0854e4ac717e79b3180a56140d50492c8d44c1907713b3b54f571fe6287e2d7530b111fd4817c2d01aaa3861e7d212bfa225f2fcbf73462075d7f2e6654c7acf3aef64ba7a697df740ad4e9ddac9f1ebe8aa42f73994c41eb788f855a715bcb69a6f66538fee204b4606e81b8cc3b2947cf8d8d24bff7e3ceda4ec3508c53392def369596eb1937b7302952715a8af748a05dae24f512b10b78eee9784be25dd85d598e129284d971caf8cd7daa2c6648c183d4454df984047f9d0d2097cab7dbd1bd0b2754569c1b257092aac39103ea1c9229e46901535e77a570f0c214d026117d5464991c7f97bffa3ce179cbefaa0f7d65e0613f5ea5897dda14698ef3430a7dbd1f8c956f3949010925b1ef020370dc7ca9658b8213d6979151355e26d675fcd7bcc6e5ee72355a1ac6f38e2716773d21a4b856a8044974a32454ff9fd3f46278fb1021739b25a75d07c88170a13efda2d8671288f17bd82669e40f21bc9f86f8780b2958da335b820fb1a93689dd84796766cded39bd8725af0eb361eeac9c1a7f9475ce605a8c713d135e728d775db713291fc9d1b0e687cf8c1ba696106c1146cd3635f904780cf65aeee57ac82a5cb000f2bc2566456fcae946325600707059db7fd3dec2db0983dc9375f0d8471eabc748e6cb882d869d5865193e561a449147f44fc2cb069aebf07a2b1ba30966f20d97d8ce843337bf35213874ec328392cf7408284c8fb77e92f1d2eaaf2e8c968b7a205142ee267fe32c8fcdc2e69dd5aeacaf89e953ff790fbc816bd7c2c2e45183329a3c59cebe12ba8d19b1a358e67f4bf06c9b07bb41384d9eafb11cc1593feb6759bc0febd6ad8571f5ef88c4bac003430897dc19fb6d77d8f609b88d6ab4467e4e4b31bd0af289fc429afc58fbe394ce97dd44a5a3d03aae844ddb6711b4f67d2bdf88f3c604bf522184c2055daa0893d4a699c4336eabda303b3fdfaa930e22ae8989d37d5226588c712e635b9204a61d93e7fd3b06128e01e48e943050be4eae2d852c95d615c065276edd09c5ffff17f4da9ee0274faeba9c043f39a3f9ffc7b1b57fe5ce4d538974311cf876e708a2c752b0e1ec9c69f9f8c177d08b547888c659af4f4849cda3a8bb55e1ec279545c2d498e911e617ab5febcb06d7020a262f5944c18de0e392e82c265b00d11bf194793b478a02649c961784b925ddf07aea751b24d02c91a92d6f3c4eeeaf25b05bc5359dc6b088e1d26c322a45421619a0282d4e59944d4ef2e0755350a2b8b3a866f7b198199f7380bca110528c99170c8168f9a26f0da2e6c5d778332791a3d33d90bc487561911e269b6c6f33fa0eadcc02a943906779b734b8ead4ebe855090c98852788af3510eb95c928803e64a4b9970cef67003a9dfe0e28a61f1ea93b9ec240f449a338c2de8107298ed1b0fd7ba92bfccde6bf26ad4b0c70d9f30440beacdad4b3c81cb4d1e21ceb330c6ee8361d99281ef36a6a681a53505f333a64cfdd8ce2be3aa6ebc7661d29d3f31e724871f14f2a256dc6a47c13fb27c5d62dca45353cb9fb879c4e1e33f2d89fa025cc387068c37650ce1aa9542d2e063c09a2f4ae16a31640d7b905c7c80f00679f814518c9557e4bc87042e1d6f4ccff6d9fa13d0bdaff2510b5c4c6d7833df50d76250a6b25335117d8a3205b42f8341ec7c3a047401fbfbfa71f17639a804eb2be133e41ba6b511ae3e05b6fb33c91ebc6c870201c867131449e6d30523a3486c7168a0e23cb4a3268e6795ef6181ca84a5c67479eec4e160510c21f234afe322e65c700476a27fac73b2c0fbc627749c2af18d6d7fe21ff0558de1b92877c8d133bfe002c3f394a172c75219251a056e67223acb620d7f9fe996b119f0d60c09165b3a1a3236114c9d12b1c29eae7f911299940fee5c17205de200dfbee768cadb013838f4270b8b847951afb7b67f2d5ae240cd2bc6f1146eb35a9a6b7cc96b9f13cf7e346bffc2d9af2ef5e55c23b386a56ffe101dd3694771ae3e01bfc59b2602e1dee6de8513611c497f374d26e48bdaf0cd0c1c9689c92c9fe4cbde3aa3aec93ccd8ea4c2efcf50ec6894bdb14e75cd9eeca9b3ebd4c0d269e85cddcb9191521056e6a7951a698ef10e906e29a7e79aea4ae974b07d3793905f70e249d1044ffd75441d213ed7d44e9b1c71e3bc2ebad3d61d8894d9534ab5f0acb10444c6bf3a83e50b555b8f02cca04e7918825986386b0615024e0e155f560f6f659eef2618badf0bed607273f8a304848ff83d159fd44dbe54096d0fabaedd9e863a33d266726bd0b6fbd124ef900ff2e34388784c64babf6429bd533c9276a639d106fd643ff3d27d82c993b94dce11b9c7345d3fb328a3187624ac4c6e27dc70bad29ba81244ec782b3a77241a8b748c69ee79ce718760937706a049d3793999ea7b82672832190e311f0c0f70589c7859ee80236e319c10634c4be1dc6f0eb5c5900262e6c1564af002ee31a6a853a7b5a5620fc05937b2e166d70724dde1358bf89e4d4d7ffae23aaf4d57bfe2c2deb60b08b40f71400793304e1df69ff7add4f002c67a9b2f26c2ef0a35e9b9bb7d60cbc8c102eaf82faf425207f04386e599fafa78751fa94b90b593f4c0e7c9e40b65539ff77fb06c3e6c94763d52f7a77654bd2a0676bd5ac7cc2e0b71d6422ab13bb14fd6648bc11c89b2ee0807d8c42703688b00685f60e6e10f7c51bc7c04910331b8c64d636257198abdba13da1ac0127e7761e949ffa588e66edb0ca76d934476ab866e6c1cd60d3b56e301f43f676b26a2c2a892fc17f0585ff199e866f4cccc5f92ff232d7ce479a66afd2208076dbe0e67da315eea126b41d72892c23c7afff07304a4cf8261a11c43666deeddc89740f69ede4b140da0563e71f4d5c166f95b496a1674bb673f22139e1d667d8f47d642a4343fd6f41ca6a2a4513623929eef703e7703f79558f292b7854d0eb2ec2fb7ba7012993e3360986e6d3edd24e54551e9d026732445f375a321aae85b52d8e40490ff3412ab2f82af46b3d6213883479f0b96be02721ea832da96f160663524d1c9d7501f56633c81206b1dbd4bd381256a9d6efc40557bb1121af3c72bec97c22ad3e4db023dc23ea3c257e5b242b5204d435ca534853c6992d19165aae917572567ee0aeccb56d5e547b7dfb79b6d821cbca97b2cfac697c3c96df2210c43756cb5f710adb7747ca6e93c64ad61270af2a783965ec969a3a95da4d81312456f7ccffa0985cba7b7e2d7cd478718c857325541c44783df781bef4143de219d52785793c766bf7ab00667450da2a607deb4a77c12d5e915b15a26d625f585b0c6896716d5c6ffaaf66f3af270c2ac78ef6d61796045684e89a3f9376b6222b54cdc1ac5c08c05d63871e7a5f10f524a341c242f8230a1cf8a4d1ba3d8e7a31e76b5ce85c8485bd853a03b52ca3179202cf16929a22746a6c366ba561825b0f33a710b4302e1014d45952d804767235c483e593079413f80b9e61a27050fc8c9727b050f7ab0b65b8e94440d42a5715da32831e1a0f8e4d33faa1c5b205ac7f3bce2f3ada8e77ea742ac64dc9fbaf749b6e7c3cf81de57db4e97770bbadc1f5a710a982069f539d611113c921b739970a17c52cd255068cdabf74a32f3fa59c16b435a45aa14491dc7ef00bc1da37110b08ff54c1d6dc1ac9cb81dd5030c0a70393daeb9d754bd01b88396a1d626688a55861bd8c7f20a5608d53cf399b1b94b573a816f29c683da435f656020b6ab9ccbc1877204e2af93f39eff66edc742068e63f3283c38d35620c060ae32c857e1958abd53debaeb135d90befe3ee9e923a04f8aa76d12cfb513f233df4b5d879ac350f42f98f656a46ee08d78e3204b37ed37727beba8d3eed77dbc3b5f985757c5092917819958e9262585b47387da53178a785138042576039ab7c996f3ebfd6e4a41ffee0e632fc95d902bf88c42c9648acc9ed1bf90967f10ef5cbe0d913f97b4574d64ef31a368e2a2a24d049af096096a5da9f0b74eb2f3bf29fa8f57dbee17fcc562a4dad0e1914cf2ed19e6e68d768705e9d4d24e5385f4827274331572d0b14518a0ce50bb06286eb4e86bc7f71570155e83a9c248e0a2848aa28a107dac8c45b6ada5fbe622a0b94e42440e0513654ed8b46d5faa5ae3fd1993df20bb25d005fe254e94a0479686a3c8792e7b0c91832ade55e17298933fb0eb62c88111b8faecc55149591d399f316e12c476de26b4ab9edc8f2656968e88456a8f441156f4ac8d786e2be311852302a6ce1d938ee16fed71ac9961785fe5ecb8075480a42a788ebae8dcbdf0dfff47e7166e699d54d0ff4ba8c4e6dde7831bd88af7cdcb45e011405a7c9937f46c86c703aa9cc3d1fe1b4ac047bcfff547ce523e28d7eb0b469ed3e6e8cf4edf84b28304bed1b595bce15c2d8d466decadd453adde513608e441a020d5ca81af5e81cea4100b011b3a4276df61e7a843e25e590d4459e2a565c74155c99323967ed473f563c7f23659ffcb6ddaf6debe5cbf63048dfa6f72acaa510a07b83fe7091414185e69dfb76aab27071846e97cbd0c42deb486d5598525246eb6bf8c2cf17a26ca031280e2c1609f94a8ce7d5a55ecfaee95fe502ba75b22c02e15cd8455da4be8e34749933d8fd3a92e8c91545d8ae44c48caf76dac5af0cf4d585fb739cf006846ef28013d4833ceeb108d3c3d76e2ba675299264b3793aa99426fc117de43c5b26a39a6fec3f017c828c4878cb3de9c1cd3b4557b470470e5dd61638d222169b89129231f7c04d771a098e5d360afe15f00d1a3941001157b2d725668f09db8389ae017b884d82f31c5274fbcffb156687758760a7bf5efc21489f5588d5eff16aea78c961d16044978cd1e15d6b0520d509d64eb34d0acff27e9bbc843a5f07b050049478ee8b4800c3aa25b3c3986f90faee858390bd21d40a5ae5518d449f4349c33ed2ef77d4f594416df8b8aa4769f583790675c85b74977bbaca9eb0001fb4d38d004aadd2b1212d71824faf70eb35d37b88c1483e0c513351cc6a96f48da5e123bf23c7357d0881092ac97917a0fda04d68e919cdc14bfce9a504b59988e0744c527c6ca012fc0e806725d97e7196ed63467221bfae9bde78a3371ec3fabc52432ecf3add26e2d5740453975fa6ccba1a1ca64e1856280983dca770e5aec55a292dfc8d60c59150572417b9585f3d0d028f8ef54b879b983c673f36bf33c495691554c3dacb219d1b3aabb77c701a9fe2b79f3fec3985841c098db7f33c2f64a4637526df36d0497901bf17441b11df49af7afce7f11bb992429e049920a2ae93adf187dc9b584980cbe262893d6da020b3e84b11062ffb2eb4370fe7c68c5b2375bc5377c95f7d47b1fbe790a617df9d3311eb2855b091bfb3c4d5960ee7ab7e2ef833ccada31d0415fa56de62e33d3476050f322e40d898ab966aaa3faf29b7576233a5b597f05ab953ee157e8a9ae9ff7e7f4efcea426b2426b40df20ac9c56080050a88c4e0b627e7fcab72709618f23bc30f63215671650ad7055126df8e9d5894ff2129ebe0f2074ee60f412a0ea368a62186c1a2ce3c6173dffbfaadf941910a77d8d013637a510103fb781b4ad95c6320b1e259703e5147418e024b97a304175af6c7e2ba2708a2a7005768a6a475cdd8b65c37d882dd42a1f31c8c6797316d19396616888e57058c0fa70356520ceda8253badd156bad4cc74b63702f1132ce29dd711599ab957e4f09cda0f71808c45f6651c0282100398e0abab578cbe5aebebffd544824c336691fc6c2f0feb1907d708896e915999992725221023edd905c66fadd05156ddd39fc228302d1fbda83d3052bbf96a530ec951189b34ac51306f2a5cc4bbd4979f43c6855187a9bf115cbb15ad21bedc8a505493553bb9704118e52a803bde217803f2734877b625564b1d1390e5a7a0d7c6838d7c8a0f09b81e954209f315dfe476e95ef36c6350b913b748b69b9914fbbf4dbc4919133a890286565dc3d5b1ed0d491c673df11d6e82ff4bbe6298ee516d5a8096a332d6936906b35cf03b36a2df001f1cf58c7df5b4d1a37ec8c4163850a41019aa15e7b9cac356e87d0d3744e71498eea23100656721f41be651ac941355403e84975fc2163fde1ec199541ea9c0f45ad189a64b07a49218e387e553083f8f1a2096c8b55f21895451f4e3d607c845d5f86fffe034c29e6207603da460fbe69eec80968707ba7804b6e0fafa25a8ef4cac1fd4a7e000e90f89906aa586ee45b34aba766db57abf2ba7779c3e6d8e88095b4aec9f81f07ed616a58860282da9cbaaab5cdaee3b77cde4d3bc1f61616d8cfb095d05a360016630a723d2ee3fafbf74716ed97df36e709e9744876b5665ae84dd239daa58f7bc689bdb0214ecd7bac0d1f13e986ee03dc5b07efd92986924fe49535c550bd4efbd631b319d8cfa60ad000456c5c8351dd0c9c812b16cefea750d35989b2333953ac54ec64733ab3bf3b98bf62d4adc1c2389f9aceb7cfbe5b3526f161e4e1860fb043a483b36278c8c3fa2dfb21d2d216fe813f4fb0c96e1270e3feef00df3df0f25c0578c3eca37e925519cb8451b381b5f452e403b0a571e78c68cec23bcfa14b978dba5d0007b0a060bc0a6b6446c5bbcf6fba1f31d549f63c24e753ee851854110c463909facf7354fb30e2fc1cf2cf4782823505dd6ea6853990b40f7703738e186707afca1384d39cd30ff25bc3ac7476698739137683483cb9593a18f2e7a2195dbffaba168f51f3b82d4d9339a8914dff488354f71e6283c5bacffc5e5668745811f15f334080272f29715c8059c47911bfc8066c4feb9180d0e7ed1b6e5c4885f6db509feaf96381ef281f66aebb35b0f639be82d10280df678083eb412da66076c139f1789e5d91dd2aa099c31a719485a521d190a3556b1559cf5e5862064990c2540f70ec709b147f670ec4669a76b252d6c68e98ab9bead60028ac8f3598381798fee7e3bddccca417e9469d8219b9a2bd104b052126539ce27f44110ff3b310e3eeb6719226fff933a456817178ca865981bf6158475ad91c8306a98d9240aee4a5781ef5b548444ad513232062e5fc6a9c10cf41acd1a0fae4ca46cce55de26dbf1dfa1394555bf4907cbb88f23640906ec5595a12c00abefd823ea3c0c9e53dffacdc01678d379e399a285e9a6eeab11fd920da5d3f3fd4570296f35d1cabbf4d833d8370c7b7f1d68fa6c30dec51c3ae6224d419016aee99146eec748e71e5bba1f4ec07bd6b5ceef330f6cff719012e86be63be5f1c2676cb86345a543bb001e1e60fa1fe7726cbfae98d2d088f79b4e2ca7632de4dc31363b0cb1db17612126f3e0b7039bc9848b8375dfd67f672ce15e94592ce52b3d83ceb11457c226b711a6900430925a3d1007360c0bd113354c2a56092f62dea25f06c0a45657df4ebd6c93ceca91e6ad287698d9142e610dc31e0edc7e117e5967ca0dd7d72edbd1b0cccc9bd012866b6b42a00ec27332c53fb42d17782ea7448a188f1b1fc310003b3c08a4d0edd0d8e4514c0e8c6a743e484e67cc567043b11b7a28f664a390e35e375f3ea5f9af370db89008a9620124295bff6dcaad0aad978a90483089668530055ed01669494973a525e2507e368f41e35caa6c7a9b9a347678918c1464c51aeaded8d2fabac704b3497e4126aa80ffd8366d089eb829528436f8408691f64ae564c555afdb471ce9971c1476ff8e314e01d6300cd97e9666ea7d4ce91e7fb6c738b12cd6eec86f2ae8fa6faae03fc147fd4259cd8840c4316ccf1831120a441334075126d3cbe9c9ae2bc984c348384826527b2b9370751ccf1c5b8dbd508bfefcdaa7c09012c240eba8710200df8102df31d49e397bad7c41db3fd0b11e2d58d69c160b68edada2301cc4855b2bf751c07d5162b601427d2a70187bb4ccbf38a9bb509b1e95e34d8157552a4d51f052512c58b5a8fbdc7987e6e6d03ef303cb9544c28af612794f1ab3ac399053dac5a78ad0c159226c5de13280a45e315d02f9d57de65e343cba601e7f372562572890b2ccd0402bf174e91a49fd1a82b4d70f42e887bb2124beb514bd5dc178189826f5dc04996c8d0ab1e00333d1baad800e7dace5dac9b1a6d3e9eeddfb06eb9d021da3ee3e5b80d36f8e3e2babfe5e21411d29cc3a47ee5c033c5810cc6036eb7761ec2d570907f57a89432aa5ea3b18002aed45af1ff4eafba69bc2ba9fae1f5828c0d2fe13e17454436b98b9128612070fc42fdb4a83e3884dad5206fe49836206fff5aec8f36e468673a4d419988b1f8b0e370fde77db563e9f798977eacd1428cdcff4855ff025588630fbfd1dbdee213edf20143e7d87495919967da730e20d7369cf812a096a3a77bc3acc8fe2697778a1993e73b96b6e9cf5e2a680c4cf5045c19779af65b0c4c2101b8499b66635ac7b074de4827c937d4b2144deb344daf0f33552acb406e59e24e3f17e76683c5f264d0c12b3ed015e39c2129d0a2a7bf748800f3f29375ffe53a215f1ca76d4185eb6430fca52b1b4e8abaad6948f49bbe2f58ccb255444c2ea0617459bb1cd11c77573f29e128fff42b9d7383dee3036c7c34685de68488fba427066e6d184feaf9b6e3dca6ec4ee4bd87b59845461dc4c70a07befb2a17fbf5c4b127d8bb32cd2c09792a29a100b37ec0d62bedd9ab6a2a884fa47f7b2cb5dc91475e6a8bbe95de2b7c54b99975b86107d00fceec3bf785acd908059c71a0b37c4d57ecdf918dc567c235a252fc0d3e7311d5060bbda2fa2dcbb9e2a84ea50c2a1de298020eb63567bc730bc06ee0f610cd7ebe3bfea5477e4c76b686263bb3e240f73f80764e605aea1c767b31e2f77beb6250139feb949ba6af4e56ea5bd6b201596dfa861567cbdc9a048b79724b5f93d817c42a45989a7b7f8e49baecf6b5f81e5d778d17604194a803912a184631eaf6c918ed1aa34037ea37f15c2d1fd675847ba9b16119074ec58c856258ac12d0e680474723d0a1b41ad59adef9949369d9ba17e2d16935efc7f2c0bb24b1f933689df77e183dbc78d0d2bdd3bb021282562e9cae066c19c6ff6ed937586fc7834ce0f688ee770c42c1a8f042f1599968f080cb3f29bc2deb019cd061a210980483884cdeec6a54aeb69e198d394ec80bd3cdb6ff2e90e19b711dcc9fe73c7ac6ef3524eefe0e9b56ced894237ea0d7fc9c50d219e0b69b6624fb5c27bf938e655f2816b70336830b70c01df6f58fb07a0209d79da97f7bc73d56381648863ebe5e4e72469f8d02c227a640bc7b2a84fb0a3b628beaca66e29338c62e6cf134a13c5c0c76b06c9b1cd5166d8368575e19418a9f0b41eb646b66ca5de4f85e39b7183c2b2e39621d09e24b7c6a9c7a0b2f7843d1cd2288019e5935f0d959b431fca2ce45c6122a25f8451c3eff5b863652fe856f03e56f7ce669f9c2b20f4885a6514932091a3ad467ad73e7c4db7f7635f05520d172a55ae8e9bde7d4f0790f31ae469e9ff633b3dcd63bb4cc5776c1cfdd3ebb19faf5d37ec857aecd0c0a14f3f9ad791119a6e0861afc4a827c8873d9316af3babd298ae000584e4c947670e7cb888cd9af9d9fa36bb17cfcdb2be0e6423eb9948c7b08b8add3bc1b2578a185701db77a87c74b25a9d5a4dd1262942156504d288bf74975dde80531a29be7f3b9362a17d36916ed99295f01d25f423be0bcd24ae71b56b7835048407ae432c079551a7a9fdd9203b9bda4a9bbaa6f932512b23086053eb70e6db4feb5fc1dd3474c6e2755cd03812ca2f0ddd01fbc505a2a4b6d3653cede0bd63657358d713d2c076279a72597671e6b45ffc1d5ce0a11fb0a9312218999f432e64070ee505cc637ac54b2246975be748cd17983d2e8ebc63960093c238bcfa6f6d98e50ba2a5dd4acc357b77eb441862b59df2e8c7b12865b7f8d336deff4e42392e2340bc0ba27f3e221c96c4c98f09b3fa62def716896b7b685cd78a1304c131f1d7320646e9f0da60ee129bf56b760f569fd847553270ce60b6962bc4376758c099d3983667b3f4b37175e085e621b73d28a8884448b501ace6ecf3be8f5410e9560c4a153f773e5816a16d77791474dc02b5e44ca40f2b3fa0ba4cf69e1d3ed3ffa58bdd1976941cd88c7665d5f1a20293ae7281eb9c858f1ccafa6b9e2d16ddf14b0e8bc56910bd9c170a3f46969aeae83a6c2b7bb02b4651b90fe316c404e5e0b8cd6363d2933f53f2b6be570ad72ca7c0dd8909804deecc3b2c2abaf5dd695bb8085a7318c4b9a3f3468980e96526fb4b3a8bfbcd89232d4ade8ae14383aa254c4edc4448f75ba51ab1b63ecb8ff02587a0c25eb0976878ca245fa70d58bb8a56f9dc7f726adea49aa5eecf5087a85df330d9329b9089be25fe216f5746cff8ee17e22dc48268cfbff7db88df8f2048d666aee5a25fc64b2076e509cbeafea5362540cc154ffb85e022aed55f22c3a865706d00d8bf0508a12c4ab33bc7cc661b0de5281cb8a8b35215ea50ecee65fc42baf1e2ebfe549070e954e5280cccc113ea06e48c1abb208ba48c018e4b3bd214091958ea188273078f3f43ca9d482d1541027d235a291f72f5abbd6160be8bd9ea1e8e87daf3933e629d99a6f536ee85f4514fecf6a9be044df65ac8d2de6420bdaaff29ec2af590d304ede55cbefd0f1dfa012368fc7da4bcc43f4040a00606ed6e8cee7a1a733fb9f4e4a3d39dd62a53043c23fcb9ae0f260ca77525f1f8b9e4b53f1572fea0dd579f5d3de96cb300990d24ffd00c01a96a168425f538b7c0a04048e4bc559fadbf461dc10eb26105e1092e23c57b5c0fe906efbdc64cdd9d4daeab477eabd30ff426700650faf5aeab5a5edb39ad18a49697c1c29166a4ae704056f67d6f3fdf174d52a9ad8738947822a5d69f70c971f5d0759d663575495732bbe53900a7144934e11278a1471c29489196422e23e07f0954b8a7a0fe1262e611a962fae36c6893c8fc35606416b7049523a3b27f0aa3378e3ca888e56006dfeed47b1274b870ec2470a6c32a72ab831310e7884100cf1a9a87d045f8693a99ab2c6abab58c87d38943262059d36951401f2ecd0c2afd11ffbccf7b5eb3b45d848911c8f5da3ae10185de80a9001457cd03cf15f1e667d789c263e5b7ee8b95dbad22fd56df344b5a07cf1a84059ce5884040616f5163fe12acb2343a01c740bac58c3d45816f9113487851a3d67acc211626234678fec377f7afadee2687def5ef65f8d316c506ef07918a55bb919d04d95f4c2f37ba9f2ce1c9f65e9e435dc4049dea903f57ff9c609c0c6c9a8924470ae1bfe1cac21e9303d52006b88a2a21519c4ad0502b32451c840ebc0bf78a02ca51164df957b980b76131a21f0799f093773423695e89609b08699bcf66ea6c08909c9d1945727b6fab78d7348c046d2c925a90d14013e538d0fe5a3a6cb7bc05558a2caa384535ea01b1fa44f2f8d91a13c20c6fc796b7f4f3bd00530504497a33d0cd43d194a9d36443a167ab1381ba2ec4a6c5ea54bde58161f4d5e88cb944a99fa113a4738c9ba8d520727328d3035ab3a0294648a1e549885f8d060363b67e3b4d6c8e17063839700a878bb9e29415c6009d185b00616462ad8733abddc5fb66a13e2d492be440494af5fbd982c12ffff9ee7ed7613b942bfb40a871818980fafa794546bc62ad79aab949356cc6b6b4cfd5f13324e3fdcbceb213e9055bffb4ef67e7ecf4d78229bd2d4c4e817f3991f66446a9632d3f99c61a41ac708f0341a61839d426c6d07db2f30221d0a50937b0e64d2684f311f394017d1d9bb05ab63a0fdb95cb8dd8cf10bc217d601f0039f6953e01416a4a66c8b248871b7dcd93ccb0a756d3607dd81e0733f3d9c58da7883e2ff6044f978fb64debbf2468436fc576df84dc8d2a7acb2f6f94b923fe5f2c29e62eb6b2bb02a98ac4b44801d166dd9d3a45047060a83c13ea8a8d747e7416874d8f9de5b9e3711edf59bdb1a906ac6775a11e64461c51391d0e5900c35246d5898851fafec54ee6da841ac3239f515dec9084146fce2dc38062370ec7c67c690b598e34b3504f24856a4c92e9fc2dcd98682ad390ebf1569008d86a53d2cbb46dd6f48561d7e54eca5027e1cc68c9b104738b2c239d380a7806b10d799480fd17d534c3d33c183c184a2cb165ea017305e02a5a1418ac1f2b9e6f37fb2b06664220b1509b95db08472447b2364d324d4fbeb8a39bec86cf4c381b93b1f0fc2a3907f1dbca18a885f29ffc69612bc1ceb0aa65b0c86fc3425159ebb6c2d3410589c5bdad8c85b437e72b990ead2b0a656e1b18b864b6469c829dce5cc3ddd6a534f239f72e61fb41173305c0444cb7e71bf66301285a4b1c326013eb7650cb97bc33879fc53af139c5d65203a06565eb491623f9d01f38c20fad887477c3c897a58d75ce9ccf5b33c6e318b64914320a811292c8a5bdd7dade67fe6158ea9a452899ca8e363e7325026eced4d1f510f9fe99bb35ceaccde1284d1256e1c657478966af1f581fdde17cfa903108740ec643d438e23c7df661728410e26534bff2a629c42726e3cbbf0830fa6eecea92ee5336f7337959c22757c8a481442cb279f7b2ebf73d6207c87cbcc71fd4570936ff60cec2597d0caba6c24505a011120ff4359e77a35c704060ec09466dfde31c9a5552967c9d41d6b5484b9947a4c04866b085631f2c688f249e1a9cef8f8d7dfb0752b6d04c682e34f0f89368cd8ae6de1f46fa90dea736dc56c9565b3bc6ab1c99c1b219916a60cd7ef95162cc8e4c19ffc9dffc79a9fc7658af59db546103dca9fed676d9e246be5458972a5f9b7f991ef74bac17dbb6349b18a867055210e747fe10aa877790335b6e922617ca9a825093b9fa1d92a765421135f5322343d70d7a1eee85e25d43b30857f784de191fd209eb328ca17bcbbe17f9df9201585bd0fd5413173a5bc7e09b4d41b89e00c448bc590b5ea78d787eaa70e90ddeb7ec83df0f94766c7fce2dca41b45555210c3424a1ff71b924f5d374aaf0a28417f01f8fb38f507c9bdfcf2404717363263d4ba5ee2b57a588fafcfa81e77af210071e542150a5fcb5c84032cc8cecbac784ede31ccf78d25ace31595abe299c3a9143cf0e6a5421f98fc70d8b2a9d404f70d9464d38cec8518c678da77c6d32fc6732b82d9642162c9945b47237b1fa96f516a12d37711afa7ac3149de3e147b676fd2020a6f7340e1747878ff8339d0e436fe6c44b9cc13d66865f0ef78c0313b1a54964d932e0a255eeb788f9bec9c9d14cdb17ee4ab8a9415c6a516b298e5f2bb19aaea809677fe3ca1f6fe379d82af2255f3493873c3cca96b46c4252b29d997f7d8b05d83fd0db8ad58b374054671d9ba3372e7257e9795e5ed2b6c21b98f54416601ef5d22ba906b5dadeaf952b40b446b6965a0f84ccd93e11ee0462b75c357f1f47ed7efc519f7d3fae99f3eac2f3169183576d78718f5f07249622ba2853b03d99db24781d1336fa6bd039916f30ba736bda9482e6990d7a890dbadaa5c36fc2ea79a57e99d800d54b3db698adec96d75affd23acbb4e1a402c52ef59e48cc717a9fa04fea72577c6b6dc825d6bcf8b1ff4e2e1064e09de3cabfdeb9a804220055b5fd8fbc60d7c1db86d81d137a8545dd822f57fb054792dd5bc1a673d02351f0d09076fd99f394b107a8287e23fd47c684c09b1bfc7287753589c071f0360abc0b1870983828db840dec34ed2d3977a99880a512ecc0cbbd5a842c7597ba91bd10cf9b9d82b6565694db3b6bfe3049ecc0719eeac0ff956de008f1fc3e095acdd1b6d76567267fca8d0526ff198f8a7dee7af67bfb0f674c8c51e06da102aa08f0d73ca63cd1135c79b72fef4cf4b0ae5300194c91be269cf0e729b0ffe34ac3e87573520b9d7feeed33f7264ab19a1a9002a07a9459e74f3d4dbdb7010de67d56b49a7afd816e90bd8db3e282649cea4cf96e8044cc15a607a85969a5cb62052047bdd8716cc7800a0f4f92ee515acf1e068af64907542e0d833f4fcca81b88f4afc99daf777f44d7f1b7bc14fd5ac30aca0a3a1136d775f9be1e259e43a33efa92d8e2a38b6bbb1344cd3058b581a77e497ef6f747206887219eda379212aa893bd693ca74b98a8624567950afa8dc75b910f707d4227fe5f407ec06add953544054680a30e30e460afb165b739ce10a0d806d1ad369d17c2a9fa67ca49463bdbf5581518646a8a1f46e7c10d9311c5fd9519a040e88d67812ad7306ad13a6817fa91f016b9cd6321c28ddf7b57aa4d36c414d901d8b8350a4902da56af888988c543ff8d30881432710b0cd93913eebce252ada04a504b277b50793bffe780ec51681b73f38e6e098178a2319373c9aa32e57e5ecf5d53be5b41302b13cd4749ca062f71f5391e4a6302ce6a4021a5a2e7a7d7e537a4472cc90ff898577f9635ab57d918ea1443d1e94db1d4f42f16c0bf7b88086552a99ccecd153580b37a40d05dfceb922a740a435195f7d7095d9e136dbdb5c51154c2d98269ca29f796cecb7aaea9b8629280d722aea4d735e13ef5b50da91a51998077bec4d6630a7fa7ba6b996f55776beb117cce0f44d2de362d142411d44a12ccd690637a29642ecfa76d3515b651cb2b47eaca44f9ad4172069691f97d87cdf231867e651834b5baad1a87410e7188877a3a9bc30e7e7028f084f4f602095d22495b1b3789b8115277462fbee611fbce26602fc436e52782811a83fdddc29cd0948176e6ddc1fb20ef539f465dae209320bffc49dcbccd6141735bcde6e90dea25d313acc2159cef4a977feede337d126af12642570c3f3d1dafa4aa734a9ec97883aa7805563392ae3692448076039e95fdb23ad27293e2e044fe722e82f2a80f401c17b056445a27ee6525aa0280703e9ac24f666aa447727c8e0c2117fe84733106e8d8b6ef1ebd2ffdb464cb85e6537d3a1ce0daef079729e00b75dde985c8b4e5ff39ed768baf69bb6fba7cbc68346bab5e07e0cfcfdf17ea873db4a10b9a0845a7da2ee146c88739903a61e87da3974da83338e59db18eb7cdde16443271e204e5193a5a658105ad69608c28941a1a58be495fb5b66c2797083c4da316a566caf0fe9f0d122481313dcb40e45f6e73fcce912b08bf35b865780e92a86995fb169bd2564592a541009c460b2b8ef532ac4cb0a0c28f41e837ca4f296ae872d43d1639d7e880a539239838d15410422ac53debcef066781c9551a1d4245eefc618d5f819cc6de91fb6e3ab4cdd55baddaa5c4956092bf20fd39cd9f13f5970272329cefc904faf4b95682064f9e7c235160b17ff87ae8a452863170e6854b378a2cac06b1bcf6584057225e9e82cd76ebcbcf8978b89f95d1f80710f3f85eaae35d555aebf8b3a7dc192e9d035883e48bd1cedbb5dd70bc63053f1d3e2502c687da0b2b2d09ff95afe1d454a0165af4fe149c7e7708789a51771b383590f348d848222781f5d23a13d5d6a0768eaf16fabb4ae400103a8b68aaec5993315e5dce9150356d5a5d9ccf963f9971a22a431ce151a528f3627aa371295933d74da006a3604d20349d571a71dec3af79158a29863fb516a69ab2936f15ac5a1e8a1c901a30fd6efdfca1762e2ffc267551edc1fe582c58b1de134ddaddca936f338ce7a7c61d64553b371fea1d04703aa5a96798a360e39adff43f608b2cf3e626b6cad1b615b8225d51c99a8d91aad0e4275a3853d644e0c0453f634052891f77ce3766d133ce1b3685e82c993017f7e20bcfd9c3ff9e62207b889f2aad854b8b9353185d3ccca1af6f98a952f87ba45dd56856e8b91ba67b9e95663fb2ecfda1a953f1b373e731fe14514c1fe6feb9d7aefeb9c72e237fe750e286b021b12f2f3470775e38f86d99ae256b500ae06e6bd33851c5de8e49734919ad77a3dc99c04a916d75f64c8103bc513979ece37478f32ceb385ba987f616c79e35b8f419cf813a396f2f8638efadc6702424f25106cae8792ce089625982f8f6175a83c0d502567e24bd868305ef1c113a908382c35e51b3b2d3455973beb3c3dcb4b3f867e87bca3621e9edee712ec2eda06ef808d20aa88ea51c20a427a6e3b8d0d798cd46b4bab9f09c2371bbb479170d28e4cd5173fbfb32c58e3b33beb5cbac26aefa553e6bc98d049957d9d20ba6794b016edcf4059856b6b44602f5c91a397dc7dce701145c9a7512ffbcf5b8c5de35b9738c75227a2c2b86c6d00d595d13de5d63ba0c5313b327d626c46a1023b47a3414ba063e531316692afcb464898f30e334f2ad437cf2e78ede222bed0118b9378ebe5f2eebecfec51b55336c72af7cd7bd503b4e13ba507cc10aec9e3fab46a42fc93d841e7040c1c45757b2c9b75551aed45c39ae9a3be7ff2818378f89fcad04f1e4a7244cb0e8fea960466b6d67d023ca01b101d207e2b08e3091868b2dc882916fba7f4dc883a081e1446f48bff91499ed3ba6fda318c11a56d6e0df4628858e450de712a17b36bf959244aa7d5b71b4f83a19608701c55a1edcba3ce6cc5761ede1cbac28e48e96395e37996072b838aeaa1a507914060f9d835bc40962ee362055eaa07a36583e1f350b4efdac88aaf247554947620baefca68a740ac0693293d053b1154752af6395bea8ff05c867d3647b1fb5c6d8c2a6065c05338db99c4896fc9899632c73886a9fee155be0e2b012a1d31efcd96da2535271685386bb09037c363938cda4919cc0f0db76d9a0419bbd16ded970e9c2a8bdaa25c024e62621173de3ae3118d690db6b23bdf8965f599e70cdb4a44fe2d9334fe2dfc34fb63a0cab5afef9782c654a7ba5fc4abccbdfea0585b73066f105686199c5c3fd13191b305ffc9bba116e3063a01c2bdc0d6aca6d95a76a53d0d022c72d40b9c268ab0d5eb9fbbf781efa916d344eb4d22c2403b59a1655bc5827ffa5926945c2e13c5036711d3bacf35554325cd6a9a3f1da4687c3ecf20cb837433332cafefba6ee791bd78396ca64c752b0230515a89e5c5d584b6d2025ba090e0aaa6de2bd6c6bba32d4fcc8ce8cc040dacc0f75bbb1a43072ab981f222c4d48d5a888e856052b3ecd5ae5cde7c6ff6631cecb0e920f1db6a40d60fd37b5b4503a24f030dfdf94afd37f08d6244e4c37ed8d5ab3d229a314ffccc2d05c05d7a895a3b27b57c44b469c36e909d8bc5589af26a030ff9ec9f45d281b08e5176b119120d5c68841e94f2bc74a0e8818bbbdbeb3489a2036c2b457185f25b3f2a0f72d11a40e0f8431b67a559450ca9a3c3e8998500bbb746a7d15406a89f00aa486be36b7e0248dab71cc383a983701c770be9ea70332fe8839f34f33389182d3349b5be265efb0d9ece803faab889efde2c18fa37ff736bf4e011c9cdeb4a71e04397c7b67038a6a09853cd9045a83f2a36f7c62a5906787bc3347db0c6552e785493dbb4695119c45aba903d73f58379b46823033da9d5a74862f6694c98d507471f238fea16263cfcceb5f1061cc735d4f40ed5704435bb4659a58cb7c2bab516b7b46f7fc68263bad62f93559c7a5c6bef183942c6a651e64991056ab2b0fc6f103ad5c3a021b002e96f5c09981d75ced07f9750723fe002e043734d130d666e37fd72ec0414eff98054a77fb44ce0c1bea093b6d6922a2842ff9e333a4ce8b21695c9fc1f58116d71339e2b655541f2bbb8174ab0378b1f68469a0893c6a290a8462a4164c19b999efeaed49ffb337d4b786bf72597b4682906d4e7c58c1c50f024966e8a2441d08fcdc15fcaf388c3988314e93278d1fa39b91965c82829836d9c22587cdb7be2d518388ffbba61ae120e75e386f572408989b108f769c6ace10812cdac917764c0ac631f891e001977608e09dfebfbb1a390c84ca6bdb7d08bc23aac46ffe8e89616326573d6b861e7af102a9a09899e746821c62a70f7b6e47d9d99957a933784a66f71dab914094bd123f6b57b9bf0d8f942c754ed21180dd38d8559cd3d28036da5c821d67c3f33e32a95863554dcc5ad6a67cd2ed63afcd6661ffb8afbfd86e38d2a0882d7eb2c1995c3e8be9df3ef31c1ff92267e53f008109b59553a3794192f2b945fa28dd521e82dbd80071d1f8159ee0eaf7e04979c59643a410f69c16e038e9b9974a5d5f0d04db5320595e7286cc20a135f7c3f06855db3f985958de33c99724f34136dddcf4230f06ab0d6189150bd3ef4275c485d60f115c4027034423af8d595dfa719078629a171892e8e97ad817951a7d12dd0b6a070745f7f33d6708bd0e4bf96b62b3114b2c31d5646dc9783fc2b5c3d9c1871345e64442ea1dc274994355fe9e7bb477f4cc2f63dede30846d1f0333cdbcb3a2ce2685ab6d9ff5f9e8ac22526e353c1cb050386cd80157872e6fd33f3a352e127f9f03b0c58f306e2299ac54336192cb65d61459e8c5e4fdaf4e1f815f1dd35e598b187634b4b5a1d17e54ed3876882db49681a8b07564238fabdea7b481dec429d898771b6f10e3aef713cb52b432ff6647952595fa14ddb744b8b3baffcff95c69f86d98553c2274c061b24465145954f08fddc17fbd06024efdc59982f2413dc8a09bf84fd315be0bc4f9fc83f7308a57ded09451c07c7052685f43d8781ba6b820146efee62911a3cea2af607133f826abe189899aea8a554524bc90ea81c909598358ec6d841f5aa3d5aa38faf66a69eedcdefbad39100411667fca557d8e6a183a290fd6c1656eb67a3bad59b2628a40bfb7f16a60d565b4df7518f9ab1a3fda9acfff5994f3b48d4d303cdecfab18864933e1f2d77d9d07f32e0dfbea74984f5ebfe0e28f8ff0e3dc949f892b181898a70a61290473e3ff322511cb25018616b7830cf7828b539f1cda5eda421a77a4f34dc2ece3d012a7e031b3b3eaaf2520035d689a9d0b35f77a4d163d5ae33ca8ec8ab74f5f895a0062334d1aaaacf869d070b33803002a2c50e41c5dcb42af9a98b0972fbe0d9f543dbf92c79c4080f3f5b1cd3a7a13bab0c86d48b3cb3c0016939a3a1e875f0866bf0a053cb0cb527e89155221bfddcc8c2200b0b4fa887517bb0d6ef7417361cf685a81470b53aa90f22101aa3a926efe83f6f82def95a6fc0123a3e8ed577fecc958471860baa78134fd1ffa276f205f1f41292a45d74c143e0898789956a878660fb74f24b5ef5b7066f5568b1ad39ba66ee284efb6a3fb2e3cf06550af9223b198474158519dc30547005a12b095356d67612e7c7639f3efb9da9425f15e93d952097059e11d286a837e300e7c7c67da42c47e19c1c37f09c941654aec2ab75798207596e5fcb2dca0405821ddde4739d8bc7bcf402da11a46d5d7c8aedfd2e0d2c3e187a3db26b608c07addb5206ba6f1f1922ee3d5a689efc5aaf2becc6e6ac83c420f35346eafe9d65d9348c1baaa241f5e90a15b304008d258230edb9225a4f3f2f2c328100f0ae083b64c385bcbec52b1d263317a2543e27e1a8cfbcd425b6f13d4a7b5ba6b0009cdf99125219c29c97a108665880bbd9809857cb4441bb02caaf34f31cf6d2b751d98f3fa7e229f09aeba8da4cc396b132e678f2c3a1a71c4601259cfde243d13b1cabf650d5f5ef2faa3e2925d7bf7b1602f786474aa85600c48bc50d4c2ef126f88da7facc41631d91c7167675c4c7555aeab847095e73daef2b110213ee9abd1f43bcf074bf6214c8daf7ea4bd3dca44cc04dd106d4aa4e17c5556e524273d57621c4dfbad3fac05fbff48ce7479f4a34bf05d009c5aa5dc415403d903f18a62b527b646bb800596264cdd20f8663836e6ee4823eef83fc90b890b2ba1f441d6594e3a2b764202be34a15dc1c1a6399f9055a0751a5eb3eff25257262bf27e5c91d53cc33a8a0e3b4fd4be4954a61e912d02f7e42ca26579456305ef9d5edf57e65109d745cc6526326966ecdcdb23b690fac363d9a4e61501651e97ed3b164ec1d58daf30139fb4f5b856d001c82600084aac2f65a67752b44a64c65a9af1d9d050d884b6d3b0a6e495d08fdc5b67acc63152e6bb7b66558f0bcdd8cd52a3007082462bdf786b2d6596ad3e5d2e4efc80875f819f93377a9d2b7283ebbd98dcf462394b77ce792157b648469effbb6349c0af274eb6b005e71828b351f2aa0320c757374361d9be9e04d30ca24557d44fe0de0ddedcf59c7c22febac138bf5913c53681fcab740e09392a257276cb0a8538201bfd3a238a620fc714c981201755b0c047670cf0e1d2c8f9e116f19d711a5d43a78c77cc1e7084436d322b03b2d9eebda2094b01f61aa09345f870b60366c2e32f7c38bf57e95b7a76f7bd5ed902c9558f4f2b55b87933e043dacfb930dabca2d00ba026735cab72c2d10b9620912e6b48582e2088d919d36f84f2a376558595f434e27da3f516643eba5278009fc0af7585c52a20e333d80644e1800a8f9dbc619ca4d87d873474d27c70e018bbe694bee0928ddb5c2f88ed7b9d1ec75459d6e3d0d8dbc2dda88a0b35b16e443ec86c733d7f8fcc774f7f8400c64758aea438ec1f800fcc70af2511f54e174c101ee72a040028834bfac6bbf78b7c8c5ef1d6a3cca08df064601e4f4cafce2d26d334cd5baa401e89aade3b8dbe256b07b2b15da20ce83136d6a1fcd3a0545398d1a3ff27920df26a4ea53bd46b62eaa12212ab9b48150c7f26cc343939461051a1ed5a717ff7f3f8471c3b1c315cef2fa33f6fed031b480bd05a0b36592b4a061780dd5a1adb76471bf4c768f09dc422891398eabea866ebde0970cd634a8ac85e5ddac09909b00d5b024019dd0809fa622488196bda2c8501cac5415b2f42df1d4cec743b58cd36dd05769ba371e9626715fa6557e44126c0f6e3886c76ee182cdd8db6817ebf57ae3767679d5d347590ae28efa3d51ed844284dd7a3c6b8daf5cf17648bae74621ded8340444a98d36f9f86bd3b7ac5aebe7db2798f6871ee973c4e7146c2e5a6ada7bd4e081317edd6fa82840bb02737b25e2f2d37c145335feaf4bf7bcb863609e344422a75a33377de82db1d2e89156909667494c575afd7a30e570f571f45aa4b3eaa0544cb4971bdeb9495095903c05be6bd3d48b1a0f0eba67bdde5ed1004b270fdd3ca46a849be0c5427384cfb8b8827f36ca276b2e02b1ce4ebb4c3077f2402e08467b14dac8dd9137ff1f20b87d2fafe78b70bd250f273b46f2353606545a595fa8b0afe82ee588c9baeb579a9a0d68231c30317ceb06e2885e0be5bf9307ad62be3cc74ad21126f342474d5bbecf1b9df9efcf5240533ed19c4b952b04b6d2f57ad565596566cbb3d0935a9d7ef6af4215d067e682e7f194a17d7f537abf8509757bdcac47a0d264c089f8d31b8dc6ebd4c51e05a4a380213d72776b7375ef6759070ea6c4b0975ce483b365b1ad8925a7685c21aa1e38303a17a83db2500f2f1202366867a70aee4ffbb7f64f998ee79326a9e7d3f1895d5b39304e1fbe9a4e2a95063514e8db3640f1bc4b1018511512763184c49e69e6219a39aa0c65d9355564398c48bc665faf834e9d3b35e3c2794b8523a06ff580b73e93927c2ee2b5a68e7af12c0df76cfb72f24ba717cffc14592227f5f48726812f6d06e7108c61ff5e68c2a679a2cd1eccb9d6469fede21b6ac2bd188e1ac79e432cfd8fc06cfc2e9985f19ad1e9fc84649bb1d768dc85e9a8c74a283cba8140b3f13ae4e8a0e650abf6e946293d7fd8b3d98eb1a3365c68670eaa851318ea50b5f4ec499207acbf2c1e28e8239dcd832af6c9f050e01bd2d6a65b983b0952343aa5824df5b1dddf24af562a15e1efec94f38018e9e905b620ebaa2d4ecb671c9a668272148a1029020419900c32345fceb45621129206628ddaf4d460d097feb4524a7f543b087f55adaf6ce2404cdec2e0da4073bf158cb061a3cd2e2d6bc193edf35125e6380f3dd2a10269b94626477aa940d7f2c740c08d79ab83bbd5cbdc733d62b6f50ca08eddce08cb46fabb40d81599564756896a8c6b8474b86e194f34bc1664a8245d20358b9aa9b619d6befb9a1d2fa7f87cebce8518d618dc31ca6af00c30c875469990e62fa106756c984e8b384d1bcd169228e1e028b19b7bbe636c966f15f4993fa1d0bbac165b319e11b3bb653ff18c8e8e6e7c26f53a1918460b80c3466ae138301bc263fed9e59ed82488ed37d7ae370b323e2baa836d5bf87e4fade36e8182dd235b0fa38be1156d821048f06ee54707a8bd202d7fb6d73a37dc1079eb0d61249fb57bcdc51ba21a13f80889d270db7747cd95128a547700a32a4fa2c117c328c95ad81c7d57899a2d9cd01d795eb925b6928bc7148f56959a57db262d6c46f5926286ca0cc778179355c3dc0772e203925c72b16894e4eae48b628bacbac2f6d527fad457f167dc7fe20a27217fd253e5fb803a6d587a4177b90fd55e76e7ecea831043145f24160217dc2cdcde68b186eab6c78794d99f25abc4bf0b1b8f64df5b92f5c0583584ba0c7451216f5becba5ed663b49e5e9ba17418515e9b12702930561389aea4ca1d645d493003b88258587ce53f9de6c9bd1d29c39873a520515b7b9b734736eaba21860a5bc5802d524663ea0441e5f1a71417e5af8b036fffcc5aedb09abda12a88bc2c4cc1b3bcccdacece020fc1345809b9d659071021915dbf850f1f5807199d135558e1f37d5608163f3907ce1c0c3216e0468b62c2c5b2d4c026d343bcc6acf9e188bb474bda03331eb8c119b296f780cc4b6d108170849cbf802b85bf3b583a78186d1c76b4035556a5fbdf5b3d95d832265f5283665fb4d650b4c313924fbbd7161ef461887e4ee60ef0d26178c90cd8dd5bac26ca4231b172c86cff288be31b4875a7eaf94414010f1f8ce1ab2ea4a8ae51a4d7876414e04a6399e8b8c12c10de4a59a798ff5932454409a4d64e2cd28fc994aeb1f96ee241c7dc71f20a28e6ea3aac87008a1d071731baa37119377a938b6760e90e6ccf1ba26399ad1c5419722e0961dc16c194f6d8d0c921edcf271d84f1df7f20c9a8b390d7f5bd454181749002426fccf842f25b07c646c78071e6dbbf26c855bba2204e65503c453275d58d830b7fe5e04476fe1d7b88d726e4fee9dfd6f155c1082a6adb3dba9f81633d16d4585f15a71714072c38e97afafb9fdb85e5d18c2fc2be2f85fce80db35190ef850915e216c965b75a5d7b7d75e9436d1496d40f385bad871865b74c95144bbf5f4e733cf39a4667b3517a9b179fd60b6c7d02e4187bf266fbfcd3a555c61880b59ac3179e7248b4b501a1c8a67a87b627443ab9427d91695a1bbca27b09a0e88b2b9968c0f6872b67021dc6b93402699f7be2937fed5f5cc664afe57a68e9ef7811cfbf72116d6a4e050dc56db2a484ae22a2322a4b33aba2fe2d8f270f2ac6175a37fc05f936aa5a9502d718ea0519b063addb687b8a2945b1f7dcc1dc377709117d3c3fcfe406301c74442ad200d8fd72d7dad3a0ef34af37f444f373a6b296acb1c023d307eb9f33476465da6a5d4875b60eaaa6366c1e45c60cd043ed8348ebede7cb58ca8c4b823f0efdf9dcf3a24acbfaa23d9ca964110a656efe948aa8feaa172df11cc749af6d4808d0715c40cfc31ffc83c5dc26eea9b503300cf2821080584ace77c1c22992abd77c257b041bea87edff370bd857516dafcc998c27bfb2899f516e63cad2d4b97b58554d1f457dcb1a43bef41a9f9e00d1f1a9aa5488c006948efcec3e6183448e28ca9ec70f85d4afbc84f742f6d639d64bfd0e2c4721fb746f9f3d50794c5a51b6d8cf74c95396ee57c1131c5caf2bce0314a1a0c0edcae27fbd34ccb6db2f4755679ed7e21fe9fb4b6257afed28c86d9d000a3ad989996fda79cffdd125c36c0108a88215dd7b68e763efd14c8888e5ea7a7cafa842ae419d013e32550d467ec72facba1131a999fb973fdc77d76184c3876fff2220bc3f293baa14fcf8315a5dd87461aa446b1f585bf804f43eeebb45f755a49fd56a37108af205106994b0a30b92d853aca01b08edfdceba37460d785baa842a0e014143a6816943d4c746e339ae22fbcefad54cd876c9721f79cdc707b48b8282616560bb7245952aa5a0a80d0627677ce88296e5e8d91216d91aa6b980299a172456e8713a08f4cf7cb46df2244256f0747905c8f9490d2bc753f29f53eb0e32248d658338153a23586fc06cb41d93545da831cc73a97cac45983144efb09791820b68b5a05cbdb2967b0221be3cdd0bb3e493861cbe2b505cd296d71002ba11e3749f81ce84e4239172eb043ad04d83ab29cbc646f02a21cf22b63e28be274d71697e01d74c40bc0243859c74d2d6fcf45d2e6deae21931eba501007f11136a784e2743fb3b4c58a4c925933fcb6aae70006d7c9947db1d49e8ae26547ec64b77f8e58539800db9254fda6c0de54024a04edded1aa263b933c5db6de29ccd02ecebf204121636ca285a3f1358745ea28ef53b3cd260ef5a3dd5ad9a9f26a7bfc7a6fa68b8026bcdee553011bd9c1411f5138df449916a526f494dfa29d3f4d08fc5d76993cc2dc6a71fb94fae9958c95c684c69adc7a33af55a096ac14cdd99f8dc951e0ad53cb12a6e52c01bef466c313e806008a722e798d278104e056ed8701383c0d6960a85b203ab665be95650f03b45a2ae2b241fe194879cb4fbce18661ad70092fddb5979249a55060ade0148ccdbc5a1c47509199f539fd74e6c705ccec6ee6bcc07ecadfcbda99294ee8ec35fa2072547b3d54e8f339232e80e18e00d01abbefe55119c01084ad075b06fd573901551a1576f4df8c73a6b20160c63d98a8802079aa51391ae4fcf8ce138223547fa09065515756e4184c7f859b8d99f802d31e2da840ad0e13072e2d347dac094e8276249b1cb66b0ea95e79a255348ca1f5d9d6631994272fc1d25a2efb5dc9e5e3315eba7846e276ddb311bca3ecd13ceaf42f258dbad670f9228b9b62c9fc28df72cfc05dbd117d2f9a5f66ac329bfca68fd66af9bf6d49c52a4f5d35185dc7d19e3b1c1d9a4a2ff515a2b7ade65ce7dc7d84e8c7fb2013baa48501bb097e74aaa0f9a10e1ba698a15ad9c501cb1727c225f770b742bc101dcb45a1054e054d39c871c64bf44d3ddbc5ca6c20362e1709c096b554839937e72806ba932bbd348abd9201444423f210907b321d953756751926d59b2c3954c1d321d0a598237657a2b49865a14a21d50d2f7697649893325556ef9de9af181502296d9c9471c29750d00246ca90745bf393e4b40b045ce68351b7ef195c2cedfe60c4a643135d4b1c146a9f764a05588ea388fdbb7e0a07469d003f1c3817fe229d39acf69f9f63f9e9d203e8947f63639e8816d16f87a9062eaea6b1bf2d57f1dc7fb8e511df95bd34fc5f8e9e0fe705785859938ef704947aa68e192f44188ba2387e32acf6c356b0343d6791cc28887e258f855b5f22fd6b0c48f448a85695c19dd9e9d117b1345370fddfc3c0f074b8cda33e8b12b69a70cce686aab2fb702ad970d49058f9bb0195cf9dfc6486a3098c1c409bc66467732a948ee97453be7090beea529173bc69b86f906636c9a89a269d9106093218207e78307ce34b24f61cab92850ae7ae92abd89123d34696e3b86e6daf2cb27ca2e9c3574f3d7bb6f9903bed0d5a76fcf945967c8d02deee5e26023eec937dc4c665a3b95a46fe27a125ac513a1e9b6d97f4572435849683be2bd3a4f973be91a1298011fb9bad90981b351f20f2fecda24b6412bf688cd19331b4448606b86c204e9086bd60e2413474b522787128624ef3ed708f0cf82a474524506e97eaf27c3eee13d88befb324e0ee8cae3bd2f1bec9c95a717842b6fb6dcf74e678a6889f4d306b2889eb40d1eee501055cb0f2b68e6730b59fc89e27d8c0ccbc6dd57da3c990f0b1b7090ca5c5969bb546665d0981463b268bcf2d83725bd61114b66a2d21fa2ba183010f4aa075a2df40d2a4de6c73c56d57a915911752daa98eca7e64e62e72c80bfb4c5176e32ba239ea457ee72ee74960cdf7e91726724483739cd19572d0d14ed600be04bf25b54335315d2b07eddb30542d9d398a44e56d74f15d34dd073c4b87c0f05ac0446690c48e93e8f41085568f41754c27397b077550849265c03eac67ed953975c7a1d123cdd6bfc4da8c16ee85ca322f332d80b8c5638d0f25878d2f9664f43cc4efd190d3c57f2683933bee8d3c3ab25e145841019f657a8887c9691e35b352e1547c35db84fedbcf7b0f8f63982b8174f809f02a9944a79675ce2a6ad7a50a6cc380c386b1e13022bdd9408731354bf2fbd844d26a51758ee37c2090ca5d5c2cedc3490adb2b00beec91f7badceddf00b596da4371c5f21e7869c7d3ef02ebe332a24acc1333832bd64eae04d96eb77ff106a15d6f1275175b9c1e3e87a8017804b740dd544025d8069af671275c96c52fe85c56b0d55c83d127554a4a49cb104fcd1c069d35c600da83e26a785ec86f71190c67785640444e000d89d1b03a3594f2036f951b0ef2c31d9ac6149778615b1f96e9337a791f218b3d90ab77836a52c8ed4fbabbb145aa1e10edc237983538ae6232fd4590221f41cc87a9715ad3501225e44c047839f1149afc50e9f8d8e80ce85529148599305d51c4d84e4ef9e5216b3e1d86b536a36df872b0fbf57804ae7340c4a0f509adac8c646820c1f92dcdc9039b33abe70625331cfe9ad242a4944be9580b962948d7d1c9a8c2eee45c658991d1d9f5a7bd4008efabafcfa8500720ed95a42334e2df5b54ca6f0a6dc65763aadfb64d9ba32bc9a2b1e37e138dbb226dff4f6bc65c08a941129cff7505018c3ac2239ac9da7b3ce6619c23759e194b80eccba88e0bd6d033e15b896aa95b5e8b4fa63e89a41cf7f7a0f8237eb8078fd50408ebe041991d59cad3bd2da59050f3153a68555076b9dbc935bc69d8c6ba4a8497c2ee9031de0148827cffc5fc3df61bf2561679ae8241d3d0abd5dac562aa76b2c4b6e659013036c5b19aaa0bdabf15eeef12af1ee31bf607827b7a9ee7cfcc2dac3dc4d2045d67ecc0e54a948138bfea2488459c39c99f1a7ed5516fcf696815bc33b0704468d0507c26bfda6fd0e733db1239d73b6af42936e7ed4d9022d678706a76e8abdf94b51c9228148ed2cec6c6e10d22678c8a156205450a29cdfc54443018c3bb94000d106cd6d7c5fd98ff0e585854c3862ef19db40be044fe00b5411233a24f2be94d805517e9e55fb370f77eddbadaa9a299db7b704ab9ce9dc4be9a26c35b7f9fa1702836f8e5e4152ae1f27a380b44b66098ed1501e701c871be397da6c0032495450b36f4cd57804a989d71729b566010f1ed19d264b54d5b37a417863853f10e053fc8de35f8c684a488d4811f15c8ae270cb941f50e398f0e119dedaf8e937a72d54467eda18a7d73565bd5c0c694ff22f893acc77f7e500c43c91123e23af9edcee877531b6de04fae474b6c9452c8296433a82f99e46dcd0b6f8a9b13b943231c08598baea98baf13d86f5b5cdb8a2e20409b545272c3cf748d9a87cfac4b0e90d30f0dc401a83c4b564be0b92fd24fb50022c01d092f29562f2a1e6c481dd5f91a957116d7f55cff533b91fadbb8f5d15d38d67b03d7a5d95e380fa419ac06a1d2d4f59884ea6061c5f0660c631eb5fee35865e43381f13efb24791de1b6d69eeea23ca925633b99b5b98d22a0480ae4248174ba2328d9a47342a67db2ea7a9b48775db35c8be5dcc10f7dd84c158dbd4757b33900b164e621f1dbeae885dccc9d0a350b48a1e55f8757c978c34fe34a9bffb272394d6c03873ad6084810ffe8f5d1a3e272d56785f24b52f7b3e5cfc8944a22c9cd32973507497ba35a0462d46f0e674488d47f7d2a52a6921b3bbe9dbaef2958db56c874e6dcccc2499b7078b5c2d4143d964c1410c76426ea2a2160ffa27876dabedbedbb9ab4b00aabf90f8f70f2a851e441622e6b9413967e04c347aab7488f4760d3e8fe1a26b0f84a1ee5eb0aa541c9b8b3fcc5c499ba7bb24babfca2f1edc91a792580846619738a8cd6a956fee442d94992beaaa80e7e6be27f33a03c5e67766e3b04e57670209e22cd0ae0282a1aa7b65f4eeb48168d65ebe60145fb771a250b9f1c8f1d7abd3dc3b62c3bc864e1a4df1e2d36914b8172f2ce840bfe7c07db6205485aee0e095a193e695633bdd2eade76239137193afe18bb5986f03da97a7e0c2a9f4406b92497a6c942e84e72ba6bb7275e435182101c16651ca1d497e61d6bd9e1390c8d100305a890b3d54eac2449a6a261c26b9403257c4253644ada152634a99e20d8f909d753bee656296c2338282f0779330f2db7bf0ad7151ff0b1edca7f4e56ba9a0c1dd35861d43f5b3942445bf5b0df198bb93a3e7d69113d454e849571e5c80b855ab9c1a399291471c5053ab43969298bae96c65f2e0d990973b02bf3c5e4788577f14a7732bb67c9a9ccffc12e65f1fb5aa486e3ffd0f405ef6ef305f41d2e38bfdb9ac9e5d87ceafc0628f23c2fbb211c1b106e4a551f9f04974a1747212061940b2e3161b8a0901b926afa3618ee7f9ab2237a5b96765d201da1432193d54690190ce37b22853b8d8a03eb5a93776cee5903439ab358dc5c921247c92e4ead264b706542b9f66e743452a589efd8ac02b81ac9004252345f20afeb72c2548ad5c85fb428ccd0cd61782b5d84efa18d54f91d8c19ed5f746cb4cb8a0bdc087f3b1f0392ac959c1a04935c9a89145755fb462b34b79cb341150e06a4912157ce4e8e4f7b14b6254e0db2aa7f9c06280b28d32f9b617516d00b79b6445f3278b8fba13e18447070c77508c3c172c9a7bf302f39d9bf938e4fc8c4f3afb97984d7e7654ac7adb783f1cbb408ad80a768da3461cd87920052a16b806c4166c6bb91ca721af5b1249eb25eaf3f5996b3039f9535488d98d826db940109da1bd43abc8a7bda4e94024dd5ab0b65b7d1877fbb48d51484fda02e25571ca87da898572d98292267253e93760993235dc93b211d32324aed6c1e1bfcb6cf2260afe408161558ebd89beb20c957f057c82570db0fe3") r38 = syz_kvm_setup_syzos_vm$x86(r33, &(0x7f0000c00000/0x400000)=nil) r39 = syz_kvm_add_vcpu$x86(r38, &(0x7f0000016800)={0x0, &(0x7f0000016280)=[@nested_amd_clgi={0x17f, 0x10}, @nested_amd_invlpga={0x17d, 0x20, {0x58000, 0x50df}}, @nested_amd_vmload={0x182, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0xf, 0x9a97}}, @nested_amd_invlpga={0x17d, 0x20, {0xfec00000, 0x1781}}, @nested_amd_invlpga={0x17d, 0x20, {0x1000, 0x691}}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, @nested_load_code={0x12e, 0x79, {0x0, "67470f487f05410fc7280f20d835080000000f22d88f2978cb3d080000000f20c035040000000f22c0c7442400d0f60000c744240200000000c7442406000000000f0114240f0095bffb0000b98b0000000f32430f01f8363e3e66440f383c6e0e"}}, @nested_amd_vmload={0x182, 0x18}, @nested_amd_invlpga={0x17d, 0x20, {0x1, 0x2a0c}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x0, @save_area=0x4a9, 0x5, 0xffffffff80000001, 0xd}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_amd_set_intercept={0x181, 0x30, {0x3, 0xff, 0x1, 0x1}}, @nested_vmresume={0x130, 0x18, 0x2}, @wrmsr={0x65, 0x20, {0xc001103a}}, @code={0xa, 0x64, {"c4a1f9e6530066baf80cb83c050c8aef66bafc0cb0eaeec4017a705e4702360f01c9b805000000b9000001000f01d9c48299f774fd26b9490300000f32c4c115faba6736c958b8010000000f01c164430f01ca"}}, @out_dx={0x6a, 0x28, {0xb7cb, 0x1, 0x9}}, @nested_load_syzos={0x136, 0x58, {0x2, 0x2, [@nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @control64=0x2006, 0x6, 0xdd07, 0x5}}]}}, @uexit={0x0, 0x18, 0x8}, @nested_load_syzos={0x136, 0x80, {0x0, 0x1ff, [@set_irq_handler={0xc8, 0x20, {0x6a}}, @nested_amd_stgi={0x17e, 0x10}, @nested_amd_clgi={0x17f, 0x10}, @set_irq_handler={0xc8, 0x20, {0x76, 0x1}}]}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @set_irq_handler={0xc8, 0x20, {0xcd, 0x2}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x96, 0x2, 0x9, 0x2}}, @cpuid={0x64, 0x18, {0x1, 0xffff}}, @code={0xa, 0x6c, {"410f013ac744240072000000c744240203000000c7442406000000000f011c24c7442400c7d2b538c744240239000000c7442406000000000f011c24b8010000000f01c1400f791666b8bc008ec026440f01c5410f01d00f080f09"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0xa2, 0x3, 0x40, 0x3}}, @wr_crn={0x67, 0x20, {0x2}}, @nested_amd_set_intercept={0x181, 0x30, {0x1, 0x8, 0x1, 0x1}}], 0x541}) r40 = mmap$KVM_VCPU(&(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x1, r39, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r40, 0x4) syz_kvm_assert_syzos_uexit$x86(r33, r40, 0x6) r41 = socketcall$auto_SYS_GETSOCKOPT(0xf, &(0x7f0000016840)=0x1000) syz_kvm_setup_cpu$ppc64(r33, r41, &(0x7f0000efc000/0x18000)=nil, &(0x7f0000016ac0)=[{0x0, &(0x7f0000016880)="a600c07f0000e03e0000f7620400f77a0000f7660500f7620005003f00001863000017930000e03e0000f7620400f77a0000f7660500f7620000003f00001863000017930000e03e0000f7620400f77a0000f7660900f7620000003fa3201863000017930000e03e0000f7620400f77a0000f7660d00f762ffff003f4b451863000017930000603c00006360040063780000636400f063600000803c0000846004008478000084640500846022000044e403007c0000003c0000006004000078000000645b9200600003203c00002160000020900000003c0000006004000078000000645b9200600000203c00002160000020900000603c00006360040063780000636400f063600000803c0000846004008478000084645b92846022000044889c7f1385793c110000603c0000636004006378000063640cef6360ae43803c0b6984600400847832d2846464ab84609f20a03ca8eda5600400a578b640a564b1f3a5607295c03ce2a3c6600400c6780ab5c664b456c6607af7e03c4f1ee7600400e7786dafe764735de7606ed4003dea68086104000879843e08652b1e08610f08203d57992961040029792ea52965a33a296110da403d21f44a6104004a796b7d4a651ac94a617ad9603d84786b6104006b79f9f16b6562ee6b61220000448c30803dde998c6104008c79c3848c65c4008c61427ef31308db47fd6310e03fa71cff630400ff7b5816ff6760a0ff6326ffa17f", 0x214}], 0x1, 0x8, &(0x7f0000016b00)=[@featur1={0x1, 0x9}], 0x1) syz_kvm_setup_syzos_vm$x86(r41, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$KVM_EXIT_HYPERCALL(r40, 0x20, &(0x7f0000016b40)="e5b31e151b44d5a7e6d4318c23841cad911cec23f0d39a4bed977a0a13d9f9d106f592bf97ea28b048c1764155a698d413be9712ccb298c0b89ca67076be69d83491ff71bc7733d0", 0x0, 0x48) syz_mount_image$adfs(&(0x7f0000016bc0), &(0x7f0000016c00)='./file1\x00', 0x80828, &(0x7f0000016c40)={[{@othmask={'othmask', 0x3d, 0x6}}, {@uid={'uid', 0x3d, r12}}], [{@smackfstransmute={'smackfstransmute', 0x3d, 'wlan1\x00'}}]}, 0x0, 0x1010, &(0x7f0000016cc0)="$eJwAABD/7+DzLu5nJlfY4S8N7x7c7H1u6LgA+exdzvpOLzQAr7/rfNFAHfnAo2qv5nhO5QygY0GgGz/kSfj6xNYfxXqBteG7nY3Vty0ff23vxTYFz5UfxoeEobtaWv+1og3Yxk2dXn1o6J9IlvClC+R9nWENAi8UlxSASZiae36mhq8Kat6nAIGsC0+v7RYUEprkHeyLogLBn+MVGrdNeyBRrbDI7fMQy4hlDsd0m95OqrFRe5iM1xgZqwl0IMDrI4ZSv0jNKx9QDgV0rEp9L1So8BWushiPyaoTCz4e5Uj2yo8qTDvP2eRW7gNKBKwo7by8nVXMOs5q6SYOm+Iv0Ed+vcWM6nTFc5IcCKlso5ealIwWEVuGuuQLcntNAZUK0mwv1MdzFjUE5VpjCFUzeZ+Bqp6ZJW0ROky4mBP2IQpLyWkgiEeNDedVt0Cm3B5LNG+jOzCiZ2M9O3CSP6t1GXKptT/VKBXzkDe1PLRpcNjlA8RbX38YaiVLOImft3UbIXbJ6UCTwf56q7ri0xqqeaB2pnCyTqqt+4/2nIDcCY2VFHKbYFJiLhMICgn/lJc8JOQwYGp6OwNDTVu705XrFH7dmZ7I440NmPRWgJuf3PdCMNYezlwY2wQELRqQ8B8kFSjZfTgyz8Yg5Zc2+xG4MTaNRZo+JjSh39rorZs0LF1wrjL+8/xkDuEogTjaTnrvieMkLjxLU035BJKNxCGfdOmrYqrpWcQsn0vDpxuoPJyQKh3mDm5R5JllVa/1mJ41oob0oQMPhY7fxQIO5CgOclTrTC3mO9c9byvnmE0nx/oX6jmGDuuCW5EropfqF42lJmLHkixSlv2skDGhmYJkvwcaA3QaS/vpq0NF+CwKZ1yTb1vWiqPVYhq6kAPbzd+BmWbxJyaTCUc60UYku/9J+VLLGkEwgBjps7TEZGT/SjpJ/Kp+/sj4pOzilfGreaDQkRs+p6H3+CUiGT7uGxcegn3yO0D9dl2ZhxBU3AinBTK/+kXFCNs1kGUE+7HuSIzZguM+DYgxNwAqROiwIjcSewciAK2Wf9N9KI0y9VmbOZ1226Nt+2drpFz+eT7YQlDzHdnAEF0C6I3Ws1YBxQHwMmcgVGoi3kc2O4dpn7ShwIvxXyRKbT3d73cG057wE/lV8BKx2BhaAErPjDOQBPG+Yo+kAUvilaZnZwSn8Jl/Il8RVjaOBkKIm+MG8zn3zfsEQLK5nZmIXDY1Y9xY7k4Usib9kOQeGLC9uNH7N+D5GRPwPaIiyY32R4OrZIbQMRm8oggL72pGc6khaPF4ztTXMD0OWAr+FjIe7yRrNKkhlMJGWwV/O2P2ctHc/BEIxpG/+SNj7Y+nJFgpfqzUuRI0mkYxlaYYagpImXAN+kWFhLG9s0OpiMQ1ek2G/7xFDUuQWKDAyJEkjWxxfg7OlTaSfM5N+nHKE0JwqYkZCS/3Z2Yc9lf5QyzJCXNt6lETfjInwK26k5BWgCcRJDUE0+H/MTojXRdG0ky/GPg+rexrA4I5FUDtJGuo+U9iGviyo2anDfFO66SmwkayKqvCmNUcsokvPUX9VychADi26NGVAp6KNFS8rB4WPPs4ccGB/cBpnnIrdx/1VSDon2lIX6j0MP4qw7ANTOiIcyVCTp5d1kAfaZo3QgFDHzlSCor6MpPfSkGDc1X6AN5hNByYPhB+KDKiMY8iEMUQLWLg197oRysm60uJgZnvXypwo2fUAwuHZmFzxSYxVL39XtVy+ZC/zq5oMUJxgGghXOJ3qzbm3t2sl0hiwIpJsIavbCrltLkQbgqO9+gnrcqA/WYisTQqJmFhvF/VeL0uDW4f2JmfV7UK/7pDxcdXqmz51Fc75lwGUzrR9JcaT3RMS+6YSCUJeV7cgjxUjxAE+Mmg8joDl4OBzgKr7Yw0mfkILHHDiQiE0t6ZXyRFjmKpadhripIg9P6vf8H6ig6OQs7XYtR7UrB7UEtD0R9AJawbMG46HQuD1P91pkazs0+MGhbbzsC86JdV+KB6ypwnJi2LAVf2N9SSA94c/LIwNkE+jQvmU8OkJsKGUKfSzX7iKJnB0Pj7N2jIDRQWd+ByCo72c5juv62PcVDeC5nadSbu1qNH0cD93QZyMFiknlhFyBchzcqoJDmxFoPFtv0ajILAdfB3c7I00fgdnwyA1kgs0h805c9xWPYI1MrfwVefG2hkXh5QFWlOqEIH+kGkMGu2GmSHdrWnFANiGCSGwPNbGYPP26HXx1hOTFCX/7mNEtPQ6qFps3rYx0bYtpanB+RaP/D2sMkxjXEptqRsn4bebqtMicNbGFvGxpNGSieHgXvDzdj+jMa8PW+ueRmPh8cT4hGgxRh1I+oZTAj5ZXo43K6x63NGF9Wb9vih651f3BVcllqUwQjmwIs7Eu4rbrP/DwimvGEXUTmmRf3ztR1LcPhpxCn5Yit4GmH/AFOYTNyU0G4u3hcqqJPfT7kTxzB50dbbsAo+YHrHKliCAI1iYFUyS/PaxmtBOJSLxyp9bVmfXTeimZ1/W3m2jmuqR+uUpiNAbTXSzLwuBR6dv7V0jmL1Hez/fZuQGsJwG56GqBfsAENkI0zwdsTsYtUNb2CF/zeI6xDiVU82dP1hgLb0NIQEFMjLFTc4nL+V5aQVJrz03kirusjs0TfxDU7YmVs1qZGpkBeV6VBd4OK7lnJ1GsTp1lJcaUj4kv+/fRJYKLlO5akkR+Z3ztimgaLzbqaqnzi6b0YksDW/O4cElQc3R6Dvt06ScYinuhZKoTH5RRbUi1tXOLJilAvGhSKg0U66qxZ0SP352NG/zhRPjG2uKKpVjVfFNBDLI118dt9BUzHQxw2vQw4dfXZ5Wo/EPxttR6n17xqdTbvpC2EJqVIWLiqXWW8KYauUcvGWAXU5PV8slOLu/acjqsjI4JTDrowX1TO1G8kG78vov2HIYWadyuS3qWee1WJzPHrpfGGPMNV1dqs7H+Lacu9D9NSqrYgTaWrUhSDBHQsCfIHthMB+ixoSL10VCHAu2DEzsn9EUHaaMAheNyuZS2iCZ6Ou8oz56aCLrhm0t5VIKv94CyUr+KPvT1yfIK6+po48KKnXyeWalemDodSW2utjqCaLc3bjlCqyEmbuN047AWByKLJ1CeOtiegd9O/SQ4XfFaln5TDMTNyNvSHk8R7IyHrJxUpd2pbI026b0AbExUkZ1rxWsMgrXM+4Kc+puYlohv14Pip27mVXBmvX8wHm/xcn9cMPmO7AUtI22sX1cfHqmsIV0i+bw8EFJ1C2iRiB9FzzJ13usOTAWSqAt/VBQWFVw8fz/C+rgy4JFpsIyEEU+c7ozzOtGEXZnz1UKH6vnxuWQS82qdcKV+x+SxEhGUCi+E7hgDj+L9uwmYvxSU3ROChcPHbdlSurJ6JdOMpYdBIOd4sxcoubkW4E7gpGjH8v/1qw/bi3GnHWWEp9PHThPs+UvcTiQaNLjaXNy/mygcDnqR91PbrKqFA+lS8evPflnc068rr/5lFm7YLRAgPybtIhMxZ1cSR0Ne+9mKBqu+lvb+mWlAUP+B/QkEFLyd4hDgP3n4B570BA0Ym/AyqZf0OOE7XSRp4JaQDiuYYJn+h1r24mDDe+TKoImpQKwH5YSevAJ7zyifYV83MTBY9hNa8l+CX8XyjOd6f3MVDQBqBwMQ+c8h/FIHvEAKZp0etmEP0SZ4wdI6eENK9Gv38l2Fj1bsQZmNSxepZGFPK13e8vECMVNVPINct7gkpTEa441vJA9B9FMwAOm97YIke5BEPk7QLcrat9bOH0Mv4aNyy4E8Ma0T7Y3I7hW8b+KfmhvFuvz/RAVqy8vH7//qwyxRBdQ1B9nPL1QpynGJfBa+lxlrbafWkZmwn8Nq3Qew4YmsrFI2bREEQi85ZM1cgUkrJVCn9/F6bjj/m88+lyVVKX8ZchUpPg3XiPDYofdlJM9UxywD66ZJL5O0NomZuzB82le7sDmvXgMZwnYlyFiUSip8VW8JBhJMYctzhdH2UdjF/uI4HMF1GdIGCAmdbOft+bqP0CSSYw+G7G56aB+OApIJUBKN/vWYFKKSE3qhrn7islCofanfsBMSBfluYS0ReN/9T59a3ztoJwxIy0Z3IAyu5wn6NzPBepo6caNkGI7BIXmhoihku6wAly4Z41zm7oSm3x3JXFW9rzfOA/zPHwntvnziMbBkZHrsdM0ORaIk3UIeapRxmYoNRxcAzUemH9xyhlGPqIn/gHfDlQqw5ySsh924BD5pxtcdLAtgfkJ28Z7MAjYzSJXcW1pmsyPPu3ZtXcHDwwHA6+K0cXW/AZLz4swCUMy4B8DUZriwqFKAG88SwnDirP7jTHzRdu+bOLPVlcAImA9FZdAgI8QHMgg/9unXANWCMn4GSrM1YRDPNQekOgU48w2idM8EVqbo+YR6I55yuZYhzeNOG2AmPTrlPi/RDRs+91RCbu9xvB9w+y+zQhxCSbrbPBlZJV2KQPZuGQZMTuARhQDXgFnFKG/3qjuD7JC39qBsnyBnaOw9ysYwXFjRBcou7lMr4v+wITsxE6l1jmgciRAdn7CLtMY0H0ZhmqVrV3efe5KhAXXk7/pNYRlmdplCoFl3B8ZCE2ZJq7s13SyPg0cPy5WMQ/1j4NLBfPH/AHXMRh2DBCmj4I5HHOEn7MwydW7LMAzYbQCbyW2sAVx7Yp3sJ5pKRQ7SQiwjxrMR5mOgqQ4aogTr0LvHED4xh5sEpHdFiO2GW4pVEBfU6F5zCyANr9f0tefrSPNaczTct0Q8Doo0w4EwtTSjwux102iX46uWv6pAqZBURzXjWXz6atokVTFKch5TM0yExzYkX7LU2YYxA1c0wNaSu2lbxdx//2jnHmxnIbAaKDp5hLVaiLPnMM7mS56eY0PqPBj0J8AYTLRJBGiQHorAfoig5o8owdtkBtCYU70+CX2lbB/1geky36s/0qdukaxlxcUSdzBgukzD7qTGukVnZReLitvHUUsMmrSGIbvQ0xRx0VZ57PqZRGMlOQbmDujbnoqx+hNZdiwC1hyk74btWRYmANzjNiLm6IFu4YawCjBiIInpA5+8GXxdGQZ6rL39Q3bHU/ZvCyppWJkMyNgW4+rmuUplv6FzbtmHqdq3W1QXKzydm6rkzyKXU50Px/cktZlktrUExSKGSuMEfyYUT83ynuLaiw3obHNSsgVNCl1aSXiiVg2YDudR0oxMdQCn5GxpeFFPA8+N91Xrq9OomvQfpnNN1t9XVvwRMNzORED1ewBIei73znBodVO/0dzssMJbwctCGwCxkSGOwdY0VcyFjaT2aXmcpNOfykGqFYkGjbuy48+REaWwLH+c+qGwRi1FucoafT38WtXBUs+KSJLp/e+Z+opJ0Cf7bRY8YINw+dIpiY7sJy2IywyfPPgGv4y/Q31MrTq9KpTVOzJrMA2esB0gA1tBlbBafPddfjr/QndNIDyMnj6S/ImLD/UIG8ey67/EitGAMBAAD//4vg68M=") syz_open_dev$I2C(&(0x7f0000017d00), 0x9, 0x484580) r42 = getpgid(r16) syz_open_procfs(r42, &(0x7f0000017d40)='net/if_inet6\x00') syz_open_pts(r33, 0x208800) syz_pidfd_open(r19, 0x0) r43 = pkey_alloc(0x0, 0x1) syz_pkey_set(r43, 0x1) syz_read_part_table(0xa3, &(0x7f0000017d80)="$eJwAkwBs/6RRXCBt7GMlTq9EwjPgL5iXkmoXVekSpoe7ibH6oF/5D/ZAK8XpdW8CA5rjuSzcvCA++0N5lxGWHxXxqSl4LLmGp3bnsP5gYb0gZdymHwDFW8VDe5gP/DZ5nimHPbk4LNscZFNeCdt6zcNh8i/TsdVkCZ1V5euwB4WSzV6Wxd/mGwg2gTZ3887ZGxYH5DiblIuYQAEAAP//2jdIgw==") syz_socket_connect_nvme_tcp() r44 = syz_usb_connect(0x2, 0x745, &(0x7f0000017e40)={{0x12, 0x1, 0x200, 0x8d, 0xd8, 0x82, 0x10, 0x1bbb, 0x203, 0xa779, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x733, 0x3, 0xb, 0x1, 0x80, 0x1, "", [{{0x9, 0x4, 0x2, 0x5, 0x0, 0xf, 0xcd, 0x1f, 0xf3, [@cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '<'}, {0x5, 0x24, 0x0, 0x80}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x8, 0x3, 0x1}, {0x6, 0x24, 0x1a, 0x7, 0x6}, [@mbim_extended={0x8, 0x24, 0x1c, 0xc, 0x6, 0x122}, @country_functional={0x12, 0x24, 0x7, 0x8b, 0x7, [0xfff9, 0x5, 0x3, 0xad97, 0x3, 0x0]}, @mdlm_detail={0xac, 0x24, 0x13, 0xb, "784f7bf45593f2145d18e49bc52edb011422491eba8fc40ebed34d5d81304da0a35565ec2036117bec4b01ef8f75c9d54e74b45316d0e1672a97b631729bcb7dc99bde682891bd5954d945f412979ecae7ee086c3650d3f976a990edea932dc3085d9c08f20badcebf87a97ba36151788daa2e6be45675380139cb89a17f95a65c87a272b183873660c9b63cee55c43ae5df58b45fbe08f00a86c6b1dfbd517b7dcdca1c6c75cd37"}, @country_functional={0x6, 0x24, 0x7, 0x1, 0xa}]}, @hid_hid={0x9, 0x21, 0x9a, 0x8, 0x1, {0x22, 0x373}}]}}, {{0x9, 0x4, 0xb8, 0xc, 0xf, 0xc3, 0x47, 0xe8, 0x7f, [], [{{0x9, 0x5, 0x80, 0x2, 0x410, 0xd9, 0xf6, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x5, 0x2}]}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x2, 0x2, 0x6}}, {{0x9, 0x5, 0xb, 0x3, 0x1308e9cbc37c7b4d, 0x6, 0x8, 0x5, [@generic={0x82, 0x11, "45836f6c3f5125725ed5b96b96b2911adb85370ceb5989894bd83417ee42276ce80fe734db8d2d94f2fe8c75bfd042fb632cfa5d5254f9b0fadc885d628a0dc92e274c02cd3be0421b608e2c538de20b208eaaea7b51dc13bdf7f2e00a6cbd3030df9baca667e6ccc42bdc2f5d822a3fc298b060da91265dd01583221a09899f"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x8, 0x4, 0x1, 0xfc}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0xd7, 0x0, 0x0, [@generic={0xf6, 0x22, "67439d731f507017a62ab89eb7118e315aab47bce00cfe092f9b6b6527812c051d98789a341cd8579c0c0f64f353faa641372867640b733bac8b8800b7baf106d03b36b934ebf24e84f554e1489e48416547bb7c90482fa4706467390768598bfddeee37f96a286a2f726ed89e5cfeb0dca14945145d5727fbd9b2949f9528d01e948e6305191bbbdfe60f223ae3a19823ce4a8797df004c048b9c0d793d173e5a39afc5eafe8ed82b45d9ac82fdfd1ef590fa300f32a49684630a4b392ff580eeaeff43c607a95169525530c24b189dee913cf7b9e1c1bafb11771b05c784720c28eb001ad218d0a92c1e32071606734ed956b6"}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0xd57d}]}}, {{0x9, 0x5, 0x1, 0x0, 0x400, 0x93, 0xff, 0x5e, [@generic={0x9f, 0x22, "faae6b7b5cb60baabdbe69da80d6306cc5c48a7eeedd7a47a92b693f17794385e5df43428ff861b389fffa4e903a47cbec60c794d78a7287affd416273fae978b7313ebd0b4ba90d2c47c1a1a66f6a698dcad67c6b40c482a09d3b92c05422f1eeed158be373e6623f40f82b25697f8f7934c60a81a403f22d919166e011d31a6497a0c7a512e4ddd841b5441454c1e15d8a2ab3e78f86a5cf03e792e7"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x1, 0x9}]}}, {{0x9, 0x5, 0x3, 0xc, 0x10, 0xb, 0x3, 0x2, [@generic={0xb1, 0x0, "33e5f9756d19a3eb392ba45b9f381dc2b062ee3ce942a485e678a8ea13f6c9eac74ec9641b119d78a9e36b32327cfb535d6ee402917d7b92a3ef09a79323735dbed9b623ca4b83db0117d537e5c58c6405bb0fe33bda56ba384b95fd4687df0217b223a0a525062ef259591dba73db936a7f85b82dddced8216aa4bc4ed636a57fc6e683e3ceb10a63be63330c0ea4d2a5cff5db4ac71ac10cdce3f5bd50c29ca7d1558dc5ed7f06b21dd7ba9a0dc6"}]}}, {{0x9, 0x5, 0x5, 0x10, 0x8, 0xd4, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x0, 0x20a}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x5}]}}, {{0x9, 0x5, 0x5, 0x0, 0x8, 0x7, 0x7, 0x1, [@generic={0xd4, 0xf, "737d3a4315658a8ffad124ef25692125494e376089b70b3fa63c98d548319145d9a432c0a3a910835f2c89b97e7168de3f5a68fc6d3086b5abbd9cad99b9f57df66d7a2af8b11c90041dd44ea5cb90b08493f1cc38391ab393edca7afe19ada684d62c76028a4283d3f7c4b6a29530b4345f74fedf78709f1a6172ae091c181037aa8d41503c854f5d64a4e1772982edb2faeb1f1a4ffb5f1b62415e46f1bb27374d48245031d050dc5528c7d19e7d9f4f71983984e44a633575f1b792d06db2ada0ca60eb3896c7e517981d567fe7b58ad2"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x5, 0x47, 0xff}}, {{0x9, 0x5, 0xd, 0x4, 0x10, 0x9, 0x9, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x5, 0x1}, @generic={0x84, 0x4, "c25a3fb73a08d8b88a25e396fee4b018b4487bccabbffe8ac964097b47dd926e5cb685c9568c4738e1bc0972ad10f12789a9a8080d7a492630e9a155a12e267604f53773b1f3a603c19d4dc0f4c5ccee5e9571706e990dc862312fb3d26cc37b011d95f3159d13c4ac34ab084c1a0660509ae13fa6f84d6068b33e5ff1da2a32373a"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0xa, 0x8, 0x4}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0x6, 0x4, 0x96, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0xbe, 0xda}, @uac_iso={0x7, 0x25, 0x1, 0x8}]}}, {{0x9, 0x5, 0x8, 0x2, 0x10, 0xb, 0x5, 0x8f, [@generic={0x77, 0x53a54cd3d610e5f7, "e6da6832665e8fc36a0e8f94157f6a5fbd96ba6085fa6cc0de01635150751fa9080a8ce5aaa4e50bddbefe649a9885244d8fd877920b570d6913ac5ef74d87139a81215ace972e769b6e707e2102de593a661d408d0cbce385ecdc66d00e649dd5504e8b1f2aeedf02eb08bd9a2b2102f37927bfb9"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x40, 0x8000}]}}, {{0x9, 0x5, 0xd, 0xc, 0x40, 0x6, 0x0, 0x9}}]}}, {{0x9, 0x4, 0x1e, 0x8, 0x3, 0x90, 0x1b, 0x5d, 0x9, [@uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x3, 0x1, 0x0, 0x35, 0x8}, @format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x4, 0x3, 0x4, 0xf6, 0x80}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x35c6, 0x1, 0x3}]}, @uac_control={{0xa, 0x24, 0x1, 0x8001, 0x51}, [@feature_unit={0x9, 0x24, 0x6, 0x4, 0x3, 0x1, [0x4], 0x8}, @processing_unit={0xb, 0x24, 0x7, 0x4, 0x3, 0x9, "d6e5bec9"}, @processing_unit={0x9, 0x24, 0x7, 0x1, 0x1, 0x6, 'CO'}, @input_terminal={0xc, 0x24, 0x2, 0x2, 0x204, 0x5, 0x9, 0x9, 0x1, 0xd4}, @feature_unit={0x11, 0x24, 0x6, 0x5, 0x6, 0x5, [0x3, 0xa, 0x3, 0x9, 0x3], 0x3}, @extension_unit={0xd, 0x24, 0x8, 0x2, 0x5, 0xfa, "cf521fd9778e"}]}], [{{0x9, 0x5, 0x0, 0x1, 0x200, 0x3, 0x9, 0x6}}, {{0x9, 0x5, 0x1, 0x10, 0x0, 0x7, 0x3, 0x1}}, {{0x9, 0x5, 0x9, 0x3, 0x20, 0xf, 0x4, 0x5, [@generic={0x30, 0x30, "9af3fe7151c3b3ad7bd1a1c8e2ee7c9495bfb52094d1dc13f41f06a76b111ebf9089a2372b323499e81536ed22f6"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0xd, 0x1000}]}}]}}]}}]}}, &(0x7f00000187c0)={0xa, &(0x7f00000185c0)={0xa, 0x6, 0x200, 0xe, 0x7c, 0x5, 0x40, 0x6}, 0xec, &(0x7f0000018600)={0x5, 0xf, 0xec, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x7f, 0x4, 0x10}, @ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x19, "3708892f9f7225be3a6009559965ad74"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x20, 0xc9, 0x3, 0x3, 0x8}, @generic={0xba, 0x10, 0x3, "2a0452f8e56ac2ffaee6cb1fc6faea4298664f032676da02ee36cac0df472c05b6a895c87b06145c8cb2bf1563d915fb7459dfa37e7b010a2307d76ed4c75a0c1962074d24f9836e05df965fdf4e2460076f7f109708230872abfc7b89d4e5e08d5d7b3b28be99666169e4beaa1ed7099d4ead2e0aeab9e01ff1bf20b59a78a6d9852989b4c4732550c70f843daa0c88d82ef806ece508cc9553fe8134cfadc5769bff046dca8f1fe031f25dbae923962256a0d962f081"}]}, 0x2, [{0x5f, &(0x7f0000018700)=@string={0x5f, 0x3, "159faef02b246dab7cba3efc4a7fed8d174bd706d48457f261ad8fe88dc0426fe71a32291ee93575bf347cbfc21323b208f15a792abbf3017092aa8e551fcbd851ca7390612f9e5848738c872b638738755adfa7d432eab1cdf11246e6"}}, {0x4, &(0x7f0000018780)=@lang_id={0x4, 0x3, 0x41d}}]}) r45 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000018800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r44, &(0x7f0000018a00)={0x2c, &(0x7f0000018880)={0x20, 0xa, 0x6, {0x6, 0x11, "11be6906"}}, &(0x7f00000188c0)={0x0, 0x3, 0x4b, @string={0x4b, 0x3, "54f166c504f790b8fd2167ab4d2207faf4e0d9b9068564c8fee82a31e2a56d9b863c4188c802bd1e737993ba22a323795cb0b4f4e94cb796758840f7c88898694a059be76c0285d691"}}, &(0x7f0000018940)={0x0, 0xf, 0x1a, {0x5, 0xf, 0x1a, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0x1, 0x4, 0xa, 0x4, 0x10}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0x6, 0x0, 0x1}]}}, &(0x7f0000018980)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7e, 0x0, 0x2, 0x7, "3c6895ab", "138253ae"}}, &(0x7f00000189c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xe, 0x1, 0xb5, 0x2, 0x6, 0x7, 0x9}}}, &(0x7f0000018e40)={0x84, &(0x7f0000018a40)={0x20, 0xc, 0x2, "d80b"}, &(0x7f0000018a80)={0x0, 0xa, 0x1, 0x7}, &(0x7f0000018ac0)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000018b00)={0x20, 0x0, 0x4, {0x0, 0x2}}, &(0x7f0000018b40)={0x20, 0x0, 0x8, {0x1160, 0x2, [0x1e0ff]}}, &(0x7f0000018b80)={0x40, 0x7, 0x2}, &(0x7f0000018bc0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000018c00)={0x40, 0xb, 0x2, '~s'}, &(0x7f0000018c40)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000018c80)={0x40, 0x13, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x17}}, &(0x7f0000018cc0)={0x40, 0x17, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x3d}}, &(0x7f0000018d00)={0x40, 0x19, 0x2, "b362"}, &(0x7f0000018d40)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000018d80)={0x40, 0x1c, 0x1, 0xfa}, &(0x7f0000018dc0)={0x40, 0x1e, 0x1, 0x9}, &(0x7f0000018e00)={0x40, 0x21, 0x1, 0x8}}) syz_usb_disconnect(r45) syz_usb_ep_read(r45, 0xd2, 0xde, &(0x7f0000018f00)=""/222) r46 = syz_usb_connect$midi(0x0, 0xde, &(0x7f0000019000)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x10, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xcc, 0x1, 0x1, 0x9, 0x0, 0x9, "", {{{0x9, 0x4, 0x0, 0x0, 0x5, 0x1, 0x3, 0x0, 0xa, [@ms_header={0x7, 0x24, 0x1, 0x0, 0x7}, @midi_out_jack={0x11, 0x24, 0x3, 0x0, 0xf5, 0x5, [{0x4}, {0x7, 0x7}, {0xc1}, {0x3, 0x3}, {0x2, 0xc}], 0xd4}, @midi_out_jack={0x13, 0x24, 0x3, 0x2, 0xd, 0x6, [{0x13, 0x80}, {0x2, 0xe}, {0x1, 0x3}, {0x8, 0x7}, {0x7, 0x4}, {0xeb, 0x6}], 0x4}, @ms_header={0x7, 0x24, 0x1, 0x3, 0x7}, @midi_out_jack={0x9, 0x24, 0x3, 0x0, 0x6, 0x1, [{0x2, 0x53}]}], [{{0x9, 0x5, 0xc, 0x0, 0x8, 0x0, 0x3, 0xef, {0xf, 0x25, 0x1, 0xb, "8dca6f86ba1543f9fd5417"}}}, {{0x9, 0x5, 0x1, 0x2, 0x10, 0xa5, 0x8, 0x3, {0x13, 0x25, 0x1, 0xf, "fc2ab7fab02e86b9c83c1a1c2ee5ba"}}}, {{0x9, 0x5, 0xc, 0x8, 0x400, 0x3, 0x0, 0xbe, {0x13, 0x25, 0x1, 0xf, "d9811e1ed3642bab8c2a71bc25bf6c"}}}, {{0x9, 0x5, 0x3, 0x0, 0x3ff, 0x7f, 0x96, 0x7, {0xf, 0x25, 0x1, 0xb, "0ec3b8efc022fc1b474cae"}}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0x18, 0x5, 0x3, {0xe, 0x25, 0x1, 0xa, "e3c106c54a63638a2e82"}}}]}}}}}]}}, &(0x7f0000019280)={0xa, &(0x7f0000019100)={0xa, 0x6, 0x110, 0x2, 0x2, 0x8, 0xff}, 0x3d, &(0x7f0000019140)={0x5, 0xf, 0x3d, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x40, 0xab, 0x3, 0x100}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "5699f3928d2d0a00633f2b02584c016a"}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x0, 0x8, 0x6baa, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x6, 0x0, 0x98}, @ext_cap={0x7, 0x10, 0x2, 0x12, 0x5, 0x3, 0x4}]}, 0x1, [{0xc1, &(0x7f0000019180)=@string={0xc1, 0x3, "b64349de30b23e683c87b0fe59341d26e0e391acdf6ad0571acc05f8e5fcfdc3936c96d99906c4c1e5d9ce59609e60fc394029a19fec981cfde7e9d38c1465f6a04b5b0ee298f5f21e58f71b8f7100d1bc55ca97b1b3ab63485b92e16630ae0c539315c25cefc347d66d80c2531e81af67e179c16966bcb8e998e0cd1b3c2bdc6c049946edb3eaafbbd9b5f0fe7c5925b619e8e7cfce1a62c4d2ac459740065e9f9eb72202c0edae4bfcf5d11b9314581d63e688ec40c037a3c41c0220bb1a"}}]}) syz_usb_ep_write(r46, 0x3, 0x9, &(0x7f00000192c0)="b72534d84209a7a862") syz_usbip_server_init(0x1) csource_test.go:162: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_cachestat #define __NR_cachestat 451 #endif #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t user_addr; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint32_t flags; uint32_t resv1; uint64_t user_addr; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; static long io_uring_sqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_SQE << !!(params->flags & IORING_SETUP_SQE128); } static long io_uring_cqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_CQE << !!(params->flags & IORING_SETUP_CQE32); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0, volatile long a1) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + params->cq_off.ring_mask); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + params->cq_off.head); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; uint32_t cqe_off = params->cq_off.cqes + cq_head * io_uring_cqe_size(params); struct io_uring_cqe* cqe = (struct io_uring_cqe*)(ring_ptr + cqe_off); long res = (long)cqe->res; __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return res; } #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_params_ptr_out = (void**)a2; void** ring_ptr_out = (void**)a3; void** sqes_ptr_out = (void**)a4; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); *ring_params_ptr_out = (void*)setup_params; uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * io_uring_cqe_size(setup_params); uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * io_uring_sqe_size(setup_params); *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < setup_params->sq_entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; char* sqes_ptr = (char*)a2; char* sqe = (char*)a3; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + params->sq_off.ring_mask); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + params->sq_off.tail); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sqe_size = io_uring_sqe_size(params); char* sqe_dest = sqes_ptr + sq_tail * sqe_size; memcpy(sqe_dest, sqe, sqe_size); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_io_uring_modify_offsets(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* params = (char*)a0; char* ring_ptr = (char*)a1; uint32_t params_off = (uint32_t)a2; uint32_t value = (uint32_t)a3; uint32_t ring_off = *(uint32_t*)(params + params_off); *(uint32_t*)(ring_ptr + ring_off) = value; return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void mount_cgroups(const char* dir, const char** controllers, int count) { if (mkdir(dir, 0777)) { return; } char enabled[128] = {0}; int i = 0; for (; i < count; i++) { if (mount("none", dir, "cgroup", 0, controllers[i])) { continue; } umount(dir); strcat(enabled, ","); strcat(enabled, controllers[i]); } if (enabled[0] == 0) { if (rmdir(dir) && errno != EBUSY) exit(1); return; } if (mount("none", dir, "cgroup", 0, enabled + 1)) { if (rmdir(dir) && errno != EBUSY) exit(1); } if (chmod(dir, 0777)) { } } static void mount_cgroups2(const char** controllers, int count) { if (mkdir("/syzcgroup/unified", 0777)) { return; } if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { if (rmdir("/syzcgroup/unified") && errno != EBUSY) exit(1); return; } if (chmod("/syzcgroup/unified", 0777)) { } int control = open("/syzcgroup/unified/cgroup.subtree_control", O_WRONLY); if (control == -1) return; int i; for (i = 0; i < count; i++) if (write(control, controllers[i], strlen(controllers[i])) < 0) { } close(control); } static void setup_cgroups() { const char* unified_controllers[] = {"+cpu", "+io", "+pids"}; const char* net_controllers[] = {"net", "net_prio", "devices", "blkio", "freezer"}; const char* cpu_controllers[] = {"cpuset", "cpuacct", "hugetlb", "rlimit", "memory"}; if (mkdir("/syzcgroup", 0777)) { return; } mount_cgroups2(unified_controllers, sizeof(unified_controllers) / sizeof(unified_controllers[0])); mount_cgroups("/syzcgroup/net", net_controllers, sizeof(net_controllers) / sizeof(net_controllers[0])); mount_cgroups("/syzcgroup/cpu", cpu_controllers, sizeof(cpu_controllers) / sizeof(cpu_controllers[0])); write_file("/syzcgroup/cpu/cgroup.clone_children", "1"); write_file("/syzcgroup/cpu/cpuset.memory_pressure_enabled", "1"); } static void setup_cgroups_loop() { int pid = getpid(); char file[128]; char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/pids.max", cgroupdir); write_file(file, "32"); snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(file, sizeof(file), "%s/memory.soft_limit_in_bytes", cgroupdir); write_file(file, "%d", 299 << 20); snprintf(file, sizeof(file), "%s/memory.limit_in_bytes", cgroupdir); write_file(file, "%d", 300 << 20); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); } static void setup_cgroups_test() { char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (symlink(cgroupdir, "./cgroup")) { } snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (symlink(cgroupdir, "./cgroup.cpu")) { } snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (symlink(cgroupdir, "./cgroup.net")) { } } static void initialize_cgroups() { if (mkdir("./syz-tmp/newroot/syzcgroup", 0700)) exit(1); if (mkdir("./syz-tmp/newroot/syzcgroup/unified", 0700)) exit(1); if (mkdir("./syz-tmp/newroot/syzcgroup/cpu", 0700)) exit(1); if (mkdir("./syz-tmp/newroot/syzcgroup/net", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/syzcgroup/unified", "./syz-tmp/newroot/syzcgroup/unified", NULL, bind_mount_flags, NULL)) { } if (mount("/syzcgroup/cpu", "./syz-tmp/newroot/syzcgroup/cpu", NULL, bind_mount_flags, NULL)) { } if (mount("/syzcgroup/net", "./syz-tmp/newroot/syzcgroup/net", NULL, bind_mount_flags, NULL)) { } } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); initialize_cgroups(); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_loop() { setup_cgroups_loop(); } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setup_cgroups_test(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 74; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 56 ? 4000 : 0) + (call == 64 ? 200 : 0) + (call == 66 ? 3000 : 0) + (call == 67 ? 3000 : 0) + (call == 68 ? 300 : 0) + (call == 69 ? 300 : 0) + (call == 70 ? 300 : 0) + (call == 71 ? 3000 : 0) + (call == 72 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { setup_loop(); int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[47] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: inject_fault(1); res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/0, /*ring_ptr=*/0); if (res != -1) r[0] = res; break; case 1: memcpy((void*)0x200000000000, "threaded\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000000ul, /*len=*/9ul); break; case 2: *(uint64_t*)0x200000000040 = -1; *(uint64_t*)0x200000000048 = 0; syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); for (int i = 0; i < 4; i++) { syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); } break; case 3: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xf503, /*arg=*/0ul); break; case 4: memcpy((void*)0x2000000000c0, "/dev/bsg/2:0:0:0\000", 17); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul, /*flags=FASYNC*/0x2000, /*mode=*/0); if (res != -1) r[1] = res; break; case 5: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x9360, /*arg=*/0x76ul); break; case 6: syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x111, /*optname=*/2, /*optval=*/0, /*optlen=*/4ul); break; case 7: *(uint32_t*)0x200000000240 = 6; *(uint32_t*)0x200000000244 = 0xa; *(uint64_t*)0x200000000248 = 0x2000000001c0; *(uint64_t*)0x2000000001c0 = 0xfffffffffffffff7; *(uint64_t*)0x2000000001c8 = 4; *(uint32_t*)0x2000000001d0 = 7; *(uint32_t*)0x2000000001d4 = 1; *(uint64_t*)0x2000000001d8 = 0x200000000100; *(uint32_t*)0x200000000100 = 4; *(uint32_t*)0x2000000001e0 = 0xd8d; *(uint32_t*)0x2000000001e4 = 0x40; *(uint32_t*)0x2000000001e8 = 0x42; *(uint64_t*)0x2000000001ec = 0x200000000140; memcpy((void*)0x200000000140, "\x39\x70\x15\x49\x5b\x43\x3e\x06\x2b\x4e\xf5\x49\xb0\x56\xc6\x05\x30\x06\x14\x82\x48\xbe\xe9\x34\xbd\x6a\x20\x8a\x2a\x61\xc7\x9f\x4a\x49\x35\x7e\x53\x65\x38\xe0\x86\x95\x7c\x37\x7e\xd1\xf5\xa6\x46\xb7\x40\x17\xe3\x05\x84\x21\x44\x81\x2e\x9b\xba\x29\x01\xbf\x44\x11", 66); *(uint32_t*)0x2000000001f4 = 9; *(uint32_t*)0x2000000001f8 = 1; *(uint64_t*)0x200000000250 = 0x200000000200; *(uint32_t*)0x200000000258 = 0x3c; *(uint32_t*)0x20000000025c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000240ul); break; case 8: *(uint32_t*)0x2000000003c0 = 6; *(uint32_t*)0x2000000003c4 = 0xa; *(uint64_t*)0x2000000003c8 = 0x200000000340; *(uint64_t*)0x200000000340 = 3; *(uint64_t*)0x200000000348 = 0x72; *(uint32_t*)0x200000000350 = 0x23; *(uint32_t*)0x200000000354 = 8; *(uint64_t*)0x200000000358 = 0x200000000280; *(uint32_t*)0x200000000280 = 0x107c; *(uint32_t*)0x200000000284 = 0x10001; *(uint32_t*)0x200000000288 = 7; *(uint32_t*)0x20000000028c = 0x5e; *(uint32_t*)0x200000000290 = 0x50; *(uint32_t*)0x200000000294 = 5; *(uint32_t*)0x200000000298 = 4; *(uint32_t*)0x20000000029c = 1; *(uint32_t*)0x200000000360 = 0x80000000; *(uint32_t*)0x200000000364 = 0x4000000; *(uint32_t*)0x200000000368 = 0x7b; *(uint64_t*)0x20000000036c = 0x2000000002c0; memcpy((void*)0x2000000002c0, "\x31\x8d\x74\xc3\x26\xf1\xd0\xa1\xdd\xbd\xe1\xb5\x12\x64\xef\x98\xbf\xda\x4f\xb6\x9c\x29\xe7\xe2\x6f\x55\xd0\x0a\xa6\xbd\x24\x97\xe2\x3c\x84\x95\xbb\xc9\x44\x03\xa7\xcb\xa7\x51\x20\xbc\xaa\x83\x2d\xd5\x3a\xee\x8e\xa1\xa6\x6a\x79\xdb\xba\xf3\xf0\xe2\x32\x10\xa9\x00\x05\x9d\xf2\xdd\xac\xa7\x12\x5b\xd9\x0e\xb9\x1f\xa2\xc9\xc8\x10\x9e\xb6\x25\x52\xe9\x0a\x21\x9e\xf9\x66\xdc\xaa\x59\x4c\x33\xa1\xe6\x23\xbc\x0d\x18\xfe\x1d\xb9\x7c\x9e\xb7\xbe\xab\x52\xef\x03\xc2\x1b\xf7\xe6\x14\x49\x52\x66\x87", 123); *(uint32_t*)0x200000000374 = 0x10; *(uint32_t*)0x200000000378 = 0x80000000; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint32_t*)0x2000000003d8 = 0x3c; *(uint32_t*)0x2000000003dc = 0xc; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x2000000003c0ul); if (res != -1) r[2] = *(uint64_t*)0x200000000380; break; case 9: *(uint32_t*)0x200000000500 = 0xf; *(uint32_t*)0x200000000504 = 7; *(uint64_t*)0x200000000508 = 0x200000000480; *(uint64_t*)0x200000000480 = r[2]; *(uint32_t*)0x200000000488 = 0x77; *(uint64_t*)0x20000000048c = 0x200000000400; memcpy((void*)0x200000000400, "\x8e\x46\x8e\x19\xaa\xb0\x47\xd4\xe0\x0e\x0e\xd7\xfa\xe1\x83\x0e\x8e\xaa\x0f\x74\xbf\x5f\x1a\x07\x1c\x66\xa6\xcd\x46\x19\x7d\x7c\x22\xaa\x47\x14\x7d\x72\x3b\xee\x80\x23\x8f\xd9\xe2\x75\xb5\xc9\xac\x9c\x89\x79\xf6\xfc\xbd\x06\x8a\xcc\x94\x69\xf5\x61\xdb\x80\x6a\x72\x0d\x53\xb1\xdc\x48\x32\x0b\x36\x5b\xad\x54\xf0\x4e\x1a\xcd\x0a\xd4\x08\x62\x61\x8d\x0e\x89\x53\xcd\x02\x02\x16\x9e\x15\x49\x39\x2b\xb2\xed\xd0\x7d\x80\xfd\x37\xfc\xe2\xf6\xf8\x48\x01\x3f\x38\x38\x53\x95\x19\x06", 119); *(uint64_t*)0x200000000510 = 0x2000000004c0; *(uint32_t*)0x200000000518 = 0x14; *(uint32_t*)0x20000000051c = 4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 7, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 3, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memset((void*)0x200000000050, 255, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 9, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 3, 4, 12); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0, 0, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0x7ffe, 1, 15); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 4, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 6, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 1, 5); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 7, 1); *(uint8_t*)0x20000000005c = 8; *(uint8_t*)0x20000000005d = 2; *(uint8_t*)0x20000000005e = 0x11; *(uint8_t*)0x20000000005f = 0; *(uint8_t*)0x200000000060 = 0; *(uint8_t*)0x200000000061 = 1; *(uint8_t*)0x200000000062 = 8; *(uint8_t*)0x200000000063 = 2; *(uint8_t*)0x200000000064 = 0x11; *(uint8_t*)0x200000000065 = 0; *(uint8_t*)0x200000000066 = 0; *(uint8_t*)0x200000000067 = 1; *(uint16_t*)0x200000000068 = 0x70; memcpy((void*)0x20000000006a, "\x38\x74\x97\xa6\x98\x41\xa2\xe5\x28\xb4\xf2\x99\x12\xf3\xdd\x10\xb5\x0b\xa5\xa1\xe1\x70\xcc\x5b\x6d\x1c\x7a\x78\xf5\x7a\x5e\x0f\xcc\x9b\x2e\x9a\x5e\x87\xd2\x55\x16\x58\x0e\xa1\xf2\x23\xf1\x31\x7f\x86\xec\xc3\x91\x17\xcf\x0e\x53\x5c\x2e\x2b\xef\xcf\x11\xff\x81\x99\x9d\x1b\x87\xd9\xb1\x98\xc8\x03\xd7\x2a\xd7\x24\xe9\x4c\x78\x3c\xca\xc7\x76\x3a\xd3\x4e\x6f\x74\x91\xb3\x63\x7c\xe2\xf4\x66\x77\xa7\x61\x28\x73\xed\x0a\x3f\xb6\x4c\x0b\x3d\x78\x50\x3b", 112); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x9c); break; case 11: memcpy((void*)0x200000000100, "wlan1\000", 6); memset((void*)0x200000000140, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000100, /*ssid=*/0x200000000140, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000180, "bpf_lsm_path_link\000", 18); syz_btf_id_by_name(/*name=*/0x200000000180); break; case 13: memcpy((void*)0x2000000001c0, "\x49\x98\xde\x6d\x85\xea\x9e\x09\x84\x15\x17\xb6\x1c\xe2\x2a\x88", 16); memcpy((void*)0x200000000280, "\xb9\x66\x2d\x10\x0f\x99\xf4\xe9\x1d\x1d\xe2\xc9\x80\xce\x45\x99\x94\xb0\x46\xbf\xe0\x6b\x9a\x28\xc6\x0d\xea\x96\x80\xab\x4b\xcc\x3f\x5d\x33\x97\xa5\xa2\x51\xd7\xba\x76\x93\xb7\xeb\x37\x17\x7d\x03\x0a\x2b\x3f\xce\x8a\x23\x2e\x5b\x03\xf1\x0a\x94\x80\x52\xee\x90\x7f\xb3\x2f\x57\x5b\x23\x10\xfa\xe9\x91\x07\xf9\x5c\xca\xb7\x14\x72\x2f\x59\xec\xdb", 86); res = -1; res = syz_clone(/*flags=CLONE_NEWNET*/0x40000000, /*stack=*/0x2000000001c0, /*stack_len=*/0x10, /*parentid=*/0x200000000200, /*childtid=*/0x200000000240, /*tls=*/0x200000000280); if (res != -1) r[3] = res; break; case 14: memcpy((void*)0x200000000540, "./cgroup.net/syz1\000", 18); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000540ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000580 = 0x200; *(uint64_t*)0x200000000588 = 0x200000000300; *(uint64_t*)0x200000000590 = 0x200000000340; *(uint64_t*)0x200000000598 = 0x200000000380; *(uint32_t*)0x2000000005a0 = 0x22; *(uint64_t*)0x2000000005a8 = 0x2000000003c0; *(uint64_t*)0x2000000005b0 = 0xb3; *(uint64_t*)0x2000000005b8 = 0x200000000480; *(uint64_t*)0x2000000005c0 = 0x200000000500; *(uint32_t*)0x200000000500 = r[3]; *(uint64_t*)0x2000000005c8 = 1; *(uint32_t*)0x2000000005d0 = r[4]; res = -1; res = syz_clone3(/*args=*/0x200000000580, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000340; r[7] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000600, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000600); break; case 17: *(uint32_t*)0x200000002fc0 = 0x8001; *(uint32_t*)0x200000002fc4 = 0xee00; *(uint32_t*)0x200000002fc8 = 0xee00; *(uint32_t*)0x200000002fcc = 0xdaf9; *(uint32_t*)0x200000002fd0 = 0xd56; *(uint32_t*)0x200000002fd4 = 6; *(uint16_t*)0x200000002fd8 = 7; *(uint64_t*)0x200000002fe0 = 0x200000002f40; *(uint8_t*)0x200000002f40 = 6; *(uint64_t*)0x200000002fe8 = 0x200000002f80; *(uint8_t*)0x200000002f80 = 8; *(uint64_t*)0x200000002ff0 = 9; *(uint64_t*)0x200000002ff8 = 3; *(uint64_t*)0x200000003000 = 6; *(uint64_t*)0x200000003008 = 7; *(uint64_t*)0x200000003010 = 0x101; *(uint16_t*)0x200000003018 = 9; *(uint16_t*)0x20000000301a = 3; *(uint16_t*)0x20000000301c = 7; *(uint32_t*)0x200000003020 = r[6]; *(uint32_t*)0x200000003024 = 0; res = syscall(__NR_msgctl, /*msqid=*/0xab1, /*cmd=*/0xbul, /*buf=*/0x200000002fc0ul); if (res != -1) r[8] = *(uint32_t*)0x200000002fc4; break; case 18: memcpy((void*)0x200000003040, "./file0\000", 8); *(uint64_t*)0x200000003080 = 0xfffffffffffffffb; *(uint64_t*)0x200000003088 = 2; *(uint64_t*)0x200000003090 = 1; *(uint32_t*)0x200000003098 = 7; *(uint32_t*)0x20000000309c = 0xee01; *(uint32_t*)0x2000000030a0 = -1; *(uint32_t*)0x2000000030a4 = 0; *(uint64_t*)0x2000000030a8 = 0x74ff; *(uint64_t*)0x2000000030b0 = 4; *(uint64_t*)0x2000000030b8 = 9; *(uint64_t*)0x2000000030c0 = 5; *(uint64_t*)0x2000000030c8 = 0xc50; *(uint64_t*)0x2000000030d0 = 3; *(uint64_t*)0x2000000030d8 = 0xd; *(uint64_t*)0x2000000030e0 = 5; *(uint64_t*)0x2000000030e8 = 0x1650; *(uint64_t*)0x2000000030f0 = 4; memset((void*)0x2000000030f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000003040ul, /*statbuf=*/0x200000003080ul); if (res != -1) r[9] = *(uint32_t*)0x2000000030a0; break; case 19: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000031c0ul); if (res != -1) r[10] = *(uint32_t*)0x2000000031d8; break; case 20: *(uint32_t*)0x200000003500 = 6; *(uint32_t*)0x200000003504 = 0xee01; *(uint32_t*)0x200000003508 = -1; *(uint32_t*)0x20000000350c = 0xe; *(uint32_t*)0x200000003510 = 0x101; *(uint32_t*)0x200000003514 = 0xf1; *(uint16_t*)0x200000003518 = 0x40; *(uint32_t*)0x20000000351c = 0x287c; *(uint64_t*)0x200000003520 = 0x6a1a; *(uint64_t*)0x200000003528 = 2; *(uint64_t*)0x200000003530 = 9; *(uint32_t*)0x200000003538 = r[3]; *(uint32_t*)0x20000000353c = r[6]; *(uint16_t*)0x200000003540 = 0; *(uint16_t*)0x200000003542 = 0; *(uint64_t*)0x200000003548 = 0x2000000033c0; memcpy((void*)0x2000000033c0, "\x05\x69\x76\xa5\x86\x33\x69\x6b\x63\x36\x7a\x4c\xb4\x88\xb1\x6c\xe8\x5e\x89\x94\x3e\x5f\x09\x28\xec\x40\xd6\xd8\x93\x80\x7f\xa6\xc4\x4c\x5d\x38\xda\xab\x11\x84\x33\xa7\xe8\xf1\xc4\x6e\x1f\x06\x0f\x28\x16\x5f\x41\xad\xb8\xe6\x79\xcd\x9e\x46\xac\x38\x47\x74\xe5\x6b\xca\x18\x80\xa6\x90\xfc\x3f\x8e\xd5\xf1\x24\xdd\x98\x46\x7a\x33\xbb\x40\xcf\x19\x1c\xfb\xb9\x59\x0f\x59\x17\x9b\xb6\x11\xcc\xe7\x89\x22\x59\x22\xa0\xef\x4f\x22\x86\xf8\x7f\x84\x72\x14\xfe\x25\x61\x8b\x98\x9a\x05\x01\xe7\xec\xa7\x17\x0a\x39\x13\xbc\x68\xb4\x53\x99\x66\xe2\x89\xff\x94\xac\x31\xe8\x82\x36\x68\xbd\x04\x99\xd0\x9b\x05\x5c\x41\x41\x0b\xa2\xf2\x10\x1a\xba\xf7\x15\x53\x99\xf9\x7e\xe9\x24\xe9\x27\x7e\x6f\x54\x81\x9f\x12\xfe\xf3\xc5\x76\x93\x78\xb3\x44\xb6\xff\x64\x09\xed\xc5\x78\xc6\xc9\x3a\xcc\xb0\xf0\x8a\x5d\x8f\xfc\xab\x30\xcd\xbd\x71\x3d\x1b\x93\xee\x7b\x8e\xef\xdf\x77\xea", 214); *(uint64_t*)0x200000003550 = 0x2000000034c0; memcpy((void*)0x2000000034c0, "\x02\x0c\x5a\x2a\xf3", 5); res = syscall(__NR_shmctl, /*shmid=*/0x81, /*cmd=*/2ul, /*buf=*/0x200000003500ul); if (res != -1) r[11] = *(uint32_t*)0x200000003504; break; case 21: *(uint32_t*)0x200000004640 = 0x35cdee94; *(uint32_t*)0x200000004644 = 0; *(uint32_t*)0x200000004648 = -1; *(uint32_t*)0x20000000464c = 3; *(uint32_t*)0x200000004650 = 6; *(uint32_t*)0x200000004654 = 2; *(uint16_t*)0x200000004658 = 0x80; *(uint32_t*)0x20000000465c = 3; *(uint64_t*)0x200000004660 = 8; *(uint64_t*)0x200000004668 = 0x7ff; *(uint64_t*)0x200000004670 = 1; *(uint32_t*)0x200000004678 = r[7]; *(uint32_t*)0x20000000467c = r[5]; *(uint16_t*)0x200000004680 = 9; *(uint16_t*)0x200000004682 = 0; *(uint64_t*)0x200000004688 = 0x200000003580; memcpy((void*)0x200000003580, "\xcd\x05\x2c\x20\x6f\x36\x8b\x4a\x7d\x16\xe2\x8c\xd3\x6b\x1e\xa6\xd1\x0d\xab\x70\x17\xb7\xd0\x85\xea\x27\xb3\xe3\x38\x9d\x76\x0d\x22\x77\xe2\x0f\xeb\xc6\x86\xf3\x59\xd6\x08\x3a\x62\x9e\x79\x81\x08\x9e\x04\x19\xc7\xb5\x62\xdb\xbd\xc2\xe6\x7c\x1e\x95\x10\x4a\x39\x05\x49\xc9\x37\x1a\x43\x45\xf2\xaa\x7d\x84\x58\x09\x4c\x60\x75\xb8\x4d\x11\x48\x6d\x27\xbf\x68\x23\x3b\xb4\x57\xeb\x10\x6b\xab\x49\xa3\xfa\xd2\x99\xb5\x90\x02\x5e\x4f\xb5\xe4\x3c\x71\x2a\xd8\x91\xf3\x91\x38\xbd\xb9\x22\xea\x9d\x21\xb7\xcf\xc7\xc3\x43\xf9\xa2\x14\x96\xc6\x69\x22\xca\xb8\xe6\x65\x35\x33\x7a\x89\xa7\x17\xc3\x54\xbf\x18\x46\xb5\x06\xc2\x34\xa3\x09\x3d\x72\x8c\x6b\xaf\x27\x2a\x6f\xa5\x15\x3d\xc0\x39\xf8\x7e\x0a\x36\x74\x4e\x1f\x80\xf2\xaa\xc0\x30\xe2\xf8\xae\x6a\x7d\xbc\xd3\xf1\x7b\xc6\x8a\xd0\xb6\x1c\xe3\x12\x12\xc4\x6e\xdd\x61\x5d\x57\x1b\x33\x8e\x22\xc0\xed\x5d\x26\xf7\xbb\x2f\x36\x5e\xcb\x2c\x43\x26\x47\xa7\xc6\xd7\x75\xb0\xe4\x1d\xb9\x28\xf9\xe7\xb2\xaf\x72\xd6\x90\xac\xf8\xb2\xad\x8c\x2e\x00\x05\x05\xb6\x95\x2c\x4a\xb9\xe2\xa8\xec\xd0\x7d\xe4\x4b\x2b\x48\xaf\x7b\x89\x46\x96\xae\x56\x7b\x6d\xd0\xa1\xf9\x9b\x00\x7a\x8f\xcf\x41\xdb\x20\x82\x7f\x58\x32\x5a\x9e\x88\x12\x35\x44\x25\xbd\xcc\x3f\x81\xf2\xd3\x86\x3d\x77\x77\xfd\x80\x36\x0e\xb8\xb9\xe7\x7e\x47\x05\x9a\x1d\x22\x65\x73\x3c\x4a\x8a\x06\x3b\x45\xed\x0b\x8c\x24\x81\xe1\xcd\xea\xfd\xdc\x5f\x42\xc9\x31\xb3\xd3\xe7\x10\xe4\x53\x8b\xba\xd8\x15\x47\x9c\xd9\xaf\xdc\x5c\xb4\x47\x23\x02\x6c\x4b\xc0\x06\xe2\x56\xf6\xf4\x27\x04\x2c\x67\x65\xa3\xb2\x53\xe9\x35\x6c\xa1\xce\x45\xd9\xd8\x3d\x5e\x11\x19\x28\xb4\x7a\x8a\xb8\x42\x2b\x37\xe8\xc3\x82\x43\x68\x62\xc9\x44\xe0\x8e\xbb\xad\xd1\xa3\x36\x86\x21\x9a\xb8\xcf\x99\x5c\x12\xa7\xab\x70\x85\xa7\x9a\x7d\x1e\xc3\xc6\xcd\x73\xa4\x43\xcf\xce\xac\xba\xca\x1d\x7f\xc0\xcf\x34\xd5\x8c\x92\x77\x88\x1f\x98\x37\x46\xff\x62\xfe\x41\xd0\xf4\xf7\xa1\x2f\xf4\x4f\x4b\xa5\xbf\x7d\x89\x35\xbf\x09\xa8\x8a\xd9\x8e\xa8\xa9\x12\x4d\xe1\x78\xc2\x8a\xcd\xf1\xba\x1a\x97\x34\xd6\xc2\x25\xda\x59\x1c\x22\x9d\x31\x3f\xcb\xda\x81\x0b\x0f\x10\x57\xb0\x73\x0a\x95\x72\xa8\x07\x75\x8d\xef\xb5\x79\xdb\x3a\xd0\x21\xac\x31\x6f\xb7\x44\xa1\x58\x2c\x16\x25\x6e\xa1\xc6\xbf\xa2\x6c\x73\xaf\x1e\x2b\x6c\x4b\x8e\x7e\xf3\x29\xe7\xca\xd7\xdb\x91\x79\x9d\xc0\x44\xae\xcc\xe5\xf0\x6e\x80\x3a\x4d\x85\xbc\xf5\xf4\x5d\xc0\x15\xd1\x3e\x3f\x2c\x18\x92\x09\x9e\xe6\x53\x77\x7c\xa5\xf6\xc9\x2e\x41\xf4\xe3\x0b\xa3\x0f\x83\x27\x03\xdf\x08\xa4\x16\x75\x2b\x83\x1b\x46\xc5\x65\x63\x82\x0f\xce\x5e\xd3\x42\x1e\x9b\x2e\xd0\xa1\x9c\x64\xe9\xb2\xbb\x80\x81\xea\x08\x25\x5f\xda\xd2\xf2\x35\xe7\xba\xc6\x8f\x94\x6b\x34\x27\xa4\x4a\x75\x8e\x78\xda\xdd\x8e\x42\xa9\x09\xa7\x78\x51\xbf\x66\xb0\x1e\x42\x7c\x2f\xed\x94\xff\xee\x1d\x65\xe2\x17\x53\xb3\x9b\xce\x8d\xaa\xc6\xd6\xf1\x16\x96\xe0\x03\xa5\xf3\xc2\x1b\xf9\xd1\xcb\xf4\xbd\xb8\xf3\xcf\x5a\xe5\x42\xfe\x7b\x25\x5f\xb5\xae\x7b\x18\x4f\xb5\x9d\xb7\x35\x50\xd2\x93\x25\x42\x77\xb4\xf9\x4a\x71\xc9\x3a\x90\x9b\xbb\xfa\xf3\xdf\x95\xc3\xe7\xc4\x17\x0f\xe8\xb9\x1f\x9e\xcb\x86\x73\xcb\x54\x92\x75\x0e\xdf\x45\xc7\x6a\x20\xd9\x4e\x21\xb0\xd3\x61\x4d\x3a\x99\xf7\xc9\xe3\x97\x8f\xaf\x09\xe0\x67\xf6\x49\x26\x20\x4c\xd0\x90\xa9\xf1\x15\xcb\xe7\xf7\x27\xf5\x80\x99\x76\xaa\xbd\x33\x7e\x8b\x2a\xee\x42\xa9\xbf\x68\xe2\xfc\xcd\x41\x52\xb3\xd9\x83\x11\x49\xd4\x0c\x75\x46\x9f\xd9\xb0\x3f\xe1\x86\x0d\xc1\x92\x0a\xc7\xd8\x69\xed\x88\xd4\x14\x8c\xb7\x46\xf5\xeb\x32\xa2\x76\x1e\xed\x44\x73\xc5\x43\x15\xd0\xd9\x10\x44\xb6\x2a\x14\x53\x7c\x82\x5c\x8c\xf5\x78\xfb\xd6\x8c\xf8\x74\x8d\x67\x72\x2e\x27\xb8\x1f\x9f\xbc\xc1\x32\x71\xc2\x33\x35\x05\x7c\xab\xce\xd8\x62\x12\x5f\x76\x4f\x53\x21\xf5\x96\x43\x51\x43\x92\xb7\x2e\x2d\xe3\x2b\x1a\x54\xe4\x09\x6e\xf7\x3d\x06\x92\xec\x6a\x36\x5c\x03\x5d\x0c\xbf\xdf\x77\xac\x65\x0e\x7d\xe4\xc3\xdc\xc5\xa2\xf6\x0c\x4e\x08\x53\x6e\x75\xcc\xd8\x1a\x41\x42\x5a\x1d\xe4\x4e\xa2\x75\xba\xaa\x2a\x7c\xd1\x6e\xf6\x4b\x41\xcc\x71\xf8\x56\x86\x12\x17\xbf\x24\x3e\x8f\x61\xc8\x99\xf5\x6f\x4c\x64\xe1\x16\xe0\xbb\x02\x09\x86\xec\xa1\xf2\xa0\xd8\xfe\x1a\xb5\x13\x0b\x63\x9a\x7d\xb4\x1b\x54\xfd\x26\x2a\xc8\x58\x45\x2a\x2c\x79\xd8\x2d\x99\xae\x59\x79\x57\x17\x01\xdb\xb3\x0f\xc7\xae\xdf\x23\x7d\xc7\x85\xbe\xa7\x57\x6e\xde\x6c\xfe\x60\xc5\x3d\x88\xdb\x5e\x7d\xb5\x9b\x32\x14\xc8\xe7\xf0\x81\xa6\x1d\x3b\x69\x9e\xeb\x80\x2e\x6e\xf4\xe2\x98\xb8\x7a\xb2\x2a\x20\xbb\x1f\x3e\x8e\x4f\x7f\xe5\x6c\x31\x8d\x4b\xfa\x3e\xb3\x12\xb9\xf3\xe7\x59\x57\xbf\x62\x64\x7e\x30\x9c\xa0\xa5\xf6\x69\xcd\xed\xb2\xc3\x09\xaa\x72\x45\xcc\x83\x20\x77\xf6\x41\xb2\xce\xce\x61\x4f\x09\x38\xec\x1d\x45\x66\x00\xfa\x30\x06\x4f\x24\x9e\x2f\x8e\xfb\xac\xbd\x9d\x2e\xb9\x0e\x99\xfc\x09\x38\xed\xca\x24\x92\x4e\xda\xed\x9f\xbc\x50\xb1\x29\x2e\x64\x75\xa5\xb4\xf3\x8b\xfd\x37\x94\x01\xee\xda\x87\xb2\xd1\x7d\xe0\x3c\xeb\x23\xd7\x88\xdb\x69\xb5\x48\xae\x24\x56\x98\x9b\x8a\x51\x89\xd3\x80\x02\x03\x89\x0e\xb9\xa0\x49\x1a\x20\xf4\x46\x03\xc8\x81\xff\xb0\x64\x7e\x7f\xf2\x91\x13\x9e\x80\xa5\xc4\x6a\xeb\x43\x22\xe5\x93\x56\xd9\xfb\x1e\x6d\xd3\xdf\xfe\xfd\x4d\xf3\xe3\x5e\xac\x72\xf2\x92\x17\x74\x77\x1b\x8e\x28\x8a\xdb\x81\x8c\x85\x60\x55\x4a\x7a\xe3\x64\x7a\xe4\x9b\xaa\x80\x77\x6b\x74\x7a\xbc\x82\xdc\xf9\xe4\x08\xe8\xfd\x14\x47\x2d\x3a\x5d\x7e\xe0\x14\xa7\xba\x43\x74\x30\x6a\x6e\xad\xe2\xdf\x58\x03\x89\xca\xd9\xf5\x48\xbc\x42\x76\x9b\x27\xc8\xc4\xae\xfd\xdb\xea\x9c\x3d\x89\xd9\x96\x05\x51\xcf\xcb\xfe\x37\xc2\x14\xcb\x5f\xb3\x1d\x98\x35\xf1\xf8\xa8\x85\x7e\x53\xb3\x6e\x91\xbf\xe3\xa2\xe3\x55\x9d\x38\x38\x05\x0a\xfd\x13\xbf\xc6\x92\x45\x87\xc8\xd2\x2c\x21\xc2\xdf\x3c\xb2\xa0\xe0\x6f\x01\xf2\x31\x03\xc4\xb6\x95\x5a\x98\x5a\x7b\x26\x34\x7a\x6a\x9d\x17\x8e\x83\x5e\x77\x53\x65\xd4\x1f\xe3\x44\x3a\xe7\x99\x70\xda\xc3\x82\xa3\x2a\x59\x7c\x3d\x56\x7d\x05\x11\xb5\xdc\xdb\x4e\xbd\x12\x71\xdb\x6e\x67\x5a\x4f\x34\x3f\x95\x01\xf1\x0a\xb4\x72\x37\x38\xbe\xbb\x63\x66\x24\x1c\xd6\x02\x67\x3f\xf9\xc7\x69\x12\xde\x61\x41\xc5\xcd\x4f\x2e\xf9\x5e\x7e\xfd\x66\xdd\x51\xb5\x65\xdd\x50\x03\x5f\x8f\x7e\x86\xb5\x76\xd5\x12\x94\x81\xae\x75\xf7\xa9\xb7\xcf\x03\x3a\x40\x25\x02\xd5\xd1\xb5\xaa\x41\x15\xba\x1b\x84\xf7\xf2\xcc\x28\x4e\x3f\x63\x6a\x23\x4f\x40\xe0\xaa\x11\x8c\x8f\x9d\x0c\xe6\xfb\x7e\xe6\x13\xcc\x2f\x1c\xc7\xec\xc2\xe2\x64\xb2\x57\x3a\xc3\xdc\x26\x4a\xaa\x27\x64\x3a\x48\x3a\x1c\xb3\x8e\x2b\x02\x37\x77\x5e\xca\xed\x62\x6f\x7c\xb8\x9b\xc5\x63\x49\x2f\xfe\x1e\x5a\xe6\x40\x1c\xd8\x2a\x9a\xd0\xfb\xc3\x2f\x7b\x5b\xd3\x02\x9b\xda\xb7\x2a\x8d\x47\xf3\x4b\x37\x01\x1e\x9f\xba\x52\x07\x5a\x56\xb8\x9f\x29\x63\xed\xca\x79\x69\x30\xa4\x99\x8c\x75\x5d\xa0\xd2\x51\xda\x98\x5a\x18\x29\xcd\x10\xce\x76\x65\xd2\xb3\x64\x77\x6b\xd6\xc7\x6e\xf9\x97\x8f\x80\x0b\x45\x3f\xa7\xc2\x70\x48\x38\xdd\xe0\x5f\x2f\x64\x89\xf3\x1e\x35\xf6\xd7\x31\xc2\x67\x8f\x32\x85\x07\x0f\x29\x7c\xb3\xbc\x03\xc0\xa0\x12\xb2\x2f\xca\x31\x29\x55\x76\xac\xc3\xe6\x79\xbb\xcb\xa5\xfc\xeb\x7e\xe7\x69\x27\x49\xfc\xc5\x84\x95\x61\x4e\xb4\xa7\xf3\xa1\xfa\x7f\x21\xa6\x55\x17\x2d\xa2\x8c\xa9\x16\x29\x2d\xc7\x48\x48\x34\xc3\x1a\x3e\x5f\x54\x91\x2f\x10\x27\x1d\x58\x67\xe5\x7b\xc4\x64\x66\xd7\x81\xbb\xb5\x02\xef\x32\xed\x8b\x2b\x44\x52\xa5\x8e\x21\x2e\x7d\xb8\xae\xe5\x73\xdc\x62\x52\x14\x2e\xc5\xbf\x26\x83\xde\xd9\xa5\x8b\x60\xcf\x78\x83\xef\x04\xbd\x50\x2e\x3d\xf2\xd6\x21\xbe\xc0\xe7\xfc\xaf\x67\x26\xe8\x4f\xb1\xc6\x95\x37\x22\xc7\xb8\x52\x3d\x4c\xb6\xe4\xb5\x5b\xc3\xd1\x96\xc7\x93\xc4\x48\x58\x81\x4b\x02\x9e\xb2\x3e\x8f\x80\xb6\x6a\xef\xdd\x8b\xe2\x15\x41\x22\x86\x08\x85\x2f\xc3\x54\xf7\x56\x05\xae\xef\xb8\x28\x97\x1d\xef\xa6\x8e\x28\xcd\xc6\x94\xb2\x4f\x2f\x46\x1c\x70\x7d\x27\xb9\x8d\xa4\x00\x0f\x9c\x82\x3e\xbb\x33\x84\xc5\x0d\x6e\x41\xe5\xdd\xaa\x60\x1b\x69\x6f\x41\xa9\xba\x4f\xee\xe0\x88\x52\x87\x4b\xf0\xe3\x1d\x20\x15\x28\x95\xe1\xda\x84\xa9\x4d\x52\x9a\x19\x4b\xe5\x3a\x88\x63\x04\xe7\xe3\x60\xa6\xa4\x0d\x2d\x40\x74\x90\x5b\xbf\xd0\x6e\x37\x13\x37\x5b\x31\xbc\xca\x23\xf4\xdb\x67\xda\x9b\xf6\x92\x0a\x5b\xb4\x48\x85\xdc\xc3\x08\x6c\xa7\x89\x5c\x10\x69\xdd\x35\xf1\x89\xe5\x7c\xe6\x0f\x8e\x0b\x0b\x5d\x33\x7b\xd6\x69\xd3\xde\xac\x1f\x01\x15\x57\x0a\x5f\xa6\x50\x5f\xac\x83\xc6\x21\xc4\x6f\x69\x3d\x84\xdc\x77\xe2\x14\x8e\x88\x7a\x82\x2d\x86\xc8\xc0\xff\x4c\x00\x48\x5c\x7f\x37\xa5\x19\x8c\x69\xc8\x81\xc1\x58\xb7\x44\xfd\x09\xcc\x76\xc0\x57\x4f\x4a\xca\xad\x64\x62\x04\x55\x27\x74\xe9\x8e\x17\xc3\x99\x8e\x34\xe7\x56\x28\xda\x26\x30\xa5\x31\xcf\xe9\x27\xd3\xc5\x5e\xf0\x2d\xf3\x37\x7e\xab\x25\x14\x35\x89\xa5\x0a\x07\xa3\x29\x06\xe7\x14\xea\x42\x58\x4b\x3d\x69\xd7\xdd\xda\x2f\xc0\xfa\x48\x6a\x0e\x93\xba\xf7\x8f\xf1\xb3\x5d\x98\xc0\x82\x38\x41\x23\x0a\x26\xb5\x21\x20\xa4\x45\x11\x5a\xdb\x78\xd8\xfd\x99\xb7\x1a\xb8\x6b\xd2\x7a\xae\xcd\x16\x59\xe8\x9f\x99\xef\xa5\x4f\x87\x64\xc2\xf4\xbc\x01\x97\x5a\xce\x6f\x35\xd2\x7c\x2d\x18\xc7\x13\xa9\x94\x71\x79\x21\x18\x19\xdc\x42\xf7\xcf\x3f\xe6\xb5\x46\x67\x4f\x14\x46\xf0\xc8\x1a\xa0\x82\x77\xec\x6b\x14\x0e\x14\xb6\xe4\x36\x07\x82\xbd\x17\xd0\x32\x55\x20\x8c\xac\x91\x7a\x5f\x8a\xc0\x3e\x6e\x8d\x13\xd0\xe6\x2d\x11\xbf\x55\xd0\x0b\x3f\x8f\x1e\x80\xb8\x55\x1b\xd7\xb6\x5b\x62\x84\xd1\x56\x6c\xdf\xdf\x43\x07\xa5\xee\x5c\xe8\xbd\xd6\xfd\x04\xa3\xed\xb4\x87\x1b\xa9\x7a\xa0\x1d\x67\x3a\xf3\x37\x69\x8f\x0a\xda\x53\xca\xb9\xbd\xf9\xf6\x31\xd0\xcc\xb7\x61\x7f\xf1\x3e\x0a\x3b\x37\x85\xed\x26\xdb\x72\x2e\x16\x32\x71\xb1\xf5\xe4\x69\x00\x05\x24\x94\x27\xbd\x44\x36\x2c\x66\x31\x15\x72\x86\xdb\xe4\xac\x19\x62\x0b\x55\xa6\x4f\xa6\x95\x8f\xe3\x2f\xf1\x3b\x1a\xdd\xfd\x7f\x56\xa1\x6f\x79\xda\xf4\xe9\x27\x87\x27\x57\x8d\x01\x54\x11\x8f\xe5\x91\xa0\xd8\x9a\xf0\x7d\x8b\xc3\x58\x2c\xf5\x1a\x01\x76\x6d\x9c\x9e\xe3\xf8\xf8\x0b\x58\xe8\x6f\xdf\xbb\x47\x70\xe6\xcf\x25\x54\xb0\xd9\xe0\x76\x99\x28\xc4\xa2\xf3\x83\xaa\xa5\x25\xdd\xf4\x73\x4f\x4c\xb1\x99\x96\xbe\x80\xb4\xc9\x1f\x91\xbb\xca\x60\x94\xab\x91\x0b\x66\x52\x41\xe2\x9b\x3d\x48\x78\x4f\x80\xd3\x2d\x21\x61\x34\x7d\x2b\xfd\x79\x1a\x66\xc6\xe8\x24\xf2\x30\x8b\x07\xf7\x67\x25\x0d\x11\x62\x6d\xbd\xcc\x96\x13\x68\x3e\x46\xcd\xc9\x90\x3a\xa0\x84\x88\x03\xb4\xa3\xdf\xb1\xfc\x9b\x35\x0d\x47\x16\x4e\xc5\x9d\xb3\x65\x1e\x1f\x5f\x9a\x5c\xc1\xad\x48\x46\x54\xac\x3a\x7f\x01\x3b\xad\xb6\xa0\xab\x87\xef\xfa\xff\xd5\x26\xa5\x3b\xea\xd6\x59\xa1\x5d\xc2\xfd\x63\x1d\xcd\x84\x3e\xc3\x41\x80\x4a\x56\x3d\x06\xff\x6c\x56\x31\xdd\xa5\x04\x4b\x9a\x99\xdc\x77\xbc\x4a\x4f\xe3\x26\x79\x8d\x67\x2d\x45\x07\x27\xe8\x1e\x49\x15\x33\xe6\xa2\x11\x21\xe3\xb8\xe5\xcd\xe3\x5f\xb8\x4e\x74\xfe\x50\x11\x89\x62\x35\xfe\x05\xf3\x35\xbf\x12\xe3\x17\x24\x01\x91\xe7\x42\xdf\x94\x38\x75\x29\x84\xfb\xc6\x97\xa5\x3b\x39\x50\xe2\x6b\x3d\xa9\x03\x1d\xc2\x34\xe8\x43\x32\x6d\x04\xfe\x09\x6b\x1c\x89\xce\x93\xbc\x6c\x5a\x60\xd7\xe6\xf0\xc5\xe8\x43\x8f\xd1\x0f\xa6\x6b\x3e\xef\x5d\xf7\x9a\x3d\xf5\x15\x24\x5e\x2f\x37\x0b\x91\x3b\x93\x33\x87\x59\x06\x01\x54\x60\x28\x3f\x87\x3b\x82\xb7\x91\xfb\x4d\xb7\x1a\xa4\xf5\x7d\x81\x82\xbd\x91\x46\x13\xba\x4d\x85\xf2\x49\x0b\xb9\xbf\xc6\x94\x0c\x5c\x49\x86\xc5\x44\x30\x8c\x3a\xc2\x2b\x79\x5f\xcb\x0b\x5a\x06\x2d\x3a\x15\xae\x30\xf6\xb7\xac\x27\x1b\xf9\xaa\xc4\xbd\xcd\x94\x9a\xae\xe1\xd7\xbd\xc8\x89\x5e\xea\x12\xda\xea\x16\x18\x5d\x86\x9d\x6c\xbd\x97\x1c\xcf\x16\xe4\xda\x5d\x70\x37\x64\x37\xa2\x0b\x6e\xa6\xc3\x5c\x50\x7e\xae\xe0\xa0\x22\x1c\x70\x52\x7d\x69\xc5\x7e\xb3\x55\x1c\x61\x73\x20\xed\x3f\x81\x7e\xe2\xa6\x99\x88\x12\x09\x64\xb3\x31\x13\x74\x06\xdd\xe2\x02\xc2\x43\xa9\x1a\x0d\x81\x0d\x16\x13\xac\x87\x09\xb2\x6a\x0e\xcc\xdd\xd7\xfc\x75\xa0\xd8\x18\x27\x6c\xb4\x95\x3b\xb8\x05\x76\x26\xf2\x3b\x72\x1d\x60\x73\xd7\x65\x86\x39\x7a\x8f\x05\xd0\x60\xd4\xe2\xdf\xcf\x14\xde\x48\xfa\xda\xae\x6e\xcb\xd5\xfb\xfe\x95\x8a\x2f\x93\x1c\x53\x1e\xa3\x25\x18\x2e\xd2\x98\x72\xa3\xdf\xec\x46\x90\x74\xbc\xda\xbb\x2a\x1a\x13\xfe\x24\x66\x7e\xfa\xaa\x26\xc5\x05\x19\xaa\x93\x35\xd3\x06\xfd\x23\x37\x99\x39\x74\x3a\x10\xac\x90\xd3\x17\x1b\x3b\xd0\x6a\x5b\x46\x3a\xd1\xb6\x12\xef\x3d\x54\xf5\x3f\xdd\xff\x55\xa8\xea\xef\x0b\x6f\x78\x77\x9d\x94\x8f\x7a\xa4\x59\x8a\x1d\xcf\x72\x6a\xaa\x45\xb9\x9d\xa0\xbc\xa1\x96\x81\x2f\x9c\x59\x98\x60\x84\x89\xe8\x0d\xde\xf1\x3a\x4b\x8e\xb0\x30\xc7\x17\x42\xc3\x04\x66\x5e\x15\xa9\xf5\x6a\x77\x67\x9e\x7c\x4d\x70\xaa\x84\xa5\x34\x66\xbc\x5f\x50\xd5\x5a\x67\x6e\xae\x3c\xdf\x86\x29\x36\xc8\xb2\xf3\x45\x1e\x21\x87\xb7\xae\x8a\xe1\x44\x6e\x09\x01\x42\xcb\x89\xe4\xee\x09\xe4\x0c\xd4\xa0\xfe\x82\x0e\xc2\x84\x50\xed\x7e\x7a\xe2\xe0\xe4\x7a\x3d\x40\x54\xa4\xac\xf5\x36\xe9\xa3\xef\xb8\xfb\xf5\xd0\xd6\xfb\xc6\x9a\x51\xba\xd4\xa6\x72\x3d\x62\xc8\x31\x1e\xc2\x24\xec\xc7\x10\x48\xbc\x16\xf9\x80\x5d\x91\x7a\x8a\x62\x94\xc0\x38\xb2\x84\x2d\x61\xde\x81\x0d\xb1\xb1\xa6\xf3\x77\x20\xd3\x01\x1f\x5e\x55\x80\x38\x50\xb6\xaa\x0c\x4b\xab\x3c\x81\x2c\xd7\xdb\xab\x18\xa7\x32\xac\x8e\x16\x7c\x49\xec\xc8\x35\x93\x88\xa9\x50\x80\xcb\x1d\x79\x6c\x32\x4f\x1a\x9c\x37\x95\x74\x9a\x36\x68\x23\x57\x60\x1b\x26\x0d\x85\xc7\x10\xdd\x0c\x67\x17\x3a\x8e\x4c\x1a\xa1\xe9\x5d\xdb\x86\x0e\x37\xc4\x4c\x99\x0e\xc5\xd1\x1c\x0e\x71\x90\x7c\x3e\x5e\x5f\xd2\x47\xfa\x32\x1d\xe9\x2d\xb5\x06\x84\x50\x6e\x82\x94\x47\xa8\xc8\x59\x09\xd2\x39\x7e\xc1\x1b\xbe\x06\x13\xa4\xd8\xaf\x44\xc2\x09\xbc\x45\x70\x29\x3e\x9c\xf7\xba\x6f\x47\x75\x4f\xd0\x50\x6e\xc3\x4a\xf2\xf9\xef\x20\x25\x0e\xdc\x01\xf9\x7b\x83\x74\xd8\x2c\x75\x09\xa2\x31\xb0\xd5\xc9\xb0\x85\xf9\x94\x8e\xfc\xe6\x8c\x57\x12\xf9\x6a\xfc\xf4\xf9\x2a\x1e\xb3\x49\x34\xb1\xd6\x64\x34\x41\x04\x33\x7c\x2b\x50\x28\xc8\xc7\xd6\xd7\xe6\x2e\x74\xcf\x28\x3d\x61\xda\xc1\xad\x87\x21\x50\x5c\x48\x84\xa8\x1c\xf6\x92\xaa\x33\xf8\x01\xcb\xc7\xee\xe1\xae\x61\xbd\x4c\x96\xa4\xb1\xad\xb8\x8f\x24\xb0\xa5\xe7\x81\x5c\x53\x7b\x25\xb8\xbc\x2e\xe2\x83\xe4\xe0\x5f\xa0\xf1\x57\xf1\x94\xf5\xb2\x2d\x6d\x02\x67\xfb\x0f\xd5\xab\x10\xbe\x22\x30\xcd\x21\xf8\x70\xe0\xe6\x51\xb5\x74\x7b\xb7\xf4\x59\x3e\xf5\x2c\x8a\x2e\x51\xd5\x09\x3e\xe1\x40\x5e\x49\xbb\xa6\xb3\x6c\xf9\x7f\x0b\x2f\x71\x50\xa1\x0a\xb7\x66\x94\x78\xa4\x83\x1f\x9c\x5e\xe6\x79\x0e\x91\xe9\x3b\x0e\x81\x4b\xc3\x14\xb0\x62\xc6\x8a\x3d\x36\xcf\x48\xda\x34\x9b\x02\x23\x80\x27\x22\xd7\x6b\x8b\xde\x97\x98\x2f\x78\xdd\xda\xb0\x64\x08\x4b\x3e\xea\x0a\x33\x5b\xd0\xdd\x84\x61\xb1\x05\x81\xd4\xa9\xaa\x69\x9d\x54\x2d\xba\x4c\xa8\x46\x4f\x62\xad\x3b\x9c\xd7\xe8\x20\x26\xa3\xfd\x15\xc2\xbd\xb3\xe3\x0a\x76\x43\xe8\x2f\x2c\x8e\x76\x44\x98\x86\x69\x89\xe2\xfe\x5a\x9e\x89\xc2\x37\x40\x4a\xad\x6b\x55\xc2\xbe\x45\x8e\x3f\x65\x47\xf7\x27\xf0\xb2\xc9\x05\x2d\xe4\x83\x9a\x6b\x5f\x03\xf5\xa7\x88\xe5\xa1\x4d\x84\x48\xee\x25\xb3\xdf\xf6\x90\x02\xd5\xfd\xa5\xca\xfe\x5b\xed\x82\x60\x28\x5b\x61\xce\x3c\x53\xc1\x62\x88\xef\x8a\xf1\x75\x9f\x63\x13\x60\xae\xe3\xbd\xc5\xeb\xfc\x22\x9b\x96\x7d\x19\x37\x99\x65\x53\x95\x24\x09\xf5\xf5\x86\x08\x20\xfd\xd2\xed\x84\x6d\xab\x93\x1b\x2d\x19\xfd\xda\x50\x69\x3a\x92\x6a\x41\xe5\x60\x60\xf2\xd6\xc1\x3c\x12\x5c\x0c\x4b\x08\xe4\x75\xa9\x92\xcc\xe4\xb5\x1e\x0f\x76\xeb\xc3\xc7\x36\x2f\xb1\xbb\x0b\x98\x05\x33\x2c\x16\x2e\x1e\x09\xd1\xff\x0e\xb7\x3b\x24\xe4\x0d\x61\x88\x13\x6b\xbc\x6e\xf8\xa3\x6f\x63\x2e\xa3\x2e\xa4\xc0\x61\x99\x18\x1d\xbb\x78\xf3\x99\xf4\x7d\xfb\x46\x33\xd0\xf0\x76\x8e\xe3\xd3\x3b\xef\xdc\xc3\xc0\xfa\x08\x9c\x21\x82\xd6\xa8\x5b\x27\x21\x35\xea\xe3\x43\x6b\xfa\x09\xb1\x8b\x10\x21\xf3\x70\x97\x99\x4a\xd7\x1a\xc9\x4c\x97\x44\x8e\x2b\x25\x2a\x75\x86\x16\xc1\x5f\x09\x66\x44\x7d\xe5\xd6\x48\x71\x05\xfa\x40\x80\x42\xc9\x0a\x9a\x89\xce\x90\xf0\x72\x8d\x7d\x76\x7c\x47\x2f\x60\xa1\x74\x0c\x77\xc0\xa6\x4a\xf3\xad\x4f\x94\x54\x4e\xbb\x3d\xe7\x94\x20\x1d\x17\xd6\x39\x97\x65\xe0\x55\xa5\xb9\x4d\x56\x9c\x66\x18\xe1\x14\x27\x5c\xfe\x79\xc2\x63\x63\x69\x42\x4e\x01\xca\x8b\x8e\x3a\x53\x0b\x92\x43\x16\xf4\x3d\xf7\xe4\x3c\xd0\x70\xd1\xb0\x9e\x8c\xc1\x84\xac\x7a\xe9\x79\x11\x9a\xae\x40\x15\x5a\x2a\x67\x32\x9e\x18\x72\x2c\x3d\xc7\x2d\xee\x00\x49\xeb\x4c\x29\xb3\x06\xdc\x81\xde\x1a\x19\x67\xcf\xe1\x7e\x97\xca\x47\x65\x62\xca\xd4\x3e\x84\xab\x3e\xc6\xe7\x6d\x35\x88\x29\xba\xad\x98\x22\x41\xd0\xdb\x74\x45\x45\x4f\x6a\x40\x54\x05\x05\x7b\x57\xfb\x93\xdf\xbd\xc8\xda\xe5\xb3\x0c\x64\xcd\x22\x0d\xc4\x8f\xdb\x56\x67\xa3\xc0\x65\xf4\xb3\x08\xbd\x07\x6f\x95\xc8\x10\xe9\x1d\x5b\x2b\x92\x11\x26\x12\x85\x20\x02\x8a\x70\x0e\x50\x6d\xa6\xc7\x61\x7f\x62\x42\x42\xa5\x9b\x87\x4d\x06\x04\x09\x11\xd5\x34\xa0\xe1\x5a\x51\x95\xfd\x8d\x9c\xb4\x65\x17\x62\x75\x11\x95\x40\x03\x48\x92\xcc\x6e\x6a\xaf\x17\x4b\x06\x43\x56\x25\xf9\xbd\xe8\xe6\x99\xe2\x8c\xbe\xed\x2b\x9a\xe0\xfc\x68\x4c\xbd\x8c\x77\xbf\x83\x80\x86\x45\x03\x95\xf2\x2c\xd0\x25\xc7\x04\x60\x39\x4c\xc2\x19\x78\x9f\xc7\x56\x83\x79\xdf\x98\x56\x58\x3f\x79\x6c\x8a\x29\x44\xb8\x57\x07\x7b\xd2\x9f\x54\x78\xe8\xb3\xbd\xf9\x16\xe6\xd6\x79\x63\xf8\xc0\x39\xba\x46\x9b\x60\xd0\xa2\x4e\xdb\x6f\x9e\x00\x40\x2b\x6f\x28\x6d\x88\xa4\xfc\x10\xbf\x76\x4d\x8c\x37\x25\x27\x10\xcb\x47\xb5\x69\x37\x08", 4096); *(uint64_t*)0x200000004690 = 0x200000004580; memcpy((void*)0x200000004580, "\x82\x07\x18\x73\x3b\x49\xda\xf8\xed\x80\xb0\xed\x25\x77\x2d\x57\xd7\x74\x35\xef\x1d\xa1\xca\x4f\x19\x30\xad\x4e\x71\x3b\x84\xd4\xc1\xa2\x4c\x71\x2f\x02\xe0\xb8\x6d\x18\x42\xc1\x64\x41\x5a\xa9\xe4\x90\xe6\xc8\x23\x0a\x89\xe3\x09\xfa\xf0\x7d\x23\x9d\xd7\xcd\x35\xda\x5c\xb5\xf3\x69\x19\xdb\x06\xdf\x51\xa5\xa9\xc5\xfc\x80\x49\x89\x7d\x04\xbb\x73\x17\x25\xff\x5f\x5d\x98\x47\x6e\x15\xb1\xdb\xab\x8c\xdc\x40\x5c\x2c\x17\x36\x58\x05\xe2\x7a\x61\xa5\xf0\x61\xe7\xea\xd1\x00\x27\x2f\xe2\xd9\xbd\x8c\xae\x4a\x26\x1b\x45\x19\x19\xeb\xb9\x27\x20\x4c\x1f\x63\xa8\x90\x81\x47\xb9\x98\x35\xba\x99\x43\x78\xa3\x2f\x9f\x11\x03\x57\x4a\x08\x93\x4f\xbc\x79\xd3\x1a\xaf\x13", 164); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000004640ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004644; r[13] = *(uint32_t*)0x200000004648; } break; case 22: res = syscall(__NR_geteuid); if (res != -1) r[14] = res; break; case 23: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000046c0ul); if (res != -1) r[15] = *(uint32_t*)0x2000000046dc; break; case 24: *(uint32_t*)0x200000004740 = 0x600b; *(uint32_t*)0x200000004744 = 0xf; *(uint32_t*)0x200000004748 = r[3]; *(uint32_t*)0x200000004750 = 0xee00; *(uint64_t*)0x200000004758 = 6; *(uint64_t*)0x200000004760 = 3; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000004740ul); if (res != -1) { r[16] = *(uint32_t*)0x200000004748; r[17] = *(uint32_t*)0x200000004750; } break; case 25: *(uint32_t*)0x2000000048c0 = 1; *(uint32_t*)0x2000000048c4 = 0; *(uint32_t*)0x2000000048c8 = 0xee01; *(uint32_t*)0x2000000048cc = 3; *(uint32_t*)0x2000000048d0 = 6; *(uint32_t*)0x2000000048d4 = 0x10; *(uint16_t*)0x2000000048d8 = 1; *(uint32_t*)0x2000000048dc = 0xfffffffb; *(uint64_t*)0x2000000048e0 = 0xffffffffffffffa8; *(uint64_t*)0x2000000048e8 = 0x800100000; *(uint64_t*)0x2000000048f0 = 0; *(uint32_t*)0x2000000048f8 = 6; *(uint32_t*)0x2000000048fc = r[5]; *(uint16_t*)0x200000004900 = 0x40; *(uint16_t*)0x200000004902 = 0; *(uint64_t*)0x200000004908 = 0x200000004780; memcpy((void*)0x200000004780, "\x1f\x8a\xa3\x8b\x61\x93\x8f\xb7\x29\x9a\x96\xae\xe6\x1f\x6c\xfc\x70\x19\x0f\x9d\xf3\x01\xd4\x0c\xcf\x55\x77\x95\xfc\x00\xd7\x75\x9e\xfa\x4a\xd1\x66\x1c\xbb\x0d\x54\xc3\x10\xaa\xbc\xc2\x92\x85\xc2\xce\x84\xfc\xbe\x97\x40\x7d\x84\x9e\xde\xc2\xf5\x98\xb2\x05\xfa\x5e\xa2\x46\x0d\x0f\x61\x5a\xd8\x7e\x7e\x26\x05\xe8\x10\x1f\x58\xad\xb6\x2e\x17\x8c\x78\xc4\x54\x58\x0a\x55\xd6\x3f\x5e\x1d\x11\xf9\x32\x25\x0d\x1f\xef\xd4\x51\x95\x45\x15\x88\xbf\x53\x0d\x73\xd8\x30\x76\xa9\x3a\x28\x9b\x61\x3b\xc6\x8b\x49\x90\x54\x23\xd7\xd5\xac\xe8\x01\x62\x92\xe8\x03\x77\xfe\xd1\xb5\x88\x77\xd9\xc4\xd0\x4e\xa0\x5b\xa8", 150); *(uint64_t*)0x200000004910 = 0x200000004840; memcpy((void*)0x200000004840, "\xb7\x37\x6d\x34\xb8\xa4\xcc\x32\x66\x7d\x88\x59\x91\xbb\xbc\x68\x28\xd0\x8b\xd6\x69\xe6\xaf\x09\xfe\x1e\x55\xbb\x32\xd8\x85\xd2\x17\xaf\xb9\x56\x45\x97\x63\x90\xdd\x73\x08\xc5\x04\xc5\xd3\x99\x53\xa7\x83\xb0\x65\xbd\x4f\x0a\x72\xbf\xaa\x17\x6a\x0d\x2a\xce\xe5\xc8\xe4\x1f\xf9\xb6\x92\xa4\x1d\x01\x0c\x7b\x34\x59\xf8\x4c\x72\x1c\xdc\x4c\x7d\xad\x40\xcd\xb1\x71\xae\x49\xa5\x56\xc9\x8b\x5e\xda\x14\xdb\x8d\x4c\xdc\xc0\xb4\x7f\xa7\x5b\xc9\xfa\xa1\x71\xe6\x8b\x70\x0c\x49\x60\x22\x25\x16\xf6\xd5", 123); res = syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0xb, /*buf=*/0x2000000048c0ul); if (res != -1) { r[18] = *(uint32_t*)0x2000000048c8; r[19] = *(uint32_t*)0x2000000048fc; } break; case 26: *(uint32_t*)0x200000004a80 = 8; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0xee00; *(uint32_t*)0x200000004a8c = 0x5c6; *(uint32_t*)0x200000004a90 = 0x1000; *(uint32_t*)0x200000004a94 = 2; *(uint16_t*)0x200000004a98 = 0; *(uint32_t*)0x200000004a9c = 0x326; *(uint64_t*)0x200000004aa0 = 3; *(uint64_t*)0x200000004aa8 = 3; *(uint64_t*)0x200000004ab0 = 7; *(uint32_t*)0x200000004ab8 = 1; *(uint32_t*)0x200000004abc = r[5]; *(uint16_t*)0x200000004ac0 = 0x300; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000004940; memcpy((void*)0x200000004940, "\x8d\x80\x00\x08\x98\xd8\x1f\x2a\x2a\x53\x7f\xc2\x1c\x52\x02\x3b\xc6\xee\x66\x95\x4a\x12\xa9\x3f\x24\x18\xcd\x8b\x0b\x69\x06\x7e\x3f\xfb\xce\x8f\x5d\x74\x31\xe0\x01\xed\x25\x5f\xb5\xed\x78\x43\x74\xaa\xd3\x0a\x67\x50\x0f\x8f\x6c\x04\x2b\xf9\xe6\x67\x06\x60\xd4\x25\xf7\x61\x1c\x7e\xcd\xfc\x45\x0c\x05\xef\x9c\x0a\x65\xc6\x2d\xc2\x21\x5f\xec\x7c\x02\xb7\x12\xde\x12\xf5\x05\x3e\x2c\x3f\x60\xd7\x80\xfa\xfc\x4d\x1a\xc2\x21\xca\x09\x07\x54\x29\x32\x88\x9c", 113); *(uint64_t*)0x200000004ad0 = 0x2000000049c0; memcpy((void*)0x2000000049c0, "\x9c\xcf\xda\x86\x9d\xeb\x66\x1f\x5f\xc9\xba\x8f\x62\xd2\x9a\x4e\xa3\xbe\x92\x86\xf7\x7e\xf1\x11\x78\xf9\x6e\x25\xe8\xbd\x88\x8e\xcc\x08\xd4\x52\xe9\x47\x31\xdc\x6e\x97\xd3\x9a\xb9\x81\x4e\xec\x35\x7a\xcb\xb7\xad\x42\x32\x89\x93\x15\xb7\x4d\xf9\xb4\xdf\x71\x30\x2a\x48\x2e\x3c\x52\xfc\x98\x81\x62\xd5\x71\x39\xe6\x91\x02\x87\x53\xaa\x86\xb2\x0c\xbc\x06\x0c\xea\xf9\xde\x31\xcf\xbd\xfa\xdb\x28\x02\x23\x28\x70\x09\x02\x86\xf9\x0b\x42\x6c\x18\x86\x6f\xb6\x2b\xb4\x66\x2a\xc9\xcf\x93\x8b\x12\xc2\xb3\x80\xa1\x32\x4d\x83\x13\x57\x5e\xad\xbc\xec\x1a\x33\x83\x27\x33\xdc\x87\xa6\xf8\xef\x25\x23\x0f\xc8\x15\xe2\xb6\x75\x6e\x60\x14\x4a\x41\x19\x57\x69\xee\x48\xe2\x1d\x49\x7f\x0e\xb1\x9a\xa1\x24\x19\xeb\x80\x45\xac\x2c\xad\xa3\x87", 181); res = syscall(__NR_shmctl, /*shmid=*/0xfff, /*cmd=*/0ul, /*buf=*/0x200000004a80ul); if (res != -1) r[20] = *(uint32_t*)0x200000004a84; break; case 27: memcpy((void*)0x200000004b00, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000004b00ul, /*statbuf=*/0x200000004b40ul); if (res != -1) r[21] = *(uint32_t*)0x200000004b5c; break; case 28: res = syscall(__NR_getuid); if (res != -1) r[22] = res; break; case 29: res = syscall(__NR_getuid); if (res != -1) r[23] = res; break; case 30: memcpy((void*)0x200000004bc0, "./file0\000", 8); *(uint64_t*)0x200000004c00 = 2; *(uint64_t*)0x200000004c08 = 3; *(uint64_t*)0x200000004c10 = 5; *(uint32_t*)0x200000004c18 = 6; *(uint32_t*)0x200000004c1c = 0xee01; *(uint32_t*)0x200000004c20 = 0xee01; *(uint32_t*)0x200000004c24 = 0; *(uint64_t*)0x200000004c28 = 0; *(uint64_t*)0x200000004c30 = 1; *(uint64_t*)0x200000004c38 = 0x5f2b; *(uint64_t*)0x200000004c40 = 0xffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint64_t*)0x200000004c58 = 0x80000001; *(uint64_t*)0x200000004c60 = 5; *(uint64_t*)0x200000004c68 = 0xcc8; *(uint64_t*)0x200000004c70 = 6; memset((void*)0x200000004c78, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000004bc0ul, /*statbuf=*/0x200000004c00ul); if (res != -1) r[24] = *(uint32_t*)0x200000004c20; break; case 31: *(uint32_t*)0x200000004dc0 = 2; *(uint32_t*)0x200000004dc4 = 0xee00; *(uint32_t*)0x200000004dc8 = 0xee00; *(uint32_t*)0x200000004dcc = 0x401; *(uint32_t*)0x200000004dd0 = 9; *(uint32_t*)0x200000004dd4 = 6; *(uint16_t*)0x200000004dd8 = 8; *(uint32_t*)0x200000004ddc = 0; *(uint64_t*)0x200000004de0 = 8; *(uint64_t*)0x200000004de8 = 0x101; *(uint64_t*)0x200000004df0 = 4; *(uint32_t*)0x200000004df8 = 0xffffff46; *(uint32_t*)0x200000004dfc = 8; *(uint16_t*)0x200000004e00 = 2; *(uint16_t*)0x200000004e02 = 0; *(uint64_t*)0x200000004e08 = 0x200000004cc0; memcpy((void*)0x200000004cc0, "\x00\xb8\xfc\xb8\xc5\x1e\x1a\xf1\x5f\x5b\x1d\x2c\x15\x82\x1b\xb8\xf4\xe8\x46\xf2\x0d\x66\x2d\xad\x19\xa0\xe5\x94\x29\x99\x48\x59\xbb\x1d\x0b\x6c\x63\xef\x69\x44\x16\xac\xb4\x94\x49\x4c\x66\x18\xf9\x85\x73\xd3\x70\xcc\x43\x50\x65\xec\x4d\xa9\xef\xd3\xf6\x76\x26\xf4\x4c\x18\xb9\x6b", 70); *(uint64_t*)0x200000004e10 = 0x200000004d40; memcpy((void*)0x200000004d40, "\x23\xc6\x65\x18\x78\xdd\xaa\x08\x5a\xe0\xbd\xfb\x7c\xcb\xb0\x8b\x71\xaf\x34\xf9\xf1\x56\x5e\x8a\xc7\x7c\x52\x93\xba\xdd\xfe\x69\xea\x20\xac\xed\x26\xde\x58\x66\x4b\x32\xeb\xf6\xf7\x34\xd3\xf7\xf6\x92\x06\x5f\xe4\xf9\x9e\xa2\x83\x36\x2b\x12\xf9\x6c\xb9\x72\x63\x2e\x80\x27\x3d\x01\x46\x87", 72); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xbul, /*buf=*/0x200000004dc0ul); if (res != -1) r[25] = *(uint32_t*)0x200000004dc4; break; case 32: *(uint32_t*)0x200000004ec0 = 0; *(uint32_t*)0x200000004ec4 = 0xee00; *(uint32_t*)0x200000004ec8 = 0; *(uint32_t*)0x200000004ecc = 0x19; *(uint32_t*)0x200000004ed0 = 6; *(uint32_t*)0x200000004ed4 = 7; *(uint16_t*)0x200000004ed8 = 0x53; *(uint64_t*)0x200000004ee0 = 0x200000004e40; *(uint8_t*)0x200000004e40 = 3; *(uint64_t*)0x200000004ee8 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 5; *(uint64_t*)0x200000004ef0 = 0x45; *(uint64_t*)0x200000004ef8 = 0x38; *(uint64_t*)0x200000004f00 = 0; *(uint64_t*)0x200000004f08 = 0xffffffff80000000; *(uint64_t*)0x200000004f10 = 4; *(uint16_t*)0x200000004f18 = 0x42; *(uint16_t*)0x200000004f1a = 7; *(uint16_t*)0x200000004f1c = 0x2825; *(uint32_t*)0x200000004f20 = 0xa21; *(uint32_t*)0x200000004f24 = 1; res = syscall(__NR_msgctl, /*msqid=*/1, /*cmd=*/1ul, /*buf=*/0x200000004ec0ul); if (res != -1) r[26] = *(uint32_t*)0x200000004ec8; break; case 33: *(uint32_t*)0x200000005680 = 0; *(uint32_t*)0x200000005684 = -1; *(uint32_t*)0x200000005688 = -1; *(uint32_t*)0x20000000568c = 8; *(uint32_t*)0x200000005690 = 6; *(uint32_t*)0x200000005694 = 0xa87; *(uint16_t*)0x200000005698 = 6; *(uint32_t*)0x20000000569c = 5; *(uint64_t*)0x2000000056a0 = 7; *(uint64_t*)0x2000000056a8 = 6; *(uint64_t*)0x2000000056b0 = 1; *(uint32_t*)0x2000000056b8 = r[6]; *(uint32_t*)0x2000000056bc = 5; *(uint16_t*)0x2000000056c0 = 4; *(uint16_t*)0x2000000056c2 = 0; *(uint64_t*)0x2000000056c8 = 0x200000005480; memcpy((void*)0x200000005480, "\xfe\xed\xc6\xae\xab\x06\xac\x00\xe0\x0a\x47\x26\xdf\xfa\x89\x36\x98\x62\x1b\xfa\x7d\x41\xa1\xac\xc3\xb8\x24\x88\xd2\x7e\x0a\xd4\x99\xd0\xf4\x71\x76\x04\x49\x63\x03\xa3\xc3\x2e\xee\xb4\x4d\xf0\x79\x18\x2f\x9c\x1f\x77\xba\x86\xb5\xd7\x5d\x3c\xfc\x32\xf4\x50\x62\xe9\x3e\x18\x4c\xec\x89\x02\x44\xb1\x95\xf2\xcd\x11\xbb\x0a\x90\xf2\xa2\xd8\xf6\x7c\xc5\xc0\xbe\x21\xff\x7a\x4f\x4d\x4a\x43\xb7\xfb\x2b\xa7\x33\x04\x0d\x26\xfa\xe0\xfb\x33\x2c\xcc\x40\x57\x09\xc4\xb6\x02\x93\x6c\x96\x94\x2a\x8e\xb5\xae\x32\x7c\x87\xdb\x6f\x2f\x6f\x61\x0f\x80\x3c\xc6\xd8\xd2\x09\x9e\xc2\xa8\x74\x19\xcd\x0c\x20\x6b\x74\xac\x24\x97\xac\x1f\x8b\x63\x7c\xff\xd4\x42\x7d\xae\x82\xe7\x7b\xea\xf3\x7c\xe6\xf5\xd2\xbd\xde\xb3\x19\x44\xc3\x6a\x67\xec\x43\x46\x59\x2b\x8b\x0a\x7f\x4f\x28\xc9\x52\xc8\xf6\xbc\xbe\x0a\x5e\xc3\x5a\xae\x35\x4c\x1f\x9e\x66\xbf\xab\x1f\xa0\xf8\xfb\xe0\x2e\x56\xaf\x6e\xcc\xe5\x25\x61\x78\x00\xb4\x2e\x8c\xb5\x83\x1e\x20\xae\x90\xe7\x3b\xdd\x29\xda\x4c\x8b\x8d\x1d\x00\xad\x8e\x8e\x8d\x8f", 246); *(uint64_t*)0x2000000056d0 = 0x200000005580; memcpy((void*)0x200000005580, "\x48\xfe\x27\xd9\x96\x54\x0a\xf3\x9e\xe6\x3e\xd5\xb8\xcf\xd8\x52\x3c\x9e\xee\xa2\xa9\xf6\x19\x60\x14\x21\xc6\x14\x0e\x3a\x98\x4a\xbc\x8a\x5f\x42\x1a\xc2\x62\x1a\xd0\x9d\xcf\xe4\xb7\x03\x89\x83\xe0\xe8\x82\x40\xcf\x3d\xd6\x11\x96\x97\x6f\x83\x6b\x58\xbc\x78\xe8\xd0\x80\x44\x6c\x8c\x46\xfa\x4d\x9a\x6b\x52\x29\x42\xef\x8d\x58\xf8\x9f\x40\x10\xf6\xb6\x2b\x5a\xff\x90\x27\x53\xb6\x2f\xb2\x9f\xb8\xa8\xa3\xa4\x75\xf3\xe0\xe4\x45\xbc\x8a\x4f\xe0\x18\xfb\x6a\x5e\x3c\x2d\x53\x4a\xab\xd3\xb0\x91\x5d\x7b\x06\x57\x81\xca\x8c\xdb\x3e\xb7\x34\x01\x63\x90\x63\x8c\xde\x96\x40\x37\x5b\x4d\xfc\x90\xc2\x11\x60\x3b\x5e\xa2\xbd\x44\x29\x57\x50\x41\x50\x67\xbc\x3f\x14\x7a\x66\xd7\x7d\xcf\xbf\x65\x84\x80\x36\x9e\x1d\x1f\x19\x3d\xad\x08\xc0\x0f\x36\xc9\x9a\xf5\xc1\xb5\x2f\xf0\xa1\xf2\xe8\x93\x84\x1f\x1a\x2d\xe0\x97\xfb\x0e\x00\x1a\xbd\xb9\x56\xf6\x82\xde\x1e\xcf\xc1\x80\x1e\xc9\x43\x6f\x86\x4d\x3a\xbe\x6e\x7f\x9e\x33\x2a\x32\xe9\xe5\x44\x5d\x85\xed\x61\x3b\xa1\xd5\x9a\x8a\xe4\x83\xad\x90", 244); res = syscall(__NR_shmctl, /*shmid=*/0x80, /*cmd=*/0xful, /*buf=*/0x200000005680ul); if (res != -1) r[27] = *(uint32_t*)0x200000005684; break; case 34: *(uint32_t*)0x200000005980 = 0; *(uint32_t*)0x200000005984 = 0xee01; *(uint32_t*)0x200000005988 = 0xee01; *(uint32_t*)0x20000000598c = 0x80000001; *(uint32_t*)0x200000005990 = 0xa; *(uint32_t*)0x200000005994 = 9; *(uint16_t*)0x200000005998 = 0x50f4; *(uint32_t*)0x20000000599c = 8; *(uint64_t*)0x2000000059a0 = 8; *(uint64_t*)0x2000000059a8 = 4; *(uint64_t*)0x2000000059b0 = 7; *(uint32_t*)0x2000000059b8 = r[6]; *(uint32_t*)0x2000000059bc = 8; *(uint16_t*)0x2000000059c0 = 3; *(uint16_t*)0x2000000059c2 = 0; *(uint64_t*)0x2000000059c8 = 0x200000005800; memcpy((void*)0x200000005800, "\xdb\x41\x18\xb7\xfc\x55\x0b\x52\xee\xc4\xc5\x9c\xf4\xb9\x3c\x16\x9c\xd2\xe4\xc6\xb1\xeb\x5a\x84\xe9\x5b\xb2\x10\x93\x86\x54\x4d\x81\x85\x38\x8c\x50\x4c\x49\x5c\x8e\xf8\xb3\xd1\x96\xce\x76\x84\x46\x52\xa8\xd2\xed\xdb\x5e\xff\x11\x69\xa5\x58\xd6\xe7\xc5\x6d\x46\xaa\x70\xe6\x29\x8f\xbf\xaf\x95\xfa\x39\xd5\x39\x85\x94\x4c\x38\x2b\x26\xcb\x4e\xe5\x1e\x02\x1b\xeb\xc6\xe6\xe8\x03\x88", 95); *(uint64_t*)0x2000000059d0 = 0x200000005880; memcpy((void*)0x200000005880, "\x11\xd0\x1f\xea\xa2\x06\x48\x96\x7b\x16\xd3\xe6\xcb\x0d\x49\x89\xe6\x1f\xca\x36\x74\x07\x92\xd8\x80\x8f\x57\x2b\xe0\xb7\x0d\xd4\xfa\xaa\x5e\xce\x73\x85\x99\x83\x67\xd7\xda\xf2\x35\x0e\x52\xa7\x4d\xde\x02\x7c\x39\x77\x11\xa1\x8f\xaa\x7b\x87\x7c\x14\xe9\x2f\x48\x63\x6c\x7b\x02\x1b\x50\x82\x8c\x93\x6f\x30\xbd\xec\x29\xc6\x74\x13\x9d\x1d\x64\x36\x9d\x02\xd6\xdf\x35\xbd\x75\xc5\x4a\x72\x9a\x1c\x28\xf9\x4a\x00\x49\x7c\x29\x12\xe4\xf7\x3e\x55\x74\x6d\xc4\x37\xcf\xb6\x4d\x82\x6f\xb5\xdc\x13\x28\x6f\x2d\x3d\xc8\xa3\x54\xee\x95\x76\xb8\xb3\x7c\x40\x78\x14\xe5\x52\x41\xfd\x87\x16\x08\xc5\x99\xdd\xb5\xf9\x80\xe7\xc0\x1c\x23\xb0\x2b\x73\x8c\xe3\x4d\xc1\xf4\xd5\x57\x7f\x02\xc5\x53\x7e\xec\x8d\x5c\x15\xf8\xc9\x3a\x7d\x45\x0b\x47\x01\xde\x03\x80\x22\x41\xa3\x4c\x3a\x07\xa3\x78\x11\x9c\xfb\xb3\x4e\xeb\xe8\x75\x3a\x48\x51\xca\xe1\xa1\x4a\x12\x47\x49\xed\x8c\xaa\xec\x19\xd2\x22\x0b\x21\xd7\x1e\xdd\x40\x85\x67\x22\x38\xc4\x58\x2d\xbe\x77\xee\x25\x8f\x75\x04\xe5\x86\x84\x58\x78\xa7", 244); res = syscall(__NR_shmctl, /*shmid=*/0x7ff, /*cmd=*/0xful, /*buf=*/0x200000005980ul); if (res != -1) r[28] = *(uint32_t*)0x200000005984; break; case 35: *(uint32_t*)0x200000005a80 = 0x1d; *(uint32_t*)0x200000005a84 = 0xee00; *(uint32_t*)0x200000005a88 = 0xee01; *(uint32_t*)0x200000005a8c = 9; *(uint32_t*)0x200000005a90 = 7; *(uint32_t*)0x200000005a94 = 0x100; *(uint16_t*)0x200000005a98 = 0x1000; *(uint32_t*)0x200000005a9c = 4; *(uint64_t*)0x200000005aa0 = 0x400; *(uint64_t*)0x200000005aa8 = 3; *(uint64_t*)0x200000005ab0 = 9; *(uint32_t*)0x200000005ab8 = 9; *(uint32_t*)0x200000005abc = 0; *(uint16_t*)0x200000005ac0 = 0x4c17; *(uint16_t*)0x200000005ac2 = 0; *(uint64_t*)0x200000005ac8 = 0x200000005a00; *(uint64_t*)0x200000005ad0 = 0x200000005a40; memcpy((void*)0x200000005a40, "\x20\xfc\xa2\xd9\xa8\x4b\x14\x9b\x22\xcc\x11\x86\x29\xf2\x44\xc8\xf9\x90\x9c\xbe\x31\x7a\xd4\x69\x3e\x5c\x7d\xda\xcf\x6f\xf0\x8f\xf9\x64\x41\xb2\x9c\x38\xfb\x9a\x61\x61\xaa\xc4\x2a\x96\xf4\xe5\xb9\xa9\xed\x64\x8c\xa3\xd6\x00\xf7\x63\x14\x86", 60); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x200000005a80ul); if (res != -1) r[29] = *(uint32_t*)0x200000005a88; break; case 36: memcpy((void*)0x200000000c40, "\x55\x5b\x07\x8c\xdc\xaf\xe3\xdf\x82\xab\x07\x45\x00\xb8\x54\xe0\x53\xe9\xbe\x2b\xde\xa6\x7c\x3f\xdc\x61\x39\x5f\x5b\xcf\x26\x9a\x1a\x3d\xb8\xdd\x7f\x3d\xb0\xcb\xe3\xe9\xee\x7f\x3f\xd7\x73\xe5\x7f\xb4\xf6\xab\xa5\x3b\x02\x82\xae\x6a\xb4\xf9\xb9\xd6\x9d\x36\x2e\xbd\x6f\x99\x17\xff\xa5\x85\xa5\xe2\xb1\xdd\x85\xaf\xdc\x2e\x0b\x9f\xd0\x7d\x2b\xb6\x93\xd6\x87\x17\x43\xb7\x3e\xdd\xf8\xe6\xcc\x6e\x58\xe5\x02\xfb\x0d\x8d\x80\xfb\x48\xbe\x00\xbe\x3a\xcf\xe3\x5f\xd1\xfe\x21\xf9\x7c\x59\x8e\xca\x5e\x05\x46\xf3\xf6\xee\xc8\xf7\xe4\x03\xe8\xa8\x0b\x58\xfb\x34\x34\x2e\x2f\xcf\x0e\xef\x3b\xa1\x64\x4b\x26\x2d\x0a\x87\x7d\xeb\xa6\x46\x22\xae\xee\x38\xf1\xef\x52\x8c\xd8\x36\x08\x5f\xb4\xf8\x43\x7c\xa3\x6c\x3c\xc2\x11\x98\x0a\x65\x23\xfc\x6b\xd0\x7c\x49\x74\x7f\x5f\x9d\x6d\x79\xca\x43\x5f\x84\xf5\x9a\xf8\xbc\x5d\x7a\x76\xad\x9a\x4d\x29\xe4\xc5\xea\xf2\x0c\xf5\xe3\x73\xc2\x67\x7a\x04\x8b\x4a\x06\x4b\x25\xc8\x0e\x3c\x22\x5a\xef\xc7\x98\x61\xe3\x9f\x88\x98\xdc\x74\x9e\xd0\x43\x2a\x34\x74\x29\x9b\x35\x0f\xfb\x0c\x53\xcf\x96\xca\x64\xa1\x27\x30\x8b\x7a\x77\xf8\x0e\xc1\xad\x1c\xa7\x4f\xc5\x8f\x71\x80\x3c\x78\x7f\xc8\x98\x20\xce\x64\x7e\x6e\xed\xc3\x84\x51\xb7\x0b\x15\x30\xcc\x70\x60\xd1\xb0\x72\x7b\x74\x68\x5e\x6a\xdb\x33\x10\xcf\xa9\xed\x51\x65\xe3\xd3\xe7\x4a\x38\xa7\xb5\xf2\x50\x24\x61\xb9\x3d\x63\x36\x93\xf3\xc9\x25\x9d\x2f\xa0\xad\x38\x9f\x24\x96\xc5\xc2\xe3\xdf\x9f\x85\xc1\xa8\xa8\x58\xdb\x4b\x7c\x58\x15\xfc\xbb\x65\x68\x21\xe1\x84\x4e\x7d\x6e\x0f\x3c\xfb\x64\x52\x8f\x96\x62\x97\x9a\xc9\xa8\xec\x10\xee\xf0\x60\x3b\x3d\x1d\x78\xd5\xd2\xa4\x85\x48\x6a\xa8\xcc\x31\x0e\x49\x0b\x94\x71\xae\x12\x71\x94\x15\x1b\x73\x2e\xd1\x9d\x49\x4e\xa6\x3d\x28\x36\x51\x94\x09\xa2\x13\x42\x5f\xe1\x00\x5e\x46\x69\x5f\x4b\x24\xbe\x7b\x25\x82\x96\x53\xe4\x1c\x17\x4b\x1b\xc6\x9f\x10\x8a\x07\x67\x69\xc6\x52\x40\x5d\x43\x6a\x7c\x69\x8a\xc8\xe5\x4a\x85\x0c\x0e\xd0\x24\x9a\x82\x50\xe5\x54\x88\x69\x61\x6b\x9a\x72\xf2\x6c\xb9\x70\x96\xcc\x66\xcb\xbf\x03\x17\xa1\x7f\x96\xee\x0b\xae\x08\x02\x4d\x5b\x80\xdf\xf8\xbe\x40\xc8\x22\xd8\x50\xf7\x49\xe7\xbf\x54\x33\xd2\x52\x20\x2b\x03\x58\x3d\x8b\x87\xb5\xb7\x07\x90\x5e\x3c\x84\x61\x24\x1f\xea\x66\xc5\x99\x5a\x3d\xe3\x0e\xf8\xe3\x3b\xf0\xc7\x92\xf2\x3a\x26\x43\xbe\x67\xd8\xe0\x77\xb1\x6a\x84\xe5\x2d\x80\xc3\xc3\xe8\xc3\xba\x8e\x58\xd0\x68\x3d\x00\x41\x2b\x9f\x98\x73\x25\x24\x11\x3d\x24\xc8\x9e\xbb\x02\x0b\xa6\x31\xc1\x61\x8c\x7c\x1d\xed\xf1\x8e\xe5\x9c\x67\x7e\x58\x52\x99\xfc\x6b\xc0\x60\xd5\xc3\xf5\x7f\x9d\x52\x9f\x93\xc3\x7e\x08\x6d\xb0\xed\x59\x93\xa0\x5d\xab\xff\xba\xe7\x43\x0f\x9e\x20\x60\xb0\xb6\xce\x6b\x0b\x21\xfe\x6d\xcc\x4f\x40\x16\xd8\x7a\x74\xd0\xfa\xdd\x6f\x9f\x12\xb1\x02\xf7\x8a\xc9\x4f\x2b\x84\x6c\x2a\x7b\x9b\xc2\x43\xc5\x6b\x0f\xe4\x41\x2f\x03\xaf\x33\x72\xd3\x56\x43\x2c\xff\x83\xc2\xd7\x12\x7f\xa0\xa9\x72\x90\x6d\x16\x74\xd7\xe5\x5d\xac\x17\x89\x01\xb6\x61\xf1\xf1\xef\x39\xe7\x17\x25\xd8\x9b\xc1\xe7\xce\x8a\xc6\xa2\x38\xa9\xb2\x11\x5c\x65\x63\xf9\xc2\x19\x93\x43\x50\xcb\xff\x04\xbf\xed\x91\x66\x53\xcd\xfd\x93\xc2\x5c\xa0\xcf\xa1\x22\x3b\xc8\x5f\xd2\x6d\xcb\x17\xe5\x30\x21\x28\xfd\x81\x94\x51\xd0\xb7\xf0\x85\x4c\x70\x32\x84\x97\x77\xd1\x82\x8d\x48\x3b\xc5\x8b\x2b\x91\xf6\xe4\xeb\x2a\x90\x26\x55\xa9\x5b\x03\xfe\x2c\x86\xf0\xfb\xa9\xfd\x2c\x67\x7f\x6e\x5b\x60\x92\x17\x9a\x5e\x84\xa6\x7d\x88\x1a\xab\x57\xdd\x2c\x32\x39\xa1\xdb\x9b\x47\xf2\xb5\xf6\xce\xeb\x79\xa5\x8c\xd1\x25\xe6\x14\x7d\x20\x68\xca\x21\xa0\xca\xc4\x7b\x0c\x12\xf6\x68\x3b\x71\x98\xf1\x39\xf1\x12\x06\xb2\x84\x90\xf7\x56\xe0\xbf\x15\x22\x19\x5f\x14\x60\x8d\x19\xff\xb6\xa3\xba\x85\xf0\x47\x44\x31\xf7\x1d\x1a\x38\xb4\x92\xe3\x86\xdb\x9e\xb0\xdd\xe5\x57\x69\xc0\x2f\x87\x57\xa4\xe1\x4e\x93\xdc\x24\x1f\x2d\xd5\xe6\x55\x0e\x3d\x75\x3c\x91\x7b\xbc\x4e\x5b\x1a\x33\x85\x25\x91\x63\xd6\x64\xb0\xc7\x2d\x85\xbf\x78\x35\x4f\x18\xcb\x63\xf1\xfe\x0a\x33\x7a\x07\xf2\xe7\x8f\xd3\xf8\x94\xff\xeb\x85\xda\xce\x3f\x30\x27\x7b\x5c\x0f\xdb\xb2\x4f\x9b\xc3\x54\x54\x6d\xe8\x12\xed\x54\x45\xf8\x54\x88\x8a\x03\x8f\x04\x36\xc7\x8b\x21\x23\x0c\xa7\x3e\x77\x0b\x4d\x37\x5a\xc6\x0d\x30\x2a\xd1\x62\x9e\xd8\xc1\x7a\x12\x76\x53\x02\xad\xd9\x81\x9e\x9b\xdd\x10\x02\xdd\xf7\xd7\x73\xd0\xd2\x01\xe6\xaf\x2b\xf8\xe5\x8f\x68\x91\x5d\xcd\xb8\x0f\x4b\xdd\x73\x1c\xa0\x54\x4f\x9b\xe2\x92\x97\x21\x9d\xd3\x42\x2d\xf4\xf2\xe4\x36\x42\x2f\x94\x0d\x8f\xe0\x72\x41\x4e\x84\x38\x94\xc0\x1f\x43\x80\x7c\x4d\xd4\xf7\xc5\xc1\xfe\xb2\x0d\x50\xf0\x60\xee\x1f\xe6\x12\x22\x9c\x2f\x49\xda\x21\x72\x89\x52\xa0\xbe\xf8\x1b\x47\xfa\x85\x84\x8f\x65\xae\x37\x56\x70\x60\x13\x09\x5f\x1f\xf8\x4e\x5e\x32\x21\x6b\x94\xaf\x24\x79\xee\xa8\x19\x97\x10\xc0\x15\x59\x7b\x00\xa9\x7b\xe8\xb3\xba\x52\x43\x9b\x12\xe3\xf1\x94\x82\x18\xe2\x81\x6b\x75\xb6\x84\xf3\x18\x2b\x43\x4e\x0a\xc0\xcb\x31\xa1\xa8\x3f\x2c\x7b\xbd\xdf\x28\x0d\x1e\x4f\xd5\x08\xc4\xb7\xa0\xfb\x0b\x66\x4c\x61\x3e\xdb\x4c\x7e\xc7\xf4\x8c\xdc\x94\x11\xa1\xaf\x51\xc7\xf2\x95\x64\x95\x04\x17\xca\xcf\x4c\x84\x8b\xc3\xc6\xc2\xff\xb3\x17\x59\x91\x7a\x52\x51\x00\x01\xaf\xd9\xde\x6d\x6e\x9d\xdc\x26\x36\x43\x53\xea\x50\x70\xfc\x73\x0b\x22\xd8\xf4\x34\xec\xc2\x12\x47\x94\x9f\x63\x7d\x03\xd4\x30\xa5\xfb\xc0\x36\xbd\xaa\x35\x01\xd4\x9d\x63\xdf\x32\x38\xab\xc5\x94\xa5\x64\x43\xd0\x5f\x53\xa5\x57\xb1\xe0\x4c\x54\xf5\xde\x09\x10\x86\xa0\xcf\xe9\xf3\x70\x7c\x74\x77\x1d\x41\x6c\xbd\x75\xc5\x3e\x74\x56\xba\xc5\xad\xce\x64\x0c\xd9\x3c\x66\xc0\xba\x2e\x59\x09\x6c\x5e\x08\xcf\x2c\x9b\x96\x48\x9e\x94\xf8\x06\x52\xf9\x05\x84\x9e\x4f\x38\x99\x7f\x0c\xd4\xe6\xcf\x1a\xd1\x8a\x88\x1e\x9e\x81\xae\x73\x2c\x28\x4d\xf2\x54\xde\x39\x81\x60\x6b\x02\x1e\xf4\x1d\xa3\x71\x76\xe9\xa0\x94\x6a\xb8\x08\x26\xdc\x7f\xb9\xe4\xb9\x9b\xd9\x94\x8b\xb0\xee\x33\x4a\x5d\xb2\x91\xea\x58\x80\x7c\xec\xd5\x9f\x87\x0c\x69\x13\x85\xe2\x7f\x18\xd7\x48\x46\xd1\xed\xa2\x20\xb9\x60\x7a\xaf\x2e\x6f\xc0\xae\x9e\xae\x57\x60\x8e\x60\x1d\xf9\x44\xd9\xac\x45\xd6\x2d\x79\x65\x12\x90\x3b\xff\x90\xd7\x40\xef\x9f\xcc\x40\xc3\xb3\xf2\x73\xa2\xbd\xfa\x30\x14\x3e\x90\xcd\xa7\x11\x6d\x8c\x68\x82\x6e\x67\xea\x0c\xf5\x78\xf5\x92\x31\xca\x85\xf0\x3f\x11\xb4\x0d\x06\x31\xab\x34\x73\xca\x2e\xe5\x35\x87\xdd\x4d\x8a\xbc\x53\xc6\x06\x9d\x56\xbd\x9b\xf7\xcc\x9f\x04\xd8\x98\x2a\x4f\xae\xda\x89\xfb\xff\x88\x84\x25\x1a\x1f\xcc\x5f\xef\x64\x2a\x20\x52\x99\x93\x0e\xe6\xc9\x02\x22\x23\x57\x68\x88\xc4\x91\xf7\x96\x62\x4d\x04\xd9\x5a\x98\x3e\x40\xb3\x44\xe8\xf4\xc9\x8e\xeb\x55\xe0\xff\x11\x6f\xcc\x8b\x4f\x29\x6d\xdc\x2f\x11\xc9\x32\x27\x86\x44\x0e\x0b\xa6\x22\xed\x96\xdc\xcb\x6b\xf6\x82\xb9\x7a\x2c\x78\x06\x47\x47\x38\xe9\xce\xa3\x64\xa2\x28\x30\x23\x5c\xa3\x5c\x60\xca\x4b\x0f\xd3\x0f\x81\xc0\x51\xb9\x6c\x67\x98\x21\x7c\x79\x85\xe7\xfd\xfb\x4f\xd8\x04\x09\x32\x66\xf0\xd3\x94\x7b\xc1\xd5\xb3\xbd\x53\x5c\xbd\x34\xbf\x07\xa3\x09\x6f\x16\xda\x81\x8c\xde\x06\x88\x7e\x94\x25\x75\x79\xf2\xc0\x20\xcb\xca\xc1\xcb\x70\x0d\x34\x47\x2b\xac\x93\x01\x30\x53\x0f\x9d\x09\x44\x83\xfa\xf3\x11\x19\x4f\x9a\x96\x41\x92\x5c\xde\xe8\x88\x79\xd2\x18\xb3\xbe\xb8\x3d\xf4\xf3\x3f\x5c\xb1\x09\xca\xc0\xc7\x92\x6f\xf1\xeb\x49\x4e\xbf\xc5\x8f\x22\xe5\x13\xde\x37\x6d\x1e\xa9\x03\xe7\xaa\x65\xb8\xd1\x82\xe5\xe3\x82\x17\xe2\xd2\xc0\xb0\xcb\x39\x2d\x44\xad\x76\x84\xc2\x29\x96\x8e\x71\xa7\x61\xb9\x67\xe2\x5a\x28\x83\x92\x9e\x19\xbb\x5d\xfb\x05\x32\x18\x13\x9d\xc3\x04\xea\xee\xd9\xe1\x5d\xe1\xf0\xa9\xe6\xf0\x47\x61\xc7\x5f\x72\x99\xe6\xc0\xec\xcb\xf9\x3c\xc1\x01\xeb\x5b\x01\x7c\x2d\x97\x27\x3b\x22\x38\xd4\x48\x1c\xbb\x5d\x24\x4d\xb8\xf1\xb3\x29\xb8\x93\x05\x45\xea\xa4\xa3\x6d\x59\xc3\x7d\xdb\x37\xa6\x10\xde\x3a\x79\xdd\xd8\xa3\x1d\xeb\x0b\x1b\xbb\x31\xd0\x1e\xee\xb7\x8c\xf9\x5a\xcf\x3f\x27\x27\xb5\x3b\x62\x36\xb0\x7d\x49\x0d\x86\x31\x82\x97\xda\xd4\xf6\xb8\x01\x07\xa0\x31\x29\x9f\xb5\x2a\xc0\x61\x0d\xa5\xaf\x4b\x71\xa8\xa7\x1c\x48\x6e\xda\x6e\x77\xc3\x50\x22\x4a\x9e\x24\x65\x99\xd2\xf0\x17\x90\x79\x6a\x21\xc1\xc9\x0d\xfb\x6e\x64\xc4\x9d\x6f\xe4\xee\xeb\xe6\xd6\xb5\x19\x2b\x6e\x13\x0e\xea\xc6\x73\xc4\xcf\x46\x69\xc0\x46\xce\xc7\x38\x80\x79\xd1\x4b\x25\x99\x25\x28\xe2\x05\xa8\x66\x3d\x42\x9d\x8c\xea\x1f\xcc\xdd\x3e\x53\x8b\x97\xc6\x35\x56\x2f\x2e\x26\x95\x88\xaa\x14\xb9\x30\xa7\x40\x80\x76\x29\x8c\xc4\xde\xda\x70\xb3\xc2\x6c\x42\xc6\x70\x22\xc5\x9e\x26\xf0\xbc\x4a\xec\xc4\x3a\x95\x6a\xc6\x02\x30\xba\x1b\x06\x81\xb8\xdb\x4e\xfd\x0e\xf1\x33\xf0\x99\x56\x3d\x0f\x55\xb9\x19\xf6\x43\x77\x22\xc8\x6b\x4a\x5f\x92\x8a\x75\x6b\x45\xa8\x4f\x9c\x54\xdc\x2b\xdd\x79\xae\x9d\xa5\xa3\x9b\x59\x93\x05\x5b\xf7\x74\xb1\x29\xb4\x68\xfd\x38\x85\xa5\x44\x70\x52\x46\x0d\x71\xa6\x8c\xb9\x6d\xed\xbd\xc4\x88\x2e\x6f\x6a\x2b\x7f\x64\x26\x27\xf3\xe7\x78\x3a\xcc\xc8\xf2\x2d\x29\xac\x8a\x83\x78\x8e\x64\xab\xd6\x06\x19\xe2\xb1\x3c\x48\x3b\xb9\xf6\x44\x2c\xd0\xa6\x72\xdc\xa7\x19\x26\x2f\x2e\x8b\x52\xd5\x8e\xfc\xca\xbe\x63\x12\x0f\xa9\x55\xda\x00\x62\x98\x88\xb0\x98\x6a\xee\x35\x03\xf9\x4d\x69\x01\x15\x52\x8e\xa4\x14\xff\x93\xfc\xfc\x48\x7f\x4a\x3b\x02\x13\x79\x8f\x27\xce\x36\x2e\xcc\xfa\x77\x5c\x9f\x84\x11\x44\xae\x5f\xe9\xc7\xd9\x5b\x46\x57\xea\x10\x67\xf1\x2d\x1d\xee\x02\xf9\x11\x78\xb1\x13\xf7\x96\x20\x73\xa3\xc9\x8b\x91\xde\x9b\x47\x02\x3a\x22\x05\x92\x01\xbd\x49\x5e\x7e\x2e\x4d\x3b\x3d\xec\x65\xef\x29\xfe\x44\x2e\x27\x1f\x13\x87\x0b\x0a\xed\x81\x83\x52\xbc\x69\x1b\x5d\x39\x17\x56\x5b\xf8\xb6\x6a\xcb\x66\x58\x05\xd9\x37\xe6\x35\x87\x91\xed\x90\x60\xf2\x61\xca\x7e\x34\xf0\xe7\x28\x6c\xf7\x56\x3f\x57\x25\x4a\x05\xb3\xce\x5f\x17\x5d\x8b\xca\x32\x2c\xb3\x1b\xf8\xde\x32\xeb\x0e\xf6\x36\xda\x05\x5f\x3e\x9e\xee\x3b\x7e\x36\x06\x6f\xe1\x0c\x45\xc7\x74\x2c\x39\x73\x2c\xc7\x89\xaf\x38\xcb\x73\x7a\xa1\x78\x98\xd3\x1a\x20\xce\xba\x6a\x89\xc7\x88\x35\x19\xce\x21\x71\xc6\xe7\xb1\x9b\x34\x49\x4a\x58\x06\xf9\x9c\x26\xc5\xdf\x8f\xd6\x41\xa1\xbe\x5e\x66\x0c\xe8\x87\xa7\x8f\xb6\x91\xa1\x01\x6f\xdb\xf1\x07\xbc\x92\x99\x2a\x2b\x62\xdc\x34\x74\x31\x6d\xd2\x4f\x40\xff\xe6\x1b\xfa\x84\x8f\x97\x90\xe7\x25\xc0\xdf\x3f\xa6\xd0\x90\xfd\x38\x37\xe1\xa4\x6b\xf5\x8f\x3b\xee\xf4\xad\x77\x21\x95\x1a\x97\x79\x48\xb8\x6c\xed\xc0\x7a\x24\xb7\xf0\x4b\xe1\x4d\xf3\x6d\xff\x71\x53\x1a\xd7\x15\x32\x8d\x70\xa2\xff\xfb\x3b\x59\x43\x96\x19\x82\x6e\x0c\x26\x72\x9d\xa1\xaa\x66\xfb\x89\x2b\x94\x0f\x8b\xe7\xee\x4f\x22\x7b\x43\xfb\xb4\x30\x94\xc5\x08\x64\x47\xc8\xb4\xdd\x72\x66\xf0\x7b\xc7\x9c\x28\xa9\xb4\xb0\xb5\x11\x73\x9d\x68\x94\xc0\xf2\x04\x9f\x9b\x83\x57\xa2\x45\x1b\xc9\x64\x89\xc2\xfd\xb4\xc6\x3f\xe6\xa1\x51\xa1\x1c\x72\x30\x47\x4b\xf5\x1f\x4d\x04\xb1\x60\xa6\x5c\x22\x10\x4d\xfc\x29\x68\xa2\x3e\x42\x7b\xd9\x7c\x4d\x2c\x0a\x5b\x35\x9d\x59\xfb\x17\xb5\x51\xf8\x90\x5a\x4b\x6a\xca\xb2\x44\x4d\x66\x08\x2c\xf5\xc6\x48\x03\xf5\xaf\xdd\x46\xf0\x57\x35\xd1\x8b\x52\x07\xa9\x27\xef\x34\xcc\x76\xa8\xed\x38\x19\xc8\x69\x54\x1e\x06\xe5\x09\x50\xd5\x50\xc9\xb8\xf0\x34\xd4\xa3\x29\xa1\x35\xaf\xaa\x25\x7d\x3b\xf2\x5d\x36\xac\x7c\x7f\xf9\x85\x1a\xb9\xc3\x86\xc9\xb1\x6b\x7b\x11\x1c\xfb\xfc\x39\xf1\x9e\xc3\xb7\x1c\xe4\x35\x40\x36\xcf\xcf\xfe\x36\xc8\x7a\x8d\x65\x47\x00\x6a\xb4\x4f\x19\x32\x0a\x35\xdb\x00\x3a\x6c\xce\x51\xe5\x33\x8a\xfd\xea\xf6\xfb\x6a\xd3\xdb\x60\xba\xbb\x52\x1a\xd5\x6b\x08\x0e\x55\x64\x41\x3b\xe5\x96\x99\x4a\xfe\x9d\x45\x55\xf7\xb7\x53\x0c\x4f\xb1\xad\x9b\x55\x90\x0c\x76\xba\x40\x49\x71\xd8\xe2\x72\x6a\xc6\x48\x0e\xc1\xe1\xb5\x6f\x68\x60\x0e\x79\x0a\x32\x80\x6f\x10\xee\x80\x76\xff\xbb\xe6\x31\x30\xb7\x2a\xe2\x2f\x0a\x79\x9a\x56\x58\xf2\x72\xfa\xed\x77\x0f\x1c\x72\xe4\xb6\xc3\x2f\xa1\x9b\x6b\x9e\xc2\x8c\xec\x7b\xfb\x3b\x08\x69\xe7\xf4\x7b\xb3\x2b\x63\x1d\x44\x0b\xb1\x50\x4e\x92\x7f\xbf\x0a\x75\x29\x59\xc4\xa6\x33\x45\x9b\xd2\xd3\x49\x26\xad\xa2\x2b\x97\x71\x6a\xdc\x61\x47\x0e\xda\x3a\x96\x8b\x89\x89\x82\xd8\x96\xe7\x7d\xa4\x7a\xf7\xd4\x89\x72\x8a\xde\x39\x50\x57\x53\x89\xaf\x48\x83\xb2\x1f\x53\xe9\xf4\x9d\x4b\x4f\xec\x3c\x56\xb9\x5f\xae\x00\x27\x1b\x01\xfd\x3a\xda\xc9\x79\xba\xca\x1f\x9c\x3b\xd6\xf0\x78\x42\x47\x20\xf7\x47\x59\x1e\xa8\xdc\x70\x94\xc6\x08\xb1\x47\x6d\x1e\x10\x51\xa5\x5b\xb1\xe5\x94\x10\xef\x9d\x8c\x29\xf0\x0a\x6a\x4d\x9b\x31\x03\xa8\xd2\xaa\x08\x7e\x91\x11\x6f\xb3\x63\x97\x58\xad\x6f\x93\xed\x07\x06\xbf\x99\x3e\xce\x70\xe8\xed\x75\xbe\xa2\x89\x70\x85\x9c\x72\x56\xf9\x72\xaf\x86\x2b\x45\xb4\x2b\xe1\x59\x57\xe2\x18\xfa\x65\x42\x4a\xaf\x13\xc2\xa8\x47\xce\x1d\x40\xda\xb5\x2e\xe7\x57\x66\x92\x45\x14\x0c\x43\x46\xc5\x81\xf2\xe9\xab\x2e\x72\xb6\x44\x28\x23\x72\x50\xe1\x42\x93\x51\x78\x45\x56\x8d\x20\xed\xb8\xb1\x03\x10\x6c\x48\x26\x62\x1b\x6b\xb0\x75\x6c\x1f\xac\xd8\x59\x50\x9f\x93\x31\xd0\xa1\xaa\xde\xe7\xad\xf1\x34\xd4\x63\x30\x98\x11\x22\x0e\x9b\xdd\xf1\xdc\x63\x02\xad\x89\xab\xab\x68\xe3\x2f\xd5\xf7\xc2\x7c\xa0\xb2\x17\xd8\xc2\xec\x34\x2a\x26\x05\xfe\x54\xee\xd4\x32\x1b\x34\xea\xf5\x4f\x8c\x21\x62\xd3\xbf\x5d\x7a\xce\x24\x29\xfb\xeb\x4c\xa1\x87\x06\x50\x26\xaa\x81\x4a\x98\x33\xb6\xee\x94\x3d\x1d\x33\x7d\xe2\xd9\xec\xda\xab\x2c\xf4\x63\x4c\x16\xa9\x15\xe6\xa9\x64\x8b\x36\x8d\x8d\xf8\xd6\xd2\xde\x47\x72\x11\x21\x4b\x3e\x8c\x29\x1f\x16\xed\x30\xea\x38\xff\x58\x1b\x81\x89\x9c\xd1\xc4\xa7\x4b\xb3\x38\xa6\x32\x20\x03\xc9\xfc\xbf\x16\xa0\xac\xf0\xc6\x7b\x97\xd8\x5d\x55\xa6\xb8\x1f\xb7\x53\x6d\x43\x4a\x0e\x49\x99\x29\xe0\xda\x0a\xe3\x18\x18\xda\x52\xcc\x25\x24\x18\x80\x26\x21\xcf\x28\xee\x5c\xd5\x55\xf1\x3d\x4a\x0f\x6c\x41\x60\xb9\x70\x16\x80\x9b\xa7\x5f\x30\x50\xc2\xef\x1d\x3f\x90\x04\x5e\x97\xf4\xea\x5d\x03\x73\x9a\x8c\x5a\xb3\x49\x2f\x5d\xd5\xb1\x67\xd8\xf5\x29\x49\x61\xf9\x42\x84\x7d\x95\x50\xf1\x1f\x73\xa8\xff\x1b\x8b\x28\x8d\x27\xa0\xfb\x75\x9d\x86\x54\x46\x91\xf9\xee\x3f\x9e\xe4\x8d\x0e\x57\x3f\x21\xcc\xef\x46\x10\x30\x28\x71\xc7\xae\xc5\x59\xad\xe8\x95\x11\xdd\x90\x75\x80\xf8\xf0\xd1\x19\xb8\x27\x4f\x65\x2f\x5e\x4c\x8a\x8d\x32\xf3\x0f\x24\x43\xeb\xf4\xd9\xbc\x12\x48\x61\x88\xc5\xaf\x74\xf9\x8d\x31\x54\x95\x38\x9f\x10\x30\xd4\x5d\xe4\x21\x9c\xaa\xea\xb0\x35\xbd\x51\x1a\xfe\xa1\x8c\x84\x48\xbf\x80\x54\xde\xbe\x9c\x74\x7e\x60\x43\x1d\x66\x01\x5c\x62\x57\x8a\x00\xdb\xdf\xc0\x6a\x5d\xd5\x27\xe3\x14\x13\xe8\xdf\x00\x42\x0c\x33\x2b\xb4\x16\xdb\x84\x20\x0c\xb7\xe1\x47\x08\xa1\x37\xb7\x54\x90\xd9\x5f\xfd\x69\x3c\x9b\xd2\x15\xcf\x71\xc3\xf8\xe2\xd1\xaa\xab\xff\x3d\xd6\x3c\xc2\x28\x0a\xb6\xea\x46\xa0\x39\x0e\x75\x35\x63\x50\x59\xd1\x28\xb5\xa9\x2f\x68\x67\x3a\x05\x8d\x96\x33\x03\xe7\xe5\x79\xcc\x16\x61\x9d\x78\xc6\xdb\x79\xe8\x26\x21\x52\x5a\xef\x9a\x8a\xf3\x0d\xf9\x11\x2c\xe2\xb6\x8d\x56\x8c\x39\xa8\x13\x8e\xbe\x5d\x0c\x3c\x26\x38\x02\x09\x5c\x3c\x4f\xe2\xa9\xba\x48\xd9\x7f\x6d\xf3\x11\x26\xb6\x4a\xbd\xb3\x7c\xf8\x06\xb4\x10\xaa\x9f\x32\xc8\xf2\x0a\xb1\x37\xe1\x2d\xa9\x9f\x8f\x06\x96\x07\x22\x4a\xc1\xcc\xf6\x10\xe3\x62\x12\x45\xf7\xcf\x01\x7f\x8b\xb1\xf5\xde\x00\xbe\xdd\x6a\x66\x81\x1b\x28\x6a\x87\x0a\x89\xc1\x13\x08\xa3\x5d\xfc\x58\xba\x24\x5e\x93\xc1\xd3\xa5\xff\x01\x0f\x8d\xe2\xaa\x44\x6a\x90\xd1\x53\xb3\xe6\xf8\xd0\x72\x5d\xab\x1e\xe4\x35\xba\xb2\x6a\x08\x42\xc5\x72\xd3\x88\xe2\xb6\x26\x57\xc1\x33\xe5\xca\x2d\x47\xfe\xc6\x55\x61\xab\x2a\x71\xc6\xd7\xfb\xdd\x24\xdb\xf0\x50\xf6\x88\x9d\x83\x22\x70\x94\x17\x80\x96\x99\x6d\x85\x66\x25\xdd\xcd\xbc\x23\x6c\x0b\x5e\xd2\x8e\x7c\xf7\x18\xb4\xf8\x05\x89\xd3\xde\xcc\xee\x9e\x70\x54\x36\xdd\xe6\x45\x5d\x8f\x0b\xea\x6f\xc4\xc3\x54\x4d\xf5\x5d\xfd\xa6\xd5\x2d\xeb\x92\x1c\x0b\xcd\x96\xf8\xa0\xc5\xdd\x8c\xe9\xd3\x8c\x00\x83\x7a\x56\x28\xa3\xb2\x52\x97\xcd\x3b\xaa\x14\x90\x54\x5b\x5c\xcb\x87\x1c\x36\xac\x1a\xac\x4c\x70\xb0\x5a\xa4\x59\x73\x4a\xa5\x23\xec\xf9\x47\x6d\x90\xe7\x19\xba\xa1\xe0\x3d\xe3\x49\x2c\x3b\xd1\x0e\xe0\x29\x0a\x6c\xba\xda\x72\x96\xb2\x6f\x46\x3b\xcb\x05\x1b\x53\xf0\x8e\x9a\x80\xc4\x71\x57\xcb\x49\xb7\xde\xd5\x02\x11\x21\xc0\x43\x15\xfe\xa9\xd4\x80\x0d\xd2\xd6\x23\xc9\x12\x34\xf9\xce\xc3\xa7\x87\xbc\x28\xf2\x73\xb0\x29\xcb\x66\xd5\xa0\x5d\x54\x63\x11\x61\x38\xfb\xc8\x75\x79\xa7\x1e\x0d\xbb\x29\x70\x38\x67\xfa\x8b\x69\x21\xb6\xfe\x65\xa7\xd1\x96\xe5\x14\xd8\xa8\xc2\x1e\xa8\x56\x66\xda\x05\xb7\x2c\x0b\x3d\xac\x14\x4f\xe9\x04\xd8\x18\x43\x1b\x5d\xc7\xa9\x0c\xc3\xe2\x52\x66\x7d\xe0\x4b\xc6\x1a\x19\xdc\xa5\x65\xf5\xa5\xc1\xf4\x21\x6c\x69\xcb\xb5\x9c\x71\xdb\x52\xe2\x8d\x85\xc1\x37\xd2\xc4\x86\x62\xd3\x18\x13\x04\x1b\x60\x65\x31\x39\xbd\xe9\xd2\xb5\xc4\x72\x68\x5b\xef\x17\x7c\x2f\xa2\xbd\x82\x56\xb3\x2a\xfd\x59\x8e\x4f\x82\x52\xc5\x7c\xd0\xc4\xea\x6f\x7d\xf7\x76\x31\xec\xf0\x0b\x0b\x6f\xae\x05\x82\xb3\xaf\x17\xa5\x77\xba\x6f\xda\xdb\x8c\x22\x74\xb6\x3c\x3a\x5c\xec\x2c\xf0\xf3\x02\xdf\xdc\xae\xb2\xa3\x8e\x32\x57\x37\x99\x80\x3b\x73\x68\x6f\x45\xab\x88\x5f\x43\xdf\x45\x61\x62\x4c\x34\x7a\xb1\x11\x55\x91\xae\xc4\x23\xb0\x9b\xfd\x69\x46\x17\x23\xde\x7b\x10\xf9\x18\x9d\xfe\xc9\xf0\xb2\xd3\xb6\x6c\xf8\xb1\xae\x59\xdb\x79\xfc\x26\x11\xa6\x55\x61\x65\xc3\xfd\xd1\x1e\x43\x80\x81\xf2\xe7\x47\x3d\x3c\x16\xae\x56\x76\x19\xe5\x8e\x4e\x4d\x24\x33\x74\x9b\x90\xee\xae\xe1\xf4\xe5\xf9\xe2\xac\xc3\x7c\x67\xbd\x22\xdd\x92\xb8\x56\xeb\xab\xf0\x4b\x09\x4b\x8a\x87\xd3\x86\xe4\x44\x46\xbd\x32\xcd\x75\xb6\xdc\x35\x24\x69\x90\x7d\xd3\x9a\xe2\xbd\x9c\x5f\x96\x5c\x3f\x17\xaf\x0b\x77\x85\xa5\xea\xf4\xfe\x48\x5d\x4c\x31\x16\xae\x77\xa7\x4a\xb1\x65\xea\xf4\xce\x8f\xd8\x63\x4a\xdf\xf3\x90\xbe\xe9\x1b\x5b\x30\x17\xea\x83\xc1\xb2\xff\xd7\xd0\x4d\xd0\xc4\xdb\x62\x5d\x6c\x4f\x99\xca\xdb\x2f\xc1\xdf\x1d\xf8\x77\xa6\xc5\xee\x05\x64\x33\x49\x4b\xcc\x7d\xf9\x2f\x02\x39\xaf\xa2\xfe\x75\xff\x14\x1b\x2e\x74\x97\x5f\xb8\x0c\xf9\x57\xc5\x17\x37\x50\x59\xa6\xa0\x95\xd4\xb8\xa9\x17\xb7\x1d\x52\x0a\x36\x03\x66\x2d\xde\x20\xde\x7c\x73\x97\x94\xb6\xcc\xdd\x18\xfd\x54\xc0\x5c\xcc\x81\x44\x71\x89\x9c\x4d\x62\x14\xd8\x80\x5b\xef\x7b\xa4\xa4\xde\x0e\x02\xe5\x67\x5d\x5f\x80\x65\xcc\xb2\x24\x2d\x51\xeb\xa5\xcf\xe8\xef\x3c\xd7\x0b\x53\x2f\x9a\x0b\xc2\x2d\x9b\x64\x19\x3c\x79\xb6\xce\x46\x88\x90\xe6\xfc\x7f\x69\xae\x0c\xbd\x8e\x3a\x42\xae\x06\xfd\xa9\x8b\xfc\x7e\x04\x17\x16\x95\x9e\x5a\xee\x95\x11\x46\x43\xa3\x08\xc4\x33\xe4\x02\x91\xc5\x32\xff\xfe\xa7\xc8\x8d\xe8\xe5\x36\x11\x9a\xda\x3c\x52\x89\xc9\xc5\x7d\x1d\x47\xfa\x06\x26\xbe\xf3\x27\xfa\x8c\x19\x56\x76\x06\x64\xf9\x6a\x38\x53\x8a\x81\x88\x37\xe9\xc8\xa6\x6a\xcf\xa4\x2e\x01\xd5\x9f\xe3\x9a\x9c\x72\x61\xa7\x7d\xff\x5a\xc5\x09\x20\x5a\x25\xf7\xc7\xd5\x6b\x27\x5f\x65\x10\x7c\x3a\x4f\xd2\x6e\x8e\xdc\x67\x7e\xb9\xa4\xc9\x20\x80\x51\xe5\x21\xfb\x7c\x93\x2b\xdf\x60\xfd\x69\xd1\x0c\x92\xf9\xbe\x09\x2b\xd6\xee\xc6\x8d\x05\x97\x2f\x82\x00\x58\xc5\x31\xd1\x20\x68\xe4\x97\x5c\xcb\x0d\x4f\x03\xf8\x89\x37\xdc\x17\x89\x98\xa7\xd6\x8d\x43\x30\x79\xf5\x1d\xa4\x23\x9a\x5f\x5f\xd4\xa5\x63\xfe\x6a\x73\x82\x45\xfb\xca\x5e\x6b\x0b\xd8\x8a\xbb\xd6\xeb\x9f\xd8\x09\x31\x03\x6b\x02\x34\xcf\x66\x7a\x53\x40\xec\x16\x67\xc5\x78\x2d\xe6\x75\xab\x47\x86\x20\x18\xd9\x4a\xe8\xb7\xde\x93\x20\xd3\x81\xcb\x84\x3b\x1a\x88\x5d\xda\xf3\x1c\x35\x76\xf2\xce\xbb\x6a\xb9\x57\x6c\x33\x4d\x3d\x40\x1f\xa6\x16\x32\xdb\xa1\xe6\xcc\xec\x91\x5c\x45\x00\xf8\x6a\xc2\x89\xa1\xde\x65\x49\xf7\xea\x27\x6f\x9f\xf9\x00\x89\x68\xab\x31\xa7\xa6\x48\xec\xd6\xf3\x6e\xd1\x85\xaf\xb3\xe9\xb3\x4c\x92\x28\xe2\xd7\x26\x94\x4c\x33\x22\x7a\x9e\x3d\x77\xe4\xd5\xbe\x8b\xd8\x50\xf3\x10\xdd\xa0\xfb\xc3\x0a\xff\x3f\x5b\xf2\xf1\xea\x3e\xed\x0c\xe2\xff\x15\xa7\xc3\x13\xcd\x87\xa7\x9a\xdd\x3e\x29\x0c\x2e\xcd\x76\x4c\x45\x55\x20\xd5\x81\xe3\xaf\x9e\xbe\x2c\x56\xd1\xde\xef\xaf\xa8\x73\x1b\xfb\x49\x06\xb7\x4d\x13\xf2\x71\x20\x48\xb4\x1a\x51\x58\xcf\x3c\xdb\x81\x5c\xd8\xd6\x3c\x90\x12\x46\x86\xdf\xb5\x67\x34\x83\x4e\x15\x53\x4f\x2b\x8b\x7e\xe2\xb2\x24\xea\xf7\x95\x15\x02\x1d\xe3\x15\x61\x91\x67\x7c\xa7\xfb\x47\x67\x42\x92\xf4\xed\xed\x88\x7f\x3a\x63\xba\xaf\x56\x4e\x35\x8e\xe2\xdf\xdf\x12\x73\xb3\x73\xc3\xaa\xb4\x99\xf4\xbc\x54\x8e\xde\x75\x12\xb5\xe2\x2c\xbe\xd7\x61\x8b\x23\xbc\x64\xb4\x6c\x8e\x6f\xba\x9b\xfe\xaa\x96\x3b\x33\x5d\xe5\x8d\x0d\x8b\x66\x32\x4b\xa8\xf5\x92\x52\x9d\x12\x09\x4d\x22\x66\x81\x92\x96\xd3\x95\xe7\xb3\xb0\xb2\xe7\x15\xe7\xed\x73\xfa\x8e\x2a\x1e\x15\x11\x59\xed\x41\xec\xf7\x54\xf7\x3c\xf8\x21\x68\xdf\x08\x14\xaa\x0c\x6f\xd8\xb9\x98\x8d\x20\x8f\x66\xba\xdb\xb9\x0a\x54\xb7\xa9\xb3\x11\x83\x9c\xd6\xcb\xbf\x09\x28\x01\x37\x67\x7a\x98\x4d\xdf\x87\x95\x1a\x47\x13\xcd\xf7\xf4\x94\xfb\x54\xe5\x37\xd8\xf1\x62\x8d\x79\x4e\xef\x29\xed\x26\xe3\x13\x21\xac\x41\xb9\x37\x3d\xc1\xcd\x85\xe4\x82\xd7\xe7\xbd\x56\xba\xef\xbd\xa3\xe2\x05\xc2\xd4\x85\x51\x26\xda\xbd\x2e\x24\x44\x62\x14\xa6\x33\xeb\x31\x1c\xc4\x87\xb8\x63\xf1\x11\x59\x63\xa4\x21\xaf\xa6\x1a\xe4\x88\x32\xeb\xed\x5e\xae\xcd\xae\x72\xd2\x7d\xe0\xce\x76\x17\x36\xe1\xa7\x1b\xcc\xfd\x36\x1c\x2c\x9d\xfc\xe6\x19\x60\x9e\xbc\xa1\xa0\xd4\xd8\x63\x75\x46\x89\x1d\xf3\x8f\x25\x97\xea\xa1\x00\x7d\xb2\xd3\xf2\x0e\xf9\xa6\x56\x0c\x71\x63\xed\x1a\xe4\xb5\x5d\xea\x61\xc3\x1f\xbf\xd2\x88\x84\x60\x50\x6d\xbb\x7a\xf2\x6c\x17\x8c\xca\x34\xea\xd9\xde\x4f\x0b\x71\xa0\xf2\x16\xdf\x95\x8f\xe4\xf3\x85\xe2\xc5\x90\x8a\x5a\x55\xfd\xc0\x32\x2e\x2d\x97\x93\xf8\x8f\xb6\xad\x76\x6f\xfe\x8e\x17\xb6\x44\x96\x4b\x27\x49\xe5\x64\xab\xfe\x28\x69\x24\x16\xc6\x61\xa8\xce\x57\x0b\xaf\x46\x4d\x47\xa0\xf1\x28\x88\x88\x94\x9e\xe8\x0b\x4a\x62\x60\xd0\xc6\xb4\xf7\x54\x7f\xe0\x1d\xdc\x10\xda\xda\xed\x67\xf3\x9b\xe2\xa7\xa6\xf1\x21\xcf\xcc\xe4\x90\x29\xbc\xca\x23\xf7\xe4\x98\x54\x11\xb8\x16\xfb\x9b\x6b\xce\xab\x0c\xd1\x35\xcf\x71\xa7\xeb\x10\xc9\x71\x46\xb3\xf3\x42\xaa\xba\xfa\xac\x9c\x2c\x69\x0d\xcd\xfa\x46\xfc\x4d\x28\x86\x23\xce\x1d\x13\x85\xdd\xed\x99\x71\x5f\x35\x1f\x39\xb5\x8e\x0a\x75\x61\xce\x85\xda\x8e\x85\xee\xd6\xca\x8d\x4e\xeb\x9a\xa2\xbc\xb7\xcc\x77\x71\x6c\xaf\x84\x39\x3b\x3a\xcb\xb6\xfb\xd9\x3d\x5e\x26\x6f\x62\xd2\x34\x6d\x58\x86\xc3\xc5\x8e\xbd\x6f\x71\xda\x40\xe1\xe6\x77\xbe\xef\x21\x5b\x19\xa9\xdf\xe5\x2e\x08\x62\xd0\x6f\x28\x7c\x72\x40\xb4\x70\x95\x4c\xc0\x05\x71\xdc\x40\xc2\xd6\xfe\x95\x82\x91\xcd\x26\xfc\x28\xea\x60\x13\x95\x8d\x00\xb0\xa7\xf0\x19\x10\x33\xb2\x44\xa9\xcd\x14\x6b\xbe\x14\x49\x2e\x47\x99\xe9\xa2\x0a\x27\x69\xf0\x96\x91\x51\x55\x59\x4a\x63\xe3\xa5\x37\x43\xb0\x6e\x44\x72\x3d\x7f\x40\xf4\x56\x47\x31\x4a\x7b\xa9\x59\x20\x1d\x2a\x1d\x6b\x45\xf6\x5a\x49\x39\x83\x38\xaf\xc8\x20\xc7\x65\xad\x7f\xb7\x59\xa4\xa8\x40\x88\xe0\xca\xbe\x22\x09\xf7\xfc\x39\xe5\xe5\xdc\x17\x72\x13\xfb\xc1\x2c\x8f\x1f\xa8\x28\x40\x1b\x10\xe3\x94\x89\x6a\x80\x95\x76\xec\x11\x8a\xd7\x15\x04\x8c\x7f\x2f\x5a\x33\x17\xdb\xd2\xb2\x5d\x75\x95\xf6\xa1\xa1\x33\x1f\x97\x8d\x31\x3f\x64\x92\xbf\x81\xe7\xb7\x86\x8e\xd9\x84\xc4\x00\x71\xd2\x08\x54\x03\xa8\x3b\x98\x94\x81\x61\x49\xc6\x1b\xaf\xdb\x55\x3c\x31\x30\x3d\xf5\xcd\x1e\x6a\x0e\x28\xd8\x1a\x10\xd9\x43\x09\x46\xb3\x29\x72\x51\x22\xb1\x5a\x45\xf8\xff\xcc\xc5\xb6\x66\x32\xef\x9b\x3e\x62\x91\xb8\x80\x7d\x7c\x2e\xcf\x36\x1f\x9c\x33\xb2\x2e\xc1\xb4\xe9\xb1\xc1\x5d\x5b\x7f\x69\xd7\xe6\x3a\xfe\x29\xa9\x18\x02\xaf\x6c\x5b\x40\xc6\x09\x19\x70\x63\xce\xa2\xd2\xeb\x67\x92\x44\xad\xcd\x98\x1b\x71\x9f\xb9\x91\x23\x1a\x18\x10\x2b\xf4\xf3\xc3\x1d\x3a\xf4\xbe\x37\x56\x8b\x8e\x82\xc3\x3c\xa8\xe4\x38\xd9\xdc\x07\x6f\xe1\x7f\xf2\x1b\x9f\x92\x4c\x8d\x8a\x60\x65\x29\x41\x04\x6f\x08\x5d\x86\x1d\x33\x8d\x37\x6f\xba\xe9\x1f\x85\x46\x0c\x1b\x13\xe3\x8b\xfc\x5b\x72\xcf\x19\xed\x32\xd3\x4b\xf8\x5b\x2c\x13\x2c\x23\xc4\xc2\x51\x67\xbe\x36\x53\x68\xee\x0c\xb3\x81\x8a\x85\x6d\x51\x40\xde\x04\xf9\xae\x44\x5a\xbc\x2a\x3a\x96\xc2\x30\x23\xbe\xc3\x2b\x22\xe3\xb3\xee\xd7\x0c\x25\xaf\x8c\x1b\xc5\xfd\xd6\x73\x1f\xe4\xbf\x7d\x56\xa8\x1a\x3f\x22\x6a\x0e\x94\x42\x2d\xa5\xca\x31\xa6\xf3\x89\xf7\xf3\xc1\xbc\x3f\x87\x05\xde\x1d\xc0\xf6\x56\x55\x2a\xf4\x68\x4f\x3e\xc2\x35\xd5\x26\xcb\x64\xf1\x9a\x5a\x91\xe8\xa2\x91\x47\xe3\xf7\xe1\x31\x10\x7a\x13\x03\x5b\x36\x5a\x0d\x40\x18\xd0\xba\x85\x5d\xa9\x0b\x7f\xc0\x01\xfa\x12\xd6\x2a\x43\x52\x2f\x1c\x45\xa9\x3e\xde\x4c\x10\x84\xdb\xb1\x01\x9e\xbd\x46\x4b\x33\xc7\x88\xf1\x24\x68\x3f\x99\xa8\x66\x50\x26\xf5\xd8\x7b\xae\x95\x4e\xee\xc7\x68\x4c\x63\x1d\xe3\x88\x26\xaf\xcd\xe6\x1f\xc3\xf2\x38\x2e\x60\x7a\x78\xa5\x83\x07\x57\x61\xf5\xdd\xf4\x12\x33\xa7\x27\xa1\x5f\x75\x83\x1e\x72\x06\xb3\xb2\xe8\xab\xc0\x3a\x8e\xa7\xa3\x43\x70\x91\xc5\x59\x38\xbf\x16\xe5\x43\x5f\x48\x3f\xd9\xa3\x4e\xd8\x79\xdf\x65\x20\x09\xfc\xfc\x3b\xa6\x0a\x28\x7b\x2d\xf7\x7f\xe1\x36\xdc\x6d\x1c\x9d\xc2\x4b\xef\xf5\x6e\x88\x8e\x54\x97\xfb\x91\xa7\x33\xd5\x8b\xca\x73\x95\x21\xf7\xf1\xaf\xa4\xf9\x4a\xc1\xea\x3b\xc8\xd2\xcc\xe1\x68\x9e\xb3\xa3\x9b\x9b\xb8\x1f\x96\xe9\xac\x19\x64\x6c\x58\xa4\xeb\x72\xd4\x7f\x65\x3b\x4a\x28\xb4\xc2\xb4\x34\x09\x47\x22\x6f\x08\x54\xc4\x5f\x76\x6c\x1a\xe6\x5d\x63\x00\x71\xac\xf0\x4b\x89\x9d\x14\x67\xb4\x60\x57\xc3\x35\x76\x9c\x4d\xd2\x30\x77\xfa\x6b\x08\xa7\xcd\x44\xcb\x3f\xad\xaf\xfa\xd3\x34\xf0\x30\x09\x81\x58\xdf\x1e\xc8\x9d\xd7\x7f\x36\xa9\x5a\xb5\x8c\x08\x0f\x86\x01\xd9\x39\xbb\x2e\x14\x3e\xca\xe4\x78\xc0\xae\x46\xa7\x97\xe8\x81\x21\x84\x4d\x81\x29\x6d\x09\x42\x1f\x25\xe2\x7a\xbb\x3e\x35\x7f\xed\x43\xa4\x73\x3e\x33\xdd\x21\xd9\x0a\xb4\xaf\x3f\x77\xb3\x41\xc3\x5e\xa8\xd7\x22\x2f\x49\xdc\x24\xe9\x2e\xe2\x6f\x28\xb2\x12\x7f\xcc\xbf\xdd\x63\xe1\xfe\x24\x15\x90\x10\xa2\x3c\x88\x52\x92\xb5\x5c\x4b\x61\xa7\xa9\x06\x66\x64\x55\x59\x82\xe6\x57\x74\x4f\xe4\x28\x6c\xe5\xa1\x83\xea\x22\xcc\x46\x27\x21\xbf\x9e\x61\xfc\x78\xd5\xf2\xc8\x14\x04\x13\x31\xf0\x9a\x01\xa9\x58\xe2\xb6\x4c\x5a\x08\x26\xa5\x53\xa8\xb9\x94\xd6\x6d\xbe\x89\xfa\xa6\x40\x3b\xbe\x70\xad\xb3\x82\x3a\x1b\x55\x27\x6f\x08\x9b\x4b\x38\x57\xf0\xa4\xdb\x9e\x89\x15\xba\x0f\xea\x98\xb8\x81\x17\x75\xca\x4b\x95\x08\x89\x4d\xd7\x8d\x80\xa2\x0a\x9a\x9f\x89\x05\x4b\xab\xb1\xfa\xe3\x04\x50\x9c\x15\x84\xd4\x44\xa8\xae\xd1\xf5\x42\x6c\x78\x01\x0c\x8e\x8e\x9a\xd1\x7b\x89\x4f\xa5\xe3\xb8\xd6\xcf\x8a\x9a\x23\x1f\xd5\x96\x70\x94\xc7\x8c\x7b\x88\xf8\xc7\x04\x0b\x09\x84\xdf\xe8\x78\xbb\x29\x58\xca\x39\x91\xed\x8e\xff\xcc\xe2\x34\x8b\xc6\xab\x93\x75\xe0\xf8\xc1\x95\x43\x62\xcb\x3e\x69\x7a\xe0\x1c\xab\xb0\x66\x55\x81\x2c\xea\xb2\xea\xc9\x38\x3e\x04\xef\xc1\xd6\x0b\xec\x2f\x18\x8f\xae\xcf\x37\x3a\xe8\x12\xae\xda\x6e\x7c\xfb\x74\x07\xf3\x22\xc1\x33\x35\x89\x33\x4b\xcd\x72\x04\xee\x02\xad\x89\x67\x8f\xc2\x99\x71\x7c\xc1\x31\x7e\xb5\x31\x12\xd9\x51\x59\xc3\x8d\x92\xd0\x1a\x13\xbe\xee\x3e\x3c\xe6\x4a\x95\x00\xe6\x94\xd2\x53\xb7\x57\x5d\x37\xd2\xed\x59\x96\x80\x9b\x02\xc1\xc4\xa4\x85\xd4\xc0\xda\x6e\x84\x5e\xca\x35\x55\x93\xcf\x18\x46\x27\xdd\xfb\xa4\xdf\x25\x19\xbe\xed\x80\xc2\xc7\x3f\x89\xc8\x11\xa4\x46\xd3\x2f\xe2\x2f\xd5\x73\x3a\xc7\x7c\x87\x0f\x9c\x1e\x03\x73\x4b\xc4\x43\x16\xd1\xa3\x90\x76\x4c\x4f\xfd\x4f\x10\x68\x11\xcf\x57\xc9\xf6\x57\x8d\x87\x34\xd5\xf4\x9d\x91\x3c\xfb\xf2\xa8\x3b\x24\x83\x54\x1e\x6f\x91\x36\xd6\xbf\x7b\xae\xe8\x77\x02\xe4\xb1\xcb\xba\xf7\xdf\x3f\xf6\xa7\x3e\xff\x01\x3c\x28\x90\x08\xd2\xaf\x88\x16\xc3\x57\x7e\x84\x09\x59\x0a\xde\xe6\xa1\x74\x60\x0a\xa5\x16\x65\x96\xb4\xf6\x8d\x61\x43\x6b\x85\xc5\x49\xe2\x03\xcc\xde\xd5\x65\x48\x86\x2c\x5f\xc4\xf3\x82\x59\x27\xd6\x3a\x18\x31\x4f\x8d\x2f\xb1\x1e\x67\xf5\x45\x34\x0c\xbe\xf8\x24\x7f\x73\x73\xc2\x02\x8b\xb4\x05\x2b\xb4\xf7\x98\x04\x98\x47\x2d\x38\xaf\xb1\xe0\x0d\x60\xa8\x00\x96\xcd\xf0\x05\x92\x6c\xb1\x85\x60\x81\x0a\xe5\x76\x66\x7d\xaf\xc0\x67\x8d\x72\xe2\x39\x2e\x1e\x02\x63\x35\xf7\x83\x05\x68\x85\x57\x60\x70\xf0\xb3\x6a\x8c\x34\x41\x39\x22\x5f\x53\x32\xfc\x49\xc1\xe4\x58\xde\xa3\x66\xff\xeb\x2c\xf1\x2d\xe9\x67\xb5\x56\xa1\x38\x80\xca\x41\x14\x0d\x7e\x79\xfb\x56\x41\xf6\x44\x91\xc8\x79\x33\x19\xa2\x62\x7f\xa4\x40\x0a\x42\x0e\x90\xfa\x69\xa1\x59\x4c\xb6\x47\x49\x07\xc9\xa4\xac\xf6\x22\xf9\xf0\xc4\xb7\xc5\xa0\xee\xc0\x93\xb6\x71\x5e\xdd\x0c\x97\xb2\xd9\xa7\x56\x06\x01\x21\x8e\x77\x78\x4c\x97\xdd\xb1\xa4\x57\xd1\xf6\xbf\x85\x1f\x3b\xf2\x62\x3d\x2f\x0b\x1f\xf7\xc1\xe4\xb8\x5d\xba\x90\x0a\x37\x9d\x58\x46\xe7\x83\x96\x4a\x08\xb0\x16\xaf\x92\xcf\xe5\x9b\xfd\x26\xc3\x1d\x85\x93\x9f\x60\xd3\xd6\x6f\xfa\xb1\x8b\xaf\x13\xea\x47\x86\x71\x0b\x00\xbe\x25\xaf\x31\x4d\xef\x3c\xc0\x99\x61\x96\xba\x40\x35\x3d\x0c\x47\x70\x2d\x03\x3d\x46\x61\x58\xcd\x17\x73\xdd\xef\x96\x5d\xb9\xdf\x67\xfe\x1c\xf8\xb1\xdb\x86\xc3\xe2\x4a\x71\x34\x02\xba\x7d\x79\x19\x79\xb4\x6d\xca\x1a\xc2\xdf\xeb\xc3\x0f\x1a\x43\xa0\xfc\x30\x81\xe8\xaa\x7c\x00\x04\x08\x3a\x4b\x03\x2c\x35\x3e\x70\x2a\x94\x7c\x80\x1a\x65\x79\x89\x6c\x8a\x8f\xc5\x5e\xdf\x38\xd8\x18\x31\xc7\x03\xd0\xc8\x2d\xeb\xe5\x98\xc0\xbd\x2f\x99\xde\x66\x50\x21\x06\x34\x16\x36\xca\x9e\xbc\x1a\x3e\x0b\x03\x98\x51\xca\xee\xce\x0b\xc9\x6c\x9e\x3e\xef\x1c\xb3\x03\xf4\x54\xe4\x6e\x30\xe6\x50\x01\x7c\xfc\x20\x2d\x53\x69\xd2\x3c\x6a\x4b\x85\xeb\x3a\x66\x4e\x2b\x95\xcb\x71\xb2\x0e\x31\x11\x3d\x83\xd1\x30\x1c\xe5\x27\xc4\x0a\x39\x48\x5a\xdd\x09\xfb\x4b\x49\x87\x45\x58\x70\x09\xd4\x52\xa5\xb0\x9b\xc3\x57\x2d\xb3\xbf\x3b\x28\x5a\xb9\x78\xeb\xaf\x4a\x3a\xf0\x73\x32\x3f\x59\x92\xbb\x63\x0b\xf4\xfb\xcc\xd1\xc1\x8e\xd5\x54\x4c\x55\xb3\xd1\xa3\xe2\x6e\x05\xdb\x7c\x7e\x60\xa5\x70\x17\x0c\xd0\xef\x9f\x77\xa4\x74\x2c\x6e\x2c\x08\xf3\xf2\xf8\xcd\x66\xdd\x5a\xe6\x0b\x19\xb5\xfe\xfb\xd7\x2d\x5e\x57\x14\x9c\x76\x0b\x74\xac\x80\x5e\x57\x4d\x8f\xf1\x2a\x8c\x12\xce\xbc\x72\xe1\x3c\x0e\xbe\x3f\x39\x38\x0a\x93\xf2\x9b\xc7\xfb\x5e\x28\x94\x8f\x9e\xe2\xac\x05\x6f\xb4\xc0\x37\x8f\x9d\x41\x51\x73\xf9\x61\xbb\x79\x1a\xb5\xdd\xfd\xd2\xed\x71\x68\x02\x87\x66\x98\xc7\xa9\x55\x3a\x5f\xce\x4b\xf1\x61\x0e\xad\x50\xb1\x99\xe0\x2c\xcb\xd2\x6e\x00\x02\x45\x64\x47\x7c\x55\x4a\x5f\xf5\x0e\xe5\x0b\x97\x9d\x0c\xb4\x20\x2b\xa6\x03\x46\x1d\x34\x26\xf0\x6f\x4d\x00\xd4\xab\x84\x2d\xc5\x2c\x3b\xb6\x3e\x11\x7e\x1c\xc9\xbf\x09\xc4\x06\xc1\x86\xd3\xa4\x10\x9a\xd7\xed\xa0\xfc\xc1\x64\x9c\x54\x7b\x3b\x20\xeb\xe2\x6e\x2d\x81\x80\xae\x5e\x4f\x48\xa2\xe7\xfa\x45\x52\xc8\xd8\x31\x65\xc3\xea\x74\x16\x43\x28\x95\x43\xec\x56\x87\x7c\x56\x18\x77\x75\xc6\x7d\x9c\x17\x2b\x5b\x9e\x7c\x83\x8e\x19\x55\x62\xb2\xf5\x0b\xb0\x86\xef\x49\x5a\x9c\x27\xf0\x7f\xfb\xf1\xf9\xb6\xf0\x5e\x47\x6f\xec\x2d\x96\x9a\x88\xff\xf5\xd3\x6d\x2e\xe6\x73\x23\x0d\x79\x94\x57\x98\xc2\x61\x9d\x4b\x0f\x5e\x27\x32\xc5\xa9\xad\x3a\xbc\xb9\xc6\x11\x98\x67\x68\x2b\xf2\x0f\x1b\xc9\x87\xa9\x69\x2b\x43\xea\xf1\x98\xe4\xc0\x0b\x05\xfc\xf9\xbb\xd6\xd0\x61\x33\x53\xbc\x19\x04\x51\x55\x16\xd3\xaf\x2d\x1c\xef\x4f\xfe\xc7\x91\xd9\xfd\xf2\x77\x9d\xf4\xc9\x14\xcb\x8f\xf4\x0e\xe2\xe1\xbe\xdf\x97\x4e\xf9\x5b\x97\x3f\x9a\x5b\x35\xb5\x61\x5e\xd6\x07\x98\xc2\x8f\x4f\x8a\xb0\x8e\x88\x81\x01\x5b\xaf\x88\xf9\x72\x99\x85\xce\x05\x6b\xad\xbd\x88\xb1\xfa\x6f\x44\x0a\xf1\xcf\x1e\x38\x12\x43\x9b\x04\x40\x8c\xc5\x9f\x4a\x6d\xbe\x3c\xe4\xa4\x43\xc4\x76\x04\x0a\xd0\x18\xdd\x82\x8a\x0a\xff\x7f\x97\x24\x72\x08\x7e\x4d\xc5\xfd\xe2\x32\xf6\x55\x78\x1d\xfc\x42\x2c\xe4\x02\xa9\xc0\x36\x43\x6f\x7e\x20\x11\x9e\xdf\x27\xec\x00\xed\x99\xdb\xc5\xa6\xd0\x9d\x6b\xfd\xd3\xa6\x0a\xed\x38\xed\x14\xa7\x81\x20\xd3\x5e\x84\x8f\xdc\x01\x2e\xf1\xd5\x59\xae\x04\xe6\xc4\xdc\xca\xbd\xd7\x9e\x5d\x4c\x8d\xab\x90\x1b\x58\x31\x69\x66\xa2\x15\xd4\x58\x07\x24\x6d\x7b\x62\xaa\xee\x76\x0c\xfc\x5d\x90\x7b\xd4\xee\x2c\xd7\x49\xb8\x6d\x5b\x67\x9c\x40\x96\x68\xd7\xf3\x4a\x7a\xbf\xa8\x95\x34\x9f\xb9\xd9\xeb\x47\x65\xc9\xd3\x9f\x20\x1c\x40\x7b\x0d\x5a\x89\xb3\xe6\x82\x16\x96\xd0\x0d\xe3\xb1\xef\x71\x4a\x7f\x25\x9d\xd9\x4e\x1a\xc7\x07\x42\x1e\x4b\xa4\xfb\x34\x5f\xb5\x71\xa7\x85\x1b\x9b\x24\xc7\xee\x58\x5d\xe4\x10\x7a\xde\xa3\x28\xe9\xc0\x11\x8c\x9c\xe6\x26\x52\xa6\x49\x40\xd6\x38\x19\xa7\x0b\x72\x6e\x88\x51\xd5\xeb\x67\x3e\x98\xd3\x3b\xb3\xc6\xca\x62\xbe\x55\x51\xcf\xd4\xff\xa0\xe9\x35\x95\xca\x43\x87\x7c\xd8\x89\x0e\xe0\x0d\x0e\x10\x91\x43\xb2\xeb\x0c\x14\xd5\x41\xeb\x9a\xd1\x1c\xc0\x8b\x91\x19\x4f\x51\x5a\x44\x79\xc4\xcf\x33\x3c\x09\x85\x38\x42\xcd\xd7\x54\x14\xe7\xb7\xd6\x88\x91\x42\xc2\x99\x9d\xc0\xe8\x98\x6b\x6a\x3a\xc6\xe0\xb3\xc0\x30\xc9\x43\xe9\x85\xfe\xca\x92\x7d\xc9\x53\x16\x70\xa2\x3d\xc9\x11\x72\xac\x8d\x77\x9d\x9a\xce\xc6\xa7\x97\x14\xd0\xa0\xb1\x61\x1b\x23\x60\x37\x97\xe2\x22\x8c\x8d\xb7\x70\x6b\x38\xb0\x08\xa8\x32\x37\xf2\x8e\xd4\xf4\x56\x12\xdd\x9e\x68\x5c\xcc\x22\x79\xc8\x62\xce\x2c\xd7\x4e\x33\x26\xab\xd9\xdb\x1a\x8e\xf7\x11\x8c\xfc\x82\xdb\x16\x09\xbe\xc2\x2d\xd0\x50\x2a\x4d\xc3\x2c\x26\x9b\xdd\xe8\x4a\x9e\xe5\xb1\x7a\xdb\x45\xc0\x12\x70\x6e\x66\x04\x7d\xc3\x60\x5d\xa9\xf1\x69\xe2\x0c\x73\xc7\xf7\x64\x72\x01\x29\xac\x00\xb2\xae\xfb\x69\x81\x2d\x72\xff\x64\xd5\x87\x4f\xce\x5a\xca\x4d\xf6\x8b\x78\xe7\xcc\xec\xb3\x5a\xa7\x6b\x5e\x76\x7a\xe3\x94\xb4\x1b\xef\xf8\x6d\x10\x70\xb2\x11\x57\xcf\x34\x35\x9a\x16\x7b\x7d\xea\x68\xab\xdd\x22\x48\x78\xce\x3d\x38\x18\x35\x8b\x92\xa5\x2e\x4f\x31\x3b\xa3\xdf\xb8\xd9\x7d\x87\xdc\xfb\x39\xff\x43\x8b\xda\xcd\x7a\x8a\x4f\x8c\x79\xd2\x45\xe4\xb1\x6f\x42\x63\x4d\x5c\xb6\x3d\x61\x2b\xa9\xf0\x19\xb6\xc0\x6c\xbe\x52\x23\xf2\x4c\x44\xd2\xe1\x6d\x8e\xe4\xfe\xcb\xfd\x94\x1b\x24\x8b\xb6\xeb\x63\xe0\x13\x6d\xc8\x2b\x9d\xf7\x4e\xff\x1e\xbf\x9f\x04\x2d\xc9\x16\x6a\x64\x4e\xb8\x4b\x44\x45\x35\x87\xc4\x05\x16\x4f\x22\x1b\xdc\x4f\xfb\x51\xc2\x6d\x1c\xd1\x82\x8f\x69\xed\xfe\xba\xdb\xaf\xd5\xe0\x3d\x26\xbb\x6d\xce\xf5\xd4\xc6\xc7\xcf\x51\x2e\x75\x76\x09\xc9\xe5\x2a\xbc\x42\xf2\x0d\x6b\x18\xc8\x1b\x5b\xec\x2d\x5a\xaf\x54\x6f\x1e\xda\xec\x29\x1a\x7a\x18\x28\x54\x99\x11\x5d\xfd\x75\x31\x9e\x9b\x61\x02\x03\x0a\xab\x5c\x09\x95\xf6\xfa\xea\x2f\x29\xfa\x41\xe7\xd5\x82\x8b\xfa\x59\xfb\xfb\x18\x1f\x96\x00\x4a\x67\x33\x6f\x98\xba\x0b\xad\xd7\x2d\xbe\xd7\x31\x9f\x96\xc1\xbf\x8f\xd4\x3d\x1c\x0b\xdf\x65\xcf\x24\x42\x47\x58\x6b\xf9\xf4\xcb\x31\x05\xb8\xc3\x03\x88\xd6\x78\x48\xc1\xa2\x86\x7f\xb4\x16\xe4\xd5\x4b\x30\xf4\xb2\x58\xcf\x60\x5a\xeb\x72\xb9\xed\x04\xd3\xee\x73\x02\xc2\xe2\xb3\x3c\x4a\xfe\x3f\x88\xf3\xdc\x97\xc1\xcb\x1b\x0e\xa8\x3c\xfe\x5d\x14\xec\x93\x51\x03\x59\xa3\x24\xb5\x4a\x53\xc7\x4a\xcd\xf9\x19\x1f\x86\x84\xec\x2f\x43\xec\x6a\xcc\x0b\x67\x2b\x3b\xb5\x13\x21\x72\xa6\x87\x94\x41", 8192); *(uint64_t*)0x200000005c40 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x50; *(uint32_t*)0x200000002c44 = 0; *(uint64_t*)0x200000002c48 = 3; *(uint32_t*)0x200000002c50 = 7; *(uint32_t*)0x200000002c54 = 0x2d; *(uint32_t*)0x200000002c58 = 9; *(uint32_t*)0x200000002c5c = 0xa; *(uint16_t*)0x200000002c60 = 6; *(uint16_t*)0x200000002c62 = 0; *(uint32_t*)0x200000002c64 = 9; *(uint32_t*)0x200000002c68 = 0x57b; *(uint16_t*)0x200000002c6c = 0; *(uint16_t*)0x200000002c6e = 0; *(uint32_t*)0x200000002c70 = 2; *(uint32_t*)0x200000002c74 = 7; memset((void*)0x200000002c78, 0, 24); *(uint64_t*)0x200000005c48 = 0x200000002cc0; *(uint32_t*)0x200000002cc0 = 0x18; *(uint32_t*)0x200000002cc4 = 0; *(uint64_t*)0x200000002cc8 = 8; *(uint64_t*)0x200000002cd0 = 6; *(uint64_t*)0x200000005c50 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0x18; *(uint32_t*)0x200000002d04 = 0; *(uint64_t*)0x200000002d08 = 0xa; *(uint64_t*)0x200000002d10 = 1; *(uint64_t*)0x200000005c58 = 0x200000002d40; *(uint32_t*)0x200000002d40 = 0x18; *(uint32_t*)0x200000002d44 = 0; *(uint64_t*)0x200000002d48 = -1; *(uint32_t*)0x200000002d50 = 6; *(uint32_t*)0x200000002d54 = 0; *(uint64_t*)0x200000005c60 = 0x200000002d80; *(uint32_t*)0x200000002d80 = 0x18; *(uint32_t*)0x200000002d84 = 0; *(uint64_t*)0x200000002d88 = 0x80000001; *(uint32_t*)0x200000002d90 = 3; *(uint32_t*)0x200000002d94 = 0; *(uint64_t*)0x200000005c68 = 0x200000002dc0; *(uint32_t*)0x200000002dc0 = 0x28; *(uint32_t*)0x200000002dc4 = 0xfffffffe; *(uint64_t*)0x200000002dc8 = 6; *(uint64_t*)0x200000002dd0 = 9; *(uint64_t*)0x200000002dd8 = 1; *(uint32_t*)0x200000002de0 = 2; *(uint32_t*)0x200000002de4 = r[5]; *(uint64_t*)0x200000005c70 = 0x200000002e00; *(uint32_t*)0x200000002e00 = 0x60; *(uint32_t*)0x200000002e04 = 0xffffffda; *(uint64_t*)0x200000002e08 = 0xfff; *(uint64_t*)0x200000002e10 = 5; *(uint64_t*)0x200000002e18 = 0; *(uint64_t*)0x200000002e20 = 3; *(uint64_t*)0x200000002e28 = 1; *(uint64_t*)0x200000002e30 = 0x100; *(uint32_t*)0x200000002e38 = 8; *(uint32_t*)0x200000002e3c = 4; *(uint32_t*)0x200000002e40 = 4; *(uint32_t*)0x200000002e44 = 0; memset((void*)0x200000002e48, 0, 24); *(uint64_t*)0x200000005c78 = 0x200000002e80; *(uint32_t*)0x200000002e80 = 0x18; *(uint32_t*)0x200000002e84 = 0; *(uint64_t*)0x200000002e88 = 5; *(uint32_t*)0x200000002e90 = 1; *(uint32_t*)0x200000002e94 = 0; *(uint64_t*)0x200000005c80 = 0x200000002ec0; *(uint32_t*)0x200000002ec0 = 0x12; *(uint32_t*)0x200000002ec4 = 0; *(uint64_t*)0x200000002ec8 = 0x93; memcpy((void*)0x200000002ed0, "-\000", 2); *(uint64_t*)0x200000005c88 = 0x200000002f00; *(uint32_t*)0x200000002f00 = 0x20; *(uint32_t*)0x200000002f04 = 0; *(uint64_t*)0x200000002f08 = 3; *(uint64_t*)0x200000002f10 = 0; *(uint32_t*)0x200000002f18 = 5; *(uint32_t*)0x200000002f1c = 0; *(uint64_t*)0x200000005c90 = 0x200000003140; *(uint32_t*)0x200000003140 = 0x78; *(uint32_t*)0x200000003144 = 0xffffffda; *(uint64_t*)0x200000003148 = 2; *(uint64_t*)0x200000003150 = 5; *(uint32_t*)0x200000003158 = 0x30c; *(uint32_t*)0x20000000315c = 0; *(uint64_t*)0x200000003160 = 3; *(uint64_t*)0x200000003168 = 0x1ff; *(uint64_t*)0x200000003170 = 6; *(uint64_t*)0x200000003178 = 8; *(uint64_t*)0x200000003180 = 3; *(uint64_t*)0x200000003188 = 0; *(uint32_t*)0x200000003190 = 0x400; *(uint32_t*)0x200000003194 = 0x400; *(uint32_t*)0x200000003198 = 0x362b; *(uint32_t*)0x20000000319c = 0x2000; *(uint32_t*)0x2000000031a0 = 5; *(uint32_t*)0x2000000031a4 = r[8]; *(uint32_t*)0x2000000031a8 = r[9]; *(uint32_t*)0x2000000031ac = 0; *(uint32_t*)0x2000000031b0 = 2; *(uint32_t*)0x2000000031b4 = 0; *(uint64_t*)0x200000005c98 = 0x200000003240; *(uint32_t*)0x200000003240 = 0x90; *(uint32_t*)0x200000003244 = 0; *(uint64_t*)0x200000003248 = 0x8001; *(uint64_t*)0x200000003250 = 2; *(uint64_t*)0x200000003258 = 1; *(uint64_t*)0x200000003260 = 0x7fffffff; *(uint64_t*)0x200000003268 = 9; *(uint32_t*)0x200000003270 = 0xc0; *(uint32_t*)0x200000003274 = 7; *(uint64_t*)0x200000003278 = 1; *(uint64_t*)0x200000003280 = 0xffffffff; *(uint64_t*)0x200000003288 = 8; *(uint64_t*)0x200000003290 = 7; *(uint64_t*)0x200000003298 = 0xfffffffffffff801; *(uint64_t*)0x2000000032a0 = 2; *(uint32_t*)0x2000000032a8 = 8; *(uint32_t*)0x2000000032ac = 0x1ee; *(uint32_t*)0x2000000032b0 = 0xff; *(uint32_t*)0x2000000032b4 = 0xc000; *(uint32_t*)0x2000000032b8 = 0xf; *(uint32_t*)0x2000000032bc = r[10]; *(uint32_t*)0x2000000032c0 = 0; *(uint32_t*)0x2000000032c4 = 0xac; *(uint32_t*)0x2000000032c8 = 4; *(uint32_t*)0x2000000032cc = 0; *(uint64_t*)0x200000005ca0 = 0x200000003300; *(uint32_t*)0x200000003300 = 0xb8; *(uint32_t*)0x200000003304 = 0; *(uint64_t*)0x200000003308 = 4; *(uint64_t*)0x200000003310 = 1; *(uint64_t*)0x200000003318 = 2; *(uint32_t*)0x200000003320 = 1; *(uint32_t*)0x200000003324 = 0x101; memset((void*)0x200000003328, 123, 1); *(uint64_t*)0x200000003330 = 6; *(uint64_t*)0x200000003338 = 8; *(uint32_t*)0x200000003340 = 0x12; *(uint32_t*)0x200000003344 = 0xffd; memcpy((void*)0x200000003348, "./cgroup.net/syz1\000", 18); *(uint64_t*)0x200000003360 = 2; *(uint64_t*)0x200000003368 = 2; *(uint32_t*)0x200000003370 = 4; *(uint32_t*)0x200000003374 = 0; memcpy((void*)0x200000003378, "!\']!", 4); *(uint64_t*)0x200000003380 = 2; *(uint64_t*)0x200000003388 = 0; *(uint32_t*)0x200000003390 = 0; *(uint32_t*)0x200000003394 = 0; *(uint64_t*)0x200000003398 = 6; *(uint64_t*)0x2000000033a0 = 0x400; *(uint32_t*)0x2000000033a8 = 4; *(uint32_t*)0x2000000033ac = 0x3006bd82; memcpy((void*)0x2000000033b0, "\322}$/", 4); *(uint64_t*)0x200000005ca8 = 0x200000004f40; *(uint32_t*)0x200000004f40 = 0x538; *(uint32_t*)0x200000004f44 = 0; *(uint64_t*)0x200000004f48 = 0x200; *(uint64_t*)0x200000004f50 = 4; *(uint64_t*)0x200000004f58 = 0; *(uint64_t*)0x200000004f60 = 8; *(uint64_t*)0x200000004f68 = 0xe9; *(uint32_t*)0x200000004f70 = 8; *(uint32_t*)0x200000004f74 = 0x8f62; *(uint64_t*)0x200000004f78 = 6; *(uint64_t*)0x200000004f80 = 9; *(uint64_t*)0x200000004f88 = 0xffffffff; *(uint64_t*)0x200000004f90 = 0x9b; *(uint64_t*)0x200000004f98 = 0; *(uint64_t*)0x200000004fa0 = 0x8000; *(uint32_t*)0x200000004fa8 = 0; *(uint32_t*)0x200000004fac = 0x400; *(uint32_t*)0x200000004fb0 = 0xef0; *(uint32_t*)0x200000004fb4 = 0xa000; *(uint32_t*)0x200000004fb8 = 0x10; *(uint32_t*)0x200000004fbc = r[11]; *(uint32_t*)0x200000004fc0 = r[13]; *(uint32_t*)0x200000004fc4 = 3; *(uint32_t*)0x200000004fc8 = 3; *(uint32_t*)0x200000004fcc = 0; *(uint64_t*)0x200000004fd0 = 2; *(uint64_t*)0x200000004fd8 = 0x9f3; *(uint32_t*)0x200000004fe0 = 5; *(uint32_t*)0x200000004fe4 = 4; memset((void*)0x200000004fe8, 170, 5); *(uint64_t*)0x200000004ff0 = 4; *(uint64_t*)0x200000004ff8 = 1; *(uint64_t*)0x200000005000 = 1; *(uint64_t*)0x200000005008 = 2; *(uint32_t*)0x200000005010 = 0x100; *(uint32_t*)0x200000005014 = 0xdde0; *(uint64_t*)0x200000005018 = 3; *(uint64_t*)0x200000005020 = 0x401; *(uint64_t*)0x200000005028 = 5; *(uint64_t*)0x200000005030 = 0xef; *(uint64_t*)0x200000005038 = 4; *(uint64_t*)0x200000005040 = 0xff; *(uint32_t*)0x200000005048 = 0xf; *(uint32_t*)0x20000000504c = 0x94; *(uint32_t*)0x200000005050 = 4; *(uint32_t*)0x200000005054 = 0x6000; *(uint32_t*)0x200000005058 = 0x4a; *(uint32_t*)0x20000000505c = r[14]; *(uint32_t*)0x200000005060 = r[15]; *(uint32_t*)0x200000005064 = 0x40; *(uint32_t*)0x200000005068 = 0x81; *(uint32_t*)0x20000000506c = 0; *(uint64_t*)0x200000005070 = 0; *(uint64_t*)0x200000005078 = 2; *(uint32_t*)0x200000005080 = 6; *(uint32_t*)0x200000005084 = 0xf; memset((void*)0x200000005088, 1, 6); *(uint64_t*)0x200000005090 = 3; *(uint64_t*)0x200000005098 = 2; *(uint64_t*)0x2000000050a0 = 3; *(uint64_t*)0x2000000050a8 = 0x7b; *(uint32_t*)0x2000000050b0 = 3; *(uint32_t*)0x2000000050b4 = 0; *(uint64_t*)0x2000000050b8 = 4; *(uint64_t*)0x2000000050c0 = 9; *(uint64_t*)0x2000000050c8 = 0x692c; *(uint64_t*)0x2000000050d0 = 7; *(uint64_t*)0x2000000050d8 = 3; *(uint64_t*)0x2000000050e0 = 0; *(uint32_t*)0x2000000050e8 = 0x80000000; *(uint32_t*)0x2000000050ec = 2; *(uint32_t*)0x2000000050f0 = 6; *(uint32_t*)0x2000000050f4 = 0x6000; *(uint32_t*)0x2000000050f8 = 0; *(uint32_t*)0x2000000050fc = r[17]; *(uint32_t*)0x200000005100 = r[18]; *(uint32_t*)0x200000005104 = 0xfffffbff; *(uint32_t*)0x200000005108 = 0; *(uint32_t*)0x20000000510c = 0; *(uint64_t*)0x200000005110 = 1; *(uint64_t*)0x200000005118 = 0x100000000; *(uint32_t*)0x200000005120 = 0x12; *(uint32_t*)0x200000005124 = 0; memcpy((void*)0x200000005128, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005140 = 6; *(uint64_t*)0x200000005148 = 1; *(uint64_t*)0x200000005150 = 0x80000000; *(uint64_t*)0x200000005158 = 1; *(uint32_t*)0x200000005160 = 9; *(uint32_t*)0x200000005164 = 9; *(uint64_t*)0x200000005168 = 4; *(uint64_t*)0x200000005170 = 0x400; *(uint64_t*)0x200000005178 = 9; *(uint64_t*)0x200000005180 = 9; *(uint64_t*)0x200000005188 = 0x4c4; *(uint64_t*)0x200000005190 = 0xc; *(uint32_t*)0x200000005198 = 0x8000; *(uint32_t*)0x20000000519c = 0; *(uint32_t*)0x2000000051a0 = 0xf; *(uint32_t*)0x2000000051a4 = 0xc000; *(uint32_t*)0x2000000051a8 = 6; *(uint32_t*)0x2000000051ac = r[20]; *(uint32_t*)0x2000000051b0 = r[21]; *(uint32_t*)0x2000000051b4 = 0x99df; *(uint32_t*)0x2000000051b8 = 2; *(uint32_t*)0x2000000051bc = 0; *(uint64_t*)0x2000000051c0 = 5; *(uint64_t*)0x2000000051c8 = 8; *(uint32_t*)0x2000000051d0 = 0x12; *(uint32_t*)0x2000000051d4 = 2; memcpy((void*)0x2000000051d8, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x2000000051f0 = 5; *(uint64_t*)0x2000000051f8 = 1; *(uint64_t*)0x200000005200 = 4; *(uint64_t*)0x200000005208 = 0xffffffff; *(uint32_t*)0x200000005210 = 0; *(uint32_t*)0x200000005214 = 6; *(uint64_t*)0x200000005218 = 3; *(uint64_t*)0x200000005220 = 0; *(uint64_t*)0x200000005228 = 9; *(uint64_t*)0x200000005230 = 0x2c3d; *(uint64_t*)0x200000005238 = 6; *(uint64_t*)0x200000005240 = 0x479; *(uint32_t*)0x200000005248 = 6; *(uint32_t*)0x20000000524c = 5; *(uint32_t*)0x200000005250 = 0x7aa; *(uint32_t*)0x200000005254 = 0x2000; *(uint32_t*)0x200000005258 = 0x4a0b; *(uint32_t*)0x20000000525c = r[22]; *(uint32_t*)0x200000005260 = 0; *(uint32_t*)0x200000005264 = 0xffff; *(uint32_t*)0x200000005268 = 8; *(uint32_t*)0x20000000526c = 0; *(uint64_t*)0x200000005270 = 3; *(uint64_t*)0x200000005278 = 9; *(uint32_t*)0x200000005280 = 1; *(uint32_t*)0x200000005284 = 0x1ff; memset((void*)0x200000005288, 36, 1); *(uint64_t*)0x200000005290 = 5; *(uint64_t*)0x200000005298 = 1; *(uint64_t*)0x2000000052a0 = 0x10000; *(uint64_t*)0x2000000052a8 = 0xd; *(uint32_t*)0x2000000052b0 = 1; *(uint32_t*)0x2000000052b4 = 5; *(uint64_t*)0x2000000052b8 = 3; *(uint64_t*)0x2000000052c0 = 0xa967; *(uint64_t*)0x2000000052c8 = 3; *(uint64_t*)0x2000000052d0 = 0; *(uint64_t*)0x2000000052d8 = 0x200; *(uint64_t*)0x2000000052e0 = 0x8b8; *(uint32_t*)0x2000000052e8 = 8; *(uint32_t*)0x2000000052ec = 1; *(uint32_t*)0x2000000052f0 = 6; *(uint32_t*)0x2000000052f4 = 0x4000; *(uint32_t*)0x2000000052f8 = 8; *(uint32_t*)0x2000000052fc = 0xee00; *(uint32_t*)0x200000005300 = 0; *(uint32_t*)0x200000005304 = 2; *(uint32_t*)0x200000005308 = 1; *(uint32_t*)0x20000000530c = 0; *(uint64_t*)0x200000005310 = 3; *(uint64_t*)0x200000005318 = 0; *(uint32_t*)0x200000005320 = 0x12; *(uint32_t*)0x200000005324 = 5; memcpy((void*)0x200000005328, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005340 = 3; *(uint64_t*)0x200000005348 = 3; *(uint64_t*)0x200000005350 = 2; *(uint64_t*)0x200000005358 = 0x3d5; *(uint32_t*)0x200000005360 = 0; *(uint32_t*)0x200000005364 = 0x1000; *(uint64_t*)0x200000005368 = 4; *(uint64_t*)0x200000005370 = 5; *(uint64_t*)0x200000005378 = 0; *(uint64_t*)0x200000005380 = 2; *(uint64_t*)0x200000005388 = 0x7f; *(uint64_t*)0x200000005390 = 0xd; *(uint32_t*)0x200000005398 = 0xfffffffa; *(uint32_t*)0x20000000539c = 0x117; *(uint32_t*)0x2000000053a0 = 6; *(uint32_t*)0x2000000053a4 = 0x2000; *(uint32_t*)0x2000000053a8 = 0x3ff; *(uint32_t*)0x2000000053ac = r[23]; *(uint32_t*)0x2000000053b0 = r[24]; *(uint32_t*)0x2000000053b4 = 0xb737; *(uint32_t*)0x2000000053b8 = 0xd; *(uint32_t*)0x2000000053bc = 0; *(uint64_t*)0x2000000053c0 = 5; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff8; *(uint32_t*)0x2000000053d0 = 6; *(uint32_t*)0x2000000053d4 = 8; memset((void*)0x2000000053d8, 255, 6); *(uint64_t*)0x2000000053e0 = 5; *(uint64_t*)0x2000000053e8 = 3; *(uint64_t*)0x2000000053f0 = 8; *(uint64_t*)0x2000000053f8 = 0xd; *(uint32_t*)0x200000005400 = 0x8000; *(uint32_t*)0x200000005404 = 0x7ff; *(uint64_t*)0x200000005408 = 1; *(uint64_t*)0x200000005410 = 5; *(uint64_t*)0x200000005418 = 4; *(uint64_t*)0x200000005420 = 0xfffffffffffffffd; *(uint64_t*)0x200000005428 = 0; *(uint64_t*)0x200000005430 = 0xd; *(uint32_t*)0x200000005438 = 7; *(uint32_t*)0x20000000543c = 4; *(uint32_t*)0x200000005440 = 0xef; *(uint32_t*)0x200000005444 = 0x8000; *(uint32_t*)0x200000005448 = 7; *(uint32_t*)0x20000000544c = r[25]; *(uint32_t*)0x200000005450 = r[26]; *(uint32_t*)0x200000005454 = 8; *(uint32_t*)0x200000005458 = 3; *(uint32_t*)0x20000000545c = 0; *(uint64_t*)0x200000005460 = 2; *(uint64_t*)0x200000005468 = 1; *(uint32_t*)0x200000005470 = 0; *(uint32_t*)0x200000005474 = 7; *(uint64_t*)0x200000005cb0 = 0x200000005700; *(uint32_t*)0x200000005700 = 0xa0; *(uint32_t*)0x200000005704 = 0; *(uint64_t*)0x200000005708 = 0x73f5b767; *(uint64_t*)0x200000005710 = 5; *(uint64_t*)0x200000005718 = 2; *(uint64_t*)0x200000005720 = 5; *(uint64_t*)0x200000005728 = 0x8001; *(uint32_t*)0x200000005730 = 0x4c3; *(uint32_t*)0x200000005734 = 2; *(uint64_t*)0x200000005738 = 5; *(uint64_t*)0x200000005740 = 7; *(uint64_t*)0x200000005748 = 0x800; *(uint64_t*)0x200000005750 = 5; *(uint64_t*)0x200000005758 = 0xa; *(uint64_t*)0x200000005760 = 0x1000; *(uint32_t*)0x200000005768 = 0x7f; *(uint32_t*)0x20000000576c = 9; *(uint32_t*)0x200000005770 = 6; *(uint32_t*)0x200000005774 = 0x1000; *(uint32_t*)0x200000005778 = 0; *(uint32_t*)0x20000000577c = r[27]; *(uint32_t*)0x200000005780 = -1; *(uint32_t*)0x200000005784 = 8; *(uint32_t*)0x200000005788 = 0x18; *(uint32_t*)0x20000000578c = 0; *(uint64_t*)0x200000005790 = 0; *(uint32_t*)0x200000005798 = 0xb; *(uint32_t*)0x20000000579c = 0; *(uint64_t*)0x200000005cb8 = 0x2000000057c0; *(uint32_t*)0x2000000057c0 = 0x20; *(uint32_t*)0x2000000057c4 = 0xfffffff5; *(uint64_t*)0x2000000057c8 = 0x100000001; *(uint32_t*)0x2000000057d0 = 1; *(uint32_t*)0x2000000057d4 = 0; *(uint32_t*)0x2000000057d8 = 9; *(uint32_t*)0x2000000057dc = 0x40000000; *(uint64_t*)0x200000005cc0 = 0x200000005b00; *(uint32_t*)0x200000005b00 = 0x130; *(uint32_t*)0x200000005b04 = 0; *(uint64_t*)0x200000005b08 = 0xffffffffffffff98; *(uint64_t*)0x200000005b10 = 2; *(uint32_t*)0x200000005b18 = 0xa; *(uint32_t*)0x200000005b1c = 0; memset((void*)0x200000005b20, 0, 16); *(uint32_t*)0x200000005b30 = 0x200; *(uint32_t*)0x200000005b34 = 9; *(uint64_t*)0x200000005b38 = 0x400; *(uint32_t*)0x200000005b40 = 0x200; *(uint32_t*)0x200000005b44 = r[28]; *(uint32_t*)0x200000005b48 = r[29]; *(uint16_t*)0x200000005b4c = 0x8000; memset((void*)0x200000005b4e, 0, 2); *(uint64_t*)0x200000005b50 = 3; *(uint64_t*)0x200000005b58 = 9; *(uint64_t*)0x200000005b60 = 5; *(uint64_t*)0x200000005b68 = 6; *(uint64_t*)0x200000005b70 = 0xefac; *(uint32_t*)0x200000005b78 = 9; *(uint32_t*)0x200000005b7c = 0; *(uint64_t*)0x200000005b80 = 8; *(uint32_t*)0x200000005b88 = 0x7f; *(uint32_t*)0x200000005b8c = 0; *(uint64_t*)0x200000005b90 = 0x635; *(uint32_t*)0x200000005b98 = 5; *(uint32_t*)0x200000005b9c = 0; *(uint64_t*)0x200000005ba0 = 0xf; *(uint32_t*)0x200000005ba8 = 9; *(uint32_t*)0x200000005bac = 0; *(uint32_t*)0x200000005bb0 = 0x8001; *(uint32_t*)0x200000005bb4 = 0xb; *(uint32_t*)0x200000005bb8 = 0xd; *(uint32_t*)0x200000005bbc = 0x4dc9; memset((void*)0x200000005bc0, 0, 112); syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000000c40, /*len=*/0x2000, /*res=*/0x200000005c40); break; case 37: memcpy((void*)0x200000005d00, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000005d00, /*fd=*/r[4]); break; case 38: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 39: *(uint32_t*)0x200000005d44 = 0xf86d; *(uint32_t*)0x200000005d48 = 4; *(uint32_t*)0x200000005d4c = 0; *(uint32_t*)0x200000005d50 = 0x11b; *(uint32_t*)0x200000005d58 = -1; memset((void*)0x200000005d5c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x2407, /*params=*/0x200000005d40, /*ring_params_ptr=*/0x200000005dc0, /*ring_ptr=*/0x200000005e00, /*sqes_ptr=*/0x200000005e40); if (res != -1) { r[30] = res; r[31] = *(uint64_t*)0x200000005dc0; } break; case 40: res = syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ*/0x1000009ul, /*flags=MAP_POPULATE*/0x8000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[32] = res; break; case 41: res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/r[31], /*ring_ptr=*/r[32]); if (res != -1) r[33] = res; break; case 42: *(uint32_t*)0x200000005e84 = 0x64a3; *(uint32_t*)0x200000005e88 = 0x2006; *(uint32_t*)0x200000005e8c = 1; *(uint32_t*)0x200000005e90 = 0x3e2; *(uint32_t*)0x200000005e98 = r[30]; memset((void*)0x200000005e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x29b9, /*params=*/0x200000005e80, /*ring_params_ptr=*/0x200000005f00, /*ring_ptr=*/0x200000005f40, /*sqes_ptr=*/0x200000005f80); if (res != -1) { r[34] = *(uint64_t*)0x200000005f00; r[35] = *(uint64_t*)0x200000005f80; } break; case 43: syz_io_uring_modify_offsets(/*ring_params_ptr=*/r[34], /*ring_ptr=*/r[32], /*off=SQ_FLAGS_OFFSET*/0x38, /*value=*/0); break; case 44: *(uint32_t*)0x200000005fc4 = 0x1e2b; *(uint32_t*)0x200000005fc8 = 0x800; *(uint32_t*)0x200000005fcc = 1; *(uint32_t*)0x200000005fd0 = 0x2ab; *(uint32_t*)0x200000005fd8 = -1; memset((void*)0x200000005fdc, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x48a, /*params=*/0x200000005fc0, /*ring_params_ptr=*/0x200000006040, /*ring_ptr=*/0x200000006080, /*sqes_ptr=*/0x2000000060c0); if (res != -1) { r[36] = *(uint64_t*)0x200000006040; r[37] = *(uint64_t*)0x200000006080; } break; case 45: *(uint8_t*)0x200000006140 = 0xd; *(uint8_t*)0x200000006141 = 0x24; *(uint16_t*)0x200000006142 = 0; *(uint32_t*)0x200000006144 = r[33]; *(uint64_t*)0x200000006148 = 0x200000006100; *(uint32_t*)0x200000006100 = 0; *(uint64_t*)0x200000006150 = 0; *(uint32_t*)0x200000006158 = 0; *(uint32_t*)0x20000000615c = 0x81000; *(uint64_t*)0x200000006160 = 1; *(uint16_t*)0x200000006168 = 0; *(uint16_t*)0x20000000616a = 0; memset((void*)0x20000000616c, 0, 20); syz_io_uring_submit(/*ring_params_ptr=*/r[36], /*ring_ptr=*/r[37], /*sqes_ptr=*/r[35], /*sqe=*/0x200000006140); break; case 46: memset((void*)0x200000006180, 36, 1); memcpy((void*)0x200000006280, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xbd\xfd\x57\x7d\x9b\x71\x97\xf5\x66\x39\x3b\x22\x8c\xca\x01\xc4\x38\x5b\xaa\x7b\xb4\x18\xfa\x8f\x4f\x4d\x37\x3f\xe5\x8f\xb1\x57\xb4\x5a\x06\xce\x1a\xa0\xaa\xb1\x29\x2a\x2a\x28\x9e\xc8\x34\x63\x27\x86\x44\xd9\xa5\xc3\xb2\x41\x9a\xcc\x6b\xf9\xff\x6d\xed\xd3\x6c\x7c\x83\x8e\x89\xa7\x2a\x34\xad\xe9\x1f\x58\xe3\x7d\x88\x4b\xf0\xcb\xc4\x0d\xf6\xeb\x8a\xd5\x46\xea\xb7\x30\xf2\x0b\xeb\xa1\xd2\x1d\xed\xa9\xc9\xe1\x81\xc8\xd8\x66\xbf\xf9\x96\xc8\x56\x38\x86\xc1\xe0\x4f\x00\x2f\xcc\x94\x15\xcb\xc0\x94\xac\x5b\x1a\x44\x29\x80\xb1\x76\xbf\xf5\xd7\x5d\x34\x5e\x0a\x9a\xed\x89\x90\xa6\x46\xd0\xc9\x2e\x00\x1a\x91\xa3\x39\xa2\x30\x4c\x26\xc5\xc0\x00\x00\x00\x00\x00\x00\x00\x00", 208); syz_kfuzztest_run(/*name=*/0x200000006180, /*data=*/0x2000000061c0, /*len=*/0xd0, /*buf=*/0x200000006280); break; case 47: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[33], /*usermem=*/0x200000c00000); if (res != -1) r[38] = res; break; case 48: *(uint64_t*)0x200000016800 = 0; *(uint64_t*)0x200000016808 = 0x200000016280; *(uint64_t*)0x200000016280 = 0x17f; *(uint64_t*)0x200000016288 = 0x10; *(uint64_t*)0x200000016290 = 0x17d; *(uint64_t*)0x200000016298 = 0x20; *(uint64_t*)0x2000000162a0 = 0x58000; *(uint64_t*)0x2000000162a8 = 0x50df; *(uint64_t*)0x2000000162b0 = 0x182; *(uint64_t*)0x2000000162b8 = 0x18; *(uint64_t*)0x2000000162c0 = 2; *(uint64_t*)0x2000000162c8 = 0x12d; *(uint64_t*)0x2000000162d0 = 0x18; *(uint64_t*)0x2000000162d8 = 3; *(uint64_t*)0x2000000162e0 = 0x64; *(uint64_t*)0x2000000162e8 = 0x18; *(uint32_t*)0x2000000162f0 = 0xf; *(uint32_t*)0x2000000162f4 = 0x9a97; *(uint64_t*)0x2000000162f8 = 0x17d; *(uint64_t*)0x200000016300 = 0x20; *(uint64_t*)0x200000016308 = 0xfec00000; *(uint64_t*)0x200000016310 = 0x1781; *(uint64_t*)0x200000016318 = 0x17d; *(uint64_t*)0x200000016320 = 0x20; *(uint64_t*)0x200000016328 = 0x1000; *(uint64_t*)0x200000016330 = 0x691; *(uint64_t*)0x200000016338 = 0x182; *(uint64_t*)0x200000016340 = 0x18; *(uint64_t*)0x200000016348 = 3; *(uint64_t*)0x200000016350 = 0x17f; *(uint64_t*)0x200000016358 = 0x10; *(uint64_t*)0x200000016360 = 0x12e; *(uint64_t*)0x200000016368 = 0x79; *(uint64_t*)0x200000016370 = 0; memcpy((void*)0x200000016378, "\x67\x47\x0f\x48\x7f\x05\x41\x0f\xc7\x28\x0f\x20\xd8\x35\x08\x00\x00\x00\x0f\x22\xd8\x8f\x29\x78\xcb\x3d\x08\x00\x00\x00\x0f\x20\xc0\x35\x04\x00\x00\x00\x0f\x22\xc0\xc7\x44\x24\x00\xd0\xf6\x00\x00\xc7\x44\x24\x02\x00\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24\x0f\x00\x95\xbf\xfb\x00\x00\xb9\x8b\x00\x00\x00\x0f\x32\x43\x0f\x01\xf8\x36\x3e\x3e\x66\x44\x0f\x38\x3c\x6e\x0e", 97); *(uint64_t*)0x2000000163d9 = 0x182; *(uint64_t*)0x2000000163e1 = 0x18; *(uint64_t*)0x2000000163e9 = 0; *(uint64_t*)0x2000000163f1 = 0x17d; *(uint64_t*)0x2000000163f9 = 0x20; *(uint64_t*)0x200000016401 = 1; *(uint64_t*)0x200000016409 = 0x2a0c; *(uint64_t*)0x200000016411 = 0x17c; *(uint64_t*)0x200000016419 = 0x38; *(uint64_t*)0x200000016421 = 0; *(uint64_t*)0x200000016429 = 0x4a9; *(uint64_t*)0x200000016431 = 5; *(uint64_t*)0x200000016439 = 0xffffffff80000001; *(uint64_t*)0x200000016441 = 0xd; *(uint64_t*)0x200000016449 = 0x130; *(uint64_t*)0x200000016451 = 0x18; *(uint64_t*)0x200000016459 = 1; *(uint64_t*)0x200000016461 = 0x181; *(uint64_t*)0x200000016469 = 0x30; *(uint64_t*)0x200000016471 = 3; *(uint64_t*)0x200000016479 = 0xff; *(uint64_t*)0x200000016481 = 1; *(uint64_t*)0x200000016489 = 1; *(uint64_t*)0x200000016491 = 0x130; *(uint64_t*)0x200000016499 = 0x18; *(uint64_t*)0x2000000164a1 = 2; *(uint64_t*)0x2000000164a9 = 0x65; *(uint64_t*)0x2000000164b1 = 0x20; *(uint64_t*)0x2000000164b9 = 0xc001103a; *(uint64_t*)0x2000000164c1 = 0; *(uint64_t*)0x2000000164c9 = 0xa; *(uint64_t*)0x2000000164d1 = 0x64; memcpy((void*)0x2000000164d9, "\xc4\xa1\xf9\xe6\x53\x00\x66\xba\xf8\x0c\xb8\x3c\x05\x0c\x8a\xef\x66\xba\xfc\x0c\xb0\xea\xee\xc4\x01\x7a\x70\x5e\x47\x02\x36\x0f\x01\xc9\xb8\x05\x00\x00\x00\xb9\x00\x00\x01\x00\x0f\x01\xd9\xc4\x82\x99\xf7\x74\xfd\x26\xb9\x49\x03\x00\x00\x0f\x32\xc4\xc1\x15\xfa\xba\x67\x36\xc9\x58\xb8\x01\x00\x00\x00\x0f\x01\xc1\x64\x43\x0f\x01\xca", 83); *(uint8_t*)0x20000001652c = 0xc3; *(uint64_t*)0x20000001652d = 0x6a; *(uint64_t*)0x200000016535 = 0x28; *(uint64_t*)0x20000001653d = 0xb7cb; *(uint64_t*)0x200000016545 = 1; *(uint64_t*)0x20000001654d = 9; *(uint64_t*)0x200000016555 = 0x136; *(uint64_t*)0x20000001655d = 0x58; *(uint64_t*)0x200000016565 = 2; *(uint64_t*)0x20000001656d = 2; *(uint64_t*)0x200000016575 = 0x154; *(uint64_t*)0x20000001657d = 0x38; *(uint64_t*)0x200000016585 = 2; *(uint64_t*)0x20000001658d = 0x2006; *(uint64_t*)0x200000016595 = 6; *(uint64_t*)0x20000001659d = 0xdd07; *(uint64_t*)0x2000000165a5 = 5; *(uint64_t*)0x2000000165ad = 0; *(uint64_t*)0x2000000165b5 = 0x18; *(uint64_t*)0x2000000165bd = 8; *(uint64_t*)0x2000000165c5 = 0x136; *(uint64_t*)0x2000000165cd = 0x80; *(uint64_t*)0x2000000165d5 = 0; *(uint64_t*)0x2000000165dd = 0x1ff; *(uint64_t*)0x2000000165e5 = 0xc8; *(uint64_t*)0x2000000165ed = 0x20; *(uint64_t*)0x2000000165f5 = 0x6a; *(uint64_t*)0x2000000165fd = 0; *(uint64_t*)0x200000016605 = 0x17e; *(uint64_t*)0x20000001660d = 0x10; *(uint64_t*)0x200000016615 = 0x17f; *(uint64_t*)0x20000001661d = 0x10; *(uint64_t*)0x200000016625 = 0xc8; *(uint64_t*)0x20000001662d = 0x20; *(uint64_t*)0x200000016635 = 0x76; *(uint64_t*)0x20000001663d = 1; *(uint64_t*)0x200000016645 = 0x183; *(uint64_t*)0x20000001664d = 0x18; *(uint64_t*)0x200000016655 = 3; *(uint64_t*)0x20000001665d = 0xc8; *(uint64_t*)0x200000016665 = 0x20; *(uint64_t*)0x20000001666d = 0xcd; *(uint64_t*)0x200000016675 = 2; *(uint64_t*)0x20000001667d = 0x180; *(uint64_t*)0x200000016685 = 0x38; *(uint64_t*)0x20000001668d = 2; *(uint64_t*)0x200000016695 = 0x96; *(uint64_t*)0x20000001669d = 2; *(uint64_t*)0x2000000166a5 = 9; *(uint64_t*)0x2000000166ad = 2; *(uint64_t*)0x2000000166b5 = 0x64; *(uint64_t*)0x2000000166bd = 0x18; *(uint32_t*)0x2000000166c5 = 1; *(uint32_t*)0x2000000166c9 = 0xffff; *(uint64_t*)0x2000000166cd = 0xa; *(uint64_t*)0x2000000166d5 = 0x6c; memcpy((void*)0x2000000166dd, "\x41\x0f\x01\x3a\xc7\x44\x24\x00\x72\x00\x00\x00\xc7\x44\x24\x02\x03\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xc7\x44\x24\x00\xc7\xd2\xb5\x38\xc7\x44\x24\x02\x39\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xb8\x01\x00\x00\x00\x0f\x01\xc1\x40\x0f\x79\x16\x66\xb8\xbc\x00\x8e\xc0\x26\x44\x0f\x01\xc5\x41\x0f\x01\xd0\x0f\x08\x0f\x09", 91); *(uint8_t*)0x200000016738 = 0xc3; *(uint64_t*)0x200000016739 = 0x180; *(uint64_t*)0x200000016741 = 0x38; *(uint64_t*)0x200000016749 = 1; *(uint64_t*)0x200000016751 = 0xa2; *(uint64_t*)0x200000016759 = 3; *(uint64_t*)0x200000016761 = 0x40; *(uint64_t*)0x200000016769 = 3; *(uint64_t*)0x200000016771 = 0x67; *(uint64_t*)0x200000016779 = 0x20; *(uint64_t*)0x200000016781 = 2; *(uint64_t*)0x200000016789 = 0; *(uint64_t*)0x200000016791 = 0x181; *(uint64_t*)0x200000016799 = 0x30; *(uint64_t*)0x2000000167a1 = 1; *(uint64_t*)0x2000000167a9 = 8; *(uint64_t*)0x2000000167b1 = 1; *(uint64_t*)0x2000000167b9 = 1; *(uint64_t*)0x200000016810 = 0x541; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[38], /*text=*/0x200000016800); if (res != -1) r[39] = res; break; case 49: res = syscall(__NR_mmap, /*addr=*/0x200000ffa000ul, /*len=*/0ul, /*prot=*/0ul, /*flags=MAP_SHARED*/1ul, /*cpufd=*/r[39], /*offset=*/0ul); if (res != -1) r[40] = res; break; case 50: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[40], /*exitcode=*/4); break; case 51: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[33], /*run=*/r[40], /*exitcode=*/6); break; case 52: *(uint64_t*)0x200000016840 = 0x1000; res = syscall(__NR_socketcall, /*call=*/0xful, /*args=*/0x200000016840ul); if (res != -1) r[41] = res; break; case 53: *(uint64_t*)0x200000016ac0 = 0; *(uint64_t*)0x200000016ac8 = 0x200000016880; memcpy((void*)0x200000016880, "\xa6\x00\xc0\x7f\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x05\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x00\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x09\x00\xf7\x62\x00\x00\x00\x3f\xa3\x20\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x0d\x00\xf7\x62\xff\xff\x00\x3f\x4b\x45\x18\x63\x00\x00\x17\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x05\x00\x84\x60\x22\x00\x00\x44\xe4\x03\x00\x7c\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x03\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x00\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x5b\x92\x84\x60\x22\x00\x00\x44\x88\x9c\x7f\x13\x85\x79\x3c\x11\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xae\x43\x80\x3c\x0b\x69\x84\x60\x04\x00\x84\x78\x32\xd2\x84\x64\x64\xab\x84\x60\x9f\x20\xa0\x3c\xa8\xed\xa5\x60\x04\x00\xa5\x78\xb6\x40\xa5\x64\xb1\xf3\xa5\x60\x72\x95\xc0\x3c\xe2\xa3\xc6\x60\x04\x00\xc6\x78\x0a\xb5\xc6\x64\xb4\x56\xc6\x60\x7a\xf7\xe0\x3c\x4f\x1e\xe7\x60\x04\x00\xe7\x78\x6d\xaf\xe7\x64\x73\x5d\xe7\x60\x6e\xd4\x00\x3d\xea\x68\x08\x61\x04\x00\x08\x79\x84\x3e\x08\x65\x2b\x1e\x08\x61\x0f\x08\x20\x3d\x57\x99\x29\x61\x04\x00\x29\x79\x2e\xa5\x29\x65\xa3\x3a\x29\x61\x10\xda\x40\x3d\x21\xf4\x4a\x61\x04\x00\x4a\x79\x6b\x7d\x4a\x65\x1a\xc9\x4a\x61\x7a\xd9\x60\x3d\x84\x78\x6b\x61\x04\x00\x6b\x79\xf9\xf1\x6b\x65\x62\xee\x6b\x61\x22\x00\x00\x44\x8c\x30\x80\x3d\xde\x99\x8c\x61\x04\x00\x8c\x79\xc3\x84\x8c\x65\xc4\x00\x8c\x61\x42\x7e\xf3\x13\x08\xdb\x47\xfd\x63\x10\xe0\x3f\xa7\x1c\xff\x63\x04\x00\xff\x7b\x58\x16\xff\x67\x60\xa0\xff\x63\x26\xff\xa1\x7f", 532); *(uint64_t*)0x200000016ad0 = 0x214; *(uint64_t*)0x200000016b00 = 1; *(uint64_t*)0x200000016b08 = 9; syz_kvm_setup_cpu(/*fd=*/r[33], /*cpufd=*/r[41], /*usermem=*/0x200000efc000, /*text=*/0x200000016ac0, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PR*/8, /*opts=*/0x200000016b00, /*nopt=*/1); break; case 54: syz_kvm_setup_syzos_vm(/*fd=*/r[41], /*usermem=*/0x200000c00000); break; case 55: memcpy((void*)0x200000016b40, "\xe5\xb3\x1e\x15\x1b\x44\xd5\xa7\xe6\xd4\x31\x8c\x23\x84\x1c\xad\x91\x1c\xec\x23\xf0\xd3\x9a\x4b\xed\x97\x7a\x0a\x13\xd9\xf9\xd1\x06\xf5\x92\xbf\x97\xea\x28\xb0\x48\xc1\x76\x41\x55\xa6\x98\xd4\x13\xbe\x97\x12\xcc\xb2\x98\xc0\xb8\x9c\xa6\x70\x76\xbe\x69\xd8\x34\x91\xff\x71\xbc\x77\x33\xd0", 72); syz_memcpy_off(/*dst=*/r[40], /*off=*/0x20, /*src=*/0x200000016b40, /*src_off=*/0, /*nbytes=*/0x48); break; case 56: memcpy((void*)0x200000016bc0, "adfs\000", 5); memcpy((void*)0x200000016c00, "./file1\000", 8); memcpy((void*)0x200000016c40, "othmask", 7); *(uint8_t*)0x200000016c47 = 0x3d; sprintf((char*)0x200000016c48, "%023llo", (long long)6); *(uint8_t*)0x200000016c5f = 0x2c; memcpy((void*)0x200000016c60, "uid", 3); *(uint8_t*)0x200000016c63 = 0x3d; sprintf((char*)0x200000016c64, "0x%016llx", (long long)r[12]); *(uint8_t*)0x200000016c76 = 0x2c; memcpy((void*)0x200000016c77, "smackfstransmute", 16); *(uint8_t*)0x200000016c87 = 0x3d; memcpy((void*)0x200000016c88, "wlan1\000", 6); *(uint8_t*)0x200000016c8e = 0x2c; *(uint8_t*)0x200000016c8f = 0; memcpy((void*)0x200000016cc0, "\x78\x9c\x00\x00\x10\xff\xef\xe0\xf3\x2e\xee\x67\x26\x57\xd8\xe1\x2f\x0d\xef\x1e\xdc\xec\x7d\x6e\xe8\xb8\x00\xf9\xec\x5d\xce\xfa\x4e\x2f\x34\x00\xaf\xbf\xeb\x7c\xd1\x40\x1d\xf9\xc0\xa3\x6a\xaf\xe6\x78\x4e\xe5\x0c\xa0\x63\x41\xa0\x1b\x3f\xe4\x49\xf8\xfa\xc4\xd6\x1f\xc5\x7a\x81\xb5\xe1\xbb\x9d\x8d\xd5\xb7\x2d\x1f\x7f\x6d\xef\xc5\x36\x05\xcf\x95\x1f\xc6\x87\x84\xa1\xbb\x5a\x5a\xff\xb5\xa2\x0d\xd8\xc6\x4d\x9d\x5e\x7d\x68\xe8\x9f\x48\x96\xf0\xa5\x0b\xe4\x7d\x9d\x61\x0d\x02\x2f\x14\x97\x14\x80\x49\x98\x9a\x7b\x7e\xa6\x86\xaf\x0a\x6a\xde\xa7\x00\x81\xac\x0b\x4f\xaf\xed\x16\x14\x12\x9a\xe4\x1d\xec\x8b\xa2\x02\xc1\x9f\xe3\x15\x1a\xb7\x4d\x7b\x20\x51\xad\xb0\xc8\xed\xf3\x10\xcb\x88\x65\x0e\xc7\x74\x9b\xde\x4e\xaa\xb1\x51\x7b\x98\x8c\xd7\x18\x19\xab\x09\x74\x20\xc0\xeb\x23\x86\x52\xbf\x48\xcd\x2b\x1f\x50\x0e\x05\x74\xac\x4a\x7d\x2f\x54\xa8\xf0\x15\xae\xb2\x18\x8f\xc9\xaa\x13\x0b\x3e\x1e\xe5\x48\xf6\xca\x8f\x2a\x4c\x3b\xcf\xd9\xe4\x56\xee\x03\x4a\x04\xac\x28\xed\xbc\xbc\x9d\x55\xcc\x3a\xce\x6a\xe9\x26\x0e\x9b\xe2\x2f\xd0\x47\x7e\xbd\xc5\x8c\xea\x74\xc5\x73\x92\x1c\x08\xa9\x6c\xa3\x97\x9a\x94\x8c\x16\x11\x5b\x86\xba\xe4\x0b\x72\x7b\x4d\x01\x95\x0a\xd2\x6c\x2f\xd4\xc7\x73\x16\x35\x04\xe5\x5a\x63\x08\x55\x33\x79\x9f\x81\xaa\x9e\x99\x25\x6d\x11\x3a\x4c\xb8\x98\x13\xf6\x21\x0a\x4b\xc9\x69\x20\x88\x47\x8d\x0d\xe7\x55\xb7\x40\xa6\xdc\x1e\x4b\x34\x6f\xa3\x3b\x30\xa2\x67\x63\x3d\x3b\x70\x92\x3f\xab\x75\x19\x72\xa9\xb5\x3f\xd5\x28\x15\xf3\x90\x37\xb5\x3c\xb4\x69\x70\xd8\xe5\x03\xc4\x5b\x5f\x7f\x18\x6a\x25\x4b\x38\x89\x9f\xb7\x75\x1b\x21\x76\xc9\xe9\x40\x93\xc1\xfe\x7a\xab\xba\xe2\xd3\x1a\xaa\x79\xa0\x76\xa6\x70\xb2\x4e\xaa\xad\xfb\x8f\xf6\x9c\x80\xdc\x09\x8d\x95\x14\x72\x9b\x60\x52\x62\x2e\x13\x08\x0a\x09\xff\x94\x97\x3c\x24\xe4\x30\x60\x6a\x7a\x3b\x03\x43\x4d\x5b\xbb\xd3\x95\xeb\x14\x7e\xdd\x99\x9e\xc8\xe3\x8d\x0d\x98\xf4\x56\x80\x9b\x9f\xdc\xf7\x42\x30\xd6\x1e\xce\x5c\x18\xdb\x04\x04\x2d\x1a\x90\xf0\x1f\x24\x15\x28\xd9\x7d\x38\x32\xcf\xc6\x20\xe5\x97\x36\xfb\x11\xb8\x31\x36\x8d\x45\x9a\x3e\x26\x34\xa1\xdf\xda\xe8\xad\x9b\x34\x2c\x5d\x70\xae\x32\xfe\xf3\xfc\x64\x0e\xe1\x28\x81\x38\xda\x4e\x7a\xef\x89\xe3\x24\x2e\x3c\x4b\x53\x4d\xf9\x04\x92\x8d\xc4\x21\x9f\x74\xe9\xab\x62\xaa\xe9\x59\xc4\x2c\x9f\x4b\xc3\xa7\x1b\xa8\x3c\x9c\x90\x2a\x1d\xe6\x0e\x6e\x51\xe4\x99\x65\x55\xaf\xf5\x98\x9e\x35\xa2\x86\xf4\xa1\x03\x0f\x85\x8e\xdf\xc5\x02\x0e\xe4\x28\x0e\x72\x54\xeb\x4c\x2d\xe6\x3b\xd7\x3d\x6f\x2b\xe7\x98\x4d\x27\xc7\xfa\x17\xea\x39\x86\x0e\xeb\x82\x5b\x91\x2b\xa2\x97\xea\x17\x8d\xa5\x26\x62\xc7\x92\x2c\x52\x96\xfd\xac\x90\x31\xa1\x99\x82\x64\xbf\x07\x1a\x03\x74\x1a\x4b\xfb\xe9\xab\x43\x45\xf8\x2c\x0a\x67\x5c\x93\x6f\x5b\xd6\x8a\xa3\xd5\x62\x1a\xba\x90\x03\xdb\xcd\xdf\x81\x99\x66\xf1\x27\x26\x93\x09\x47\x3a\xd1\x46\x24\xbb\xff\x49\xf9\x52\xcb\x1a\x41\x30\x80\x18\xe9\xb3\xb4\xc4\x64\x64\xff\x4a\x3a\x49\xfc\xaa\x7e\xfe\xc8\xf8\xa4\xec\xe2\x95\xf1\xab\x79\xa0\xd0\x91\x1b\x3e\xa7\xa1\xf7\xf8\x25\x22\x19\x3e\xee\x1b\x17\x1e\x82\x7d\xf2\x3b\x40\xfd\x76\x5d\x99\x87\x10\x54\xdc\x08\xa7\x05\x32\xbf\xfa\x45\xc5\x08\xdb\x35\x90\x65\x04\xfb\xb1\xee\x48\x8c\xd9\x82\xe3\x3e\x0d\x88\x31\x37\x00\x2a\x44\xe8\xb0\x22\x37\x12\x7b\x07\x22\x00\xad\x96\x7f\xd3\x7d\x28\x8d\x32\xf5\x59\x9b\x39\x9d\x76\xdb\xa3\x6d\xfb\x67\x6b\xa4\x5c\xfe\x79\x3e\xd8\x42\x50\xf3\x1d\xd9\xc0\x10\x5d\x02\xe8\x8d\xd6\xb3\x56\x01\xc5\x01\xf0\x32\x67\x20\x54\x6a\x22\xde\x47\x36\x3b\x87\x69\x9f\xb4\xa1\xc0\x8b\xf1\x5f\x24\x4a\x6d\x3d\xdd\xef\x77\x06\xd3\x9e\xf0\x13\xf9\x55\xf0\x12\xb1\xd8\x18\x5a\x00\x4a\xcf\x8c\x33\x90\x04\xf1\xbe\x62\x8f\xa4\x01\x4b\xe2\x95\xa6\x67\x67\x04\xa7\xf0\x99\x7f\x22\x5f\x11\x56\x36\x8e\x06\x42\x88\x9b\xe3\x06\xf3\x39\xf7\xcd\xfb\x04\x40\xb2\xb9\x9d\x99\x88\x5c\x36\x35\x63\xdc\x58\xee\x4e\x14\xb2\x26\xfd\x90\xe4\x1e\x18\xb0\xbd\xb8\xd1\xfb\x37\xe0\xf9\x19\x13\xf0\x3d\xa2\x22\xc9\x8d\xf6\x47\x83\xab\x64\x86\xd0\x31\x19\xbc\xa2\x08\x0b\xef\x6a\x46\x73\xa9\x21\x68\xf1\x78\xce\xd4\xd7\x30\x3d\x0e\x58\x0a\xfe\x16\x32\x1e\xef\x24\x6b\x34\xa9\x21\x94\xc2\x46\x5b\x05\x7f\x3b\x63\xf6\x72\xd1\xdc\xfc\x11\x08\xc6\x91\xbf\xf9\x23\x63\xed\x8f\xa7\x24\x58\x29\x7e\xac\xd4\xb9\x12\x34\x9a\x46\x31\x95\xa6\x18\x6a\x0a\x48\x99\x70\x0d\xfa\x45\x85\x84\xb1\xbd\xb3\x43\xa9\x88\xc4\x35\x7a\x4d\x86\xff\xbc\x45\x0d\x4b\x90\x58\xa0\xc0\xc8\x91\x24\x8d\x6c\x71\x7e\x0e\xce\x95\x36\x92\x7c\xce\x4d\xfa\x71\xca\x13\x42\x70\xa9\x89\x19\x09\x2f\xf7\x67\x66\x1c\xf6\x57\xf9\x43\x2c\xc9\x09\x73\x6d\xea\x51\x13\x7e\x32\x27\xc0\xad\xba\x93\x90\x56\x80\x27\x11\x24\x35\x04\xd3\xe1\xff\x31\x3a\x23\x5d\x17\x46\xd2\x4c\xbf\x18\xf8\x3e\xad\xec\x6b\x03\x82\x39\x15\x40\xed\x24\x6b\xa8\xf9\x4f\x62\x1a\xf8\xb2\xa3\x66\xa7\x0d\xf1\x4e\xeb\xa4\xa6\xc2\x46\xb2\x2a\xab\xc2\x98\xd5\x1c\xb2\x89\x2f\x3d\x45\xfd\x57\x27\x21\x00\x38\xb6\xe8\xd1\x95\x02\x9e\x8a\x34\x54\xbc\xac\x1e\x16\x3c\xfb\x38\x71\xc1\x81\xfd\xc0\x69\x9e\x72\x2b\x77\x1f\xf5\x55\x20\xe8\x9f\x69\x48\x5f\xa8\xf4\x30\xfe\x2a\xc3\xb0\x0d\x4c\xe8\x88\x73\x25\x42\x4e\x9e\x5d\xd6\x40\x1f\x69\x9a\x37\x42\x01\x43\x1f\x39\x52\x0a\x8a\xfa\x32\x93\xdf\x4a\x41\x83\x73\x55\xfa\x00\xde\x61\x34\x1c\x98\x3e\x10\x7e\x28\x32\xa2\x31\x8f\x22\x10\xc5\x10\x2d\x62\xe0\xd7\xde\xe8\x47\x2b\x26\xeb\x4b\x89\x81\x99\xef\x5f\x2a\x70\xa3\x67\xd4\x03\x0b\x87\x66\x61\x73\xc5\x26\x31\x54\xbd\xfd\x5e\xd5\x72\xf9\x90\xbf\xce\xae\x68\x31\x42\x71\x80\x68\x21\x5c\xe2\x77\xab\x36\xe6\xde\xdd\xac\x97\x48\x62\xc0\x8a\x49\xb0\x86\xaf\x6c\x2a\xe5\xb4\xb9\x10\x6e\x0a\x8e\xf7\xe8\x27\xad\xca\x80\xfd\x66\x22\xb1\x34\x2a\x26\x61\x61\xbc\x5f\xd5\x78\xbd\x2e\x0d\x6e\x1f\xd8\x99\x9f\x57\xb5\x0a\xff\xba\x43\xc5\xc7\x57\xaa\x6c\xf9\xd4\x57\x3b\xe6\x5c\x06\x53\x3a\xd1\xf4\x97\x1a\x4f\x74\x4c\x4b\xee\x98\x48\x25\x09\x79\x5e\xdc\x82\x3c\x54\x8f\x10\x04\xf8\xc9\xa0\xf2\x3a\x03\x97\x83\x81\xce\x02\xab\xed\x8c\x34\x99\xf9\x08\x2c\x71\xc3\x89\x08\x84\xd2\xde\x99\x5f\x24\x45\x8e\x62\xa9\x69\xd8\x6b\x8a\x92\x20\xf4\xfe\xaf\x7f\xc1\xfa\x8a\x0e\x8e\x42\xce\xd7\x62\xd4\x7b\x52\xb0\x7b\x50\x4b\x43\xd1\x1f\x40\x25\xac\x1b\x30\x6e\x3a\x1d\x0b\x83\xd4\xff\x75\xa6\x46\xb3\xb3\x4f\x8c\x1a\x16\xdb\xce\xc0\xbc\xe8\x97\x55\xf8\xa0\x7a\xca\x9c\x27\x26\x2d\x8b\x01\x57\xf6\x37\xd4\x92\x03\xde\x1c\xfc\xb2\x30\x36\x41\x3e\x8d\x0b\xe6\x53\xc3\xa4\x26\xc2\x86\x50\xa7\xd2\xcd\x7e\xe2\x28\x99\xc1\xd0\xf8\xfb\x37\x68\xc8\x0d\x14\x16\x77\xe0\x72\x0a\x8e\xf6\x73\x98\xee\xbf\xad\x8f\x71\x50\xde\x0b\x99\xda\x75\x26\xee\xd6\xa3\x47\xd1\xc0\xfd\xdd\x06\x72\x30\x58\xa4\x9e\x58\x45\xc8\x17\x21\xcd\xca\xa8\x24\x39\xb1\x16\x83\xc5\xb6\xfd\x1a\x8c\x82\xc0\x75\xf0\x77\x73\xb2\x34\xd1\xf8\x1d\x9f\x0c\x80\xd6\x48\x2c\xd2\x1f\x34\xe5\xcf\x71\x58\xf6\x08\xd4\xca\xdf\xc1\x57\x9f\x1b\x68\x64\x5e\x1e\x50\x15\x69\x4e\xa8\x42\x07\xfa\x41\xa4\x30\x6b\xb6\x1a\x64\x87\x76\xb5\xa7\x14\x03\x62\x18\x24\x86\xc0\xf3\x5b\x19\x83\xcf\xdb\xa1\xd7\xc7\x58\x4e\x4c\x50\x97\xff\xb9\x8d\x12\xd3\xd0\xea\xa1\x69\xb3\x7a\xd8\xc7\x46\xd8\xb6\x96\xa7\x07\xe4\x5a\x3f\xf0\xf6\xb0\xc9\x31\x8d\x71\x29\xb6\xa4\x6c\x9f\x86\xde\x6e\xab\x4c\x89\xc3\x5b\x18\x5b\xc6\xc6\x93\x46\x4a\x27\x87\x81\x7b\xc3\xcd\xd8\xfe\x8c\xc6\xbc\x3d\x6f\xae\x79\x19\x8f\x87\xc7\x13\xe2\x11\xa0\xc5\x18\x75\x23\xea\x19\x4c\x08\xf9\x65\x7a\x38\xdc\xae\xb1\xeb\x73\x46\x17\xd5\x9b\xf6\xf8\xa1\xeb\x9d\x5f\xdc\x15\x5c\x96\x5a\x94\xc1\x08\xe6\xc0\x8b\x3b\x12\xee\x2b\x6e\xb3\xff\x0f\x08\xa6\xbc\x61\x17\x51\x39\xa6\x45\xfd\xf3\xb5\x1d\x4b\x70\xf8\x69\xc4\x29\xf9\x62\x2b\x78\x1a\x61\xff\x00\x53\x98\x4c\xdc\x94\xd0\x6e\x2e\xde\x17\x2a\xa8\x93\xdf\x4f\xb9\x13\xc7\x30\x79\xd1\xd6\xdb\xb0\x0a\x3e\x60\x7a\xc7\x2a\x58\x82\x00\x8d\x62\x60\x55\x32\x4b\xf3\xda\xc6\x6b\x41\x38\x94\x8b\xc7\x2a\x7d\x6d\x59\x9f\x5d\x37\xa2\x99\x9d\x7f\x5b\x79\xb6\x8e\x6b\xaa\x47\xeb\x94\xa6\x23\x40\x6d\x35\xd2\xcc\xbc\x2e\x05\x1e\x9d\xbf\xb5\x74\x8e\x62\xf5\x1d\xec\xff\x7d\x9b\x90\x1a\xc2\x70\x1b\x9e\x86\xa8\x17\xec\x00\x43\x64\x23\x4c\xf0\x76\xc4\xec\x62\xd5\x0d\x6f\x60\x85\xff\x37\x88\xeb\x10\xe2\x55\x4f\x36\x74\xfd\x61\x80\xb6\xf4\x34\x84\x04\x14\xc8\xcb\x15\x37\x38\x9c\xbf\x95\xe5\xa4\x15\x26\xbc\xf4\xde\x48\xab\xba\xc8\xec\xd1\x37\xf1\x0d\x4e\xd8\x99\x5b\x35\xa9\x91\xa9\x90\x17\x95\xe9\x50\x5d\xe0\xe2\xbb\x96\x72\x75\x1a\xc4\xe9\xd6\x52\x5c\x69\x48\xf8\x92\xff\xbf\x7d\x12\x58\x28\xb9\x4e\xe5\xa9\x24\x47\xe6\x77\xce\xd8\xa6\x81\xa2\xf3\x6e\xa6\xaa\x9f\x38\xba\x6f\x46\x24\xb0\x35\xbf\x3b\x87\x04\x95\x07\x37\x47\xa0\xef\xb7\x4e\x92\x71\x88\xa7\xba\x16\x4a\xa1\x31\xf9\x45\x16\xd4\x8b\x5b\x57\x38\xb2\x62\x94\x0b\xc6\x85\x22\xa0\xd1\x4e\xba\xab\x16\x74\x48\xfd\xf9\xd8\xd1\xbf\xce\x14\x4f\x8c\x6d\xae\x28\xaa\x55\x8d\x57\xc5\x34\x10\xcb\x23\x5d\x7c\x76\xdf\x41\x53\x31\xd0\xc7\x0d\xaf\x43\x0e\x1d\x7d\x76\x79\x5a\x8f\xc4\x3f\x1b\x6d\x47\xa9\xf5\xef\x1a\x9d\x4d\xbb\xe9\x0b\x61\x09\xa9\x52\x16\x2e\x2a\x97\x59\x6f\x0a\x61\xab\x94\x72\xf1\x96\x01\x75\x39\x3d\x5f\x2c\x94\xe2\xee\xfd\xa7\x23\xaa\xc8\xc8\xe0\x94\xc3\xae\x8c\x17\xd5\x33\xb5\x1b\xc9\x06\xef\xcb\xe8\xbf\x61\xc8\x61\x66\x9d\xca\xe4\xb7\xa9\x67\x9e\xd5\x62\x73\x3c\x7a\xe9\x7c\x61\x8f\x30\xd5\x75\x76\xab\x3b\x1f\xe2\xda\x72\xef\x43\xf4\xd4\xaa\xad\x88\x13\x69\x6a\xd4\x85\x20\xc1\x1d\x0b\x02\x7c\x81\xed\x84\xc0\x7e\x8b\x1a\x12\x2f\x5d\x15\x08\x70\x2e\xd8\x31\x33\xb2\x7f\x44\x50\x76\x9a\x30\x08\x5e\x37\x2b\x99\x4b\x68\x82\x67\xa3\xae\xf2\x8c\xf9\xe9\xa0\x8b\xae\x19\xb4\xb7\x95\x48\x2a\xff\x78\x0b\x25\x2b\xf8\xa3\xef\x4f\x5c\x9f\x20\xae\xbe\xa6\x8e\x3c\x28\xa9\xd7\xc9\xe5\x9a\x95\xe9\x83\xa1\xd4\x96\xda\xeb\x63\xa8\x26\x8b\x73\x76\xe3\x94\x2a\xb2\x12\x66\xee\x37\x4e\x3b\x01\x60\x72\x28\xb2\x75\x09\xe3\xad\x89\xe8\x1d\xf4\xef\xd2\x43\x85\xdf\x15\xa9\x67\xe5\x30\xcc\x4c\xdc\x8d\xbd\x21\xe4\xf1\x1e\xc8\xc8\x7a\xc9\xc5\x4a\x5d\xda\x96\xc8\xd3\x6e\x9b\xd0\x06\xc4\xc5\x49\x19\xd6\xbc\x56\xb0\xc8\x2b\x5c\xcf\xb8\x29\xcf\xa9\xb9\x89\x68\x86\xfd\x78\x3e\x2a\x76\xee\x65\x57\x06\x6b\xd7\xf3\x01\xe6\xff\x17\x27\xf5\xc3\x0f\x98\xee\xc0\x52\xd2\x36\xda\xc5\xf5\x71\xf1\xea\x9a\xc2\x15\xd2\x2f\x9b\xc3\xc1\x05\x27\x50\xb6\x89\x18\x81\xf4\x5c\xf3\x27\x5d\xee\xb0\xe4\xc0\x59\x2a\x80\xb7\xf5\x41\x41\x61\x55\xc3\xc7\xf3\xfc\x2f\xab\x83\x2e\x09\x16\x9b\x08\xc8\x41\x14\xf9\xce\xe8\xcf\x33\xad\x18\x45\xd9\x9f\x3d\x54\x28\x7e\xaf\x9f\x1b\x96\x41\x2f\x36\xa9\xd7\x0a\x57\xec\x7e\x4b\x11\x21\x19\x40\xa2\xf8\x4e\xe1\x80\x38\xfe\x2f\xdb\xb0\x99\x8b\xf1\x49\x4d\xd1\x38\x28\x5c\x3c\x76\xdd\x95\x2b\xab\x27\xa2\x5d\x38\xca\x58\x74\x12\x0e\x77\x8b\x31\x72\x8b\x9b\x91\x6e\x04\xee\x0a\x46\x8c\x7f\x2f\xff\x5a\xb0\xfd\xb8\xb7\x1a\x71\xd6\x58\x4a\x7d\x3c\x74\xe1\x3e\xcf\x94\xbd\xc4\xe2\x41\xa3\x4b\x8d\xa5\xcd\xcb\xf9\xb2\x81\xc0\xe7\xa9\x1f\x75\x3d\xba\xca\xa8\x50\x3e\x95\x2f\x1e\xbc\xf7\xe5\x9d\xcd\x3a\xf2\xba\xff\xe6\x51\x66\xed\x82\xd1\x02\x03\xf2\x6e\xd2\x21\x33\x16\x75\x71\x24\x74\x35\xef\xbd\x98\xa0\x6a\xbb\xe9\x6f\x6f\xe9\x96\x94\x05\x0f\xf8\x1f\xd0\x90\x41\x4b\xc9\xde\x21\x0e\x03\xf7\x9f\x80\x79\xef\x40\x40\xd1\x89\xbf\x03\x2a\x99\x7f\x43\x8e\x13\xb5\xd2\x46\x9e\x09\x69\x00\xe2\xb9\x86\x09\x9f\xe8\x75\xaf\x6e\x26\x0c\x37\xbe\x4c\xaa\x08\x9a\x94\x0a\xc0\x7e\x58\x49\xeb\xc0\x27\xbc\xf2\x89\xf6\x15\xf3\x73\x13\x05\x8f\x61\x35\xaf\x25\xf8\x25\xfc\x5f\x28\xce\x77\xa7\xf7\x31\x50\xd0\x06\xa0\x70\x31\x0f\x9c\xf2\x1f\xc5\x20\x7b\xc4\x00\xa6\x69\xd1\xeb\x66\x10\xfd\x12\x67\x8c\x1d\x23\xa7\x84\x34\xaf\x46\xbf\x7f\x25\xd8\x58\xf5\x6e\xc4\x19\x98\xd4\xb1\x7a\x96\x46\x14\xf2\xb5\xdd\xef\x2f\x10\x23\x15\x35\x53\xc8\x35\xcb\x7b\x82\x4a\x53\x11\xae\x38\xd6\xf2\x40\xf4\x1f\x45\x33\x00\x0e\x9b\xde\xd8\x22\x47\xb9\x04\x43\xe4\xed\x02\xdc\xad\xab\x7d\x6c\xe1\xf4\x32\xfe\x1a\x37\x2c\xb8\x13\xc3\x1a\xd1\x3e\xd8\xdc\x8e\xe1\x5b\xc6\xfe\x29\xf9\xa1\xbc\x5b\xaf\xcf\xf4\x40\x56\xac\xbc\xbc\x7e\xff\xfe\xac\x32\xc5\x10\x5d\x43\x50\x7d\x9c\xf2\xf5\x42\x9c\xa7\x18\x97\xc1\x6b\xe9\x71\x96\xb6\xda\x7d\x69\x19\x9b\x09\xfc\x36\xad\xd0\x7b\x0e\x18\x9a\xca\xc5\x23\x66\xd1\x10\x44\x22\xf3\x96\x4c\xd5\xc8\x14\x92\xb2\x55\x0a\x7f\x7f\x17\xa6\xe3\x8f\xf9\xbc\xf3\xe9\x72\x55\x52\x97\xf1\x97\x21\x52\x93\xe0\xdd\x78\x8f\x0d\x8a\x1f\x76\x52\x4c\xf5\x4c\x72\xc0\x3e\xba\x64\x92\xf9\x3b\x43\x68\x99\x9b\xb3\x07\xcd\xa5\x7b\xbb\x03\x9a\xf5\xe0\x31\x9c\x27\x62\x5c\x85\x89\x44\xa2\xa7\xc5\x56\xf0\x90\x61\x24\xc6\x1c\xb7\x38\x5d\x1f\x65\x1d\x8c\x5f\xee\x23\x81\xcc\x17\x51\x9d\x20\x60\x80\x99\xd6\xce\x7e\xdf\x9b\xa8\xfd\x02\x49\x26\x30\xf8\x6e\xc6\xe7\xa6\x81\xf8\xe0\x29\x20\x95\x01\x28\xdf\xef\x59\x81\x4a\x29\x21\x37\xaa\x1a\xe7\xee\x2b\x25\x0a\x87\xda\x9d\xfb\x01\x31\x20\x5f\x96\xe6\x12\xd1\x17\x8d\xff\xd4\xf9\xf5\xad\xf3\xb6\x82\x70\xc4\x8c\xb4\x67\x72\x00\xca\xee\x70\x9f\xa3\x73\x3c\x17\xa9\xa3\xa7\x1a\x36\x41\x88\xec\x12\x17\x9a\x1a\x22\x86\x4b\xba\xc0\x09\x72\xe1\x9e\x35\xce\x6e\xe8\x4a\x6d\xf1\xdc\x95\xc5\x5b\xda\xf3\x7c\xe0\x3f\xcc\xf1\xf0\x9e\xdb\xe7\xce\x23\x1b\x06\x46\x47\xae\xc7\x4c\xd0\xe4\x5a\x22\x4d\xd4\x21\xe6\xa9\x47\x19\x98\xa0\xd4\x71\x70\x0c\xd4\x7a\x61\xfd\xc7\x28\x65\x18\xfa\x88\x9f\xf8\x07\x7c\x39\x50\xab\x0e\x72\x4a\xc8\x7d\xdb\x80\x43\xe6\x9c\x6d\x71\xd2\xc0\xb6\x07\xe4\x27\x6f\x19\xec\xc0\x23\x63\x34\x89\x5d\xc5\xb5\xa6\x6b\x32\x3c\xfb\xb7\x66\xd5\xdc\x1c\x3c\x30\x1c\x0e\xbe\x2b\x47\x17\x5b\xf0\x19\x2f\x3e\x2c\xc0\x25\x0c\xcb\x80\x7c\x0d\x46\x6b\x8b\x0a\x85\x28\x01\xbc\xf1\x2c\x27\x0e\x2a\xcf\xee\x34\xc7\xcd\x17\x6e\xf9\xb3\x8b\x3d\x59\x5c\x00\x89\x80\xf4\x56\x5d\x02\x02\x3c\x40\x73\x20\x83\xff\x6e\x9d\x70\x0d\x58\x23\x27\xe0\x64\xab\x33\x56\x11\x0c\xf3\x50\x7a\x43\xa0\x53\x8f\x30\xda\x27\x4c\xf0\x45\x6a\x6e\x8f\x98\x47\xa2\x39\xe7\x2b\x99\x62\x1c\xde\x34\xe1\xb6\x02\x63\xd3\xae\x53\xe2\xfd\x10\xd1\xb3\xef\x75\x44\x26\xee\xf7\x1b\xc1\xf7\x0f\xb2\xfb\x34\x21\xc4\x24\x9b\xad\xb3\xc1\x95\x92\x55\xd8\xa4\x0f\x66\xe1\x90\x64\xc4\xee\x01\x18\x50\x0d\x78\x05\x9c\x52\x86\xff\x7a\xa3\xb8\x3e\xc9\x0b\x7f\x6a\x06\xc9\xf2\x06\x76\x8e\xc3\xdc\xac\x63\x05\xc5\x8d\x10\x5c\xa2\xee\xe5\x32\xbe\x2f\xfb\x02\x13\xb3\x11\x3a\x97\x58\xe6\x81\xc8\x91\x01\xd9\xfb\x08\xbb\x4c\x63\x41\xf4\x66\x19\xaa\x56\xb5\x77\x79\xf7\xb9\x2a\x10\x17\x5e\x4e\xff\xa4\xd6\x11\x96\x67\x69\x94\x2a\x05\x97\x70\x7c\x64\x21\x36\x64\x9a\xbb\xb3\x5d\xd2\xc8\xf8\x34\x70\xfc\xb9\x58\xc4\x3f\xd6\x3e\x0d\x2c\x17\xcf\x1f\xf0\x07\x5c\xc4\x61\xd8\x30\x42\x9a\x3e\x08\xe4\x71\xce\x12\x7e\xcc\xc3\x27\x56\xec\xb3\x00\xcd\x86\xd0\x09\xbc\x96\xda\xc0\x15\xc7\xb6\x29\xde\xc2\x79\xa4\xa4\x50\xed\x24\x22\xc2\x3c\x6b\x31\x1e\x66\x3a\x0a\x90\xe1\xaa\x20\x4e\xbd\x0b\xbc\x71\x03\xe3\x18\x79\xb0\x4a\x47\x74\x58\x8e\xd8\x65\xb8\xa5\x51\x01\x7d\x4e\x85\xe7\x30\xb2\x00\xda\xfd\x7f\x4b\x5e\x7e\xb4\x8f\x35\xa7\x33\x4d\xcb\x74\x43\xc0\xe8\xa3\x4c\x38\x13\x0b\x53\x4a\x3c\x2e\xc7\x5d\x36\x89\x7e\x3a\xb9\x6b\xfa\xa4\x0a\x99\x05\x44\x73\x5e\x35\x97\xcf\xa6\xad\xa2\x45\x53\x14\xa7\x21\xe5\x33\x34\xc8\x4c\x73\x62\x45\xfb\x2d\x4d\x98\x63\x10\x35\x73\x4c\x0d\x69\x2b\xb6\x95\xbc\x5d\xc7\xff\xf6\x8e\x71\xe6\xc6\x72\x1b\x01\xa2\x83\xa7\x98\x4b\x55\xa8\x8b\x3e\x73\x0c\xee\x64\xb9\xe9\xe6\x34\x3e\xa3\xc1\x8f\x42\x7c\x01\x84\xcb\x44\x90\x46\x89\x01\xe8\xac\x07\xe8\x8a\x0e\x68\xf2\x8c\x1d\xb6\x40\x6d\x09\x85\x3b\xd3\xe0\x97\xda\x56\xc1\xff\x58\x1e\x93\x2d\xfa\xb3\xfd\x2a\x76\xe9\x1a\xc6\x5c\x5c\x51\x27\x73\x06\x0b\xa4\xcc\x3e\xea\x4c\x6b\xa4\x56\x76\x51\x78\xb8\xad\xbc\x75\x14\xb0\xc9\xab\x48\x62\x1b\xbd\x0d\x31\x47\x1d\x15\x67\x9e\xcf\xa9\x94\x46\x32\x53\x90\x6e\x60\xee\x8d\xb9\xe8\xab\x1f\xa1\x35\x97\x62\xc0\x2d\x61\xca\x4e\xf8\x6e\xd5\x91\x62\x60\x0d\xce\x33\x62\x2e\x6e\x88\x16\xee\x18\x6b\x00\xa3\x06\x22\x08\x9e\x90\x39\xfb\xc1\x97\xc5\xd1\x90\x67\xaa\xcb\xdf\xd4\x37\x6c\x75\x3f\x66\xf0\xb2\xa6\x95\x89\x90\xcc\x8d\x81\x6e\x3e\xae\x6b\x94\xa6\x5b\xfa\x17\x36\xed\x98\x7a\x9d\xab\x75\xb5\x41\x72\xb3\xc9\xd9\xba\xae\x4c\xf2\x29\x75\x39\xd0\xfc\x7f\x72\x4b\x59\x96\x4b\x6b\x50\x4c\x52\x28\x64\xae\x30\x47\xf2\x61\x44\xfc\xdf\x29\xee\x2d\xa8\xb0\xde\x86\xc7\x35\x2b\x20\x54\xd0\xa5\xd5\xa4\x97\x8a\x25\x60\xd9\x80\xee\x75\x1d\x28\xc4\xc7\x50\x0a\x7e\x46\xc6\x97\x85\x14\xf0\x3c\xf8\xdf\x75\x5e\xba\xbd\x3a\x89\xaf\x41\xfa\x67\x34\xdd\x6d\xf5\x75\x6f\xc1\x13\x0d\xcc\xe4\x44\x0f\x57\xb0\x04\x87\xa2\xef\x7c\xe7\x06\x87\x55\x3b\xfd\x1d\xce\xcb\x0c\x25\xbc\x1c\xb4\x21\xb0\x0b\x19\x12\x18\xec\x1d\x63\x45\x5c\xc8\x58\xda\x4f\x66\x97\x99\xca\x4d\x39\xfc\xa4\x1a\xa1\x58\x90\x68\xdb\xbb\x2e\x3c\xf9\x11\x1a\x5b\x02\xc7\xf9\xcf\xaa\x1b\x04\x62\xd4\x5b\x9c\xa1\xa7\xd3\xdf\xc5\xad\x5c\x15\x2c\xf8\xa4\x89\x2e\x9f\xde\xf9\x9f\xa8\xa4\x9d\x02\x7f\xb6\xd1\x63\xc6\x08\x37\x0f\x9d\x22\x98\x98\xee\xc2\x72\xd8\x8c\xb0\xc9\xf3\xcf\x80\x6b\xf8\xcb\xf4\x37\xd4\xca\xd3\xab\xd2\xa9\x4d\x53\xb3\x26\xb3\x00\xd9\xeb\x01\xd2\x00\x35\xb4\x19\x5b\x05\xa7\xcf\x75\xd7\xe3\xaf\xf4\x27\x74\xd2\x03\xc8\xc9\xe3\xe9\x2f\xc8\x98\xb0\xff\x50\x81\xbc\x7b\x2e\xbb\xfc\x48\xad\x18\x03\x01\x00\x00\xff\xff\x8b\xe0\xeb\xc3", 4112); syz_mount_image(/*fs=*/0x200000016bc0, /*dir=*/0x200000016c00, /*flags=MS_SLAVE|MS_REMOUNT|MS_NOEXEC|MS_NODIRATIME*/0x80828, /*opts=*/0x200000016c40, /*chdir=*/0, /*size=*/0x1010, /*img=*/0x200000016cc0); break; case 57: memcpy((void*)0x200000017d00, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000017d00, /*id=*/9, /*flags=__O_TMPFILE|O_NOCTTY|O_EXCL|O_DIRECT|O_CLOEXEC|0x400*/0x484580); break; case 58: res = syscall(__NR_getpgid, /*pid=*/r[16]); if (res != -1) r[42] = res; break; case 59: memcpy((void*)0x200000017d40, "net/if_inet6\000", 13); syz_open_procfs(/*pid=*/r[42], /*file=*/0x200000017d40); break; case 60: syz_open_pts(/*fd=*/r[33], /*flags=O_PATH|O_NONBLOCK|O_LARGEFILE*/0x208800); break; case 61: syz_pidfd_open(/*pid=*/r[19], /*flags=*/0); break; case 62: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[43] = res; break; case 63: syz_pkey_set(/*key=*/r[43], /*val=PKEY_DISABLE_ACCESS*/1); break; case 64: memcpy((void*)0x200000017d80, "\x78\x9c\x00\x93\x00\x6c\xff\xa4\x51\x5c\x20\x6d\xec\x63\x25\x4e\xaf\x44\xc2\x33\xe0\x2f\x98\x97\x92\x6a\x17\x55\xe9\x12\xa6\x87\xbb\x89\xb1\xfa\xa0\x5f\xf9\x0f\xf6\x40\x2b\xc5\xe9\x75\x6f\x02\x03\x9a\xe3\xb9\x2c\xdc\xbc\x20\x3e\xfb\x43\x79\x97\x11\x96\x1f\x15\xf1\xa9\x29\x78\x2c\xb9\x86\xa7\x76\xe7\xb0\xfe\x60\x61\xbd\x20\x65\xdc\xa6\x1f\x00\xc5\x5b\xc5\x43\x7b\x98\x0f\xfc\x36\x79\x9e\x29\x87\x3d\xb9\x38\x2c\xdb\x1c\x64\x53\x5e\x09\xdb\x7a\xcd\xc3\x61\xf2\x2f\xd3\xb1\xd5\x64\x09\x9d\x55\xe5\xeb\xb0\x07\x85\x92\xcd\x5e\x96\xc5\xdf\xe6\x1b\x08\x36\x81\x36\x77\xf3\xce\xd9\x1b\x16\x07\xe4\x38\x9b\x94\x8b\x98\x40\x01\x00\x00\xff\xff\xda\x37\x48\x83", 163); syz_read_part_table(/*size=*/0xa3, /*img=*/0x200000017d80); break; case 65: syz_socket_connect_nvme_tcp(); break; case 66: *(uint8_t*)0x200000017e40 = 0x12; *(uint8_t*)0x200000017e41 = 1; *(uint16_t*)0x200000017e42 = 0x200; *(uint8_t*)0x200000017e44 = 0x8d; *(uint8_t*)0x200000017e45 = 0xd8; *(uint8_t*)0x200000017e46 = 0x82; *(uint8_t*)0x200000017e47 = 0x10; *(uint16_t*)0x200000017e48 = 0x1bbb; *(uint16_t*)0x200000017e4a = 0x203; *(uint16_t*)0x200000017e4c = 0xa779; *(uint8_t*)0x200000017e4e = 1; *(uint8_t*)0x200000017e4f = 2; *(uint8_t*)0x200000017e50 = 3; *(uint8_t*)0x200000017e51 = 1; *(uint8_t*)0x200000017e52 = 9; *(uint8_t*)0x200000017e53 = 2; *(uint16_t*)0x200000017e54 = 0x733; *(uint8_t*)0x200000017e56 = 3; *(uint8_t*)0x200000017e57 = 0xb; *(uint8_t*)0x200000017e58 = 1; *(uint8_t*)0x200000017e59 = 0x80; *(uint8_t*)0x200000017e5a = 1; *(uint8_t*)0x200000017e5b = 9; *(uint8_t*)0x200000017e5c = 4; *(uint8_t*)0x200000017e5d = 2; *(uint8_t*)0x200000017e5e = 5; *(uint8_t*)0x200000017e5f = 0; *(uint8_t*)0x200000017e60 = 0xf; *(uint8_t*)0x200000017e61 = 0xcd; *(uint8_t*)0x200000017e62 = 0x1f; *(uint8_t*)0x200000017e63 = 0xf3; *(uint8_t*)0x200000017e64 = 6; *(uint8_t*)0x200000017e65 = 0x24; *(uint8_t*)0x200000017e66 = 6; *(uint8_t*)0x200000017e67 = 0; *(uint8_t*)0x200000017e68 = 1; memset((void*)0x200000017e69, 60, 1); *(uint8_t*)0x200000017e6a = 5; *(uint8_t*)0x200000017e6b = 0x24; *(uint8_t*)0x200000017e6c = 0; *(uint16_t*)0x200000017e6d = 0x80; *(uint8_t*)0x200000017e6f = 0xd; *(uint8_t*)0x200000017e70 = 0x24; *(uint8_t*)0x200000017e71 = 0xf; *(uint8_t*)0x200000017e72 = 1; *(uint32_t*)0x200000017e73 = 2; *(uint16_t*)0x200000017e77 = 8; *(uint16_t*)0x200000017e79 = 3; *(uint8_t*)0x200000017e7b = 1; *(uint8_t*)0x200000017e7c = 6; *(uint8_t*)0x200000017e7d = 0x24; *(uint8_t*)0x200000017e7e = 0x1a; *(uint16_t*)0x200000017e7f = 7; *(uint8_t*)0x200000017e81 = 6; *(uint8_t*)0x200000017e82 = 8; *(uint8_t*)0x200000017e83 = 0x24; *(uint8_t*)0x200000017e84 = 0x1c; *(uint16_t*)0x200000017e85 = 0xc; *(uint8_t*)0x200000017e87 = 6; *(uint16_t*)0x200000017e88 = 0x122; *(uint8_t*)0x200000017e8a = 0x12; *(uint8_t*)0x200000017e8b = 0x24; *(uint8_t*)0x200000017e8c = 7; *(uint8_t*)0x200000017e8d = 0x8b; *(uint16_t*)0x200000017e8e = 7; *(uint16_t*)0x200000017e90 = 0xfff9; *(uint16_t*)0x200000017e92 = 5; *(uint16_t*)0x200000017e94 = 3; *(uint16_t*)0x200000017e96 = 0xad97; *(uint16_t*)0x200000017e98 = 3; *(uint16_t*)0x200000017e9a = 0; *(uint8_t*)0x200000017e9c = 0xac; *(uint8_t*)0x200000017e9d = 0x24; *(uint8_t*)0x200000017e9e = 0x13; *(uint8_t*)0x200000017e9f = 0xb; memcpy((void*)0x200000017ea0, "\x78\x4f\x7b\xf4\x55\x93\xf2\x14\x5d\x18\xe4\x9b\xc5\x2e\xdb\x01\x14\x22\x49\x1e\xba\x8f\xc4\x0e\xbe\xd3\x4d\x5d\x81\x30\x4d\xa0\xa3\x55\x65\xec\x20\x36\x11\x7b\xec\x4b\x01\xef\x8f\x75\xc9\xd5\x4e\x74\xb4\x53\x16\xd0\xe1\x67\x2a\x97\xb6\x31\x72\x9b\xcb\x7d\xc9\x9b\xde\x68\x28\x91\xbd\x59\x54\xd9\x45\xf4\x12\x97\x9e\xca\xe7\xee\x08\x6c\x36\x50\xd3\xf9\x76\xa9\x90\xed\xea\x93\x2d\xc3\x08\x5d\x9c\x08\xf2\x0b\xad\xce\xbf\x87\xa9\x7b\xa3\x61\x51\x78\x8d\xaa\x2e\x6b\xe4\x56\x75\x38\x01\x39\xcb\x89\xa1\x7f\x95\xa6\x5c\x87\xa2\x72\xb1\x83\x87\x36\x60\xc9\xb6\x3c\xee\x55\xc4\x3a\xe5\xdf\x58\xb4\x5f\xbe\x08\xf0\x0a\x86\xc6\xb1\xdf\xbd\x51\x7b\x7d\xcd\xca\x1c\x6c\x75\xcd\x37", 168); *(uint8_t*)0x200000017f48 = 6; *(uint8_t*)0x200000017f49 = 0x24; *(uint8_t*)0x200000017f4a = 7; *(uint8_t*)0x200000017f4b = 1; *(uint16_t*)0x200000017f4c = 0xa; *(uint8_t*)0x200000017f4e = 9; *(uint8_t*)0x200000017f4f = 0x21; *(uint16_t*)0x200000017f50 = 0x9a; *(uint8_t*)0x200000017f52 = 8; *(uint8_t*)0x200000017f53 = 1; *(uint8_t*)0x200000017f54 = 0x22; *(uint16_t*)0x200000017f55 = 0x373; *(uint8_t*)0x200000017f57 = 9; *(uint8_t*)0x200000017f58 = 4; *(uint8_t*)0x200000017f59 = 0xb8; *(uint8_t*)0x200000017f5a = 0xc; *(uint8_t*)0x200000017f5b = 0xf; *(uint8_t*)0x200000017f5c = 0xc3; *(uint8_t*)0x200000017f5d = 0x47; *(uint8_t*)0x200000017f5e = 0xe8; *(uint8_t*)0x200000017f5f = 0x7f; *(uint8_t*)0x200000017f60 = 9; *(uint8_t*)0x200000017f61 = 5; *(uint8_t*)0x200000017f62 = 0x80; *(uint8_t*)0x200000017f63 = 2; *(uint16_t*)0x200000017f64 = 0x410; *(uint8_t*)0x200000017f66 = 0xd9; *(uint8_t*)0x200000017f67 = 0xf6; *(uint8_t*)0x200000017f68 = 0xe; *(uint8_t*)0x200000017f69 = 7; *(uint8_t*)0x200000017f6a = 0x25; *(uint8_t*)0x200000017f6b = 1; *(uint8_t*)0x200000017f6c = 0xc; *(uint8_t*)0x200000017f6d = 5; *(uint16_t*)0x200000017f6e = 2; *(uint8_t*)0x200000017f70 = 9; *(uint8_t*)0x200000017f71 = 5; *(uint8_t*)0x200000017f72 = 0xc; *(uint8_t*)0x200000017f73 = 0; *(uint16_t*)0x200000017f74 = 0x40; *(uint8_t*)0x200000017f76 = 2; *(uint8_t*)0x200000017f77 = 2; *(uint8_t*)0x200000017f78 = 6; *(uint8_t*)0x200000017f79 = 9; *(uint8_t*)0x200000017f7a = 5; *(uint8_t*)0x200000017f7b = 0xb; *(uint8_t*)0x200000017f7c = 3; *(uint16_t*)0x200000017f7d = 0x7b4d; *(uint8_t*)0x200000017f7f = 6; *(uint8_t*)0x200000017f80 = 8; *(uint8_t*)0x200000017f81 = 5; *(uint8_t*)0x200000017f82 = 0x82; *(uint8_t*)0x200000017f83 = 0x11; memcpy((void*)0x200000017f84, "\x45\x83\x6f\x6c\x3f\x51\x25\x72\x5e\xd5\xb9\x6b\x96\xb2\x91\x1a\xdb\x85\x37\x0c\xeb\x59\x89\x89\x4b\xd8\x34\x17\xee\x42\x27\x6c\xe8\x0f\xe7\x34\xdb\x8d\x2d\x94\xf2\xfe\x8c\x75\xbf\xd0\x42\xfb\x63\x2c\xfa\x5d\x52\x54\xf9\xb0\xfa\xdc\x88\x5d\x62\x8a\x0d\xc9\x2e\x27\x4c\x02\xcd\x3b\xe0\x42\x1b\x60\x8e\x2c\x53\x8d\xe2\x0b\x20\x8e\xaa\xea\x7b\x51\xdc\x13\xbd\xf7\xf2\xe0\x0a\x6c\xbd\x30\x30\xdf\x9b\xac\xa6\x67\xe6\xcc\xc4\x2b\xdc\x2f\x5d\x82\x2a\x3f\xc2\x98\xb0\x60\xda\x91\x26\x5d\xd0\x15\x83\x22\x1a\x09\x89\x9f", 128); *(uint8_t*)0x200000018004 = 9; *(uint8_t*)0x200000018005 = 5; *(uint8_t*)0x200000018006 = 1; *(uint8_t*)0x200000018007 = 0x10; *(uint16_t*)0x200000018008 = 8; *(uint8_t*)0x20000001800a = 4; *(uint8_t*)0x20000001800b = 1; *(uint8_t*)0x20000001800c = 0xfc; *(uint8_t*)0x20000001800d = 9; *(uint8_t*)0x20000001800e = 5; *(uint8_t*)0x20000001800f = 5; *(uint8_t*)0x200000018010 = 0; *(uint16_t*)0x200000018011 = 0x3ff; *(uint8_t*)0x200000018013 = 0xd7; *(uint8_t*)0x200000018014 = 0; *(uint8_t*)0x200000018015 = 0; *(uint8_t*)0x200000018016 = 0xf6; *(uint8_t*)0x200000018017 = 0x22; memcpy((void*)0x200000018018, "\x67\x43\x9d\x73\x1f\x50\x70\x17\xa6\x2a\xb8\x9e\xb7\x11\x8e\x31\x5a\xab\x47\xbc\xe0\x0c\xfe\x09\x2f\x9b\x6b\x65\x27\x81\x2c\x05\x1d\x98\x78\x9a\x34\x1c\xd8\x57\x9c\x0c\x0f\x64\xf3\x53\xfa\xa6\x41\x37\x28\x67\x64\x0b\x73\x3b\xac\x8b\x88\x00\xb7\xba\xf1\x06\xd0\x3b\x36\xb9\x34\xeb\xf2\x4e\x84\xf5\x54\xe1\x48\x9e\x48\x41\x65\x47\xbb\x7c\x90\x48\x2f\xa4\x70\x64\x67\x39\x07\x68\x59\x8b\xfd\xde\xee\x37\xf9\x6a\x28\x6a\x2f\x72\x6e\xd8\x9e\x5c\xfe\xb0\xdc\xa1\x49\x45\x14\x5d\x57\x27\xfb\xd9\xb2\x94\x9f\x95\x28\xd0\x1e\x94\x8e\x63\x05\x19\x1b\xbb\xdf\xe6\x0f\x22\x3a\xe3\xa1\x98\x23\xce\x4a\x87\x97\xdf\x00\x4c\x04\x8b\x9c\x0d\x79\x3d\x17\x3e\x5a\x39\xaf\xc5\xea\xfe\x8e\xd8\x2b\x45\xd9\xac\x82\xfd\xfd\x1e\xf5\x90\xfa\x30\x0f\x32\xa4\x96\x84\x63\x0a\x4b\x39\x2f\xf5\x80\xee\xae\xff\x43\xc6\x07\xa9\x51\x69\x52\x55\x30\xc2\x4b\x18\x9d\xee\x91\x3c\xf7\xb9\xe1\xc1\xba\xfb\x11\x77\x1b\x05\xc7\x84\x72\x0c\x28\xeb\x00\x1a\xd2\x18\xd0\xa9\x2c\x1e\x32\x07\x16\x06\x73\x4e\xd9\x56\xb6", 244); *(uint8_t*)0x20000001810c = 7; *(uint8_t*)0x20000001810d = 0x25; *(uint8_t*)0x20000001810e = 1; *(uint8_t*)0x20000001810f = 4; *(uint8_t*)0x200000018110 = 3; *(uint16_t*)0x200000018111 = 0xd57d; *(uint8_t*)0x200000018113 = 9; *(uint8_t*)0x200000018114 = 5; *(uint8_t*)0x200000018115 = 1; *(uint8_t*)0x200000018116 = 0; *(uint16_t*)0x200000018117 = 0x400; *(uint8_t*)0x200000018119 = 0x93; *(uint8_t*)0x20000001811a = -1; *(uint8_t*)0x20000001811b = 0x5e; *(uint8_t*)0x20000001811c = 0x9f; *(uint8_t*)0x20000001811d = 0x22; memcpy((void*)0x20000001811e, "\xfa\xae\x6b\x7b\x5c\xb6\x0b\xaa\xbd\xbe\x69\xda\x80\xd6\x30\x6c\xc5\xc4\x8a\x7e\xee\xdd\x7a\x47\xa9\x2b\x69\x3f\x17\x79\x43\x85\xe5\xdf\x43\x42\x8f\xf8\x61\xb3\x89\xff\xfa\x4e\x90\x3a\x47\xcb\xec\x60\xc7\x94\xd7\x8a\x72\x87\xaf\xfd\x41\x62\x73\xfa\xe9\x78\xb7\x31\x3e\xbd\x0b\x4b\xa9\x0d\x2c\x47\xc1\xa1\xa6\x6f\x6a\x69\x8d\xca\xd6\x7c\x6b\x40\xc4\x82\xa0\x9d\x3b\x92\xc0\x54\x22\xf1\xee\xed\x15\x8b\xe3\x73\xe6\x62\x3f\x40\xf8\x2b\x25\x69\x7f\x8f\x79\x34\xc6\x0a\x81\xa4\x03\xf2\x2d\x91\x91\x66\xe0\x11\xd3\x1a\x64\x97\xa0\xc7\xa5\x12\xe4\xdd\xd8\x41\xb5\x44\x14\x54\xc1\xe1\x5d\x8a\x2a\xb3\xe7\x8f\x86\xa5\xcf\x03\xe7\x92\xe7", 157); *(uint8_t*)0x2000000181bb = 7; *(uint8_t*)0x2000000181bc = 0x25; *(uint8_t*)0x2000000181bd = 1; *(uint8_t*)0x2000000181be = 0xc; *(uint8_t*)0x2000000181bf = 1; *(uint16_t*)0x2000000181c0 = 9; *(uint8_t*)0x2000000181c2 = 9; *(uint8_t*)0x2000000181c3 = 5; *(uint8_t*)0x2000000181c4 = 3; *(uint8_t*)0x2000000181c5 = 0xc; *(uint16_t*)0x2000000181c6 = 0x10; *(uint8_t*)0x2000000181c8 = 0xb; *(uint8_t*)0x2000000181c9 = 3; *(uint8_t*)0x2000000181ca = 2; *(uint8_t*)0x2000000181cb = 0xb1; *(uint8_t*)0x2000000181cc = 0; memcpy((void*)0x2000000181cd, "\x33\xe5\xf9\x75\x6d\x19\xa3\xeb\x39\x2b\xa4\x5b\x9f\x38\x1d\xc2\xb0\x62\xee\x3c\xe9\x42\xa4\x85\xe6\x78\xa8\xea\x13\xf6\xc9\xea\xc7\x4e\xc9\x64\x1b\x11\x9d\x78\xa9\xe3\x6b\x32\x32\x7c\xfb\x53\x5d\x6e\xe4\x02\x91\x7d\x7b\x92\xa3\xef\x09\xa7\x93\x23\x73\x5d\xbe\xd9\xb6\x23\xca\x4b\x83\xdb\x01\x17\xd5\x37\xe5\xc5\x8c\x64\x05\xbb\x0f\xe3\x3b\xda\x56\xba\x38\x4b\x95\xfd\x46\x87\xdf\x02\x17\xb2\x23\xa0\xa5\x25\x06\x2e\xf2\x59\x59\x1d\xba\x73\xdb\x93\x6a\x7f\x85\xb8\x2d\xdd\xce\xd8\x21\x6a\xa4\xbc\x4e\xd6\x36\xa5\x7f\xc6\xe6\x83\xe3\xce\xb1\x0a\x63\xbe\x63\x33\x0c\x0e\xa4\xd2\xa5\xcf\xf5\xdb\x4a\xc7\x1a\xc1\x0c\xdc\xe3\xf5\xbd\x50\xc2\x9c\xa7\xd1\x55\x8d\xc5\xed\x7f\x06\xb2\x1d\xd7\xba\x9a\x0d\xc6", 175); *(uint8_t*)0x20000001827c = 9; *(uint8_t*)0x20000001827d = 5; *(uint8_t*)0x20000001827e = 5; *(uint8_t*)0x20000001827f = 0x10; *(uint16_t*)0x200000018280 = 8; *(uint8_t*)0x200000018282 = 0xd4; *(uint8_t*)0x200000018283 = 8; *(uint8_t*)0x200000018284 = 8; *(uint8_t*)0x200000018285 = 7; *(uint8_t*)0x200000018286 = 0x25; *(uint8_t*)0x200000018287 = 1; *(uint8_t*)0x200000018288 = 0xc; *(uint8_t*)0x200000018289 = 0; *(uint16_t*)0x20000001828a = 0x20a; *(uint8_t*)0x20000001828c = 7; *(uint8_t*)0x20000001828d = 0x25; *(uint8_t*)0x20000001828e = 1; *(uint8_t*)0x20000001828f = 0xc; *(uint8_t*)0x200000018290 = 9; *(uint16_t*)0x200000018291 = 5; *(uint8_t*)0x200000018293 = 9; *(uint8_t*)0x200000018294 = 5; *(uint8_t*)0x200000018295 = 5; *(uint8_t*)0x200000018296 = 0; *(uint16_t*)0x200000018297 = 8; *(uint8_t*)0x200000018299 = 7; *(uint8_t*)0x20000001829a = 7; *(uint8_t*)0x20000001829b = 1; *(uint8_t*)0x20000001829c = 0xd4; *(uint8_t*)0x20000001829d = 0xf; memcpy((void*)0x20000001829e, "\x73\x7d\x3a\x43\x15\x65\x8a\x8f\xfa\xd1\x24\xef\x25\x69\x21\x25\x49\x4e\x37\x60\x89\xb7\x0b\x3f\xa6\x3c\x98\xd5\x48\x31\x91\x45\xd9\xa4\x32\xc0\xa3\xa9\x10\x83\x5f\x2c\x89\xb9\x7e\x71\x68\xde\x3f\x5a\x68\xfc\x6d\x30\x86\xb5\xab\xbd\x9c\xad\x99\xb9\xf5\x7d\xf6\x6d\x7a\x2a\xf8\xb1\x1c\x90\x04\x1d\xd4\x4e\xa5\xcb\x90\xb0\x84\x93\xf1\xcc\x38\x39\x1a\xb3\x93\xed\xca\x7a\xfe\x19\xad\xa6\x84\xd6\x2c\x76\x02\x8a\x42\x83\xd3\xf7\xc4\xb6\xa2\x95\x30\xb4\x34\x5f\x74\xfe\xdf\x78\x70\x9f\x1a\x61\x72\xae\x09\x1c\x18\x10\x37\xaa\x8d\x41\x50\x3c\x85\x4f\x5d\x64\xa4\xe1\x77\x29\x82\xed\xb2\xfa\xeb\x1f\x1a\x4f\xfb\x5f\x1b\x62\x41\x5e\x46\xf1\xbb\x27\x37\x4d\x48\x24\x50\x31\xd0\x50\xdc\x55\x28\xc7\xd1\x9e\x7d\x9f\x4f\x71\x98\x39\x84\xe4\x4a\x63\x35\x75\xf1\xb7\x92\xd0\x6d\xb2\xad\xa0\xca\x60\xeb\x38\x96\xc7\xe5\x17\x98\x1d\x56\x7f\xe7\xb5\x8a\xd2", 210); *(uint8_t*)0x200000018370 = 9; *(uint8_t*)0x200000018371 = 5; *(uint8_t*)0x200000018372 = 2; *(uint8_t*)0x200000018373 = 0; *(uint16_t*)0x200000018374 = 0x3ff; *(uint8_t*)0x200000018376 = 5; *(uint8_t*)0x200000018377 = 0x47; *(uint8_t*)0x200000018378 = -1; *(uint8_t*)0x200000018379 = 9; *(uint8_t*)0x20000001837a = 5; *(uint8_t*)0x20000001837b = 0xd; *(uint8_t*)0x20000001837c = 4; *(uint16_t*)0x20000001837d = 0x10; *(uint8_t*)0x20000001837f = 9; *(uint8_t*)0x200000018380 = 9; *(uint8_t*)0x200000018381 = 4; *(uint8_t*)0x200000018382 = 7; *(uint8_t*)0x200000018383 = 0x25; *(uint8_t*)0x200000018384 = 1; *(uint8_t*)0x200000018385 = 8; *(uint8_t*)0x200000018386 = 5; *(uint16_t*)0x200000018387 = 1; *(uint8_t*)0x200000018389 = 0x84; *(uint8_t*)0x20000001838a = 4; memcpy((void*)0x20000001838b, "\xc2\x5a\x3f\xb7\x3a\x08\xd8\xb8\x8a\x25\xe3\x96\xfe\xe4\xb0\x18\xb4\x48\x7b\xcc\xab\xbf\xfe\x8a\xc9\x64\x09\x7b\x47\xdd\x92\x6e\x5c\xb6\x85\xc9\x56\x8c\x47\x38\xe1\xbc\x09\x72\xad\x10\xf1\x27\x89\xa9\xa8\x08\x0d\x7a\x49\x26\x30\xe9\xa1\x55\xa1\x2e\x26\x76\x04\xf5\x37\x73\xb1\xf3\xa6\x03\xc1\x9d\x4d\xc0\xf4\xc5\xcc\xee\x5e\x95\x71\x70\x6e\x99\x0d\xc8\x62\x31\x2f\xb3\xd2\x6c\xc3\x7b\x01\x1d\x95\xf3\x15\x9d\x13\xc4\xac\x34\xab\x08\x4c\x1a\x06\x60\x50\x9a\xe1\x3f\xa6\xf8\x4d\x60\x68\xb3\x3e\x5f\xf1\xda\x2a\x32\x37\x3a", 130); *(uint8_t*)0x20000001840d = 9; *(uint8_t*)0x20000001840e = 5; *(uint8_t*)0x20000001840f = 2; *(uint8_t*)0x200000018410 = 0; *(uint16_t*)0x200000018411 = 0x400; *(uint8_t*)0x200000018413 = 0xa; *(uint8_t*)0x200000018414 = 8; *(uint8_t*)0x200000018415 = 4; *(uint8_t*)0x200000018416 = 9; *(uint8_t*)0x200000018417 = 5; *(uint8_t*)0x200000018418 = 0xe; *(uint8_t*)0x200000018419 = 0; *(uint16_t*)0x20000001841a = 8; *(uint8_t*)0x20000001841c = 6; *(uint8_t*)0x20000001841d = 4; *(uint8_t*)0x20000001841e = 0x96; *(uint8_t*)0x20000001841f = 7; *(uint8_t*)0x200000018420 = 0x25; *(uint8_t*)0x200000018421 = 1; *(uint8_t*)0x200000018422 = 0; *(uint8_t*)0x200000018423 = 0xbe; *(uint16_t*)0x200000018424 = 0xda; *(uint8_t*)0x200000018426 = 7; *(uint8_t*)0x200000018427 = 0x25; *(uint8_t*)0x200000018428 = 1; *(uint8_t*)0x200000018429 = 8; *(uint8_t*)0x20000001842a = 0; *(uint16_t*)0x20000001842b = 0; *(uint8_t*)0x20000001842d = 9; *(uint8_t*)0x20000001842e = 5; *(uint8_t*)0x20000001842f = 8; *(uint8_t*)0x200000018430 = 2; *(uint16_t*)0x200000018431 = 0x10; *(uint8_t*)0x200000018433 = 0xb; *(uint8_t*)0x200000018434 = 5; *(uint8_t*)0x200000018435 = 0x8f; *(uint8_t*)0x200000018436 = 0x77; *(uint8_t*)0x200000018437 = 0xf7; memcpy((void*)0x200000018438, "\xe6\xda\x68\x32\x66\x5e\x8f\xc3\x6a\x0e\x8f\x94\x15\x7f\x6a\x5f\xbd\x96\xba\x60\x85\xfa\x6c\xc0\xde\x01\x63\x51\x50\x75\x1f\xa9\x08\x0a\x8c\xe5\xaa\xa4\xe5\x0b\xdd\xbe\xfe\x64\x9a\x98\x85\x24\x4d\x8f\xd8\x77\x92\x0b\x57\x0d\x69\x13\xac\x5e\xf7\x4d\x87\x13\x9a\x81\x21\x5a\xce\x97\x2e\x76\x9b\x6e\x70\x7e\x21\x02\xde\x59\x3a\x66\x1d\x40\x8d\x0c\xbc\xe3\x85\xec\xdc\x66\xd0\x0e\x64\x9d\xd5\x50\x4e\x8b\x1f\x2a\xee\xdf\x02\xeb\x08\xbd\x9a\x2b\x21\x02\xf3\x79\x27\xbf\xb9", 117); *(uint8_t*)0x2000000184ad = 7; *(uint8_t*)0x2000000184ae = 0x25; *(uint8_t*)0x2000000184af = 1; *(uint8_t*)0x2000000184b0 = 0xc; *(uint8_t*)0x2000000184b1 = 0x40; *(uint16_t*)0x2000000184b2 = 0x8000; *(uint8_t*)0x2000000184b4 = 9; *(uint8_t*)0x2000000184b5 = 5; *(uint8_t*)0x2000000184b6 = 0xd; *(uint8_t*)0x2000000184b7 = 0xc; *(uint16_t*)0x2000000184b8 = 0x40; *(uint8_t*)0x2000000184ba = 6; *(uint8_t*)0x2000000184bb = 0; *(uint8_t*)0x2000000184bc = 9; *(uint8_t*)0x2000000184bd = 9; *(uint8_t*)0x2000000184be = 4; *(uint8_t*)0x2000000184bf = 0x1e; *(uint8_t*)0x2000000184c0 = 8; *(uint8_t*)0x2000000184c1 = 3; *(uint8_t*)0x2000000184c2 = 0x90; *(uint8_t*)0x2000000184c3 = 0x1b; *(uint8_t*)0x2000000184c4 = 0x5d; *(uint8_t*)0x2000000184c5 = 9; *(uint8_t*)0x2000000184c6 = 9; *(uint8_t*)0x2000000184c7 = 0x24; *(uint8_t*)0x2000000184c8 = 2; *(uint8_t*)0x2000000184c9 = 1; *(uint8_t*)0x2000000184ca = 3; *(uint8_t*)0x2000000184cb = 1; *(uint8_t*)0x2000000184cc = 0; *(uint8_t*)0x2000000184cd = 0x35; *(uint8_t*)0x2000000184ce = 8; *(uint8_t*)0x2000000184cf = 9; *(uint8_t*)0x2000000184d0 = 0x24; *(uint8_t*)0x2000000184d1 = 2; *(uint8_t*)0x2000000184d2 = 1; *(uint8_t*)0x2000000184d3 = 4; *(uint8_t*)0x2000000184d4 = 3; *(uint8_t*)0x2000000184d5 = 4; *(uint8_t*)0x2000000184d6 = 0xf6; *(uint8_t*)0x2000000184d7 = 0x80; *(uint8_t*)0x2000000184d8 = 0xa; *(uint8_t*)0x2000000184d9 = 0x24; *(uint8_t*)0x2000000184da = 2; *(uint8_t*)0x2000000184db = 2; *(uint16_t*)0x2000000184dc = 5; *(uint16_t*)0x2000000184de = 0x35c6; *(uint8_t*)0x2000000184e0 = 1; *(uint8_t*)0x2000000184e1 = 3; *(uint8_t*)0x2000000184e2 = 0xa; *(uint8_t*)0x2000000184e3 = 0x24; *(uint8_t*)0x2000000184e4 = 1; *(uint16_t*)0x2000000184e5 = 0x8001; *(uint16_t*)0x2000000184e7 = 0x51; *(uint8_t*)0x2000000184e9 = 2; *(uint8_t*)0x2000000184ea = 1; *(uint8_t*)0x2000000184eb = 2; *(uint8_t*)0x2000000184ec = 9; *(uint8_t*)0x2000000184ed = 0x24; *(uint8_t*)0x2000000184ee = 6; *(uint8_t*)0x2000000184ef = 4; *(uint8_t*)0x2000000184f0 = 3; *(uint8_t*)0x2000000184f1 = 1; *(uint16_t*)0x2000000184f2 = 4; *(uint8_t*)0x2000000184f4 = 8; *(uint8_t*)0x2000000184f5 = 0xb; *(uint8_t*)0x2000000184f6 = 0x24; *(uint8_t*)0x2000000184f7 = 7; *(uint8_t*)0x2000000184f8 = 4; *(uint16_t*)0x2000000184f9 = 3; *(uint8_t*)0x2000000184fb = 9; memcpy((void*)0x2000000184fc, "\xd6\xe5\xbe\xc9", 4); *(uint8_t*)0x200000018500 = 9; *(uint8_t*)0x200000018501 = 0x24; *(uint8_t*)0x200000018502 = 7; *(uint8_t*)0x200000018503 = 1; *(uint16_t*)0x200000018504 = 1; *(uint8_t*)0x200000018506 = 6; memcpy((void*)0x200000018507, "CO", 2); *(uint8_t*)0x200000018509 = 0xc; *(uint8_t*)0x20000001850a = 0x24; *(uint8_t*)0x20000001850b = 2; *(uint8_t*)0x20000001850c = 2; *(uint16_t*)0x20000001850d = 0x204; *(uint8_t*)0x20000001850f = 5; *(uint8_t*)0x200000018510 = 9; *(uint16_t*)0x200000018511 = 9; *(uint8_t*)0x200000018513 = 1; *(uint8_t*)0x200000018514 = 0xd4; *(uint8_t*)0x200000018515 = 0x11; *(uint8_t*)0x200000018516 = 0x24; *(uint8_t*)0x200000018517 = 6; *(uint8_t*)0x200000018518 = 5; *(uint8_t*)0x200000018519 = 6; *(uint8_t*)0x20000001851a = 5; *(uint16_t*)0x20000001851b = 3; *(uint16_t*)0x20000001851d = 0xa; *(uint16_t*)0x20000001851f = 3; *(uint16_t*)0x200000018521 = 9; *(uint16_t*)0x200000018523 = 3; *(uint8_t*)0x200000018525 = 3; *(uint8_t*)0x200000018526 = 0xd; *(uint8_t*)0x200000018527 = 0x24; *(uint8_t*)0x200000018528 = 8; *(uint8_t*)0x200000018529 = 2; *(uint16_t*)0x20000001852a = 5; *(uint8_t*)0x20000001852c = 0xfa; memcpy((void*)0x20000001852d, "\xcf\x52\x1f\xd9\x77\x8e", 6); *(uint8_t*)0x200000018533 = 9; *(uint8_t*)0x200000018534 = 5; *(uint8_t*)0x200000018535 = 0; *(uint8_t*)0x200000018536 = 1; *(uint16_t*)0x200000018537 = 0x200; *(uint8_t*)0x200000018539 = 3; *(uint8_t*)0x20000001853a = 9; *(uint8_t*)0x20000001853b = 6; *(uint8_t*)0x20000001853c = 9; *(uint8_t*)0x20000001853d = 5; *(uint8_t*)0x20000001853e = 1; *(uint8_t*)0x20000001853f = 0x10; *(uint16_t*)0x200000018540 = 0; *(uint8_t*)0x200000018542 = 7; *(uint8_t*)0x200000018543 = 3; *(uint8_t*)0x200000018544 = 1; *(uint8_t*)0x200000018545 = 9; *(uint8_t*)0x200000018546 = 5; *(uint8_t*)0x200000018547 = 9; *(uint8_t*)0x200000018548 = 3; *(uint16_t*)0x200000018549 = 0x20; *(uint8_t*)0x20000001854b = 0xf; *(uint8_t*)0x20000001854c = 4; *(uint8_t*)0x20000001854d = 5; *(uint8_t*)0x20000001854e = 0x30; *(uint8_t*)0x20000001854f = 0x30; memcpy((void*)0x200000018550, "\x9a\xf3\xfe\x71\x51\xc3\xb3\xad\x7b\xd1\xa1\xc8\xe2\xee\x7c\x94\x95\xbf\xb5\x20\x94\xd1\xdc\x13\xf4\x1f\x06\xa7\x6b\x11\x1e\xbf\x90\x89\xa2\x37\x2b\x32\x34\x99\xe8\x15\x36\xed\x22\xf6", 46); *(uint8_t*)0x20000001857e = 7; *(uint8_t*)0x20000001857f = 0x25; *(uint8_t*)0x200000018580 = 1; *(uint8_t*)0x200000018581 = 0; *(uint8_t*)0x200000018582 = 0xd; *(uint16_t*)0x200000018583 = 0x1000; *(uint32_t*)0x2000000187c0 = 0xa; *(uint64_t*)0x2000000187c4 = 0x2000000185c0; *(uint8_t*)0x2000000185c0 = 0xa; *(uint8_t*)0x2000000185c1 = 6; *(uint16_t*)0x2000000185c2 = 0x200; *(uint8_t*)0x2000000185c4 = 0xe; *(uint8_t*)0x2000000185c5 = 0x7c; *(uint8_t*)0x2000000185c6 = 5; *(uint8_t*)0x2000000185c7 = 0x40; *(uint8_t*)0x2000000185c8 = 6; *(uint8_t*)0x2000000185c9 = 0; *(uint32_t*)0x2000000187cc = 0xec; *(uint64_t*)0x2000000187d0 = 0x200000018600; *(uint8_t*)0x200000018600 = 5; *(uint8_t*)0x200000018601 = 0xf; *(uint16_t*)0x200000018602 = 0xec; *(uint8_t*)0x200000018604 = 5; *(uint8_t*)0x200000018605 = 0xb; *(uint8_t*)0x200000018606 = 0x10; *(uint8_t*)0x200000018607 = 1; *(uint8_t*)0x200000018608 = 4; *(uint16_t*)0x200000018609 = 8; *(uint8_t*)0x20000001860b = 0x7f; *(uint8_t*)0x20000001860c = 4; *(uint16_t*)0x20000001860d = 0x10; *(uint8_t*)0x20000001860f = 0; *(uint8_t*)0x200000018610 = 3; *(uint8_t*)0x200000018611 = 0x10; *(uint8_t*)0x200000018612 = 0xb; *(uint8_t*)0x200000018613 = 0x14; *(uint8_t*)0x200000018614 = 0x10; *(uint8_t*)0x200000018615 = 4; *(uint8_t*)0x200000018616 = 0x19; memcpy((void*)0x200000018617, "\x37\x08\x89\x2f\x9f\x72\x25\xbe\x3a\x60\x09\x55\x99\x65\xad\x74", 16); *(uint8_t*)0x200000018627 = 0xb; *(uint8_t*)0x200000018628 = 0x10; *(uint8_t*)0x200000018629 = 1; *(uint8_t*)0x20000001862a = 4; *(uint16_t*)0x20000001862b = 0x20; *(uint8_t*)0x20000001862d = 0xc9; *(uint8_t*)0x20000001862e = 3; *(uint16_t*)0x20000001862f = 3; *(uint8_t*)0x200000018631 = 8; *(uint8_t*)0x200000018632 = 0xba; *(uint8_t*)0x200000018633 = 0x10; *(uint8_t*)0x200000018634 = 3; memcpy((void*)0x200000018635, "\x2a\x04\x52\xf8\xe5\x6a\xc2\xff\xae\xe6\xcb\x1f\xc6\xfa\xea\x42\x98\x66\x4f\x03\x26\x76\xda\x02\xee\x36\xca\xc0\xdf\x47\x2c\x05\xb6\xa8\x95\xc8\x7b\x06\x14\x5c\x8c\xb2\xbf\x15\x63\xd9\x15\xfb\x74\x59\xdf\xa3\x7e\x7b\x01\x0a\x23\x07\xd7\x6e\xd4\xc7\x5a\x0c\x19\x62\x07\x4d\x24\xf9\x83\x6e\x05\xdf\x96\x5f\xdf\x4e\x24\x60\x07\x6f\x7f\x10\x97\x08\x23\x08\x72\xab\xfc\x7b\x89\xd4\xe5\xe0\x8d\x5d\x7b\x3b\x28\xbe\x99\x66\x61\x69\xe4\xbe\xaa\x1e\xd7\x09\x9d\x4e\xad\x2e\x0a\xea\xb9\xe0\x1f\xf1\xbf\x20\xb5\x9a\x78\xa6\xd9\x85\x29\x89\xb4\xc4\x73\x25\x50\xc7\x0f\x84\x3d\xaa\x0c\x88\xd8\x2e\xf8\x06\xec\xe5\x08\xcc\x95\x53\xfe\x81\x34\xcf\xad\xc5\x76\x9b\xff\x04\x6d\xca\x8f\x1f\xe0\x31\xf2\x5d\xba\xe9\x23\x96\x22\x56\xa0\xd9\x62\xf0\x81", 183); *(uint32_t*)0x2000000187d8 = 2; *(uint32_t*)0x2000000187dc = 0x5f; *(uint64_t*)0x2000000187e0 = 0x200000018700; *(uint8_t*)0x200000018700 = 0x5f; *(uint8_t*)0x200000018701 = 3; memcpy((void*)0x200000018702, "\x15\x9f\xae\xf0\x2b\x24\x6d\xab\x7c\xba\x3e\xfc\x4a\x7f\xed\x8d\x17\x4b\xd7\x06\xd4\x84\x57\xf2\x61\xad\x8f\xe8\x8d\xc0\x42\x6f\xe7\x1a\x32\x29\x1e\xe9\x35\x75\xbf\x34\x7c\xbf\xc2\x13\x23\xb2\x08\xf1\x5a\x79\x2a\xbb\xf3\x01\x70\x92\xaa\x8e\x55\x1f\xcb\xd8\x51\xca\x73\x90\x61\x2f\x9e\x58\x48\x73\x8c\x87\x2b\x63\x87\x38\x75\x5a\xdf\xa7\xd4\x32\xea\xb1\xcd\xf1\x12\x46\xe6", 93); *(uint32_t*)0x2000000187e8 = 4; *(uint64_t*)0x2000000187ec = 0x200000018780; *(uint8_t*)0x200000018780 = 4; *(uint8_t*)0x200000018781 = 3; *(uint16_t*)0x200000018782 = 0x41d; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x745, /*dev=*/0x200000017e40, /*conn_descs=*/0x2000000187c0); if (res != -1) r[44] = res; break; case 67: *(uint8_t*)0x200000018800 = 0x12; *(uint8_t*)0x200000018801 = 1; *(uint16_t*)0x200000018802 = 0x200; *(uint8_t*)0x200000018804 = -1; *(uint8_t*)0x200000018805 = -1; *(uint8_t*)0x200000018806 = -1; *(uint8_t*)0x200000018807 = 0x40; *(uint16_t*)0x200000018808 = 0xcf3; *(uint16_t*)0x20000001880a = 0x9271; *(uint16_t*)0x20000001880c = 0x108; *(uint8_t*)0x20000001880e = 1; *(uint8_t*)0x20000001880f = 2; *(uint8_t*)0x200000018810 = 3; *(uint8_t*)0x200000018811 = 1; *(uint8_t*)0x200000018812 = 9; *(uint8_t*)0x200000018813 = 2; *(uint16_t*)0x200000018814 = 0x48; *(uint8_t*)0x200000018816 = 1; *(uint8_t*)0x200000018817 = 1; *(uint8_t*)0x200000018818 = 0; *(uint8_t*)0x200000018819 = 0x80; *(uint8_t*)0x20000001881a = 0xfa; *(uint8_t*)0x20000001881b = 9; *(uint8_t*)0x20000001881c = 4; *(uint8_t*)0x20000001881d = 0; *(uint8_t*)0x20000001881e = 0; *(uint8_t*)0x20000001881f = 6; *(uint8_t*)0x200000018820 = -1; *(uint8_t*)0x200000018821 = 0; *(uint8_t*)0x200000018822 = 0; *(uint8_t*)0x200000018823 = 0; *(uint8_t*)0x200000018824 = 9; *(uint8_t*)0x200000018825 = 5; *(uint8_t*)0x200000018826 = 1; *(uint8_t*)0x200000018827 = 2; *(uint16_t*)0x200000018828 = 0x200; *(uint8_t*)0x20000001882a = 0; *(uint8_t*)0x20000001882b = 0; *(uint8_t*)0x20000001882c = 0; *(uint8_t*)0x20000001882d = 9; *(uint8_t*)0x20000001882e = 5; *(uint8_t*)0x20000001882f = 0x82; *(uint8_t*)0x200000018830 = 2; *(uint16_t*)0x200000018831 = 0x200; *(uint8_t*)0x200000018833 = 0; *(uint8_t*)0x200000018834 = 0; *(uint8_t*)0x200000018835 = 0; *(uint8_t*)0x200000018836 = 9; *(uint8_t*)0x200000018837 = 5; *(uint8_t*)0x200000018838 = 0x83; *(uint8_t*)0x200000018839 = 3; *(uint16_t*)0x20000001883a = 0x40; *(uint8_t*)0x20000001883c = 1; *(uint8_t*)0x20000001883d = 0; *(uint8_t*)0x20000001883e = 0; *(uint8_t*)0x20000001883f = 9; *(uint8_t*)0x200000018840 = 5; *(uint8_t*)0x200000018841 = 4; *(uint8_t*)0x200000018842 = 3; *(uint16_t*)0x200000018843 = 0x40; *(uint8_t*)0x200000018845 = 1; *(uint8_t*)0x200000018846 = 0; *(uint8_t*)0x200000018847 = 0; *(uint8_t*)0x200000018848 = 9; *(uint8_t*)0x200000018849 = 5; *(uint8_t*)0x20000001884a = 5; *(uint8_t*)0x20000001884b = 2; *(uint16_t*)0x20000001884c = 0x200; *(uint8_t*)0x20000001884e = 0; *(uint8_t*)0x20000001884f = 0; *(uint8_t*)0x200000018850 = 0; *(uint8_t*)0x200000018851 = 9; *(uint8_t*)0x200000018852 = 5; *(uint8_t*)0x200000018853 = 6; *(uint8_t*)0x200000018854 = 2; *(uint16_t*)0x200000018855 = 0x200; *(uint8_t*)0x200000018857 = 0; *(uint8_t*)0x200000018858 = 0; *(uint8_t*)0x200000018859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000018800, /*conn_descs=*/0); if (res != -1) r[45] = res; break; case 68: *(uint32_t*)0x200000018a00 = 0x2c; *(uint64_t*)0x200000018a04 = 0x200000018880; *(uint8_t*)0x200000018880 = 0x20; *(uint8_t*)0x200000018881 = 0xa; *(uint32_t*)0x200000018882 = 6; *(uint8_t*)0x200000018886 = 6; *(uint8_t*)0x200000018887 = 0x11; memcpy((void*)0x200000018888, "\x11\xbe\x69\x06", 4); *(uint64_t*)0x200000018a0c = 0x2000000188c0; *(uint8_t*)0x2000000188c0 = 0; *(uint8_t*)0x2000000188c1 = 3; *(uint32_t*)0x2000000188c2 = 0x4b; *(uint8_t*)0x2000000188c6 = 0x4b; *(uint8_t*)0x2000000188c7 = 3; memcpy((void*)0x2000000188c8, "\x54\xf1\x66\xc5\x04\xf7\x90\xb8\xfd\x21\x67\xab\x4d\x22\x07\xfa\xf4\xe0\xd9\xb9\x06\x85\x64\xc8\xfe\xe8\x2a\x31\xe2\xa5\x6d\x9b\x86\x3c\x41\x88\xc8\x02\xbd\x1e\x73\x79\x93\xba\x22\xa3\x23\x79\x5c\xb0\xb4\xf4\xe9\x4c\xb7\x96\x75\x88\x40\xf7\xc8\x88\x98\x69\x4a\x05\x9b\xe7\x6c\x02\x85\xd6\x91", 73); *(uint64_t*)0x200000018a14 = 0x200000018940; *(uint8_t*)0x200000018940 = 0; *(uint8_t*)0x200000018941 = 0xf; *(uint32_t*)0x200000018942 = 0x1a; *(uint8_t*)0x200000018946 = 5; *(uint8_t*)0x200000018947 = 0xf; *(uint16_t*)0x200000018948 = 0x1a; *(uint8_t*)0x20000001894a = 2; *(uint8_t*)0x20000001894b = 0xb; *(uint8_t*)0x20000001894c = 0x10; *(uint8_t*)0x20000001894d = 1; *(uint8_t*)0x20000001894e = 2; *(uint16_t*)0x20000001894f = 1; *(uint8_t*)0x200000018951 = 4; *(uint8_t*)0x200000018952 = 0xa; *(uint16_t*)0x200000018953 = 4; *(uint8_t*)0x200000018955 = 0x10; *(uint8_t*)0x200000018956 = 0xa; *(uint8_t*)0x200000018957 = 0x10; *(uint8_t*)0x200000018958 = 3; *(uint8_t*)0x200000018959 = 0; *(uint16_t*)0x20000001895a = 4; *(uint8_t*)0x20000001895c = 6; *(uint8_t*)0x20000001895d = 0; *(uint16_t*)0x20000001895e = 1; *(uint64_t*)0x200000018a1c = 0x200000018980; *(uint8_t*)0x200000018980 = 0x20; *(uint8_t*)0x200000018981 = 0x29; *(uint32_t*)0x200000018982 = 0xf; *(uint8_t*)0x200000018986 = 0xf; *(uint8_t*)0x200000018987 = 0x29; *(uint8_t*)0x200000018988 = 0x7e; *(uint16_t*)0x200000018989 = 0; *(uint8_t*)0x20000001898b = 2; *(uint8_t*)0x20000001898c = 7; memcpy((void*)0x20000001898d, "\x3c\x68\x95\xab", 4); memcpy((void*)0x200000018991, "\x13\x82\x53\xae", 4); *(uint64_t*)0x200000018a24 = 0x2000000189c0; *(uint8_t*)0x2000000189c0 = 0x20; *(uint8_t*)0x2000000189c1 = 0x2a; *(uint32_t*)0x2000000189c2 = 0xc; *(uint8_t*)0x2000000189c6 = 0xc; *(uint8_t*)0x2000000189c7 = 0x2a; *(uint8_t*)0x2000000189c8 = 0xe; *(uint16_t*)0x2000000189c9 = 1; *(uint8_t*)0x2000000189cb = 0xb5; *(uint8_t*)0x2000000189cc = 2; *(uint8_t*)0x2000000189cd = 6; *(uint16_t*)0x2000000189ce = 7; *(uint16_t*)0x2000000189d0 = 9; *(uint32_t*)0x200000018e40 = 0x84; *(uint64_t*)0x200000018e44 = 0x200000018a40; *(uint8_t*)0x200000018a40 = 0x20; *(uint8_t*)0x200000018a41 = 0xc; *(uint32_t*)0x200000018a42 = 2; memcpy((void*)0x200000018a46, "\xd8\x0b", 2); *(uint64_t*)0x200000018e4c = 0x200000018a80; *(uint8_t*)0x200000018a80 = 0; *(uint8_t*)0x200000018a81 = 0xa; *(uint32_t*)0x200000018a82 = 1; *(uint8_t*)0x200000018a86 = 7; *(uint64_t*)0x200000018e54 = 0x200000018ac0; *(uint8_t*)0x200000018ac0 = 0; *(uint8_t*)0x200000018ac1 = 8; *(uint32_t*)0x200000018ac2 = 1; *(uint8_t*)0x200000018ac6 = 5; *(uint64_t*)0x200000018e5c = 0x200000018b00; *(uint8_t*)0x200000018b00 = 0x20; *(uint8_t*)0x200000018b01 = 0; *(uint32_t*)0x200000018b02 = 4; *(uint16_t*)0x200000018b06 = 0; *(uint16_t*)0x200000018b08 = 2; *(uint64_t*)0x200000018e64 = 0x200000018b40; *(uint8_t*)0x200000018b40 = 0x20; *(uint8_t*)0x200000018b41 = 0; *(uint32_t*)0x200000018b42 = 8; *(uint16_t*)0x200000018b46 = 0x1160; *(uint16_t*)0x200000018b48 = 2; *(uint32_t*)0x200000018b4a = 0x1e0ff; *(uint64_t*)0x200000018e6c = 0x200000018b80; *(uint8_t*)0x200000018b80 = 0x40; *(uint8_t*)0x200000018b81 = 7; *(uint32_t*)0x200000018b82 = 2; *(uint16_t*)0x200000018b86 = 0; *(uint64_t*)0x200000018e74 = 0x200000018bc0; *(uint8_t*)0x200000018bc0 = 0x40; *(uint8_t*)0x200000018bc1 = 9; *(uint32_t*)0x200000018bc2 = 1; *(uint8_t*)0x200000018bc6 = 0x81; *(uint64_t*)0x200000018e7c = 0x200000018c00; *(uint8_t*)0x200000018c00 = 0x40; *(uint8_t*)0x200000018c01 = 0xb; *(uint32_t*)0x200000018c02 = 2; memcpy((void*)0x200000018c06, "~s", 2); *(uint64_t*)0x200000018e84 = 0x200000018c40; *(uint8_t*)0x200000018c40 = 0x40; *(uint8_t*)0x200000018c41 = 0xf; *(uint32_t*)0x200000018c42 = 2; *(uint16_t*)0x200000018c46 = 0xa; *(uint64_t*)0x200000018e8c = 0x200000018c80; *(uint8_t*)0x200000018c80 = 0x40; *(uint8_t*)0x200000018c81 = 0x13; *(uint32_t*)0x200000018c82 = 6; memset((void*)0x200000018c86, 170, 5); *(uint8_t*)0x200000018c8b = 0x17; *(uint64_t*)0x200000018e94 = 0x200000018cc0; *(uint8_t*)0x200000018cc0 = 0x40; *(uint8_t*)0x200000018cc1 = 0x17; *(uint32_t*)0x200000018cc2 = 6; memset((void*)0x200000018cc6, 170, 5); *(uint8_t*)0x200000018ccb = 0x3d; *(uint64_t*)0x200000018e9c = 0x200000018d00; *(uint8_t*)0x200000018d00 = 0x40; *(uint8_t*)0x200000018d01 = 0x19; *(uint32_t*)0x200000018d02 = 2; memcpy((void*)0x200000018d06, "\xb3\x62", 2); *(uint64_t*)0x200000018ea4 = 0x200000018d40; *(uint8_t*)0x200000018d40 = 0x40; *(uint8_t*)0x200000018d41 = 0x1a; *(uint32_t*)0x200000018d42 = 2; *(uint16_t*)0x200000018d46 = 6; *(uint64_t*)0x200000018eac = 0x200000018d80; *(uint8_t*)0x200000018d80 = 0x40; *(uint8_t*)0x200000018d81 = 0x1c; *(uint32_t*)0x200000018d82 = 1; *(uint8_t*)0x200000018d86 = 0xfa; *(uint64_t*)0x200000018eb4 = 0x200000018dc0; *(uint8_t*)0x200000018dc0 = 0x40; *(uint8_t*)0x200000018dc1 = 0x1e; *(uint32_t*)0x200000018dc2 = 1; *(uint8_t*)0x200000018dc6 = 9; *(uint64_t*)0x200000018ebc = 0x200000018e00; *(uint8_t*)0x200000018e00 = 0x40; *(uint8_t*)0x200000018e01 = 0x21; *(uint32_t*)0x200000018e02 = 1; *(uint8_t*)0x200000018e06 = 8; syz_usb_control_io(/*fd=*/r[44], /*descs=*/0x200000018a00, /*resps=*/0x200000018e40); break; case 69: syz_usb_disconnect(/*fd=*/r[45]); break; case 70: syz_usb_ep_read(/*fd=*/r[45], /*ep=*/0xd2, /*len=*/0xde, /*data=*/0x200000018f00); break; case 71: *(uint8_t*)0x200000019000 = 0x12; *(uint8_t*)0x200000019001 = 1; *(uint16_t*)0x200000019002 = 0x110; *(uint8_t*)0x200000019004 = 0; *(uint8_t*)0x200000019005 = 0; *(uint8_t*)0x200000019006 = 0; *(uint8_t*)0x200000019007 = 0x10; *(uint16_t*)0x200000019008 = 0x1430; *(uint16_t*)0x20000001900a = 0x474b; *(uint16_t*)0x20000001900c = 0x40; *(uint8_t*)0x20000001900e = 1; *(uint8_t*)0x20000001900f = 2; *(uint8_t*)0x200000019010 = 3; *(uint8_t*)0x200000019011 = 1; *(uint8_t*)0x200000019012 = 9; *(uint8_t*)0x200000019013 = 2; *(uint16_t*)0x200000019014 = 0xcc; *(uint8_t*)0x200000019016 = 1; *(uint8_t*)0x200000019017 = 1; *(uint8_t*)0x200000019018 = 9; *(uint8_t*)0x200000019019 = 0; *(uint8_t*)0x20000001901a = 9; *(uint8_t*)0x20000001901b = 9; *(uint8_t*)0x20000001901c = 4; *(uint8_t*)0x20000001901d = 0; *(uint8_t*)0x20000001901e = 0; *(uint8_t*)0x20000001901f = 5; *(uint8_t*)0x200000019020 = 1; *(uint8_t*)0x200000019021 = 3; *(uint8_t*)0x200000019022 = 0; *(uint8_t*)0x200000019023 = 0xa; *(uint8_t*)0x200000019024 = 7; *(uint8_t*)0x200000019025 = 0x24; *(uint8_t*)0x200000019026 = 1; *(uint16_t*)0x200000019027 = 0; *(uint16_t*)0x200000019029 = 7; *(uint8_t*)0x20000001902b = 0x11; *(uint8_t*)0x20000001902c = 0x24; *(uint8_t*)0x20000001902d = 3; *(uint8_t*)0x20000001902e = 0; *(uint8_t*)0x20000001902f = 0xf5; *(uint8_t*)0x200000019030 = 5; *(uint8_t*)0x200000019031 = 4; *(uint8_t*)0x200000019032 = 0; *(uint8_t*)0x200000019033 = 7; *(uint8_t*)0x200000019034 = 7; *(uint8_t*)0x200000019035 = 0xc1; *(uint8_t*)0x200000019036 = 0; *(uint8_t*)0x200000019037 = 3; *(uint8_t*)0x200000019038 = 3; *(uint8_t*)0x200000019039 = 2; *(uint8_t*)0x20000001903a = 0xc; *(uint8_t*)0x20000001903b = 0xd4; *(uint8_t*)0x20000001903c = 0x13; *(uint8_t*)0x20000001903d = 0x24; *(uint8_t*)0x20000001903e = 3; *(uint8_t*)0x20000001903f = 2; *(uint8_t*)0x200000019040 = 0xd; *(uint8_t*)0x200000019041 = 6; *(uint8_t*)0x200000019042 = 0x13; *(uint8_t*)0x200000019043 = 0x80; *(uint8_t*)0x200000019044 = 2; *(uint8_t*)0x200000019045 = 0xe; *(uint8_t*)0x200000019046 = 1; *(uint8_t*)0x200000019047 = 3; *(uint8_t*)0x200000019048 = 8; *(uint8_t*)0x200000019049 = 7; *(uint8_t*)0x20000001904a = 7; *(uint8_t*)0x20000001904b = 4; *(uint8_t*)0x20000001904c = 0xeb; *(uint8_t*)0x20000001904d = 6; *(uint8_t*)0x20000001904e = 4; *(uint8_t*)0x20000001904f = 7; *(uint8_t*)0x200000019050 = 0x24; *(uint8_t*)0x200000019051 = 1; *(uint16_t*)0x200000019052 = 3; *(uint16_t*)0x200000019054 = 7; *(uint8_t*)0x200000019056 = 9; *(uint8_t*)0x200000019057 = 0x24; *(uint8_t*)0x200000019058 = 3; *(uint8_t*)0x200000019059 = 0; *(uint8_t*)0x20000001905a = 6; *(uint8_t*)0x20000001905b = 1; *(uint8_t*)0x20000001905c = 2; *(uint8_t*)0x20000001905d = 0x53; *(uint8_t*)0x20000001905e = 0; *(uint8_t*)0x20000001905f = 9; *(uint8_t*)0x200000019060 = 5; *(uint8_t*)0x200000019061 = 0xc; *(uint8_t*)0x200000019062 = 0; *(uint16_t*)0x200000019063 = 8; *(uint8_t*)0x200000019065 = 0; *(uint8_t*)0x200000019066 = 3; *(uint8_t*)0x200000019067 = 0xef; *(uint8_t*)0x200000019068 = 0xf; *(uint8_t*)0x200000019069 = 0x25; *(uint8_t*)0x20000001906a = 1; *(uint8_t*)0x20000001906b = 0xb; memcpy((void*)0x20000001906c, "\x8d\xca\x6f\x86\xba\x15\x43\xf9\xfd\x54\x17", 11); *(uint8_t*)0x200000019077 = 9; *(uint8_t*)0x200000019078 = 5; *(uint8_t*)0x200000019079 = 1; *(uint8_t*)0x20000001907a = 2; *(uint16_t*)0x20000001907b = 0x10; *(uint8_t*)0x20000001907d = 0xa5; *(uint8_t*)0x20000001907e = 8; *(uint8_t*)0x20000001907f = 3; *(uint8_t*)0x200000019080 = 0x13; *(uint8_t*)0x200000019081 = 0x25; *(uint8_t*)0x200000019082 = 1; *(uint8_t*)0x200000019083 = 0xf; memcpy((void*)0x200000019084, "\xfc\x2a\xb7\xfa\xb0\x2e\x86\xb9\xc8\x3c\x1a\x1c\x2e\xe5\xba", 15); *(uint8_t*)0x200000019093 = 9; *(uint8_t*)0x200000019094 = 5; *(uint8_t*)0x200000019095 = 0xc; *(uint8_t*)0x200000019096 = 8; *(uint16_t*)0x200000019097 = 0x400; *(uint8_t*)0x200000019099 = 3; *(uint8_t*)0x20000001909a = 0; *(uint8_t*)0x20000001909b = 0xbe; *(uint8_t*)0x20000001909c = 0x13; *(uint8_t*)0x20000001909d = 0x25; *(uint8_t*)0x20000001909e = 1; *(uint8_t*)0x20000001909f = 0xf; memcpy((void*)0x2000000190a0, "\xd9\x81\x1e\x1e\xd3\x64\x2b\xab\x8c\x2a\x71\xbc\x25\xbf\x6c", 15); *(uint8_t*)0x2000000190af = 9; *(uint8_t*)0x2000000190b0 = 5; *(uint8_t*)0x2000000190b1 = 3; *(uint8_t*)0x2000000190b2 = 0; *(uint16_t*)0x2000000190b3 = 0x3ff; *(uint8_t*)0x2000000190b5 = 0x7f; *(uint8_t*)0x2000000190b6 = 0x96; *(uint8_t*)0x2000000190b7 = 7; *(uint8_t*)0x2000000190b8 = 0xf; *(uint8_t*)0x2000000190b9 = 0x25; *(uint8_t*)0x2000000190ba = 1; *(uint8_t*)0x2000000190bb = 0xb; memcpy((void*)0x2000000190bc, "\x0e\xc3\xb8\xef\xc0\x22\xfc\x1b\x47\x4c\xae", 11); *(uint8_t*)0x2000000190c7 = 9; *(uint8_t*)0x2000000190c8 = 5; *(uint8_t*)0x2000000190c9 = 1; *(uint8_t*)0x2000000190ca = 0; *(uint16_t*)0x2000000190cb = 0x200; *(uint8_t*)0x2000000190cd = 0x18; *(uint8_t*)0x2000000190ce = 5; *(uint8_t*)0x2000000190cf = 3; *(uint8_t*)0x2000000190d0 = 0xe; *(uint8_t*)0x2000000190d1 = 0x25; *(uint8_t*)0x2000000190d2 = 1; *(uint8_t*)0x2000000190d3 = 0xa; memcpy((void*)0x2000000190d4, "\xe3\xc1\x06\xc5\x4a\x63\x63\x8a\x2e\x82", 10); *(uint32_t*)0x200000019280 = 0xa; *(uint64_t*)0x200000019284 = 0x200000019100; *(uint8_t*)0x200000019100 = 0xa; *(uint8_t*)0x200000019101 = 6; *(uint16_t*)0x200000019102 = 0x110; *(uint8_t*)0x200000019104 = 2; *(uint8_t*)0x200000019105 = 2; *(uint8_t*)0x200000019106 = 8; *(uint8_t*)0x200000019107 = -1; *(uint8_t*)0x200000019108 = 0; *(uint8_t*)0x200000019109 = 0; *(uint32_t*)0x20000001928c = 0x3d; *(uint64_t*)0x200000019290 = 0x200000019140; *(uint8_t*)0x200000019140 = 5; *(uint8_t*)0x200000019141 = 0xf; *(uint16_t*)0x200000019142 = 0x3d; *(uint8_t*)0x200000019144 = 5; *(uint8_t*)0x200000019145 = 0xb; *(uint8_t*)0x200000019146 = 0x10; *(uint8_t*)0x200000019147 = 1; *(uint8_t*)0x200000019148 = 0xc; *(uint16_t*)0x200000019149 = 0x40; *(uint8_t*)0x20000001914b = 0xab; *(uint8_t*)0x20000001914c = 3; *(uint16_t*)0x20000001914d = 0x100; *(uint8_t*)0x20000001914f = 0; *(uint8_t*)0x200000019150 = 0x14; *(uint8_t*)0x200000019151 = 0x10; *(uint8_t*)0x200000019152 = 4; *(uint8_t*)0x200000019153 = 0; memcpy((void*)0x200000019154, "\x56\x99\xf3\x92\x8d\x2d\x0a\x00\x63\x3f\x2b\x02\x58\x4c\x01\x6a", 16); *(uint8_t*)0x200000019164 = 0xb; *(uint8_t*)0x200000019165 = 0x10; *(uint8_t*)0x200000019166 = 1; *(uint8_t*)0x200000019167 = 0xc; *(uint16_t*)0x200000019168 = 0x80; *(uint8_t*)0x20000001916a = 0; *(uint8_t*)0x20000001916b = 8; *(uint16_t*)0x20000001916c = 0x6baa; *(uint8_t*)0x20000001916e = 2; *(uint8_t*)0x20000001916f = 7; *(uint8_t*)0x200000019170 = 0x10; *(uint8_t*)0x200000019171 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019172, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019174, 0x98, 0, 16); *(uint8_t*)0x200000019176 = 7; *(uint8_t*)0x200000019177 = 0x10; *(uint8_t*)0x200000019178 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019179, 0x12, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 3, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917b, 4, 0, 16); *(uint32_t*)0x200000019298 = 1; *(uint32_t*)0x20000001929c = 0xc1; *(uint64_t*)0x2000000192a0 = 0x200000019180; *(uint8_t*)0x200000019180 = 0xc1; *(uint8_t*)0x200000019181 = 3; memcpy((void*)0x200000019182, "\xb6\x43\x49\xde\x30\xb2\x3e\x68\x3c\x87\xb0\xfe\x59\x34\x1d\x26\xe0\xe3\x91\xac\xdf\x6a\xd0\x57\x1a\xcc\x05\xf8\xe5\xfc\xfd\xc3\x93\x6c\x96\xd9\x99\x06\xc4\xc1\xe5\xd9\xce\x59\x60\x9e\x60\xfc\x39\x40\x29\xa1\x9f\xec\x98\x1c\xfd\xe7\xe9\xd3\x8c\x14\x65\xf6\xa0\x4b\x5b\x0e\xe2\x98\xf5\xf2\x1e\x58\xf7\x1b\x8f\x71\x00\xd1\xbc\x55\xca\x97\xb1\xb3\xab\x63\x48\x5b\x92\xe1\x66\x30\xae\x0c\x53\x93\x15\xc2\x5c\xef\xc3\x47\xd6\x6d\x80\xc2\x53\x1e\x81\xaf\x67\xe1\x79\xc1\x69\x66\xbc\xb8\xe9\x98\xe0\xcd\x1b\x3c\x2b\xdc\x6c\x04\x99\x46\xed\xb3\xea\xaf\xbb\xd9\xb5\xf0\xfe\x7c\x59\x25\xb6\x19\xe8\xe7\xcf\xce\x1a\x62\xc4\xd2\xac\x45\x97\x40\x06\x5e\x9f\x9e\xb7\x22\x02\xc0\xed\xae\x4b\xfc\xf5\xd1\x1b\x93\x14\x58\x1d\x63\xe6\x88\xec\x40\xc0\x37\xa3\xc4\x1c\x02\x20\xbb\x1a", 191); res = -1; res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0xde, /*dev=*/0x200000019000, /*conn_descs=*/0x200000019280); if (res != -1) r[46] = res; break; case 72: memcpy((void*)0x2000000192c0, "\xb7\x25\x34\xd8\x42\x09\xa7\xa8\x62", 9); syz_usb_ep_write(/*fd=*/r[46], /*ep=*/3, /*len=*/9, /*data=*/0x2000000192c0); break; case 73: syz_usbip_server_init(/*speed=USB_SPEED_LOW*/1); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); setup_cgroups(); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :7432:17: error: '__NR_socketcall' undeclared (first use in this function) :7432:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor31503811 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/0 (0.41s) csource_test.go:161: opts: {Threaded:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_io_uring_complete(0x0, 0x0) (fail_nth: 1) write$cgroup_type(r0, &(0x7f0000000000), 0x9) (async) cachestat(r0, &(0x7f0000000040)={0xffffffffffffffff}, &(0x7f0000000080), 0x0) (rerun: 4) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0xf503, 0x0) r1 = openat$bsg(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bsg/2:0:0:0\x00', 0x2000, 0x0) ioctl$AUTOFS_IOC_READY(r1, 0x9360, 0x76) setsockopt$pppl2tp_PPPOL2TP_SO_RECVSEQ(r0, 0x111, 0x2, 0x0, 0x4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f0000000240)={0x6, 0xa, &(0x7f00000001c0)={0xfffffffffffffff7, 0x4, 0x7, 0x1, &(0x7f0000000100)=[0x4], 0xd8d, 0x40, 0x42, &(0x7f0000000140)="397015495b433e062b4ef549b056c6053006148248bee934bd6a208a2a61c79f4a49357e536538e086957c377ed1f5a646b74017e305842144812e9bba2901bf4411", 0x9, 0x1}, &(0x7f0000000200), 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f00000003c0)={0x6, 0xa, &(0x7f0000000340)={0x3, 0x72, 0x23, 0x8, &(0x7f0000000280)=[0x107c, 0x10001, 0x7, 0x5e, 0x50, 0x5, 0x4, 0x1], 0x80000000, 0x4000000, 0x7b, &(0x7f00000002c0)="318d74c326f1d0a1ddbde1b51264ef98bfda4fb69c29e7e26f55d00aa6bd2497e23c8495bbc94403a7cba75120bcaa832dd53aee8ea1a66a79dbbaf3f0e23210a900059df2ddaca7125bd90eb91fa2c9c8109eb62552e90a219ef966dcaa594c33a1e623bc0d18fe1db97c9eb7beab52ef03c21bf7e61449526687", 0x10, 0x80000000}, &(0x7f0000000380)={0x0}, 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_PVRTL_TLWRITEDATA(r0, 0xc0206440, &(0x7f0000000500)={0xf, 0x7, &(0x7f0000000480)={r2, 0x77, &(0x7f0000000400)="8e468e19aab047d4e00e0ed7fae1830e8eaa0f74bf5f1a071c66a6cd46197d7c22aa47147d723bee80238fd9e275b5c9ac9c8979f6fcbd068acc9469f561db806a720d53b1dc48320b365bad54f04e1acd0ad40862618d0e8953cd0202169e1549392bb2edd07d80fd37fce2f6f848013f383853951906"}, &(0x7f00000004c0), 0x14, 0x4}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@data_frame={@msdu=@type00={{0x0, 0x2, 0x7, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1}, {0x3}, @device_a, @device_b, @from_mac=@broadcast, {0x9, 0x3}, "", @void, @value=@ver_80211n={0x0, 0x7ffe, 0x0, 0x3, 0x0, 0x3, 0x1, 0x0, 0x0, 0x1}}, @a_msdu=[{@device_b, @device_b, 0x70, "387497a69841a2e528b4f29912f3dd10b50ba5a1e170cc5b6d1c7a78f57a5e0fcc9b2e9a5e87d25516580ea1f223f1317f86ecc39117cf0e535c2e2befcf11ff81999d1b87d9b198c803d72ad724e94c783ccac7763ad34e6f7491b3637ce2f46677a7612873ed0a3fb64c0b3d78503b"}]}, 0x9c) syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000140)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000180)='bpf_lsm_path_link\x00') r3 = syz_clone(0x40000000, &(0x7f00000001c0)="4998de6d85ea9e09841517b61ce22a88", 0x10, &(0x7f0000000200), &(0x7f0000000240), &(0x7f0000000280)="b9662d100f99f4e91d1de2c980ce459994b046bfe06b9a28c60dea9680ab4bcc3f5d3397a5a251d7ba7693b7eb37177d030a2b3fce8a232e5b03f10a948052ee907fb32f575b2310fae99107f95ccab714722f59ecdb") r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000540)='./cgroup.net/syz1\x00', 0x200002, 0x0) r5 = syz_clone3(&(0x7f0000000580)={0x200, &(0x7f0000000300), &(0x7f0000000340)=0x0, &(0x7f0000000380)=0x0, {0x22}, &(0x7f00000003c0)=""/179, 0xb3, &(0x7f0000000480)=""/66, &(0x7f0000000500)=[r3], 0x1, {r4}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000600)='./file0\x00') syz_emit_ethernet(0x56, &(0x7f0000000640)={@broadcast, @remote, @void, {@canfd={0xd, {{0x0, 0x0, 0x1, 0x1}, 0x13, 0x0, 0x0, 0x0, "52ba74a68ef063725a233b9509b8fd57d58ee264c37d44cd7c1e1075f83d41720f374e7e3c9c01b86bfdba9077a2c5bd2b73eb43874764a25316bd3b28368a77"}}}}, &(0x7f00000006c0)={0x1, 0x1, [0x193, 0x6b4, 0xfe9, 0x1fd]}) syz_emit_vhci(&(0x7f0000000700)=@HCI_EVENT_PKT={0x4, @extended_inquiry_info={{0x2f, 0x4f7}, {0x5, [{@none, 0x0, 0x6, "d24446", 0x8, 0x5, "43ca60b9ed4eb6934c4457f2bc5aa0ae593beeed8a789aefcfb8ec83ec7529d54cba5b40db8e0bbc549bf2daad5883da0869b376fdc0e0cc708e0215c9ba10d54ce801346c9731123e8edc523098a8c4c4e09c8ca5afaa510b825705bfcb534ccb8161511b23c1ef7eac6690ff08a8b48fec50ca28d759369c7000689e8e5efa7d691c1c67b2d98dc9bce7fe04657d156d148fa4c0e8ed5df1b820ab6fbd4c2f10f692da5df9e9e9e7463f732b908fe70608b36c8d33664739b2fbd81806cff9b2a19fddeca0685d84a3b4fb6e4b2da14198bdccf86f6daabd361fe7a259ac83c1e9a1ae73429f5bd2465cab2487bdd0"}, {@none, 0x9, 0x6, "7aa2fc", 0x2, 0x5a, "052195f68d623e277339549cd0596ea8d93dcb3704365a1fe131001ddfc78677d59246b7163b2a857523bc03137c5e74d51f91c59eea5ec1c9003d000733a466a074866803d3394bea9a3b3d7e5d67755ff3abb6cf741dde943f2a053ad9b328d0c53cded27abd1cd237341fd89842736abc794f81576ed5b95189dd4794b90dfe6748ae5c405e0827a8439ca368fbd6ea5a49d147e5364c2ffe32013afa0b7b4017951cc96a1d5aab926c9a85ac3529020fc62b2b8faa56f674682b27d994bcb4746d7aa06ef430a6140eec740627569287c2abf99514a28751d16d3b7aec64c16a217bfe2b13bdaa911d976f481516"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x3, 0x5, "24b80f", 0x7, 0x7, "b3ada341371175469ded69ecf799e4a1194f89133c06019703d569cd1c29c53a302e49b159a78f22df58260ea65730f1d60ce2bffb5bb00da408a73ba94586b850c8bdc188017de780947019c1160e4de6a4bcff9679840ee2f1bec62851a512f73912564c278f8bcf11b2459af745c4e302f7542fb586c218df5d5d741dd3b331b090adf53a39e6d179f698937eaf1f296ed38be5f78009b5593fbad7ce8de3177e1b85401c9b10180116ab3dd2b79fb27cf6b781b02c10d92b9077231baff2d796bdd6a60934decbd4730b8cd3a7f5d73b9d56fd8fe4428a8ee6e9aab0f07a170ed8880da6937863d6e273a5a50847"}, {@none, 0x2, 0xc, "ea7fc4", 0x8df0, 0x6, "717a9cb0a4bb327cbcd40c45a41da58abafefc56db61d4de5f808e54dafa830d32821b9b3d09636dfb4f09884853b276996613006c4936095b667d41cadb7d45b307e434c15619b8d90319f2ffe145511dffdbe0c87aa2eea977359cba985c28336398cb6fe4939f4c70271bb9890a63ce61b91d2ff386c94b83c3fee9a43bb705eadc97907676652fe06cf8872966ee9d8cb21f242185448f0c688a9d0b6bb5923c37587850bae8b0438915fa4b062009eacb71d33909586de59d758a635e4e18f5c5fd4e4cd08134cf4af6e71c783cbc71ea85fbc2e67d8499622ac2460d44822b33339f122efe0f0b0c76b56c3473"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x10, 0x6, "c5ecb3", 0x7, 0x5, "230276296df7a839cdb0c698a3b6cebba6e7f8f843267597af962842e4a5f003617064f27e1db99a03c126776b86d3b4b4ba41356c681f7ba54c248e2ae9f43ef5aa08f30721c5fbb3d7a0fb95da303be2e2607d775877945e61f5c98b72e4bd3f5b92c3ebc55a167e4bab5f16468e5d14ce3c988f71872d0985a2f50374c672de1477f60bd549a28206d4100aab9c222ba3330476025534ba2faf03a5c7e8885fe8041fcc9bf6de815abf2e09175e1981f89551e9b5cb59bb493e950edfc5ea0036351e4978cd63c8a50646e7104756e20605773fbd3e7131b7a55d8b60086b4fceb02b3015ba49de2d541fb06a9d27"}]}}}, 0x4fa) syz_extract_tcp_res(&(0x7f0000000c00), 0x1, 0x5) msgctl$auto_MSG_STAT(0xab1, 0xb, &(0x7f0000002fc0)={{0x8001, 0xee00, 0xee00, 0xdaf9, 0xd56, 0x6, 0x7}, &(0x7f0000002f40)=0x6, &(0x7f0000002f80)=0x8, 0x9, 0x3, 0x6, 0x7, 0x101, 0x9, 0x3, 0x7, @inferred=r6, @raw}) stat$auto(&(0x7f0000003040)='./file0\x00', &(0x7f0000003080)={0xfffffffffffffffb, 0x2, 0x1, 0x7, 0xee01, 0xffffffffffffffff, 0x0, 0x74ff, 0x4, 0x9, 0x5, 0xc50, 0x3, 0xd, 0x5, 0x1650, 0x4}) fstat(r4, &(0x7f00000031c0)={0x0, 0x0, 0x0, 0x0, 0x0}) shmctl$auto_IPC_STAT(0x81, 0x2, &(0x7f0000003500)={{0x6, 0xee01, 0xffffffffffffffff, 0xe, 0x101, 0xf1, 0x40}, 0x287c, 0x6a1a, 0x2, 0x9, @inferred=r3, @inferred=r6, 0x0, 0x0, &(0x7f00000033c0)="056976a58633696b63367a4cb488b16ce85e89943e5f0928ec40d6d893807fa6c44c5d38daab118433a7e8f1c46e1f060f28165f41adb8e679cd9e46ac384774e56bca1880a690fc3f8ed5f124dd98467a33bb40cf191cfbb9590f59179bb611cce789225922a0ef4f2286f87f847214fe25618b989a0501e7eca7170a3913bc68b4539966e289ff94ac31e8823668bd0499d09b055c41410ba2f2101abaf7155399f97ee924e9277e6f54819f12fef3c5769378b344b6ff6409edc578c6c93accb0f08a5d8ffcab30cdbd713d1b93ee7b8eefdf77ea", &(0x7f00000034c0)="020c5a2af3"}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000004640)={{0x35cdee94, 0x0, 0xffffffffffffffff, 0x3, 0x6, 0x2, 0x80}, 0x3, 0x8, 0x7ff, 0x1, @inferred=r7, @inferred=r5, 0x9, 0x0, &(0x7f0000003580)="cd052c206f368b4a7d16e28cd36b1ea6d10dab7017b7d085ea27b3e3389d760d2277e20febc686f359d6083a629e7981089e0419c7b562dbbdc2e67c1e95104a390549c9371a4345f2aa7d8458094c6075b84d11486d27bf68233bb457eb106bab49a3fad299b590025e4fb5e43c712ad891f39138bdb922ea9d21b7cfc7c343f9a21496c66922cab8e66535337a89a717c354bf1846b506c234a3093d728c6baf272a6fa5153dc039f87e0a36744e1f80f2aac030e2f8ae6a7dbcd3f17bc68ad0b61ce31212c46edd615d571b338e22c0ed5d26f7bb2f365ecb2c432647a7c6d775b0e41db928f9e7b2af72d690acf8b2ad8c2e000505b6952c4ab9e2a8ecd07de44b2b48af7b894696ae567b6dd0a1f99b007a8fcf41db20827f58325a9e8812354425bdcc3f81f2d3863d7777fd80360eb8b9e77e47059a1d2265733c4a8a063b45ed0b8c2481e1cdeafddc5f42c931b3d3e710e4538bbad815479cd9afdc5cb44723026c4bc006e256f6f427042c6765a3b253e9356ca1ce45d9d83d5e111928b47a8ab8422b37e8c382436862c944e08ebbadd1a33686219ab8cf995c12a7ab7085a79a7d1ec3c6cd73a443cfceacbaca1d7fc0cf34d58c9277881f983746ff62fe41d0f4f7a12ff44f4ba5bf7d8935bf09a88ad98ea8a9124de178c28acdf1ba1a9734d6c225da591c229d313fcbda810b0f1057b0730a9572a807758defb579db3ad021ac316fb744a1582c16256ea1c6bfa26c73af1e2b6c4b8e7ef329e7cad7db91799dc044aecce5f06e803a4d85bcf5f45dc015d13e3f2c1892099ee653777ca5f6c92e41f4e30ba30f832703df08a416752b831b46c56563820fce5ed3421e9b2ed0a19c64e9b2bb8081ea08255fdad2f235e7bac68f946b3427a44a758e78dadd8e42a909a77851bf66b01e427c2fed94ffee1d65e21753b39bce8daac6d6f11696e003a5f3c21bf9d1cbf4bdb8f3cf5ae542fe7b255fb5ae7b184fb59db73550d293254277b4f94a71c93a909bbbfaf3df95c3e7c4170fe8b91f9ecb8673cb5492750edf45c76a20d94e21b0d3614d3a99f7c9e3978faf09e067f64926204cd090a9f115cbe7f727f5809976aabd337e8b2aee42a9bf68e2fccd4152b3d9831149d40c75469fd9b03fe1860dc1920ac7d869ed88d4148cb746f5eb32a2761eed4473c54315d0d91044b62a14537c825c8cf578fbd68cf8748d67722e27b81f9fbcc13271c23335057cabced862125f764f5321f59643514392b72e2de32b1a54e4096ef73d0692ec6a365c035d0cbfdf77ac650e7de4c3dcc5a2f60c4e08536e75ccd81a41425a1de44ea275baaa2a7cd16ef64b41cc71f856861217bf243e8f61c899f56f4c64e116e0bb020986eca1f2a0d8fe1ab5130b639a7db41b54fd262ac858452a2c79d82d99ae5979571701dbb30fc7aedf237dc785bea7576ede6cfe60c53d88db5e7db59b3214c8e7f081a61d3b699eeb802e6ef4e298b87ab22a20bb1f3e8e4f7fe56c318d4bfa3eb312b9f3e75957bf62647e309ca0a5f669cdedb2c309aa7245cc832077f641b2cece614f0938ec1d456600fa30064f249e2f8efbacbd9d2eb90e99fc0938edca24924edaed9fbc50b1292e6475a5b4f38bfd379401eeda87b2d17de03ceb23d788db69b548ae2456989b8a5189d3800203890eb9a0491a20f44603c881ffb0647e7ff291139e80a5c46aeb4322e59356d9fb1e6dd3dffefd4df3e35eac72f2921774771b8e288adb818c8560554a7ae3647ae49baa80776b747abc82dcf9e408e8fd14472d3a5d7ee014a7ba4374306a6eade2df580389cad9f548bc42769b27c8c4aefddbea9c3d89d9960551cfcbfe37c214cb5fb31d9835f1f8a8857e53b36e91bfe3a2e3559d3838050afd13bfc6924587c8d22c21c2df3cb2a0e06f01f23103c4b6955a985a7b26347a6a9d178e835e775365d41fe3443ae79970dac382a32a597c3d567d0511b5dcdb4ebd1271db6e675a4f343f9501f10ab4723738bebb6366241cd602673ff9c76912de6141c5cd4f2ef95e7efd66dd51b565dd50035f8f7e86b576d5129481ae75f7a9b7cf033a402502d5d1b5aa4115ba1b84f7f2cc284e3f636a234f40e0aa118c8f9d0ce6fb7ee613cc2f1cc7ecc2e264b2573ac3dc264aaa27643a483a1cb38e2b0237775ecaed626f7cb89bc563492ffe1e5ae6401cd82a9ad0fbc32f7b5bd3029bdab72a8d47f34b37011e9fba52075a56b89f2963edca796930a4998c755da0d251da985a1829cd10ce7665d2b364776bd6c76ef9978f800b453fa7c2704838dde05f2f6489f31e35f6d731c2678f3285070f297cb3bc03c0a012b22fca31295576acc3e679bbcba5fceb7ee7692749fcc58495614eb4a7f3a1fa7f21a655172da28ca916292dc7484834c31a3e5f54912f10271d5867e57bc46466d781bbb502ef32ed8b2b4452a58e212e7db8aee573dc6252142ec5bf2683ded9a58b60cf7883ef04bd502e3df2d621bec0e7fcaf6726e84fb1c6953722c7b8523d4cb6e4b55bc3d196c793c44858814b029eb23e8f80b66aefdd8be21541228608852fc354f75605aeefb828971defa68e28cdc694b24f2f461c707d27b98da4000f9c823ebb3384c50d6e41e5ddaa601b696f41a9ba4feee08852874bf0e31d20152895e1da84a94d529a194be53a886304e7e360a6a40d2d4074905bbfd06e3713375b31bcca23f4db67da9bf6920a5bb44885dcc3086ca7895c1069dd35f189e57ce60f8e0b0b5d337bd669d3deac1f0115570a5fa6505fac83c621c46f693d84dc77e2148e887a822d86c8c0ff4c00485c7f37a5198c69c881c158b744fd09cc76c0574f4acaad646204552774e98e17c3998e34e75628da2630a531cfe927d3c55ef02df3377eab25143589a50a07a32906e714ea42584b3d69d7ddda2fc0fa486a0e93baf78ff1b35d98c0823841230a26b52120a445115adb78d8fd99b71ab86bd27aaecd1659e89f99efa54f8764c2f4bc01975ace6f35d27c2d18c713a9947179211819dc42f7cf3fe6b546674f1446f0c81aa08277ec6b140e14b6e4360782bd17d03255208cac917a5f8ac03e6e8d13d0e62d11bf55d00b3f8f1e80b8551bd7b65b6284d1566cdfdf4307a5ee5ce8bdd6fd04a3edb4871ba97aa01d673af337698f0ada53cab9bdf9f631d0ccb7617ff13e0a3b3785ed26db722e163271b1f5e4690005249427bd44362c6631157286dbe4ac19620b55a64fa6958fe32ff13b1addfd7f56a16f79daf4e9278727578d0154118fe591a0d89af07d8bc3582cf51a01766d9c9ee3f8f80b58e86fdfbb4770e6cf2554b0d9e0769928c4a2f383aaa525ddf4734f4cb19996be80b4c91f91bbca6094ab910b665241e29b3d48784f80d32d2161347d2bfd791a66c6e824f2308b07f767250d11626dbdcc9613683e46cdc9903aa0848803b4a3dfb1fc9b350d47164ec59db3651e1f5f9a5cc1ad484654ac3a7f013badb6a0ab87effaffd526a53bead659a15dc2fd631dcd843ec341804a563d06ff6c5631dda5044b9a99dc77bc4a4fe326798d672d450727e81e491533e6a21121e3b8e5cde35fb84e74fe5011896235fe05f335bf12e317240191e742df9438752984fbc697a53b3950e26b3da9031dc234e843326d04fe096b1c89ce93bc6c5a60d7e6f0c5e8438fd10fa66b3eef5df79a3df515245e2f370b913b9333875906015460283f873b82b791fb4db71aa4f57d8182bd914613ba4d85f2490bb9bfc6940c5c4986c544308c3ac22b795fcb0b5a062d3a15ae30f6b7ac271bf9aac4bdcd949aaee1d7bdc8895eea12daea16185d869d6cbd971ccf16e4da5d70376437a20b6ea6c35c507eaee0a0221c70527d69c57eb3551c617320ed3f817ee2a69988120964b331137406dde202c243a91a0d810d1613ac8709b26a0eccddd7fc75a0d818276cb4953bb8057626f23b721d6073d76586397a8f05d060d4e2dfcf14de48fadaae6ecbd5fbfe958a2f931c531ea325182ed29872a3dfec469074bcdabb2a1a13fe24667efaaa26c50519aa9335d306fd23379939743a10ac90d3171b3bd06a5b463ad1b612ef3d54f53fddff55a8eaef0b6f78779d948f7aa4598a1dcf726aaa45b99da0bca196812f9c5998608489e80ddef13a4b8eb030c71742c304665e15a9f56a77679e7c4d70aa84a53466bc5f50d55a676eae3cdf862936c8b2f3451e2187b7ae8ae1446e090142cb89e4ee09e40cd4a0fe820ec28450ed7e7ae2e0e47a3d4054a4acf536e9a3efb8fbf5d0d6fbc69a51bad4a6723d62c8311ec224ecc71048bc16f9805d917a8a6294c038b2842d61de810db1b1a6f37720d3011f5e55803850b6aa0c4bab3c812cd7dbab18a732ac8e167c49ecc8359388a95080cb1d796c324f1a9c3795749a36682357601b260d85c710dd0c67173a8e4c1aa1e95ddb860e37c44c990ec5d11c0e71907c3e5e5fd247fa321de92db50684506e829447a8c85909d2397ec11bbe0613a4d8af44c209bc4570293e9cf7ba6f47754fd0506ec34af2f9ef20250edc01f97b8374d82c7509a231b0d5c9b085f9948efce68c5712f96afcf4f92a1eb34934b1d664344104337c2b5028c8c7d6d7e62e74cf283d61dac1ad8721505c4884a81cf692aa33f801cbc7eee1ae61bd4c96a4b1adb88f24b0a5e7815c537b25b8bc2ee283e4e05fa0f157f194f5b22d6d0267fb0fd5ab10be2230cd21f870e0e651b5747bb7f4593ef52c8a2e51d5093ee1405e49bba6b36cf97f0b2f7150a10ab7669478a4831f9c5ee6790e91e93b0e814bc314b062c68a3d36cf48da349b0223802722d76b8bde97982f78dddab064084b3eea0a335bd0dd8461b10581d4a9aa699d542dba4ca8464f62ad3b9cd7e82026a3fd15c2bdb3e30a7643e82f2c8e764498866989e2fe5a9e89c237404aad6b55c2be458e3f6547f727f0b2c9052de4839a6b5f03f5a788e5a14d8448ee25b3dff69002d5fda5cafe5bed8260285b61ce3c53c16288ef8af1759f631360aee3bdc5ebfc229b967d1937996553952409f5f5860820fdd2ed846dab931b2d19fdda50693a926a41e56060f2d6c13c125c0c4b08e475a992cce4b51e0f76ebc3c7362fb1bb0b9805332c162e1e09d1ff0eb73b24e40d6188136bbc6ef8a36f632ea32ea4c06199181dbb78f399f47dfb4633d0f0768ee3d33befdcc3c0fa089c2182d6a85b272135eae3436bfa09b18b1021f37097994ad71ac94c97448e2b252a758616c15f0966447de5d6487105fa408042c90a9a89ce90f0728d7d767c472f60a1740c77c0a64af3ad4f94544ebb3de794201d17d6399765e055a5b94d569c6618e114275cfe79c2636369424e01ca8b8e3a530b924316f43df7e43cd070d1b09e8cc184ac7ae979119aae40155a2a67329e18722c3dc72dee0049eb4c29b306dc81de1a1967cfe17e97ca476562cad43e84ab3ec6e76d358829baad982241d0db7445454f6a405405057b57fb93dfbdc8dae5b30c64cd220dc48fdb5667a3c065f4b308bd076f95c810e91d5b2b921126128520028a700e506da6c7617f624242a59b874d06040911d534a0e15a5195fd8d9cb465176275119540034892cc6e6aaf174b06435625f9bde8e699e28cbeed2b9ae0fc684cbd8c77bf838086450395f22cd025c70460394cc219789fc7568379df9856583f796c8a2944b857077bd29f5478e8b3bdf916e6d67963f8c039ba469b60d0a24edb6f9e00402b6f286d88a4fc10bf764d8c37252710cb47b5693708", &(0x7f0000004580)="820718733b49daf8ed80b0ed25772d57d77435ef1da1ca4f1930ad4e713b84d4c1a24c712f02e0b86d1842c164415aa9e490e6c8230a89e309faf07d239dd7cd35da5cb5f36919db06df51a5a9c5fc8049897d04bb731725ff5f5d98476e15b1dbab8cdc405c2c17365805e27a61a5f061e7ead100272fe2d9bd8cae4a261b451919ebb927204c1f63a8908147b99835ba994378a32f9f1103574a08934fbc79d31aaf13"}) r14 = geteuid() fstat(r4, &(0x7f00000046c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000004740)={0x600b, 0xf, {r3}, {0xee00}, 0x6, 0x3}) shmctl$auto(0x0, 0xb, &(0x7f00000048c0)={{0x1, 0x0, 0xee01, 0x3, 0x6, 0x10, 0x1}, 0xfffffffb, 0xffffffffffffffa8, 0x800100000, 0x0, @raw=0x6, @inferred=r5, 0x40, 0x0, &(0x7f0000004780)="1f8aa38b61938fb7299a96aee61f6cfc70190f9df301d40ccf557795fc00d7759efa4ad1661cbb0d54c310aabcc29285c2ce84fcbe97407d849edec2f598b205fa5ea2460d0f615ad87e7e2605e8101f58adb62e178c78c454580a55d63f5e1d11f932250d1fefd45195451588bf530d73d83076a93a289b613bc68b49905423d7d5ace8016292e80377fed1b58877d9c4d04ea05ba8", &(0x7f0000004840)="b7376d34b8a4cc32667d885991bbbc6828d08bd669e6af09fe1e55bb32d885d217afb95645976390dd7308c504c5d39953a783b065bd4f0a72bfaa176a0d2acee5c8e41ff9b692a41d010c7b3459f84c721cdc4c7dad40cdb171ae49a556c98b5eda14db8d4cdcc0b47fa75bc9faa171e68b700c4960222516f6d5"}) shmctl$auto_IPC_RMID(0xfff, 0x0, &(0x7f0000004a80)={{0x8, 0x0, 0xee00, 0x5c6, 0x1000, 0x2}, 0x326, 0x3, 0x3, 0x7, @raw=0x1, @inferred=r5, 0x300, 0x0, &(0x7f0000004940)="8d80000898d81f2a2a537fc21c52023bc6ee66954a12a93f2418cd8b0b69067e3ffbce8f5d7431e001ed255fb5ed784374aad30a67500f8f6c042bf9e6670660d425f7611c7ecdfc450c05ef9c0a65c62dc2215fec7c02b712de12f5053e2c3f60d780fafc4d1ac221ca0907542932889c", &(0x7f00000049c0)="9ccfda869deb661f5fc9ba8f62d29a4ea3be9286f77ef11178f96e25e8bd888ecc08d452e94731dc6e97d39ab9814eec357acbb7ad4232899315b74df9b4df71302a482e3c52fc988162d57139e691028753aa86b20cbc060ceaf9de31cfbdfadb2802232870090286f90b426c18866fb62bb4662ac9cf938b12c2b380a1324d8313575eadbcec1a33832733dc87a6f8ef25230fc815e2b6756e60144a41195769ee48e21d497f0eb19aa12419eb8045ac2cada387"}) lstat(&(0x7f0000004b00)='./file1\x00', &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r22 = getuid() r23 = getuid() stat$auto(&(0x7f0000004bc0)='./file0\x00', &(0x7f0000004c00)={0x2, 0x3, 0x5, 0x6, 0xee01, 0xee01, 0x0, 0x0, 0x1, 0x5f2b, 0xffff, 0x2, 0x8, 0x80000001, 0x5, 0xcc8, 0x6}) shmctl$auto_SHM_LOCK(0x6, 0xb, &(0x7f0000004dc0)={{0x2, 0xee00, 0xee00, 0x401, 0x9, 0x6, 0x8}, 0x0, 0x8, 0x101, 0x4, @raw=0xffffff46, @raw=0x8, 0x2, 0x0, &(0x7f0000004cc0)="00b8fcb8c51e1af15f5b1d2c15821bb8f4e846f20d662dad19a0e59429994859bb1d0b6c63ef694416acb494494c6618f98573d370cc435065ec4da9efd3f67626f44c18b96b", &(0x7f0000004d40)="23c6651878ddaa085ae0bdfb7ccbb08b71af34f9f1565e8ac77c5293baddfe69ea20aced26de58664b32ebf6f734d3f7f692065fe4f99ea283362b12f96cb972632e80273d014687"}) msgctl$auto_IPC_SET(0x1, 0x1, &(0x7f0000004ec0)={{0x0, 0xee00, 0x0, 0x19, 0x6, 0x7, 0x53}, &(0x7f0000004e40)=0x3, &(0x7f0000004e80)=0x5, 0x45, 0x38, 0x0, 0xffffffff80000000, 0x4, 0x42, 0x7, 0x2825, @raw=0xa21, @raw=0x1}) shmctl$auto_SHM_STAT_ANY(0x80, 0xf, &(0x7f0000005680)={{0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8, 0x6, 0xa87, 0x6}, 0x5, 0x7, 0x6, 0x1, @inferred=r6, @raw=0x5, 0x4, 0x0, &(0x7f0000005480)="feedc6aeab06ac00e00a4726dffa893698621bfa7d41a1acc3b82488d27e0ad499d0f4717604496303a3c32eeeb44df079182f9c1f77ba86b5d75d3cfc32f45062e93e184cec890244b195f2cd11bb0a90f2a2d8f67cc5c0be21ff7a4f4d4a43b7fb2ba733040d26fae0fb332ccc405709c4b602936c96942a8eb5ae327c87db6f2f6f610f803cc6d8d2099ec2a87419cd0c206b74ac2497ac1f8b637cffd4427dae82e77beaf37ce6f5d2bddeb31944c36a67ec4346592b8b0a7f4f28c952c8f6bcbe0a5ec35aae354c1f9e66bfab1fa0f8fbe02e56af6ecce525617800b42e8cb5831e20ae90e73bdd29da4c8b8d1d00ad8e8e8d8f", &(0x7f0000005580)="48fe27d996540af39ee63ed5b8cfd8523c9eeea2a9f619601421c6140e3a984abc8a5f421ac2621ad09dcfe4b7038983e0e88240cf3dd61196976f836b58bc78e8d080446c8c46fa4d9a6b522942ef8d58f89f4010f6b62b5aff902753b62fb29fb8a8a3a475f3e0e445bc8a4fe018fb6a5e3c2d534aabd3b0915d7b065781ca8cdb3eb734016390638cde9640375b4dfc90c211603b5ea2bd44295750415067bc3f147a66d77dcfbf658480369e1d1f193dad08c00f36c99af5c1b52ff0a1f2e893841f1a2de097fb0e001abdb956f682de1ecfc1801ec9436f864d3abe6e7f9e332a32e9e5445d85ed613ba1d59a8ae483ad90"}) shmctl$auto_SHM_STAT_ANY(0x7ff, 0xf, &(0x7f0000005980)={{0x0, 0xee01, 0xee01, 0x80000001, 0xa, 0x9, 0x50f4}, 0x8, 0x8, 0x4, 0x7, @inferred=r6, @raw=0x8, 0x3, 0x0, &(0x7f0000005800)="db4118b7fc550b52eec4c59cf4b93c169cd2e4c6b1eb5a84e95bb2109386544d8185388c504c495c8ef8b3d196ce76844652a8d2eddb5eff1169a558d6e7c56d46aa70e6298fbfaf95fa39d53985944c382b26cb4ee51e021bebc6e6e80388", &(0x7f0000005880)="11d01feaa20648967b16d3e6cb0d4989e61fca36740792d8808f572be0b70dd4faaa5ece7385998367d7daf2350e52a74dde027c397711a18faa7b877c14e92f48636c7b021b50828c936f30bdec29c674139d1d64369d02d6df35bd75c54a729a1c28f94a00497c2912e4f73e55746dc437cfb64d826fb5dc13286f2d3dc8a354ee9576b8b37c407814e55241fd871608c599ddb5f980e7c01c23b02b738ce34dc1f4d5577f02c5537eec8d5c15f8c93a7d450b4701de03802241a34c3a07a378119cfbb34eebe8753a4851cae1a14a124749ed8caaec19d2220b21d71edd4085672238c4582dbe77ee258f7504e586845878a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f0000005a80)={{0x1d, 0xee00, 0xee01, 0x9, 0x7, 0x100, 0x1000}, 0x4, 0x400, 0x3, 0x9, @raw=0x9, @raw, 0x4c17, 0x0, &(0x7f0000005a00), &(0x7f0000005a40)="20fca2d9a84b149b22cc118629f244c8f9909cbe317ad4693e5c7ddacf6ff08ff96441b29c38fb9a6161aac42a96f4e5b9a9ed648ca3d600f7631486"}) syz_fuse_handle_req(0xffffffffffffffff, &(0x7f0000000c40)="555b078cdcafe3df82ab074500b854e053e9be2bdea67c3fdc61395f5bcf269a1a3db8dd7f3db0cbe3e9ee7f3fd773e57fb4f6aba53b0282ae6ab4f9b9d69d362ebd6f9917ffa585a5e2b1dd85afdc2e0b9fd07d2bb693d6871743b73eddf8e6cc6e58e502fb0d8d80fb48be00be3acfe35fd1fe21f97c598eca5e0546f3f6eec8f7e403e8a80b58fb34342e2fcf0eef3ba1644b262d0a877deba64622aeee38f1ef528cd836085fb4f8437ca36c3cc211980a6523fc6bd07c49747f5f9d6d79ca435f84f59af8bc5d7a76ad9a4d29e4c5eaf20cf5e373c2677a048b4a064b25c80e3c225aefc79861e39f8898dc749ed0432a3474299b350ffb0c53cf96ca64a127308b7a77f80ec1ad1ca74fc58f71803c787fc89820ce647e6eedc38451b70b1530cc7060d1b0727b74685e6adb3310cfa9ed5165e3d3e74a38a7b5f2502461b93d633693f3c9259d2fa0ad389f2496c5c2e3df9f85c1a8a858db4b7c5815fcbb656821e1844e7d6e0f3cfb64528f9662979ac9a8ec10eef0603b3d1d78d5d2a485486aa8cc310e490b9471ae127194151b732ed19d494ea63d2836519409a213425fe1005e46695f4b24be7b25829653e41c174b1bc69f108a076769c652405d436a7c698ac8e54a850c0ed0249a8250e5548869616b9a72f26cb97096cc66cbbf0317a17f96ee0bae08024d5b80dff8be40c822d850f749e7bf5433d252202b03583d8b87b5b707905e3c8461241fea66c5995a3de30ef8e33bf0c792f23a2643be67d8e077b16a84e52d80c3c3e8c3ba8e58d0683d00412b9f98732524113d24c89ebb020ba631c1618c7c1dedf18ee59c677e585299fc6bc060d5c3f57f9d529f93c37e086db0ed5993a05dabffbae7430f9e2060b0b6ce6b0b21fe6dcc4f4016d87a74d0fadd6f9f12b102f78ac94f2b846c2a7b9bc243c56b0fe4412f03af3372d356432cff83c2d7127fa0a972906d1674d7e55dac178901b661f1f1ef39e71725d89bc1e7ce8ac6a238a9b2115c6563f9c219934350cbff04bfed916653cdfd93c25ca0cfa1223bc85fd26dcb17e5302128fd819451d0b7f0854c7032849777d1828d483bc58b2b91f6e4eb2a902655a95b03fe2c86f0fba9fd2c677f6e5b6092179a5e84a67d881aab57dd2c3239a1db9b47f2b5f6ceeb79a58cd125e6147d2068ca21a0cac47b0c12f6683b7198f139f11206b28490f756e0bf1522195f14608d19ffb6a3ba85f0474431f71d1a38b492e386db9eb0dde55769c02f8757a4e14e93dc241f2dd5e6550e3d753c917bbc4e5b1a3385259163d664b0c72d85bf78354f18cb63f1fe0a337a07f2e78fd3f894ffeb85dace3f30277b5c0fdbb24f9bc354546de812ed5445f854888a038f0436c78b21230ca73e770b4d375ac60d302ad1629ed8c17a12765302add9819e9bdd1002ddf7d773d0d201e6af2bf8e58f68915dcdb80f4bdd731ca0544f9be29297219dd3422df4f2e436422f940d8fe072414e843894c01f43807c4dd4f7c5c1feb20d50f060ee1fe612229c2f49da21728952a0bef81b47fa85848f65ae3756706013095f1ff84e5e32216b94af2479eea8199710c015597b00a97be8b3ba52439b12e3f1948218e2816b75b684f3182b434e0ac0cb31a1a83f2c7bbddf280d1e4fd508c4b7a0fb0b664c613edb4c7ec7f48cdc9411a1af51c7f29564950417cacf4c848bc3c6c2ffb31759917a52510001afd9de6d6e9ddc26364353ea5070fc730b22d8f434ecc21247949f637d03d430a5fbc036bdaa3501d49d63df3238abc594a56443d05f53a557b1e04c54f5de091086a0cfe9f3707c74771d416cbd75c53e7456bac5adce640cd93c66c0ba2e59096c5e08cf2c9b96489e94f80652f905849e4f38997f0cd4e6cf1ad18a881e9e81ae732c284df254de3981606b021ef41da37176e9a0946ab80826dc7fb9e4b99bd9948bb0ee334a5db291ea58807cecd59f870c691385e27f18d74846d1eda220b9607aaf2e6fc0ae9eae57608e601df944d9ac45d62d796512903bff90d740ef9fcc40c3b3f273a2bdfa30143e90cda7116d8c68826e67ea0cf578f59231ca85f03f11b40d0631ab3473ca2ee53587dd4d8abc53c6069d56bd9bf7cc9f04d8982a4faeda89fbff8884251a1fcc5fef642a205299930ee6c9022223576888c491f796624d04d95a983e40b344e8f4c98eeb55e0ff116fcc8b4f296ddc2f11c9322786440e0ba622ed96dccb6bf682b97a2c7806474738e9cea364a22830235ca35c60ca4b0fd30f81c051b96c6798217c7985e7fdfb4fd804093266f0d3947bc1d5b3bd535cbd34bf07a3096f16da818cde06887e94257579f2c020cbcac1cb700d34472bac930130530f9d094483faf311194f9a9641925cdee88879d218b3beb83df4f33f5cb109cac0c7926ff1eb494ebfc58f22e513de376d1ea903e7aa65b8d182e5e38217e2d2c0b0cb392d44ad7684c229968e71a761b967e25a2883929e19bb5dfb053218139dc304eaeed9e15de1f0a9e6f04761c75f7299e6c0eccbf93cc101eb5b017c2d97273b2238d4481cbb5d244db8f1b329b8930545eaa4a36d59c37ddb37a610de3a79ddd8a31deb0b1bbb31d01eeeb78cf95acf3f2727b53b6236b07d490d86318297dad4f6b80107a031299fb52ac0610da5af4b71a8a71c486eda6e77c350224a9e246599d2f01790796a21c1c90dfb6e64c49d6fe4eeebe6d6b5192b6e130eeac673c4cf4669c046cec7388079d14b25992528e205a8663d429d8cea1fccdd3e538b97c635562f2e269588aa14b930a7408076298cc4deda70b3c26c42c67022c59e26f0bc4aecc43a956ac60230ba1b0681b8db4efd0ef133f099563d0f55b919f6437722c86b4a5f928a756b45a84f9c54dc2bdd79ae9da5a39b5993055bf774b129b468fd3885a5447052460d71a68cb96dedbdc4882e6f6a2b7f642627f3e7783accc8f22d29ac8a83788e64abd60619e2b13c483bb9f6442cd0a672dca719262f2e8b52d58efccabe63120fa955da00629888b0986aee3503f94d690115528ea414ff93fcfc487f4a3b0213798f27ce362eccfa775c9f841144ae5fe9c7d95b4657ea1067f12d1dee02f91178b113f7962073a3c98b91de9b47023a22059201bd495e7e2e4d3b3dec65ef29fe442e271f13870b0aed818352bc691b5d3917565bf8b66acb665805d937e6358791ed9060f261ca7e34f0e7286cf7563f57254a05b3ce5f175d8bca322cb31bf8de32eb0ef636da055f3e9eee3b7e36066fe10c45c7742c39732cc789af38cb737aa17898d31a20ceba6a89c7883519ce2171c6e7b19b34494a5806f99c26c5df8fd641a1be5e660ce887a78fb691a1016fdbf107bc92992a2b62dc3474316dd24f40ffe61bfa848f9790e725c0df3fa6d090fd3837e1a46bf58f3beef4ad7721951a977948b86cedc07a24b7f04be14df36dff71531ad715328d70a2fffb3b59439619826e0c26729da1aa66fb892b940f8be7ee4f227b43fbb43094c5086447c8b4dd7266f07bc79c28a9b4b0b511739d6894c0f2049f9b8357a2451bc96489c2fdb4c63fe6a151a11c7230474bf51f4d04b160a65c22104dfc2968a23e427bd97c4d2c0a5b359d59fb17b551f8905a4b6acab2444d66082cf5c64803f5afdd46f05735d18b5207a927ef34cc76a8ed3819c869541e06e50950d550c9b8f034d4a329a135afaa257d3bf25d36ac7c7ff9851ab9c386c9b16b7b111cfbfc39f19ec3b71ce4354036cfcffe36c87a8d6547006ab44f19320a35db003a6cce51e5338afdeaf6fb6ad3db60babb521ad56b080e5564413be596994afe9d4555f7b7530c4fb1ad9b55900c76ba404971d8e2726ac6480ec1e1b56f68600e790a32806f10ee8076ffbbe63130b72ae22f0a799a5658f272faed770f1c72e4b6c32fa19b6b9ec28cec7bfb3b0869e7f47bb32b631d440bb1504e927fbf0a752959c4a633459bd2d34926ada22b97716adc61470eda3a968b898982d896e77da47af7d489728ade3950575389af4883b21f53e9f49d4b4fec3c56b95fae00271b01fd3adac979baca1f9c3bd6f078424720f747591ea8dc7094c608b1476d1e1051a55bb1e59410ef9d8c29f00a6a4d9b3103a8d2aa087e91116fb3639758ad6f93ed0706bf993ece70e8ed75bea28970859c7256f972af862b45b42be15957e218fa65424aaf13c2a847ce1d40dab52ee757669245140c4346c581f2e9ab2e72b64428237250e14293517845568d20edb8b103106c4826621b6bb0756c1facd859509f9331d0a1aadee7adf134d463309811220e9bddf1dc6302ad89abab68e32fd5f7c27ca0b217d8c2ec342a2605fe54eed4321b34eaf54f8c2162d3bf5d7ace2429fbeb4ca187065026aa814a9833b6ee943d1d337de2d9ecdaab2cf4634c16a915e6a9648b368d8df8d6d2de477211214b3e8c291f16ed30ea38ff581b81899cd1c4a74bb338a6322003c9fcbf16a0acf0c67b97d85d55a6b81fb7536d434a0e499929e0da0ae31818da52cc252418802621cf28ee5cd555f13d4a0f6c4160b97016809ba75f3050c2ef1d3f90045e97f4ea5d03739a8c5ab3492f5dd5b167d8f5294961f942847d9550f11f73a8ff1b8b288d27a0fb759d86544691f9ee3f9ee48d0e573f21ccef4610302871c7aec559ade89511dd907580f8f0d119b8274f652f5e4c8a8d32f30f2443ebf4d9bc12486188c5af74f98d315495389f1030d45de4219caaeab035bd511afea18c8448bf8054debe9c747e60431d66015c62578a00dbdfc06a5dd527e31413e8df00420c332bb416db84200cb7e14708a137b75490d95ffd693c9bd215cf71c3f8e2d1aaabff3dd63cc2280ab6ea46a0390e7535635059d128b5a92f68673a058d963303e7e579cc16619d78c6db79e82621525aef9a8af30df9112ce2b68d568c39a8138ebe5d0c3c263802095c3c4fe2a9ba48d97f6df31126b64abdb37cf806b410aa9f32c8f20ab137e12da99f8f069607224ac1ccf610e3621245f7cf017f8bb1f5de00bedd6a66811b286a870a89c11308a35dfc58ba245e93c1d3a5ff010f8de2aa446a90d153b3e6f8d0725dab1ee435bab26a0842c572d388e2b62657c133e5ca2d47fec65561ab2a71c6d7fbdd24dbf050f6889d83227094178096996d856625ddcdbc236c0b5ed28e7cf718b4f80589d3deccee9e705436dde6455d8f0bea6fc4c3544df55dfda6d52deb921c0bcd96f8a0c5dd8ce9d38c00837a5628a3b25297cd3baa1490545b5ccb871c36ac1aac4c70b05aa459734aa523ecf9476d90e719baa1e03de3492c3bd10ee0290a6cbada7296b26f463bcb051b53f08e9a80c47157cb49b7ded5021121c04315fea9d4800dd2d623c91234f9cec3a787bc28f273b029cb66d5a05d5463116138fbc87579a71e0dbb29703867fa8b6921b6fe65a7d196e514d8a8c21ea85666da05b72c0b3dac144fe904d818431b5dc7a90cc3e252667de04bc61a19dca565f5a5c1f4216c69cbb59c71db52e28d85c137d2c48662d31813041b60653139bde9d2b5c472685bef177c2fa2bd8256b32afd598e4f8252c57cd0c4ea6f7df77631ecf00b0b6fae0582b3af17a577ba6fdadb8c2274b63c3a5cec2cf0f302dfdcaeb2a38e32573799803b73686f45ab885f43df4561624c347ab1115591aec423b09bfd69461723de7b10f9189dfec9f0b2d3b66cf8b1ae59db79fc2611a6556165c3fdd11e438081f2e7473d3c16ae567619e58e4e4d2433749b90eeaee1f4e5f9e2acc37c67bd22dd92b856ebabf04b094b8a87d386e44446bd32cd75b6dc352469907dd39ae2bd9c5f965c3f17af0b7785a5eaf4fe485d4c3116ae77a74ab165eaf4ce8fd8634adff390bee91b5b3017ea83c1b2ffd7d04dd0c4db625d6c4f99cadb2fc1df1df877a6c5ee056433494bcc7df92f0239afa2fe75ff141b2e74975fb80cf957c517375059a6a095d4b8a917b71d520a3603662dde20de7c739794b6ccdd18fd54c05ccc814471899c4d6214d8805bef7ba4a4de0e02e5675d5f8065ccb2242d51eba5cfe8ef3cd70b532f9a0bc22d9b64193c79b6ce468890e6fc7f69ae0cbd8e3a42ae06fda98bfc7e041716959e5aee95114643a308c433e40291c532fffea7c88de8e536119ada3c5289c9c57d1d47fa0626bef327fa8c1956760664f96a38538a818837e9c8a66acfa42e01d59fe39a9c7261a77dff5ac509205a25f7c7d56b275f65107c3a4fd26e8edc677eb9a4c9208051e521fb7c932bdf60fd69d10c92f9be092bd6eec68d05972f820058c531d12068e4975ccb0d4f03f88937dc178998a7d68d433079f51da4239a5f5fd4a563fe6a738245fbca5e6b0bd88abbd6eb9fd80931036b0234cf667a5340ec1667c5782de675ab47862018d94ae8b7de9320d381cb843b1a885ddaf31c3576f2cebb6ab9576c334d3d401fa61632dba1e6ccec915c4500f86ac289a1de6549f7ea276f9ff9008968ab31a7a648ecd6f36ed185afb3e9b34c9228e2d726944c33227a9e3d77e4d5be8bd850f310dda0fbc30aff3f5bf2f1ea3eed0ce2ff15a7c313cd87a79add3e290c2ecd764c455520d581e3af9ebe2c56d1deefafa8731bfb4906b74d13f2712048b41a5158cf3cdb815cd8d63c90124686dfb56734834e15534f2b8b7ee2b224eaf79515021de3156191677ca7fb47674292f4eded887f3a63baaf564e358ee2dfdf1273b373c3aab499f4bc548ede7512b5e22cbed7618b23bc64b46c8e6fba9bfeaa963b335de58d0d8b66324ba8f592529d12094d2266819296d395e7b3b0b2e715e7ed73fa8e2a1e151159ed41ecf754f73cf82168df0814aa0c6fd8b9988d208f66badbb90a54b7a9b311839cd6cbbf09280137677a984ddf87951a4713cdf7f494fb54e537d8f1628d794eef29ed26e31321ac41b9373dc1cd85e482d7e7bd56baefbda3e205c2d4855126dabd2e24446214a633eb311cc487b863f1115963a421afa61ae48832ebed5eaecdae72d27de0ce761736e1a71bccfd361c2c9dfce619609ebca1a0d4d8637546891df38f2597eaa1007db2d3f20ef9a6560c7163ed1ae4b55dea61c31fbfd2888460506dbb7af26c178cca34ead9de4f0b71a0f216df958fe4f385e2c5908a5a55fdc0322e2d9793f88fb6ad766ffe8e17b644964b2749e564abfe28692416c661a8ce570baf464d47a0f1288888949ee80b4a6260d0c6b4f7547fe01ddc10dadaed67f39be2a7a6f121cfcce49029bcca23f7e4985411b816fb9b6bceab0cd135cf71a7eb10c97146b3f342aabafaac9c2c690dcdfa46fc4d288623ce1d1385dded99715f351f39b58e0a7561ce85da8e85eed6ca8d4eeb9aa2bcb7cc77716caf84393b3acbb6fbd93d5e266f62d2346d5886c3c58ebd6f71da40e1e677beef215b19a9dfe52e0862d06f287c7240b470954cc00571dc40c2d6fe958291cd26fc28ea6013958d00b0a7f0191033b244a9cd146bbe14492e4799e9a20a2769f096915155594a63e3a53743b06e44723d7f40f45647314a7ba959201d2a1d6b45f65a49398338afc820c765ad7fb759a4a84088e0cabe2209f7fc39e5e5dc177213fbc12c8f1fa828401b10e394896a809576ec118ad715048c7f2f5a3317dbd2b25d7595f6a1a1331f978d313f6492bf81e7b7868ed984c40071d2085403a83b9894816149c61bafdb553c31303df5cd1e6a0e28d81a10d9430946b329725122b15a45f8ffccc5b66632ef9b3e6291b8807d7c2ecf361f9c33b22ec1b4e9b1c15d5b7f69d7e63afe29a91802af6c5b40c609197063cea2d2eb679244adcd981b719fb991231a18102bf4f3c31d3af4be37568b8e82c33ca8e438d9dc076fe17ff21b9f924c8d8a60652941046f085d861d338d376fbae91f85460c1b13e38bfc5b72cf19ed32d34bf85b2c132c23c4c25167be365368ee0cb3818a856d5140de04f9ae445abc2a3a96c23023bec32b22e3b3eed70c25af8c1bc5fdd6731fe4bf7d56a81a3f226a0e94422da5ca31a6f389f7f3c1bc3f8705de1dc0f656552af4684f3ec235d526cb64f19a5a91e8a29147e3f7e131107a13035b365a0d4018d0ba855da90b7fc001fa12d62a43522f1c45a93ede4c1084dbb1019ebd464b33c788f124683f99a8665026f5d87bae954eeec7684c631de38826afcde61fc3f2382e607a78a583075761f5ddf41233a727a15f75831e7206b3b2e8abc03a8ea7a3437091c55938bf16e5435f483fd9a34ed879df652009fcfc3ba60a287b2df77fe136dc6d1c9dc24beff56e888e5497fb91a733d58bca739521f7f1afa4f94ac1ea3bc8d2cce1689eb3a39b9bb81f96e9ac19646c58a4eb72d47f653b4a28b4c2b4340947226f0854c45f766c1ae65d630071acf04b899d1467b46057c335769c4dd23077fa6b08a7cd44cb3fadaffad334f030098158df1ec89dd77f36a95ab58c080f8601d939bb2e143ecae478c0ae46a797e88121844d81296d09421f25e27abb3e357fed43a4733e33dd21d90ab4af3f77b341c35ea8d7222f49dc24e92ee26f28b2127fccbfdd63e1fe24159010a23c885292b55c4b61a7a9066664555982e657744fe4286ce5a183ea22cc462721bf9e61fc78d5f2c814041331f09a01a958e2b64c5a0826a553a8b994d66dbe89faa6403bbe70adb3823a1b55276f089b4b3857f0a4db9e8915ba0fea98b8811775ca4b9508894dd78d80a20a9a9f89054babb1fae304509c1584d444a8aed1f5426c78010c8e8e9ad17b894fa5e3b8d6cf8a9a231fd5967094c78c7b88f8c7040b0984dfe878bb2958ca3991ed8effcce2348bc6ab9375e0f8c1954362cb3e697ae01cabb06655812ceab2eac9383e04efc1d60bec2f188faecf373ae812aeda6e7cfb7407f322c1333589334bcd7204ee02ad89678fc299717cc1317eb53112d95159c38d92d01a13beee3e3ce64a9500e694d253b7575d37d2ed5996809b02c1c4a485d4c0da6e845eca355593cf184627ddfba4df2519beed80c2c73f89c811a446d32fe22fd5733ac77c870f9c1e03734bc44316d1a390764c4ffd4f106811cf57c9f6578d8734d5f49d913cfbf2a83b2483541e6f9136d6bf7baee87702e4b1cbbaf7df3ff6a73eff013c289008d2af8816c3577e8409590adee6a174600aa5166596b4f68d61436b85c549e203ccded56548862c5fc4f3825927d63a18314f8d2fb11e67f545340cbef8247f7373c2028bb4052bb4f7980498472d38afb1e00d60a80096cdf005926cb18560810ae576667dafc0678d72e2392e1e026335f783056885576070f0b36a8c344139225f5332fc49c1e458dea366ffeb2cf12de967b556a13880ca41140d7e79fb5641f64491c8793319a2627fa4400a420e90fa69a1594cb6474907c9a4acf622f9f0c4b7c5a0eec093b6715edd0c97b2d9a7560601218e77784c97ddb1a457d1f6bf851f3bf2623d2f0b1ff7c1e4b85dba900a379d5846e783964a08b016af92cfe59bfd26c31d85939f60d3d66ffab18baf13ea4786710b00be25af314def3cc0996196ba40353d0c47702d033d466158cd1773ddef965db9df67fe1cf8b1db86c3e24a713402ba7d791979b46dca1ac2dfebc30f1a43a0fc3081e8aa7c0004083a4b032c353e702a947c801a6579896c8a8fc55edf38d81831c703d0c82debe598c0bd2f99de66502106341636ca9ebc1a3e0b039851caeece0bc96c9e3eef1cb303f454e46e30e650017cfc202d5369d23c6a4b85eb3a664e2b95cb71b20e31113d83d1301ce527c40a39485add09fb4b498745587009d452a5b09bc3572db3bf3b285ab978ebaf4a3af073323f5992bb630bf4fbccd1c18ed5544c55b3d1a3e26e05db7c7e60a570170cd0ef9f77a4742c6e2c08f3f2f8cd66dd5ae60b19b5fefbd72d5e57149c760b74ac805e574d8ff12a8c12cebc72e13c0ebe3f39380a93f29bc7fb5e28948f9ee2ac056fb4c0378f9d415173f961bb791ab5ddfdd2ed716802876698c7a9553a5fce4bf1610ead50b199e02ccbd26e00024564477c554a5ff50ee50b979d0cb4202ba603461d3426f06f4d00d4ab842dc52c3bb63e117e1cc9bf09c406c186d3a4109ad7eda0fcc1649c547b3b20ebe26e2d8180ae5e4f48a2e7fa4552c8d83165c3ea741643289543ec56877c56187775c67d9c172b5b9e7c838e195562b2f50bb086ef495a9c27f07ffbf1f9b6f05e476fec2d969a88fff5d36d2ee673230d79945798c2619d4b0f5e2732c5a9ad3abcb9c6119867682bf20f1bc987a9692b43eaf198e4c00b05fcf9bbd6d0613353bc1904515516d3af2d1cef4ffec791d9fdf2779df4c914cb8ff40ee2e1bedf974ef95b973f9a5b35b5615ed60798c28f4f8ab08e8881015baf88f9729985ce056badbd88b1fa6f440af1cf1e3812439b04408cc59f4a6dbe3ce4a443c476040ad018dd828a0aff7f972472087e4dc5fde232f655781dfc422ce402a9c036436f7e20119edf27ec00ed99dbc5a6d09d6bfdd3a60aed38ed14a78120d35e848fdc012ef1d559ae04e6c4dccabdd79e5d4c8dab901b58316966a215d45807246d7b62aaee760cfc5d907bd4ee2cd749b86d5b679c409668d7f34a7abfa895349fb9d9eb4765c9d39f201c407b0d5a89b3e6821696d00de3b1ef714a7f259dd94e1ac707421e4ba4fb345fb571a7851b9b24c7ee585de4107adea328e9c0118c9ce62652a64940d63819a70b726e8851d5eb673e98d33bb3c6ca62be5551cfd4ffa0e93595ca43877cd8890ee00d0e109143b2eb0c14d541eb9ad11cc08b91194f515a4479c4cf333c09853842cdd75414e7b7d6889142c2999dc0e8986b6a3ac6e0b3c030c943e985feca927dc9531670a23dc91172ac8d779d9acec6a79714d0a0b1611b23603797e2228c8db7706b38b008a83237f28ed4f45612dd9e685ccc2279c862ce2cd74e3326abd9db1a8ef7118cfc82db1609bec22dd0502a4dc32c269bdde84a9ee5b17adb45c012706e66047dc3605da9f169e20c73c7f764720129ac00b2aefb69812d72ff64d5874fce5aca4df68b78e7ccecb35aa76b5e767ae394b41beff86d1070b21157cf34359a167b7dea68abdd224878ce3d3818358b92a52e4f313ba3dfb8d97d87dcfb39ff438bdacd7a8a4f8c79d245e4b16f42634d5cb63d612ba9f019b6c06cbe5223f24c44d2e16d8ee4fecbfd941b248bb6eb63e0136dc82b9df74eff1ebf9f042dc9166a644eb84b44453587c405164f221bdc4ffb51c26d1cd1828f69edfebadbafd5e03d26bb6dcef5d4c6c7cf512e757609c9e52abc42f20d6b18c81b5bec2d5aaf546f1edaec291a7a18285499115dfd75319e9b6102030aab5c0995f6faea2f29fa41e7d5828bfa59fbfb181f96004a67336f98ba0badd72dbed7319f96c1bf8fd43d1c0bdf65cf244247586bf9f4cb3105b8c30388d67848c1a2867fb416e4d54b30f4b258cf605aeb72b9ed04d3ee7302c2e2b33c4afe3f88f3dc97c1cb1b0ea83cfe5d14ec93510359a324b54a53c74acdf9191f8684ec2f43ec6acc0b672b3bb5132172a6879441", 0x2000, &(0x7f0000005c40)={&(0x7f0000002c40)={0x50, 0x0, 0x3, {0x7, 0x2d, 0x9, 0xa, 0x6, 0x0, 0x9, 0x57b, 0x0, 0x0, 0x2, 0x7}}, &(0x7f0000002cc0)={0x18, 0x0, 0x8, {0x6}}, &(0x7f0000002d00)={0x18, 0x0, 0xa, {0x1}}, &(0x7f0000002d40)={0x18, 0x0, 0xffffffffffffffff, {0x6}}, &(0x7f0000002d80)={0x18, 0x0, 0x80000001, {0x3}}, &(0x7f0000002dc0)={0x28, 0xfffffffffffffffe, 0x6, {{0x9, 0x1, 0x2, r5}}}, &(0x7f0000002e00)={0x60, 0xffffffffffffffda, 0xfff, {{0x5, 0x0, 0x3, 0x1, 0x100, 0x8, 0x4, 0x4}}}, &(0x7f0000002e80)={0x18, 0x0, 0x5, {0x1}}, &(0x7f0000002ec0)={0x12, 0x0, 0x93, {'-\x00'}}, &(0x7f0000002f00)={0x20, 0x0, 0x3, {0x0, 0x5}}, &(0x7f0000003140)={0x78, 0xffffffffffffffda, 0x2, {0x5, 0x30c, 0x0, {0x3, 0x1ff, 0x6, 0x8, 0x3, 0x0, 0x400, 0x400, 0x362b, 0x2000, 0x5, r8, r9, 0x0, 0x2}}}, &(0x7f0000003240)={0x90, 0x0, 0x8001, {0x2, 0x1, 0x7fffffff, 0x9, 0xc0, 0x7, {0x1, 0xffffffff, 0x8, 0x7, 0xfffffffffffff801, 0x2, 0x8, 0x1ee, 0xff, 0xc000, 0xf, r10, 0x0, 0xac, 0x4}}}, &(0x7f0000003300)={0xb8, 0x0, 0x4, [{0x1, 0x2, 0x1, 0x101, '{'}, {0x6, 0x8, 0x12, 0xffd, './cgroup.net/syz1\x00'}, {0x2, 0x2, 0x4, 0x0, '!\']!'}, {0x2}, {0x6, 0x400, 0x4, 0x3006bd82, '\xd2}$/'}]}, &(0x7f0000004f40)={0x538, 0x0, 0x200, [{{0x4, 0x0, 0x8, 0xe9, 0x8, 0x8f62, {0x6, 0x9, 0xffffffff, 0x9b, 0x0, 0x8000, 0x0, 0x400, 0xef0, 0xa000, 0x10, r11, r13, 0x3, 0x3}}, {0x2, 0x9f3, 0x5, 0x4, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x4, 0x1, 0x1, 0x2, 0x100, 0xdde0, {0x3, 0x401, 0x5, 0xef, 0x4, 0xff, 0xf, 0x94, 0x4, 0x6000, 0x4a, r14, r15, 0x40, 0x81}}, {0x0, 0x2, 0x6, 0xf, '\x01\x01\x01\x01\x01\x01'}}, {{0x3, 0x2, 0x3, 0x7b, 0x3, 0x0, {0x4, 0x9, 0x692c, 0x7, 0x3, 0x0, 0x80000000, 0x2, 0x6, 0x6000, 0x0, r17, r18, 0xfffffbff}}, {0x1, 0x100000000, 0x12, 0x0, 'bpf_lsm_path_link\x00'}}, {{0x6, 0x1, 0x80000000, 0x1, 0x9, 0x9, {0x4, 0x400, 0x9, 0x9, 0x4c4, 0xc, 0x8000, 0x0, 0xf, 0xc000, 0x6, r20, r21, 0x99df, 0x2}}, {0x5, 0x8, 0x12, 0x2, 'bpf_lsm_path_link\x00'}}, {{0x5, 0x1, 0x4, 0xffffffff, 0x0, 0x6, {0x3, 0x0, 0x9, 0x2c3d, 0x6, 0x479, 0x6, 0x5, 0x7aa, 0x2000, 0x4a0b, r22, 0x0, 0xffff, 0x8}}, {0x3, 0x9, 0x1, 0x1ff, '$'}}, {{0x5, 0x1, 0x10000, 0xd, 0x1, 0x5, {0x3, 0xa967, 0x3, 0x0, 0x200, 0x8b8, 0x8, 0x1, 0x6, 0x4000, 0x8, 0xee00, 0x0, 0x2, 0x1}}, {0x3, 0x0, 0x12, 0x5, 'bpf_lsm_path_link\x00'}}, {{0x3, 0x3, 0x2, 0x3d5, 0x0, 0x1000, {0x4, 0x5, 0x0, 0x2, 0x7f, 0xd, 0xfffffffa, 0x117, 0x6, 0x2000, 0x3ff, r23, r24, 0xb737, 0xd}}, {0x5, 0xfffffffffffffff8, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}}, {{0x5, 0x3, 0x8, 0xd, 0x8000, 0x7ff, {0x1, 0x5, 0x4, 0xfffffffffffffffd, 0x0, 0xd, 0x7, 0x4, 0xef, 0x8000, 0x7, r25, r26, 0x8, 0x3}}, {0x2, 0x1, 0x0, 0x7}}]}, &(0x7f0000005700)={0xa0, 0x0, 0x73f5b767, {{0x5, 0x2, 0x5, 0x8001, 0x4c3, 0x2, {0x5, 0x7, 0x800, 0x5, 0xa, 0x1000, 0x7f, 0x9, 0x6, 0x1000, 0x0, r27, 0xffffffffffffffff, 0x8, 0x18}}, {0x0, 0xb}}}, &(0x7f00000057c0)={0x20, 0xfffffffffffffff5, 0x100000001, {0x1, 0x0, 0x9, 0x40000000}}, &(0x7f0000005b00)={0x130, 0x0, 0xffffffffffffff98, {0x2, 0xa, 0x0, '\x00', {0x200, 0x9, 0x400, 0x200, r28, r29, 0x8000, '\x00', 0x3, 0x9, 0x5, 0x6, {0xefac, 0x9}, {0x8, 0x7f}, {0x635, 0x5}, {0xf, 0x9}, 0x8001, 0xb, 0xd, 0x4dc9}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000005d00), r4) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r30 = syz_io_uring_setup(0x2407, &(0x7f0000005d40)={0x0, 0xf86d, 0x4, 0x0, 0x11b}, &(0x7f0000005dc0)=0x0, &(0x7f0000005e00), &(0x7f0000005e40)) r32 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x1000009, 0x8000, 0xffffffffffffffff, 0x0) r33 = syz_io_uring_complete(r31, r32) syz_io_uring_setup(0x29b9, &(0x7f0000005e80)={0x0, 0x64a3, 0x2006, 0x1, 0x3e2, 0x0, r30}, &(0x7f0000005f00)=0x0, &(0x7f0000005f40), &(0x7f0000005f80)=0x0) syz_io_uring_modify_offsets$flags(r34, r32, 0x38, 0x0) syz_io_uring_setup(0x48a, &(0x7f0000005fc0)={0x0, 0x1e2b, 0x800, 0x1, 0x2ab}, &(0x7f0000006040)=0x0, &(0x7f0000006080)=0x0, &(0x7f00000060c0)) syz_io_uring_submit(r36, r37, r35, &(0x7f0000006140)=@IORING_OP_ACCEPT={0xd, 0x24, 0x0, r33, &(0x7f0000006100), 0x0, 0x0, 0x81000, 0x1}) syz_kfuzztest_run(&(0x7f0000006180)='$', &(0x7f00000061c0)="a0bdfd577d9b7197f566393b228cca01c4385baa7bb418fa8f4f4d373fe58fb157b45a06ce1aa0aab1292a2a289ec83463278644d9a5c3b2419acc6bf9ff6dedd36c7c838e89a72a34ade91f58e37d884bf0cbc40df6eb8ad546eab730f20beba1d21deda9c9e181c8d866bff996c8563886c1e04f002fcc9415cbc094ac5b1a442980b176bff5d75d345e0a9aed8990a646d0c92e001a91a339a2304c26c5c0", 0xa0, &(0x7f0000006280)="3c31d6b003151438b96612be04a2bed8bea9be0bbaabbf63c2834fd7d23a61dfcc500a8f27028ff650839bf58b0558fcbd8f622167ed30faf626053a0298c9938199a79a9645e045d4381e8ecbe1f25d1e8141a6866bebeb104d7d1eaf9eb5830ddd952c26edc01118ee54afc9219c8ee67ac984b3bf34f659db3e896f8524bde94c7e22e6b01ad57f9edda0c017242686d911c5e75e0d60ac4508fb853e549065cd83eaf67aef8a89f5669d036ed9c63f09c5a94da9edaaf0582d73f29ec44592cbf969879b5f5eca1ec27b9ff3e426861ae8123c57cc9dde5713d5a37d552a83059ff0f0b4fa2f0ab66e426dd572415f1156e38f02b9d849c7bb9f8cfb6337bb5494addf226efad9d61dd3b407de131e140b4b8a2039aa09ac8a117bafb62261b6a07a06a04f68c5b3fda4ab7234ec1d890b9053282e252f2f475e7c8b0710834a30907ed1a79e0738ec3dbea0b36e78c835772d267b51969e3600d7af1d5d12ac96c0d16e9037e49c97c6b8ea8c00015aeb2c44070eac5c125ea5113227e242ad3c50c58d00f1d80809f62c64cb6898d0570fb51c5da14ccc27fb3804a24338ec5fcea02235dc77d304cbacd3ecb03a662d23e1c7ba46adb595075a01c65661b1a1ba0f86e50f36bb59f1ab4e483ffaaac688b8d4d29e445acf1930f9f9b34127c59a3b6682f53ba78b76fc2ac22ed046b7e08abc20f42f78a341afe95800ca073c8b90782112bcc64f078f58bf702da6de6af3c9da9fede5c1bfa5d1f488dd0095d324f0e03240d103c3973d8f05229182358fd160e41520cd42cd2c24abac126068c5b132c913b8c0eda44d5435119ddcd3ca2102f4c4cdf99c67ef97ef9f4f79398d415f35b7a95d3aa29588dc07d0b8516b91d153bb33736a011ac958500cea122ed4fe5e2ff807eaab692fe471a4cfa33ef687f718de420c8ef6f84c02406bee55966231da6b5bf3dd2a61c0c47a92e6398c0d452af5f1b46a6157f98ed0935411a2d9d33401655e28f68facd02b365479447c3eeb7545c977d00c328c78ccac39d2aa523d21fa90305420808c53edacf949c72f3a43a210b450bb27fc5330ad5b7a46aae99515a7b088af980a90b089357d23126aea3942a5539e513c261065055327a4bdaf6161b289f87ba2c513d22bf08dbe8953a6a740ec68130ac28173ea8a016b9a84633a17406d83bc02f6f06b7e8a7b90ce574de90884108aa54abbf6391cdbcae2a0aea44503b504aa9a0359c6eb68e242bad9e959b7ea93a74bbef1bafa9607b8d81edd3507e6e15b9d3e3a5df92d8e77568475b279b22fa1354e75e5948f2f051b01ad4164711537b79815d0e7f9d0106c32a2fb88746d5a3b6454cac3f1e1c1bcaa9ef662595479fcd75b204e35e593a776914fd9d25a0d7cfbe17a355547f56b712e4238a402e48881c99774f71f651c3394d398596dec218dce2e253e023f0f4fe4a001f58e2977127516c0f35f7e9c70a877de114aab4bbf0f1a8d5acec4dce590ee9398fc02afc83ad8f26bff8dc9915aac3d3aa267604e38ade6c96615caa3d1021b3859c1a20c2f0a7f30e33ec512247041388af88e86698c904642dfd6e6a5a878b1b668103e85d0d809c18ca2457f99cee0b69a7ebef439f82c3ae5055216795fd97b16dddb8f529e10b7d4faa64a01e1b3f942c462f06d260ce64f65fbd2cae88a4f0b75006f77da595c29a282f0443104c08e7144da74069fa22e4b0fc72bd78f4425aba6f5261d7e25552bbdc4674fb3653f8c2bac5a7e7e2ded7d52e0c0344b7629b0baf268714d338901fa68268f3be46ed2dd172bc84f627a58f95ef5945dd3ffd25b1adc744f33f3f37ab13b9a8fc5227d88b54ee9f5f5c4dcc5673823af3d80ffc5048c5978d0138e53b59d202011c8afe89be42b2f8dfa1dfae67b2dc98e9014599800dc200c09267ff48c2a178c8a6ffe8676b468c5f9e5769ad4094bc93b82c3048c9ffb317b227c3a43fab5d8c6ce1591ac7596b922ed54cf781470a5c96ca9af82f8827fe08c453f7e8c699bfd89c76591be39941b0f12e7b8849eb6ef322fe17ae8b6db3d9c4e0357da73309ac66c3a8c53a43cfcd746c8f3f936ae5b92ca0ac6dce8e15d0735687e166a3790e39d61efbd2437fe7308f3cb4e300f037dc688a5880df58472f305597263edac7726a086f8a1534e8aae3ccd98a4729c07e8aeff24995fceadfbf4e66901b80e632625ddcd5611ef9e91701394ee09c2fad9a80384ce899d3b6e14400a7ebcb97ce03f39e1a06d3c85bc96ee412304994a797f0fdb4b94a92db2cd7fd49ab6af1de388bd3ede5f1b580a1ff582b840039ce414476914e762698eed79e553f614fb92dd92e76dbf0d61b26acddcf6b7878f08ee8418742482b448000cb3b7d80618a556954b5e974a845e485ab6e62b3e09b8d2e5c1a177592d338328f10f9644769cbc72c12a96b12441f77c0891db41d84b3c13961431de4257df96d3b0d02c19870403f216cee6af1daec7589280146b73f000ff74f932a4be09d47f4773d3666d33aeb16e5c5b8044beeee4c26e62ade79d7adf54cbf5d17af26dd15833e4e0e15cb49ec7c8abdd7426cb75ae2664b5594d435cf2ab3cad63f9c0c6fa2d95eda6332782b2bc06f01b2e498c81a76d736e49b18714296f36eee325292691d77761a5485f3dc6eca28ba861dca79a880b37bffd0d72d253950946ba8548dbbe8b5233fd3d5fd9c428d1c7112923d3f6d9ff1e370ab7814e60164f8aededbe676f2aed19b3a56e427c9bc42dd64147ed60b0a533b65767bdc978eb737243709a3d902e874d879b5dcfc8078c73ba4b19087b285b6df2a6b82e5e85f131e158aa576af8b2a94f371f3211d0f40779793dd6c909fd8572f75a2cef9c3b31f48f09dcd104ae3a939008458b778e723537a60247e71c658dacf9a9849b9961155d35cee773f01f1b51a33b9a6deca480b4c5aeeba7389d7f24cfe046f33d36ac3e0a0116490a6893f01f45a02f47f0d5fdab5c764bbb3478372efaf575a0ad792e1e9413f44253da63b41d72bb7bc99cc298bf2560cae2be0c73e79772126394b6feaf31158d531e6271e4061ddaa88f0bd5983355b7ccc6fc14323c12d18fe6dc50d71939ffd778f4060af60591adf28708e0ef3ac865484f9cf4491a98c88df165d0e96ee4111573c0c8e86d6e2bb3460d7f51d7989c35ea05ebbd42ede06acf46abe60d10c92dff086b982c61e8e968e8b345ef1126ced1ec68331e83abe07f91e22d5e545b1dbc7bb9754a53215d3398c2aeb6c64fb1edbd3cc8b4689e0979ad42beb9a847fc3ed03aa001a42b3d5636810bfb0a0550f993fa1a31419c74adcd4cb3ee9a4f6b65d4ed8f0e4bcfb7c1aa7ef117487f62c595dd4f75ae8f64a964188f25fd2a91d3b773b8e459631bdcdb05318ed4961ed0352f10e08dd4fc80a37a1bdafe91aa6aeae70e63e7c089f86b57fc757280fe5b0fd4dec6e4d5d625f97bcb5ad86a89cdec3060869e53365350be21cbc01401e72af4ee1b2eb83fc9fe6a853799062b35f2289cabf7406216fc9d90e67b57e46909c90ea2f3b70772d15fb34f15f775f912d6b3ce6b10b360a945c91d18c84a7b601ebb231a4fa751d812a05fa2b795104e872c61f5c5f3cde042886015abc3db85f4a5e8bc9691f87029f135044deb0fbd8644552723e92282286b1a279bedb56c2fc092328583e7aea07abda5593c702ca4cb0e39ba16b2839756b0740c46c692c389ca40405fc19d7b839f51dc0f6b0b2155dee7e4c60aacabffac8a8ad68a7d3c0e52456fc051abc37922adf0e7c10bcf9dfd850d88c22f8e2154777eb57a4a30db4b9994ff94fa82a007dd05711da0af0426b7bad381816fc7878f51a1b7c8e2a50133178255e864b3631e9b77b5059db069e5ca7ad88924cb4f1a58129e1c899aae0e8bf760c52db31d399ab9554d10e7e94b82c2dc0a05b56b1cdbf48a2b4ee8845d51ed0438c27ec9f490bc518557234dd00cd6b031c74d69c4eb06320498a2c52982b6599ec9b06d722b1f83a36e62131470dc9e78c20089d13937f0fb7ac8313591f22fce68357be3549af620055c217a1cee6b9af48f8be4732b29d960c34eba193aa894b0f6aa0c91c8c27f070ddceb9d73f8834b3249ef03c9cca7d3d5bd7cf15e734c6a65a8f387c9a7c51e3db37d82c6f6d3b6be8328feea7bbc2601de9af9ba560ee27cbba3e2e38967d93f261b5155aa12eb9ae98640cb06fbf024b3b51b6337991194c5b12024592a81c6ff644ff35d5b19f287fa3c6bace4167e3d3ee14a1d52a4fecae1c4c2fd862bec826f988462b8c2a2259d37f5c8292bd6cbbe22a7bb58d5608dd5a5a9e1bb8cd586d894a53dc2598e3fdef678e7467372520510d6d41ab7ffe76ff020f85aa14399068c98b2f62eaf2cc45694284db21155ca1be2aefd2b121681473249c6ae483342e9f29b7597854e432ecffa14dc287670216dc67e3a5332437a837ab006c1b814aee71aea1d110b56d06d4db725f0ca737c95e32174813696da128753ec29fde16514e09cb7858c43e13c36d785b07038016974974e7463dd656e162087353a99b0ab3eed6493f1c8eaa8764cf1a37f667a12f326968bebc595abd62850ce0c977c260fe399bd1f4f88aba29539d30c6f25a19f21d53c9f77e1fe777c8113034bc6a37aac74f97648963e0d2e617786176f2d7ee559c9802b0f5596782e518e8592a3282a1f5defde775d71c3608d089e5ae98da176bcacdb55ab7e85f6dd571c80e95ff8e6071940828e3c81f5505224feed5ee0aa4ce8c67eabe138359b5cd88df7ecb3b3962ef175d25e98af33a5852fed2b5ef4617ade008055523829f98347d19f8ecca3181d49ac881252cceb3aca0786e39b8a8336755311bb1938043a4f1b0da621fe5370ceca0d011b1d5e8fd395e248d23368e0ded75d3c33a72a8c276d046927da59d7098e4776e3d6f054d35940efe40f9f8290ad287e5acd8e1dda73953e58df7bef8f6252aafe0e4bfef5ef727a4842b0a6192f70c0d3ec508e351c7455e059649d615dba9d7d60aefd061db25c28309d582c20a6e66d8792d76d19406a7f4250c0f61550869de107aae9c93d3abfe40f1003d088f28a60f25892b844a794feb7e94602909403341b39679e3b04f7b0e8de037f14686e78bfeba960a62183cfe920bc46d50d0f005a7f7f4850c213406cd49b578dea6d350b392b6cb084ec343f7056e7c6c9c48b2e095a1bec578eb413083d41072a55ebd278d37dfeb493c74fdaca9da1c3cc6e03201dfe1939b8377f9ba21791bc494f6048826f0b7ace207797b0d9ec3964aa184cfaeeec3fbc5a1dd35a833e4d389cea9e3ced435e00ef656ff0de644d6e25410bb2bd940ac08f76550116b53ed4fbefb112d58c2affd58692e35006f670432551f8aab3c2ca4336c90c787d41d2b7f95ea9440b17f019f88701a26c978aedee0de9603fd6f56b08e56bcd3ea055aa7883d0f8acd7f7de3498bba566c2c696cf17f931da1ae3347599e8be7e12a8067fe2dce14ab0fd6df97f1d10ad76dff5902e182746ffea03faf97552bf035f9e86ec23a8736f20031fe3310d1bee7876d36623b80e2641990f951cd56dbda61ca8aef2ba14d35fa8f495977ac3fd7aa810d065315ea8007c8ecd85acd6d65f2946911709b1ccd0e629f56e01b040efefd58f35adcd00dc49ff7717062b24635d2e5f1e9a7db8e3d5786680e396911924d6b5a6c2d1dfe98425dac3019a7d8673609027c064b60814ff45200f18d05c328bc346f41e5f5d68b66569418c3a9d9bd04cbffd13db9d231a405754ef6017c30cccb7e934ef268f9c89352920c765190ac8817f9f98b6715a9847be783cafa0a86d734373f51aa8854ec72c6539ae162504336e87ba7347d2d7f6a25bfc72560485008f3e73e09bc6259fc3f61bfd72cdfe475891c5423ac4f10fc5d95ce567486fb661e232542f1323b4ba00a54e6ace661f685fa324f8835697ac6970f1c2560f4c2ebe0c834887f715ace332763993b9310b52e178ea9c4a145bbae5d7baa9c6d968ccc50d3cbac54cfbec1d76fa2900fce631ba341bba565fdecff0b09167887b0bf10b6cf6deb6a8870eeb7dec9ca932a57764a6385ef07865c467ec89937d8e40f91cee87afa25cb2cb6220bd7b0d32526fec7fd4ff663e557bf0e4b6e8ca3bab3cd035baf775c495a127fc026248bafb4735df8cff8d6799778feca624bd86158960272dc75caffcfd4c389e51ba43ff6d72caa03a699ece23d67dd4681dafe73151feaa10de5073e32eb46bb5adca0ba62e8dd922c8c80c5a8008ec80b75e872f87314b202fbe4d662f065eea19686338da1189c8cfc91b7cc63c1d82c797f98243d79a916b1416be117771a533f197dfbc7a7dc7a407c322c2280668abe1770b3de472e3129dd35f19835da7cc6f4dd7ecc82d20ecd267ea64944a614cb80b0c735444b1d62bcc9b760d58405a438fde50b4608c75306b8588948dbd02db904e77e13406e49c4e3b2491331bab87400dc903187d1da30df2ba51f54cb1ba00534b367e4b176c6a7ade4e12150665b8631fa6ad2077595a27bb4cd3b7080b8cda31b90566c38e0217fd024c374c7eeacb92742772e86cc7cd5a7fc36198af615fcadb8105a4aa2a08c1724d21271ac3c2ce7518ea67323fd3fbf1c0386c97fefbcdbe2a6258f1e9d3c09a13b50136fe1fe5f98be367ee368a15cfafcb5d5ddc58538396d78ffc2e542add6122b6351eb3f58aaa72870e701231677bf6a5c2300abf5740a26668fede2034f504b004733d4d78a963f2d877304481cccd5d2d51802c1cdc50d5a6d30d39cf62b080b418ae316cd89b4983943d8d3863678d89029b61993b58a221139efbc22747ee0e2d71c6627d7f1a3f573413de3af9f51353061a06beddc9198f2a68b57af54997ecba8867f0d4abf53c5a2a70b69b901156c3d0168463c8ff6746a4a7e87de9ae82f0816918f5df295369038795cac58d7707ba1a23c9cf9a3829ed17fad094ea1f4ede9fdbe844fa251bed775a185cd25793f8886d8eaffdd467d0fd5409f268de34da59beb7caf16878c066bfd13b16c05e4712c0e89264eb83c2b420690f5dca4f23f3beff755e1f05d2ff467fd29e6770b19f9b89c3fbf29ec69d1c29c1b1695f97997a086a73c27fe70cb4ac633733fb6e9898d822403ea637a26be636c0662c91b5e4ab19f022994957522a4779375c86ccfd44af5f42a6b4fede96592468be15de60df5f6544d6c6012bd32866196a5638468f1dee9e70b87085066942eb40ce4727aab03003f4bfb216c7ae54a45f0fcc18c7007791b26782b110de1fefa77831a3fa943484f0db3265ea587afcfad2b66ffc922d6577fa36a24151069a410ad297416ddc8cf27be264ab8b943d6a855debf254ae75046a008c607d14367739a6a8e5e80a2490b3a4b45d147e4310eedfc08245cc08667b0d9d0b4f26e252d36e85a8545a3146028616b91971bc952aa4f962aaa067e0771f206e9a956135e5ca8a02bb02cfed9087d589c0c0ac361ec1fcd2fa54478319fbc1b6e3625719f4fa7cffc759ca5476e66ec9431219b9af288c74a748454d77ab790960652c2ce6313e85522072730e30f483598a2f28165681c7475e44640bbb06dbd89ca467e2ff9c3968941ee3f1853ee334bac3175dab98fc51833e3cc32262967cc703d5cbe768614a94b51eebcbea3f99e1bb5140b389451ca8d280b3027954f986ecc35d4f368a3ce962785534309754a50cb548c8b0605afc07f5a8f6d8ad42774fc6d2753296e89109a075209c1c72d4d8068ebe0971e45050c9379c219e0b966fc47906d59fab98360bed11d76398c72d9c6df63854428c841e5dfd57aaa438bf9b35058c3e5dd0bb5457d1387c41f12959bd53583900906a9febe491c8f29ff48690dc78c6c463cc07e9d8ccfdcca4c19f2bb4e20f64b3dc8d0897507d270e613cad6e2802d2c74d174cbd2a4ca7c7d5decb81ba028144be39102b59b634c2e9c7c1915fec3a0add2c71bf686a120b9712007bd8be7aa63b55855d6b75a49ae754cc4156b1ec741d8793154daa10b3238aa2c92b18c18c3a691cc9624464019fd130a193e9ab607f9981ded6a2ba12f043fba3df5378da5a1be9da3b99da3fe6dbfd6f7360915df1c6a8bfbd8602e7d75e92ea3d320e7a43712326317b3c627c503731b99ea669402cfb9d877a190890427ae90367cd100f30428f5228693308376e0437a530cf7fff01c2a8e23ee2a345f820f8e1edd2d52654e332b690776863006638414425201e43a041a54735afe266505fbe93ccc9481487e31b23aef7940eb15c366995f9df141e5069efe4a48be1a7d0d3a239a7c5366d2bc4e209fdbba85584760450324fc1e5b41976e1f90788be645940828df62732754ccc6a248b0c7c7ba01745fbb13cf426af87bd54977d59b6fefa32c294320d1fad0f3ddf09bbe14f7e3834ff4999114dbbce932ab628b269db47efc58a5588b9af3e5e7ad34398dd47e797be4ca027be70549d564386956cc4e4cf9ab4e80a56394d05bda246fa4c87c7c3982f3c0e65ca5cf8b3bd03c177d54779e9f42e74f1800006cbee91b07440512f8964657327a6ce76e851ff1e6592a238c427f5d96feb5a8da875bb2bb6e172f6724a46f000a58a687ef7220ad71d9195ee58bb653f4d3cb7f928e93bef0a56c9d8b659ecea7ce2514b648a46059fc3edb457dc6bc9f4a1ae7fd9916de52ea35e8efe966fe96cb60c63ba0e018f85066fef1e3452aea7b86a6889e4018528bd0d8977cef33042f08d09503fee8cdf53f3d303488c724ebde9fa0105a65b89c547490f515c5ac675e51bab8b75e3d0c3f76d1074f3c7827db85aeb48879ea3e6241b3649bdf2ccbbd5717a4e1c5657ee22ec43a90c9d620a3cf22385dd47593902572eca35b566ed70905f6c72120e14022db5f99f52c9ccfccae45e97aa2236c6126bd20517ac93f049c7917104ec1bab4a723fa00c01e5b451e6c1737ff6ef93fe6ce7b35f71d231ec3b60f85dc45bb6679671776b3c0707b8b628dba87e87d2c1e9f542df5855cdf97412eda3bc1b66fa1b46ab1454afeb88b968c2ec366e42edb519844e07d644f378f9894fd2007884e2e2c92579e41f6f63204742d3aa278e33bf76f7f6dc674dced943bf18f586559efeb20f54f1e72117019c25f5744dd2e72298f561326175dba9d679fdc26c0c807c7c213cd072a0c4010fece820f6462ef6280c3e6476c0e3a9ace1de26741b4269bf0abf36df607df7c9bc6d9de9d42937d0bb241f5fd36f7c3bdb418bfb96893be9e3c4a3cc7a4b40bcf04b43144bc6c7475a215df6b2f296c772f111fb5067f48cb5550a0dc48c5f6fb9eb83d9f8eb9afd10619e3cf7d87b2e3864c68a48e7773decad778fd43336ad802488f3e6a4a4d642c835bbc4bc779fb1f0f770c6f05ee6c2df5e21bb8b25862df4eca4cb5f8e6d52e2ca983c88d8cd548f6e336ae38e8970a8957fbaaea4b06ac1c973c3cad3e26eb0e26216926df865d368997f4998fec334add690370ac94e16e2cd3dae8ae92ff1a53c4cac5e073ce8e328a4ae53eb8d9710b23b06488e041c5b506ba3ef65e9d848332dafc59195f35710147a81a4cfc4a9cc00a4e42ed49eecb0ebe9369902fa4c4030a06c83a8106170ed1cb5aa1f780e1961d815d7c4a189d40ae8e696b059aabf7805c1238db442b024bfb98ec9d8dab7e2fa7a356b58162c319a25e758702b7c8813a9b5c7a70e701ca2f7375f1b9d905f7cb5c38771661db8131d2ca4da1e08ef41a548bb9426b5a9df43f6a00fc4ff9f225322c1e7b609dc99f5759256d0a8e84dfc2973489f37170a009b6e37971c7efefb57c444236d9f5196eefb43da82ba1aa70175c678300934423f1f75b79b193e6d1676eca62982758b78571901a74aa325ad866a7cdce8835a9f3ddedd2ef6b56f4a3daa2bd1debe33a2f363dc042b349097610595df334d6d15dfcdf7b8964df708643f1ae644d3f1789aac2cf69bdae8a447c925414fea9c45eef3e26e57323c92791d5d335710b4ab0b51da83f40aae8ed4870e9655876508d280cc4b837915ae0caeaa88df1ae8c6cd2d4f9a9a8ca75c1491cc316f9a5a2fa68f508bf980dc65236491e3995472b25c7f7a70ffdbb89104136cfca7f4fc01f147a698542ffd9694fea9717c70269d18fd0577f236eac614d2e20771d026aacb9d63943548bcb515f6219722b10811fd0c748ef5fa2c33bb8acf6c55178f839c72d3aeb5f0c72726fdb95ed5ad0a840754307b5791de1e066e5c6c1ae15c4e57b63abc32702952a1720f473b77f0ac82087719b7ce82c3daacde95b46d47a44a89e296b3cfe5fb592a7858aa0730dbc5c1300e4b04465cdccdd89a2fddd2b4ad4882bd2ea5a337ba299762f0d9d3cb3793302f1ab639797a5d4602e2abfc41431b04158a3d99b2ab30d8793944ec4ee01bb3f9fb490aaaa164bebf0361bfb88b76fa4f3e7fbb7bfa0042b81ba6335c29f2d0802c6604857684d47fff4ffe922b6a98dc4915b37d338de877e48d8aad5b9b071e9e16538a4ad6afcd3136fff076f2b5e8726c6b561f2aff14a296b77f1bf619eca7defe845d24673e3919e8682c9a9cd40babbeb4a521a8877f7243335dba7bc2ef5a3983bc4db3633e18a4ab93cc53d09eabb39f06bd7839060f56efa4285e22092f999c9b41a926523c125ee41925f618b3264708fd1a7de74a5c42e7240b9db15ad15ac1d15b828cec474f517c5c494cb91abd4882f75b0fbb552acdaeefcd60535229a1370680e54a7911aa14c226e489007723a62f24c1164defa51f1f2f4a1ad5fbb8410f0bc7a759cb1bd8d44a47f2516feabb4a0393f4d95a64b76d9529272303451f4191a2b7ec214f0c6027b369f87da3d4b82c8fb4fb0ae305ed8de6f7a4870441243dfe49965d2d27e68a98b4c45f38f55e8fe819fccc1ec58c4f7519c87fe8eb5b6faefcc65d0e6b81136c844421e8ef070193accc45e7a70b9cb0c33cc2c7121e4f7c7c74347a0453cff1ecf1cd8265bf2fd364b6bda8994345068972c772e9c5e90a2cba218d08bd946bc6e5af93bdd9cbd75b4d106b58a81bf144e7e2d2d7696f9476cef8b5bad3c08d7881f7577b30303097704ea382f8b4da2bd8202ba5ef113d6c0aade0076b213d89a6f49cb17f42f7d5f7fc1a222e79f5664dda24023ce39108ba987988b6d2fe2f162f26319aba13f7831e8d4ce6204e8e4e2d3dc35679e065a986a2e6759b3bcd5fdd2ddc82326b768323b57f3b7bddede273dbe9d69bd88bf63e25e81b77cb80aa50b8ddbb5e81eb987679e121e1d3a25f65c3f7b462f0a7d188421814cbce3195c37f2aa47615e258f050deebad7a700abaa6bd6e0651923ef7af808454b263417050af8903dd0729cfd08222f1e545773ca33132f065d2552caf5d82b5b272df91f172fd6780c1abd517a7f46572694a42d3fbfc12e5c0c37aaa082cb3c6aff88c047a5fe8e1d8a92bb3307cc21bc6fc3e440ade6e49d542041af75397608dcbdedea4dff521935bafd53f2a7550d726423545d7d17e0a34db154019462c1cae55d83e7f232eed4ba2bd8425682dcf89d70181b326a65a47d49bea9533d9684b97b0351f66353590763591b4d5ef8ef70014335d677de4872d3877a61f05de65061a0a0d97b1267b9c5e45176592a17b6291c8e98305dbb7b44f4e2b69d4251249210dfa4757ca013540b0ae3ef3f134dae3c1bb462e0204a8fcb1069f1673eead8e5feafdbb4c9c22fc9d0e6a4c56eb46b174ed884c736557f7b60cbba6a9a4b03102c11b09629f74f13cadf7ce7bf2c77d4de2ab63461fba4199ba61eab68b3331dafd8fbfb105ab21b6a5dd770372c09e23cadb64560c242f06006eaf0d937ea3043ab2d30092eb9d5e3d5a20d2553ec7a38de922dcb5e8b893d3953b3586baff0f11af2dcb1aa034be5b0a8b14ff802c41ad149afce5015d9045b3e1afc7e15231b2e4be17a9eb57949e6f5eb189773d9f465cd23fe2707ea0b2f15f968293b29475543d74e0a25067f19b8652b9890856ee9fa06cbef42415181695a8d0a1932b82fc7a88fa4500356e7af723534f0d7787daad0051a31cb54be90b52cf61b765f426bcb126b928382de48cf9e7c99765fac289b18ac20a1815daebf7a6a3236dd26f74e4eadf391898e05e050f68a7e564b2c2daeae18d06077c28633e72f121c3f88dbc3670992d4735d1f47131f09fe14e21fea8b52ba60b5740b873c3702826a7e38e25dca652f8e5b4274936b0d6f49f84282c42491f13f0cc006347b0c40a0eaacdb2cd8facf845fe86785ab6fb22f770f045c5a8617221ba84a003fa8b2a8fec44289932d9536179dded0cec31a0fbb9011bc4e2aa2bfefd298f681b1c9568f02eefb8afa91503c985d8b8d98966f45f7250f6e269ae1eb835a791c8877a1d8ceb0e7b794a7d45e51f80d22347522956c25c962f956847e243ba03842cddbd103d778735d08a3b770353e49514cc710a44de5e31cf5832c3f1ff01d4a5fcace8054de807227da77b665a386b0cf0d74a2c99392d65826c05704f3076a22dbc7dc4102a923b45fb6e5d3e2133ad68f1fa91653322a0cc5ea8bfa2ff90db9d9c9abe21a5523a1057ad2bfe25375db1721b48e61d93b30d9e8f59d77a3871f1fd02249c1e7ef717e16bbec7e194926f6e55ca88f3674a0de2fc8ab9a935b38ae1a8769c677b4d3ee9242c443f26c4678fe5f969589f3248036e0c5b901026e373fb4cecb92220044bd05267570ba905b745a517a74b833e51384f40d7c7ea3993bf791285b53d733932b7b5d4d2759c141a72ed6b0cbefd5ef4ad00d303d52c104000adb42acd04c6f96cbaf7a3cb88affdf2aef627e8c2e9d1fa9605780b690ae6ebe62fc6236bde847c7b0757c3449d18a7fa72fe1f3813504c08ee64ed086b604571996e9cdf798f59c05ca7fe7cdbbdce682cdfde25514d3ebef68728d325a2204b8e6b4f845957908939648b9d274e24802cbd6714fb4f54cf22920acc265705281f352b946ca49ec17f609d24b4d8ec05292586733f45a930b903578afd2b8b3a2120ae80dfd76dbbaa491601ace0512bc80d86a47fa297efb5684d6c4a1d0bd60faa9818fc2ab7430b6604c6689c288e36d93510d04c3499181b16b7b085f772a75444c93dd7b1a9f6d2e9e1a984053fbae7275e2dbed3bab060fc058958420b1f45601f773be1b9ec04a4d1e6125cc4905e55cb02f089d4d513393478ddecab5e9f3deb8b6fa9b36f8edeffc87c37e2c898744123132c0d438fd1e0d089272373bd7b651e32d11e2b35b7175f2dbddba02ed7e4c2bd4a5c458884bb8c1834559efd6a199d54a022530b5399de69817f7d5dc381484b56915ede6137862c9b0d884e3b0f9062a98d3a2e83e21752f03f5684b89899dcf3ce38218d5aa179e81798656a81e29c84cb64676b49858f91bf5cc1ed0d299e796c4c85e7b39c6b01f77e021ede52aaa1bd271219bf879304286ac3b836a75501327c7d5802c88c39470d2df0177c8f13162dab8b850c7a0eebdaf16126c5c7915adfaa5dcb8a1f206dba082511835a0312e175c78cea82c19aab518e638e849772ca13e717cd32fe15e6b062a19c5457e0e07e19f0791ef493f7e1dd8e24dbb0817b5ac872be428ebc98060bae73dac900e0b92be6fa4376932f32bbda59cb33a4220062c7575fda71056d339ddd2e774200101134b87fc72b7d86c053eb97eaa59b5e745d80ca50b045a0c8a206c4c65ee82122ff502d260e0ba8864e5fdd6a98f12836ee425cc389aef2633228f39d4f76369d69176fe115f7768abbce205b7b528c3a90eca5da1f2aac464665b928b2d1d8230e02c1eb2db4e5171a2ea77ac34f32df40178dbc235e955724da451780921aa10cdab492636c93a1305d26c0cd19853689b098b52f0b887241fe32833ca4f6ab0aabdb4be87a41aca4b31a4ab87b2ee112a9f659d14543698b8d45c8a2d8ced94fb4f5c134ee1cc133edd1ee70fcf636c97670919be73baa1b66d585a754643b71f6c48148a3bf65396c47957961ddbeb43f3d4f95d98f5132153b8520a8c6d148d9b4236acf5b39358e67034d5639448a12a42b25caba714cc3954b5a347a5e3ddab7ad1949bae1ebb632d20aedba02f38878509acb870da58131fc95cda93f951b003763b885d726ef7250e2d8fbf22a814cc58013618f28106f43af86a62619fa6e24587dee2d8f91bb4a8691330faa3b9dce747cf0f4a87dd735b4f1d214f79208cc12a7162ef101ce144fa220744286c3cc2ac8d61583cde2f2253484cfbb18425712f1f8969bdf779fcfc28ca94775add2c9eb9920ff4f55d872cb95ee69a6ae1ec394fd7910e08f77441f31d0a1dbed3ccf62df333dc301e71b1b877c4343845c6b8d496270e2f7306451b130c69116313c51c9d0e8946f5977ee2969a93701d7fae768f3dfb6adad4f3390de9f7bd8ca091b32fdd68ae647e3cc6f2abea807382206a84996287316c6b4fcec1c7f6873451f546855c67f33b3c318a1fc37fe0c80cc86616670b4d51e96307197f5f6713dd1eb23b55466b450f3e92faaaa49774206d3b57bbffa14df0efb04a6e34a1f6af845903354571933a8b43260d762abda1c033e5485e76f27dd28c1575355927b050b4856e49e1d8a8640898bb168d8c3a05392e4a4285d44b26f15bb60f36182be383ffb54082a71a8e59aab0861db87af02b34ea6c91927a4abd506f662d17c59ec215456f8100a5ec13eab566e50a863030f916383cf00a151102ddbf8b468f4008a60a26634d55afdbcdca2ddffab7efd6e8403de28d5a6cf3c139f90d21c3d51f380257e4f861e0cdf93943d0db926dc65eba8785643da0238a02f39a31f5eb1c3af6bad1a6a2af06ee2e001b11704858ed59c5bf8949182cde0398694e6101eb977a1f6d47de568784a4b186041980b21b11c58b40a893873424fd56e41fd781f79100b5549596c38de5e90646824da314666266107eeaaa8bad928fc776229a8bf85817d3dd01dbedc578bb94a00dc3137c93480f585786b0bd777e8eb25307ba253e8d8e4ebd8880f2a854bde70ecc8d0b79f8ebca5b790d649d7d55777a4ab3126dc7e0bfab9a2670fc374799387dd22226a48b22ad303c46e2298197f7887dc7355a90485700c296f330ba6618a9b6ad84236f6610444318975a7eb459efdbed9db51f36a9538e2c1be53671ab762d4109dc36fb7eeaebb80d10c6f98591a29ec8f9472cb56467b258ba53168c021a6a79c126c1c5bb600f9123d02e0d56d2345f6d2e7befb2b05e111807b4e03fe70244e45070dc407f32315227b7396e2ab97633b8079b4f61c4987f775e9460e47ec26d109464589b847d1d684bd8d30f7c699da25208fa6dfb9e6a9c9fdc38f19745aa0136e41b5b3d2c9c98b362492869e7e8573dfb42315544fbaeebfdaab3b9d68c7e6dff07f6c5a49f0432401201c27d1d23670d7186838f5b2f15bb6f9301896035c34bc10f6bda13e7a85dcdec1c140f4cef3b35eb52c46e5386d125c2c04d19a5b739a2c6d1cd0b5c9dfa085f07202b4dedcfcb04d9265fc56edf9eda488f303f59f3f9b2f45933aad543c0cb8cc21a72230f59a0429d17a6f73a7ea7eacbc9035c3db832174daf39931f321c40cdb716d69d83758ddf9bdbb004f5970026ecb78b7fa0ecb95b42ebdcd428423ef74d56314ed579b3031ce4858d9818a23eda71583b2552556eca75526acf679f50790fcf9b4286ab9f9e9db094c63cc53be2e6ba7ed70e0654eccb9e7b73b310f48d8857be68c00cc330a629757d5aede52890fab53f772eac290b766df53bb46f3b1205318ceddfcbfb2151e5548864389d8c0e11892f290356d141a03767eb295d4d37af299688277ec3f56b614a8f641357a475ebe362c14320a68e8b5af14ddb58634fca956f367af25b6a7703c8f01be59966cd2fa2567bd74fa992a148007fefeae41a6aaf3ba0cce34315f2e2314d3d1f533b90827c1ebf9e7fb835ed455c015a6d004f25480805423cc5df90742d1d271ad09c1cd84e4035afd0d334b5361360df0ddd089e91c48752f1695c0b2e48c52c3a9d86d3da167a272026e19b75f726cc92e7ab0fb1d101648529d150773ad57b0b4227cf6fbc9b0766fa9c326a6ec66d3f351f2e6ca1bbde52760805550e64a82daaf16efae7ef879036d121ad303c3a26f40fae2377afe742640e117fcf766dcd016afd3436fa24e4d0e201daff85087f84cd839fe6bd8aa1cead952a942142fa66b314b032364e93db2267bb5152f6a731285e602f1e513235317dcc39476b36804a0e3abd327d6c3980d61382f31aed40bf0d758182af3c942aa836332babf38644c313491aa13f3206f18e3c68553e8e64f0dfa580c4427882f6fb134b0d33e21c30a495ff4a9bcd0fbbb20adce22fb9c27cadbd2fc48a195274f480075a91f2264c496708481e8e3b668d41482ecc8d2aae7ac140e8df0af2aaaed234ef0eba355a4944f03370c5f788775dc858e09921c3ab2fb180ae771178f9f5de6759e890620a4975e420916d455b965d3a11e0be0e53807577903265ab93056b518c7c62da1385e26f4ee1c487213f6ac8f46890f98ae4dbc061ba1cd4f8957e6c0685d9aa5f3e62213db2c33b2d82529a030739f3cad9a7b39971c05af8b606826dd5ed5159e69d039ce6a46c9fd16ad459165c352f8ca296f5d0622e6221947c3a064415deb731ca0727bd87f56dd255327badb39718b48bebbea61a5922a24438a15fa82176241c1f43c65e4f5e5305a2931897230000764e64bd2ba15b61aa11c2004e43ed66b265c219c254df7421c5412dd7092cba2e3b00bf88a39ca483cf5ef9495e1941092ebc505ebbf93f452e24023d5f8b81c613014a14a59e78a8f50d617013d0df9263e33c479c5ad4dc4462772236819c674d7cac8b8e20b287d7a8b48824cdb795ae71ddeba2c9d20e39378c24bb24fa679910424bc1f6ba761b2c3800a625fc32bafdec7733bf02ad9125a4464c0b0cb49735c81839822a8035046634ebaa5147ea6aa37d8b24e03d866d7410c8f9cddf77ab08142c163f37d5b413807c29b18767e7d23d1de72a13f10799e40c8c41d388b4cce82c16b0cccbf5906de5cd5748671e16616bac19498560ffbfd73fd7664140c1829796b99985eca15344657d6cafcf3ad0ae94665eead0df85cfd69c9356907a5005807b77b80a14411023cde95031f23db51bf1d312244fc8feeedd8381a1b34b61f6f663274a64a6d35ed61d8312ccfc1f82809852b77a1f2d339559bbb65820d793b566de6aaeb0994ed9aae588e329dcd64f8f0502472f4965b686a0a12c7cbde7a8d0b86e81c569ab586b3d80a8b9998a5fab0f3cefd33067b69ab9dc66e66d12265c862197ae8fb1ef3d55f48b13ae86cc4c60e312c9b55111f17a40164682f6867ca9f9379796bb690cc14c22395396df33a066adae7547ea133174bccad28c533099daa1e9226ead7f965befea6a7eb0b3c3f5e95b378d70f0ca27691f17722e871f62b259966443645cf5ad5154026b02afd221d0dff6fc733d01edacf24310a0653ee6ae3d0190a3cb14286fbdd7e5adf365bdab69d4afb9a8065c4b6057502a8461cc614f22fafcc747fff299c4fca9064fd197a6d3c51472403e7e47812ca26a62f5ce0c83f60b2bc588bcf05bc57ab7fc41b7dd536d04aba50186c6715a1ede0e5ba5488a7ed542f0ffd875ed2cd704ba9be150fb616b7c77a54e58023344a870acf3a4000a1a8de623f34131ee7acefd53ce302c293ca9f2801944611ea3e5256b37976cf6c063582bc90054f4bfa4361df2bc8123022d0387e4300e0cea5fd87753c4618aa5112dfbf089d529f4564e20fdf43f2334b55e64297c84fee5b83a2ac4f598c55b6b7da4f443f7afb4e493738b536433cb1f5509d967933a30b6c3629dfa817e645b1f4f0b942c5711a7ff22f33a8ed5295887fc44866ea4a1a383c39368b11d16c7be67c7e789a0e58b7421a3a116894c3d88da9799435e8285b79325fd143074e3bd20ed02bdd0077339e8c594a9274c9ba6158e3d7bc37d74cc4d51dbab3ccd469de2b692b8547c332dc74a94161df076f63c61cf7c50541169516f302708f48e4973c4c0e8aa960c228fda374969b5d0d606fb96f6a8bcd57dbdfd0d09d71eb58d1c5cef93f023a63c54a4ad5df397618fd4e9a0b925bd2e260b879e14fc5092c5cd217e8fa90c274faba7cb8b0c347178145902b021b015edfcb0afe36c7929306212b048c16fc8db03e026178a4fab71b427eaca6459ae2c3b1a36cc610507319e6d7046c6daa76461d7d5e4a4bfe917da1187e76cf0fc49e84551d7fe6b75487256b3372278a78cef0b20e9b1d73e20dd7f3a1600c0483dddc807f48ad631eaea3e99f4560e64b788731cf9977d76d15a2320135e354669e825c7254ce250c405d3662329b6d33267a7268b64d4c392e9531df2d2d8de0f9f166d8f02e54876e8c626cc1566a3e3010843054b8b44ccb7cb45ed8b050901e09c5e2d44958b598307576c7160b927259b407a1e82b3c713e2de49a2de21f1e19d3f1c23369861585ad6dd802a67ca075c730f8078d848042533b1d4518cd4435fb7c5a58a2a957b559af12af0bd79bc2cdcd920167ba949b683ceeca6853402ab4d1cd7fda7d74ac47cdf8a188fbc1ef7ab59de8e189f25ce6b8d3126b31eb836495089b5ddd51863e6b1dbb33f1d37dc74851cb3b9e961fedba22ceab2d251d493f6351d44e3151176e9caf553cbb9212c4bbf9a3b4bc451d1c4351cc1d74582f49b6de28cc5ecee5f7724f634695d12a49c5ea57a5d089c421ac4cd4aa6c5d06843922c933b5ac0dcbed86e5cffa3403ce6db406e130e8219755eab1e37190e2c737a3f3865b9ca7925f50e4ee1c775357579e03ba0e7c0731ae9e62cf67901368d376510a68da69b22b5e60be93c75b34d0caa2cc4c327c72731a193c93947837bf41ec25c0cd50dde47d0740cae7a99117b76502191125c43be006e6b66c936a3f7e5a38806394a73e292e2e9d8aff930b4498d7cb0fb7d928ca84e8b33bd0ca7ba6153e5b0a44e149968665ec673b145950b3df23e2b141871f1a12bcde7cfd10e35e42bfc1247ad11f5b5b6b287ec2e45e09f090b0fdbeb4379219ed5ffed9d40c6dbc9a93498a8aeec7133af2b67a94b470a56e774d5bc6811401caebeeaa307c3edfca3bbd374837c5a29a1f6ba1a2ad05d60aa94d6ed8f20ac2ab7bb34c7cd0d3b585198867f83b35296aa25f7b3e0f1109288d9edc75b3b7827179eaa7267daa441844de39cd1cd2894adaf8c9b620af809f99b997e0b93f59affaa04c6224521159af9f3ec8dd58494c17c4ccef738db8a1752b298e340d254a8fca7edb6f6dfe338e87edda4672783f6b7335526abacb76ad482ed520484c47717bc1c774caae5d787c90dccf46245e7b6bc9d1092a9580ae4561266163cb9ae7e3956dfbf90a957d92c4f192f7b5d589ac0eff779ef3dd28fe124539729c8520f94c42bedb7d9dd77df55f3d33540868159bc1b5956018814b1d9cf51fb3969f87bf15f292c12cace26b16fa73e77f92333f756b1ad5feb8f6e005f464eabfe45ecff277fb37272118ea1e2d2ec655be3f6e45208490faa236cbb8c459a9829aeb155966db6fd80d85102bd9fa4d549bc3af927e227bcedc668b86a1c63ee7505f32ec7f53652cad65a71dc6893a8db3c80d00690683f97b47f4297ac1c9d92edffc70e3fae85448078b7a7223299d9de7211dde2a7b7a3bc0358c3d16da0953d347aba47522a5e060738d35dfdc14a3a64c8c694016e0daeaefaaf50bdab9d6b22a0abe2eeb63d18c2ade2da22db24479fb4dd3fe131cba41cda5f778ad2269f4eb8d59b01f5772d03d3b7368102684b40490da96a68c55b1a6c0e326e790d9329042d7f3f16a5d6294b3235b0c1ad2b3e10fc8d1b5a4deee6a8a310d2fc6fc904323d4aeda962232c7ff614fcf123ea7432dfb688ce725e0cc22b0471c255497137ab3dc1f23442dc0b980d7939c39157fcaca0c49e625694c923fdac5384346f32cd05dedb78c13aec24b43605e52f201dff1565e0f7a1b3d99288835b540ff45ddd41e8c9d81e23f305ea42c6c39a91e0b81ec2376f2257d3f31f594a387450e9fc82242c059758e515ec761b5011d89675b2414bc5f77412ccc8e8fd6b4ef0971df7b9ac67f18b3cd033f58f17ea3a29e9776d0608ffa1a5fec53ecbd7cc2546bbad131a2a3a71c141770b819959e4756472426cd9fa1a55e84c0af81a2467b785a88f31e09e58e7607088462fba2049a6d6d74a0b0bf89f616eef5f3fe6721dc09d3663236a2dffc81e7e2b9730b8fbbc2c88b039535770171fdd5f00c8be90109790564651b3f0955054f853aef59c91013f5a06f62cab6d9336e3223f82a725c8c39f6c9907f4606275a576c83bb5f46a55ca5ae6c19a327350345bc22e578db297e7f27653a6bc8eeddf3f4af44656264192fd44d9b03890826c6584f0384e6f1c431fb035156397f4a306637d78cc243f01e26e4fb2f189caeb114340909bbc051c222069507b5061c429fc1f072776274150d74422e8ecd1887d07a14869980ca19671a758d8316f08aa49ee03295364c6c62d9345a2bf2790becdc49ebcb6aca062d122eda3e60d45327efd3e5b97169cd09f9908482e1c25b1526acc2c958d0452cdb9eb69844a13a6cfab5f4da1cef21740348d7742f094bae5e98e86be11ffdd3d271eb6981245aa4111cc398af055a150cdb232f3d9528b7cb3230bd017e53020415ed11e54e40e60508f343123017e4331bb15335ee56e7b0a78f0d213c7fd8766b7bf3f74842ecff50e1e06711a35ff387ebb2e513318a082af84281885e5c94071cdb1da45fdcd819ce9130d8ea9a47969131feb78d765963a8eaaffb7c32d5a7467379fb01a41614fb6019cfcbdd60a0bd90eabc5c41e49fc49104fff6f84ca4a0d2ba395131ee859672bcf6bd3ee559a78317b978cfb23da854d8f6a6e2f02b92228ca77b287644a410e027297e6f3ffb69cd3688423160b2605437e8e6bdc693c3dad240ffb7c5443899b95f40473a8a0a84011efdc1666fc60cbe93c991185f472c489eeaf5b5e00c92aebe9e7831f5ab1902c7a12089764c8cce0f40a482e22bb49f91cabb65a09d31a22e128bfb2cdc07d94da808e112c7aa4566bac4309c9836ef6161766b69579924d1b55077dc78c8e755cdd501595ae6cb76bf9ffdddf0026a4d21e3d13a0b3721f8c0264be0504950c858074a765acb27a27a1a8d9cb88b55231032b8aa4d4655a9e84c78ce7c77beb824898fef25de99f73017cc69ab6ddeb00c86490229ab33d34394502ea9f88191a134736c8737edf1c08f3b9326cd481fb0a73f00ec45f71c8add20432fd03ebcaf327fff6561a24a301376f5018510d54a32a3d814d56a455d29eb5460dc61a3ba133e5ec403b2217ab5d4bda0fb0fa6bcddf3fca51379216cfdec4351c138357b33e1804ad699dcd1cd526f557f6c2ab6740543e8b55ad808d02804c3ed0fb4b7777d2ff96d77ce09b04293717e4146485dfdbc2fb6cbba6a029ba5cca1819dc0fa5fd64b7797f7a4263be15e9d238c66ea999a096041e1839ac22d1b862b211954148f3c8a8a24fcd6145cc69f8937ce61fa8d898ae20cd695cbe1d1a7e23dd3b7c2c5cc8ac62d1f54c76bc5c5baaab8746a70573682f9ebb8037f4ebe9f68b8367e8b84b10990684ab12b4b4e585d69ba03059c6022873956216c91de5abf79144f29afe7c129f1322394bc2ad2e2d2c42ddf19352d80aad0d106e0bde251baeaf735dc14cb639102c9be0f9a2e93913fa9b01abbc0f106d35d57d55a73df58fa8648d49cb95b12988f0ecff93c60abbfd8f1617200174b11c8bb3c8c08af5b16276698209e4196ce64ecdf952d0e6c7dbbb5c8b2cdb716443a4c18729c3e07aecdc3c8ee4a944c8262e2d115406b9375da6b68fa363570d61be6fb6164c5adf060e626d86f8185057ceee1ba17f5dd7ff4b1c0deb89caff703f164a0ed313faf74c137cef19cd006326317c10944b33f211a5ff15c7b7d97314034ad1a8880b9cec55623ac4198e895f381b90cc14c8a718ac3a5a9cab6b42b01759b17b164b4315dd0c3029ca1c6f3daf8e6016bf131bf9d700490aa766a01a00c7ae2f66b61b452beb22c5d9876397c74bf6eeed803ec20e110e80ef7e23073b6902ccfc705ab30e808ad8181426683241d79248698fa738dcbb9443833dbbedf0eb5ec922bbf3d5304bc302bc207ca414d6153e2ffee3b3b0265fb6a8123c5c84138e821aadb80b87bd3476dea01db482718591cfaab73d74110b69138c6b4a40a4abb9f74f6254202d70703c3457166688c1a3ab233499b80b07852ae0a3fdcf16fcf6d5aaeed1f38adc24df28b746fa5e6358f3c6ba37803895c9f6babfe05995fc93e12166d91f6e901a1b9788fdd583980721a54d725970530db5b15b079acdb26156019ae144ecaa6a0cb10f2a0ffd2e5125f42bae8b2d0d9326da8c581db24d522b4f78b273632b0ff3dd5c665c6259a6bd6d10b8941ab17159bf6883b14272725578f71d1eba05159a80d7bc20fee968acb0a48910a90e6d8a2aff8627fdcf338d6c1aa5a4ff5aa765cc898e8b2f088b0c00bd87280856600fcc9e788239e1b3dd935cb500665f7fd343f335ff7d4ca27cb5bf63b796cda1bca42d735bb067154a3437f0f919d224f214796ade16af67b7766579742192219cb7f82fe6f17e8316119cc6939c24647b79bead50a00dc4c2810779fecefc306883fa3e60ce4ede45c003492c298d5df014e7d134505f23e197e7f67c72c59d7bd9f73f1421de670d3007ab095198b355849f76b91a2b8a50912da8dcdeb7a9ea3bc75928d31129586217a89da4fa0df65d0bf868a20d71544ce577d83b1af47307e0a747f4ea6543a9b282f35824400ab8f774147d574b196e253167bb5560585aa8317dac0524abb28db0c93a732adcb7ca7df63eace24f77332afebfa6b1577fcd413cba95ce96513ca8a9fde1edd3a783ea6f611771f2af916db39155dd92da7f6c38cc69ccfd3fc44fee9faed1c824e67f4afe08d094f16d04bc8d5d6562bdf27a463cdfd223bb5ba5c537245e52095c0cf60c2f9e71f9d54cecf352cc86b7c632b0ef2218727a8c9f273335dae076387cbff6601e88fcfd876a279290ea6b5f3875e01a467343ec1813ecf2f1c1c2f06db7d5d5799a41c9cfb600d6c39409826e8db600f1253f731123a8f386c2a172c1a78c3c04e012a9a7d1337ef0c8b63d658e5545fea2bb1604d66845368bfc05c62ad00c0c1a812c0c034655e9f165c09241c6dead5cb45f7a1e022552216774a82eabfd3b28c76118edc6cda9f5590fd8303390d821c839b68e19cf9a9ea3e629b39651432bb709c0b36b7f4b9d3c2b452ce1d37ceaf9bcb017b8b6f06e7a96a06b2225167da1c8d4f8fcfd290cb7ab0e6d1a21863cbf9702040734c321ec3c8d994eb7ebd2e13273ae1b97341af081ee36e7bffd31deaed5a33c73360089edc5bffd91aede31de4425e4d4f27f1df9943d171baa42b0fde6913c5c94b563c62d4f2557d1ccd8cd5039b61e9fb9b9f2d75f3658eb8b27086d6bda75423d42a6e30e8b8ac3823cb961e02fe95c0abcdfe39ff65a81c4f35bd5d15e916f05b09771b5dd8927869aa192879bf5c110833b19e7f947093c122c256d9bf9bb7e90dc89ac6d413f4e8a6d2c48c5bc0f9df8b09d8b3fc5459d30600ebdd7d4c3f70151788a3db4f515073001f1a91e32a27f5b2e1e9e0b94ecee3a0d28e7ab7a0494b03fb2743cfceb102b247b7d290f4b06ac144c6056d0d90b52820f6c17d9e0c735914d09fc710d7fda95c1bac88c42ff3d79382f1d4e3d0f89ec618ff97adbaeeaf14f5e59b2acd34c5277091a06108ff6168229ca8ede9271ccd3d4c6ad17658d349235f7b09bafc5ba63ee91cf42b7de0c6a2ef77b8d187e82876e0470a915c6e8d38ec4dae55073e560be970bf9f38567c230a3fd4e1ecbd0a525fad9d243399fe9f004e38eb27ab5fd63ff7bca64e91d61d023fc7b62a2c57f8a8dc78410f0f2efbd62e15b05e1e236345f9dc500ff5a4fbd6e767eb1ab90c54c5c7ea110ca6819c744b55846d841322cd89d8a3466efddc02c67a03b1c166a46efaa3ea835760e2aaa162608fa3d438ed1acdfd526f206912199b13a8a493690cf4a76bfbedab0399b7fa83a143058dd060d32e0af65c4edd22e49472668bf814567302918e10f8972490546d04d47d0cb96b6f6e407e322cb44bc5983641b2df97870a7205148b7303830a7676ab9d0fdc354b273fa5ec3cc246032b1c9c1a8b1c3ab7f35775b121ada5cbf8c2cae2ea21f612af40dc0937c06a994362721d3e49785d7c9455563df722f2c52f1c58a1879f7cbd766b6f5aa57947ca90bf259f8a4ef90822832b9b1e0d538c2ec7b9e1a378186e8502948a8fe1853634dbcab869ce06be40dd5ca80e0b328238bc0be98573b81045a5e744909a8b41ca9afc39bde4e11a62cbd56f7b2f251cd93a26008003d69c22d6f5523e638523e57d93d3a403dac5ed36f57d060142e56d31ee2a06d43374d3a1a858f38a01848d2182da0fd1e846939a389d2f73589492801cdb3e7d68b57378f0b2e6f273f43f924f35ad03b6736a68c202fa664e78e0ed1343d347f2ccb7cc19f880943833976d6d1baee9a9a53c1045b34d9a44ad883849a24f4c2e8f87d96686047d9e6abfdbc97a97dce5c2c435c2a5628d9f5f6ad204bd9f5278bfe4b6f2fe2be04a0f936c69c272fef750079acaea645f75a371cfa94194b5cbd9cfc472a353ef953cb5a5a700eb34d486fcbdefe238e4e8c48c3fc53a7709065c3b63e89b7ceff7ef8c8b1bb987aaa7510ee5a6357c7cc137a1a1d9f4f6633372f180ce1536325a5174d1e30279c112e5ca1ead2368eec1a34649c28daff413d069e90cdce4f11bfbf1c1f6b51517e0d9f66f15f3ae78f88597b0ee0cb2b21757436f9dfe18332419fb37ef177f2901bf1655229114468217c9777f6902aa562693d47bdb9d0d0ef30b4af908ea3f43df77bb66d0f204357c38243dceeedcf49f028aed6798e10daa38804c9f1552debc9f80708b1659eba23e3de883e5074a2640f66277f02826d5a01cb29b45aac47ed3702af6813556c0bb317c46f8be2537f5f3d78c31688b923f8b5ac67c4ba9234f80e520491fe85706978fc9f7fee4146305f5af4cd2284b37a97e0fb3d5859bb291a1dfbe6fb5270ce52ca35804681dbc7e3f4bafc44651f6c6416443ef6c55f51d1bec228abe89192db2877a912f98e85fa83c05ed25f57f10012c5bb6b354aec5911ae8177454b8fdaa7c29cd28267fdeb4a68d3ab9c31f94eaacf193cd7a2318de182e3e4ffd5421376f1a55c523960ba860f5996a68945d4b246ddd6f435c885182dde0f37b24f97400dc1eb3178120135a5bf388c29ebbff4d9fd723873a3a281ddaf0769f2b555c8b1d7e0852359032567e894e2a358e7395869c7bb58f02f95ddd3fa006c2b45f86e337767c4aec68aa8aba68ee2d284c2a2fa16361473aa72426761513ca882ea912aadb30fcb506ea9de889a832d01226a5dcc0a84a26ab573cec31921d3b671e612b956a51a490cdc0087e489375a89fa24f546fb88669a4ab2567b721a008d51a0ec93b1a68c06edcb7c7742ec02d9ebc4f182c55d841e121eeb2b134444b79356213eeb896610e09df0600dfd4b63227d01f370c261330234f715a64f989e0102406befaf12d154b8990c3ce3724b1302d3b9042442f104fb63db0b157eafa1981add92c68653673f9dce53c1baf8918bcf8aa869713c2d2537920738cc8b1ffb72e66f6d7384150fe0a72d61b6cdbb41e3d1ea85722479d00a017a1b4f7763fdcc30f890ade976bec32ab50bcbc4ac52617ee37b1bd5bafbf37a1136bf63b07234165ec35a13f0533214d94172744fcf0677ab06d401c44898ac7e61a54f82ef002009eac9e9c7f62c1d2afd0d7acc826aa69da7b9a120217c8397a0fbba15ec7874a638f139b0c36b7a6437b668421c43218bc00880a8dc40ece0cbd8a259ca0637c324b878eb34939ea5bb354ff4fbafdc57f59761f7dbe0713e60c770e368feedbb64b71c3f469a16821a65dccd07d79fbdc15de50a00a12a9f181be9f4360c523efea8134fe74abbcc1b28346b1ccd55c9fbe824d4de84d94e2e798d95640e377883b3da1fc8b1698b55d39b945cd31517fd5f0677fa0fc5e940e8a86317a42d42950b817e107683474ecd96553ae201f98db8cbb775e6857a5c4bc9868793d980e4a0b184f3882d55d12b895132aab7ca015527c307cd34ca3f0a344c204429c0be3c4bfa692b3bf5659afdb94a9a69103980a7bdb206983860f57bbe43fa2f456432625cc6b05f662c73aea43c229ce840ab33a112149822f7125782ffcf42ecec2eb26f2166d419e1ee42f015c48ada2dda2c47ae5dc5726c3d1b52be5244f6a10263627fc079a888eac195e8affa6621ff01ce85b21c208297b78db9ab894649d83ba07677e40691e207bee5c8c1afc31cca222b126e0010c2cb8a8c4bb8df301cc8c2d53e92d68991abfaa7678ef9e9c6b60f16ee67b913e3e49dd4b8c2b43adeb3cf01064ca96b8bfbbb36c0a8418596107cd1eb8198c5fe7f2e601884d88fd1100b45343a572554ed5556123c42f220ddd6bc858f66125c3b84d4290a153d956a37b3beeaa680fcc58630023eaf42d2b62bf47aa55744dcfeeb857b82f9ce12f75680eccb940425a1de2fb2dd9a5139fd5e4030d18615802410e84281603264ab96e336fdd9a56b521699677a59c0fdf2faf7dde535bf3161220045de75a407922273cb78c27fe7099dcd54effca0522294ef03681aa43300ae1e5d4623676bbfc53a002653d6eae9d3c0db37594eda7117f16358afef343bc1b51d8bf6683bf7fec5c9c8193550c7c72a6893be769204a4b3466cf3adfa8504f98522e3b0f5f5fca92d60821ef0a0fc65747684021fd8b4602b9554c5457031c7990fa6f998e607c78db79cc0fa598bfbc5e280b0a4b5ee802e7258c0a2ea41638d9acff6dc40a6982610d539bde09857e940f774440d644779982b8f296fdd2a6d44c3bad450c6a277b1f414db3239dd877510a289da6d3d065727efcdac3961f943c24b02bee0e67d86a2b19ee166bb901c82c56a37b36428012ce3d9b7726ab33828960ce85c2633c34ac0bceabbcc695617f64bc554390bf3d9c7fb954d97fcaa442f02aee9554e69948e42e73cd0bb4596ceab1cd1e9d2231d663e6de9a303b813780139a28ec57d4a9e223451964ff7a9c09483a65c9b3c245640b376197f5f44b0ea0484752cfef5ee6f906db4e3fb54d2b2c47bbec54de329d67e5a97febab05c4dc05f2c54323746cd0465fa9938c2b3c3cb111a259dc86f9c74d5d7a4a5129d79779b2d1304fbfa6cad81b8e2777486bceb5784ffdf34c91e4bb5411a9d7bc628030e7a842303b78ae496add2beda69db5132b2241087e29409a242625ff4f1c2952f91675d7c7ccd23024bae4c45f328e96b7665d3a90efd13b59fb5b55a183f91eb624ece8229a95ff78499628b0b4c28dcc6db8b1827cfa860375f63143aed924630f4a007ff69c9b5006596fb7e1c60ff2a26c47f14b253df8f522b780b7a320008d7bbd888c84507511d6d89116afc3170740b3c8bff54449774c5abb162b6f761c56dbc0b5fee80daf96bff96d37ee387dd379328ef1dbecb0b0752b092780e7bd51924de13aa4f25df48098acd55b1b28504117b829eb983768fa10ebbb290dad24ec3292753af4e7b532ba4922e2ae19a16a2f67f719716dbc6387a7cb98474e581ee256a1ab139c79eaf9baeec733a0fd8f84937bcac2fad79b8634fd318c079b0e1723c2ff56834e310a9b7a1154e13c02e2f671e868fd67e431233cf7181874b1d56ef857baed0bd399e1593d9550a7a4dbb89867a64c96d2d5f6c12cb5488cf9ff369f985f7ac6015ae055adf5c881c8fc5aba32bbe4437e20e3d0d477cb0d9861e06290f7f9bd4e0d2332d96280a049fa2404abfba8945f385f9c7226543bedbe966bb20bdfd8ccbe786b6f003659f25a7a0ad767d754d9b0245bcc421e171c5e6101bee7a0091d60ddd6451d0aef28f533bfd4d42edf2c00ac47fe4873fdf9243afd435098b20403592521f2c07069503ecad6d1e9db00405b9269357e08ff51296dd268b1220a8eb3ef86859c2d8abb4a3c4b2afe477faed5bfe08c76c371fc55d9db73568703d7c3e50fd4e5e42107de711f7aa1d47708a1142ce38530fba9adcf8c769074af4fffd8b447160bc043ba2a4d6864c5c8351a1241e6d780e21c89020244d1393c6f8b09ec4ff7500a233fd0c4be8479151d83334fc46ba04995cf8adeed9fa9a2b0ae7a873bd4059d87321cbb8c524e5ed10741e9fe4e68c2e490237cf492d14513fbed68dfde05be69b91d6e2701101b7b989dce7e4a36d9e9f6155adec0470cba77334e6faf660868839ef9b309588ad403fdd6d398c777b47a8434e6ab077043b06f5e058826c5b9197f47ba9cf26e1a2fc89c3d489c311f4f26d78568a9d56e784acae708f83b8d43045a8218264e13b633d744d62f7a6bf6ee2fa81f7fe02c8430db09dcb7da2925407112dc5098ee93ecf3bdf8d116b47c19650730d38ec12a84c34684ef6063a1c741f932f3fb571a9820039f34ee17e4653de9e24ebf8223e245e1e36605769854c5fd1c6dc0716dbd95f4ea05672ee53f27470cb584b097958730016d824006b7f3dc5484dac5eda6939fb086db0c7f89d6a99825e7402b45d73aa5f3437a7df8cac98b65a73bd428a3b16bd805f409517ce8ee036bfcd046929700133334a329d03f213e67ef8b4caa197c48c7e9ca1495f2715866ad07dd605673e2c29cb8257fdd7b0a3fcfdf2396b34175e55c24cb8a269368b1e6869ec9d2973bf6ab29268dafda4159f9ca448de9fe25569c8f01ecfb8c36872be9fb51e133ff24ae2bcac35e874b808c7382794e07d6db152769910ac5e054f114b4dfb32d6222557f53ea4fe23013ea5394b9414e844189d1732ff21c3d82af46a11dbc302aef39532f903c3162fd9442046fbca555625a4f73c81c851f4483567c917ad80c0c46a005bac81b84be25c5c4780d61fd172f0f932d845004d4da9ea1eda9ab71c99536ccf23b6e605b02536c2cafbb8810cd7c7f3d9b02c8d43245c1779a0176fb45c5ce0f01620420ee2f1f0afd3749a802bf811670e8c4ef166912887f1f1acffa0685a1e840d0296eeff1dcafbf36c752bf351a12aec01e3bbd480374b8ffdf9e7992f38b37afe34983541d13097124edc084054ef6e6fcd12c18b43d50078dda3b88b5f554160b8b29c0cfeaa9abb39f325fb16e65f78f31fcd1880174cc8ff5946e242efc33fb83bab1f228505e81717b56d853f8b89e8b341d7bc23a8a11848e2bf648196a5038e31ee6f4ebaa96e62882d8b0bb118e82c51d0e4c73807f889bc186a46d1d0ed770493a894cefc18960060cea9caa45e9aa890afdfcc260b8f6508d60784c5bef72bea58ddd9a89adfb74b6d5892ee37fe4994e0f15c0fea821417d5909c33942efdab662a069a5e184ec151cb7e6b5b883b7500b6bb989afb9b25e6bf5c389dcbdfdb23905fa264e84dd2e390e281055b4c62b82a202b1444a89fea67755fcf36360fa6f4cbef4e8f0f67be28ea2acb49016eb1d273ca5c71691c4268d5ed5871dd732318518f057efd17b264ebac412688a1743cc6b476cc4b23c2c79a4c76f549284c9775a29b3c11e94b797ad19812183848963470aab980905b39452b168d0c10779e79026a0867a27837ea0963a3334ff1af31058c1b0ece060fc3c9e01053e6b15224f95a6f12dcb4b85c10e238c4ffd67eb6e4440dc4a55ef1bb094987e63cb59813d4b312c2643a99dfafca290907bd5b8cdd3dcdd8cb0e73787c226835455f365781b4e1ce95d02794d4790be80558e6eacb045e63fb531a0760c7b7cfcc4b10983e99942e737ae6fc99d287eaba65eaace905d1b77189d9a692b64c2e075e60ab2cf2dc48725016e4c8741b4dbfbfce54803bab6fff7dee6af90dcd39a142367cf3f64492d02acea7c753f9aa656514b5412f6dd90b9bbf77728b3044539d67994bd07a1dfc4ebed97e085b757073dc956f9a246b5aacb677bf79dd63e978dfa8834cb2f9d58fc999123de8185fe5780756b62293b707b9a892bc0fb031fa8c6a7af8a21625a45578b6d9bd38d40e0e2b1452a14165bc87f8044c9d47e774ec66de0bf97b59e4da7ba3cc9b6f92605e393c1da5c226e5c13ee32dfc0778567804eb3fc5fb63c6cf9c509884492a0c973e401b710a38eca1f8725b7daf90aa17e2f36104cf22952dce65fb70487f9c173693be0eacf47affbcbb810e6233884f8337c8bd1d24ca1cb7ee810fd10f08ba7095bf16f41e02ec4a78e771c6b3d9b658b2988a6cc1cafc59c67149324a67fdcf17ff917a798f7707459323c4cdf5b4c72a397d40bcac7e408cddd7a2fc7dbd82ad80791a0853c40e98a44e6b2c654fcbd3fe999c297396d132f87b3c25bbeca9f4f4b5cf3c4e55a6f1841b5b3b6836f71cc5a33a462be355e9c944a1246eb140d13743c5d8ed4ea1ffac12e5856b73b0b650649a9cdf2769802654c5808db95d01879c99c6832a059230c8abe730d960a33485484a6ecfca9286614c0917878d91064e8401638a898c60ec7afa7c218098bf3e4dcee138c2eabb106d860f50fc270135ba1e14502717edd1acfe17affbf9a67062d79e4a9f76d49a162f9f052cc10591881b983288ea56c6452045504c25878dbcd435a7c0b384df871f9ac4816d00fc75cfebd25d217e41058d5af03c68bc1e04e5608c00e9cd7dde2ab8a2adccfbf0eeca965310f6c8fbdef16d28ea8589c8eb7a1f389c82b3f1fe1aeac9cff77f5e990a17ee9feef0322c7e5c38e0a0499785fa0af62cfaeb3e80c0502d78268a9ebed605a365e12a0d983e8bf80d115b55301497b6bcaa5b2193596200e34adabbbf475346d6d35d9a3e4e60363ca9b4817219902c3c437a4918815f482016c5d83c5ff4076276924693369571f276431c643866ec415339a9c079089735d349f093fa46d94d0f77f307e262763f08207c9f9ef89ff3e3a35d740d4c50dc199f78a74898cd2dbd72ec026c97a3f06c8701054eeb3493216e9fe041b7839057a681b699862e1a1c21246021278dc7f271d02f1afdba385891b6c091949193ea6759127fe51d3791e83fb1567a3bea668a1915a8d74e4192069a0ad7bbddbea9ac8dd6fe6669b183f47aa5d7d1337c5871ec2053f661a50128327c847c2b40d031b4011561124bc01eb00c76851747a1a3cb5b6b44462033b8cd0a15fc1e958d9a755d93e8965f60f8b64e08992dd4d1d466e532de3489df5e99cffa3b1a3b215f83cdb07f371dc05ed58480c85654f5ca001e683359f13bcb436af1f7d65339ca08f5517708dbfd761f2f2bfcb95d9647d49d7321b06973543d83959bcf87b694ca4312c90e2234bc5f34a4e6acf4109ee7b30618636fb41ebef519e41534f6ab1b0268d964b1040dd99a6c63481c4f85e440a7d24908c53c9eaa7f8223a4c9283bee436b14d2263a4eb4d841809b3a6ada30a0ca74941c2c0e5f406b970cf0080234bdeb603898684bca4027f803363769620c96271d36637b8a409c52a08d54f7bc1c26438313522dbfd784a8840cfe36a9719171fc193deceab52922d443a28285e1ce654ce93f87ce673ee6a42f5685ff7cdc75290352e6d128c2591554306d70fd117e137a018b182c331bba74c8e57dc8b6ac21f90edf95d4ae408cef9488d6240b993b1b496371f6e9f4f7be9f0a2d8d0833b3372f1978812cd0042842071be0ca0883c70d928bf3cbc8694c4816d3d34f05419c8dd4e093fd16c3c9e8db47b71d8aea020ab1e58a8be69b78031f4369451ac7eaadce5292f3a92b564029ee97811f5870c844711cf5b12bd535b7cae6d36f087583ae4bf1392d9a2ab30222d97df83206f82e6af6f45bf393f10d511fe27e819738489d81c3c85fa9c7edf2e83ab0434e6ad3acb1ce6445125d8402a9c66eac24da22cf54791892fb5600b68e9ed903e448ef4354e103896e5cb83b6d30100743833a6f7a34fd8040ad2d7455d68df92d8e08bea26c4eb1974050c1775eb68f4bbc8e0f945783fbec38d9faeedb026c40b90b561aebf5f220baefe42a6a2bdcf3d843797e058f828223fc9e06136794abfd7d1201af01a1d89f3739fa2543d7e260dd9cb70e06f9b8c005d7530a5cd590720255a8fa520c8dda07437b010ec6a55565a3ed60ef206580f860ca7221183e09ccfa4f5c413f633aed9d1047ea92acbe4bda0cdc7d77c09f88da93e4f593b4d4b85332ae2d3e391276184b3cedac50b5ed485f1c2942aeaf03662a7493829f70c2a4f0c9e017e59e1895d53133858fdd05432ed5733d7d4e4bc77dce9884d6638f0b00d50452fdc596b170f322e53fe2a83fbeebfe039160816626dd68b86f9f5d8a87723833c7aa0f3a1a8cf3c45ca918495b051ccc168f0c7ce7cae1d9d1796c55943cdb80ea22d24b9c60d71b9a3d93b08f4dc04994b340d1b28fb7151c8ba6baa854b9aed90823697a8b4c6af792ce95e46ab465d24610244b6838cde96d7909cfd2b87bb29e4dde8dff3c55d47017d703e98731a106a02b4f144c1a0008c76c9dd2589dcf6fbe85790e35583747724e272f5079816a46de5718dbb1a04f3a3fa5c535b9bfe7735c19a926921189b55c404971f727045a3d25c626efb702ab77d435b7a155bdf26cbb453c8e206dd365a8a9f546680f8cb016f489b44dc45e1248d00158732519229adcc71e0874af80342e7f3f160fe8602f693539ed5e4daf340aef81f49eb19158a56f0fe0b82cdf5e5fc1e1fba5acf764dac0322f2045ca07cf5a3f299a81b643566706b3f438b0deacdfd6e6fae950da7564bb648980e8a192c72e964ceeae11c2870aa856eb10ef95e50a4c068c794ff87469f8f0517102232c4bb63307978301e7847a677d0d5143cea4b48c992cb9805b8d0edfd632c2f9dba7ec90fada957af13ff2537245721d54eac1bc0db4a8d0a2e145a46983fd38c13918b8a440f39ae0ce127ddbe14dacbeee89c5bec666767ec70423ef6e569255ffd12e47d53e349ccc351ca698d8b3661d325e2ebceedc5d7a87fd6822c1f9e95871459c9d080187366299ae5afeb647c1e7fc0fbd1790708be2c0d7d23e616cb8518c2823ad0d1585ffdaa69ccb6d5d8e20f804ec15ec27fe80b36d2da93e67a770143b8228a850401f3473649f8afcc77d6561ff84ebdb3d6a32ff4995d30fdd9c7dbc5a540d5a949e1cc93fd49f96589f27b3058b8a7ae6a9f5d1728327d9acb45b30a6f633ccd1030149bc861eff32cac2afff5264ebc8fde6cd114a2cc4b8d786c8258d80abf5ba929055709333706b2d62ad5a5c900dbb991e2aaa2bcc3df2e525784fe54b9a74144a4deeb1aea37f38ecffa92c68da3b8b779bc40628718cc7944cc5a2cc53471bfae347ddd3f706715996f97a4eacd50c79346b3141257ce0d397bb142494c20a3b9f4222736ac2c813f3a5d3c32775acd95420247007a96b4819563e228215a81d182ba05883bcabb95df9c3fccc88ab427ad2730ea34c1364b021526a486c541905c79e74cfa70cc45276b25cae146d56bc34a0d36ffc9697fcdc4bf9e3b219c32378150215dd84dddbc3994747f2dbbbfd4ab4118af750c91bbaea8a6b9ec6c52fc25519c5525142a571c675ec0148cb517bd04e28dd5c78f345c97b9fcd26a79bce1a03abb3b0e7a29af23c008f4b8b31e847b1d9cd49db847fd1573854a6ba0dc09f2618348f5e6560b44f349ac5855c711b0d64e676c06ff190a0e331a898c8df82badcfe15f44ddd112fcb232d4ecded2385b087f14bff11faba40f05751eb51c02c02d18aa57c785df57a392b8e38c8135b9c237709079e96a1d5a5518e16f0ef12f9cd6831be8fd50536a5f50673ba719039b1f480f782869031e93f342b3e389030f16ad0438c8eccf235c476eb0fb0f6f6154399cc63fdf8bf37b2c845728c72cb6bfc53af9d4cd7eca489fbf194e4cd53a205b88ae8e91f3712a968875a98424282fc3cdef7d2e91b1f0bf47e6e39fc99e99de37b4dd216951084ad6adc6897cb9e3f5bfddf10f6d5d2bc703d6ecde79019601b3bbff596ca1d487b5fd18ea05101705f571efac7f12e36193d359a4bda63752654993d954235e4720b6b704dd827967622c4ed59aeca0eb9d2f5a44b8263c63b81de7916ea6dc372cf512093e0edfaaea64ba20865da0e81fc171e0e1ef7f6f2e551b3f8698e83797cea76c6dad50066a233f760dd612ced521d29509fb161a4f7515c284c52a0d85e418e78a6ab1b8b8a61d123654e6273af6c7f6e1d21d5029b67b1138efc7163c90d831bb9be29374fa027257e5c1116f879e2842c26b415a9edcfdeed84c1a21791ed688a0f6b53a24ee5b5a7d265144afa694b9e55f7bc6e21622b456f2801cc0ce3099396ade05a3d9a802b027740e21bbfd89462263c2849d8f4b8ffa5efe85270d3c524f74bdec4f73d9995d945b613e30997a1ca9c1a41995666c7f355eb924f6f9e3ba61aa82b1f19968b0135fdebb9992b249089bbec408d16c5619a77fcf9500f434b78d6840a799625e9056b0712fa613ac98f2e87a2ea5d1c841c428b3d26329e566c63a990e8933f13dfea87e7dbad5195606842e4daa275f9e5ccd4d8065ea5b5bf721871274b69a17ec571c74ef097f70a9d751c1223cc905dc57f88824f97c7417ae95d3b5cba8aba3bdc591f4f30b730c5d641fccacfea3807d78cdc51846862957ef30684d28b355c9932172a7e9052e638df279ee7169052739a9a4d09263b38ecfe645119e603117cf3d91ee7207a44582659b7edcabcb36e8e7b4480b5d5c97511b5a932eb9774cd2fc485cadd7224c7e42e50330e50905e66259c93eea983ed2ab46562bc61c4158ee9493c1f21688a31a43a2b387c12668385275a809e58cce3266fd345af0945d499696f5e7728cc1ad496eea148d6e9a773fbe19a109e195f94089325c141ecc71799b7c4baf5913ee32e77b11f4b5ad5bff333c7b835459c8394b13fdceb71205a6a14e1378dfb2f5b851eec60dfe615a83cfb46ad464f7d81fc324e9c64e37da77a468aaca33ee1c6b9e023f794a29333e44f976974bd471f6de7bd3c4531281c9db3295fb3f1973f5935bae976eb01d8c2460a1ac4b76c3466015ab60cc1e1a7cc120bb192fa007d60d28daf109488bd97481e601a7b7da4b5d8f4b326a5f2aaa1f8966fc399540f4a6ae503296235a9c3e12e8fc11a7d9c00c557495af999f48b84404cdaf60870139d74787ea72f227ff71c695f030a6ca6a16c1a87d23f17f74d86a8e821c19c1605c33df17a29a9ce60bb3d4c1009b47a7024676cc9f33f15c67da462376fb66c0be90153814c65434fc27cd614aad56e3fbdaefb04e3f0e493bd73a475d2b359065bb7c9e4c12fada58db7bb9864c5817e145767e2e076e2f67a6524e929da9e804e8117a219b045d0a2ee4644177505ddb00e8f8c7e308589afffac5997f99567dd7a111d3786c24362ab682518e2a8fab4705b4e2a0260c940a79fe0d98001065f20359554213f836386aaf0256d27eb8cb98b79b3c7ee4e88d4465c684864a0010c9aa372442f0a5b3beeb69fd8d1d59031ac5b896028643404c890321c731765a9cce593d6fdb1cf8929c95a6999f99095e562703e09a06160c1855cc25a716e1f89064d8398bd23502df9e77adf019d480b214eaf749be2eff5303e69e788c0c4b5c2ff9fd2f46ff1818cebc529187dbd26e26a959152613af717b8e4f0a6abc0057e9a0b4b65321640879c32969ea554fdae8e3a9f0c2ca683d66d0ba422c6eb410f56ec587d17087e748d326dc451806deeb9a3680a8ba87f852735fcb6ed0b69553c71744d41e54548dd2caac534c8fb3177919ba38ae0969780adf1855b846670f656fdb76696f71d62d5c24f92c403a33cde67ba3006b59cc6ef4d5be3215c2ead981775b7fd919d7bd63011ec564dc2c01007586a0f2d85f5e91e9cbf172cae245ba6327ef8cc24d4a81ddddd627bae9d5ff9097362833a46bb3c17a8b12a7e20178628107bdc4f2a129b4f3484c57bb0ff7c3f1ce6e971f921d5b404c6ba40cb1280932ba3fa72cc4f2f4ec22bbe5fc77b1423413af799fcff52ad90ec545604ea8cbdcbc03e01746f866cb133a244968158d21e1a381213b24869cc96df17484c9b4a3978c69d8ae77bd88a23b5344e7ca2d611793fde3af93e56d5b511ba43fce33a8751bd2a6a9575aa65e8005d56211521c0e65b180c3622f68cfeadbc612547295b36890b6d021c15ecc37746f7d95d681c9b8010e8015600d0ba661d6372af0aa8864add01ccbd0d6a72adda5f2321c77564472997013e1d9bfd73754982536a03d23446689ee3c31d1a5546a09524f6da1ee9a5a4d5ae7cfe02f7dfcfcce35c902e52b8976ea6c8c1242ade460e660f0c56d844979eb2ac5bdf3847cfdff9c77b0bad795adaf775f5a12233a0e376c4a7e4342c8f4f5694f89f115236b53cd3ac6b0451f386f8f333864ed4941e8aee2e9d459ac3cee0e48c3a49efc83f4e8c223c142f8ce2b3d5a1d7c81dc6bce88e2a3ea9050772604c9d3ff6a4d4117102c792f61ba35411ac040c978c4fd55f54657e79760f5b3c117a6b669a68a1864738016df75aa2c4d85b8a9d2be6f02163dfef1ce6171124e2f12dd2ce23504674609b001d4355d5b7914ea92fc0cb8d3aa3280b7212fe83aa08c3c7ea5bd37063acbaad245631d672d6873efb16e525de5aaa69c4e46a244f47738b5bad9e5c9b9dd12c4c7b6715414101b634be3787135345bb2997d4ca99ea1d42c8765d841dfc9df4442ac7b09ef29991f857c73853d6a88193627977b69d125f569f5725f5cd740918c4ad2d33f7643daeb22fcea0363fa54b0d3f9ea1a45e046eec1a36ab69fadc7fad6f1e257941b5faef346e6b730bbe1d415296c8ac5c1883305750042214b1754426c132785b9fbe2fe834b24dcf3cf31b0601a2886852ac66dc932b14a38fede595c7fd551caffd2bc1739461701381a9930c917f3aa1e568823a6adc968c97dd92e9bf06a662114ad62657ed90794b0681bcab6ca2f8ed2cb406048c5042661788a8e99209212e0b60f5314a07d2b95a893853717443a0106e0e8114d3a5d6c6f0700102beca83250af679272de2045dd177f5fbb72f19b76d323f99ae22cce644d2250c87f7a1fb9824f97243c78b5558d55c9c661edb8abb213c361aeefa22463c84c0f268ffebb45df004a719bdee731a1b36ff440d7b957c5ede98e83cb9b4085fd5cf3c5a7d422932f2424f640e500b79f4a18975dad90be967108518e848d89c69ce9fb976a71c07f8664130b4aacbb9c189adc6735ccbe12d4211208a13f93538d73ce6baf1bab1b86a3e53bcc68a44279f0c782c6a4d95d0759fa0645d78ae69375868a2410054a9859b841a3ddf86ff0d5b3632bbe8fdfae3bc1caf183dc0a8043f48c28c187b8305c651c1439a1354f8a389cf81b83d42b7ff2d5c2f6193de0ea02a9031c1de6021c9cce7fbd3712ed58cfdd36b7f6704373b356a2389093494d6ffe53497e557a52035cb79feeae8c46243756bfbc1b42f682dcd3bdbabd3db5135c0a0998bd69fdfc354568584085c4e169e484ffbd120f3952503b45b2ced23f244f2b8dfa489b27011744de27d2897a2b8015015d0f6967a3bbeff0e1396a9d14d033ce281e8b3e7926fff65aec9153f109c9cd97c017f15ddd1deb32e0f385fe6420d0220c28d2e6028b5ad933d4628f0e19d24bc94d9dbb2dafbf385dd99ebbc9ac5c0a19e82e1030b26250a71ba88bff25532795afaefbadb6057d28ecb7b1e777e26bd27e6c712a0cac628faa0961555a72d1f02e3bbe78930ff3ff4f5cf4b332619bd6639a8c058c0d0ce8ff418accaacae74fcc9975fd1aaea2780f6c7c409b36cf77d7241c716def5bc3d81f3a3eb4924359a0b37be645380e419f27da47aad45c986d8c2b6f58f4d20277b7193cf31ae5f8c7696c3d4578842d2df631194b17719b3354166acf9b0024bf6db5f7722428dc746a8c4f3994a7a64ca834add0ad259a871ebd3010b8b742262348c6e3f62fd70d2e62ddee4c05817c900f37e9c917095bf6d88f7fd05b2621ca3f56290dbab090f36d268789b6ccf97c36b1a249f66fc08d83bce54f0a51f5364c4b8842ce136b76b39db979fe3aa3b312fdc0a4d98ba8bbf8a768531e170454ed7ea689b78de5860eb1bd5f39d55e15b97d0076f975d56a07261dd689e3c7d222998d9068f4d069e0649072a0816e89669bd2f46340070d3d53f5899f772b73983ad07be40b39a2159f4d786f9eb76547fcc66cc2a0bfbdc8b5877b8798793b1ff6ca7effdc8b434e218996d5bd0421bb365ada1d019496e92a755766dcfc0b2ce80fbb5be54f89f74ffb62e54e93bec1fe75c89f7adfd0222b3de821eeca84fff369ebef1c1d63f17aebcef66d55832e525ea1602cd34373ca352fd1ca62e5749436a6dc2642ae4714d5329f2d65451a6ae3245656d7910bb205af5b3f4724fc4cb300585fd7634972acc68875ee09067f1ab1615951e49db3941465908d95bddcca5865f17c069915929a33119d03b80e4ec896e05fcb889a0b96930e37ed24d24f4c4046129198b7e655346281829ccff597aa5023e09a92c6e01abc29fa898beef98a13ee02bbf45873b28b2fdd5a0f1c3b4d6377abcc224caf0719a819bba26e975df1db7d365cc47a7bd7f56eee5257655562761848da2e957ed4fe8fee65004129ea9b0a9304d917d07649784cc81edf3333096cfb653e5625be6dcefc7590b921402d5bb768634c29c015a5cca9c8c5845da848d34a6ebdd06d246ebf216c449a28964081b843ba5dffc093fec0aba7420f7b581816b0d5565f9b1b3d8c8f0b01cbc064e14447ad56a8e87bd1ccf9d99ae07e9494592a6308af9837d0ea7649886f87b3c28cff9a95e1219ccca6a6e261c0e8559519e6edc155dbdc59e21b097826d4cdf21023c2638c8a6e9fc61c46bb00d4954e7d06f1a62999cdce2411c4ab15c7d67e530bc51abd6f3cf74930c88433cee7a92347768ab7e01c5b0199d4c832e9855d8a828585662e6196bc19680d335be3a453324e5e42a918087ce2c05a25cc567cd84dcf17ed5d642ac05a648230f8d85d898e788efbe9e2b31c4303ea6dd51f0c48ddadf5dd23b5cac3e2525ae1fdf6103ee3ebe5a3fc359b9728c7a20fa0f76a5ce1437ad58edfa51afb8a452ebe806af610aa97590aed7c0e7b068d929873a813799524ea1d5d19b2542e86e19be2901f2c689b202ce76f3ab7e9f5b744700e7f2820d05e32c6892f8cd7765cb2fb7ef7bbd064f7c69630024d8209a36f2f696a4b851b279af6473d06725f50b7df7ff7bf7e02abb086bb53c774a592641d07fa438e669533a04de8d5721dfcfa648913677055a8522c19c1a195ba013968fd3bbe7b8828bb982aaac92fb528fe721f69211594bd545334e60859ae1fc4f49a8ba967b0dfc445e7fe148c117e0666e843b9678b40e7e6f019bae4777132b3ccb5fc4004bdd844f2d05791666219a14158f8e5c69ef6de58395b3f43365f3452d5b95ec3da11ea87f3fc7d2a1827e8d199f2601879657c45a55b2574e0385284440de020e0d256b59bedaf3996fe93d8e66a9f5392b91ad2aa6c766eb33c524af46b5529b1c6f89137003c469e0018ba7d3df98ef5ccf1e8f67326ff0d9c34b4c2b219cf248ac556dcaa909185fc87461a40a2e5b742d782d649083d1fb59923c7a41526ea268253b52c61552427f877325e4c3dffcd048bc4325de1a5b0bcf188adfc5176441fd3bfa40256a257cf81e3297fd06405157b46b3425589f5f082432b84a21e2cf31a502cc35a82b51272a17c4f9149ac936af8c2bfa2d85485baf308d425fa7dde3020e13f174558dbd7142c87f7e5da34458ba420c450e8762bc4dd7e4bf5008c9a71a168729f1a0387852318a06cf31a666ab357a3f76ea4c11e68094d76dd8f3da00ade556cb996db12bc9cdc09c38572f99fd71d0fb60adcb594607c774784ddb4fdc7586caa4d912ddf51f825e6628fbaffa24be7956a749cc0b8ce1dd4710ce481b955bd8d062ac46c4972da1107d3d2e237222af8a59bc0af648c02145b8ad705cfe9d80245b8502f403653d296bd0b9e2218999435789f532faa70c55733179ba9ba94a12fb4ac5911f3180d75212141ada6c6d2c139cc6945a76a5a4c5282b812930d6875e842c12e2f53a5e747e1c5d256bfa0bd0db52fe3e5c4eafa7b406be0bb9d3dde9821635e7c782796a0d1b69b4051ae5617958fb5b0b27d04de0fba5949c3c208e04cd9713b9f493472a2cb50873794b58f30ecd4f765b2da187bf7c4d5aa5e56e77b86f34a355dcda8f785814f8820854cd852c15ab44db555ca8b063a36b0f862d59a5bfe7355a0be38f441fdb7a0fc224b8ba32c0a106e558c382abb73d0660467fcd93133991a176809f59a8e10124b38a58c294531c7a2c1811cce21bed18b056003f6461ce706f74e7483252b4d3923a559f1fd4c64cebd47e5c119b14eb2b599e2247762ad4da73e9bb656c855f166c529367ede6351cbb1d332a34d19db7a6f4efde942dd239b8af53248a68c3c8c58e81856d5f99c74421af67eb817f06c016de2b2c875beae9e4d856c5a2e66451eb5d4c197fa5544d40d3e97202f3941156019b5c7f94b925110e33fb4454b0bd17c90679363849f6626d33d4a06560b807d1ea4f81dd3da3a999d2a2f184aef50abeec7138dee8a369dc7a864f79979604aa634e99340faeb4f5622addcbc4053e550ff00f01160a066e118bb278246632c0f1f2477d808e4db22291891856c704a4f0ec3d7ba22465f625324ec2407d48196edcba4c141999f2b842c9b861f66dd7a3ecafa9b03bea6e02d72bd7b19749e7fd85fdc1ece6093cc568426ea736d67fff9e96e91cf609459445df3195db038044885b2353302d4fd2b49e9da8adffb511145ccb4296a73ce358d5fdc6ccd8f3bebec92043b965bb48ab330b7449babdda709fc8d595758e2269b0edbc05711cee236b81c97f17bd310585afca387bcca73021a7b03a5e41d4cb49c870c3900cf364fda444a71bde673fa58bc86ee6542089e745d3fbbf536db08c739ae4dcd24155eb35fa52576ee75ff7b8d292e10fd2439c8a2fb543513192a8e2996b28e859a337393ddb0289e75cd4a586e1b5b91c2f93df2d0cdba868080ff0d0b5fba7facdc6cce40a396e782d870c477c92e36e4a2216f4c47d3d6dc7c8e70217a6550d0de89328f44bc5e802a950907bca1a98f47b46956f81b069cbd888ee74c9e9b991401d69bc4fb226956a82bbeeada7e350f2873b750d0f5bbfcd4ef3a8ed6426ef84bc3039ded99fa82c68282c5be8c874fbb504c20587566d966e55026c0223f5557a3cbf50eaeab7c8c75a1ea8d90ad458784cd6a241f212a34d56bf284a50c5026b605f9d72cc4d8f129dff55257a52feb4e8764673b9e8bebc4bdf4d0180b7d5c22fb8d4062900a6f0d5763228fbb10b3f734b2640e0fa538bda28947c6c51e845af30b3774c75e7599fa1243f618fdb812f9048466e97c2356d8ec39ff89e0cc182c696ae4b598caef5eb74d829239cbf604dd6a3f4b7a72e925c270631f77e31c5b9c9ef584b939cfc307cb6450c0f0e9d3f625d419a8acdc6d33ccc0ce0720bd4d321a451e2e43f4fe319bad5e70cf231cfa274e47557bb0003f81c749dad0690d567c55215683f4551709140d68944e81aa7e1b0cb8fddff7214497eb646e89b1dfedaef98dc4d953b826b90caee626045f4e530c9e95ea26daeed6165f7abb87a2674f680a04beb4674495ebd905502079c80cba23b55df66f303e44373326e5e319f2efce432f6069d27822080bb67a536f67fd9fe52f64693204c5742c4be9af8574676aa2dc445f54bac9e09988ffd829832863e682d3fbe17945f3420283b7eaf7604138aa453e2f429dfe3d0cd322a046ec7dd2793d2bdb63e04699701c7bcbe03ec7079b1836bf959ce71ade7090afb82012e2cf81528c6597c354ce9afb949ba164011af7c8c58eb90bf9f08a08b89bc61e3c4e54b9b0488aca3f0fc6b3e1aa27b81af27a2f7565696b491db1e02c59d2b0c7a46fba68d9f3969b24923e09ff45a1c1049c98cad4de9fcdc582cde68a6c811bab26f153bfcd0d8482eb0082b7a9b4ca54d5005824e63ed3320c5897234b3df93e4d8aaab28e369c08ed0e12c28e80a63823b5fbb88eff8880473d587fcb55b49455208c12cd79acd6ac88021ae38a15871af2fadf4a4df9fab50dcfa69f9b3f0ecfc805610af0969f81d705ed5c1a8cc677265386a83142ca67ebf388834b06f69e16573bc0fa203999148431505c8a2adc60ba9773943ecd23808adb857784aa255ffc85b320420eeaa704761695acdde1c449a56350d64dd21e617e17c5bada0730c74e6f8624265af5ec6e33910d9a06a13b438255c143ec31f22d2499a23fb4ea9295dd4d87a5b950d6b1120b7f8bab3b1fb89ae37f6e1ab81322a7f17d2e38685999dbfe5d1af79d1305b9af7619ddc29fb2309d30a07c134eca0d2464ca9456c7a2ffb6a8e08988adb97ace314f55569fb71b23841eb36b2a1e7b8c609e59684de61cfc89395f35ec520d8f2f074c7bda98c0b4a0b136fadb0eb979753b6208c8103ec509809c1c5d38b1a35af476135ef03a1040b7194ae3bf1111778335a86497bedc5728ad81dde257c67a665f708e7943cbb19a8d087c82d1368bef930f64800ca0df287da9f5f2452853c8097919c6654da842e6132b2dd9fd177fd9c33d8e98a6535905bd16c2bf4f6f00193672654dac93f748fa3bd9ec050a4bc5e2051c8a1bc6debfb81130f42b35ba7574802e7df72bf7356808f6c3f4db01dd38a1b77ceeb2196aaf53b486a90c74f7fdf713a4d5eee823b038d923f5fecad38e0a297d6facf6545ebd75822717dff90abc300e49d35ac1b6e1806a4173a10abd30924db647175cbc6a6fc03c91fc37243d2b86e9c10c0746bf59d3283b55f9a03ba8a544368bb1b9b285c383cd4a3bbb2dae4f12f716d83440a875aae1a77f20c5ec26d7192dc62c0d723fb74a9b383060f297465c9f660601a9370b5bd087ec825cf2efa15d238f235f0ce7bda6e28eeeafcd069a94364c4f948d843622900fda24b6fced2a19eb01874766c38fa62c4ae6bfdb70bb44f845990ec5450e16707232606de62c0bcd2c8c35772fe7ab807a78b1c8e8ea5e4a9497a878d65a1972fa344fbf06169f39de1f8c6fd2bcc626de0407523c8438cc2d6a7a418313a5bf4c6699c8fb49dd0f1f6c6a3190056c0fd28c7f3eb39927468be20f2467cbc98c9f997e95ee8caa9867f48beacc1fdc2976ca76cd2562d06fdf12603e6bc96590bd182ae304b9a91a4b79084942191798526b45d5e5b39fff83bfaa284d62a1035d2c65f8f3819f86eeba77a7fa37fe1ed7e110abf5cc99f04b88ffa056a40485177def2080bcd553580e396613a74b6185421193a0d857ff9edcd9812320aeab9f2d74d78637b193840037e879ac36ee001535f6b30675fdaa1399bfe9f9370bc308c217031e3c22db9d60892ca57ea5e9b5fd11087335874ffdc2c166c3f61000871891f16693543cd9bffc41e0d333396081f802ec2aca66b71ca3efab8004b576aa5bac42424e8fedbaea419d4a182599132dc0444319e90b71757c56e7712b5ca8461c73513977800e44dfdd404abb1c91a98d23f4b38e2ae967ebaa577de0f3b929e79012232466bc6cb362c75ca362ee19cc2769e2f36e6f061315a722c2cfdbf1cc39115c7505e7c107476c5e346c753952b537800658fcea4804f52eb1259857c35289035f0bc5909d8dc841b19d67b02c870295ac2c3774bc0c48870a2a87481f52920a85625fa7cc5fdbdc5aef3f6ced5f6bf13bfaab1990f8ccfbdb27ec4e247932826feacbe35a222998fd5b4f1fb769253dcb12a8bb5ab3910101dca59f6f2c0358e75be580674851e4bfce8db32627b2e3e8ca5ef51fd1efae58ef5c6e231bd82c51ad1de03395d7caea75521b16f13a87e89eb300f8580dbd4a8507f959cc1170a61e82a15c27d661e9dd2590307bbde5d120f8e49ff9503a7e0adc97c02c5cd3d31a9abb24b2d13582e846f6ae1f5d408e9fa74080582213c23d2be962aa37894e5ea0ff0b802579ae420e8f8af4809c3f842a4e8dd1d40bf7b20163c6fd4d9e759242c809252d6cf928f2beba93c26816c049305a021e865adc816b6ad6a14d0eb475798ed3a59af24f006cfbbe5115ca2f8aad096e623908c0e733ed8ce659acb3a1a5508e17a4ddebd3e21abd697d0a6e8b21875ea84115ed7cd0db8cbc7d4c0479bb63a5151744136f4678c72ca235c1dd08a016f4f11134a614ead7ba37e420b2d7a255c0f0c48de510759819823fea6c07d96aa09bd3ad8d553a531315254827dfa577fdf7724897106c8e54606e68e0e8655237d7e9026e16f6c4cffabf901c3ac4722c899b0003de84eaf7c38aefbe8966a4b686ac2d43f238f06ded2d4889e9ddcb7147add56aeb2da6c32094c0d31c55f3f151d556882a02dc2ef81c4dc9092cce1b8f27895c8f87bbb1dbc95ef92e7361a20e5fb352da4eccb7e6cfd22dfd93215ec1e948f54d93d3b995bc7dbb898f35f5676ace41cda50c1bc61bb2f192f575cc96a57ef93ae8240decb2a89deaa946bdc9c975439634a4c1c989cfff28af50a05ade7c9da957dd2169aa837936c8ab2c1f42cb5b8f980ad1b1049568aa677bf24ee051a0937356c9f6328f3942d06e519c17b0db0a89a71b886d0acec72903029ef723cc44bf5f91df28cd0481933778ffd317e8063c6fe73bbc53e94831b736f7a576b6943da9a7b8c41d863b0bb4218578f76f26f95c164971a8d0f11f3e6fa0fbfe485ae47378558be1488142ea88bbccb4cec4b73f166a3f16622f442c55db2efbe7b9a6c0c2ff18153268027c099a9a04211cbce48e84f663191ee0449624f6a5a900f9ac0d45867612ad56b53421ff143257f7cb5d07f45c7cc70ab4afa4a9785dccc126a85a4b46007e63c981c448a7e1c03835c3827ff471a70fd7b2b7f1bc33fe29f60dd889d300592bcdd7fa3660e8087ff92b301d20fd07096d461f6f4237564de9209ce08e427119c9b5fb0ec7848e2059b076a9d4358ad1e7132e87ea93f6c7f32525f7f82c5526d244188c73f3a7d17cdddde3a2896827a94ebc12435e60cd68121cfc9a5b8a5e26a8482b4c8aa06cf8e18bd876f52890cca4e5125e07e4bf13df5633deafaa5cc0da424e895482adf8889d9eb3c1eef93fe1fb0464c43b520ca084d320ffc7827b033edd9c11de7d75ba818f344ff7db2f05a49b9de2a506b3a71974b5ed80c296cb43513a98e2f067993b8e0f60f079c7fce2f76a005ffdbbecf1c8c779d2bbfb0585fb32a35fa9ef1ec5a814502c4d7f59a94ea436687ce9118ce17922e408b2e6116a439682cbe0dddcaab6d0937a898fc0432bad7cdb388fe7add9aa8c3cffd5b1edb010dd6268b03b4ed12038e6e5605a7908026db22e46621e47bedfd18fb0dda3cb80c79b88bdaef5f721dba6c62c2395291c4b85f3e587605dd8521454c890876dd2f66b9f1a16b16545c3065174889acbe0fef736ee131b12b8c597e168bc96ee68918cda9c4d6002a6d9ae5f5fd1661acd14e23ed7b16aa3355425713fb513ec6a01ab3a475dd7bc68317eb973a9b494314f88242d7e9f166f5babfcb47d9b0ac3dc021dfc19c144a70cbe3237c6429a957c5568bc241cd791a3da0282c996c62eb89f13252c082af7bdff10d63480e3eb491f6bef36dadb7d53a9561af3ad6fc1f24c0a6e08f0fa9703299fd7dcb71444902ed8266353bd642649afab8ed57583a547394083432aa0b441eba37f2a4a7dd2030bc3fc824e50840268aaa8015bc83aa276b1c65790eeceb78346a299d7c9aabea8604682f6504ca87dc162837d319c45b02303a75e64e2bf5b7437d3bfc41fe08b3bfaa5f4d65e8dbb4c82501f5a0057a7ac97e7509c8aadaa10f0a629e52f85b20093458c57ccacf377eb4559c29f91bf1cbb54f40b5dfd742e51f8714d386abd5644f73347c75726019ef53f359e4769b006f4943e002750e2c7dca3ef82efe27430f771ef03cd99758550971d4275de055bd8ddc58ae2bcfd872d5b0180c43f98f84c07f17939024fb4d192c268bfd9ec7e6b2ad25882aefab5908f15c7a5f424e2bddd7a5a99f4e2281750f634f7c713b573b4addeed4691a2f8d6d58060342a084abcfd5cb047709fb1cdaa26c221d06c11d27b9d035c11f84d37c44424b303923f7a75f6809d95b1e63059948b9c840bfd5289cbd6373e058d31fa0dd5d498d1dc52eaa1e1950c62e8e39c268891c789ccc62dbd43ed15c58a528c0d2e9e0acbdfa62f6d195d87b4bc27f180b84261f68b6768fe93d8160c1561a5489276477d182c4620b2c605b6bfcb67b9d884d407aa3cf64d18cbaf9c6ad63d2cd4367dcb18ad5ad5e2900c79b645347c5d8b2fd4329d4b9d632c6adba01dabff814c8f70fe0d31ebfc22711174985cadba0c9c6fb5b5396f32acac034802e14a8ded588c94da857e55372c96c0546b18e5a20de62764ea398cd1bb25c3accd4b9db4ec2f8c045788e0700f2868268e749486603232427afc6c867bf1829c17c991b158ab488e2525f31e4fbe680e29114f92bcf38cd77d9e9657794dc52ac0876db200d7c96179d37b81c6137a10d642461557dbfc7d062c8d851436ac65b6a0314c8d49d81d4a2f25ee961720528d2e83df64615bcd74e6f15f00218b85d2b0281989e3ecdbb3107b553a9a8a47feeaf9b67aefdb7c0e067b26fed87683eb4745137f79fc809b8409644effbcc4d695d480ce651bb5370780f280b3a39b75b92e5d1f75618a6af791da17af3563bd3cbf9e07e3650a6a2f602b736a82c2d1c66a115194a3fc7c9196344aa2437ea029b43ef34c20d3dbadcf37ff0839afd75afa59d205581668b7d302570bbce1ef4229a30fc40c528f3945def73d836aa752b42d7fad3a24bbb3ffbb3b4c834405d7a37e2fc3d51be6a8d3eed3df4d7dd6cf05737579d1073216937980919dbb5eb84f8067748b774066190d24bfea50913776711ea298f9d9b674fe24c504578c78c202b99f1c54bb4e8c36e6e44ee597b1e28671a4dbd0c4f5838610e651e41a5e4dad25863576a78948ba5ac8cc8455d3be91885641c61df09b8888e7bc13aa73d90d9d4c3f293edf721e2ad85248d10534de4bad0b4b23506407a63cdb951b2dfc8f53aadcc988fed0a7e72c11daab50b3061b1f10ac2a1cf665e13335e97ba94b3e19fbd19a4a955c45d0b47880aa756032090cfa7aa9bd3ddcb1b54d6e2b34e6292e04a3a3b4cbe33eddf72967e0718fb9140ed23e3e8b5bb7ef6cd6e017625e509c34637393ed5facbf844f658f93c4fb0ac49e5b9a3be0ff849334b996bc71135a9ddebc41bfe84e9e443d6a07fc6c3baff479e2ff21d729358de678c426bed7a351e413f6463df0efa7621c201e291bad012d4179af6cdbf44ef278f6e7449e7afe7c586f5a4cfdd3d610126b87104e85eee8af49220b0eced5d9a2c69ce9166d84d448f3aa75b0be354d73b3dbc066567569895963cd08354b2bdf7754e5983fa77b7f3214b0652832c2ad45444785723f8690da04530a4271730fc4a5062df6f69c1fb2a643f53e58b62031c0bccab7157b6c1e53f9ab458c794f167ef52e9725c1318229b0bd8f5450c3275992059e908e0d9b45a6fbee125be6a4a00f969d79193d6e9eb7cf21722ea7a78273b0e54031e0042922aa4f0202f08f44d1b8482b9879086973df08bd430b1390164418b2b4467414c13f595b252cad319f7c00bc46081c45ffcf67b9f78dca78533d85de75a0c6f601793d73eb68f3c49c59de831c14ea4c9d40bb42ccc948fc5bb9184c06af6f02d4cd8f71916fcbbb0878c210652815632f2fceb8256bda3d0d08b9057eadff67a89a75c38cd9eb76de790573ca24d8e59ab3ed8430c3915adb573d1b773f75b69bc14b7a16dc0b93f16d0ca8b52d1922beaed20ef6c8e383368e8338bdba0f4e2eccdcfb6b60940acd5a16f73fb94b9072248497d54a544a5d41dba271e482e73157fa6ae96cf124e9e5af7b5a170b6bed8d27ffed073657a72ab6ae25435a64049902575ca951f2c08dabb6da7b75616ff35fc783ad65ef76dbc442a6413745452495562b6e3ff9b94448bc56681258529f3783c3059d3cebb38ad3fb859478fcef3b3d990ef029c9f072e852098e26a2c0fd8cd87bfcb8c0a71d7ddfb650ca4c21d3effb6285ba0fb557f609486e57507211ccdc996b37f6b86c3bf3654aec8c65bcb430ea919914b1599d1974f33c579841d8dfadf714918c7a33b543d444c18f02dffd26aad5f95655ba73e79ac1b46f975c8d82641ce1765bf457ff4f25318d83acb1bd64cd99a3135780b06485feed02296e1f3c557124cf8081991d1999a86faf774c9e39e39ce85722a3f9334c5a89bc182fb038a95c25350b341b5f7630ff9b0fb1ac3d849d2153cdd8ea9d5942f1b9788e6a0ebc78a22722f8cf6f0db480d817992b5b1e0d008573286ae803d579e51953c8d1ff58d5d7c9f2aeb85340b1926967a6add3882da3106a234b481e6269e5409064d9ae31a4c85633b0d1f1c3007d68bfcd7008d2b5f6e71fc4a955df16fa0ff39bfe28680b3d7d5c3096aacd36f989ca0bb3f774b34410aa4abcf31eb441fb62e5d7998fcf3edf6af5b5940b2d41d272946d6f0f97489f9071847cd1cfa94523058f11a35c69e3e96e8e43e029cb583d6c94a487c11d6d627f55ff45a8178cfa72d552a991057f170d1f74b08e0359951bcf779799a5597eb7cc862c9f7308a77a9021b86096975a95f497d5a09923c2a1a5b504db622557da0d493ff664f334e2cc08d5de0ddd26186a363d5c1a0d983768d370e2e06e894193914b55226ce3899dfab0716af60f9c3ffd4062520a77b1b7aed42feed55d9c467b409f9aa0be4dd78a3653e76acf28e44a76be13363351f185640b203eb8a2a330b947ade25735a8344a78f72e2d65e83eac0b853a09ade046e4be744fd5afcfce2e913c97c5b5bf3eca7038d889a63af730b8c232252cd64982e1d8cc060db6b321e3a83d8a323c8becee4d9869dd93586ccd322eff33bbe608aca4d83b3ae1a010bcc23790342501df7b26675aefe411b37693a9250e232ff0c206f9bb6ea6614c8f3cfb6e26a74aab4ddd799e3f47cf6629c61ddea0d1e6db2b4831590e048bf36222fe40a41801aa5cdbb24a896791f5f1b3c9c0ce86df60568e726224056c5fac7b57630a5c3753f17bfe8723e90341c3a2c1a5c7258651d31564295bf6c9ba58910243210ddce4df640a34d4cc4617505046de43ebf8dd042bd208296ad504ee4c7d44f0ca94ac8704efaec6562309d0e0d93e7543a9babea16116303b6224c55e4d0c0806b51eaeb1220729f0816098f8e244993eece2dbda5c24d1c59c6115f85396ffdb07ee4a380c7cd7fe79b49e4b670afb3a0e41e3d66d5c1333726f66dd25cafd5b23f145290108d1e5afd60a458d43442b99b4238bd1b116e202c6f571f68efca8b3fe2ea271ee7103b18e8d62ae8fdc96b7e1f3ec6eea22bc199f0f6ee9236db27442450f32a0e852e5b4bfbb606bd4489fc2c7ca3d31a088ac3a0c7dad3b96202f7165d5a57f8299b6fb630510723281f3d1f84afab654a915a2b4cb493c36e8dde7e86b6ff91df2cb69537c54a4e9d612b84705bbe4421d0c3c7b438529aa4bc1d7eae152ea725fa8321ffce5b4acc33a768df68e304157a2792b3cc462db6ff41a25b5b0fe562e7bc476d0d6ffc3b7dae40c830fbf4ea43020fa38b7301c23753fca45a984081c3b5a744c2ba587843f130e89f1ae1f08b8c16281a39db3308587381203d34552df7df4a1e6d2aa4440e26594ffb0d7a0134012a20b420282f60aedfc1478eb0e13bb8927972265462a95d7fba87ea425249536caede0cb6783a62e8b554c7d7b28e6d13e6e1cde54ba20e71d4a6c818862a177f74b9490d6281ae92f242c16b23c22cdb5a3bc5fc511f1775f911426e3e545375e74371a7c2c40af71e93afd240f3f69d2a9e90d1dc3092f19c57efda9e62e8c52bcf9bcea806f93f950444bd413fdf0440453b08aac17655c4477f0debf54ae7660ef10e4172bf28b7db11a4498651bede28b8862c0c83089de0bf420e9d4567914f70da09bba4816b8e38c94bb81704117fa1b1500796b9c4ed2efde202aa7f1901c6f1b30c717fd37b705431189a13cc019e15ceb44289a29340ea876a5dc42adefd86062ef93889c28a05901ab38f4e6a480ee65d1e44920e53d886f29b3dcbd96fd6d3575cde377807d1ed9c3e19ed5e81bdaa9677c9ce8697ff0ea8fc3f7086c780246ff4ae8261c52315f6de7043a8fc02a8a4ca5bbe13b0f19783194c344a06412c44094e94d0317d77173a7e6ee50ced15e202d1e5c0cf616c31fae53f5179c8160091961b9aed1e25ea5eaecbd91425cad4839d12bf0cdf80e1f7a9e809a74dffb12ec0bdcc610a6d9225abee9927104b61076ec42d25a30e74d30652919746649a933a082fcfec0893c50aa1efdce1f58e2bf04fbfb0198d137c4f56bc146dcecea5bbd87c03197113f278da63cdfaa92bebda52e790fa7bc3dc6669e9c88d57710f9d99880638a6ced75b24270a7b3456f73a247eacdd179fce4f02403c7f62e2f178ece290179e2e475df82451b3d8043febf92978835df3b44843c8919a162e179806f2ebb5e6edf30aacab3b0b9e4ab944998febc6571710ff3473d12b7347748ba34cc4923d401592be6aae78ea79c3b3c67f2283c6da83e95c7b9b751778cac836ad9871ffd955d1c6fd46b56a1472763ce3b363484d59d35804d676a7697785efd41a2091adcd51e5adf5f85d173717d1f02a9f6ec1180cef6030f9e45658160263ff66a6f501fda4f3737377079c2f91f80a6e5ef168f0da3dbe74f8fecdc0f4946cf1495c17cc8491b4bf2f352469f34779ff1ecbfb6877cb721f7d684493b5649bea70cd72aa9f227fe499da899d8e48da04c5ec26789aa4f11426d8e862c86d37e8952ea3dfbea4018c86f99cc6561bd0722a38ad506fbf1604c049841367797da9abe8177049e1de504e58a7ca3b57ed631034a21de9aa31413a9773430723957bd10aa66f698c82c778819c169a07154b94c88dd16c2e3171c037580b3bce41002ff4e47137de29461b9f42995ece9ca71aec18d6689e8d6b155ec2f4d7f206c96a16cdad7c54177f2b71c5259990d5a1a3baf9f1abebff124c6655cbe8037da1b6993f76f1ec4d56dbe7284de6c1d56ba8a1ea414f1ebb8974189da7ca7f063048bd9024c9ee5379597c8bd07ff163fde33105ffc63bdfb4704df5d2365451e7913467da019eebcd7074d708b0eb179a6f43d3c54c2668e48f3d1481cd4e34e2a89ae6d8587786f6a252c928127876c4fc017e0a9bc311c05b2cb57532693541862ca177c43db9cf20ac23d70b0863e97d784e816a027f35d14df6314231808431f79fd634e415659831c1a7c1a3f0bd0b9f59a8bf960be5aa7a0a89092a2eb379dc267605cdd21985f0234124a451af03d43d3839c9684f642327598c4a7473851df6c571a3aa2ba5de935c84b3b85de07b05f2115d8f8ab6a00d68626e3302f1b94db85c4a54e99c001a2c4b1a97347c3a728be28d6164dfa6af6eeb7f33c5450e83b14e95d415adf68eca9b8de24e7da280f83990550ad2c0f26bb49a11f5aba092ebadbc342ccba765d7c250f3b0a8b941474a3288d023d89ad97cb051ce9f714188b8bfa9effc1b5ca679c7bc83d4018bb11616fc8fe56023cdbc8f79b01113ce029c408240f57f96a8ccbc58441d71951943464d3727754fe94b96e2d4b6f022edb3e9f719005aeb748a2c36466068703a8b36084c4e70a48a05099c85ebbf7f085cb12282df47305094d9ac48ec273c86352bc292630a138acaa25dfd972b54871a1829a6981bed62a169ad94b8372bd06fb2e4d4b329219a702a2f996896ea6f8e9414f81c52b6977f87b9d7db7f9ab9d69dcc1520e41b55fa9c1ab72960bbba6a1bd37cf412300e2d78265ea16de4ec4fcbf0e97460fb56cc92474c554b500d4c411f708ca7f69c0c9a4bb5a095a23ec79cde709321734deb3ff2aa49e8203333878964c75c16719b422bfa6089b290a764492df889c327158007f531742645af798045fc613093bf107d5cf11713843e6bf5028efb41cd0d1e93f988755b96b82f03bdabfe7df0c4633142289ab56f041cde764624ecb8c2cf0edee15730c8a2122caa9f17a8c7028bce989769ba0adb7e818daf94bc72b9ca2b22759d9f00b3feeaf34e86e11e832e8bdb65e5acce99894e0af49e5d3f9421fdef8c480d60c475287d1684d0e34e70d73b28b23faa058a79bf7216dbcfc19e3b23a401f59077a8a742154435300a4c3b2e9b6698f583d25b37a02b7bcc4891fbab6c9823668fe9f7a6c807cd800a84f037c75b4d615adbcbd6108a1068fa4f9d3d7eee4dfe892c766a80bd4dbe5872747ed4cc7412c0a4fc690b66baf1f0df077108e43af1267b89e71487545ea4f7ce85a7b26c5fe5f4846316fedcf53dd11618fd83f2b1407298b0a9e4d3141df0cf3ca2d9cc95d9410f279636c7fab11621d0c36a237e2ebe0cca8192cb66807f42e2d06d1856ef9e92021ab2d565467c3bdfac556c464b5dbf86fd363d793f121e38a41aa6e247012602788e702ca5760342cb98c350b880925e65e002e76bca785e480c7298a6ccc166fdbb0ee5ecdb06c2fa97ba9c5b280d5906b26760996de7275ae0983abc4a4b0a5c28deffd25839d249fffdb30dad88f3439d8e1d35f636b3d29878931974cebacfe9a24daa3a1e58cea1cacc056fc3d828d7218fe0a41778ad0998149c4541a75e9c03384a7339addf9076de2e9421e08b3b74d87a172db8deedd08acd1764fe581fde10f0fc4423c0f7cfb8a0f575010b0d8ae98f7996b6be9fc2ca5e1ee32be22d32be54109b1924d30d002d62a5c673acb8633ced10925a760acae277dc054444c9e0e68874845706b2b7d06fe49e734b569485c3d92cf6bfe9aab230504e824ef33a87d30b96bdffa15f115abed200f68f349fe6c83bed8107d77d8706e8834298d5a66aa969b588c524aac377508ea6720161bb639e2ca492961aeca5bcedb335213ac4806cb4f9e15c29974d89914d37622e6e33afb7e6be874c5ba87d81a0dd124f23d5c2fbe0093d1831f1e53f90ccf0be8175471afe4bc0568f2f45ef0496e31e2bd7cb8aa2aa1fcd339766eb93dc0d8485a1c5147885fab089dbc20bf6f7bd7a75c29a50f2446074b4be2cf6159fe895e1240b8f1e691a846ccb959b1b6685292ca705a4fc9e4bf6d48973d92fdb9b30c88f7fd598e5dda529cba13d3eaea932445e2976956721366c5ef08ca8a36ee8b50e1c46b356a8bc54c2fb8d504084659becd6b0f9713a1d4af10a335553112b570fbe607a957a9010825518d8e1305ab1b78ba600ff26858a41888b4ea91954f95d89d6cdefa4b33cd58213540bc88d9d9b1ff398faedf3ca63a2f32b3c6433490d34775bdc285d5fa9b6080179ece821b0ff387b477717eeaa0e6d948838ecc7721dcf7e78aff9d9a8efa04e86b9cbb5446fded59aa6f863e825f856753040f54322ac12dd565a184df38fca93be65be57ebb5022b83a8397d2f6f8a042da3a1299522c9956dd5437f8e06a8534a22b449e2ad49da6e8a5844f47cbc9b57294095540f4d112a81387be81fdc68261e6a765f005c671471c70a46dca20728c0500d2d07572024489b5ab7106ab9945b2cd8df14067bf79e3165cdf91839cffdfc529b7673c3df590066e3277613b721c66034817d8ac2dd45d705f1c13c2e1d7b4411f1a0cbe19e618f95dd453f9f91c97da4808985b01497cb58cd69e8819c56ca81dfdd33ad2e4408e5f1f665c4374edfbb3418baed831c31baac974609d3a05d9e703042b4fe1ec73d50f66a2ea3862137a694932373613a2786125fe8653f436114716ba583ae10c5e92d87aff4d151f81c8d6f06fd97a1df30c73cb22c996e0fd2739967df50b6fec03cac5351797425853c06adafc728af2ed39911cb97fb54e0f90a30eda99e33f9039fb973010c1ff6a95cee6e28af678bfbd9ecbbb03f8ac78657279e4d99163dd45f819e82fa6e2f5bb794e906c850cca0535f757f2867ed7d20f06469c6f0e95fad62eca4f1f79804bfbaa3e28430130301548fb13645cd675b2ffc98e70434907a7e626b94cab768c1f25dfd521c3e80b41844afe5c457d7224204d78358a91dfe5e2d792d7b7b410750e81f5e3c4b5507912b470d4035d9835afe05614a938dc790bb9b3bf3af7f66d83f3fa7427c0a0fcf17f10ff7f58649565048e34d8b91eadd75f04f46fa0f6f5f7ff74113f12581caf90205d953e8b5bc56a75db9d0aab414e3ed88a68b19eaa156896f14934865891ac39733a40ddbf08758b6d8eda59d64d71007ca3a7baff294d5cf869a6e43e0beb623b832d40fa6f6ac1c2f322faa4fab039be48cf309ff510b6cf8904201f322c8282d27b4c99cd85884cf092ffa7603cf51d5a1c7ebab48a95e43ad84a6c6a382090134b93f40f32fca940c7b292fcef6103692347bccf6f6efc3a64bb93ade7f98ac21d79d0a9db8a47286f8150f352d7f09cad3dec0736aa58c70e2edfc4a701493ef3f1060614ef285b25f0c39578b7b8ebdb0ac6090d51b531bcfbbe50c0fad3d946b510539ced58497bb99a198959590818b365dfe2ba1b0b77413773430821f143dac8da378ed430a56e9c909d8bd39e21ed648d89851fa4116a487c5418c08d6cdced8c01db6b00b0d77191f4bfb3dc837215f61b1703ceb3d8e02a42a711c4b96213390b59bb8b4121e48b210be403591dafd4e987b4ce66ee1d6d919137e68166ae940180a3d254ca5537ca6fdad592e6269540107b3a2a231c61dff1432cebbf8d944d6ed57574d3e29c7bfa20fba9197ad699287568fe667d4dffe70e7bcf95c1a1a800d2da805cd57cdc8ddb7f7d96c860156197122da479a8e6d955c76ebc4432a4a6b9eec1e45da914c77bca89ef9c442e58f1588b3a38bfa8dd138f618e098f987d94ff3864e2e5090da6496666dbf029beb04054bc3ee417e59fd67b3cd4b3581744adea5c230f051bbfd602b8e94ad01b5289811e805001718f3037579c44e39d2e58808b76012f1452b784d960e18676032ba1acc8f0a2f43f0c4119d81a854ff0bced61b0402f3617b2baaf5912ae1c99cde35dd074ac7ea1238fb5e31a49c425bf7aa83c5b461bfae8842c7b172bf2c9d759ad5c02703da91bb352ee9b20ad9f569401718d615c95ebe7ebe8daf146d77b59b3deceffb67e4d3ca489e4975c1c9763a3612e87be30ddac6e8ad158778ad7fb9f8f02fe5e6057cc17644de962512911d404b59e033371452871cfc889e191382d4f95caa5dbc65e7dfece40d798b80b1d372720ab4736d71d5e78fe94b8f8bbcc11c9de94cfc3c23610b67a70e61fc2a5b091bc07824c1467440b5eb0de53dbca21cb114f59b3c808befd39f876777945b3f908b95d6a3afd61a99599ceeb533fdc36fc02ed996d942dfccedfbf7ee53cc5524afbfd58c0a6f8bad4a15b67fe25d4f44851275b8c828a91a0824c3f3b80ee6dff7f1cc210f3426c9f6969372ac225917306a967c572b87cf396f379aeca3f51c2241a2d8dc84909b3247c522e742bb33473204e4efa25f334add1199d3d3effd9e3bad76aeb78736c4c2a83858111f2c0bea4b2435a038b52fb4adfa151d75971d933f23df2aca55e649d7b4d2d35e4a7e2301f31d2bdbe3d9dfe55641bcaca90eaa084e0d95398f7b640971f886b360f2f2716cc98bf0679d06e38549148ed56ba144c598a962617128213c33b4d976a11cff009589ae9b1179ea037387435928c1ae2a2644ced552b5002b2b1045cd61b49bef9438df9272a99074f3524e543a24c53ff488556ba7f1f133b2320dd38ead27895945a50d1194e46c32234d90f08272a1375cc5aadf30bcd5dbcd0efdf8fb0531aad382609cec2e9c2a0c455a5c6be2d4025533ff3f7c2952577bbe14502315b4665e2ce59a3e16ab4dfb55ae94c25dbfea70cd310cd7ab5766db2ea7d7a07498d4d06c238920ca52bc2dd570dbaa729debf722f7e1bd3a38cfd5347971af4e6452b8ecd53fdba317dbfba97403ccd170a19acaf051519570943e9ca800e37dc286abeebf4134da43b80b7f3f53f0dd385566a177e04a769d8e493474cb611e063bed87f88693c93e7c8f1ec9a9e8314197a27627292a8d7cd86ce3eda6d537960a1338dc5eee35c20e9d925081d5220dc57bc8b8edf2354d461ff037a12650f8a10ff00c6a09fe1b8ecb5dce4ba37e7e0da9fb801b06c2910e4ed462968bcf033d2730652246a851311b6d9a93cf9ea517b57cec0d8ba15299ed6c057925f2bc26e22221eb276a8d1ebca05dd425af1023f1fb66fb50ae08f88d4feab11a7b15e8839ad565c0cb63564dbb26a9a3d173cd0b9a52ca1c936675153505eb7216c9b963c65c57295816ecb4f166cb14782af8e3541f2d050e9a6a872ef0a618b1c112f0de05cd62eb6954843c3ae3ae6a1c8a1dd2a381f96d2264c7377b29af1512e89e2bc12c9e348bbaf3d042180a94ed2106337e426e58ac11dac99cecbbdb4e7d739650070e80df298505e287bf23352b3392a43058603e48c20e9542f341eb89b5e365bfd1878e51c4f55be8e5fbf9a2036171249b4631d06831feeb4ab403f7ac351d09f50a361841a80d2444b5f5480c0c931a3261d36176e8cf5f2fbf32ede757ef859e00a4b4e841a63a4e65e7447c4dda23dc6b1cbf2c802f0b0bbf0855c8ff1cfbdfbcd02c462e307d33cbb272be2e6a0622a6a730654ba411aee57c575f6c374ee8b8cd62ba6f8161de46291efd62f5c8807bbf929ad94189d0d8de8915d8ee5d43a04c95c025c3c2f3d8ac31e031daed68ca4244732c13db58374efce6416bd45c4c29403a4813259c3d010a0b861d8e56d70460ef7d41e1667ef7a61deb7349f5862497bb4edd69ce3c8ce94863e7a19c8f150dc62d16d5f581a9d109f2e3d91aac1849c8016286102b97523b2dc3a0367f15c79649b0ccf6ec37e72a0bf804edc9b2b0ff21ebd72c8c4ba67dc36e478761e2a2fc2f4ee25bdab00880e85b815ff4707103c76aa4813d74aeb69035e1caeb46b4a51fe2dc9b3706f73478b7e411f7e9e81ceacbc27979bca251591a23be60cb2f00a8b4cc3c36f8e9b32350b0be73d7c29e0fdf63b053fd21c43b69c2e04b42badecfd8a7548a7d0b311f4e1d230d8a6c32f8bd7738e10cc0748cc44efb4ca8c9d5aae6de3e19b12fdcc597abb8dc209fffa9d5b7acdc044a97490b7877b2b13e754023853c55e674c067ed36d67db3b952563866698167eafa2d1878588ff0abb6bbe4e61b8f4f7db75e315a9cf5e39949f110b540120bc7b3bd84dd463d00df71332b01ab3304358dfc5a51d4b22a0997d851cb61e41d4e1a985e565d99eb8d8a8c1ea7b26b09cf3cddda7cc8669b77b8eeb70e0590f5f3ab2528b3e19e4d428f991a5df66cc73a821c501769494d1bba0108c8c894d91a58a59d432a43d8521a0bd616767d7158d77e530f3df4890cc71ddd0972318f04e6464d832291e55eab5d5f0f22e341e489a3c107c384f03b0c850a271d4bcee9591b332a884fccb6ec51f3b9363146d5cf918893fbdb78fef806181aa9f09c7f5e36cbca52500c85eb93bb84ad292363a6ce87e43145257b9df6a1f1db5574d3d7c6207da286105e92a3e0094f480a8db3e87a5c289525b0d18a7ee8bec7c13fbf923b9a14df4a66c55ddc68fc8f0ef2091f81d1296f8d4b278458c73ebc3d1fbb9b7ab138e9231986e9c9b83a599a2b399de243dc822196dc57e5ecd43f545233147f66fbed7451a4cfc4bc8faf720fe69efe335009d80543e22f3a898dcef26855bc86867f00d3556addffb5007c032640ba8b1cdd04d78405e2f2a2c213ef2c45b5ea711097753c15f028d4324a0fed31d7ad879302e9260601d03c9781f884cf858be31a49a55aef51955e1433036200ff55226227d991b8246d22e2e3a82ed9c54704b6fa8997bcd25451a2da4f92aef78a3e3a129a85cb076be89a5ae79f1081782f83f0044b76ae068c4860b5f315e3537b3ce24357402b18fa4c188f1a782775a8c16efb6bc868bd027fe79df5574df476357f3a00ab05894500c9964b14980983ea9e028b4b19951d25210d77a8c2513eec92856fbf402349a234944842063ad3cd2de842b14e016c13bd1ba0647f0c6cdf76be52b58504ce9b7725bd7b6c447060e949486ee3da6d9dc34ceeb2b79148a088a8abb7363fe3c25e96ab74970814f86a8f6392ad956dac9150ccf6b27e410c885053e313f5c9da25f52515f5b93bc4d592823063f84cf3d21404d4d6fed52025f3b653b82a3a273e9bb90f441998fac441e577ceaada944bbb1671e8f33b8dc3c19764b64485e0a7c095d0321a1c1388cdf7e4ca2a4f2a7ed49b6018550d2fbefc89559dbb525b31b9c136406ba347e3cea54af9515a3111d820931c234111c0570183e302ad9eef35d4c111904472cb5addbc2fb2a268747064d2f8c94eb9563bf93d4ce4fa91f908c3a81674d74f4b35394fc88f6b542fe87cc2ae3edff98e0f62c1aa0cc92d536cadec0e83eba7364c0c2f1e8193dd9d70454f4c95a3fdac00dda1362286aaad8ed86973e07a7bba0f92657f60997ded88248dc8738a468f36e7597f71d4b1fec4653c6dae5bc56e3d10289fa3a53bda1c84234945c303da1974a17aed860be63a69c16b5d7de6038b6e94437d3aa63a54dc639a60f69dd24857d86a617cfe837800cc6c5a03d3030fd7879d9a76cfe094f27d7db9bd2f0caed3f9b506c1d112f39410ec0b6f46d509ebeaeafbdf956e93cab08b62dddb118586d9b81c443dd930b1e5da20ea4b9b5803d3d834a577ee71e4cc5b4fca671d5125d528084cfd500380f64b284d3ebda1a2a733d92d6b47fc2ea6fb91b1c98292756468c2db73d33a60a43847003ee4e9c7cb7eac7cb0cb48b3ebd074c96ad146e711a863926d73d884dd48d0703200275be7365347b7a81527aabaa2dd1cf119ced298c902de0235ca3ac89c40b83ed1f8255aeb9581cdaf28e448ca8dd283b0e2a53d6e3f1c619787f067c9b6ac5d1288688be87b4948d4fd2152a40df68eaf4294c4273f893cd5d9737bbf59512d35eaf56dc80e0e4f406eb34abd669c2366f2eb8d5764acb515aae836b98e82c18eef37f1f1fa93e527d87b1fc13b853a9b5da40525131e2117931eda246d921d06fd457492b09ff8ffb2aad915aebe0d32ccca186e254d38845216d6676343250535f00f6722cbd1eb73a94b4857fc3b36f7406296345f1509226f12aed9959837ed7ec5b303ed5c03cd7cd78968c095e66dbade1c4b5bf69019d58c14f794c5bef306c44acc06dde8ab8d969789d67df964a8cc30e540b07bbd4e1f91e218422a699761f41d32b68f0878699895cec791a392222418e8ee7b8b27683471c42e8fe00126c14bcc9ca6e6c4861bc762ad2ac3be8b028328d8214e6101dd1fb8062114b1f56da52d015163a1e705f5e898148f6a77428a0cc2b48cdc61a672d4d9438f928f22934eb94948f43df9cd58ac36306a2577fde0ce5ee933c88da73f10992f91114fcb5d62fd7b2d7fc0c23fda74df67a6f1914407f9bc1ef4ecf8a1cde4ca6a549f3e05e23af1dfd083966ff2090efaf6c14845cf660c6fa4ba8f2cf62711e23c322b92f2efc9bdc1e079fb2b1f01958b09f0dd2e1de9a79db1d50428a9ca45ef739429dddb6c6515468c04f5eb841b1f11481c1a6edee6a5e3c6377810a0a871f99c2d3cdf22b8dfc16b74aac79ec25a3d77e06d272340bf69d78ab89f6d124eaee4d431a2675b9c319f530b05a18864c93ebfa521842f94f65dc799f911fa01c2ba3b3dffcc0903eeea10d1c4f3bd7b083ba762db8c2c3e37be24ca8039ea461cc447abfb98d596ef88f685bbe8bd00ce4ef4e63139b0bdf4961a7b349ebc42a0c146c5bb804be7c68435ee532df3c850c8f8234c60f6ecc921ef65c57a4d3fb4ffd08466bd06cc6b892c18b0c047c1b93bf32b8d2338995f1657eee140f0ecf1652d7d97e11c20e04fc9c843cb27074f405caa95fe93d23f7296f2285486384b99f9dcd0b8c2cd4c7fe236f563d2b414c0ccbe3fe242dc7899b11a3bdb838241ed1a078e082a3f0dd0017e7f51033ea648b1366f3e3557a966f3ac983654855e2ac3e43aa40ada283a6d71164a3b3e8a0adb745b77e37093c655020e1c75d330c00c9840af2ac72ecccbc0fe91ee3af7036ab6fb3deb9af5f73c4b4b5c65a1883af2267b43f5b4d3f685c66e226c1e6f05b2b33713010a18a3a78665bd1f8e4c9adbabccf5bfcc755743453ef319bed5c99978042c9229078e8a57030523517d8dda4986ee57fcd2a1ba03f52fe18fb9b1c29511331ead4f30527f98535f6a5507f53c6471612256a7c29e1f4b6678eae2238c66dba9a9c81f5052e7e4ec76c2acb34a25b36e64a46f5d0bc1800b77c98f91e398ffadafc5fe3dc6f15fb871e21ab307b01fb2d672e89bba1926c254ca97ac8013edbce4be2ad62890518d456a494b91002d0015d1a48212be2dc15e763b48d1dde231ccaf2c53073b6c39bec2b3e8b6e0b09d3a0c98cc4086192b971b4cda7b7737550e8d6634dc619713d7c7244049d9b41dacf67aa1f3da0db6a32978a81959bc036f8c5eaf153380611af34337551a82bf42a96bbead37fe21d8bcfc4ffd2ffc9aa61a3cf14c573904ec79110799440d30710328604f5ab0803b8d14e0b5d5a32c9fbb076c3a4ddf75fe43f16dbe3de6d9fe2635c60e5845542da959ee2676252f55c86123072ccb9e173a31a7ef0cb2b3702dfe0da380dbbd4d3fcac00fbb2ca0378693d512761ebfb077aa1408a09fcc1938e206ee87391171bde546302ae8a911fccac77cfb1a13c3b9f8053461300e9d2477e329f3c768dc95b6f3d18f940f3f886896aa7734560cf86008198a90af8e3c8163486b1e104e8f9f6228a9238d15d3bda2f81c19ab7d7435546873916652ee9ed4b43d64d5ca20785aaf880f0bb713fa273a2a2e8304cded6ce2bd64862b99f9cfc55f7ebefb15deb782dd0e0343190e6dbcc9adc152a8b99480ac4ab3c962e5fdffde4563fbefe3c7f2c72fa826784f63ababb06218768f4b6c09cb68008630cdda6cb9ede503f6b494d14ef0e2a1cdcc3bcb77c390c884f5bb2c25e194bd0bb651fa468a63e0d3a9bc0baedbcb0ea84500b8b43d2acb1a1456fe131972e93097ca42679e69723a3f254bbf4d0b498b519f41e6a37689a321bab19c0affc9bf68e6c861830ea5ed846c101ad9c6bc84dadb1ed03e3b7949011994fdf8a3aed564683a72bc2f9c9a53a1093840657c7a5854a8238ff269329722386bf9fffe7f77cc2eee6e660510b568563076248db4b77505baaa30036c195acc8824dd5ba61cd567eb8d094006cf4ac4ff213557fcf0fb21892d71af0e85a8437a380febd54ef3d5e544ecaf83250bc80159412fa7b25f86f21d3b10202d91a6d4dcaea11a334db952638b911e9895180d3af45f3555f15addc4e1283b5bcf2780819a5e607af429ed50709d087225b7c6dc0bd1be480d9b0f230384e86cfdc94c1feee37ef79fb148efba4fbbcfe9fa1aa2d48a557ad5a9b865e26aeff87d0c15bd73410f99b9e496145cc077d997dfe0e1d360ecb695b25688cd305ddc912ed38af7c4ba286bb6dc1d6df64958bc4635357f3773f7ea76fa3323c9a092f430c55179578368ef9dc9954de7af72c20ad17df6cac5ec72d632a2286e0a55269854ddaaac70eeab3c7e974fe6f73da8fecbc7bd45f2508419cdf87569481059db747d6dc6bb356c0931d7bd0111272ecbd0801bcd9ecd6b0d7152b921f3eba8ad2e6437d0045bffc45cbc3da37adfa5a0b29be0a8c8546d7c4c6721790df155f9ae38c4ee2f0aa56009c8eabfefce38dd3ad39a98bc1d34a1fb3ff93a21892e706b803ef1cfae2652ff0b12e74ceb341d7172882e571aa350236156498b17c9b5621b3905482fd78f979d69e91f74d9bbfd086f310d3b6521b826dcd1c622f5bdc185aeef174eb0dc4cca6990ea09e83ffa9e99a009cae11fe406e8880a9046df5fb81ebfdf4e3a421553b56e08c5eeb38dd09af4a912aac641301ef1095a245e15d137a633acb4e469315805e2766531722b8a2f875bfd8b6aaa0098e810c296e77f6682aa6a8b06c5ed850fcce929921be9f9d81f1fed8f993430efa8335f8ac5d08e8b355afc597be757c9d76c31e92352f1fc877961aa7e8ccfa9bcc5ac3dc59ff796b59dbc58f945a7283848b6552ae380b1df1a3c3e9d8b67e9458811b3053abf6fe7bff329e6e7df7c6f3d513fc9bcbfe6b42f2528602a1b4314ee9218fa1013a25194d405b3aef274d2203fd6f0567a7e5b498aa55478c5a544eeac6a3d9756cfbc0165427238b3d553ebdabc99dd575d3724d9c00f405f41fdd7d3244fd9820897a97c3a0fae469447f48a61822432643aa4e7f2a7f7be956675d1f460f111aa9e630730da9e0096caa13a054fe932146cc95f1b6d2671a5d2739538cc69f03457e302d998d89059e1a45707cc66a6ea8a94e17539e9a735a2c129fee395317d30feada724e72bd0527a3e30f8bc9b4477b8312efb9445622f0df496b6ce0f62db32b5e041be73b6d765c477f572e5f9e739a77a417ebeff4892243ac288aa3bf74b236e064a9c89106453e24311084e3d42cd748ca009d35817da8f93f18cb442a3e381d49ddd9622ca8f54a4eac8dbf6cf01106cd51800663829ee0fb534997900b9847e3f38a5637dbbd73dd83012ece0b350826b62e56e726c464cd8cf26fb5d77c8cb22379c2d21f54496d807d9234af9af9b65e7d1bc11b9fc7cbb398a9402347f8001d0de1a3031df0cc0322ed5f384bf57b76fc6b9c05f0b8aeec849632da59be5c6c75bbfbaa39fd76619f9ff3902e6d07160aaea2883b6bfeb267628b4d6f6d8ff47affb8174a7cf8e99ea9fdbc4fed743d8253a86d854123062dee12c9caa6053aa37d8844f76c230fd86ced8be208a52476bd7a9fcbbe76c05805462307d67d67e7be872244014cc50c94bd4cacca2473a44bc6fff19b2c1ac4da9299c396be479e13f99f10dd285fe143db45e621e94479a6bcf0854e4ac717e79b3180a56140d50492c8d44c1907713b3b54f571fe6287e2d7530b111fd4817c2d01aaa3861e7d212bfa225f2fcbf73462075d7f2e6654c7acf3aef64ba7a697df740ad4e9ddac9f1ebe8aa42f73994c41eb788f855a715bcb69a6f66538fee204b4606e81b8cc3b2947cf8d8d24bff7e3ceda4ec3508c53392def369596eb1937b7302952715a8af748a05dae24f512b10b78eee9784be25dd85d598e129284d971caf8cd7daa2c6648c183d4454df984047f9d0d2097cab7dbd1bd0b2754569c1b257092aac39103ea1c9229e46901535e77a570f0c214d026117d5464991c7f97bffa3ce179cbefaa0f7d65e0613f5ea5897dda14698ef3430a7dbd1f8c956f3949010925b1ef020370dc7ca9658b8213d6979151355e26d675fcd7bcc6e5ee72355a1ac6f38e2716773d21a4b856a8044974a32454ff9fd3f46278fb1021739b25a75d07c88170a13efda2d8671288f17bd82669e40f21bc9f86f8780b2958da335b820fb1a93689dd84796766cded39bd8725af0eb361eeac9c1a7f9475ce605a8c713d135e728d775db713291fc9d1b0e687cf8c1ba696106c1146cd3635f904780cf65aeee57ac82a5cb000f2bc2566456fcae946325600707059db7fd3dec2db0983dc9375f0d8471eabc748e6cb882d869d5865193e561a449147f44fc2cb069aebf07a2b1ba30966f20d97d8ce843337bf35213874ec328392cf7408284c8fb77e92f1d2eaaf2e8c968b7a205142ee267fe32c8fcdc2e69dd5aeacaf89e953ff790fbc816bd7c2c2e45183329a3c59cebe12ba8d19b1a358e67f4bf06c9b07bb41384d9eafb11cc1593feb6759bc0febd6ad8571f5ef88c4bac003430897dc19fb6d77d8f609b88d6ab4467e4e4b31bd0af289fc429afc58fbe394ce97dd44a5a3d03aae844ddb6711b4f67d2bdf88f3c604bf522184c2055daa0893d4a699c4336eabda303b3fdfaa930e22ae8989d37d5226588c712e635b9204a61d93e7fd3b06128e01e48e943050be4eae2d852c95d615c065276edd09c5ffff17f4da9ee0274faeba9c043f39a3f9ffc7b1b57fe5ce4d538974311cf876e708a2c752b0e1ec9c69f9f8c177d08b547888c659af4f4849cda3a8bb55e1ec279545c2d498e911e617ab5febcb06d7020a262f5944c18de0e392e82c265b00d11bf194793b478a02649c961784b925ddf07aea751b24d02c91a92d6f3c4eeeaf25b05bc5359dc6b088e1d26c322a45421619a0282d4e59944d4ef2e0755350a2b8b3a866f7b198199f7380bca110528c99170c8168f9a26f0da2e6c5d778332791a3d33d90bc487561911e269b6c6f33fa0eadcc02a943906779b734b8ead4ebe855090c98852788af3510eb95c928803e64a4b9970cef67003a9dfe0e28a61f1ea93b9ec240f449a338c2de8107298ed1b0fd7ba92bfccde6bf26ad4b0c70d9f30440beacdad4b3c81cb4d1e21ceb330c6ee8361d99281ef36a6a681a53505f333a64cfdd8ce2be3aa6ebc7661d29d3f31e724871f14f2a256dc6a47c13fb27c5d62dca45353cb9fb879c4e1e33f2d89fa025cc387068c37650ce1aa9542d2e063c09a2f4ae16a31640d7b905c7c80f00679f814518c9557e4bc87042e1d6f4ccff6d9fa13d0bdaff2510b5c4c6d7833df50d76250a6b25335117d8a3205b42f8341ec7c3a047401fbfbfa71f17639a804eb2be133e41ba6b511ae3e05b6fb33c91ebc6c870201c867131449e6d30523a3486c7168a0e23cb4a3268e6795ef6181ca84a5c67479eec4e160510c21f234afe322e65c700476a27fac73b2c0fbc627749c2af18d6d7fe21ff0558de1b92877c8d133bfe002c3f394a172c75219251a056e67223acb620d7f9fe996b119f0d60c09165b3a1a3236114c9d12b1c29eae7f911299940fee5c17205de200dfbee768cadb013838f4270b8b847951afb7b67f2d5ae240cd2bc6f1146eb35a9a6b7cc96b9f13cf7e346bffc2d9af2ef5e55c23b386a56ffe101dd3694771ae3e01bfc59b2602e1dee6de8513611c497f374d26e48bdaf0cd0c1c9689c92c9fe4cbde3aa3aec93ccd8ea4c2efcf50ec6894bdb14e75cd9eeca9b3ebd4c0d269e85cddcb9191521056e6a7951a698ef10e906e29a7e79aea4ae974b07d3793905f70e249d1044ffd75441d213ed7d44e9b1c71e3bc2ebad3d61d8894d9534ab5f0acb10444c6bf3a83e50b555b8f02cca04e7918825986386b0615024e0e155f560f6f659eef2618badf0bed607273f8a304848ff83d159fd44dbe54096d0fabaedd9e863a33d266726bd0b6fbd124ef900ff2e34388784c64babf6429bd533c9276a639d106fd643ff3d27d82c993b94dce11b9c7345d3fb328a3187624ac4c6e27dc70bad29ba81244ec782b3a77241a8b748c69ee79ce718760937706a049d3793999ea7b82672832190e311f0c0f70589c7859ee80236e319c10634c4be1dc6f0eb5c5900262e6c1564af002ee31a6a853a7b5a5620fc05937b2e166d70724dde1358bf89e4d4d7ffae23aaf4d57bfe2c2deb60b08b40f71400793304e1df69ff7add4f002c67a9b2f26c2ef0a35e9b9bb7d60cbc8c102eaf82faf425207f04386e599fafa78751fa94b90b593f4c0e7c9e40b65539ff77fb06c3e6c94763d52f7a77654bd2a0676bd5ac7cc2e0b71d6422ab13bb14fd6648bc11c89b2ee0807d8c42703688b00685f60e6e10f7c51bc7c04910331b8c64d636257198abdba13da1ac0127e7761e949ffa588e66edb0ca76d934476ab866e6c1cd60d3b56e301f43f676b26a2c2a892fc17f0585ff199e866f4cccc5f92ff232d7ce479a66afd2208076dbe0e67da315eea126b41d72892c23c7afff07304a4cf8261a11c43666deeddc89740f69ede4b140da0563e71f4d5c166f95b496a1674bb673f22139e1d667d8f47d642a4343fd6f41ca6a2a4513623929eef703e7703f79558f292b7854d0eb2ec2fb7ba7012993e3360986e6d3edd24e54551e9d026732445f375a321aae85b52d8e40490ff3412ab2f82af46b3d6213883479f0b96be02721ea832da96f160663524d1c9d7501f56633c81206b1dbd4bd381256a9d6efc40557bb1121af3c72bec97c22ad3e4db023dc23ea3c257e5b242b5204d435ca534853c6992d19165aae917572567ee0aeccb56d5e547b7dfb79b6d821cbca97b2cfac697c3c96df2210c43756cb5f710adb7747ca6e93c64ad61270af2a783965ec969a3a95da4d81312456f7ccffa0985cba7b7e2d7cd478718c857325541c44783df781bef4143de219d52785793c766bf7ab00667450da2a607deb4a77c12d5e915b15a26d625f585b0c6896716d5c6ffaaf66f3af270c2ac78ef6d61796045684e89a3f9376b6222b54cdc1ac5c08c05d63871e7a5f10f524a341c242f8230a1cf8a4d1ba3d8e7a31e76b5ce85c8485bd853a03b52ca3179202cf16929a22746a6c366ba561825b0f33a710b4302e1014d45952d804767235c483e593079413f80b9e61a27050fc8c9727b050f7ab0b65b8e94440d42a5715da32831e1a0f8e4d33faa1c5b205ac7f3bce2f3ada8e77ea742ac64dc9fbaf749b6e7c3cf81de57db4e97770bbadc1f5a710a982069f539d611113c921b739970a17c52cd255068cdabf74a32f3fa59c16b435a45aa14491dc7ef00bc1da37110b08ff54c1d6dc1ac9cb81dd5030c0a70393daeb9d754bd01b88396a1d626688a55861bd8c7f20a5608d53cf399b1b94b573a816f29c683da435f656020b6ab9ccbc1877204e2af93f39eff66edc742068e63f3283c38d35620c060ae32c857e1958abd53debaeb135d90befe3ee9e923a04f8aa76d12cfb513f233df4b5d879ac350f42f98f656a46ee08d78e3204b37ed37727beba8d3eed77dbc3b5f985757c5092917819958e9262585b47387da53178a785138042576039ab7c996f3ebfd6e4a41ffee0e632fc95d902bf88c42c9648acc9ed1bf90967f10ef5cbe0d913f97b4574d64ef31a368e2a2a24d049af096096a5da9f0b74eb2f3bf29fa8f57dbee17fcc562a4dad0e1914cf2ed19e6e68d768705e9d4d24e5385f4827274331572d0b14518a0ce50bb06286eb4e86bc7f71570155e83a9c248e0a2848aa28a107dac8c45b6ada5fbe622a0b94e42440e0513654ed8b46d5faa5ae3fd1993df20bb25d005fe254e94a0479686a3c8792e7b0c91832ade55e17298933fb0eb62c88111b8faecc55149591d399f316e12c476de26b4ab9edc8f2656968e88456a8f441156f4ac8d786e2be311852302a6ce1d938ee16fed71ac9961785fe5ecb8075480a42a788ebae8dcbdf0dfff47e7166e699d54d0ff4ba8c4e6dde7831bd88af7cdcb45e011405a7c9937f46c86c703aa9cc3d1fe1b4ac047bcfff547ce523e28d7eb0b469ed3e6e8cf4edf84b28304bed1b595bce15c2d8d466decadd453adde513608e441a020d5ca81af5e81cea4100b011b3a4276df61e7a843e25e590d4459e2a565c74155c99323967ed473f563c7f23659ffcb6ddaf6debe5cbf63048dfa6f72acaa510a07b83fe7091414185e69dfb76aab27071846e97cbd0c42deb486d5598525246eb6bf8c2cf17a26ca031280e2c1609f94a8ce7d5a55ecfaee95fe502ba75b22c02e15cd8455da4be8e34749933d8fd3a92e8c91545d8ae44c48caf76dac5af0cf4d585fb739cf006846ef28013d4833ceeb108d3c3d76e2ba675299264b3793aa99426fc117de43c5b26a39a6fec3f017c828c4878cb3de9c1cd3b4557b470470e5dd61638d222169b89129231f7c04d771a098e5d360afe15f00d1a3941001157b2d725668f09db8389ae017b884d82f31c5274fbcffb156687758760a7bf5efc21489f5588d5eff16aea78c961d16044978cd1e15d6b0520d509d64eb34d0acff27e9bbc843a5f07b050049478ee8b4800c3aa25b3c3986f90faee858390bd21d40a5ae5518d449f4349c33ed2ef77d4f594416df8b8aa4769f583790675c85b74977bbaca9eb0001fb4d38d004aadd2b1212d71824faf70eb35d37b88c1483e0c513351cc6a96f48da5e123bf23c7357d0881092ac97917a0fda04d68e919cdc14bfce9a504b59988e0744c527c6ca012fc0e806725d97e7196ed63467221bfae9bde78a3371ec3fabc52432ecf3add26e2d5740453975fa6ccba1a1ca64e1856280983dca770e5aec55a292dfc8d60c59150572417b9585f3d0d028f8ef54b879b983c673f36bf33c495691554c3dacb219d1b3aabb77c701a9fe2b79f3fec3985841c098db7f33c2f64a4637526df36d0497901bf17441b11df49af7afce7f11bb992429e049920a2ae93adf187dc9b584980cbe262893d6da020b3e84b11062ffb2eb4370fe7c68c5b2375bc5377c95f7d47b1fbe790a617df9d3311eb2855b091bfb3c4d5960ee7ab7e2ef833ccada31d0415fa56de62e33d3476050f322e40d898ab966aaa3faf29b7576233a5b597f05ab953ee157e8a9ae9ff7e7f4efcea426b2426b40df20ac9c56080050a88c4e0b627e7fcab72709618f23bc30f63215671650ad7055126df8e9d5894ff2129ebe0f2074ee60f412a0ea368a62186c1a2ce3c6173dffbfaadf941910a77d8d013637a510103fb781b4ad95c6320b1e259703e5147418e024b97a304175af6c7e2ba2708a2a7005768a6a475cdd8b65c37d882dd42a1f31c8c6797316d19396616888e57058c0fa70356520ceda8253badd156bad4cc74b63702f1132ce29dd711599ab957e4f09cda0f71808c45f6651c0282100398e0abab578cbe5aebebffd544824c336691fc6c2f0feb1907d708896e915999992725221023edd905c66fadd05156ddd39fc228302d1fbda83d3052bbf96a530ec951189b34ac51306f2a5cc4bbd4979f43c6855187a9bf115cbb15ad21bedc8a505493553bb9704118e52a803bde217803f2734877b625564b1d1390e5a7a0d7c6838d7c8a0f09b81e954209f315dfe476e95ef36c6350b913b748b69b9914fbbf4dbc4919133a890286565dc3d5b1ed0d491c673df11d6e82ff4bbe6298ee516d5a8096a332d6936906b35cf03b36a2df001f1cf58c7df5b4d1a37ec8c4163850a41019aa15e7b9cac356e87d0d3744e71498eea23100656721f41be651ac941355403e84975fc2163fde1ec199541ea9c0f45ad189a64b07a49218e387e553083f8f1a2096c8b55f21895451f4e3d607c845d5f86fffe034c29e6207603da460fbe69eec80968707ba7804b6e0fafa25a8ef4cac1fd4a7e000e90f89906aa586ee45b34aba766db57abf2ba7779c3e6d8e88095b4aec9f81f07ed616a58860282da9cbaaab5cdaee3b77cde4d3bc1f61616d8cfb095d05a360016630a723d2ee3fafbf74716ed97df36e709e9744876b5665ae84dd239daa58f7bc689bdb0214ecd7bac0d1f13e986ee03dc5b07efd92986924fe49535c550bd4efbd631b319d8cfa60ad000456c5c8351dd0c9c812b16cefea750d35989b2333953ac54ec64733ab3bf3b98bf62d4adc1c2389f9aceb7cfbe5b3526f161e4e1860fb043a483b36278c8c3fa2dfb21d2d216fe813f4fb0c96e1270e3feef00df3df0f25c0578c3eca37e925519cb8451b381b5f452e403b0a571e78c68cec23bcfa14b978dba5d0007b0a060bc0a6b6446c5bbcf6fba1f31d549f63c24e753ee851854110c463909facf7354fb30e2fc1cf2cf4782823505dd6ea6853990b40f7703738e186707afca1384d39cd30ff25bc3ac7476698739137683483cb9593a18f2e7a2195dbffaba168f51f3b82d4d9339a8914dff488354f71e6283c5bacffc5e5668745811f15f334080272f29715c8059c47911bfc8066c4feb9180d0e7ed1b6e5c4885f6db509feaf96381ef281f66aebb35b0f639be82d10280df678083eb412da66076c139f1789e5d91dd2aa099c31a719485a521d190a3556b1559cf5e5862064990c2540f70ec709b147f670ec4669a76b252d6c68e98ab9bead60028ac8f3598381798fee7e3bddccca417e9469d8219b9a2bd104b052126539ce27f44110ff3b310e3eeb6719226fff933a456817178ca865981bf6158475ad91c8306a98d9240aee4a5781ef5b548444ad513232062e5fc6a9c10cf41acd1a0fae4ca46cce55de26dbf1dfa1394555bf4907cbb88f23640906ec5595a12c00abefd823ea3c0c9e53dffacdc01678d379e399a285e9a6eeab11fd920da5d3f3fd4570296f35d1cabbf4d833d8370c7b7f1d68fa6c30dec51c3ae6224d419016aee99146eec748e71e5bba1f4ec07bd6b5ceef330f6cff719012e86be63be5f1c2676cb86345a543bb001e1e60fa1fe7726cbfae98d2d088f79b4e2ca7632de4dc31363b0cb1db17612126f3e0b7039bc9848b8375dfd67f672ce15e94592ce52b3d83ceb11457c226b711a6900430925a3d1007360c0bd113354c2a56092f62dea25f06c0a45657df4ebd6c93ceca91e6ad287698d9142e610dc31e0edc7e117e5967ca0dd7d72edbd1b0cccc9bd012866b6b42a00ec27332c53fb42d17782ea7448a188f1b1fc310003b3c08a4d0edd0d8e4514c0e8c6a743e484e67cc567043b11b7a28f664a390e35e375f3ea5f9af370db89008a9620124295bff6dcaad0aad978a90483089668530055ed01669494973a525e2507e368f41e35caa6c7a9b9a347678918c1464c51aeaded8d2fabac704b3497e4126aa80ffd8366d089eb829528436f8408691f64ae564c555afdb471ce9971c1476ff8e314e01d6300cd97e9666ea7d4ce91e7fb6c738b12cd6eec86f2ae8fa6faae03fc147fd4259cd8840c4316ccf1831120a441334075126d3cbe9c9ae2bc984c348384826527b2b9370751ccf1c5b8dbd508bfefcdaa7c09012c240eba8710200df8102df31d49e397bad7c41db3fd0b11e2d58d69c160b68edada2301cc4855b2bf751c07d5162b601427d2a70187bb4ccbf38a9bb509b1e95e34d8157552a4d51f052512c58b5a8fbdc7987e6e6d03ef303cb9544c28af612794f1ab3ac399053dac5a78ad0c159226c5de13280a45e315d02f9d57de65e343cba601e7f372562572890b2ccd0402bf174e91a49fd1a82b4d70f42e887bb2124beb514bd5dc178189826f5dc04996c8d0ab1e00333d1baad800e7dace5dac9b1a6d3e9eeddfb06eb9d021da3ee3e5b80d36f8e3e2babfe5e21411d29cc3a47ee5c033c5810cc6036eb7761ec2d570907f57a89432aa5ea3b18002aed45af1ff4eafba69bc2ba9fae1f5828c0d2fe13e17454436b98b9128612070fc42fdb4a83e3884dad5206fe49836206fff5aec8f36e468673a4d419988b1f8b0e370fde77db563e9f798977eacd1428cdcff4855ff025588630fbfd1dbdee213edf20143e7d87495919967da730e20d7369cf812a096a3a77bc3acc8fe2697778a1993e73b96b6e9cf5e2a680c4cf5045c19779af65b0c4c2101b8499b66635ac7b074de4827c937d4b2144deb344daf0f33552acb406e59e24e3f17e76683c5f264d0c12b3ed015e39c2129d0a2a7bf748800f3f29375ffe53a215f1ca76d4185eb6430fca52b1b4e8abaad6948f49bbe2f58ccb255444c2ea0617459bb1cd11c77573f29e128fff42b9d7383dee3036c7c34685de68488fba427066e6d184feaf9b6e3dca6ec4ee4bd87b59845461dc4c70a07befb2a17fbf5c4b127d8bb32cd2c09792a29a100b37ec0d62bedd9ab6a2a884fa47f7b2cb5dc91475e6a8bbe95de2b7c54b99975b86107d00fceec3bf785acd908059c71a0b37c4d57ecdf918dc567c235a252fc0d3e7311d5060bbda2fa2dcbb9e2a84ea50c2a1de298020eb63567bc730bc06ee0f610cd7ebe3bfea5477e4c76b686263bb3e240f73f80764e605aea1c767b31e2f77beb6250139feb949ba6af4e56ea5bd6b201596dfa861567cbdc9a048b79724b5f93d817c42a45989a7b7f8e49baecf6b5f81e5d778d17604194a803912a184631eaf6c918ed1aa34037ea37f15c2d1fd675847ba9b16119074ec58c856258ac12d0e680474723d0a1b41ad59adef9949369d9ba17e2d16935efc7f2c0bb24b1f933689df77e183dbc78d0d2bdd3bb021282562e9cae066c19c6ff6ed937586fc7834ce0f688ee770c42c1a8f042f1599968f080cb3f29bc2deb019cd061a210980483884cdeec6a54aeb69e198d394ec80bd3cdb6ff2e90e19b711dcc9fe73c7ac6ef3524eefe0e9b56ced894237ea0d7fc9c50d219e0b69b6624fb5c27bf938e655f2816b70336830b70c01df6f58fb07a0209d79da97f7bc73d56381648863ebe5e4e72469f8d02c227a640bc7b2a84fb0a3b628beaca66e29338c62e6cf134a13c5c0c76b06c9b1cd5166d8368575e19418a9f0b41eb646b66ca5de4f85e39b7183c2b2e39621d09e24b7c6a9c7a0b2f7843d1cd2288019e5935f0d959b431fca2ce45c6122a25f8451c3eff5b863652fe856f03e56f7ce669f9c2b20f4885a6514932091a3ad467ad73e7c4db7f7635f05520d172a55ae8e9bde7d4f0790f31ae469e9ff633b3dcd63bb4cc5776c1cfdd3ebb19faf5d37ec857aecd0c0a14f3f9ad791119a6e0861afc4a827c8873d9316af3babd298ae000584e4c947670e7cb888cd9af9d9fa36bb17cfcdb2be0e6423eb9948c7b08b8add3bc1b2578a185701db77a87c74b25a9d5a4dd1262942156504d288bf74975dde80531a29be7f3b9362a17d36916ed99295f01d25f423be0bcd24ae71b56b7835048407ae432c079551a7a9fdd9203b9bda4a9bbaa6f932512b23086053eb70e6db4feb5fc1dd3474c6e2755cd03812ca2f0ddd01fbc505a2a4b6d3653cede0bd63657358d713d2c076279a72597671e6b45ffc1d5ce0a11fb0a9312218999f432e64070ee505cc637ac54b2246975be748cd17983d2e8ebc63960093c238bcfa6f6d98e50ba2a5dd4acc357b77eb441862b59df2e8c7b12865b7f8d336deff4e42392e2340bc0ba27f3e221c96c4c98f09b3fa62def716896b7b685cd78a1304c131f1d7320646e9f0da60ee129bf56b760f569fd847553270ce60b6962bc4376758c099d3983667b3f4b37175e085e621b73d28a8884448b501ace6ecf3be8f5410e9560c4a153f773e5816a16d77791474dc02b5e44ca40f2b3fa0ba4cf69e1d3ed3ffa58bdd1976941cd88c7665d5f1a20293ae7281eb9c858f1ccafa6b9e2d16ddf14b0e8bc56910bd9c170a3f46969aeae83a6c2b7bb02b4651b90fe316c404e5e0b8cd6363d2933f53f2b6be570ad72ca7c0dd8909804deecc3b2c2abaf5dd695bb8085a7318c4b9a3f3468980e96526fb4b3a8bfbcd89232d4ade8ae14383aa254c4edc4448f75ba51ab1b63ecb8ff02587a0c25eb0976878ca245fa70d58bb8a56f9dc7f726adea49aa5eecf5087a85df330d9329b9089be25fe216f5746cff8ee17e22dc48268cfbff7db88df8f2048d666aee5a25fc64b2076e509cbeafea5362540cc154ffb85e022aed55f22c3a865706d00d8bf0508a12c4ab33bc7cc661b0de5281cb8a8b35215ea50ecee65fc42baf1e2ebfe549070e954e5280cccc113ea06e48c1abb208ba48c018e4b3bd214091958ea188273078f3f43ca9d482d1541027d235a291f72f5abbd6160be8bd9ea1e8e87daf3933e629d99a6f536ee85f4514fecf6a9be044df65ac8d2de6420bdaaff29ec2af590d304ede55cbefd0f1dfa012368fc7da4bcc43f4040a00606ed6e8cee7a1a733fb9f4e4a3d39dd62a53043c23fcb9ae0f260ca77525f1f8b9e4b53f1572fea0dd579f5d3de96cb300990d24ffd00c01a96a168425f538b7c0a04048e4bc559fadbf461dc10eb26105e1092e23c57b5c0fe906efbdc64cdd9d4daeab477eabd30ff426700650faf5aeab5a5edb39ad18a49697c1c29166a4ae704056f67d6f3fdf174d52a9ad8738947822a5d69f70c971f5d0759d663575495732bbe53900a7144934e11278a1471c29489196422e23e07f0954b8a7a0fe1262e611a962fae36c6893c8fc35606416b7049523a3b27f0aa3378e3ca888e56006dfeed47b1274b870ec2470a6c32a72ab831310e7884100cf1a9a87d045f8693a99ab2c6abab58c87d38943262059d36951401f2ecd0c2afd11ffbccf7b5eb3b45d848911c8f5da3ae10185de80a9001457cd03cf15f1e667d789c263e5b7ee8b95dbad22fd56df344b5a07cf1a84059ce5884040616f5163fe12acb2343a01c740bac58c3d45816f9113487851a3d67acc211626234678fec377f7afadee2687def5ef65f8d316c506ef07918a55bb919d04d95f4c2f37ba9f2ce1c9f65e9e435dc4049dea903f57ff9c609c0c6c9a8924470ae1bfe1cac21e9303d52006b88a2a21519c4ad0502b32451c840ebc0bf78a02ca51164df957b980b76131a21f0799f093773423695e89609b08699bcf66ea6c08909c9d1945727b6fab78d7348c046d2c925a90d14013e538d0fe5a3a6cb7bc05558a2caa384535ea01b1fa44f2f8d91a13c20c6fc796b7f4f3bd00530504497a33d0cd43d194a9d36443a167ab1381ba2ec4a6c5ea54bde58161f4d5e88cb944a99fa113a4738c9ba8d520727328d3035ab3a0294648a1e549885f8d060363b67e3b4d6c8e17063839700a878bb9e29415c6009d185b00616462ad8733abddc5fb66a13e2d492be440494af5fbd982c12ffff9ee7ed7613b942bfb40a871818980fafa794546bc62ad79aab949356cc6b6b4cfd5f13324e3fdcbceb213e9055bffb4ef67e7ecf4d78229bd2d4c4e817f3991f66446a9632d3f99c61a41ac708f0341a61839d426c6d07db2f30221d0a50937b0e64d2684f311f394017d1d9bb05ab63a0fdb95cb8dd8cf10bc217d601f0039f6953e01416a4a66c8b248871b7dcd93ccb0a756d3607dd81e0733f3d9c58da7883e2ff6044f978fb64debbf2468436fc576df84dc8d2a7acb2f6f94b923fe5f2c29e62eb6b2bb02a98ac4b44801d166dd9d3a45047060a83c13ea8a8d747e7416874d8f9de5b9e3711edf59bdb1a906ac6775a11e64461c51391d0e5900c35246d5898851fafec54ee6da841ac3239f515dec9084146fce2dc38062370ec7c67c690b598e34b3504f24856a4c92e9fc2dcd98682ad390ebf1569008d86a53d2cbb46dd6f48561d7e54eca5027e1cc68c9b104738b2c239d380a7806b10d799480fd17d534c3d33c183c184a2cb165ea017305e02a5a1418ac1f2b9e6f37fb2b06664220b1509b95db08472447b2364d324d4fbeb8a39bec86cf4c381b93b1f0fc2a3907f1dbca18a885f29ffc69612bc1ceb0aa65b0c86fc3425159ebb6c2d3410589c5bdad8c85b437e72b990ead2b0a656e1b18b864b6469c829dce5cc3ddd6a534f239f72e61fb41173305c0444cb7e71bf66301285a4b1c326013eb7650cb97bc33879fc53af139c5d65203a06565eb491623f9d01f38c20fad887477c3c897a58d75ce9ccf5b33c6e318b64914320a811292c8a5bdd7dade67fe6158ea9a452899ca8e363e7325026eced4d1f510f9fe99bb35ceaccde1284d1256e1c657478966af1f581fdde17cfa903108740ec643d438e23c7df661728410e26534bff2a629c42726e3cbbf0830fa6eecea92ee5336f7337959c22757c8a481442cb279f7b2ebf73d6207c87cbcc71fd4570936ff60cec2597d0caba6c24505a011120ff4359e77a35c704060ec09466dfde31c9a5552967c9d41d6b5484b9947a4c04866b085631f2c688f249e1a9cef8f8d7dfb0752b6d04c682e34f0f89368cd8ae6de1f46fa90dea736dc56c9565b3bc6ab1c99c1b219916a60cd7ef95162cc8e4c19ffc9dffc79a9fc7658af59db546103dca9fed676d9e246be5458972a5f9b7f991ef74bac17dbb6349b18a867055210e747fe10aa877790335b6e922617ca9a825093b9fa1d92a765421135f5322343d70d7a1eee85e25d43b30857f784de191fd209eb328ca17bcbbe17f9df9201585bd0fd5413173a5bc7e09b4d41b89e00c448bc590b5ea78d787eaa70e90ddeb7ec83df0f94766c7fce2dca41b45555210c3424a1ff71b924f5d374aaf0a28417f01f8fb38f507c9bdfcf2404717363263d4ba5ee2b57a588fafcfa81e77af210071e542150a5fcb5c84032cc8cecbac784ede31ccf78d25ace31595abe299c3a9143cf0e6a5421f98fc70d8b2a9d404f70d9464d38cec8518c678da77c6d32fc6732b82d9642162c9945b47237b1fa96f516a12d37711afa7ac3149de3e147b676fd2020a6f7340e1747878ff8339d0e436fe6c44b9cc13d66865f0ef78c0313b1a54964d932e0a255eeb788f9bec9c9d14cdb17ee4ab8a9415c6a516b298e5f2bb19aaea809677fe3ca1f6fe379d82af2255f3493873c3cca96b46c4252b29d997f7d8b05d83fd0db8ad58b374054671d9ba3372e7257e9795e5ed2b6c21b98f54416601ef5d22ba906b5dadeaf952b40b446b6965a0f84ccd93e11ee0462b75c357f1f47ed7efc519f7d3fae99f3eac2f3169183576d78718f5f07249622ba2853b03d99db24781d1336fa6bd039916f30ba736bda9482e6990d7a890dbadaa5c36fc2ea79a57e99d800d54b3db698adec96d75affd23acbb4e1a402c52ef59e48cc717a9fa04fea72577c6b6dc825d6bcf8b1ff4e2e1064e09de3cabfdeb9a804220055b5fd8fbc60d7c1db86d81d137a8545dd822f57fb054792dd5bc1a673d02351f0d09076fd99f394b107a8287e23fd47c684c09b1bfc7287753589c071f0360abc0b1870983828db840dec34ed2d3977a99880a512ecc0cbbd5a842c7597ba91bd10cf9b9d82b6565694db3b6bfe3049ecc0719eeac0ff956de008f1fc3e095acdd1b6d76567267fca8d0526ff198f8a7dee7af67bfb0f674c8c51e06da102aa08f0d73ca63cd1135c79b72fef4cf4b0ae5300194c91be269cf0e729b0ffe34ac3e87573520b9d7feeed33f7264ab19a1a9002a07a9459e74f3d4dbdb7010de67d56b49a7afd816e90bd8db3e282649cea4cf96e8044cc15a607a85969a5cb62052047bdd8716cc7800a0f4f92ee515acf1e068af64907542e0d833f4fcca81b88f4afc99daf777f44d7f1b7bc14fd5ac30aca0a3a1136d775f9be1e259e43a33efa92d8e2a38b6bbb1344cd3058b581a77e497ef6f747206887219eda379212aa893bd693ca74b98a8624567950afa8dc75b910f707d4227fe5f407ec06add953544054680a30e30e460afb165b739ce10a0d806d1ad369d17c2a9fa67ca49463bdbf5581518646a8a1f46e7c10d9311c5fd9519a040e88d67812ad7306ad13a6817fa91f016b9cd6321c28ddf7b57aa4d36c414d901d8b8350a4902da56af888988c543ff8d30881432710b0cd93913eebce252ada04a504b277b50793bffe780ec51681b73f38e6e098178a2319373c9aa32e57e5ecf5d53be5b41302b13cd4749ca062f71f5391e4a6302ce6a4021a5a2e7a7d7e537a4472cc90ff898577f9635ab57d918ea1443d1e94db1d4f42f16c0bf7b88086552a99ccecd153580b37a40d05dfceb922a740a435195f7d7095d9e136dbdb5c51154c2d98269ca29f796cecb7aaea9b8629280d722aea4d735e13ef5b50da91a51998077bec4d6630a7fa7ba6b996f55776beb117cce0f44d2de362d142411d44a12ccd690637a29642ecfa76d3515b651cb2b47eaca44f9ad4172069691f97d87cdf231867e651834b5baad1a87410e7188877a3a9bc30e7e7028f084f4f602095d22495b1b3789b8115277462fbee611fbce26602fc436e52782811a83fdddc29cd0948176e6ddc1fb20ef539f465dae209320bffc49dcbccd6141735bcde6e90dea25d313acc2159cef4a977feede337d126af12642570c3f3d1dafa4aa734a9ec97883aa7805563392ae3692448076039e95fdb23ad27293e2e044fe722e82f2a80f401c17b056445a27ee6525aa0280703e9ac24f666aa447727c8e0c2117fe84733106e8d8b6ef1ebd2ffdb464cb85e6537d3a1ce0daef079729e00b75dde985c8b4e5ff39ed768baf69bb6fba7cbc68346bab5e07e0cfcfdf17ea873db4a10b9a0845a7da2ee146c88739903a61e87da3974da83338e59db18eb7cdde16443271e204e5193a5a658105ad69608c28941a1a58be495fb5b66c2797083c4da316a566caf0fe9f0d122481313dcb40e45f6e73fcce912b08bf35b865780e92a86995fb169bd2564592a541009c460b2b8ef532ac4cb0a0c28f41e837ca4f296ae872d43d1639d7e880a539239838d15410422ac53debcef066781c9551a1d4245eefc618d5f819cc6de91fb6e3ab4cdd55baddaa5c4956092bf20fd39cd9f13f5970272329cefc904faf4b95682064f9e7c235160b17ff87ae8a452863170e6854b378a2cac06b1bcf6584057225e9e82cd76ebcbcf8978b89f95d1f80710f3f85eaae35d555aebf8b3a7dc192e9d035883e48bd1cedbb5dd70bc63053f1d3e2502c687da0b2b2d09ff95afe1d454a0165af4fe149c7e7708789a51771b383590f348d848222781f5d23a13d5d6a0768eaf16fabb4ae400103a8b68aaec5993315e5dce9150356d5a5d9ccf963f9971a22a431ce151a528f3627aa371295933d74da006a3604d20349d571a71dec3af79158a29863fb516a69ab2936f15ac5a1e8a1c901a30fd6efdfca1762e2ffc267551edc1fe582c58b1de134ddaddca936f338ce7a7c61d64553b371fea1d04703aa5a96798a360e39adff43f608b2cf3e626b6cad1b615b8225d51c99a8d91aad0e4275a3853d644e0c0453f634052891f77ce3766d133ce1b3685e82c993017f7e20bcfd9c3ff9e62207b889f2aad854b8b9353185d3ccca1af6f98a952f87ba45dd56856e8b91ba67b9e95663fb2ecfda1a953f1b373e731fe14514c1fe6feb9d7aefeb9c72e237fe750e286b021b12f2f3470775e38f86d99ae256b500ae06e6bd33851c5de8e49734919ad77a3dc99c04a916d75f64c8103bc513979ece37478f32ceb385ba987f616c79e35b8f419cf813a396f2f8638efadc6702424f25106cae8792ce089625982f8f6175a83c0d502567e24bd868305ef1c113a908382c35e51b3b2d3455973beb3c3dcb4b3f867e87bca3621e9edee712ec2eda06ef808d20aa88ea51c20a427a6e3b8d0d798cd46b4bab9f09c2371bbb479170d28e4cd5173fbfb32c58e3b33beb5cbac26aefa553e6bc98d049957d9d20ba6794b016edcf4059856b6b44602f5c91a397dc7dce701145c9a7512ffbcf5b8c5de35b9738c75227a2c2b86c6d00d595d13de5d63ba0c5313b327d626c46a1023b47a3414ba063e531316692afcb464898f30e334f2ad437cf2e78ede222bed0118b9378ebe5f2eebecfec51b55336c72af7cd7bd503b4e13ba507cc10aec9e3fab46a42fc93d841e7040c1c45757b2c9b75551aed45c39ae9a3be7ff2818378f89fcad04f1e4a7244cb0e8fea960466b6d67d023ca01b101d207e2b08e3091868b2dc882916fba7f4dc883a081e1446f48bff91499ed3ba6fda318c11a56d6e0df4628858e450de712a17b36bf959244aa7d5b71b4f83a19608701c55a1edcba3ce6cc5761ede1cbac28e48e96395e37996072b838aeaa1a507914060f9d835bc40962ee362055eaa07a36583e1f350b4efdac88aaf247554947620baefca68a740ac0693293d053b1154752af6395bea8ff05c867d3647b1fb5c6d8c2a6065c05338db99c4896fc9899632c73886a9fee155be0e2b012a1d31efcd96da2535271685386bb09037c363938cda4919cc0f0db76d9a0419bbd16ded970e9c2a8bdaa25c024e62621173de3ae3118d690db6b23bdf8965f599e70cdb4a44fe2d9334fe2dfc34fb63a0cab5afef9782c654a7ba5fc4abccbdfea0585b73066f105686199c5c3fd13191b305ffc9bba116e3063a01c2bdc0d6aca6d95a76a53d0d022c72d40b9c268ab0d5eb9fbbf781efa916d344eb4d22c2403b59a1655bc5827ffa5926945c2e13c5036711d3bacf35554325cd6a9a3f1da4687c3ecf20cb837433332cafefba6ee791bd78396ca64c752b0230515a89e5c5d584b6d2025ba090e0aaa6de2bd6c6bba32d4fcc8ce8cc040dacc0f75bbb1a43072ab981f222c4d48d5a888e856052b3ecd5ae5cde7c6ff6631cecb0e920f1db6a40d60fd37b5b4503a24f030dfdf94afd37f08d6244e4c37ed8d5ab3d229a314ffccc2d05c05d7a895a3b27b57c44b469c36e909d8bc5589af26a030ff9ec9f45d281b08e5176b119120d5c68841e94f2bc74a0e8818bbbdbeb3489a2036c2b457185f25b3f2a0f72d11a40e0f8431b67a559450ca9a3c3e8998500bbb746a7d15406a89f00aa486be36b7e0248dab71cc383a983701c770be9ea70332fe8839f34f33389182d3349b5be265efb0d9ece803faab889efde2c18fa37ff736bf4e011c9cdeb4a71e04397c7b67038a6a09853cd9045a83f2a36f7c62a5906787bc3347db0c6552e785493dbb4695119c45aba903d73f58379b46823033da9d5a74862f6694c98d507471f238fea16263cfcceb5f1061cc735d4f40ed5704435bb4659a58cb7c2bab516b7b46f7fc68263bad62f93559c7a5c6bef183942c6a651e64991056ab2b0fc6f103ad5c3a021b002e96f5c09981d75ced07f9750723fe002e043734d130d666e37fd72ec0414eff98054a77fb44ce0c1bea093b6d6922a2842ff9e333a4ce8b21695c9fc1f58116d71339e2b655541f2bbb8174ab0378b1f68469a0893c6a290a8462a4164c19b999efeaed49ffb337d4b786bf72597b4682906d4e7c58c1c50f024966e8a2441d08fcdc15fcaf388c3988314e93278d1fa39b91965c82829836d9c22587cdb7be2d518388ffbba61ae120e75e386f572408989b108f769c6ace10812cdac917764c0ac631f891e001977608e09dfebfbb1a390c84ca6bdb7d08bc23aac46ffe8e89616326573d6b861e7af102a9a09899e746821c62a70f7b6e47d9d99957a933784a66f71dab914094bd123f6b57b9bf0d8f942c754ed21180dd38d8559cd3d28036da5c821d67c3f33e32a95863554dcc5ad6a67cd2ed63afcd6661ffb8afbfd86e38d2a0882d7eb2c1995c3e8be9df3ef31c1ff92267e53f008109b59553a3794192f2b945fa28dd521e82dbd80071d1f8159ee0eaf7e04979c59643a410f69c16e038e9b9974a5d5f0d04db5320595e7286cc20a135f7c3f06855db3f985958de33c99724f34136dddcf4230f06ab0d6189150bd3ef4275c485d60f115c4027034423af8d595dfa719078629a171892e8e97ad817951a7d12dd0b6a070745f7f33d6708bd0e4bf96b62b3114b2c31d5646dc9783fc2b5c3d9c1871345e64442ea1dc274994355fe9e7bb477f4cc2f63dede30846d1f0333cdbcb3a2ce2685ab6d9ff5f9e8ac22526e353c1cb050386cd80157872e6fd33f3a352e127f9f03b0c58f306e2299ac54336192cb65d61459e8c5e4fdaf4e1f815f1dd35e598b187634b4b5a1d17e54ed3876882db49681a8b07564238fabdea7b481dec429d898771b6f10e3aef713cb52b432ff6647952595fa14ddb744b8b3baffcff95c69f86d98553c2274c061b24465145954f08fddc17fbd06024efdc59982f2413dc8a09bf84fd315be0bc4f9fc83f7308a57ded09451c07c7052685f43d8781ba6b820146efee62911a3cea2af607133f826abe189899aea8a554524bc90ea81c909598358ec6d841f5aa3d5aa38faf66a69eedcdefbad39100411667fca557d8e6a183a290fd6c1656eb67a3bad59b2628a40bfb7f16a60d565b4df7518f9ab1a3fda9acfff5994f3b48d4d303cdecfab18864933e1f2d77d9d07f32e0dfbea74984f5ebfe0e28f8ff0e3dc949f892b181898a70a61290473e3ff322511cb25018616b7830cf7828b539f1cda5eda421a77a4f34dc2ece3d012a7e031b3b3eaaf2520035d689a9d0b35f77a4d163d5ae33ca8ec8ab74f5f895a0062334d1aaaacf869d070b33803002a2c50e41c5dcb42af9a98b0972fbe0d9f543dbf92c79c4080f3f5b1cd3a7a13bab0c86d48b3cb3c0016939a3a1e875f0866bf0a053cb0cb527e89155221bfddcc8c2200b0b4fa887517bb0d6ef7417361cf685a81470b53aa90f22101aa3a926efe83f6f82def95a6fc0123a3e8ed577fecc958471860baa78134fd1ffa276f205f1f41292a45d74c143e0898789956a878660fb74f24b5ef5b7066f5568b1ad39ba66ee284efb6a3fb2e3cf06550af9223b198474158519dc30547005a12b095356d67612e7c7639f3efb9da9425f15e93d952097059e11d286a837e300e7c7c67da42c47e19c1c37f09c941654aec2ab75798207596e5fcb2dca0405821ddde4739d8bc7bcf402da11a46d5d7c8aedfd2e0d2c3e187a3db26b608c07addb5206ba6f1f1922ee3d5a689efc5aaf2becc6e6ac83c420f35346eafe9d65d9348c1baaa241f5e90a15b304008d258230edb9225a4f3f2f2c328100f0ae083b64c385bcbec52b1d263317a2543e27e1a8cfbcd425b6f13d4a7b5ba6b0009cdf99125219c29c97a108665880bbd9809857cb4441bb02caaf34f31cf6d2b751d98f3fa7e229f09aeba8da4cc396b132e678f2c3a1a71c4601259cfde243d13b1cabf650d5f5ef2faa3e2925d7bf7b1602f786474aa85600c48bc50d4c2ef126f88da7facc41631d91c7167675c4c7555aeab847095e73daef2b110213ee9abd1f43bcf074bf6214c8daf7ea4bd3dca44cc04dd106d4aa4e17c5556e524273d57621c4dfbad3fac05fbff48ce7479f4a34bf05d009c5aa5dc415403d903f18a62b527b646bb800596264cdd20f8663836e6ee4823eef83fc90b890b2ba1f441d6594e3a2b764202be34a15dc1c1a6399f9055a0751a5eb3eff25257262bf27e5c91d53cc33a8a0e3b4fd4be4954a61e912d02f7e42ca26579456305ef9d5edf57e65109d745cc6526326966ecdcdb23b690fac363d9a4e61501651e97ed3b164ec1d58daf30139fb4f5b856d001c82600084aac2f65a67752b44a64c65a9af1d9d050d884b6d3b0a6e495d08fdc5b67acc63152e6bb7b66558f0bcdd8cd52a3007082462bdf786b2d6596ad3e5d2e4efc80875f819f93377a9d2b7283ebbd98dcf462394b77ce792157b648469effbb6349c0af274eb6b005e71828b351f2aa0320c757374361d9be9e04d30ca24557d44fe0de0ddedcf59c7c22febac138bf5913c53681fcab740e09392a257276cb0a8538201bfd3a238a620fc714c981201755b0c047670cf0e1d2c8f9e116f19d711a5d43a78c77cc1e7084436d322b03b2d9eebda2094b01f61aa09345f870b60366c2e32f7c38bf57e95b7a76f7bd5ed902c9558f4f2b55b87933e043dacfb930dabca2d00ba026735cab72c2d10b9620912e6b48582e2088d919d36f84f2a376558595f434e27da3f516643eba5278009fc0af7585c52a20e333d80644e1800a8f9dbc619ca4d87d873474d27c70e018bbe694bee0928ddb5c2f88ed7b9d1ec75459d6e3d0d8dbc2dda88a0b35b16e443ec86c733d7f8fcc774f7f8400c64758aea438ec1f800fcc70af2511f54e174c101ee72a040028834bfac6bbf78b7c8c5ef1d6a3cca08df064601e4f4cafce2d26d334cd5baa401e89aade3b8dbe256b07b2b15da20ce83136d6a1fcd3a0545398d1a3ff27920df26a4ea53bd46b62eaa12212ab9b48150c7f26cc343939461051a1ed5a717ff7f3f8471c3b1c315cef2fa33f6fed031b480bd05a0b36592b4a061780dd5a1adb76471bf4c768f09dc422891398eabea866ebde0970cd634a8ac85e5ddac09909b00d5b024019dd0809fa622488196bda2c8501cac5415b2f42df1d4cec743b58cd36dd05769ba371e9626715fa6557e44126c0f6e3886c76ee182cdd8db6817ebf57ae3767679d5d347590ae28efa3d51ed844284dd7a3c6b8daf5cf17648bae74621ded8340444a98d36f9f86bd3b7ac5aebe7db2798f6871ee973c4e7146c2e5a6ada7bd4e081317edd6fa82840bb02737b25e2f2d37c145335feaf4bf7bcb863609e344422a75a33377de82db1d2e89156909667494c575afd7a30e570f571f45aa4b3eaa0544cb4971bdeb9495095903c05be6bd3d48b1a0f0eba67bdde5ed1004b270fdd3ca46a849be0c5427384cfb8b8827f36ca276b2e02b1ce4ebb4c3077f2402e08467b14dac8dd9137ff1f20b87d2fafe78b70bd250f273b46f2353606545a595fa8b0afe82ee588c9baeb579a9a0d68231c30317ceb06e2885e0be5bf9307ad62be3cc74ad21126f342474d5bbecf1b9df9efcf5240533ed19c4b952b04b6d2f57ad565596566cbb3d0935a9d7ef6af4215d067e682e7f194a17d7f537abf8509757bdcac47a0d264c089f8d31b8dc6ebd4c51e05a4a380213d72776b7375ef6759070ea6c4b0975ce483b365b1ad8925a7685c21aa1e38303a17a83db2500f2f1202366867a70aee4ffbb7f64f998ee79326a9e7d3f1895d5b39304e1fbe9a4e2a95063514e8db3640f1bc4b1018511512763184c49e69e6219a39aa0c65d9355564398c48bc665faf834e9d3b35e3c2794b8523a06ff580b73e93927c2ee2b5a68e7af12c0df76cfb72f24ba717cffc14592227f5f48726812f6d06e7108c61ff5e68c2a679a2cd1eccb9d6469fede21b6ac2bd188e1ac79e432cfd8fc06cfc2e9985f19ad1e9fc84649bb1d768dc85e9a8c74a283cba8140b3f13ae4e8a0e650abf6e946293d7fd8b3d98eb1a3365c68670eaa851318ea50b5f4ec499207acbf2c1e28e8239dcd832af6c9f050e01bd2d6a65b983b0952343aa5824df5b1dddf24af562a15e1efec94f38018e9e905b620ebaa2d4ecb671c9a668272148a1029020419900c32345fceb45621129206628ddaf4d460d097feb4524a7f543b087f55adaf6ce2404cdec2e0da4073bf158cb061a3cd2e2d6bc193edf35125e6380f3dd2a10269b94626477aa940d7f2c740c08d79ab83bbd5cbdc733d62b6f50ca08eddce08cb46fabb40d81599564756896a8c6b8474b86e194f34bc1664a8245d20358b9aa9b619d6befb9a1d2fa7f87cebce8518d618dc31ca6af00c30c875469990e62fa106756c984e8b384d1bcd169228e1e028b19b7bbe636c966f15f4993fa1d0bbac165b319e11b3bb653ff18c8e8e6e7c26f53a1918460b80c3466ae138301bc263fed9e59ed82488ed37d7ae370b323e2baa836d5bf87e4fade36e8182dd235b0fa38be1156d821048f06ee54707a8bd202d7fb6d73a37dc1079eb0d61249fb57bcdc51ba21a13f80889d270db7747cd95128a547700a32a4fa2c117c328c95ad81c7d57899a2d9cd01d795eb925b6928bc7148f56959a57db262d6c46f5926286ca0cc778179355c3dc0772e203925c72b16894e4eae48b628bacbac2f6d527fad457f167dc7fe20a27217fd253e5fb803a6d587a4177b90fd55e76e7ecea831043145f24160217dc2cdcde68b186eab6c78794d99f25abc4bf0b1b8f64df5b92f5c0583584ba0c7451216f5becba5ed663b49e5e9ba17418515e9b12702930561389aea4ca1d645d493003b88258587ce53f9de6c9bd1d29c39873a520515b7b9b734736eaba21860a5bc5802d524663ea0441e5f1a71417e5af8b036fffcc5aedb09abda12a88bc2c4cc1b3bcccdacece020fc1345809b9d659071021915dbf850f1f5807199d135558e1f37d5608163f3907ce1c0c3216e0468b62c2c5b2d4c026d343bcc6acf9e188bb474bda03331eb8c119b296f780cc4b6d108170849cbf802b85bf3b583a78186d1c76b4035556a5fbdf5b3d95d832265f5283665fb4d650b4c313924fbbd7161ef461887e4ee60ef0d26178c90cd8dd5bac26ca4231b172c86cff288be31b4875a7eaf94414010f1f8ce1ab2ea4a8ae51a4d7876414e04a6399e8b8c12c10de4a59a798ff5932454409a4d64e2cd28fc994aeb1f96ee241c7dc71f20a28e6ea3aac87008a1d071731baa37119377a938b6760e90e6ccf1ba26399ad1c5419722e0961dc16c194f6d8d0c921edcf271d84f1df7f20c9a8b390d7f5bd454181749002426fccf842f25b07c646c78071e6dbbf26c855bba2204e65503c453275d58d830b7fe5e04476fe1d7b88d726e4fee9dfd6f155c1082a6adb3dba9f81633d16d4585f15a71714072c38e97afafb9fdb85e5d18c2fc2be2f85fce80db35190ef850915e216c965b75a5d7b7d75e9436d1496d40f385bad871865b74c95144bbf5f4e733cf39a4667b3517a9b179fd60b6c7d02e4187bf266fbfcd3a555c61880b59ac3179e7248b4b501a1c8a67a87b627443ab9427d91695a1bbca27b09a0e88b2b9968c0f6872b67021dc6b93402699f7be2937fed5f5cc664afe57a68e9ef7811cfbf72116d6a4e050dc56db2a484ae22a2322a4b33aba2fe2d8f270f2ac6175a37fc05f936aa5a9502d718ea0519b063addb687b8a2945b1f7dcc1dc377709117d3c3fcfe406301c74442ad200d8fd72d7dad3a0ef34af37f444f373a6b296acb1c023d307eb9f33476465da6a5d4875b60eaaa6366c1e45c60cd043ed8348ebede7cb58ca8c4b823f0efdf9dcf3a24acbfaa23d9ca964110a656efe948aa8feaa172df11cc749af6d4808d0715c40cfc31ffc83c5dc26eea9b503300cf2821080584ace77c1c22992abd77c257b041bea87edff370bd857516dafcc998c27bfb2899f516e63cad2d4b97b58554d1f457dcb1a43bef41a9f9e00d1f1a9aa5488c006948efcec3e6183448e28ca9ec70f85d4afbc84f742f6d639d64bfd0e2c4721fb746f9f3d50794c5a51b6d8cf74c95396ee57c1131c5caf2bce0314a1a0c0edcae27fbd34ccb6db2f4755679ed7e21fe9fb4b6257afed28c86d9d000a3ad989996fda79cffdd125c36c0108a88215dd7b68e763efd14c8888e5ea7a7cafa842ae419d013e32550d467ec72facba1131a999fb973fdc77d76184c3876fff2220bc3f293baa14fcf8315a5dd87461aa446b1f585bf804f43eeebb45f755a49fd56a37108af205106994b0a30b92d853aca01b08edfdceba37460d785baa842a0e014143a6816943d4c746e339ae22fbcefad54cd876c9721f79cdc707b48b8282616560bb7245952aa5a0a80d0627677ce88296e5e8d91216d91aa6b980299a172456e8713a08f4cf7cb46df2244256f0747905c8f9490d2bc753f29f53eb0e32248d658338153a23586fc06cb41d93545da831cc73a97cac45983144efb09791820b68b5a05cbdb2967b0221be3cdd0bb3e493861cbe2b505cd296d71002ba11e3749f81ce84e4239172eb043ad04d83ab29cbc646f02a21cf22b63e28be274d71697e01d74c40bc0243859c74d2d6fcf45d2e6deae21931eba501007f11136a784e2743fb3b4c58a4c925933fcb6aae70006d7c9947db1d49e8ae26547ec64b77f8e58539800db9254fda6c0de54024a04edded1aa263b933c5db6de29ccd02ecebf204121636ca285a3f1358745ea28ef53b3cd260ef5a3dd5ad9a9f26a7bfc7a6fa68b8026bcdee553011bd9c1411f5138df449916a526f494dfa29d3f4d08fc5d76993cc2dc6a71fb94fae9958c95c684c69adc7a33af55a096ac14cdd99f8dc951e0ad53cb12a6e52c01bef466c313e806008a722e798d278104e056ed8701383c0d6960a85b203ab665be95650f03b45a2ae2b241fe194879cb4fbce18661ad70092fddb5979249a55060ade0148ccdbc5a1c47509199f539fd74e6c705ccec6ee6bcc07ecadfcbda99294ee8ec35fa2072547b3d54e8f339232e80e18e00d01abbefe55119c01084ad075b06fd573901551a1576f4df8c73a6b20160c63d98a8802079aa51391ae4fcf8ce138223547fa09065515756e4184c7f859b8d99f802d31e2da840ad0e13072e2d347dac094e8276249b1cb66b0ea95e79a255348ca1f5d9d6631994272fc1d25a2efb5dc9e5e3315eba7846e276ddb311bca3ecd13ceaf42f258dbad670f9228b9b62c9fc28df72cfc05dbd117d2f9a5f66ac329bfca68fd66af9bf6d49c52a4f5d35185dc7d19e3b1c1d9a4a2ff515a2b7ade65ce7dc7d84e8c7fb2013baa48501bb097e74aaa0f9a10e1ba698a15ad9c501cb1727c225f770b742bc101dcb45a1054e054d39c871c64bf44d3ddbc5ca6c20362e1709c096b554839937e72806ba932bbd348abd9201444423f210907b321d953756751926d59b2c3954c1d321d0a598237657a2b49865a14a21d50d2f7697649893325556ef9de9af181502296d9c9471c29750d00246ca90745bf393e4b40b045ce68351b7ef195c2cedfe60c4a643135d4b1c146a9f764a05588ea388fdbb7e0a07469d003f1c3817fe229d39acf69f9f63f9e9d203e8947f63639e8816d16f87a9062eaea6b1bf2d57f1dc7fb8e511df95bd34fc5f8e9e0fe705785859938ef704947aa68e192f44188ba2387e32acf6c356b0343d6791cc28887e258f855b5f22fd6b0c48f448a85695c19dd9e9d117b1345370fddfc3c0f074b8cda33e8b12b69a70cce686aab2fb702ad970d49058f9bb0195cf9dfc6486a3098c1c409bc66467732a948ee97453be7090beea529173bc69b86f906636c9a89a269d9106093218207e78307ce34b24f61cab92850ae7ae92abd89123d34696e3b86e6daf2cb27ca2e9c3574f3d7bb6f9903bed0d5a76fcf945967c8d02deee5e26023eec937dc4c665a3b95a46fe27a125ac513a1e9b6d97f4572435849683be2bd3a4f973be91a1298011fb9bad90981b351f20f2fecda24b6412bf688cd19331b4448606b86c204e9086bd60e2413474b522787128624ef3ed708f0cf82a474524506e97eaf27c3eee13d88befb324e0ee8cae3bd2f1bec9c95a717842b6fb6dcf74e678a6889f4d306b2889eb40d1eee501055cb0f2b68e6730b59fc89e27d8c0ccbc6dd57da3c990f0b1b7090ca5c5969bb546665d0981463b268bcf2d83725bd61114b66a2d21fa2ba183010f4aa075a2df40d2a4de6c73c56d57a915911752daa98eca7e64e62e72c80bfb4c5176e32ba239ea457ee72ee74960cdf7e91726724483739cd19572d0d14ed600be04bf25b54335315d2b07eddb30542d9d398a44e56d74f15d34dd073c4b87c0f05ac0446690c48e93e8f41085568f41754c27397b077550849265c03eac67ed953975c7a1d123cdd6bfc4da8c16ee85ca322f332d80b8c5638d0f25878d2f9664f43cc4efd190d3c57f2683933bee8d3c3ab25e145841019f657a8887c9691e35b352e1547c35db84fedbcf7b0f8f63982b8174f809f02a9944a79675ce2a6ad7a50a6cc380c386b1e13022bdd9408731354bf2fbd844d26a51758ee37c2090ca5d5c2cedc3490adb2b00beec91f7badceddf00b596da4371c5f21e7869c7d3ef02ebe332a24acc1333832bd64eae04d96eb77ff106a15d6f1275175b9c1e3e87a8017804b740dd544025d8069af671275c96c52fe85c56b0d55c83d127554a4a49cb104fcd1c069d35c600da83e26a785ec86f71190c67785640444e000d89d1b03a3594f2036f951b0ef2c31d9ac6149778615b1f96e9337a791f218b3d90ab77836a52c8ed4fbabbb145aa1e10edc237983538ae6232fd4590221f41cc87a9715ad3501225e44c047839f1149afc50e9f8d8e80ce85529148599305d51c4d84e4ef9e5216b3e1d86b536a36df872b0fbf57804ae7340c4a0f509adac8c646820c1f92dcdc9039b33abe70625331cfe9ad242a4944be9580b962948d7d1c9a8c2eee45c658991d1d9f5a7bd4008efabafcfa8500720ed95a42334e2df5b54ca6f0a6dc65763aadfb64d9ba32bc9a2b1e37e138dbb226dff4f6bc65c08a941129cff7505018c3ac2239ac9da7b3ce6619c23759e194b80eccba88e0bd6d033e15b896aa95b5e8b4fa63e89a41cf7f7a0f8237eb8078fd50408ebe041991d59cad3bd2da59050f3153a68555076b9dbc935bc69d8c6ba4a8497c2ee9031de0148827cffc5fc3df61bf2561679ae8241d3d0abd5dac562aa76b2c4b6e659013036c5b19aaa0bdabf15eeef12af1ee31bf607827b7a9ee7cfcc2dac3dc4d2045d67ecc0e54a948138bfea2488459c39c99f1a7ed5516fcf696815bc33b0704468d0507c26bfda6fd0e733db1239d73b6af42936e7ed4d9022d678706a76e8abdf94b51c9228148ed2cec6c6e10d22678c8a156205450a29cdfc54443018c3bb94000d106cd6d7c5fd98ff0e585854c3862ef19db40be044fe00b5411233a24f2be94d805517e9e55fb370f77eddbadaa9a299db7b704ab9ce9dc4be9a26c35b7f9fa1702836f8e5e4152ae1f27a380b44b66098ed1501e701c871be397da6c0032495450b36f4cd57804a989d71729b566010f1ed19d264b54d5b37a417863853f10e053fc8de35f8c684a488d4811f15c8ae270cb941f50e398f0e119dedaf8e937a72d54467eda18a7d73565bd5c0c694ff22f893acc77f7e500c43c91123e23af9edcee877531b6de04fae474b6c9452c8296433a82f99e46dcd0b6f8a9b13b943231c08598baea98baf13d86f5b5cdb8a2e20409b545272c3cf748d9a87cfac4b0e90d30f0dc401a83c4b564be0b92fd24fb50022c01d092f29562f2a1e6c481dd5f91a957116d7f55cff533b91fadbb8f5d15d38d67b03d7a5d95e380fa419ac06a1d2d4f59884ea6061c5f0660c631eb5fee35865e43381f13efb24791de1b6d69eeea23ca925633b99b5b98d22a0480ae4248174ba2328d9a47342a67db2ea7a9b48775db35c8be5dcc10f7dd84c158dbd4757b33900b164e621f1dbeae885dccc9d0a350b48a1e55f8757c978c34fe34a9bffb272394d6c03873ad6084810ffe8f5d1a3e272d56785f24b52f7b3e5cfc8944a22c9cd32973507497ba35a0462d46f0e674488d47f7d2a52a6921b3bbe9dbaef2958db56c874e6dcccc2499b7078b5c2d4143d964c1410c76426ea2a2160ffa27876dabedbedbb9ab4b00aabf90f8f70f2a851e441622e6b9413967e04c347aab7488f4760d3e8fe1a26b0f84a1ee5eb0aa541c9b8b3fcc5c499ba7bb24babfca2f1edc91a792580846619738a8cd6a956fee442d94992beaaa80e7e6be27f33a03c5e67766e3b04e57670209e22cd0ae0282a1aa7b65f4eeb48168d65ebe60145fb771a250b9f1c8f1d7abd3dc3b62c3bc864e1a4df1e2d36914b8172f2ce840bfe7c07db6205485aee0e095a193e695633bdd2eade76239137193afe18bb5986f03da97a7e0c2a9f4406b92497a6c942e84e72ba6bb7275e435182101c16651ca1d497e61d6bd9e1390c8d100305a890b3d54eac2449a6a261c26b9403257c4253644ada152634a99e20d8f909d753bee656296c2338282f0779330f2db7bf0ad7151ff0b1edca7f4e56ba9a0c1dd35861d43f5b3942445bf5b0df198bb93a3e7d69113d454e849571e5c80b855ab9c1a399291471c5053ab43969298bae96c65f2e0d990973b02bf3c5e4788577f14a7732bb67c9a9ccffc12e65f1fb5aa486e3ffd0f405ef6ef305f41d2e38bfdb9ac9e5d87ceafc0628f23c2fbb211c1b106e4a551f9f04974a1747212061940b2e3161b8a0901b926afa3618ee7f9ab2237a5b96765d201da1432193d54690190ce37b22853b8d8a03eb5a93776cee5903439ab358dc5c921247c92e4ead264b706542b9f66e743452a589efd8ac02b81ac9004252345f20afeb72c2548ad5c85fb428ccd0cd61782b5d84efa18d54f91d8c19ed5f746cb4cb8a0bdc087f3b1f0392ac959c1a04935c9a89145755fb462b34b79cb341150e06a4912157ce4e8e4f7b14b6254e0db2aa7f9c06280b28d32f9b617516d00b79b6445f3278b8fba13e18447070c77508c3c172c9a7bf302f39d9bf938e4fc8c4f3afb97984d7e7654ac7adb783f1cbb408ad80a768da3461cd87920052a16b806c4166c6bb91ca721af5b1249eb25eaf3f5996b3039f9535488d98d826db940109da1bd43abc8a7bda4e94024dd5ab0b65b7d1877fbb48d51484fda02e25571ca87da898572d98292267253e93760993235dc93b211d32324aed6c1e1bfcb6cf2260afe408161558ebd89beb20c957f057c82570db0fe3") r38 = syz_kvm_setup_syzos_vm$x86(r33, &(0x7f0000c00000/0x400000)=nil) r39 = syz_kvm_add_vcpu$x86(r38, &(0x7f0000016800)={0x0, &(0x7f0000016280)=[@nested_amd_clgi={0x17f, 0x10}, @nested_amd_invlpga={0x17d, 0x20, {0x58000, 0x50df}}, @nested_amd_vmload={0x182, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0xf, 0x9a97}}, @nested_amd_invlpga={0x17d, 0x20, {0xfec00000, 0x1781}}, @nested_amd_invlpga={0x17d, 0x20, {0x1000, 0x691}}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, @nested_load_code={0x12e, 0x79, {0x0, "67470f487f05410fc7280f20d835080000000f22d88f2978cb3d080000000f20c035040000000f22c0c7442400d0f60000c744240200000000c7442406000000000f0114240f0095bffb0000b98b0000000f32430f01f8363e3e66440f383c6e0e"}}, @nested_amd_vmload={0x182, 0x18}, @nested_amd_invlpga={0x17d, 0x20, {0x1, 0x2a0c}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x0, @save_area=0x4a9, 0x5, 0xffffffff80000001, 0xd}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_amd_set_intercept={0x181, 0x30, {0x3, 0xff, 0x1, 0x1}}, @nested_vmresume={0x130, 0x18, 0x2}, @wrmsr={0x65, 0x20, {0xc001103a}}, @code={0xa, 0x64, {"c4a1f9e6530066baf80cb83c050c8aef66bafc0cb0eaeec4017a705e4702360f01c9b805000000b9000001000f01d9c48299f774fd26b9490300000f32c4c115faba6736c958b8010000000f01c164430f01ca"}}, @out_dx={0x6a, 0x28, {0xb7cb, 0x1, 0x9}}, @nested_load_syzos={0x136, 0x58, {0x2, 0x2, [@nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @control64=0x2006, 0x6, 0xdd07, 0x5}}]}}, @uexit={0x0, 0x18, 0x8}, @nested_load_syzos={0x136, 0x80, {0x0, 0x1ff, [@set_irq_handler={0xc8, 0x20, {0x6a}}, @nested_amd_stgi={0x17e, 0x10}, @nested_amd_clgi={0x17f, 0x10}, @set_irq_handler={0xc8, 0x20, {0x76, 0x1}}]}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @set_irq_handler={0xc8, 0x20, {0xcd, 0x2}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x96, 0x2, 0x9, 0x2}}, @cpuid={0x64, 0x18, {0x1, 0xffff}}, @code={0xa, 0x6c, {"410f013ac744240072000000c744240203000000c7442406000000000f011c24c7442400c7d2b538c744240239000000c7442406000000000f011c24b8010000000f01c1400f791666b8bc008ec026440f01c5410f01d00f080f09"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0xa2, 0x3, 0x40, 0x3}}, @wr_crn={0x67, 0x20, {0x2}}, @nested_amd_set_intercept={0x181, 0x30, {0x1, 0x8, 0x1, 0x1}}], 0x541}) r40 = mmap$KVM_VCPU(&(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x1, r39, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r40, 0x4) syz_kvm_assert_syzos_uexit$x86(r33, r40, 0x6) r41 = socketcall$auto_SYS_GETSOCKOPT(0xf, &(0x7f0000016840)=0x1000) syz_kvm_setup_cpu$ppc64(r33, r41, &(0x7f0000efc000/0x18000)=nil, &(0x7f0000016ac0)=[{0x0, &(0x7f0000016880)="a600c07f0000e03e0000f7620400f77a0000f7660500f7620005003f00001863000017930000e03e0000f7620400f77a0000f7660500f7620000003f00001863000017930000e03e0000f7620400f77a0000f7660900f7620000003fa3201863000017930000e03e0000f7620400f77a0000f7660d00f762ffff003f4b451863000017930000603c00006360040063780000636400f063600000803c0000846004008478000084640500846022000044e403007c0000003c0000006004000078000000645b9200600003203c00002160000020900000003c0000006004000078000000645b9200600000203c00002160000020900000603c00006360040063780000636400f063600000803c0000846004008478000084645b92846022000044889c7f1385793c110000603c0000636004006378000063640cef6360ae43803c0b6984600400847832d2846464ab84609f20a03ca8eda5600400a578b640a564b1f3a5607295c03ce2a3c6600400c6780ab5c664b456c6607af7e03c4f1ee7600400e7786dafe764735de7606ed4003dea68086104000879843e08652b1e08610f08203d57992961040029792ea52965a33a296110da403d21f44a6104004a796b7d4a651ac94a617ad9603d84786b6104006b79f9f16b6562ee6b61220000448c30803dde998c6104008c79c3848c65c4008c61427ef31308db47fd6310e03fa71cff630400ff7b5816ff6760a0ff6326ffa17f", 0x214}], 0x1, 0x8, &(0x7f0000016b00)=[@featur1={0x1, 0x9}], 0x1) syz_kvm_setup_syzos_vm$x86(r41, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$KVM_EXIT_HYPERCALL(r40, 0x20, &(0x7f0000016b40)="e5b31e151b44d5a7e6d4318c23841cad911cec23f0d39a4bed977a0a13d9f9d106f592bf97ea28b048c1764155a698d413be9712ccb298c0b89ca67076be69d83491ff71bc7733d0", 0x0, 0x48) syz_mount_image$adfs(&(0x7f0000016bc0), &(0x7f0000016c00)='./file1\x00', 0x80828, &(0x7f0000016c40)={[{@othmask={'othmask', 0x3d, 0x6}}, {@uid={'uid', 0x3d, r12}}], [{@smackfstransmute={'smackfstransmute', 0x3d, 'wlan1\x00'}}]}, 0x0, 0x1010, &(0x7f0000016cc0)="$eJwAABD/7+DzLu5nJlfY4S8N7x7c7H1u6LgA+exdzvpOLzQAr7/rfNFAHfnAo2qv5nhO5QygY0GgGz/kSfj6xNYfxXqBteG7nY3Vty0ff23vxTYFz5UfxoeEobtaWv+1og3Yxk2dXn1o6J9IlvClC+R9nWENAi8UlxSASZiae36mhq8Kat6nAIGsC0+v7RYUEprkHeyLogLBn+MVGrdNeyBRrbDI7fMQy4hlDsd0m95OqrFRe5iM1xgZqwl0IMDrI4ZSv0jNKx9QDgV0rEp9L1So8BWushiPyaoTCz4e5Uj2yo8qTDvP2eRW7gNKBKwo7by8nVXMOs5q6SYOm+Iv0Ed+vcWM6nTFc5IcCKlso5ealIwWEVuGuuQLcntNAZUK0mwv1MdzFjUE5VpjCFUzeZ+Bqp6ZJW0ROky4mBP2IQpLyWkgiEeNDedVt0Cm3B5LNG+jOzCiZ2M9O3CSP6t1GXKptT/VKBXzkDe1PLRpcNjlA8RbX38YaiVLOImft3UbIXbJ6UCTwf56q7ri0xqqeaB2pnCyTqqt+4/2nIDcCY2VFHKbYFJiLhMICgn/lJc8JOQwYGp6OwNDTVu705XrFH7dmZ7I440NmPRWgJuf3PdCMNYezlwY2wQELRqQ8B8kFSjZfTgyz8Yg5Zc2+xG4MTaNRZo+JjSh39rorZs0LF1wrjL+8/xkDuEogTjaTnrvieMkLjxLU035BJKNxCGfdOmrYqrpWcQsn0vDpxuoPJyQKh3mDm5R5JllVa/1mJ41oob0oQMPhY7fxQIO5CgOclTrTC3mO9c9byvnmE0nx/oX6jmGDuuCW5EropfqF42lJmLHkixSlv2skDGhmYJkvwcaA3QaS/vpq0NF+CwKZ1yTb1vWiqPVYhq6kAPbzd+BmWbxJyaTCUc60UYku/9J+VLLGkEwgBjps7TEZGT/SjpJ/Kp+/sj4pOzilfGreaDQkRs+p6H3+CUiGT7uGxcegn3yO0D9dl2ZhxBU3AinBTK/+kXFCNs1kGUE+7HuSIzZguM+DYgxNwAqROiwIjcSewciAK2Wf9N9KI0y9VmbOZ1226Nt+2drpFz+eT7YQlDzHdnAEF0C6I3Ws1YBxQHwMmcgVGoi3kc2O4dpn7ShwIvxXyRKbT3d73cG057wE/lV8BKx2BhaAErPjDOQBPG+Yo+kAUvilaZnZwSn8Jl/Il8RVjaOBkKIm+MG8zn3zfsEQLK5nZmIXDY1Y9xY7k4Usib9kOQeGLC9uNH7N+D5GRPwPaIiyY32R4OrZIbQMRm8oggL72pGc6khaPF4ztTXMD0OWAr+FjIe7yRrNKkhlMJGWwV/O2P2ctHc/BEIxpG/+SNj7Y+nJFgpfqzUuRI0mkYxlaYYagpImXAN+kWFhLG9s0OpiMQ1ek2G/7xFDUuQWKDAyJEkjWxxfg7OlTaSfM5N+nHKE0JwqYkZCS/3Z2Yc9lf5QyzJCXNt6lETfjInwK26k5BWgCcRJDUE0+H/MTojXRdG0ky/GPg+rexrA4I5FUDtJGuo+U9iGviyo2anDfFO66SmwkayKqvCmNUcsokvPUX9VychADi26NGVAp6KNFS8rB4WPPs4ccGB/cBpnnIrdx/1VSDon2lIX6j0MP4qw7ANTOiIcyVCTp5d1kAfaZo3QgFDHzlSCor6MpPfSkGDc1X6AN5hNByYPhB+KDKiMY8iEMUQLWLg197oRysm60uJgZnvXypwo2fUAwuHZmFzxSYxVL39XtVy+ZC/zq5oMUJxgGghXOJ3qzbm3t2sl0hiwIpJsIavbCrltLkQbgqO9+gnrcqA/WYisTQqJmFhvF/VeL0uDW4f2JmfV7UK/7pDxcdXqmz51Fc75lwGUzrR9JcaT3RMS+6YSCUJeV7cgjxUjxAE+Mmg8joDl4OBzgKr7Yw0mfkILHHDiQiE0t6ZXyRFjmKpadhripIg9P6vf8H6ig6OQs7XYtR7UrB7UEtD0R9AJawbMG46HQuD1P91pkazs0+MGhbbzsC86JdV+KB6ypwnJi2LAVf2N9SSA94c/LIwNkE+jQvmU8OkJsKGUKfSzX7iKJnB0Pj7N2jIDRQWd+ByCo72c5juv62PcVDeC5nadSbu1qNH0cD93QZyMFiknlhFyBchzcqoJDmxFoPFtv0ajILAdfB3c7I00fgdnwyA1kgs0h805c9xWPYI1MrfwVefG2hkXh5QFWlOqEIH+kGkMGu2GmSHdrWnFANiGCSGwPNbGYPP26HXx1hOTFCX/7mNEtPQ6qFps3rYx0bYtpanB+RaP/D2sMkxjXEptqRsn4bebqtMicNbGFvGxpNGSieHgXvDzdj+jMa8PW+ueRmPh8cT4hGgxRh1I+oZTAj5ZXo43K6x63NGF9Wb9vih651f3BVcllqUwQjmwIs7Eu4rbrP/DwimvGEXUTmmRf3ztR1LcPhpxCn5Yit4GmH/AFOYTNyU0G4u3hcqqJPfT7kTxzB50dbbsAo+YHrHKliCAI1iYFUyS/PaxmtBOJSLxyp9bVmfXTeimZ1/W3m2jmuqR+uUpiNAbTXSzLwuBR6dv7V0jmL1Hez/fZuQGsJwG56GqBfsAENkI0zwdsTsYtUNb2CF/zeI6xDiVU82dP1hgLb0NIQEFMjLFTc4nL+V5aQVJrz03kirusjs0TfxDU7YmVs1qZGpkBeV6VBd4OK7lnJ1GsTp1lJcaUj4kv+/fRJYKLlO5akkR+Z3ztimgaLzbqaqnzi6b0YksDW/O4cElQc3R6Dvt06ScYinuhZKoTH5RRbUi1tXOLJilAvGhSKg0U66qxZ0SP352NG/zhRPjG2uKKpVjVfFNBDLI118dt9BUzHQxw2vQw4dfXZ5Wo/EPxttR6n17xqdTbvpC2EJqVIWLiqXWW8KYauUcvGWAXU5PV8slOLu/acjqsjI4JTDrowX1TO1G8kG78vov2HIYWadyuS3qWee1WJzPHrpfGGPMNV1dqs7H+Lacu9D9NSqrYgTaWrUhSDBHQsCfIHthMB+ixoSL10VCHAu2DEzsn9EUHaaMAheNyuZS2iCZ6Ou8oz56aCLrhm0t5VIKv94CyUr+KPvT1yfIK6+po48KKnXyeWalemDodSW2utjqCaLc3bjlCqyEmbuN047AWByKLJ1CeOtiegd9O/SQ4XfFaln5TDMTNyNvSHk8R7IyHrJxUpd2pbI026b0AbExUkZ1rxWsMgrXM+4Kc+puYlohv14Pip27mVXBmvX8wHm/xcn9cMPmO7AUtI22sX1cfHqmsIV0i+bw8EFJ1C2iRiB9FzzJ13usOTAWSqAt/VBQWFVw8fz/C+rgy4JFpsIyEEU+c7ozzOtGEXZnz1UKH6vnxuWQS82qdcKV+x+SxEhGUCi+E7hgDj+L9uwmYvxSU3ROChcPHbdlSurJ6JdOMpYdBIOd4sxcoubkW4E7gpGjH8v/1qw/bi3GnHWWEp9PHThPs+UvcTiQaNLjaXNy/mygcDnqR91PbrKqFA+lS8evPflnc068rr/5lFm7YLRAgPybtIhMxZ1cSR0Ne+9mKBqu+lvb+mWlAUP+B/QkEFLyd4hDgP3n4B570BA0Ym/AyqZf0OOE7XSRp4JaQDiuYYJn+h1r24mDDe+TKoImpQKwH5YSevAJ7zyifYV83MTBY9hNa8l+CX8XyjOd6f3MVDQBqBwMQ+c8h/FIHvEAKZp0etmEP0SZ4wdI6eENK9Gv38l2Fj1bsQZmNSxepZGFPK13e8vECMVNVPINct7gkpTEa441vJA9B9FMwAOm97YIke5BEPk7QLcrat9bOH0Mv4aNyy4E8Ma0T7Y3I7hW8b+KfmhvFuvz/RAVqy8vH7//qwyxRBdQ1B9nPL1QpynGJfBa+lxlrbafWkZmwn8Nq3Qew4YmsrFI2bREEQi85ZM1cgUkrJVCn9/F6bjj/m88+lyVVKX8ZchUpPg3XiPDYofdlJM9UxywD66ZJL5O0NomZuzB82le7sDmvXgMZwnYlyFiUSip8VW8JBhJMYctzhdH2UdjF/uI4HMF1GdIGCAmdbOft+bqP0CSSYw+G7G56aB+OApIJUBKN/vWYFKKSE3qhrn7islCofanfsBMSBfluYS0ReN/9T59a3ztoJwxIy0Z3IAyu5wn6NzPBepo6caNkGI7BIXmhoihku6wAly4Z41zm7oSm3x3JXFW9rzfOA/zPHwntvnziMbBkZHrsdM0ORaIk3UIeapRxmYoNRxcAzUemH9xyhlGPqIn/gHfDlQqw5ySsh924BD5pxtcdLAtgfkJ28Z7MAjYzSJXcW1pmsyPPu3ZtXcHDwwHA6+K0cXW/AZLz4swCUMy4B8DUZriwqFKAG88SwnDirP7jTHzRdu+bOLPVlcAImA9FZdAgI8QHMgg/9unXANWCMn4GSrM1YRDPNQekOgU48w2idM8EVqbo+YR6I55yuZYhzeNOG2AmPTrlPi/RDRs+91RCbu9xvB9w+y+zQhxCSbrbPBlZJV2KQPZuGQZMTuARhQDXgFnFKG/3qjuD7JC39qBsnyBnaOw9ysYwXFjRBcou7lMr4v+wITsxE6l1jmgciRAdn7CLtMY0H0ZhmqVrV3efe5KhAXXk7/pNYRlmdplCoFl3B8ZCE2ZJq7s13SyPg0cPy5WMQ/1j4NLBfPH/AHXMRh2DBCmj4I5HHOEn7MwydW7LMAzYbQCbyW2sAVx7Yp3sJ5pKRQ7SQiwjxrMR5mOgqQ4aogTr0LvHED4xh5sEpHdFiO2GW4pVEBfU6F5zCyANr9f0tefrSPNaczTct0Q8Doo0w4EwtTSjwux102iX46uWv6pAqZBURzXjWXz6atokVTFKch5TM0yExzYkX7LU2YYxA1c0wNaSu2lbxdx//2jnHmxnIbAaKDp5hLVaiLPnMM7mS56eY0PqPBj0J8AYTLRJBGiQHorAfoig5o8owdtkBtCYU70+CX2lbB/1geky36s/0qdukaxlxcUSdzBgukzD7qTGukVnZReLitvHUUsMmrSGIbvQ0xRx0VZ57PqZRGMlOQbmDujbnoqx+hNZdiwC1hyk74btWRYmANzjNiLm6IFu4YawCjBiIInpA5+8GXxdGQZ6rL39Q3bHU/ZvCyppWJkMyNgW4+rmuUplv6FzbtmHqdq3W1QXKzydm6rkzyKXU50Px/cktZlktrUExSKGSuMEfyYUT83ynuLaiw3obHNSsgVNCl1aSXiiVg2YDudR0oxMdQCn5GxpeFFPA8+N91Xrq9OomvQfpnNN1t9XVvwRMNzORED1ewBIei73znBodVO/0dzssMJbwctCGwCxkSGOwdY0VcyFjaT2aXmcpNOfykGqFYkGjbuy48+REaWwLH+c+qGwRi1FucoafT38WtXBUs+KSJLp/e+Z+opJ0Cf7bRY8YINw+dIpiY7sJy2IywyfPPgGv4y/Q31MrTq9KpTVOzJrMA2esB0gA1tBlbBafPddfjr/QndNIDyMnj6S/ImLD/UIG8ey67/EitGAMBAAD//4vg68M=") syz_open_dev$I2C(&(0x7f0000017d00), 0x9, 0x484580) r42 = getpgid(r16) syz_open_procfs(r42, &(0x7f0000017d40)='net/if_inet6\x00') syz_open_pts(r33, 0x208800) syz_pidfd_open(r19, 0x0) r43 = pkey_alloc(0x0, 0x1) syz_pkey_set(r43, 0x1) syz_read_part_table(0xa3, &(0x7f0000017d80)="$eJwAkwBs/6RRXCBt7GMlTq9EwjPgL5iXkmoXVekSpoe7ibH6oF/5D/ZAK8XpdW8CA5rjuSzcvCA++0N5lxGWHxXxqSl4LLmGp3bnsP5gYb0gZdymHwDFW8VDe5gP/DZ5nimHPbk4LNscZFNeCdt6zcNh8i/TsdVkCZ1V5euwB4WSzV6Wxd/mGwg2gTZ3887ZGxYH5DiblIuYQAEAAP//2jdIgw==") syz_socket_connect_nvme_tcp() r44 = syz_usb_connect(0x2, 0x745, &(0x7f0000017e40)={{0x12, 0x1, 0x200, 0x8d, 0xd8, 0x82, 0x10, 0x1bbb, 0x203, 0xa779, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x733, 0x3, 0xb, 0x1, 0x80, 0x1, "", [{{0x9, 0x4, 0x2, 0x5, 0x0, 0xf, 0xcd, 0x1f, 0xf3, [@cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '<'}, {0x5, 0x24, 0x0, 0x80}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x8, 0x3, 0x1}, {0x6, 0x24, 0x1a, 0x7, 0x6}, [@mbim_extended={0x8, 0x24, 0x1c, 0xc, 0x6, 0x122}, @country_functional={0x12, 0x24, 0x7, 0x8b, 0x7, [0xfff9, 0x5, 0x3, 0xad97, 0x3, 0x0]}, @mdlm_detail={0xac, 0x24, 0x13, 0xb, "784f7bf45593f2145d18e49bc52edb011422491eba8fc40ebed34d5d81304da0a35565ec2036117bec4b01ef8f75c9d54e74b45316d0e1672a97b631729bcb7dc99bde682891bd5954d945f412979ecae7ee086c3650d3f976a990edea932dc3085d9c08f20badcebf87a97ba36151788daa2e6be45675380139cb89a17f95a65c87a272b183873660c9b63cee55c43ae5df58b45fbe08f00a86c6b1dfbd517b7dcdca1c6c75cd37"}, @country_functional={0x6, 0x24, 0x7, 0x1, 0xa}]}, @hid_hid={0x9, 0x21, 0x9a, 0x8, 0x1, {0x22, 0x373}}]}}, {{0x9, 0x4, 0xb8, 0xc, 0xf, 0xc3, 0x47, 0xe8, 0x7f, [], [{{0x9, 0x5, 0x80, 0x2, 0x410, 0xd9, 0xf6, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x5, 0x2}]}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x2, 0x2, 0x6}}, {{0x9, 0x5, 0xb, 0x3, 0x1308e9cbc37c7b4d, 0x6, 0x8, 0x5, [@generic={0x82, 0x11, "45836f6c3f5125725ed5b96b96b2911adb85370ceb5989894bd83417ee42276ce80fe734db8d2d94f2fe8c75bfd042fb632cfa5d5254f9b0fadc885d628a0dc92e274c02cd3be0421b608e2c538de20b208eaaea7b51dc13bdf7f2e00a6cbd3030df9baca667e6ccc42bdc2f5d822a3fc298b060da91265dd01583221a09899f"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x8, 0x4, 0x1, 0xfc}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0xd7, 0x0, 0x0, [@generic={0xf6, 0x22, "67439d731f507017a62ab89eb7118e315aab47bce00cfe092f9b6b6527812c051d98789a341cd8579c0c0f64f353faa641372867640b733bac8b8800b7baf106d03b36b934ebf24e84f554e1489e48416547bb7c90482fa4706467390768598bfddeee37f96a286a2f726ed89e5cfeb0dca14945145d5727fbd9b2949f9528d01e948e6305191bbbdfe60f223ae3a19823ce4a8797df004c048b9c0d793d173e5a39afc5eafe8ed82b45d9ac82fdfd1ef590fa300f32a49684630a4b392ff580eeaeff43c607a95169525530c24b189dee913cf7b9e1c1bafb11771b05c784720c28eb001ad218d0a92c1e32071606734ed956b6"}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0xd57d}]}}, {{0x9, 0x5, 0x1, 0x0, 0x400, 0x93, 0xff, 0x5e, [@generic={0x9f, 0x22, "faae6b7b5cb60baabdbe69da80d6306cc5c48a7eeedd7a47a92b693f17794385e5df43428ff861b389fffa4e903a47cbec60c794d78a7287affd416273fae978b7313ebd0b4ba90d2c47c1a1a66f6a698dcad67c6b40c482a09d3b92c05422f1eeed158be373e6623f40f82b25697f8f7934c60a81a403f22d919166e011d31a6497a0c7a512e4ddd841b5441454c1e15d8a2ab3e78f86a5cf03e792e7"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x1, 0x9}]}}, {{0x9, 0x5, 0x3, 0xc, 0x10, 0xb, 0x3, 0x2, [@generic={0xb1, 0x0, "33e5f9756d19a3eb392ba45b9f381dc2b062ee3ce942a485e678a8ea13f6c9eac74ec9641b119d78a9e36b32327cfb535d6ee402917d7b92a3ef09a79323735dbed9b623ca4b83db0117d537e5c58c6405bb0fe33bda56ba384b95fd4687df0217b223a0a525062ef259591dba73db936a7f85b82dddced8216aa4bc4ed636a57fc6e683e3ceb10a63be63330c0ea4d2a5cff5db4ac71ac10cdce3f5bd50c29ca7d1558dc5ed7f06b21dd7ba9a0dc6"}]}}, {{0x9, 0x5, 0x5, 0x10, 0x8, 0xd4, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x0, 0x20a}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x5}]}}, {{0x9, 0x5, 0x5, 0x0, 0x8, 0x7, 0x7, 0x1, [@generic={0xd4, 0xf, "737d3a4315658a8ffad124ef25692125494e376089b70b3fa63c98d548319145d9a432c0a3a910835f2c89b97e7168de3f5a68fc6d3086b5abbd9cad99b9f57df66d7a2af8b11c90041dd44ea5cb90b08493f1cc38391ab393edca7afe19ada684d62c76028a4283d3f7c4b6a29530b4345f74fedf78709f1a6172ae091c181037aa8d41503c854f5d64a4e1772982edb2faeb1f1a4ffb5f1b62415e46f1bb27374d48245031d050dc5528c7d19e7d9f4f71983984e44a633575f1b792d06db2ada0ca60eb3896c7e517981d567fe7b58ad2"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x5, 0x47, 0xff}}, {{0x9, 0x5, 0xd, 0x4, 0x10, 0x9, 0x9, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x5, 0x1}, @generic={0x84, 0x4, "c25a3fb73a08d8b88a25e396fee4b018b4487bccabbffe8ac964097b47dd926e5cb685c9568c4738e1bc0972ad10f12789a9a8080d7a492630e9a155a12e267604f53773b1f3a603c19d4dc0f4c5ccee5e9571706e990dc862312fb3d26cc37b011d95f3159d13c4ac34ab084c1a0660509ae13fa6f84d6068b33e5ff1da2a32373a"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0xa, 0x8, 0x4}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0x6, 0x4, 0x96, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0xbe, 0xda}, @uac_iso={0x7, 0x25, 0x1, 0x8}]}}, {{0x9, 0x5, 0x8, 0x2, 0x10, 0xb, 0x5, 0x8f, [@generic={0x77, 0x53a54cd3d610e5f7, "e6da6832665e8fc36a0e8f94157f6a5fbd96ba6085fa6cc0de01635150751fa9080a8ce5aaa4e50bddbefe649a9885244d8fd877920b570d6913ac5ef74d87139a81215ace972e769b6e707e2102de593a661d408d0cbce385ecdc66d00e649dd5504e8b1f2aeedf02eb08bd9a2b2102f37927bfb9"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x40, 0x8000}]}}, {{0x9, 0x5, 0xd, 0xc, 0x40, 0x6, 0x0, 0x9}}]}}, {{0x9, 0x4, 0x1e, 0x8, 0x3, 0x90, 0x1b, 0x5d, 0x9, [@uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x3, 0x1, 0x0, 0x35, 0x8}, @format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x4, 0x3, 0x4, 0xf6, 0x80}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x35c6, 0x1, 0x3}]}, @uac_control={{0xa, 0x24, 0x1, 0x8001, 0x51}, [@feature_unit={0x9, 0x24, 0x6, 0x4, 0x3, 0x1, [0x4], 0x8}, @processing_unit={0xb, 0x24, 0x7, 0x4, 0x3, 0x9, "d6e5bec9"}, @processing_unit={0x9, 0x24, 0x7, 0x1, 0x1, 0x6, 'CO'}, @input_terminal={0xc, 0x24, 0x2, 0x2, 0x204, 0x5, 0x9, 0x9, 0x1, 0xd4}, @feature_unit={0x11, 0x24, 0x6, 0x5, 0x6, 0x5, [0x3, 0xa, 0x3, 0x9, 0x3], 0x3}, @extension_unit={0xd, 0x24, 0x8, 0x2, 0x5, 0xfa, "cf521fd9778e"}]}], [{{0x9, 0x5, 0x0, 0x1, 0x200, 0x3, 0x9, 0x6}}, {{0x9, 0x5, 0x1, 0x10, 0x0, 0x7, 0x3, 0x1}}, {{0x9, 0x5, 0x9, 0x3, 0x20, 0xf, 0x4, 0x5, [@generic={0x30, 0x30, "9af3fe7151c3b3ad7bd1a1c8e2ee7c9495bfb52094d1dc13f41f06a76b111ebf9089a2372b323499e81536ed22f6"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0xd, 0x1000}]}}]}}]}}]}}, &(0x7f00000187c0)={0xa, &(0x7f00000185c0)={0xa, 0x6, 0x200, 0xe, 0x7c, 0x5, 0x40, 0x6}, 0xec, &(0x7f0000018600)={0x5, 0xf, 0xec, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x7f, 0x4, 0x10}, @ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x19, "3708892f9f7225be3a6009559965ad74"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x20, 0xc9, 0x3, 0x3, 0x8}, @generic={0xba, 0x10, 0x3, "2a0452f8e56ac2ffaee6cb1fc6faea4298664f032676da02ee36cac0df472c05b6a895c87b06145c8cb2bf1563d915fb7459dfa37e7b010a2307d76ed4c75a0c1962074d24f9836e05df965fdf4e2460076f7f109708230872abfc7b89d4e5e08d5d7b3b28be99666169e4beaa1ed7099d4ead2e0aeab9e01ff1bf20b59a78a6d9852989b4c4732550c70f843daa0c88d82ef806ece508cc9553fe8134cfadc5769bff046dca8f1fe031f25dbae923962256a0d962f081"}]}, 0x2, [{0x5f, &(0x7f0000018700)=@string={0x5f, 0x3, "159faef02b246dab7cba3efc4a7fed8d174bd706d48457f261ad8fe88dc0426fe71a32291ee93575bf347cbfc21323b208f15a792abbf3017092aa8e551fcbd851ca7390612f9e5848738c872b638738755adfa7d432eab1cdf11246e6"}}, {0x4, &(0x7f0000018780)=@lang_id={0x4, 0x3, 0x41d}}]}) r45 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000018800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r44, &(0x7f0000018a00)={0x2c, &(0x7f0000018880)={0x20, 0xa, 0x6, {0x6, 0x11, "11be6906"}}, &(0x7f00000188c0)={0x0, 0x3, 0x4b, @string={0x4b, 0x3, "54f166c504f790b8fd2167ab4d2207faf4e0d9b9068564c8fee82a31e2a56d9b863c4188c802bd1e737993ba22a323795cb0b4f4e94cb796758840f7c88898694a059be76c0285d691"}}, &(0x7f0000018940)={0x0, 0xf, 0x1a, {0x5, 0xf, 0x1a, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0x1, 0x4, 0xa, 0x4, 0x10}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0x6, 0x0, 0x1}]}}, &(0x7f0000018980)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7e, 0x0, 0x2, 0x7, "3c6895ab", "138253ae"}}, &(0x7f00000189c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xe, 0x1, 0xb5, 0x2, 0x6, 0x7, 0x9}}}, &(0x7f0000018e40)={0x84, &(0x7f0000018a40)={0x20, 0xc, 0x2, "d80b"}, &(0x7f0000018a80)={0x0, 0xa, 0x1, 0x7}, &(0x7f0000018ac0)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000018b00)={0x20, 0x0, 0x4, {0x0, 0x2}}, &(0x7f0000018b40)={0x20, 0x0, 0x8, {0x1160, 0x2, [0x1e0ff]}}, &(0x7f0000018b80)={0x40, 0x7, 0x2}, &(0x7f0000018bc0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000018c00)={0x40, 0xb, 0x2, '~s'}, &(0x7f0000018c40)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000018c80)={0x40, 0x13, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x17}}, &(0x7f0000018cc0)={0x40, 0x17, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x3d}}, &(0x7f0000018d00)={0x40, 0x19, 0x2, "b362"}, &(0x7f0000018d40)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000018d80)={0x40, 0x1c, 0x1, 0xfa}, &(0x7f0000018dc0)={0x40, 0x1e, 0x1, 0x9}, &(0x7f0000018e00)={0x40, 0x21, 0x1, 0x8}}) syz_usb_disconnect(r45) syz_usb_ep_read(r45, 0xd2, 0xde, &(0x7f0000018f00)=""/222) r46 = syz_usb_connect$midi(0x0, 0xde, &(0x7f0000019000)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x10, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xcc, 0x1, 0x1, 0x9, 0x0, 0x9, "", {{{0x9, 0x4, 0x0, 0x0, 0x5, 0x1, 0x3, 0x0, 0xa, [@ms_header={0x7, 0x24, 0x1, 0x0, 0x7}, @midi_out_jack={0x11, 0x24, 0x3, 0x0, 0xf5, 0x5, [{0x4}, {0x7, 0x7}, {0xc1}, {0x3, 0x3}, {0x2, 0xc}], 0xd4}, @midi_out_jack={0x13, 0x24, 0x3, 0x2, 0xd, 0x6, [{0x13, 0x80}, {0x2, 0xe}, {0x1, 0x3}, {0x8, 0x7}, {0x7, 0x4}, {0xeb, 0x6}], 0x4}, @ms_header={0x7, 0x24, 0x1, 0x3, 0x7}, @midi_out_jack={0x9, 0x24, 0x3, 0x0, 0x6, 0x1, [{0x2, 0x53}]}], [{{0x9, 0x5, 0xc, 0x0, 0x8, 0x0, 0x3, 0xef, {0xf, 0x25, 0x1, 0xb, "8dca6f86ba1543f9fd5417"}}}, {{0x9, 0x5, 0x1, 0x2, 0x10, 0xa5, 0x8, 0x3, {0x13, 0x25, 0x1, 0xf, "fc2ab7fab02e86b9c83c1a1c2ee5ba"}}}, {{0x9, 0x5, 0xc, 0x8, 0x400, 0x3, 0x0, 0xbe, {0x13, 0x25, 0x1, 0xf, "d9811e1ed3642bab8c2a71bc25bf6c"}}}, {{0x9, 0x5, 0x3, 0x0, 0x3ff, 0x7f, 0x96, 0x7, {0xf, 0x25, 0x1, 0xb, "0ec3b8efc022fc1b474cae"}}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0x18, 0x5, 0x3, {0xe, 0x25, 0x1, 0xa, "e3c106c54a63638a2e82"}}}]}}}}}]}}, &(0x7f0000019280)={0xa, &(0x7f0000019100)={0xa, 0x6, 0x110, 0x2, 0x2, 0x8, 0xff}, 0x3d, &(0x7f0000019140)={0x5, 0xf, 0x3d, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x40, 0xab, 0x3, 0x100}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "5699f3928d2d0a00633f2b02584c016a"}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x0, 0x8, 0x6baa, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x6, 0x0, 0x98}, @ext_cap={0x7, 0x10, 0x2, 0x12, 0x5, 0x3, 0x4}]}, 0x1, [{0xc1, &(0x7f0000019180)=@string={0xc1, 0x3, "b64349de30b23e683c87b0fe59341d26e0e391acdf6ad0571acc05f8e5fcfdc3936c96d99906c4c1e5d9ce59609e60fc394029a19fec981cfde7e9d38c1465f6a04b5b0ee298f5f21e58f71b8f7100d1bc55ca97b1b3ab63485b92e16630ae0c539315c25cefc347d66d80c2531e81af67e179c16966bcb8e998e0cd1b3c2bdc6c049946edb3eaafbbd9b5f0fe7c5925b619e8e7cfce1a62c4d2ac459740065e9f9eb72202c0edae4bfcf5d11b9314581d63e688ec40c037a3c41c0220bb1a"}}]}) syz_usb_ep_write(r46, 0x3, 0x9, &(0x7f00000192c0)="b72534d84209a7a862") syz_usbip_server_init(0x1) csource_test.go:162: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_cachestat #define __NR_cachestat 451 #endif #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t user_addr; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint32_t flags; uint32_t resv1; uint64_t user_addr; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; static long io_uring_sqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_SQE << !!(params->flags & IORING_SETUP_SQE128); } static long io_uring_cqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_CQE << !!(params->flags & IORING_SETUP_CQE32); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0, volatile long a1) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + params->cq_off.ring_mask); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + params->cq_off.head); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; uint32_t cqe_off = params->cq_off.cqes + cq_head * io_uring_cqe_size(params); struct io_uring_cqe* cqe = (struct io_uring_cqe*)(ring_ptr + cqe_off); long res = (long)cqe->res; __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return res; } #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_params_ptr_out = (void**)a2; void** ring_ptr_out = (void**)a3; void** sqes_ptr_out = (void**)a4; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); *ring_params_ptr_out = (void*)setup_params; uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * io_uring_cqe_size(setup_params); uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * io_uring_sqe_size(setup_params); *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < setup_params->sq_entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; char* sqes_ptr = (char*)a2; char* sqe = (char*)a3; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + params->sq_off.ring_mask); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + params->sq_off.tail); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sqe_size = io_uring_sqe_size(params); char* sqe_dest = sqes_ptr + sq_tail * sqe_size; memcpy(sqe_dest, sqe, sqe_size); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_io_uring_modify_offsets(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* params = (char*)a0; char* ring_ptr = (char*)a1; uint32_t params_off = (uint32_t)a2; uint32_t value = (uint32_t)a3; uint32_t ring_off = *(uint32_t*)(params + params_off); *(uint32_t*)(ring_ptr + ring_off) = value; return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[47] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {} inject_fault(1); res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/0, /*ring_ptr=*/0); if (res != -1) r[0] = res; memcpy((void*)0x200000000000, "threaded\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000000ul, /*len=*/9ul); *(uint64_t*)0x200000000040 = -1; *(uint64_t*)0x200000000048 = 0; syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); for (int i = 0; i < 4; i++) { syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); } syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xf503, /*arg=*/0ul); memcpy((void*)0x2000000000c0, "/dev/bsg/2:0:0:0\000", 17); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul, /*flags=FASYNC*/0x2000, /*mode=*/0); if (res != -1) r[1] = res; syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x9360, /*arg=*/0x76ul); syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x111, /*optname=*/2, /*optval=*/0, /*optlen=*/4ul); *(uint32_t*)0x200000000240 = 6; *(uint32_t*)0x200000000244 = 0xa; *(uint64_t*)0x200000000248 = 0x2000000001c0; *(uint64_t*)0x2000000001c0 = 0xfffffffffffffff7; *(uint64_t*)0x2000000001c8 = 4; *(uint32_t*)0x2000000001d0 = 7; *(uint32_t*)0x2000000001d4 = 1; *(uint64_t*)0x2000000001d8 = 0x200000000100; *(uint32_t*)0x200000000100 = 4; *(uint32_t*)0x2000000001e0 = 0xd8d; *(uint32_t*)0x2000000001e4 = 0x40; *(uint32_t*)0x2000000001e8 = 0x42; *(uint64_t*)0x2000000001ec = 0x200000000140; memcpy((void*)0x200000000140, "\x39\x70\x15\x49\x5b\x43\x3e\x06\x2b\x4e\xf5\x49\xb0\x56\xc6\x05\x30\x06\x14\x82\x48\xbe\xe9\x34\xbd\x6a\x20\x8a\x2a\x61\xc7\x9f\x4a\x49\x35\x7e\x53\x65\x38\xe0\x86\x95\x7c\x37\x7e\xd1\xf5\xa6\x46\xb7\x40\x17\xe3\x05\x84\x21\x44\x81\x2e\x9b\xba\x29\x01\xbf\x44\x11", 66); *(uint32_t*)0x2000000001f4 = 9; *(uint32_t*)0x2000000001f8 = 1; *(uint64_t*)0x200000000250 = 0x200000000200; *(uint32_t*)0x200000000258 = 0x3c; *(uint32_t*)0x20000000025c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000240ul); *(uint32_t*)0x2000000003c0 = 6; *(uint32_t*)0x2000000003c4 = 0xa; *(uint64_t*)0x2000000003c8 = 0x200000000340; *(uint64_t*)0x200000000340 = 3; *(uint64_t*)0x200000000348 = 0x72; *(uint32_t*)0x200000000350 = 0x23; *(uint32_t*)0x200000000354 = 8; *(uint64_t*)0x200000000358 = 0x200000000280; *(uint32_t*)0x200000000280 = 0x107c; *(uint32_t*)0x200000000284 = 0x10001; *(uint32_t*)0x200000000288 = 7; *(uint32_t*)0x20000000028c = 0x5e; *(uint32_t*)0x200000000290 = 0x50; *(uint32_t*)0x200000000294 = 5; *(uint32_t*)0x200000000298 = 4; *(uint32_t*)0x20000000029c = 1; *(uint32_t*)0x200000000360 = 0x80000000; *(uint32_t*)0x200000000364 = 0x4000000; *(uint32_t*)0x200000000368 = 0x7b; *(uint64_t*)0x20000000036c = 0x2000000002c0; memcpy((void*)0x2000000002c0, "\x31\x8d\x74\xc3\x26\xf1\xd0\xa1\xdd\xbd\xe1\xb5\x12\x64\xef\x98\xbf\xda\x4f\xb6\x9c\x29\xe7\xe2\x6f\x55\xd0\x0a\xa6\xbd\x24\x97\xe2\x3c\x84\x95\xbb\xc9\x44\x03\xa7\xcb\xa7\x51\x20\xbc\xaa\x83\x2d\xd5\x3a\xee\x8e\xa1\xa6\x6a\x79\xdb\xba\xf3\xf0\xe2\x32\x10\xa9\x00\x05\x9d\xf2\xdd\xac\xa7\x12\x5b\xd9\x0e\xb9\x1f\xa2\xc9\xc8\x10\x9e\xb6\x25\x52\xe9\x0a\x21\x9e\xf9\x66\xdc\xaa\x59\x4c\x33\xa1\xe6\x23\xbc\x0d\x18\xfe\x1d\xb9\x7c\x9e\xb7\xbe\xab\x52\xef\x03\xc2\x1b\xf7\xe6\x14\x49\x52\x66\x87", 123); *(uint32_t*)0x200000000374 = 0x10; *(uint32_t*)0x200000000378 = 0x80000000; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint32_t*)0x2000000003d8 = 0x3c; *(uint32_t*)0x2000000003dc = 0xc; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x2000000003c0ul); if (res != -1) r[2] = *(uint64_t*)0x200000000380; *(uint32_t*)0x200000000500 = 0xf; *(uint32_t*)0x200000000504 = 7; *(uint64_t*)0x200000000508 = 0x200000000480; *(uint64_t*)0x200000000480 = r[2]; *(uint32_t*)0x200000000488 = 0x77; *(uint64_t*)0x20000000048c = 0x200000000400; memcpy((void*)0x200000000400, "\x8e\x46\x8e\x19\xaa\xb0\x47\xd4\xe0\x0e\x0e\xd7\xfa\xe1\x83\x0e\x8e\xaa\x0f\x74\xbf\x5f\x1a\x07\x1c\x66\xa6\xcd\x46\x19\x7d\x7c\x22\xaa\x47\x14\x7d\x72\x3b\xee\x80\x23\x8f\xd9\xe2\x75\xb5\xc9\xac\x9c\x89\x79\xf6\xfc\xbd\x06\x8a\xcc\x94\x69\xf5\x61\xdb\x80\x6a\x72\x0d\x53\xb1\xdc\x48\x32\x0b\x36\x5b\xad\x54\xf0\x4e\x1a\xcd\x0a\xd4\x08\x62\x61\x8d\x0e\x89\x53\xcd\x02\x02\x16\x9e\x15\x49\x39\x2b\xb2\xed\xd0\x7d\x80\xfd\x37\xfc\xe2\xf6\xf8\x48\x01\x3f\x38\x38\x53\x95\x19\x06", 119); *(uint64_t*)0x200000000510 = 0x2000000004c0; *(uint32_t*)0x200000000518 = 0x14; *(uint32_t*)0x20000000051c = 4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000500ul); memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 7, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 3, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memset((void*)0x200000000050, 255, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 9, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 3, 4, 12); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0, 0, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0x7ffe, 1, 15); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 4, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 6, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 1, 5); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 7, 1); *(uint8_t*)0x20000000005c = 8; *(uint8_t*)0x20000000005d = 2; *(uint8_t*)0x20000000005e = 0x11; *(uint8_t*)0x20000000005f = 0; *(uint8_t*)0x200000000060 = 0; *(uint8_t*)0x200000000061 = 1; *(uint8_t*)0x200000000062 = 8; *(uint8_t*)0x200000000063 = 2; *(uint8_t*)0x200000000064 = 0x11; *(uint8_t*)0x200000000065 = 0; *(uint8_t*)0x200000000066 = 0; *(uint8_t*)0x200000000067 = 1; *(uint16_t*)0x200000000068 = 0x70; memcpy((void*)0x20000000006a, "\x38\x74\x97\xa6\x98\x41\xa2\xe5\x28\xb4\xf2\x99\x12\xf3\xdd\x10\xb5\x0b\xa5\xa1\xe1\x70\xcc\x5b\x6d\x1c\x7a\x78\xf5\x7a\x5e\x0f\xcc\x9b\x2e\x9a\x5e\x87\xd2\x55\x16\x58\x0e\xa1\xf2\x23\xf1\x31\x7f\x86\xec\xc3\x91\x17\xcf\x0e\x53\x5c\x2e\x2b\xef\xcf\x11\xff\x81\x99\x9d\x1b\x87\xd9\xb1\x98\xc8\x03\xd7\x2a\xd7\x24\xe9\x4c\x78\x3c\xca\xc7\x76\x3a\xd3\x4e\x6f\x74\x91\xb3\x63\x7c\xe2\xf4\x66\x77\xa7\x61\x28\x73\xed\x0a\x3f\xb6\x4c\x0b\x3d\x78\x50\x3b", 112); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x9c); memcpy((void*)0x200000000100, "wlan1\000", 6); memset((void*)0x200000000140, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000100, /*ssid=*/0x200000000140, /*ssid_len=*/6, /*join_mode=*/0); memcpy((void*)0x200000000180, "bpf_lsm_path_link\000", 18); syz_btf_id_by_name(/*name=*/0x200000000180); memcpy((void*)0x2000000001c0, "\x49\x98\xde\x6d\x85\xea\x9e\x09\x84\x15\x17\xb6\x1c\xe2\x2a\x88", 16); memcpy((void*)0x200000000280, "\xb9\x66\x2d\x10\x0f\x99\xf4\xe9\x1d\x1d\xe2\xc9\x80\xce\x45\x99\x94\xb0\x46\xbf\xe0\x6b\x9a\x28\xc6\x0d\xea\x96\x80\xab\x4b\xcc\x3f\x5d\x33\x97\xa5\xa2\x51\xd7\xba\x76\x93\xb7\xeb\x37\x17\x7d\x03\x0a\x2b\x3f\xce\x8a\x23\x2e\x5b\x03\xf1\x0a\x94\x80\x52\xee\x90\x7f\xb3\x2f\x57\x5b\x23\x10\xfa\xe9\x91\x07\xf9\x5c\xca\xb7\x14\x72\x2f\x59\xec\xdb", 86); res = -1; res = syz_clone(/*flags=CLONE_NEWNET*/0x40000000, /*stack=*/0x2000000001c0, /*stack_len=*/0x10, /*parentid=*/0x200000000200, /*childtid=*/0x200000000240, /*tls=*/0x200000000280); if (res != -1) r[3] = res; memcpy((void*)0x200000000540, "./cgroup.net/syz1\000", 18); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000540ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[4] = res; *(uint64_t*)0x200000000580 = 0x200; *(uint64_t*)0x200000000588 = 0x200000000300; *(uint64_t*)0x200000000590 = 0x200000000340; *(uint64_t*)0x200000000598 = 0x200000000380; *(uint32_t*)0x2000000005a0 = 0x22; *(uint64_t*)0x2000000005a8 = 0x2000000003c0; *(uint64_t*)0x2000000005b0 = 0xb3; *(uint64_t*)0x2000000005b8 = 0x200000000480; *(uint64_t*)0x2000000005c0 = 0x200000000500; *(uint32_t*)0x200000000500 = r[3]; *(uint64_t*)0x2000000005c8 = 1; *(uint32_t*)0x2000000005d0 = r[4]; res = -1; res = syz_clone3(/*args=*/0x200000000580, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000340; r[7] = *(uint32_t*)0x200000000380; } memcpy((void*)0x200000000600, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000600); *(uint32_t*)0x200000002fc0 = 0x8001; *(uint32_t*)0x200000002fc4 = 0xee00; *(uint32_t*)0x200000002fc8 = 0xee00; *(uint32_t*)0x200000002fcc = 0xdaf9; *(uint32_t*)0x200000002fd0 = 0xd56; *(uint32_t*)0x200000002fd4 = 6; *(uint16_t*)0x200000002fd8 = 7; *(uint64_t*)0x200000002fe0 = 0x200000002f40; *(uint8_t*)0x200000002f40 = 6; *(uint64_t*)0x200000002fe8 = 0x200000002f80; *(uint8_t*)0x200000002f80 = 8; *(uint64_t*)0x200000002ff0 = 9; *(uint64_t*)0x200000002ff8 = 3; *(uint64_t*)0x200000003000 = 6; *(uint64_t*)0x200000003008 = 7; *(uint64_t*)0x200000003010 = 0x101; *(uint16_t*)0x200000003018 = 9; *(uint16_t*)0x20000000301a = 3; *(uint16_t*)0x20000000301c = 7; *(uint32_t*)0x200000003020 = r[6]; *(uint32_t*)0x200000003024 = 0; res = syscall(__NR_msgctl, /*msqid=*/0xab1, /*cmd=*/0xbul, /*buf=*/0x200000002fc0ul); if (res != -1) r[8] = *(uint32_t*)0x200000002fc4; memcpy((void*)0x200000003040, "./file0\000", 8); *(uint64_t*)0x200000003080 = 0xfffffffffffffffb; *(uint64_t*)0x200000003088 = 2; *(uint64_t*)0x200000003090 = 1; *(uint32_t*)0x200000003098 = 7; *(uint32_t*)0x20000000309c = 0xee01; *(uint32_t*)0x2000000030a0 = -1; *(uint32_t*)0x2000000030a4 = 0; *(uint64_t*)0x2000000030a8 = 0x74ff; *(uint64_t*)0x2000000030b0 = 4; *(uint64_t*)0x2000000030b8 = 9; *(uint64_t*)0x2000000030c0 = 5; *(uint64_t*)0x2000000030c8 = 0xc50; *(uint64_t*)0x2000000030d0 = 3; *(uint64_t*)0x2000000030d8 = 0xd; *(uint64_t*)0x2000000030e0 = 5; *(uint64_t*)0x2000000030e8 = 0x1650; *(uint64_t*)0x2000000030f0 = 4; memset((void*)0x2000000030f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000003040ul, /*statbuf=*/0x200000003080ul); if (res != -1) r[9] = *(uint32_t*)0x2000000030a0; res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000031c0ul); if (res != -1) r[10] = *(uint32_t*)0x2000000031d8; *(uint32_t*)0x200000003500 = 6; *(uint32_t*)0x200000003504 = 0xee01; *(uint32_t*)0x200000003508 = -1; *(uint32_t*)0x20000000350c = 0xe; *(uint32_t*)0x200000003510 = 0x101; *(uint32_t*)0x200000003514 = 0xf1; *(uint16_t*)0x200000003518 = 0x40; *(uint32_t*)0x20000000351c = 0x287c; *(uint64_t*)0x200000003520 = 0x6a1a; *(uint64_t*)0x200000003528 = 2; *(uint64_t*)0x200000003530 = 9; *(uint32_t*)0x200000003538 = r[3]; *(uint32_t*)0x20000000353c = r[6]; *(uint16_t*)0x200000003540 = 0; *(uint16_t*)0x200000003542 = 0; *(uint64_t*)0x200000003548 = 0x2000000033c0; memcpy((void*)0x2000000033c0, "\x05\x69\x76\xa5\x86\x33\x69\x6b\x63\x36\x7a\x4c\xb4\x88\xb1\x6c\xe8\x5e\x89\x94\x3e\x5f\x09\x28\xec\x40\xd6\xd8\x93\x80\x7f\xa6\xc4\x4c\x5d\x38\xda\xab\x11\x84\x33\xa7\xe8\xf1\xc4\x6e\x1f\x06\x0f\x28\x16\x5f\x41\xad\xb8\xe6\x79\xcd\x9e\x46\xac\x38\x47\x74\xe5\x6b\xca\x18\x80\xa6\x90\xfc\x3f\x8e\xd5\xf1\x24\xdd\x98\x46\x7a\x33\xbb\x40\xcf\x19\x1c\xfb\xb9\x59\x0f\x59\x17\x9b\xb6\x11\xcc\xe7\x89\x22\x59\x22\xa0\xef\x4f\x22\x86\xf8\x7f\x84\x72\x14\xfe\x25\x61\x8b\x98\x9a\x05\x01\xe7\xec\xa7\x17\x0a\x39\x13\xbc\x68\xb4\x53\x99\x66\xe2\x89\xff\x94\xac\x31\xe8\x82\x36\x68\xbd\x04\x99\xd0\x9b\x05\x5c\x41\x41\x0b\xa2\xf2\x10\x1a\xba\xf7\x15\x53\x99\xf9\x7e\xe9\x24\xe9\x27\x7e\x6f\x54\x81\x9f\x12\xfe\xf3\xc5\x76\x93\x78\xb3\x44\xb6\xff\x64\x09\xed\xc5\x78\xc6\xc9\x3a\xcc\xb0\xf0\x8a\x5d\x8f\xfc\xab\x30\xcd\xbd\x71\x3d\x1b\x93\xee\x7b\x8e\xef\xdf\x77\xea", 214); *(uint64_t*)0x200000003550 = 0x2000000034c0; memcpy((void*)0x2000000034c0, "\x02\x0c\x5a\x2a\xf3", 5); res = syscall(__NR_shmctl, /*shmid=*/0x81, /*cmd=*/2ul, /*buf=*/0x200000003500ul); if (res != -1) r[11] = *(uint32_t*)0x200000003504; *(uint32_t*)0x200000004640 = 0x35cdee94; *(uint32_t*)0x200000004644 = 0; *(uint32_t*)0x200000004648 = -1; *(uint32_t*)0x20000000464c = 3; *(uint32_t*)0x200000004650 = 6; *(uint32_t*)0x200000004654 = 2; *(uint16_t*)0x200000004658 = 0x80; *(uint32_t*)0x20000000465c = 3; *(uint64_t*)0x200000004660 = 8; *(uint64_t*)0x200000004668 = 0x7ff; *(uint64_t*)0x200000004670 = 1; *(uint32_t*)0x200000004678 = r[7]; *(uint32_t*)0x20000000467c = r[5]; *(uint16_t*)0x200000004680 = 9; *(uint16_t*)0x200000004682 = 0; *(uint64_t*)0x200000004688 = 0x200000003580; memcpy((void*)0x200000003580, "\xcd\x05\x2c\x20\x6f\x36\x8b\x4a\x7d\x16\xe2\x8c\xd3\x6b\x1e\xa6\xd1\x0d\xab\x70\x17\xb7\xd0\x85\xea\x27\xb3\xe3\x38\x9d\x76\x0d\x22\x77\xe2\x0f\xeb\xc6\x86\xf3\x59\xd6\x08\x3a\x62\x9e\x79\x81\x08\x9e\x04\x19\xc7\xb5\x62\xdb\xbd\xc2\xe6\x7c\x1e\x95\x10\x4a\x39\x05\x49\xc9\x37\x1a\x43\x45\xf2\xaa\x7d\x84\x58\x09\x4c\x60\x75\xb8\x4d\x11\x48\x6d\x27\xbf\x68\x23\x3b\xb4\x57\xeb\x10\x6b\xab\x49\xa3\xfa\xd2\x99\xb5\x90\x02\x5e\x4f\xb5\xe4\x3c\x71\x2a\xd8\x91\xf3\x91\x38\xbd\xb9\x22\xea\x9d\x21\xb7\xcf\xc7\xc3\x43\xf9\xa2\x14\x96\xc6\x69\x22\xca\xb8\xe6\x65\x35\x33\x7a\x89\xa7\x17\xc3\x54\xbf\x18\x46\xb5\x06\xc2\x34\xa3\x09\x3d\x72\x8c\x6b\xaf\x27\x2a\x6f\xa5\x15\x3d\xc0\x39\xf8\x7e\x0a\x36\x74\x4e\x1f\x80\xf2\xaa\xc0\x30\xe2\xf8\xae\x6a\x7d\xbc\xd3\xf1\x7b\xc6\x8a\xd0\xb6\x1c\xe3\x12\x12\xc4\x6e\xdd\x61\x5d\x57\x1b\x33\x8e\x22\xc0\xed\x5d\x26\xf7\xbb\x2f\x36\x5e\xcb\x2c\x43\x26\x47\xa7\xc6\xd7\x75\xb0\xe4\x1d\xb9\x28\xf9\xe7\xb2\xaf\x72\xd6\x90\xac\xf8\xb2\xad\x8c\x2e\x00\x05\x05\xb6\x95\x2c\x4a\xb9\xe2\xa8\xec\xd0\x7d\xe4\x4b\x2b\x48\xaf\x7b\x89\x46\x96\xae\x56\x7b\x6d\xd0\xa1\xf9\x9b\x00\x7a\x8f\xcf\x41\xdb\x20\x82\x7f\x58\x32\x5a\x9e\x88\x12\x35\x44\x25\xbd\xcc\x3f\x81\xf2\xd3\x86\x3d\x77\x77\xfd\x80\x36\x0e\xb8\xb9\xe7\x7e\x47\x05\x9a\x1d\x22\x65\x73\x3c\x4a\x8a\x06\x3b\x45\xed\x0b\x8c\x24\x81\xe1\xcd\xea\xfd\xdc\x5f\x42\xc9\x31\xb3\xd3\xe7\x10\xe4\x53\x8b\xba\xd8\x15\x47\x9c\xd9\xaf\xdc\x5c\xb4\x47\x23\x02\x6c\x4b\xc0\x06\xe2\x56\xf6\xf4\x27\x04\x2c\x67\x65\xa3\xb2\x53\xe9\x35\x6c\xa1\xce\x45\xd9\xd8\x3d\x5e\x11\x19\x28\xb4\x7a\x8a\xb8\x42\x2b\x37\xe8\xc3\x82\x43\x68\x62\xc9\x44\xe0\x8e\xbb\xad\xd1\xa3\x36\x86\x21\x9a\xb8\xcf\x99\x5c\x12\xa7\xab\x70\x85\xa7\x9a\x7d\x1e\xc3\xc6\xcd\x73\xa4\x43\xcf\xce\xac\xba\xca\x1d\x7f\xc0\xcf\x34\xd5\x8c\x92\x77\x88\x1f\x98\x37\x46\xff\x62\xfe\x41\xd0\xf4\xf7\xa1\x2f\xf4\x4f\x4b\xa5\xbf\x7d\x89\x35\xbf\x09\xa8\x8a\xd9\x8e\xa8\xa9\x12\x4d\xe1\x78\xc2\x8a\xcd\xf1\xba\x1a\x97\x34\xd6\xc2\x25\xda\x59\x1c\x22\x9d\x31\x3f\xcb\xda\x81\x0b\x0f\x10\x57\xb0\x73\x0a\x95\x72\xa8\x07\x75\x8d\xef\xb5\x79\xdb\x3a\xd0\x21\xac\x31\x6f\xb7\x44\xa1\x58\x2c\x16\x25\x6e\xa1\xc6\xbf\xa2\x6c\x73\xaf\x1e\x2b\x6c\x4b\x8e\x7e\xf3\x29\xe7\xca\xd7\xdb\x91\x79\x9d\xc0\x44\xae\xcc\xe5\xf0\x6e\x80\x3a\x4d\x85\xbc\xf5\xf4\x5d\xc0\x15\xd1\x3e\x3f\x2c\x18\x92\x09\x9e\xe6\x53\x77\x7c\xa5\xf6\xc9\x2e\x41\xf4\xe3\x0b\xa3\x0f\x83\x27\x03\xdf\x08\xa4\x16\x75\x2b\x83\x1b\x46\xc5\x65\x63\x82\x0f\xce\x5e\xd3\x42\x1e\x9b\x2e\xd0\xa1\x9c\x64\xe9\xb2\xbb\x80\x81\xea\x08\x25\x5f\xda\xd2\xf2\x35\xe7\xba\xc6\x8f\x94\x6b\x34\x27\xa4\x4a\x75\x8e\x78\xda\xdd\x8e\x42\xa9\x09\xa7\x78\x51\xbf\x66\xb0\x1e\x42\x7c\x2f\xed\x94\xff\xee\x1d\x65\xe2\x17\x53\xb3\x9b\xce\x8d\xaa\xc6\xd6\xf1\x16\x96\xe0\x03\xa5\xf3\xc2\x1b\xf9\xd1\xcb\xf4\xbd\xb8\xf3\xcf\x5a\xe5\x42\xfe\x7b\x25\x5f\xb5\xae\x7b\x18\x4f\xb5\x9d\xb7\x35\x50\xd2\x93\x25\x42\x77\xb4\xf9\x4a\x71\xc9\x3a\x90\x9b\xbb\xfa\xf3\xdf\x95\xc3\xe7\xc4\x17\x0f\xe8\xb9\x1f\x9e\xcb\x86\x73\xcb\x54\x92\x75\x0e\xdf\x45\xc7\x6a\x20\xd9\x4e\x21\xb0\xd3\x61\x4d\x3a\x99\xf7\xc9\xe3\x97\x8f\xaf\x09\xe0\x67\xf6\x49\x26\x20\x4c\xd0\x90\xa9\xf1\x15\xcb\xe7\xf7\x27\xf5\x80\x99\x76\xaa\xbd\x33\x7e\x8b\x2a\xee\x42\xa9\xbf\x68\xe2\xfc\xcd\x41\x52\xb3\xd9\x83\x11\x49\xd4\x0c\x75\x46\x9f\xd9\xb0\x3f\xe1\x86\x0d\xc1\x92\x0a\xc7\xd8\x69\xed\x88\xd4\x14\x8c\xb7\x46\xf5\xeb\x32\xa2\x76\x1e\xed\x44\x73\xc5\x43\x15\xd0\xd9\x10\x44\xb6\x2a\x14\x53\x7c\x82\x5c\x8c\xf5\x78\xfb\xd6\x8c\xf8\x74\x8d\x67\x72\x2e\x27\xb8\x1f\x9f\xbc\xc1\x32\x71\xc2\x33\x35\x05\x7c\xab\xce\xd8\x62\x12\x5f\x76\x4f\x53\x21\xf5\x96\x43\x51\x43\x92\xb7\x2e\x2d\xe3\x2b\x1a\x54\xe4\x09\x6e\xf7\x3d\x06\x92\xec\x6a\x36\x5c\x03\x5d\x0c\xbf\xdf\x77\xac\x65\x0e\x7d\xe4\xc3\xdc\xc5\xa2\xf6\x0c\x4e\x08\x53\x6e\x75\xcc\xd8\x1a\x41\x42\x5a\x1d\xe4\x4e\xa2\x75\xba\xaa\x2a\x7c\xd1\x6e\xf6\x4b\x41\xcc\x71\xf8\x56\x86\x12\x17\xbf\x24\x3e\x8f\x61\xc8\x99\xf5\x6f\x4c\x64\xe1\x16\xe0\xbb\x02\x09\x86\xec\xa1\xf2\xa0\xd8\xfe\x1a\xb5\x13\x0b\x63\x9a\x7d\xb4\x1b\x54\xfd\x26\x2a\xc8\x58\x45\x2a\x2c\x79\xd8\x2d\x99\xae\x59\x79\x57\x17\x01\xdb\xb3\x0f\xc7\xae\xdf\x23\x7d\xc7\x85\xbe\xa7\x57\x6e\xde\x6c\xfe\x60\xc5\x3d\x88\xdb\x5e\x7d\xb5\x9b\x32\x14\xc8\xe7\xf0\x81\xa6\x1d\x3b\x69\x9e\xeb\x80\x2e\x6e\xf4\xe2\x98\xb8\x7a\xb2\x2a\x20\xbb\x1f\x3e\x8e\x4f\x7f\xe5\x6c\x31\x8d\x4b\xfa\x3e\xb3\x12\xb9\xf3\xe7\x59\x57\xbf\x62\x64\x7e\x30\x9c\xa0\xa5\xf6\x69\xcd\xed\xb2\xc3\x09\xaa\x72\x45\xcc\x83\x20\x77\xf6\x41\xb2\xce\xce\x61\x4f\x09\x38\xec\x1d\x45\x66\x00\xfa\x30\x06\x4f\x24\x9e\x2f\x8e\xfb\xac\xbd\x9d\x2e\xb9\x0e\x99\xfc\x09\x38\xed\xca\x24\x92\x4e\xda\xed\x9f\xbc\x50\xb1\x29\x2e\x64\x75\xa5\xb4\xf3\x8b\xfd\x37\x94\x01\xee\xda\x87\xb2\xd1\x7d\xe0\x3c\xeb\x23\xd7\x88\xdb\x69\xb5\x48\xae\x24\x56\x98\x9b\x8a\x51\x89\xd3\x80\x02\x03\x89\x0e\xb9\xa0\x49\x1a\x20\xf4\x46\x03\xc8\x81\xff\xb0\x64\x7e\x7f\xf2\x91\x13\x9e\x80\xa5\xc4\x6a\xeb\x43\x22\xe5\x93\x56\xd9\xfb\x1e\x6d\xd3\xdf\xfe\xfd\x4d\xf3\xe3\x5e\xac\x72\xf2\x92\x17\x74\x77\x1b\x8e\x28\x8a\xdb\x81\x8c\x85\x60\x55\x4a\x7a\xe3\x64\x7a\xe4\x9b\xaa\x80\x77\x6b\x74\x7a\xbc\x82\xdc\xf9\xe4\x08\xe8\xfd\x14\x47\x2d\x3a\x5d\x7e\xe0\x14\xa7\xba\x43\x74\x30\x6a\x6e\xad\xe2\xdf\x58\x03\x89\xca\xd9\xf5\x48\xbc\x42\x76\x9b\x27\xc8\xc4\xae\xfd\xdb\xea\x9c\x3d\x89\xd9\x96\x05\x51\xcf\xcb\xfe\x37\xc2\x14\xcb\x5f\xb3\x1d\x98\x35\xf1\xf8\xa8\x85\x7e\x53\xb3\x6e\x91\xbf\xe3\xa2\xe3\x55\x9d\x38\x38\x05\x0a\xfd\x13\xbf\xc6\x92\x45\x87\xc8\xd2\x2c\x21\xc2\xdf\x3c\xb2\xa0\xe0\x6f\x01\xf2\x31\x03\xc4\xb6\x95\x5a\x98\x5a\x7b\x26\x34\x7a\x6a\x9d\x17\x8e\x83\x5e\x77\x53\x65\xd4\x1f\xe3\x44\x3a\xe7\x99\x70\xda\xc3\x82\xa3\x2a\x59\x7c\x3d\x56\x7d\x05\x11\xb5\xdc\xdb\x4e\xbd\x12\x71\xdb\x6e\x67\x5a\x4f\x34\x3f\x95\x01\xf1\x0a\xb4\x72\x37\x38\xbe\xbb\x63\x66\x24\x1c\xd6\x02\x67\x3f\xf9\xc7\x69\x12\xde\x61\x41\xc5\xcd\x4f\x2e\xf9\x5e\x7e\xfd\x66\xdd\x51\xb5\x65\xdd\x50\x03\x5f\x8f\x7e\x86\xb5\x76\xd5\x12\x94\x81\xae\x75\xf7\xa9\xb7\xcf\x03\x3a\x40\x25\x02\xd5\xd1\xb5\xaa\x41\x15\xba\x1b\x84\xf7\xf2\xcc\x28\x4e\x3f\x63\x6a\x23\x4f\x40\xe0\xaa\x11\x8c\x8f\x9d\x0c\xe6\xfb\x7e\xe6\x13\xcc\x2f\x1c\xc7\xec\xc2\xe2\x64\xb2\x57\x3a\xc3\xdc\x26\x4a\xaa\x27\x64\x3a\x48\x3a\x1c\xb3\x8e\x2b\x02\x37\x77\x5e\xca\xed\x62\x6f\x7c\xb8\x9b\xc5\x63\x49\x2f\xfe\x1e\x5a\xe6\x40\x1c\xd8\x2a\x9a\xd0\xfb\xc3\x2f\x7b\x5b\xd3\x02\x9b\xda\xb7\x2a\x8d\x47\xf3\x4b\x37\x01\x1e\x9f\xba\x52\x07\x5a\x56\xb8\x9f\x29\x63\xed\xca\x79\x69\x30\xa4\x99\x8c\x75\x5d\xa0\xd2\x51\xda\x98\x5a\x18\x29\xcd\x10\xce\x76\x65\xd2\xb3\x64\x77\x6b\xd6\xc7\x6e\xf9\x97\x8f\x80\x0b\x45\x3f\xa7\xc2\x70\x48\x38\xdd\xe0\x5f\x2f\x64\x89\xf3\x1e\x35\xf6\xd7\x31\xc2\x67\x8f\x32\x85\x07\x0f\x29\x7c\xb3\xbc\x03\xc0\xa0\x12\xb2\x2f\xca\x31\x29\x55\x76\xac\xc3\xe6\x79\xbb\xcb\xa5\xfc\xeb\x7e\xe7\x69\x27\x49\xfc\xc5\x84\x95\x61\x4e\xb4\xa7\xf3\xa1\xfa\x7f\x21\xa6\x55\x17\x2d\xa2\x8c\xa9\x16\x29\x2d\xc7\x48\x48\x34\xc3\x1a\x3e\x5f\x54\x91\x2f\x10\x27\x1d\x58\x67\xe5\x7b\xc4\x64\x66\xd7\x81\xbb\xb5\x02\xef\x32\xed\x8b\x2b\x44\x52\xa5\x8e\x21\x2e\x7d\xb8\xae\xe5\x73\xdc\x62\x52\x14\x2e\xc5\xbf\x26\x83\xde\xd9\xa5\x8b\x60\xcf\x78\x83\xef\x04\xbd\x50\x2e\x3d\xf2\xd6\x21\xbe\xc0\xe7\xfc\xaf\x67\x26\xe8\x4f\xb1\xc6\x95\x37\x22\xc7\xb8\x52\x3d\x4c\xb6\xe4\xb5\x5b\xc3\xd1\x96\xc7\x93\xc4\x48\x58\x81\x4b\x02\x9e\xb2\x3e\x8f\x80\xb6\x6a\xef\xdd\x8b\xe2\x15\x41\x22\x86\x08\x85\x2f\xc3\x54\xf7\x56\x05\xae\xef\xb8\x28\x97\x1d\xef\xa6\x8e\x28\xcd\xc6\x94\xb2\x4f\x2f\x46\x1c\x70\x7d\x27\xb9\x8d\xa4\x00\x0f\x9c\x82\x3e\xbb\x33\x84\xc5\x0d\x6e\x41\xe5\xdd\xaa\x60\x1b\x69\x6f\x41\xa9\xba\x4f\xee\xe0\x88\x52\x87\x4b\xf0\xe3\x1d\x20\x15\x28\x95\xe1\xda\x84\xa9\x4d\x52\x9a\x19\x4b\xe5\x3a\x88\x63\x04\xe7\xe3\x60\xa6\xa4\x0d\x2d\x40\x74\x90\x5b\xbf\xd0\x6e\x37\x13\x37\x5b\x31\xbc\xca\x23\xf4\xdb\x67\xda\x9b\xf6\x92\x0a\x5b\xb4\x48\x85\xdc\xc3\x08\x6c\xa7\x89\x5c\x10\x69\xdd\x35\xf1\x89\xe5\x7c\xe6\x0f\x8e\x0b\x0b\x5d\x33\x7b\xd6\x69\xd3\xde\xac\x1f\x01\x15\x57\x0a\x5f\xa6\x50\x5f\xac\x83\xc6\x21\xc4\x6f\x69\x3d\x84\xdc\x77\xe2\x14\x8e\x88\x7a\x82\x2d\x86\xc8\xc0\xff\x4c\x00\x48\x5c\x7f\x37\xa5\x19\x8c\x69\xc8\x81\xc1\x58\xb7\x44\xfd\x09\xcc\x76\xc0\x57\x4f\x4a\xca\xad\x64\x62\x04\x55\x27\x74\xe9\x8e\x17\xc3\x99\x8e\x34\xe7\x56\x28\xda\x26\x30\xa5\x31\xcf\xe9\x27\xd3\xc5\x5e\xf0\x2d\xf3\x37\x7e\xab\x25\x14\x35\x89\xa5\x0a\x07\xa3\x29\x06\xe7\x14\xea\x42\x58\x4b\x3d\x69\xd7\xdd\xda\x2f\xc0\xfa\x48\x6a\x0e\x93\xba\xf7\x8f\xf1\xb3\x5d\x98\xc0\x82\x38\x41\x23\x0a\x26\xb5\x21\x20\xa4\x45\x11\x5a\xdb\x78\xd8\xfd\x99\xb7\x1a\xb8\x6b\xd2\x7a\xae\xcd\x16\x59\xe8\x9f\x99\xef\xa5\x4f\x87\x64\xc2\xf4\xbc\x01\x97\x5a\xce\x6f\x35\xd2\x7c\x2d\x18\xc7\x13\xa9\x94\x71\x79\x21\x18\x19\xdc\x42\xf7\xcf\x3f\xe6\xb5\x46\x67\x4f\x14\x46\xf0\xc8\x1a\xa0\x82\x77\xec\x6b\x14\x0e\x14\xb6\xe4\x36\x07\x82\xbd\x17\xd0\x32\x55\x20\x8c\xac\x91\x7a\x5f\x8a\xc0\x3e\x6e\x8d\x13\xd0\xe6\x2d\x11\xbf\x55\xd0\x0b\x3f\x8f\x1e\x80\xb8\x55\x1b\xd7\xb6\x5b\x62\x84\xd1\x56\x6c\xdf\xdf\x43\x07\xa5\xee\x5c\xe8\xbd\xd6\xfd\x04\xa3\xed\xb4\x87\x1b\xa9\x7a\xa0\x1d\x67\x3a\xf3\x37\x69\x8f\x0a\xda\x53\xca\xb9\xbd\xf9\xf6\x31\xd0\xcc\xb7\x61\x7f\xf1\x3e\x0a\x3b\x37\x85\xed\x26\xdb\x72\x2e\x16\x32\x71\xb1\xf5\xe4\x69\x00\x05\x24\x94\x27\xbd\x44\x36\x2c\x66\x31\x15\x72\x86\xdb\xe4\xac\x19\x62\x0b\x55\xa6\x4f\xa6\x95\x8f\xe3\x2f\xf1\x3b\x1a\xdd\xfd\x7f\x56\xa1\x6f\x79\xda\xf4\xe9\x27\x87\x27\x57\x8d\x01\x54\x11\x8f\xe5\x91\xa0\xd8\x9a\xf0\x7d\x8b\xc3\x58\x2c\xf5\x1a\x01\x76\x6d\x9c\x9e\xe3\xf8\xf8\x0b\x58\xe8\x6f\xdf\xbb\x47\x70\xe6\xcf\x25\x54\xb0\xd9\xe0\x76\x99\x28\xc4\xa2\xf3\x83\xaa\xa5\x25\xdd\xf4\x73\x4f\x4c\xb1\x99\x96\xbe\x80\xb4\xc9\x1f\x91\xbb\xca\x60\x94\xab\x91\x0b\x66\x52\x41\xe2\x9b\x3d\x48\x78\x4f\x80\xd3\x2d\x21\x61\x34\x7d\x2b\xfd\x79\x1a\x66\xc6\xe8\x24\xf2\x30\x8b\x07\xf7\x67\x25\x0d\x11\x62\x6d\xbd\xcc\x96\x13\x68\x3e\x46\xcd\xc9\x90\x3a\xa0\x84\x88\x03\xb4\xa3\xdf\xb1\xfc\x9b\x35\x0d\x47\x16\x4e\xc5\x9d\xb3\x65\x1e\x1f\x5f\x9a\x5c\xc1\xad\x48\x46\x54\xac\x3a\x7f\x01\x3b\xad\xb6\xa0\xab\x87\xef\xfa\xff\xd5\x26\xa5\x3b\xea\xd6\x59\xa1\x5d\xc2\xfd\x63\x1d\xcd\x84\x3e\xc3\x41\x80\x4a\x56\x3d\x06\xff\x6c\x56\x31\xdd\xa5\x04\x4b\x9a\x99\xdc\x77\xbc\x4a\x4f\xe3\x26\x79\x8d\x67\x2d\x45\x07\x27\xe8\x1e\x49\x15\x33\xe6\xa2\x11\x21\xe3\xb8\xe5\xcd\xe3\x5f\xb8\x4e\x74\xfe\x50\x11\x89\x62\x35\xfe\x05\xf3\x35\xbf\x12\xe3\x17\x24\x01\x91\xe7\x42\xdf\x94\x38\x75\x29\x84\xfb\xc6\x97\xa5\x3b\x39\x50\xe2\x6b\x3d\xa9\x03\x1d\xc2\x34\xe8\x43\x32\x6d\x04\xfe\x09\x6b\x1c\x89\xce\x93\xbc\x6c\x5a\x60\xd7\xe6\xf0\xc5\xe8\x43\x8f\xd1\x0f\xa6\x6b\x3e\xef\x5d\xf7\x9a\x3d\xf5\x15\x24\x5e\x2f\x37\x0b\x91\x3b\x93\x33\x87\x59\x06\x01\x54\x60\x28\x3f\x87\x3b\x82\xb7\x91\xfb\x4d\xb7\x1a\xa4\xf5\x7d\x81\x82\xbd\x91\x46\x13\xba\x4d\x85\xf2\x49\x0b\xb9\xbf\xc6\x94\x0c\x5c\x49\x86\xc5\x44\x30\x8c\x3a\xc2\x2b\x79\x5f\xcb\x0b\x5a\x06\x2d\x3a\x15\xae\x30\xf6\xb7\xac\x27\x1b\xf9\xaa\xc4\xbd\xcd\x94\x9a\xae\xe1\xd7\xbd\xc8\x89\x5e\xea\x12\xda\xea\x16\x18\x5d\x86\x9d\x6c\xbd\x97\x1c\xcf\x16\xe4\xda\x5d\x70\x37\x64\x37\xa2\x0b\x6e\xa6\xc3\x5c\x50\x7e\xae\xe0\xa0\x22\x1c\x70\x52\x7d\x69\xc5\x7e\xb3\x55\x1c\x61\x73\x20\xed\x3f\x81\x7e\xe2\xa6\x99\x88\x12\x09\x64\xb3\x31\x13\x74\x06\xdd\xe2\x02\xc2\x43\xa9\x1a\x0d\x81\x0d\x16\x13\xac\x87\x09\xb2\x6a\x0e\xcc\xdd\xd7\xfc\x75\xa0\xd8\x18\x27\x6c\xb4\x95\x3b\xb8\x05\x76\x26\xf2\x3b\x72\x1d\x60\x73\xd7\x65\x86\x39\x7a\x8f\x05\xd0\x60\xd4\xe2\xdf\xcf\x14\xde\x48\xfa\xda\xae\x6e\xcb\xd5\xfb\xfe\x95\x8a\x2f\x93\x1c\x53\x1e\xa3\x25\x18\x2e\xd2\x98\x72\xa3\xdf\xec\x46\x90\x74\xbc\xda\xbb\x2a\x1a\x13\xfe\x24\x66\x7e\xfa\xaa\x26\xc5\x05\x19\xaa\x93\x35\xd3\x06\xfd\x23\x37\x99\x39\x74\x3a\x10\xac\x90\xd3\x17\x1b\x3b\xd0\x6a\x5b\x46\x3a\xd1\xb6\x12\xef\x3d\x54\xf5\x3f\xdd\xff\x55\xa8\xea\xef\x0b\x6f\x78\x77\x9d\x94\x8f\x7a\xa4\x59\x8a\x1d\xcf\x72\x6a\xaa\x45\xb9\x9d\xa0\xbc\xa1\x96\x81\x2f\x9c\x59\x98\x60\x84\x89\xe8\x0d\xde\xf1\x3a\x4b\x8e\xb0\x30\xc7\x17\x42\xc3\x04\x66\x5e\x15\xa9\xf5\x6a\x77\x67\x9e\x7c\x4d\x70\xaa\x84\xa5\x34\x66\xbc\x5f\x50\xd5\x5a\x67\x6e\xae\x3c\xdf\x86\x29\x36\xc8\xb2\xf3\x45\x1e\x21\x87\xb7\xae\x8a\xe1\x44\x6e\x09\x01\x42\xcb\x89\xe4\xee\x09\xe4\x0c\xd4\xa0\xfe\x82\x0e\xc2\x84\x50\xed\x7e\x7a\xe2\xe0\xe4\x7a\x3d\x40\x54\xa4\xac\xf5\x36\xe9\xa3\xef\xb8\xfb\xf5\xd0\xd6\xfb\xc6\x9a\x51\xba\xd4\xa6\x72\x3d\x62\xc8\x31\x1e\xc2\x24\xec\xc7\x10\x48\xbc\x16\xf9\x80\x5d\x91\x7a\x8a\x62\x94\xc0\x38\xb2\x84\x2d\x61\xde\x81\x0d\xb1\xb1\xa6\xf3\x77\x20\xd3\x01\x1f\x5e\x55\x80\x38\x50\xb6\xaa\x0c\x4b\xab\x3c\x81\x2c\xd7\xdb\xab\x18\xa7\x32\xac\x8e\x16\x7c\x49\xec\xc8\x35\x93\x88\xa9\x50\x80\xcb\x1d\x79\x6c\x32\x4f\x1a\x9c\x37\x95\x74\x9a\x36\x68\x23\x57\x60\x1b\x26\x0d\x85\xc7\x10\xdd\x0c\x67\x17\x3a\x8e\x4c\x1a\xa1\xe9\x5d\xdb\x86\x0e\x37\xc4\x4c\x99\x0e\xc5\xd1\x1c\x0e\x71\x90\x7c\x3e\x5e\x5f\xd2\x47\xfa\x32\x1d\xe9\x2d\xb5\x06\x84\x50\x6e\x82\x94\x47\xa8\xc8\x59\x09\xd2\x39\x7e\xc1\x1b\xbe\x06\x13\xa4\xd8\xaf\x44\xc2\x09\xbc\x45\x70\x29\x3e\x9c\xf7\xba\x6f\x47\x75\x4f\xd0\x50\x6e\xc3\x4a\xf2\xf9\xef\x20\x25\x0e\xdc\x01\xf9\x7b\x83\x74\xd8\x2c\x75\x09\xa2\x31\xb0\xd5\xc9\xb0\x85\xf9\x94\x8e\xfc\xe6\x8c\x57\x12\xf9\x6a\xfc\xf4\xf9\x2a\x1e\xb3\x49\x34\xb1\xd6\x64\x34\x41\x04\x33\x7c\x2b\x50\x28\xc8\xc7\xd6\xd7\xe6\x2e\x74\xcf\x28\x3d\x61\xda\xc1\xad\x87\x21\x50\x5c\x48\x84\xa8\x1c\xf6\x92\xaa\x33\xf8\x01\xcb\xc7\xee\xe1\xae\x61\xbd\x4c\x96\xa4\xb1\xad\xb8\x8f\x24\xb0\xa5\xe7\x81\x5c\x53\x7b\x25\xb8\xbc\x2e\xe2\x83\xe4\xe0\x5f\xa0\xf1\x57\xf1\x94\xf5\xb2\x2d\x6d\x02\x67\xfb\x0f\xd5\xab\x10\xbe\x22\x30\xcd\x21\xf8\x70\xe0\xe6\x51\xb5\x74\x7b\xb7\xf4\x59\x3e\xf5\x2c\x8a\x2e\x51\xd5\x09\x3e\xe1\x40\x5e\x49\xbb\xa6\xb3\x6c\xf9\x7f\x0b\x2f\x71\x50\xa1\x0a\xb7\x66\x94\x78\xa4\x83\x1f\x9c\x5e\xe6\x79\x0e\x91\xe9\x3b\x0e\x81\x4b\xc3\x14\xb0\x62\xc6\x8a\x3d\x36\xcf\x48\xda\x34\x9b\x02\x23\x80\x27\x22\xd7\x6b\x8b\xde\x97\x98\x2f\x78\xdd\xda\xb0\x64\x08\x4b\x3e\xea\x0a\x33\x5b\xd0\xdd\x84\x61\xb1\x05\x81\xd4\xa9\xaa\x69\x9d\x54\x2d\xba\x4c\xa8\x46\x4f\x62\xad\x3b\x9c\xd7\xe8\x20\x26\xa3\xfd\x15\xc2\xbd\xb3\xe3\x0a\x76\x43\xe8\x2f\x2c\x8e\x76\x44\x98\x86\x69\x89\xe2\xfe\x5a\x9e\x89\xc2\x37\x40\x4a\xad\x6b\x55\xc2\xbe\x45\x8e\x3f\x65\x47\xf7\x27\xf0\xb2\xc9\x05\x2d\xe4\x83\x9a\x6b\x5f\x03\xf5\xa7\x88\xe5\xa1\x4d\x84\x48\xee\x25\xb3\xdf\xf6\x90\x02\xd5\xfd\xa5\xca\xfe\x5b\xed\x82\x60\x28\x5b\x61\xce\x3c\x53\xc1\x62\x88\xef\x8a\xf1\x75\x9f\x63\x13\x60\xae\xe3\xbd\xc5\xeb\xfc\x22\x9b\x96\x7d\x19\x37\x99\x65\x53\x95\x24\x09\xf5\xf5\x86\x08\x20\xfd\xd2\xed\x84\x6d\xab\x93\x1b\x2d\x19\xfd\xda\x50\x69\x3a\x92\x6a\x41\xe5\x60\x60\xf2\xd6\xc1\x3c\x12\x5c\x0c\x4b\x08\xe4\x75\xa9\x92\xcc\xe4\xb5\x1e\x0f\x76\xeb\xc3\xc7\x36\x2f\xb1\xbb\x0b\x98\x05\x33\x2c\x16\x2e\x1e\x09\xd1\xff\x0e\xb7\x3b\x24\xe4\x0d\x61\x88\x13\x6b\xbc\x6e\xf8\xa3\x6f\x63\x2e\xa3\x2e\xa4\xc0\x61\x99\x18\x1d\xbb\x78\xf3\x99\xf4\x7d\xfb\x46\x33\xd0\xf0\x76\x8e\xe3\xd3\x3b\xef\xdc\xc3\xc0\xfa\x08\x9c\x21\x82\xd6\xa8\x5b\x27\x21\x35\xea\xe3\x43\x6b\xfa\x09\xb1\x8b\x10\x21\xf3\x70\x97\x99\x4a\xd7\x1a\xc9\x4c\x97\x44\x8e\x2b\x25\x2a\x75\x86\x16\xc1\x5f\x09\x66\x44\x7d\xe5\xd6\x48\x71\x05\xfa\x40\x80\x42\xc9\x0a\x9a\x89\xce\x90\xf0\x72\x8d\x7d\x76\x7c\x47\x2f\x60\xa1\x74\x0c\x77\xc0\xa6\x4a\xf3\xad\x4f\x94\x54\x4e\xbb\x3d\xe7\x94\x20\x1d\x17\xd6\x39\x97\x65\xe0\x55\xa5\xb9\x4d\x56\x9c\x66\x18\xe1\x14\x27\x5c\xfe\x79\xc2\x63\x63\x69\x42\x4e\x01\xca\x8b\x8e\x3a\x53\x0b\x92\x43\x16\xf4\x3d\xf7\xe4\x3c\xd0\x70\xd1\xb0\x9e\x8c\xc1\x84\xac\x7a\xe9\x79\x11\x9a\xae\x40\x15\x5a\x2a\x67\x32\x9e\x18\x72\x2c\x3d\xc7\x2d\xee\x00\x49\xeb\x4c\x29\xb3\x06\xdc\x81\xde\x1a\x19\x67\xcf\xe1\x7e\x97\xca\x47\x65\x62\xca\xd4\x3e\x84\xab\x3e\xc6\xe7\x6d\x35\x88\x29\xba\xad\x98\x22\x41\xd0\xdb\x74\x45\x45\x4f\x6a\x40\x54\x05\x05\x7b\x57\xfb\x93\xdf\xbd\xc8\xda\xe5\xb3\x0c\x64\xcd\x22\x0d\xc4\x8f\xdb\x56\x67\xa3\xc0\x65\xf4\xb3\x08\xbd\x07\x6f\x95\xc8\x10\xe9\x1d\x5b\x2b\x92\x11\x26\x12\x85\x20\x02\x8a\x70\x0e\x50\x6d\xa6\xc7\x61\x7f\x62\x42\x42\xa5\x9b\x87\x4d\x06\x04\x09\x11\xd5\x34\xa0\xe1\x5a\x51\x95\xfd\x8d\x9c\xb4\x65\x17\x62\x75\x11\x95\x40\x03\x48\x92\xcc\x6e\x6a\xaf\x17\x4b\x06\x43\x56\x25\xf9\xbd\xe8\xe6\x99\xe2\x8c\xbe\xed\x2b\x9a\xe0\xfc\x68\x4c\xbd\x8c\x77\xbf\x83\x80\x86\x45\x03\x95\xf2\x2c\xd0\x25\xc7\x04\x60\x39\x4c\xc2\x19\x78\x9f\xc7\x56\x83\x79\xdf\x98\x56\x58\x3f\x79\x6c\x8a\x29\x44\xb8\x57\x07\x7b\xd2\x9f\x54\x78\xe8\xb3\xbd\xf9\x16\xe6\xd6\x79\x63\xf8\xc0\x39\xba\x46\x9b\x60\xd0\xa2\x4e\xdb\x6f\x9e\x00\x40\x2b\x6f\x28\x6d\x88\xa4\xfc\x10\xbf\x76\x4d\x8c\x37\x25\x27\x10\xcb\x47\xb5\x69\x37\x08", 4096); *(uint64_t*)0x200000004690 = 0x200000004580; memcpy((void*)0x200000004580, "\x82\x07\x18\x73\x3b\x49\xda\xf8\xed\x80\xb0\xed\x25\x77\x2d\x57\xd7\x74\x35\xef\x1d\xa1\xca\x4f\x19\x30\xad\x4e\x71\x3b\x84\xd4\xc1\xa2\x4c\x71\x2f\x02\xe0\xb8\x6d\x18\x42\xc1\x64\x41\x5a\xa9\xe4\x90\xe6\xc8\x23\x0a\x89\xe3\x09\xfa\xf0\x7d\x23\x9d\xd7\xcd\x35\xda\x5c\xb5\xf3\x69\x19\xdb\x06\xdf\x51\xa5\xa9\xc5\xfc\x80\x49\x89\x7d\x04\xbb\x73\x17\x25\xff\x5f\x5d\x98\x47\x6e\x15\xb1\xdb\xab\x8c\xdc\x40\x5c\x2c\x17\x36\x58\x05\xe2\x7a\x61\xa5\xf0\x61\xe7\xea\xd1\x00\x27\x2f\xe2\xd9\xbd\x8c\xae\x4a\x26\x1b\x45\x19\x19\xeb\xb9\x27\x20\x4c\x1f\x63\xa8\x90\x81\x47\xb9\x98\x35\xba\x99\x43\x78\xa3\x2f\x9f\x11\x03\x57\x4a\x08\x93\x4f\xbc\x79\xd3\x1a\xaf\x13", 164); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000004640ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004644; r[13] = *(uint32_t*)0x200000004648; } res = syscall(__NR_geteuid); if (res != -1) r[14] = res; res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000046c0ul); if (res != -1) r[15] = *(uint32_t*)0x2000000046dc; *(uint32_t*)0x200000004740 = 0x600b; *(uint32_t*)0x200000004744 = 0xf; *(uint32_t*)0x200000004748 = r[3]; *(uint32_t*)0x200000004750 = 0xee00; *(uint64_t*)0x200000004758 = 6; *(uint64_t*)0x200000004760 = 3; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000004740ul); if (res != -1) { r[16] = *(uint32_t*)0x200000004748; r[17] = *(uint32_t*)0x200000004750; } *(uint32_t*)0x2000000048c0 = 1; *(uint32_t*)0x2000000048c4 = 0; *(uint32_t*)0x2000000048c8 = 0xee01; *(uint32_t*)0x2000000048cc = 3; *(uint32_t*)0x2000000048d0 = 6; *(uint32_t*)0x2000000048d4 = 0x10; *(uint16_t*)0x2000000048d8 = 1; *(uint32_t*)0x2000000048dc = 0xfffffffb; *(uint64_t*)0x2000000048e0 = 0xffffffffffffffa8; *(uint64_t*)0x2000000048e8 = 0x800100000; *(uint64_t*)0x2000000048f0 = 0; *(uint32_t*)0x2000000048f8 = 6; *(uint32_t*)0x2000000048fc = r[5]; *(uint16_t*)0x200000004900 = 0x40; *(uint16_t*)0x200000004902 = 0; *(uint64_t*)0x200000004908 = 0x200000004780; memcpy((void*)0x200000004780, "\x1f\x8a\xa3\x8b\x61\x93\x8f\xb7\x29\x9a\x96\xae\xe6\x1f\x6c\xfc\x70\x19\x0f\x9d\xf3\x01\xd4\x0c\xcf\x55\x77\x95\xfc\x00\xd7\x75\x9e\xfa\x4a\xd1\x66\x1c\xbb\x0d\x54\xc3\x10\xaa\xbc\xc2\x92\x85\xc2\xce\x84\xfc\xbe\x97\x40\x7d\x84\x9e\xde\xc2\xf5\x98\xb2\x05\xfa\x5e\xa2\x46\x0d\x0f\x61\x5a\xd8\x7e\x7e\x26\x05\xe8\x10\x1f\x58\xad\xb6\x2e\x17\x8c\x78\xc4\x54\x58\x0a\x55\xd6\x3f\x5e\x1d\x11\xf9\x32\x25\x0d\x1f\xef\xd4\x51\x95\x45\x15\x88\xbf\x53\x0d\x73\xd8\x30\x76\xa9\x3a\x28\x9b\x61\x3b\xc6\x8b\x49\x90\x54\x23\xd7\xd5\xac\xe8\x01\x62\x92\xe8\x03\x77\xfe\xd1\xb5\x88\x77\xd9\xc4\xd0\x4e\xa0\x5b\xa8", 150); *(uint64_t*)0x200000004910 = 0x200000004840; memcpy((void*)0x200000004840, "\xb7\x37\x6d\x34\xb8\xa4\xcc\x32\x66\x7d\x88\x59\x91\xbb\xbc\x68\x28\xd0\x8b\xd6\x69\xe6\xaf\x09\xfe\x1e\x55\xbb\x32\xd8\x85\xd2\x17\xaf\xb9\x56\x45\x97\x63\x90\xdd\x73\x08\xc5\x04\xc5\xd3\x99\x53\xa7\x83\xb0\x65\xbd\x4f\x0a\x72\xbf\xaa\x17\x6a\x0d\x2a\xce\xe5\xc8\xe4\x1f\xf9\xb6\x92\xa4\x1d\x01\x0c\x7b\x34\x59\xf8\x4c\x72\x1c\xdc\x4c\x7d\xad\x40\xcd\xb1\x71\xae\x49\xa5\x56\xc9\x8b\x5e\xda\x14\xdb\x8d\x4c\xdc\xc0\xb4\x7f\xa7\x5b\xc9\xfa\xa1\x71\xe6\x8b\x70\x0c\x49\x60\x22\x25\x16\xf6\xd5", 123); res = syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0xb, /*buf=*/0x2000000048c0ul); if (res != -1) { r[18] = *(uint32_t*)0x2000000048c8; r[19] = *(uint32_t*)0x2000000048fc; } *(uint32_t*)0x200000004a80 = 8; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0xee00; *(uint32_t*)0x200000004a8c = 0x5c6; *(uint32_t*)0x200000004a90 = 0x1000; *(uint32_t*)0x200000004a94 = 2; *(uint16_t*)0x200000004a98 = 0; *(uint32_t*)0x200000004a9c = 0x326; *(uint64_t*)0x200000004aa0 = 3; *(uint64_t*)0x200000004aa8 = 3; *(uint64_t*)0x200000004ab0 = 7; *(uint32_t*)0x200000004ab8 = 1; *(uint32_t*)0x200000004abc = r[5]; *(uint16_t*)0x200000004ac0 = 0x300; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000004940; memcpy((void*)0x200000004940, "\x8d\x80\x00\x08\x98\xd8\x1f\x2a\x2a\x53\x7f\xc2\x1c\x52\x02\x3b\xc6\xee\x66\x95\x4a\x12\xa9\x3f\x24\x18\xcd\x8b\x0b\x69\x06\x7e\x3f\xfb\xce\x8f\x5d\x74\x31\xe0\x01\xed\x25\x5f\xb5\xed\x78\x43\x74\xaa\xd3\x0a\x67\x50\x0f\x8f\x6c\x04\x2b\xf9\xe6\x67\x06\x60\xd4\x25\xf7\x61\x1c\x7e\xcd\xfc\x45\x0c\x05\xef\x9c\x0a\x65\xc6\x2d\xc2\x21\x5f\xec\x7c\x02\xb7\x12\xde\x12\xf5\x05\x3e\x2c\x3f\x60\xd7\x80\xfa\xfc\x4d\x1a\xc2\x21\xca\x09\x07\x54\x29\x32\x88\x9c", 113); *(uint64_t*)0x200000004ad0 = 0x2000000049c0; memcpy((void*)0x2000000049c0, "\x9c\xcf\xda\x86\x9d\xeb\x66\x1f\x5f\xc9\xba\x8f\x62\xd2\x9a\x4e\xa3\xbe\x92\x86\xf7\x7e\xf1\x11\x78\xf9\x6e\x25\xe8\xbd\x88\x8e\xcc\x08\xd4\x52\xe9\x47\x31\xdc\x6e\x97\xd3\x9a\xb9\x81\x4e\xec\x35\x7a\xcb\xb7\xad\x42\x32\x89\x93\x15\xb7\x4d\xf9\xb4\xdf\x71\x30\x2a\x48\x2e\x3c\x52\xfc\x98\x81\x62\xd5\x71\x39\xe6\x91\x02\x87\x53\xaa\x86\xb2\x0c\xbc\x06\x0c\xea\xf9\xde\x31\xcf\xbd\xfa\xdb\x28\x02\x23\x28\x70\x09\x02\x86\xf9\x0b\x42\x6c\x18\x86\x6f\xb6\x2b\xb4\x66\x2a\xc9\xcf\x93\x8b\x12\xc2\xb3\x80\xa1\x32\x4d\x83\x13\x57\x5e\xad\xbc\xec\x1a\x33\x83\x27\x33\xdc\x87\xa6\xf8\xef\x25\x23\x0f\xc8\x15\xe2\xb6\x75\x6e\x60\x14\x4a\x41\x19\x57\x69\xee\x48\xe2\x1d\x49\x7f\x0e\xb1\x9a\xa1\x24\x19\xeb\x80\x45\xac\x2c\xad\xa3\x87", 181); res = syscall(__NR_shmctl, /*shmid=*/0xfff, /*cmd=*/0ul, /*buf=*/0x200000004a80ul); if (res != -1) r[20] = *(uint32_t*)0x200000004a84; memcpy((void*)0x200000004b00, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000004b00ul, /*statbuf=*/0x200000004b40ul); if (res != -1) r[21] = *(uint32_t*)0x200000004b5c; res = syscall(__NR_getuid); if (res != -1) r[22] = res; res = syscall(__NR_getuid); if (res != -1) r[23] = res; memcpy((void*)0x200000004bc0, "./file0\000", 8); *(uint64_t*)0x200000004c00 = 2; *(uint64_t*)0x200000004c08 = 3; *(uint64_t*)0x200000004c10 = 5; *(uint32_t*)0x200000004c18 = 6; *(uint32_t*)0x200000004c1c = 0xee01; *(uint32_t*)0x200000004c20 = 0xee01; *(uint32_t*)0x200000004c24 = 0; *(uint64_t*)0x200000004c28 = 0; *(uint64_t*)0x200000004c30 = 1; *(uint64_t*)0x200000004c38 = 0x5f2b; *(uint64_t*)0x200000004c40 = 0xffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint64_t*)0x200000004c58 = 0x80000001; *(uint64_t*)0x200000004c60 = 5; *(uint64_t*)0x200000004c68 = 0xcc8; *(uint64_t*)0x200000004c70 = 6; memset((void*)0x200000004c78, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000004bc0ul, /*statbuf=*/0x200000004c00ul); if (res != -1) r[24] = *(uint32_t*)0x200000004c20; *(uint32_t*)0x200000004dc0 = 2; *(uint32_t*)0x200000004dc4 = 0xee00; *(uint32_t*)0x200000004dc8 = 0xee00; *(uint32_t*)0x200000004dcc = 0x401; *(uint32_t*)0x200000004dd0 = 9; *(uint32_t*)0x200000004dd4 = 6; *(uint16_t*)0x200000004dd8 = 8; *(uint32_t*)0x200000004ddc = 0; *(uint64_t*)0x200000004de0 = 8; *(uint64_t*)0x200000004de8 = 0x101; *(uint64_t*)0x200000004df0 = 4; *(uint32_t*)0x200000004df8 = 0xffffff46; *(uint32_t*)0x200000004dfc = 8; *(uint16_t*)0x200000004e00 = 2; *(uint16_t*)0x200000004e02 = 0; *(uint64_t*)0x200000004e08 = 0x200000004cc0; memcpy((void*)0x200000004cc0, "\x00\xb8\xfc\xb8\xc5\x1e\x1a\xf1\x5f\x5b\x1d\x2c\x15\x82\x1b\xb8\xf4\xe8\x46\xf2\x0d\x66\x2d\xad\x19\xa0\xe5\x94\x29\x99\x48\x59\xbb\x1d\x0b\x6c\x63\xef\x69\x44\x16\xac\xb4\x94\x49\x4c\x66\x18\xf9\x85\x73\xd3\x70\xcc\x43\x50\x65\xec\x4d\xa9\xef\xd3\xf6\x76\x26\xf4\x4c\x18\xb9\x6b", 70); *(uint64_t*)0x200000004e10 = 0x200000004d40; memcpy((void*)0x200000004d40, "\x23\xc6\x65\x18\x78\xdd\xaa\x08\x5a\xe0\xbd\xfb\x7c\xcb\xb0\x8b\x71\xaf\x34\xf9\xf1\x56\x5e\x8a\xc7\x7c\x52\x93\xba\xdd\xfe\x69\xea\x20\xac\xed\x26\xde\x58\x66\x4b\x32\xeb\xf6\xf7\x34\xd3\xf7\xf6\x92\x06\x5f\xe4\xf9\x9e\xa2\x83\x36\x2b\x12\xf9\x6c\xb9\x72\x63\x2e\x80\x27\x3d\x01\x46\x87", 72); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xbul, /*buf=*/0x200000004dc0ul); if (res != -1) r[25] = *(uint32_t*)0x200000004dc4; *(uint32_t*)0x200000004ec0 = 0; *(uint32_t*)0x200000004ec4 = 0xee00; *(uint32_t*)0x200000004ec8 = 0; *(uint32_t*)0x200000004ecc = 0x19; *(uint32_t*)0x200000004ed0 = 6; *(uint32_t*)0x200000004ed4 = 7; *(uint16_t*)0x200000004ed8 = 0x53; *(uint64_t*)0x200000004ee0 = 0x200000004e40; *(uint8_t*)0x200000004e40 = 3; *(uint64_t*)0x200000004ee8 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 5; *(uint64_t*)0x200000004ef0 = 0x45; *(uint64_t*)0x200000004ef8 = 0x38; *(uint64_t*)0x200000004f00 = 0; *(uint64_t*)0x200000004f08 = 0xffffffff80000000; *(uint64_t*)0x200000004f10 = 4; *(uint16_t*)0x200000004f18 = 0x42; *(uint16_t*)0x200000004f1a = 7; *(uint16_t*)0x200000004f1c = 0x2825; *(uint32_t*)0x200000004f20 = 0xa21; *(uint32_t*)0x200000004f24 = 1; res = syscall(__NR_msgctl, /*msqid=*/1, /*cmd=*/1ul, /*buf=*/0x200000004ec0ul); if (res != -1) r[26] = *(uint32_t*)0x200000004ec8; *(uint32_t*)0x200000005680 = 0; *(uint32_t*)0x200000005684 = -1; *(uint32_t*)0x200000005688 = -1; *(uint32_t*)0x20000000568c = 8; *(uint32_t*)0x200000005690 = 6; *(uint32_t*)0x200000005694 = 0xa87; *(uint16_t*)0x200000005698 = 6; *(uint32_t*)0x20000000569c = 5; *(uint64_t*)0x2000000056a0 = 7; *(uint64_t*)0x2000000056a8 = 6; *(uint64_t*)0x2000000056b0 = 1; *(uint32_t*)0x2000000056b8 = r[6]; *(uint32_t*)0x2000000056bc = 5; *(uint16_t*)0x2000000056c0 = 4; *(uint16_t*)0x2000000056c2 = 0; *(uint64_t*)0x2000000056c8 = 0x200000005480; memcpy((void*)0x200000005480, "\xfe\xed\xc6\xae\xab\x06\xac\x00\xe0\x0a\x47\x26\xdf\xfa\x89\x36\x98\x62\x1b\xfa\x7d\x41\xa1\xac\xc3\xb8\x24\x88\xd2\x7e\x0a\xd4\x99\xd0\xf4\x71\x76\x04\x49\x63\x03\xa3\xc3\x2e\xee\xb4\x4d\xf0\x79\x18\x2f\x9c\x1f\x77\xba\x86\xb5\xd7\x5d\x3c\xfc\x32\xf4\x50\x62\xe9\x3e\x18\x4c\xec\x89\x02\x44\xb1\x95\xf2\xcd\x11\xbb\x0a\x90\xf2\xa2\xd8\xf6\x7c\xc5\xc0\xbe\x21\xff\x7a\x4f\x4d\x4a\x43\xb7\xfb\x2b\xa7\x33\x04\x0d\x26\xfa\xe0\xfb\x33\x2c\xcc\x40\x57\x09\xc4\xb6\x02\x93\x6c\x96\x94\x2a\x8e\xb5\xae\x32\x7c\x87\xdb\x6f\x2f\x6f\x61\x0f\x80\x3c\xc6\xd8\xd2\x09\x9e\xc2\xa8\x74\x19\xcd\x0c\x20\x6b\x74\xac\x24\x97\xac\x1f\x8b\x63\x7c\xff\xd4\x42\x7d\xae\x82\xe7\x7b\xea\xf3\x7c\xe6\xf5\xd2\xbd\xde\xb3\x19\x44\xc3\x6a\x67\xec\x43\x46\x59\x2b\x8b\x0a\x7f\x4f\x28\xc9\x52\xc8\xf6\xbc\xbe\x0a\x5e\xc3\x5a\xae\x35\x4c\x1f\x9e\x66\xbf\xab\x1f\xa0\xf8\xfb\xe0\x2e\x56\xaf\x6e\xcc\xe5\x25\x61\x78\x00\xb4\x2e\x8c\xb5\x83\x1e\x20\xae\x90\xe7\x3b\xdd\x29\xda\x4c\x8b\x8d\x1d\x00\xad\x8e\x8e\x8d\x8f", 246); *(uint64_t*)0x2000000056d0 = 0x200000005580; memcpy((void*)0x200000005580, "\x48\xfe\x27\xd9\x96\x54\x0a\xf3\x9e\xe6\x3e\xd5\xb8\xcf\xd8\x52\x3c\x9e\xee\xa2\xa9\xf6\x19\x60\x14\x21\xc6\x14\x0e\x3a\x98\x4a\xbc\x8a\x5f\x42\x1a\xc2\x62\x1a\xd0\x9d\xcf\xe4\xb7\x03\x89\x83\xe0\xe8\x82\x40\xcf\x3d\xd6\x11\x96\x97\x6f\x83\x6b\x58\xbc\x78\xe8\xd0\x80\x44\x6c\x8c\x46\xfa\x4d\x9a\x6b\x52\x29\x42\xef\x8d\x58\xf8\x9f\x40\x10\xf6\xb6\x2b\x5a\xff\x90\x27\x53\xb6\x2f\xb2\x9f\xb8\xa8\xa3\xa4\x75\xf3\xe0\xe4\x45\xbc\x8a\x4f\xe0\x18\xfb\x6a\x5e\x3c\x2d\x53\x4a\xab\xd3\xb0\x91\x5d\x7b\x06\x57\x81\xca\x8c\xdb\x3e\xb7\x34\x01\x63\x90\x63\x8c\xde\x96\x40\x37\x5b\x4d\xfc\x90\xc2\x11\x60\x3b\x5e\xa2\xbd\x44\x29\x57\x50\x41\x50\x67\xbc\x3f\x14\x7a\x66\xd7\x7d\xcf\xbf\x65\x84\x80\x36\x9e\x1d\x1f\x19\x3d\xad\x08\xc0\x0f\x36\xc9\x9a\xf5\xc1\xb5\x2f\xf0\xa1\xf2\xe8\x93\x84\x1f\x1a\x2d\xe0\x97\xfb\x0e\x00\x1a\xbd\xb9\x56\xf6\x82\xde\x1e\xcf\xc1\x80\x1e\xc9\x43\x6f\x86\x4d\x3a\xbe\x6e\x7f\x9e\x33\x2a\x32\xe9\xe5\x44\x5d\x85\xed\x61\x3b\xa1\xd5\x9a\x8a\xe4\x83\xad\x90", 244); res = syscall(__NR_shmctl, /*shmid=*/0x80, /*cmd=*/0xful, /*buf=*/0x200000005680ul); if (res != -1) r[27] = *(uint32_t*)0x200000005684; *(uint32_t*)0x200000005980 = 0; *(uint32_t*)0x200000005984 = 0xee01; *(uint32_t*)0x200000005988 = 0xee01; *(uint32_t*)0x20000000598c = 0x80000001; *(uint32_t*)0x200000005990 = 0xa; *(uint32_t*)0x200000005994 = 9; *(uint16_t*)0x200000005998 = 0x50f4; *(uint32_t*)0x20000000599c = 8; *(uint64_t*)0x2000000059a0 = 8; *(uint64_t*)0x2000000059a8 = 4; *(uint64_t*)0x2000000059b0 = 7; *(uint32_t*)0x2000000059b8 = r[6]; *(uint32_t*)0x2000000059bc = 8; *(uint16_t*)0x2000000059c0 = 3; *(uint16_t*)0x2000000059c2 = 0; *(uint64_t*)0x2000000059c8 = 0x200000005800; memcpy((void*)0x200000005800, "\xdb\x41\x18\xb7\xfc\x55\x0b\x52\xee\xc4\xc5\x9c\xf4\xb9\x3c\x16\x9c\xd2\xe4\xc6\xb1\xeb\x5a\x84\xe9\x5b\xb2\x10\x93\x86\x54\x4d\x81\x85\x38\x8c\x50\x4c\x49\x5c\x8e\xf8\xb3\xd1\x96\xce\x76\x84\x46\x52\xa8\xd2\xed\xdb\x5e\xff\x11\x69\xa5\x58\xd6\xe7\xc5\x6d\x46\xaa\x70\xe6\x29\x8f\xbf\xaf\x95\xfa\x39\xd5\x39\x85\x94\x4c\x38\x2b\x26\xcb\x4e\xe5\x1e\x02\x1b\xeb\xc6\xe6\xe8\x03\x88", 95); *(uint64_t*)0x2000000059d0 = 0x200000005880; memcpy((void*)0x200000005880, "\x11\xd0\x1f\xea\xa2\x06\x48\x96\x7b\x16\xd3\xe6\xcb\x0d\x49\x89\xe6\x1f\xca\x36\x74\x07\x92\xd8\x80\x8f\x57\x2b\xe0\xb7\x0d\xd4\xfa\xaa\x5e\xce\x73\x85\x99\x83\x67\xd7\xda\xf2\x35\x0e\x52\xa7\x4d\xde\x02\x7c\x39\x77\x11\xa1\x8f\xaa\x7b\x87\x7c\x14\xe9\x2f\x48\x63\x6c\x7b\x02\x1b\x50\x82\x8c\x93\x6f\x30\xbd\xec\x29\xc6\x74\x13\x9d\x1d\x64\x36\x9d\x02\xd6\xdf\x35\xbd\x75\xc5\x4a\x72\x9a\x1c\x28\xf9\x4a\x00\x49\x7c\x29\x12\xe4\xf7\x3e\x55\x74\x6d\xc4\x37\xcf\xb6\x4d\x82\x6f\xb5\xdc\x13\x28\x6f\x2d\x3d\xc8\xa3\x54\xee\x95\x76\xb8\xb3\x7c\x40\x78\x14\xe5\x52\x41\xfd\x87\x16\x08\xc5\x99\xdd\xb5\xf9\x80\xe7\xc0\x1c\x23\xb0\x2b\x73\x8c\xe3\x4d\xc1\xf4\xd5\x57\x7f\x02\xc5\x53\x7e\xec\x8d\x5c\x15\xf8\xc9\x3a\x7d\x45\x0b\x47\x01\xde\x03\x80\x22\x41\xa3\x4c\x3a\x07\xa3\x78\x11\x9c\xfb\xb3\x4e\xeb\xe8\x75\x3a\x48\x51\xca\xe1\xa1\x4a\x12\x47\x49\xed\x8c\xaa\xec\x19\xd2\x22\x0b\x21\xd7\x1e\xdd\x40\x85\x67\x22\x38\xc4\x58\x2d\xbe\x77\xee\x25\x8f\x75\x04\xe5\x86\x84\x58\x78\xa7", 244); res = syscall(__NR_shmctl, /*shmid=*/0x7ff, /*cmd=*/0xful, /*buf=*/0x200000005980ul); if (res != -1) r[28] = *(uint32_t*)0x200000005984; *(uint32_t*)0x200000005a80 = 0x1d; *(uint32_t*)0x200000005a84 = 0xee00; *(uint32_t*)0x200000005a88 = 0xee01; *(uint32_t*)0x200000005a8c = 9; *(uint32_t*)0x200000005a90 = 7; *(uint32_t*)0x200000005a94 = 0x100; *(uint16_t*)0x200000005a98 = 0x1000; *(uint32_t*)0x200000005a9c = 4; *(uint64_t*)0x200000005aa0 = 0x400; *(uint64_t*)0x200000005aa8 = 3; *(uint64_t*)0x200000005ab0 = 9; *(uint32_t*)0x200000005ab8 = 9; *(uint32_t*)0x200000005abc = 0; *(uint16_t*)0x200000005ac0 = 0x4c17; *(uint16_t*)0x200000005ac2 = 0; *(uint64_t*)0x200000005ac8 = 0x200000005a00; *(uint64_t*)0x200000005ad0 = 0x200000005a40; memcpy((void*)0x200000005a40, "\x20\xfc\xa2\xd9\xa8\x4b\x14\x9b\x22\xcc\x11\x86\x29\xf2\x44\xc8\xf9\x90\x9c\xbe\x31\x7a\xd4\x69\x3e\x5c\x7d\xda\xcf\x6f\xf0\x8f\xf9\x64\x41\xb2\x9c\x38\xfb\x9a\x61\x61\xaa\xc4\x2a\x96\xf4\xe5\xb9\xa9\xed\x64\x8c\xa3\xd6\x00\xf7\x63\x14\x86", 60); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x200000005a80ul); if (res != -1) r[29] = *(uint32_t*)0x200000005a88; memcpy((void*)0x200000000c40, "\x55\x5b\x07\x8c\xdc\xaf\xe3\xdf\x82\xab\x07\x45\x00\xb8\x54\xe0\x53\xe9\xbe\x2b\xde\xa6\x7c\x3f\xdc\x61\x39\x5f\x5b\xcf\x26\x9a\x1a\x3d\xb8\xdd\x7f\x3d\xb0\xcb\xe3\xe9\xee\x7f\x3f\xd7\x73\xe5\x7f\xb4\xf6\xab\xa5\x3b\x02\x82\xae\x6a\xb4\xf9\xb9\xd6\x9d\x36\x2e\xbd\x6f\x99\x17\xff\xa5\x85\xa5\xe2\xb1\xdd\x85\xaf\xdc\x2e\x0b\x9f\xd0\x7d\x2b\xb6\x93\xd6\x87\x17\x43\xb7\x3e\xdd\xf8\xe6\xcc\x6e\x58\xe5\x02\xfb\x0d\x8d\x80\xfb\x48\xbe\x00\xbe\x3a\xcf\xe3\x5f\xd1\xfe\x21\xf9\x7c\x59\x8e\xca\x5e\x05\x46\xf3\xf6\xee\xc8\xf7\xe4\x03\xe8\xa8\x0b\x58\xfb\x34\x34\x2e\x2f\xcf\x0e\xef\x3b\xa1\x64\x4b\x26\x2d\x0a\x87\x7d\xeb\xa6\x46\x22\xae\xee\x38\xf1\xef\x52\x8c\xd8\x36\x08\x5f\xb4\xf8\x43\x7c\xa3\x6c\x3c\xc2\x11\x98\x0a\x65\x23\xfc\x6b\xd0\x7c\x49\x74\x7f\x5f\x9d\x6d\x79\xca\x43\x5f\x84\xf5\x9a\xf8\xbc\x5d\x7a\x76\xad\x9a\x4d\x29\xe4\xc5\xea\xf2\x0c\xf5\xe3\x73\xc2\x67\x7a\x04\x8b\x4a\x06\x4b\x25\xc8\x0e\x3c\x22\x5a\xef\xc7\x98\x61\xe3\x9f\x88\x98\xdc\x74\x9e\xd0\x43\x2a\x34\x74\x29\x9b\x35\x0f\xfb\x0c\x53\xcf\x96\xca\x64\xa1\x27\x30\x8b\x7a\x77\xf8\x0e\xc1\xad\x1c\xa7\x4f\xc5\x8f\x71\x80\x3c\x78\x7f\xc8\x98\x20\xce\x64\x7e\x6e\xed\xc3\x84\x51\xb7\x0b\x15\x30\xcc\x70\x60\xd1\xb0\x72\x7b\x74\x68\x5e\x6a\xdb\x33\x10\xcf\xa9\xed\x51\x65\xe3\xd3\xe7\x4a\x38\xa7\xb5\xf2\x50\x24\x61\xb9\x3d\x63\x36\x93\xf3\xc9\x25\x9d\x2f\xa0\xad\x38\x9f\x24\x96\xc5\xc2\xe3\xdf\x9f\x85\xc1\xa8\xa8\x58\xdb\x4b\x7c\x58\x15\xfc\xbb\x65\x68\x21\xe1\x84\x4e\x7d\x6e\x0f\x3c\xfb\x64\x52\x8f\x96\x62\x97\x9a\xc9\xa8\xec\x10\xee\xf0\x60\x3b\x3d\x1d\x78\xd5\xd2\xa4\x85\x48\x6a\xa8\xcc\x31\x0e\x49\x0b\x94\x71\xae\x12\x71\x94\x15\x1b\x73\x2e\xd1\x9d\x49\x4e\xa6\x3d\x28\x36\x51\x94\x09\xa2\x13\x42\x5f\xe1\x00\x5e\x46\x69\x5f\x4b\x24\xbe\x7b\x25\x82\x96\x53\xe4\x1c\x17\x4b\x1b\xc6\x9f\x10\x8a\x07\x67\x69\xc6\x52\x40\x5d\x43\x6a\x7c\x69\x8a\xc8\xe5\x4a\x85\x0c\x0e\xd0\x24\x9a\x82\x50\xe5\x54\x88\x69\x61\x6b\x9a\x72\xf2\x6c\xb9\x70\x96\xcc\x66\xcb\xbf\x03\x17\xa1\x7f\x96\xee\x0b\xae\x08\x02\x4d\x5b\x80\xdf\xf8\xbe\x40\xc8\x22\xd8\x50\xf7\x49\xe7\xbf\x54\x33\xd2\x52\x20\x2b\x03\x58\x3d\x8b\x87\xb5\xb7\x07\x90\x5e\x3c\x84\x61\x24\x1f\xea\x66\xc5\x99\x5a\x3d\xe3\x0e\xf8\xe3\x3b\xf0\xc7\x92\xf2\x3a\x26\x43\xbe\x67\xd8\xe0\x77\xb1\x6a\x84\xe5\x2d\x80\xc3\xc3\xe8\xc3\xba\x8e\x58\xd0\x68\x3d\x00\x41\x2b\x9f\x98\x73\x25\x24\x11\x3d\x24\xc8\x9e\xbb\x02\x0b\xa6\x31\xc1\x61\x8c\x7c\x1d\xed\xf1\x8e\xe5\x9c\x67\x7e\x58\x52\x99\xfc\x6b\xc0\x60\xd5\xc3\xf5\x7f\x9d\x52\x9f\x93\xc3\x7e\x08\x6d\xb0\xed\x59\x93\xa0\x5d\xab\xff\xba\xe7\x43\x0f\x9e\x20\x60\xb0\xb6\xce\x6b\x0b\x21\xfe\x6d\xcc\x4f\x40\x16\xd8\x7a\x74\xd0\xfa\xdd\x6f\x9f\x12\xb1\x02\xf7\x8a\xc9\x4f\x2b\x84\x6c\x2a\x7b\x9b\xc2\x43\xc5\x6b\x0f\xe4\x41\x2f\x03\xaf\x33\x72\xd3\x56\x43\x2c\xff\x83\xc2\xd7\x12\x7f\xa0\xa9\x72\x90\x6d\x16\x74\xd7\xe5\x5d\xac\x17\x89\x01\xb6\x61\xf1\xf1\xef\x39\xe7\x17\x25\xd8\x9b\xc1\xe7\xce\x8a\xc6\xa2\x38\xa9\xb2\x11\x5c\x65\x63\xf9\xc2\x19\x93\x43\x50\xcb\xff\x04\xbf\xed\x91\x66\x53\xcd\xfd\x93\xc2\x5c\xa0\xcf\xa1\x22\x3b\xc8\x5f\xd2\x6d\xcb\x17\xe5\x30\x21\x28\xfd\x81\x94\x51\xd0\xb7\xf0\x85\x4c\x70\x32\x84\x97\x77\xd1\x82\x8d\x48\x3b\xc5\x8b\x2b\x91\xf6\xe4\xeb\x2a\x90\x26\x55\xa9\x5b\x03\xfe\x2c\x86\xf0\xfb\xa9\xfd\x2c\x67\x7f\x6e\x5b\x60\x92\x17\x9a\x5e\x84\xa6\x7d\x88\x1a\xab\x57\xdd\x2c\x32\x39\xa1\xdb\x9b\x47\xf2\xb5\xf6\xce\xeb\x79\xa5\x8c\xd1\x25\xe6\x14\x7d\x20\x68\xca\x21\xa0\xca\xc4\x7b\x0c\x12\xf6\x68\x3b\x71\x98\xf1\x39\xf1\x12\x06\xb2\x84\x90\xf7\x56\xe0\xbf\x15\x22\x19\x5f\x14\x60\x8d\x19\xff\xb6\xa3\xba\x85\xf0\x47\x44\x31\xf7\x1d\x1a\x38\xb4\x92\xe3\x86\xdb\x9e\xb0\xdd\xe5\x57\x69\xc0\x2f\x87\x57\xa4\xe1\x4e\x93\xdc\x24\x1f\x2d\xd5\xe6\x55\x0e\x3d\x75\x3c\x91\x7b\xbc\x4e\x5b\x1a\x33\x85\x25\x91\x63\xd6\x64\xb0\xc7\x2d\x85\xbf\x78\x35\x4f\x18\xcb\x63\xf1\xfe\x0a\x33\x7a\x07\xf2\xe7\x8f\xd3\xf8\x94\xff\xeb\x85\xda\xce\x3f\x30\x27\x7b\x5c\x0f\xdb\xb2\x4f\x9b\xc3\x54\x54\x6d\xe8\x12\xed\x54\x45\xf8\x54\x88\x8a\x03\x8f\x04\x36\xc7\x8b\x21\x23\x0c\xa7\x3e\x77\x0b\x4d\x37\x5a\xc6\x0d\x30\x2a\xd1\x62\x9e\xd8\xc1\x7a\x12\x76\x53\x02\xad\xd9\x81\x9e\x9b\xdd\x10\x02\xdd\xf7\xd7\x73\xd0\xd2\x01\xe6\xaf\x2b\xf8\xe5\x8f\x68\x91\x5d\xcd\xb8\x0f\x4b\xdd\x73\x1c\xa0\x54\x4f\x9b\xe2\x92\x97\x21\x9d\xd3\x42\x2d\xf4\xf2\xe4\x36\x42\x2f\x94\x0d\x8f\xe0\x72\x41\x4e\x84\x38\x94\xc0\x1f\x43\x80\x7c\x4d\xd4\xf7\xc5\xc1\xfe\xb2\x0d\x50\xf0\x60\xee\x1f\xe6\x12\x22\x9c\x2f\x49\xda\x21\x72\x89\x52\xa0\xbe\xf8\x1b\x47\xfa\x85\x84\x8f\x65\xae\x37\x56\x70\x60\x13\x09\x5f\x1f\xf8\x4e\x5e\x32\x21\x6b\x94\xaf\x24\x79\xee\xa8\x19\x97\x10\xc0\x15\x59\x7b\x00\xa9\x7b\xe8\xb3\xba\x52\x43\x9b\x12\xe3\xf1\x94\x82\x18\xe2\x81\x6b\x75\xb6\x84\xf3\x18\x2b\x43\x4e\x0a\xc0\xcb\x31\xa1\xa8\x3f\x2c\x7b\xbd\xdf\x28\x0d\x1e\x4f\xd5\x08\xc4\xb7\xa0\xfb\x0b\x66\x4c\x61\x3e\xdb\x4c\x7e\xc7\xf4\x8c\xdc\x94\x11\xa1\xaf\x51\xc7\xf2\x95\x64\x95\x04\x17\xca\xcf\x4c\x84\x8b\xc3\xc6\xc2\xff\xb3\x17\x59\x91\x7a\x52\x51\x00\x01\xaf\xd9\xde\x6d\x6e\x9d\xdc\x26\x36\x43\x53\xea\x50\x70\xfc\x73\x0b\x22\xd8\xf4\x34\xec\xc2\x12\x47\x94\x9f\x63\x7d\x03\xd4\x30\xa5\xfb\xc0\x36\xbd\xaa\x35\x01\xd4\x9d\x63\xdf\x32\x38\xab\xc5\x94\xa5\x64\x43\xd0\x5f\x53\xa5\x57\xb1\xe0\x4c\x54\xf5\xde\x09\x10\x86\xa0\xcf\xe9\xf3\x70\x7c\x74\x77\x1d\x41\x6c\xbd\x75\xc5\x3e\x74\x56\xba\xc5\xad\xce\x64\x0c\xd9\x3c\x66\xc0\xba\x2e\x59\x09\x6c\x5e\x08\xcf\x2c\x9b\x96\x48\x9e\x94\xf8\x06\x52\xf9\x05\x84\x9e\x4f\x38\x99\x7f\x0c\xd4\xe6\xcf\x1a\xd1\x8a\x88\x1e\x9e\x81\xae\x73\x2c\x28\x4d\xf2\x54\xde\x39\x81\x60\x6b\x02\x1e\xf4\x1d\xa3\x71\x76\xe9\xa0\x94\x6a\xb8\x08\x26\xdc\x7f\xb9\xe4\xb9\x9b\xd9\x94\x8b\xb0\xee\x33\x4a\x5d\xb2\x91\xea\x58\x80\x7c\xec\xd5\x9f\x87\x0c\x69\x13\x85\xe2\x7f\x18\xd7\x48\x46\xd1\xed\xa2\x20\xb9\x60\x7a\xaf\x2e\x6f\xc0\xae\x9e\xae\x57\x60\x8e\x60\x1d\xf9\x44\xd9\xac\x45\xd6\x2d\x79\x65\x12\x90\x3b\xff\x90\xd7\x40\xef\x9f\xcc\x40\xc3\xb3\xf2\x73\xa2\xbd\xfa\x30\x14\x3e\x90\xcd\xa7\x11\x6d\x8c\x68\x82\x6e\x67\xea\x0c\xf5\x78\xf5\x92\x31\xca\x85\xf0\x3f\x11\xb4\x0d\x06\x31\xab\x34\x73\xca\x2e\xe5\x35\x87\xdd\x4d\x8a\xbc\x53\xc6\x06\x9d\x56\xbd\x9b\xf7\xcc\x9f\x04\xd8\x98\x2a\x4f\xae\xda\x89\xfb\xff\x88\x84\x25\x1a\x1f\xcc\x5f\xef\x64\x2a\x20\x52\x99\x93\x0e\xe6\xc9\x02\x22\x23\x57\x68\x88\xc4\x91\xf7\x96\x62\x4d\x04\xd9\x5a\x98\x3e\x40\xb3\x44\xe8\xf4\xc9\x8e\xeb\x55\xe0\xff\x11\x6f\xcc\x8b\x4f\x29\x6d\xdc\x2f\x11\xc9\x32\x27\x86\x44\x0e\x0b\xa6\x22\xed\x96\xdc\xcb\x6b\xf6\x82\xb9\x7a\x2c\x78\x06\x47\x47\x38\xe9\xce\xa3\x64\xa2\x28\x30\x23\x5c\xa3\x5c\x60\xca\x4b\x0f\xd3\x0f\x81\xc0\x51\xb9\x6c\x67\x98\x21\x7c\x79\x85\xe7\xfd\xfb\x4f\xd8\x04\x09\x32\x66\xf0\xd3\x94\x7b\xc1\xd5\xb3\xbd\x53\x5c\xbd\x34\xbf\x07\xa3\x09\x6f\x16\xda\x81\x8c\xde\x06\x88\x7e\x94\x25\x75\x79\xf2\xc0\x20\xcb\xca\xc1\xcb\x70\x0d\x34\x47\x2b\xac\x93\x01\x30\x53\x0f\x9d\x09\x44\x83\xfa\xf3\x11\x19\x4f\x9a\x96\x41\x92\x5c\xde\xe8\x88\x79\xd2\x18\xb3\xbe\xb8\x3d\xf4\xf3\x3f\x5c\xb1\x09\xca\xc0\xc7\x92\x6f\xf1\xeb\x49\x4e\xbf\xc5\x8f\x22\xe5\x13\xde\x37\x6d\x1e\xa9\x03\xe7\xaa\x65\xb8\xd1\x82\xe5\xe3\x82\x17\xe2\xd2\xc0\xb0\xcb\x39\x2d\x44\xad\x76\x84\xc2\x29\x96\x8e\x71\xa7\x61\xb9\x67\xe2\x5a\x28\x83\x92\x9e\x19\xbb\x5d\xfb\x05\x32\x18\x13\x9d\xc3\x04\xea\xee\xd9\xe1\x5d\xe1\xf0\xa9\xe6\xf0\x47\x61\xc7\x5f\x72\x99\xe6\xc0\xec\xcb\xf9\x3c\xc1\x01\xeb\x5b\x01\x7c\x2d\x97\x27\x3b\x22\x38\xd4\x48\x1c\xbb\x5d\x24\x4d\xb8\xf1\xb3\x29\xb8\x93\x05\x45\xea\xa4\xa3\x6d\x59\xc3\x7d\xdb\x37\xa6\x10\xde\x3a\x79\xdd\xd8\xa3\x1d\xeb\x0b\x1b\xbb\x31\xd0\x1e\xee\xb7\x8c\xf9\x5a\xcf\x3f\x27\x27\xb5\x3b\x62\x36\xb0\x7d\x49\x0d\x86\x31\x82\x97\xda\xd4\xf6\xb8\x01\x07\xa0\x31\x29\x9f\xb5\x2a\xc0\x61\x0d\xa5\xaf\x4b\x71\xa8\xa7\x1c\x48\x6e\xda\x6e\x77\xc3\x50\x22\x4a\x9e\x24\x65\x99\xd2\xf0\x17\x90\x79\x6a\x21\xc1\xc9\x0d\xfb\x6e\x64\xc4\x9d\x6f\xe4\xee\xeb\xe6\xd6\xb5\x19\x2b\x6e\x13\x0e\xea\xc6\x73\xc4\xcf\x46\x69\xc0\x46\xce\xc7\x38\x80\x79\xd1\x4b\x25\x99\x25\x28\xe2\x05\xa8\x66\x3d\x42\x9d\x8c\xea\x1f\xcc\xdd\x3e\x53\x8b\x97\xc6\x35\x56\x2f\x2e\x26\x95\x88\xaa\x14\xb9\x30\xa7\x40\x80\x76\x29\x8c\xc4\xde\xda\x70\xb3\xc2\x6c\x42\xc6\x70\x22\xc5\x9e\x26\xf0\xbc\x4a\xec\xc4\x3a\x95\x6a\xc6\x02\x30\xba\x1b\x06\x81\xb8\xdb\x4e\xfd\x0e\xf1\x33\xf0\x99\x56\x3d\x0f\x55\xb9\x19\xf6\x43\x77\x22\xc8\x6b\x4a\x5f\x92\x8a\x75\x6b\x45\xa8\x4f\x9c\x54\xdc\x2b\xdd\x79\xae\x9d\xa5\xa3\x9b\x59\x93\x05\x5b\xf7\x74\xb1\x29\xb4\x68\xfd\x38\x85\xa5\x44\x70\x52\x46\x0d\x71\xa6\x8c\xb9\x6d\xed\xbd\xc4\x88\x2e\x6f\x6a\x2b\x7f\x64\x26\x27\xf3\xe7\x78\x3a\xcc\xc8\xf2\x2d\x29\xac\x8a\x83\x78\x8e\x64\xab\xd6\x06\x19\xe2\xb1\x3c\x48\x3b\xb9\xf6\x44\x2c\xd0\xa6\x72\xdc\xa7\x19\x26\x2f\x2e\x8b\x52\xd5\x8e\xfc\xca\xbe\x63\x12\x0f\xa9\x55\xda\x00\x62\x98\x88\xb0\x98\x6a\xee\x35\x03\xf9\x4d\x69\x01\x15\x52\x8e\xa4\x14\xff\x93\xfc\xfc\x48\x7f\x4a\x3b\x02\x13\x79\x8f\x27\xce\x36\x2e\xcc\xfa\x77\x5c\x9f\x84\x11\x44\xae\x5f\xe9\xc7\xd9\x5b\x46\x57\xea\x10\x67\xf1\x2d\x1d\xee\x02\xf9\x11\x78\xb1\x13\xf7\x96\x20\x73\xa3\xc9\x8b\x91\xde\x9b\x47\x02\x3a\x22\x05\x92\x01\xbd\x49\x5e\x7e\x2e\x4d\x3b\x3d\xec\x65\xef\x29\xfe\x44\x2e\x27\x1f\x13\x87\x0b\x0a\xed\x81\x83\x52\xbc\x69\x1b\x5d\x39\x17\x56\x5b\xf8\xb6\x6a\xcb\x66\x58\x05\xd9\x37\xe6\x35\x87\x91\xed\x90\x60\xf2\x61\xca\x7e\x34\xf0\xe7\x28\x6c\xf7\x56\x3f\x57\x25\x4a\x05\xb3\xce\x5f\x17\x5d\x8b\xca\x32\x2c\xb3\x1b\xf8\xde\x32\xeb\x0e\xf6\x36\xda\x05\x5f\x3e\x9e\xee\x3b\x7e\x36\x06\x6f\xe1\x0c\x45\xc7\x74\x2c\x39\x73\x2c\xc7\x89\xaf\x38\xcb\x73\x7a\xa1\x78\x98\xd3\x1a\x20\xce\xba\x6a\x89\xc7\x88\x35\x19\xce\x21\x71\xc6\xe7\xb1\x9b\x34\x49\x4a\x58\x06\xf9\x9c\x26\xc5\xdf\x8f\xd6\x41\xa1\xbe\x5e\x66\x0c\xe8\x87\xa7\x8f\xb6\x91\xa1\x01\x6f\xdb\xf1\x07\xbc\x92\x99\x2a\x2b\x62\xdc\x34\x74\x31\x6d\xd2\x4f\x40\xff\xe6\x1b\xfa\x84\x8f\x97\x90\xe7\x25\xc0\xdf\x3f\xa6\xd0\x90\xfd\x38\x37\xe1\xa4\x6b\xf5\x8f\x3b\xee\xf4\xad\x77\x21\x95\x1a\x97\x79\x48\xb8\x6c\xed\xc0\x7a\x24\xb7\xf0\x4b\xe1\x4d\xf3\x6d\xff\x71\x53\x1a\xd7\x15\x32\x8d\x70\xa2\xff\xfb\x3b\x59\x43\x96\x19\x82\x6e\x0c\x26\x72\x9d\xa1\xaa\x66\xfb\x89\x2b\x94\x0f\x8b\xe7\xee\x4f\x22\x7b\x43\xfb\xb4\x30\x94\xc5\x08\x64\x47\xc8\xb4\xdd\x72\x66\xf0\x7b\xc7\x9c\x28\xa9\xb4\xb0\xb5\x11\x73\x9d\x68\x94\xc0\xf2\x04\x9f\x9b\x83\x57\xa2\x45\x1b\xc9\x64\x89\xc2\xfd\xb4\xc6\x3f\xe6\xa1\x51\xa1\x1c\x72\x30\x47\x4b\xf5\x1f\x4d\x04\xb1\x60\xa6\x5c\x22\x10\x4d\xfc\x29\x68\xa2\x3e\x42\x7b\xd9\x7c\x4d\x2c\x0a\x5b\x35\x9d\x59\xfb\x17\xb5\x51\xf8\x90\x5a\x4b\x6a\xca\xb2\x44\x4d\x66\x08\x2c\xf5\xc6\x48\x03\xf5\xaf\xdd\x46\xf0\x57\x35\xd1\x8b\x52\x07\xa9\x27\xef\x34\xcc\x76\xa8\xed\x38\x19\xc8\x69\x54\x1e\x06\xe5\x09\x50\xd5\x50\xc9\xb8\xf0\x34\xd4\xa3\x29\xa1\x35\xaf\xaa\x25\x7d\x3b\xf2\x5d\x36\xac\x7c\x7f\xf9\x85\x1a\xb9\xc3\x86\xc9\xb1\x6b\x7b\x11\x1c\xfb\xfc\x39\xf1\x9e\xc3\xb7\x1c\xe4\x35\x40\x36\xcf\xcf\xfe\x36\xc8\x7a\x8d\x65\x47\x00\x6a\xb4\x4f\x19\x32\x0a\x35\xdb\x00\x3a\x6c\xce\x51\xe5\x33\x8a\xfd\xea\xf6\xfb\x6a\xd3\xdb\x60\xba\xbb\x52\x1a\xd5\x6b\x08\x0e\x55\x64\x41\x3b\xe5\x96\x99\x4a\xfe\x9d\x45\x55\xf7\xb7\x53\x0c\x4f\xb1\xad\x9b\x55\x90\x0c\x76\xba\x40\x49\x71\xd8\xe2\x72\x6a\xc6\x48\x0e\xc1\xe1\xb5\x6f\x68\x60\x0e\x79\x0a\x32\x80\x6f\x10\xee\x80\x76\xff\xbb\xe6\x31\x30\xb7\x2a\xe2\x2f\x0a\x79\x9a\x56\x58\xf2\x72\xfa\xed\x77\x0f\x1c\x72\xe4\xb6\xc3\x2f\xa1\x9b\x6b\x9e\xc2\x8c\xec\x7b\xfb\x3b\x08\x69\xe7\xf4\x7b\xb3\x2b\x63\x1d\x44\x0b\xb1\x50\x4e\x92\x7f\xbf\x0a\x75\x29\x59\xc4\xa6\x33\x45\x9b\xd2\xd3\x49\x26\xad\xa2\x2b\x97\x71\x6a\xdc\x61\x47\x0e\xda\x3a\x96\x8b\x89\x89\x82\xd8\x96\xe7\x7d\xa4\x7a\xf7\xd4\x89\x72\x8a\xde\x39\x50\x57\x53\x89\xaf\x48\x83\xb2\x1f\x53\xe9\xf4\x9d\x4b\x4f\xec\x3c\x56\xb9\x5f\xae\x00\x27\x1b\x01\xfd\x3a\xda\xc9\x79\xba\xca\x1f\x9c\x3b\xd6\xf0\x78\x42\x47\x20\xf7\x47\x59\x1e\xa8\xdc\x70\x94\xc6\x08\xb1\x47\x6d\x1e\x10\x51\xa5\x5b\xb1\xe5\x94\x10\xef\x9d\x8c\x29\xf0\x0a\x6a\x4d\x9b\x31\x03\xa8\xd2\xaa\x08\x7e\x91\x11\x6f\xb3\x63\x97\x58\xad\x6f\x93\xed\x07\x06\xbf\x99\x3e\xce\x70\xe8\xed\x75\xbe\xa2\x89\x70\x85\x9c\x72\x56\xf9\x72\xaf\x86\x2b\x45\xb4\x2b\xe1\x59\x57\xe2\x18\xfa\x65\x42\x4a\xaf\x13\xc2\xa8\x47\xce\x1d\x40\xda\xb5\x2e\xe7\x57\x66\x92\x45\x14\x0c\x43\x46\xc5\x81\xf2\xe9\xab\x2e\x72\xb6\x44\x28\x23\x72\x50\xe1\x42\x93\x51\x78\x45\x56\x8d\x20\xed\xb8\xb1\x03\x10\x6c\x48\x26\x62\x1b\x6b\xb0\x75\x6c\x1f\xac\xd8\x59\x50\x9f\x93\x31\xd0\xa1\xaa\xde\xe7\xad\xf1\x34\xd4\x63\x30\x98\x11\x22\x0e\x9b\xdd\xf1\xdc\x63\x02\xad\x89\xab\xab\x68\xe3\x2f\xd5\xf7\xc2\x7c\xa0\xb2\x17\xd8\xc2\xec\x34\x2a\x26\x05\xfe\x54\xee\xd4\x32\x1b\x34\xea\xf5\x4f\x8c\x21\x62\xd3\xbf\x5d\x7a\xce\x24\x29\xfb\xeb\x4c\xa1\x87\x06\x50\x26\xaa\x81\x4a\x98\x33\xb6\xee\x94\x3d\x1d\x33\x7d\xe2\xd9\xec\xda\xab\x2c\xf4\x63\x4c\x16\xa9\x15\xe6\xa9\x64\x8b\x36\x8d\x8d\xf8\xd6\xd2\xde\x47\x72\x11\x21\x4b\x3e\x8c\x29\x1f\x16\xed\x30\xea\x38\xff\x58\x1b\x81\x89\x9c\xd1\xc4\xa7\x4b\xb3\x38\xa6\x32\x20\x03\xc9\xfc\xbf\x16\xa0\xac\xf0\xc6\x7b\x97\xd8\x5d\x55\xa6\xb8\x1f\xb7\x53\x6d\x43\x4a\x0e\x49\x99\x29\xe0\xda\x0a\xe3\x18\x18\xda\x52\xcc\x25\x24\x18\x80\x26\x21\xcf\x28\xee\x5c\xd5\x55\xf1\x3d\x4a\x0f\x6c\x41\x60\xb9\x70\x16\x80\x9b\xa7\x5f\x30\x50\xc2\xef\x1d\x3f\x90\x04\x5e\x97\xf4\xea\x5d\x03\x73\x9a\x8c\x5a\xb3\x49\x2f\x5d\xd5\xb1\x67\xd8\xf5\x29\x49\x61\xf9\x42\x84\x7d\x95\x50\xf1\x1f\x73\xa8\xff\x1b\x8b\x28\x8d\x27\xa0\xfb\x75\x9d\x86\x54\x46\x91\xf9\xee\x3f\x9e\xe4\x8d\x0e\x57\x3f\x21\xcc\xef\x46\x10\x30\x28\x71\xc7\xae\xc5\x59\xad\xe8\x95\x11\xdd\x90\x75\x80\xf8\xf0\xd1\x19\xb8\x27\x4f\x65\x2f\x5e\x4c\x8a\x8d\x32\xf3\x0f\x24\x43\xeb\xf4\xd9\xbc\x12\x48\x61\x88\xc5\xaf\x74\xf9\x8d\x31\x54\x95\x38\x9f\x10\x30\xd4\x5d\xe4\x21\x9c\xaa\xea\xb0\x35\xbd\x51\x1a\xfe\xa1\x8c\x84\x48\xbf\x80\x54\xde\xbe\x9c\x74\x7e\x60\x43\x1d\x66\x01\x5c\x62\x57\x8a\x00\xdb\xdf\xc0\x6a\x5d\xd5\x27\xe3\x14\x13\xe8\xdf\x00\x42\x0c\x33\x2b\xb4\x16\xdb\x84\x20\x0c\xb7\xe1\x47\x08\xa1\x37\xb7\x54\x90\xd9\x5f\xfd\x69\x3c\x9b\xd2\x15\xcf\x71\xc3\xf8\xe2\xd1\xaa\xab\xff\x3d\xd6\x3c\xc2\x28\x0a\xb6\xea\x46\xa0\x39\x0e\x75\x35\x63\x50\x59\xd1\x28\xb5\xa9\x2f\x68\x67\x3a\x05\x8d\x96\x33\x03\xe7\xe5\x79\xcc\x16\x61\x9d\x78\xc6\xdb\x79\xe8\x26\x21\x52\x5a\xef\x9a\x8a\xf3\x0d\xf9\x11\x2c\xe2\xb6\x8d\x56\x8c\x39\xa8\x13\x8e\xbe\x5d\x0c\x3c\x26\x38\x02\x09\x5c\x3c\x4f\xe2\xa9\xba\x48\xd9\x7f\x6d\xf3\x11\x26\xb6\x4a\xbd\xb3\x7c\xf8\x06\xb4\x10\xaa\x9f\x32\xc8\xf2\x0a\xb1\x37\xe1\x2d\xa9\x9f\x8f\x06\x96\x07\x22\x4a\xc1\xcc\xf6\x10\xe3\x62\x12\x45\xf7\xcf\x01\x7f\x8b\xb1\xf5\xde\x00\xbe\xdd\x6a\x66\x81\x1b\x28\x6a\x87\x0a\x89\xc1\x13\x08\xa3\x5d\xfc\x58\xba\x24\x5e\x93\xc1\xd3\xa5\xff\x01\x0f\x8d\xe2\xaa\x44\x6a\x90\xd1\x53\xb3\xe6\xf8\xd0\x72\x5d\xab\x1e\xe4\x35\xba\xb2\x6a\x08\x42\xc5\x72\xd3\x88\xe2\xb6\x26\x57\xc1\x33\xe5\xca\x2d\x47\xfe\xc6\x55\x61\xab\x2a\x71\xc6\xd7\xfb\xdd\x24\xdb\xf0\x50\xf6\x88\x9d\x83\x22\x70\x94\x17\x80\x96\x99\x6d\x85\x66\x25\xdd\xcd\xbc\x23\x6c\x0b\x5e\xd2\x8e\x7c\xf7\x18\xb4\xf8\x05\x89\xd3\xde\xcc\xee\x9e\x70\x54\x36\xdd\xe6\x45\x5d\x8f\x0b\xea\x6f\xc4\xc3\x54\x4d\xf5\x5d\xfd\xa6\xd5\x2d\xeb\x92\x1c\x0b\xcd\x96\xf8\xa0\xc5\xdd\x8c\xe9\xd3\x8c\x00\x83\x7a\x56\x28\xa3\xb2\x52\x97\xcd\x3b\xaa\x14\x90\x54\x5b\x5c\xcb\x87\x1c\x36\xac\x1a\xac\x4c\x70\xb0\x5a\xa4\x59\x73\x4a\xa5\x23\xec\xf9\x47\x6d\x90\xe7\x19\xba\xa1\xe0\x3d\xe3\x49\x2c\x3b\xd1\x0e\xe0\x29\x0a\x6c\xba\xda\x72\x96\xb2\x6f\x46\x3b\xcb\x05\x1b\x53\xf0\x8e\x9a\x80\xc4\x71\x57\xcb\x49\xb7\xde\xd5\x02\x11\x21\xc0\x43\x15\xfe\xa9\xd4\x80\x0d\xd2\xd6\x23\xc9\x12\x34\xf9\xce\xc3\xa7\x87\xbc\x28\xf2\x73\xb0\x29\xcb\x66\xd5\xa0\x5d\x54\x63\x11\x61\x38\xfb\xc8\x75\x79\xa7\x1e\x0d\xbb\x29\x70\x38\x67\xfa\x8b\x69\x21\xb6\xfe\x65\xa7\xd1\x96\xe5\x14\xd8\xa8\xc2\x1e\xa8\x56\x66\xda\x05\xb7\x2c\x0b\x3d\xac\x14\x4f\xe9\x04\xd8\x18\x43\x1b\x5d\xc7\xa9\x0c\xc3\xe2\x52\x66\x7d\xe0\x4b\xc6\x1a\x19\xdc\xa5\x65\xf5\xa5\xc1\xf4\x21\x6c\x69\xcb\xb5\x9c\x71\xdb\x52\xe2\x8d\x85\xc1\x37\xd2\xc4\x86\x62\xd3\x18\x13\x04\x1b\x60\x65\x31\x39\xbd\xe9\xd2\xb5\xc4\x72\x68\x5b\xef\x17\x7c\x2f\xa2\xbd\x82\x56\xb3\x2a\xfd\x59\x8e\x4f\x82\x52\xc5\x7c\xd0\xc4\xea\x6f\x7d\xf7\x76\x31\xec\xf0\x0b\x0b\x6f\xae\x05\x82\xb3\xaf\x17\xa5\x77\xba\x6f\xda\xdb\x8c\x22\x74\xb6\x3c\x3a\x5c\xec\x2c\xf0\xf3\x02\xdf\xdc\xae\xb2\xa3\x8e\x32\x57\x37\x99\x80\x3b\x73\x68\x6f\x45\xab\x88\x5f\x43\xdf\x45\x61\x62\x4c\x34\x7a\xb1\x11\x55\x91\xae\xc4\x23\xb0\x9b\xfd\x69\x46\x17\x23\xde\x7b\x10\xf9\x18\x9d\xfe\xc9\xf0\xb2\xd3\xb6\x6c\xf8\xb1\xae\x59\xdb\x79\xfc\x26\x11\xa6\x55\x61\x65\xc3\xfd\xd1\x1e\x43\x80\x81\xf2\xe7\x47\x3d\x3c\x16\xae\x56\x76\x19\xe5\x8e\x4e\x4d\x24\x33\x74\x9b\x90\xee\xae\xe1\xf4\xe5\xf9\xe2\xac\xc3\x7c\x67\xbd\x22\xdd\x92\xb8\x56\xeb\xab\xf0\x4b\x09\x4b\x8a\x87\xd3\x86\xe4\x44\x46\xbd\x32\xcd\x75\xb6\xdc\x35\x24\x69\x90\x7d\xd3\x9a\xe2\xbd\x9c\x5f\x96\x5c\x3f\x17\xaf\x0b\x77\x85\xa5\xea\xf4\xfe\x48\x5d\x4c\x31\x16\xae\x77\xa7\x4a\xb1\x65\xea\xf4\xce\x8f\xd8\x63\x4a\xdf\xf3\x90\xbe\xe9\x1b\x5b\x30\x17\xea\x83\xc1\xb2\xff\xd7\xd0\x4d\xd0\xc4\xdb\x62\x5d\x6c\x4f\x99\xca\xdb\x2f\xc1\xdf\x1d\xf8\x77\xa6\xc5\xee\x05\x64\x33\x49\x4b\xcc\x7d\xf9\x2f\x02\x39\xaf\xa2\xfe\x75\xff\x14\x1b\x2e\x74\x97\x5f\xb8\x0c\xf9\x57\xc5\x17\x37\x50\x59\xa6\xa0\x95\xd4\xb8\xa9\x17\xb7\x1d\x52\x0a\x36\x03\x66\x2d\xde\x20\xde\x7c\x73\x97\x94\xb6\xcc\xdd\x18\xfd\x54\xc0\x5c\xcc\x81\x44\x71\x89\x9c\x4d\x62\x14\xd8\x80\x5b\xef\x7b\xa4\xa4\xde\x0e\x02\xe5\x67\x5d\x5f\x80\x65\xcc\xb2\x24\x2d\x51\xeb\xa5\xcf\xe8\xef\x3c\xd7\x0b\x53\x2f\x9a\x0b\xc2\x2d\x9b\x64\x19\x3c\x79\xb6\xce\x46\x88\x90\xe6\xfc\x7f\x69\xae\x0c\xbd\x8e\x3a\x42\xae\x06\xfd\xa9\x8b\xfc\x7e\x04\x17\x16\x95\x9e\x5a\xee\x95\x11\x46\x43\xa3\x08\xc4\x33\xe4\x02\x91\xc5\x32\xff\xfe\xa7\xc8\x8d\xe8\xe5\x36\x11\x9a\xda\x3c\x52\x89\xc9\xc5\x7d\x1d\x47\xfa\x06\x26\xbe\xf3\x27\xfa\x8c\x19\x56\x76\x06\x64\xf9\x6a\x38\x53\x8a\x81\x88\x37\xe9\xc8\xa6\x6a\xcf\xa4\x2e\x01\xd5\x9f\xe3\x9a\x9c\x72\x61\xa7\x7d\xff\x5a\xc5\x09\x20\x5a\x25\xf7\xc7\xd5\x6b\x27\x5f\x65\x10\x7c\x3a\x4f\xd2\x6e\x8e\xdc\x67\x7e\xb9\xa4\xc9\x20\x80\x51\xe5\x21\xfb\x7c\x93\x2b\xdf\x60\xfd\x69\xd1\x0c\x92\xf9\xbe\x09\x2b\xd6\xee\xc6\x8d\x05\x97\x2f\x82\x00\x58\xc5\x31\xd1\x20\x68\xe4\x97\x5c\xcb\x0d\x4f\x03\xf8\x89\x37\xdc\x17\x89\x98\xa7\xd6\x8d\x43\x30\x79\xf5\x1d\xa4\x23\x9a\x5f\x5f\xd4\xa5\x63\xfe\x6a\x73\x82\x45\xfb\xca\x5e\x6b\x0b\xd8\x8a\xbb\xd6\xeb\x9f\xd8\x09\x31\x03\x6b\x02\x34\xcf\x66\x7a\x53\x40\xec\x16\x67\xc5\x78\x2d\xe6\x75\xab\x47\x86\x20\x18\xd9\x4a\xe8\xb7\xde\x93\x20\xd3\x81\xcb\x84\x3b\x1a\x88\x5d\xda\xf3\x1c\x35\x76\xf2\xce\xbb\x6a\xb9\x57\x6c\x33\x4d\x3d\x40\x1f\xa6\x16\x32\xdb\xa1\xe6\xcc\xec\x91\x5c\x45\x00\xf8\x6a\xc2\x89\xa1\xde\x65\x49\xf7\xea\x27\x6f\x9f\xf9\x00\x89\x68\xab\x31\xa7\xa6\x48\xec\xd6\xf3\x6e\xd1\x85\xaf\xb3\xe9\xb3\x4c\x92\x28\xe2\xd7\x26\x94\x4c\x33\x22\x7a\x9e\x3d\x77\xe4\xd5\xbe\x8b\xd8\x50\xf3\x10\xdd\xa0\xfb\xc3\x0a\xff\x3f\x5b\xf2\xf1\xea\x3e\xed\x0c\xe2\xff\x15\xa7\xc3\x13\xcd\x87\xa7\x9a\xdd\x3e\x29\x0c\x2e\xcd\x76\x4c\x45\x55\x20\xd5\x81\xe3\xaf\x9e\xbe\x2c\x56\xd1\xde\xef\xaf\xa8\x73\x1b\xfb\x49\x06\xb7\x4d\x13\xf2\x71\x20\x48\xb4\x1a\x51\x58\xcf\x3c\xdb\x81\x5c\xd8\xd6\x3c\x90\x12\x46\x86\xdf\xb5\x67\x34\x83\x4e\x15\x53\x4f\x2b\x8b\x7e\xe2\xb2\x24\xea\xf7\x95\x15\x02\x1d\xe3\x15\x61\x91\x67\x7c\xa7\xfb\x47\x67\x42\x92\xf4\xed\xed\x88\x7f\x3a\x63\xba\xaf\x56\x4e\x35\x8e\xe2\xdf\xdf\x12\x73\xb3\x73\xc3\xaa\xb4\x99\xf4\xbc\x54\x8e\xde\x75\x12\xb5\xe2\x2c\xbe\xd7\x61\x8b\x23\xbc\x64\xb4\x6c\x8e\x6f\xba\x9b\xfe\xaa\x96\x3b\x33\x5d\xe5\x8d\x0d\x8b\x66\x32\x4b\xa8\xf5\x92\x52\x9d\x12\x09\x4d\x22\x66\x81\x92\x96\xd3\x95\xe7\xb3\xb0\xb2\xe7\x15\xe7\xed\x73\xfa\x8e\x2a\x1e\x15\x11\x59\xed\x41\xec\xf7\x54\xf7\x3c\xf8\x21\x68\xdf\x08\x14\xaa\x0c\x6f\xd8\xb9\x98\x8d\x20\x8f\x66\xba\xdb\xb9\x0a\x54\xb7\xa9\xb3\x11\x83\x9c\xd6\xcb\xbf\x09\x28\x01\x37\x67\x7a\x98\x4d\xdf\x87\x95\x1a\x47\x13\xcd\xf7\xf4\x94\xfb\x54\xe5\x37\xd8\xf1\x62\x8d\x79\x4e\xef\x29\xed\x26\xe3\x13\x21\xac\x41\xb9\x37\x3d\xc1\xcd\x85\xe4\x82\xd7\xe7\xbd\x56\xba\xef\xbd\xa3\xe2\x05\xc2\xd4\x85\x51\x26\xda\xbd\x2e\x24\x44\x62\x14\xa6\x33\xeb\x31\x1c\xc4\x87\xb8\x63\xf1\x11\x59\x63\xa4\x21\xaf\xa6\x1a\xe4\x88\x32\xeb\xed\x5e\xae\xcd\xae\x72\xd2\x7d\xe0\xce\x76\x17\x36\xe1\xa7\x1b\xcc\xfd\x36\x1c\x2c\x9d\xfc\xe6\x19\x60\x9e\xbc\xa1\xa0\xd4\xd8\x63\x75\x46\x89\x1d\xf3\x8f\x25\x97\xea\xa1\x00\x7d\xb2\xd3\xf2\x0e\xf9\xa6\x56\x0c\x71\x63\xed\x1a\xe4\xb5\x5d\xea\x61\xc3\x1f\xbf\xd2\x88\x84\x60\x50\x6d\xbb\x7a\xf2\x6c\x17\x8c\xca\x34\xea\xd9\xde\x4f\x0b\x71\xa0\xf2\x16\xdf\x95\x8f\xe4\xf3\x85\xe2\xc5\x90\x8a\x5a\x55\xfd\xc0\x32\x2e\x2d\x97\x93\xf8\x8f\xb6\xad\x76\x6f\xfe\x8e\x17\xb6\x44\x96\x4b\x27\x49\xe5\x64\xab\xfe\x28\x69\x24\x16\xc6\x61\xa8\xce\x57\x0b\xaf\x46\x4d\x47\xa0\xf1\x28\x88\x88\x94\x9e\xe8\x0b\x4a\x62\x60\xd0\xc6\xb4\xf7\x54\x7f\xe0\x1d\xdc\x10\xda\xda\xed\x67\xf3\x9b\xe2\xa7\xa6\xf1\x21\xcf\xcc\xe4\x90\x29\xbc\xca\x23\xf7\xe4\x98\x54\x11\xb8\x16\xfb\x9b\x6b\xce\xab\x0c\xd1\x35\xcf\x71\xa7\xeb\x10\xc9\x71\x46\xb3\xf3\x42\xaa\xba\xfa\xac\x9c\x2c\x69\x0d\xcd\xfa\x46\xfc\x4d\x28\x86\x23\xce\x1d\x13\x85\xdd\xed\x99\x71\x5f\x35\x1f\x39\xb5\x8e\x0a\x75\x61\xce\x85\xda\x8e\x85\xee\xd6\xca\x8d\x4e\xeb\x9a\xa2\xbc\xb7\xcc\x77\x71\x6c\xaf\x84\x39\x3b\x3a\xcb\xb6\xfb\xd9\x3d\x5e\x26\x6f\x62\xd2\x34\x6d\x58\x86\xc3\xc5\x8e\xbd\x6f\x71\xda\x40\xe1\xe6\x77\xbe\xef\x21\x5b\x19\xa9\xdf\xe5\x2e\x08\x62\xd0\x6f\x28\x7c\x72\x40\xb4\x70\x95\x4c\xc0\x05\x71\xdc\x40\xc2\xd6\xfe\x95\x82\x91\xcd\x26\xfc\x28\xea\x60\x13\x95\x8d\x00\xb0\xa7\xf0\x19\x10\x33\xb2\x44\xa9\xcd\x14\x6b\xbe\x14\x49\x2e\x47\x99\xe9\xa2\x0a\x27\x69\xf0\x96\x91\x51\x55\x59\x4a\x63\xe3\xa5\x37\x43\xb0\x6e\x44\x72\x3d\x7f\x40\xf4\x56\x47\x31\x4a\x7b\xa9\x59\x20\x1d\x2a\x1d\x6b\x45\xf6\x5a\x49\x39\x83\x38\xaf\xc8\x20\xc7\x65\xad\x7f\xb7\x59\xa4\xa8\x40\x88\xe0\xca\xbe\x22\x09\xf7\xfc\x39\xe5\xe5\xdc\x17\x72\x13\xfb\xc1\x2c\x8f\x1f\xa8\x28\x40\x1b\x10\xe3\x94\x89\x6a\x80\x95\x76\xec\x11\x8a\xd7\x15\x04\x8c\x7f\x2f\x5a\x33\x17\xdb\xd2\xb2\x5d\x75\x95\xf6\xa1\xa1\x33\x1f\x97\x8d\x31\x3f\x64\x92\xbf\x81\xe7\xb7\x86\x8e\xd9\x84\xc4\x00\x71\xd2\x08\x54\x03\xa8\x3b\x98\x94\x81\x61\x49\xc6\x1b\xaf\xdb\x55\x3c\x31\x30\x3d\xf5\xcd\x1e\x6a\x0e\x28\xd8\x1a\x10\xd9\x43\x09\x46\xb3\x29\x72\x51\x22\xb1\x5a\x45\xf8\xff\xcc\xc5\xb6\x66\x32\xef\x9b\x3e\x62\x91\xb8\x80\x7d\x7c\x2e\xcf\x36\x1f\x9c\x33\xb2\x2e\xc1\xb4\xe9\xb1\xc1\x5d\x5b\x7f\x69\xd7\xe6\x3a\xfe\x29\xa9\x18\x02\xaf\x6c\x5b\x40\xc6\x09\x19\x70\x63\xce\xa2\xd2\xeb\x67\x92\x44\xad\xcd\x98\x1b\x71\x9f\xb9\x91\x23\x1a\x18\x10\x2b\xf4\xf3\xc3\x1d\x3a\xf4\xbe\x37\x56\x8b\x8e\x82\xc3\x3c\xa8\xe4\x38\xd9\xdc\x07\x6f\xe1\x7f\xf2\x1b\x9f\x92\x4c\x8d\x8a\x60\x65\x29\x41\x04\x6f\x08\x5d\x86\x1d\x33\x8d\x37\x6f\xba\xe9\x1f\x85\x46\x0c\x1b\x13\xe3\x8b\xfc\x5b\x72\xcf\x19\xed\x32\xd3\x4b\xf8\x5b\x2c\x13\x2c\x23\xc4\xc2\x51\x67\xbe\x36\x53\x68\xee\x0c\xb3\x81\x8a\x85\x6d\x51\x40\xde\x04\xf9\xae\x44\x5a\xbc\x2a\x3a\x96\xc2\x30\x23\xbe\xc3\x2b\x22\xe3\xb3\xee\xd7\x0c\x25\xaf\x8c\x1b\xc5\xfd\xd6\x73\x1f\xe4\xbf\x7d\x56\xa8\x1a\x3f\x22\x6a\x0e\x94\x42\x2d\xa5\xca\x31\xa6\xf3\x89\xf7\xf3\xc1\xbc\x3f\x87\x05\xde\x1d\xc0\xf6\x56\x55\x2a\xf4\x68\x4f\x3e\xc2\x35\xd5\x26\xcb\x64\xf1\x9a\x5a\x91\xe8\xa2\x91\x47\xe3\xf7\xe1\x31\x10\x7a\x13\x03\x5b\x36\x5a\x0d\x40\x18\xd0\xba\x85\x5d\xa9\x0b\x7f\xc0\x01\xfa\x12\xd6\x2a\x43\x52\x2f\x1c\x45\xa9\x3e\xde\x4c\x10\x84\xdb\xb1\x01\x9e\xbd\x46\x4b\x33\xc7\x88\xf1\x24\x68\x3f\x99\xa8\x66\x50\x26\xf5\xd8\x7b\xae\x95\x4e\xee\xc7\x68\x4c\x63\x1d\xe3\x88\x26\xaf\xcd\xe6\x1f\xc3\xf2\x38\x2e\x60\x7a\x78\xa5\x83\x07\x57\x61\xf5\xdd\xf4\x12\x33\xa7\x27\xa1\x5f\x75\x83\x1e\x72\x06\xb3\xb2\xe8\xab\xc0\x3a\x8e\xa7\xa3\x43\x70\x91\xc5\x59\x38\xbf\x16\xe5\x43\x5f\x48\x3f\xd9\xa3\x4e\xd8\x79\xdf\x65\x20\x09\xfc\xfc\x3b\xa6\x0a\x28\x7b\x2d\xf7\x7f\xe1\x36\xdc\x6d\x1c\x9d\xc2\x4b\xef\xf5\x6e\x88\x8e\x54\x97\xfb\x91\xa7\x33\xd5\x8b\xca\x73\x95\x21\xf7\xf1\xaf\xa4\xf9\x4a\xc1\xea\x3b\xc8\xd2\xcc\xe1\x68\x9e\xb3\xa3\x9b\x9b\xb8\x1f\x96\xe9\xac\x19\x64\x6c\x58\xa4\xeb\x72\xd4\x7f\x65\x3b\x4a\x28\xb4\xc2\xb4\x34\x09\x47\x22\x6f\x08\x54\xc4\x5f\x76\x6c\x1a\xe6\x5d\x63\x00\x71\xac\xf0\x4b\x89\x9d\x14\x67\xb4\x60\x57\xc3\x35\x76\x9c\x4d\xd2\x30\x77\xfa\x6b\x08\xa7\xcd\x44\xcb\x3f\xad\xaf\xfa\xd3\x34\xf0\x30\x09\x81\x58\xdf\x1e\xc8\x9d\xd7\x7f\x36\xa9\x5a\xb5\x8c\x08\x0f\x86\x01\xd9\x39\xbb\x2e\x14\x3e\xca\xe4\x78\xc0\xae\x46\xa7\x97\xe8\x81\x21\x84\x4d\x81\x29\x6d\x09\x42\x1f\x25\xe2\x7a\xbb\x3e\x35\x7f\xed\x43\xa4\x73\x3e\x33\xdd\x21\xd9\x0a\xb4\xaf\x3f\x77\xb3\x41\xc3\x5e\xa8\xd7\x22\x2f\x49\xdc\x24\xe9\x2e\xe2\x6f\x28\xb2\x12\x7f\xcc\xbf\xdd\x63\xe1\xfe\x24\x15\x90\x10\xa2\x3c\x88\x52\x92\xb5\x5c\x4b\x61\xa7\xa9\x06\x66\x64\x55\x59\x82\xe6\x57\x74\x4f\xe4\x28\x6c\xe5\xa1\x83\xea\x22\xcc\x46\x27\x21\xbf\x9e\x61\xfc\x78\xd5\xf2\xc8\x14\x04\x13\x31\xf0\x9a\x01\xa9\x58\xe2\xb6\x4c\x5a\x08\x26\xa5\x53\xa8\xb9\x94\xd6\x6d\xbe\x89\xfa\xa6\x40\x3b\xbe\x70\xad\xb3\x82\x3a\x1b\x55\x27\x6f\x08\x9b\x4b\x38\x57\xf0\xa4\xdb\x9e\x89\x15\xba\x0f\xea\x98\xb8\x81\x17\x75\xca\x4b\x95\x08\x89\x4d\xd7\x8d\x80\xa2\x0a\x9a\x9f\x89\x05\x4b\xab\xb1\xfa\xe3\x04\x50\x9c\x15\x84\xd4\x44\xa8\xae\xd1\xf5\x42\x6c\x78\x01\x0c\x8e\x8e\x9a\xd1\x7b\x89\x4f\xa5\xe3\xb8\xd6\xcf\x8a\x9a\x23\x1f\xd5\x96\x70\x94\xc7\x8c\x7b\x88\xf8\xc7\x04\x0b\x09\x84\xdf\xe8\x78\xbb\x29\x58\xca\x39\x91\xed\x8e\xff\xcc\xe2\x34\x8b\xc6\xab\x93\x75\xe0\xf8\xc1\x95\x43\x62\xcb\x3e\x69\x7a\xe0\x1c\xab\xb0\x66\x55\x81\x2c\xea\xb2\xea\xc9\x38\x3e\x04\xef\xc1\xd6\x0b\xec\x2f\x18\x8f\xae\xcf\x37\x3a\xe8\x12\xae\xda\x6e\x7c\xfb\x74\x07\xf3\x22\xc1\x33\x35\x89\x33\x4b\xcd\x72\x04\xee\x02\xad\x89\x67\x8f\xc2\x99\x71\x7c\xc1\x31\x7e\xb5\x31\x12\xd9\x51\x59\xc3\x8d\x92\xd0\x1a\x13\xbe\xee\x3e\x3c\xe6\x4a\x95\x00\xe6\x94\xd2\x53\xb7\x57\x5d\x37\xd2\xed\x59\x96\x80\x9b\x02\xc1\xc4\xa4\x85\xd4\xc0\xda\x6e\x84\x5e\xca\x35\x55\x93\xcf\x18\x46\x27\xdd\xfb\xa4\xdf\x25\x19\xbe\xed\x80\xc2\xc7\x3f\x89\xc8\x11\xa4\x46\xd3\x2f\xe2\x2f\xd5\x73\x3a\xc7\x7c\x87\x0f\x9c\x1e\x03\x73\x4b\xc4\x43\x16\xd1\xa3\x90\x76\x4c\x4f\xfd\x4f\x10\x68\x11\xcf\x57\xc9\xf6\x57\x8d\x87\x34\xd5\xf4\x9d\x91\x3c\xfb\xf2\xa8\x3b\x24\x83\x54\x1e\x6f\x91\x36\xd6\xbf\x7b\xae\xe8\x77\x02\xe4\xb1\xcb\xba\xf7\xdf\x3f\xf6\xa7\x3e\xff\x01\x3c\x28\x90\x08\xd2\xaf\x88\x16\xc3\x57\x7e\x84\x09\x59\x0a\xde\xe6\xa1\x74\x60\x0a\xa5\x16\x65\x96\xb4\xf6\x8d\x61\x43\x6b\x85\xc5\x49\xe2\x03\xcc\xde\xd5\x65\x48\x86\x2c\x5f\xc4\xf3\x82\x59\x27\xd6\x3a\x18\x31\x4f\x8d\x2f\xb1\x1e\x67\xf5\x45\x34\x0c\xbe\xf8\x24\x7f\x73\x73\xc2\x02\x8b\xb4\x05\x2b\xb4\xf7\x98\x04\x98\x47\x2d\x38\xaf\xb1\xe0\x0d\x60\xa8\x00\x96\xcd\xf0\x05\x92\x6c\xb1\x85\x60\x81\x0a\xe5\x76\x66\x7d\xaf\xc0\x67\x8d\x72\xe2\x39\x2e\x1e\x02\x63\x35\xf7\x83\x05\x68\x85\x57\x60\x70\xf0\xb3\x6a\x8c\x34\x41\x39\x22\x5f\x53\x32\xfc\x49\xc1\xe4\x58\xde\xa3\x66\xff\xeb\x2c\xf1\x2d\xe9\x67\xb5\x56\xa1\x38\x80\xca\x41\x14\x0d\x7e\x79\xfb\x56\x41\xf6\x44\x91\xc8\x79\x33\x19\xa2\x62\x7f\xa4\x40\x0a\x42\x0e\x90\xfa\x69\xa1\x59\x4c\xb6\x47\x49\x07\xc9\xa4\xac\xf6\x22\xf9\xf0\xc4\xb7\xc5\xa0\xee\xc0\x93\xb6\x71\x5e\xdd\x0c\x97\xb2\xd9\xa7\x56\x06\x01\x21\x8e\x77\x78\x4c\x97\xdd\xb1\xa4\x57\xd1\xf6\xbf\x85\x1f\x3b\xf2\x62\x3d\x2f\x0b\x1f\xf7\xc1\xe4\xb8\x5d\xba\x90\x0a\x37\x9d\x58\x46\xe7\x83\x96\x4a\x08\xb0\x16\xaf\x92\xcf\xe5\x9b\xfd\x26\xc3\x1d\x85\x93\x9f\x60\xd3\xd6\x6f\xfa\xb1\x8b\xaf\x13\xea\x47\x86\x71\x0b\x00\xbe\x25\xaf\x31\x4d\xef\x3c\xc0\x99\x61\x96\xba\x40\x35\x3d\x0c\x47\x70\x2d\x03\x3d\x46\x61\x58\xcd\x17\x73\xdd\xef\x96\x5d\xb9\xdf\x67\xfe\x1c\xf8\xb1\xdb\x86\xc3\xe2\x4a\x71\x34\x02\xba\x7d\x79\x19\x79\xb4\x6d\xca\x1a\xc2\xdf\xeb\xc3\x0f\x1a\x43\xa0\xfc\x30\x81\xe8\xaa\x7c\x00\x04\x08\x3a\x4b\x03\x2c\x35\x3e\x70\x2a\x94\x7c\x80\x1a\x65\x79\x89\x6c\x8a\x8f\xc5\x5e\xdf\x38\xd8\x18\x31\xc7\x03\xd0\xc8\x2d\xeb\xe5\x98\xc0\xbd\x2f\x99\xde\x66\x50\x21\x06\x34\x16\x36\xca\x9e\xbc\x1a\x3e\x0b\x03\x98\x51\xca\xee\xce\x0b\xc9\x6c\x9e\x3e\xef\x1c\xb3\x03\xf4\x54\xe4\x6e\x30\xe6\x50\x01\x7c\xfc\x20\x2d\x53\x69\xd2\x3c\x6a\x4b\x85\xeb\x3a\x66\x4e\x2b\x95\xcb\x71\xb2\x0e\x31\x11\x3d\x83\xd1\x30\x1c\xe5\x27\xc4\x0a\x39\x48\x5a\xdd\x09\xfb\x4b\x49\x87\x45\x58\x70\x09\xd4\x52\xa5\xb0\x9b\xc3\x57\x2d\xb3\xbf\x3b\x28\x5a\xb9\x78\xeb\xaf\x4a\x3a\xf0\x73\x32\x3f\x59\x92\xbb\x63\x0b\xf4\xfb\xcc\xd1\xc1\x8e\xd5\x54\x4c\x55\xb3\xd1\xa3\xe2\x6e\x05\xdb\x7c\x7e\x60\xa5\x70\x17\x0c\xd0\xef\x9f\x77\xa4\x74\x2c\x6e\x2c\x08\xf3\xf2\xf8\xcd\x66\xdd\x5a\xe6\x0b\x19\xb5\xfe\xfb\xd7\x2d\x5e\x57\x14\x9c\x76\x0b\x74\xac\x80\x5e\x57\x4d\x8f\xf1\x2a\x8c\x12\xce\xbc\x72\xe1\x3c\x0e\xbe\x3f\x39\x38\x0a\x93\xf2\x9b\xc7\xfb\x5e\x28\x94\x8f\x9e\xe2\xac\x05\x6f\xb4\xc0\x37\x8f\x9d\x41\x51\x73\xf9\x61\xbb\x79\x1a\xb5\xdd\xfd\xd2\xed\x71\x68\x02\x87\x66\x98\xc7\xa9\x55\x3a\x5f\xce\x4b\xf1\x61\x0e\xad\x50\xb1\x99\xe0\x2c\xcb\xd2\x6e\x00\x02\x45\x64\x47\x7c\x55\x4a\x5f\xf5\x0e\xe5\x0b\x97\x9d\x0c\xb4\x20\x2b\xa6\x03\x46\x1d\x34\x26\xf0\x6f\x4d\x00\xd4\xab\x84\x2d\xc5\x2c\x3b\xb6\x3e\x11\x7e\x1c\xc9\xbf\x09\xc4\x06\xc1\x86\xd3\xa4\x10\x9a\xd7\xed\xa0\xfc\xc1\x64\x9c\x54\x7b\x3b\x20\xeb\xe2\x6e\x2d\x81\x80\xae\x5e\x4f\x48\xa2\xe7\xfa\x45\x52\xc8\xd8\x31\x65\xc3\xea\x74\x16\x43\x28\x95\x43\xec\x56\x87\x7c\x56\x18\x77\x75\xc6\x7d\x9c\x17\x2b\x5b\x9e\x7c\x83\x8e\x19\x55\x62\xb2\xf5\x0b\xb0\x86\xef\x49\x5a\x9c\x27\xf0\x7f\xfb\xf1\xf9\xb6\xf0\x5e\x47\x6f\xec\x2d\x96\x9a\x88\xff\xf5\xd3\x6d\x2e\xe6\x73\x23\x0d\x79\x94\x57\x98\xc2\x61\x9d\x4b\x0f\x5e\x27\x32\xc5\xa9\xad\x3a\xbc\xb9\xc6\x11\x98\x67\x68\x2b\xf2\x0f\x1b\xc9\x87\xa9\x69\x2b\x43\xea\xf1\x98\xe4\xc0\x0b\x05\xfc\xf9\xbb\xd6\xd0\x61\x33\x53\xbc\x19\x04\x51\x55\x16\xd3\xaf\x2d\x1c\xef\x4f\xfe\xc7\x91\xd9\xfd\xf2\x77\x9d\xf4\xc9\x14\xcb\x8f\xf4\x0e\xe2\xe1\xbe\xdf\x97\x4e\xf9\x5b\x97\x3f\x9a\x5b\x35\xb5\x61\x5e\xd6\x07\x98\xc2\x8f\x4f\x8a\xb0\x8e\x88\x81\x01\x5b\xaf\x88\xf9\x72\x99\x85\xce\x05\x6b\xad\xbd\x88\xb1\xfa\x6f\x44\x0a\xf1\xcf\x1e\x38\x12\x43\x9b\x04\x40\x8c\xc5\x9f\x4a\x6d\xbe\x3c\xe4\xa4\x43\xc4\x76\x04\x0a\xd0\x18\xdd\x82\x8a\x0a\xff\x7f\x97\x24\x72\x08\x7e\x4d\xc5\xfd\xe2\x32\xf6\x55\x78\x1d\xfc\x42\x2c\xe4\x02\xa9\xc0\x36\x43\x6f\x7e\x20\x11\x9e\xdf\x27\xec\x00\xed\x99\xdb\xc5\xa6\xd0\x9d\x6b\xfd\xd3\xa6\x0a\xed\x38\xed\x14\xa7\x81\x20\xd3\x5e\x84\x8f\xdc\x01\x2e\xf1\xd5\x59\xae\x04\xe6\xc4\xdc\xca\xbd\xd7\x9e\x5d\x4c\x8d\xab\x90\x1b\x58\x31\x69\x66\xa2\x15\xd4\x58\x07\x24\x6d\x7b\x62\xaa\xee\x76\x0c\xfc\x5d\x90\x7b\xd4\xee\x2c\xd7\x49\xb8\x6d\x5b\x67\x9c\x40\x96\x68\xd7\xf3\x4a\x7a\xbf\xa8\x95\x34\x9f\xb9\xd9\xeb\x47\x65\xc9\xd3\x9f\x20\x1c\x40\x7b\x0d\x5a\x89\xb3\xe6\x82\x16\x96\xd0\x0d\xe3\xb1\xef\x71\x4a\x7f\x25\x9d\xd9\x4e\x1a\xc7\x07\x42\x1e\x4b\xa4\xfb\x34\x5f\xb5\x71\xa7\x85\x1b\x9b\x24\xc7\xee\x58\x5d\xe4\x10\x7a\xde\xa3\x28\xe9\xc0\x11\x8c\x9c\xe6\x26\x52\xa6\x49\x40\xd6\x38\x19\xa7\x0b\x72\x6e\x88\x51\xd5\xeb\x67\x3e\x98\xd3\x3b\xb3\xc6\xca\x62\xbe\x55\x51\xcf\xd4\xff\xa0\xe9\x35\x95\xca\x43\x87\x7c\xd8\x89\x0e\xe0\x0d\x0e\x10\x91\x43\xb2\xeb\x0c\x14\xd5\x41\xeb\x9a\xd1\x1c\xc0\x8b\x91\x19\x4f\x51\x5a\x44\x79\xc4\xcf\x33\x3c\x09\x85\x38\x42\xcd\xd7\x54\x14\xe7\xb7\xd6\x88\x91\x42\xc2\x99\x9d\xc0\xe8\x98\x6b\x6a\x3a\xc6\xe0\xb3\xc0\x30\xc9\x43\xe9\x85\xfe\xca\x92\x7d\xc9\x53\x16\x70\xa2\x3d\xc9\x11\x72\xac\x8d\x77\x9d\x9a\xce\xc6\xa7\x97\x14\xd0\xa0\xb1\x61\x1b\x23\x60\x37\x97\xe2\x22\x8c\x8d\xb7\x70\x6b\x38\xb0\x08\xa8\x32\x37\xf2\x8e\xd4\xf4\x56\x12\xdd\x9e\x68\x5c\xcc\x22\x79\xc8\x62\xce\x2c\xd7\x4e\x33\x26\xab\xd9\xdb\x1a\x8e\xf7\x11\x8c\xfc\x82\xdb\x16\x09\xbe\xc2\x2d\xd0\x50\x2a\x4d\xc3\x2c\x26\x9b\xdd\xe8\x4a\x9e\xe5\xb1\x7a\xdb\x45\xc0\x12\x70\x6e\x66\x04\x7d\xc3\x60\x5d\xa9\xf1\x69\xe2\x0c\x73\xc7\xf7\x64\x72\x01\x29\xac\x00\xb2\xae\xfb\x69\x81\x2d\x72\xff\x64\xd5\x87\x4f\xce\x5a\xca\x4d\xf6\x8b\x78\xe7\xcc\xec\xb3\x5a\xa7\x6b\x5e\x76\x7a\xe3\x94\xb4\x1b\xef\xf8\x6d\x10\x70\xb2\x11\x57\xcf\x34\x35\x9a\x16\x7b\x7d\xea\x68\xab\xdd\x22\x48\x78\xce\x3d\x38\x18\x35\x8b\x92\xa5\x2e\x4f\x31\x3b\xa3\xdf\xb8\xd9\x7d\x87\xdc\xfb\x39\xff\x43\x8b\xda\xcd\x7a\x8a\x4f\x8c\x79\xd2\x45\xe4\xb1\x6f\x42\x63\x4d\x5c\xb6\x3d\x61\x2b\xa9\xf0\x19\xb6\xc0\x6c\xbe\x52\x23\xf2\x4c\x44\xd2\xe1\x6d\x8e\xe4\xfe\xcb\xfd\x94\x1b\x24\x8b\xb6\xeb\x63\xe0\x13\x6d\xc8\x2b\x9d\xf7\x4e\xff\x1e\xbf\x9f\x04\x2d\xc9\x16\x6a\x64\x4e\xb8\x4b\x44\x45\x35\x87\xc4\x05\x16\x4f\x22\x1b\xdc\x4f\xfb\x51\xc2\x6d\x1c\xd1\x82\x8f\x69\xed\xfe\xba\xdb\xaf\xd5\xe0\x3d\x26\xbb\x6d\xce\xf5\xd4\xc6\xc7\xcf\x51\x2e\x75\x76\x09\xc9\xe5\x2a\xbc\x42\xf2\x0d\x6b\x18\xc8\x1b\x5b\xec\x2d\x5a\xaf\x54\x6f\x1e\xda\xec\x29\x1a\x7a\x18\x28\x54\x99\x11\x5d\xfd\x75\x31\x9e\x9b\x61\x02\x03\x0a\xab\x5c\x09\x95\xf6\xfa\xea\x2f\x29\xfa\x41\xe7\xd5\x82\x8b\xfa\x59\xfb\xfb\x18\x1f\x96\x00\x4a\x67\x33\x6f\x98\xba\x0b\xad\xd7\x2d\xbe\xd7\x31\x9f\x96\xc1\xbf\x8f\xd4\x3d\x1c\x0b\xdf\x65\xcf\x24\x42\x47\x58\x6b\xf9\xf4\xcb\x31\x05\xb8\xc3\x03\x88\xd6\x78\x48\xc1\xa2\x86\x7f\xb4\x16\xe4\xd5\x4b\x30\xf4\xb2\x58\xcf\x60\x5a\xeb\x72\xb9\xed\x04\xd3\xee\x73\x02\xc2\xe2\xb3\x3c\x4a\xfe\x3f\x88\xf3\xdc\x97\xc1\xcb\x1b\x0e\xa8\x3c\xfe\x5d\x14\xec\x93\x51\x03\x59\xa3\x24\xb5\x4a\x53\xc7\x4a\xcd\xf9\x19\x1f\x86\x84\xec\x2f\x43\xec\x6a\xcc\x0b\x67\x2b\x3b\xb5\x13\x21\x72\xa6\x87\x94\x41", 8192); *(uint64_t*)0x200000005c40 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x50; *(uint32_t*)0x200000002c44 = 0; *(uint64_t*)0x200000002c48 = 3; *(uint32_t*)0x200000002c50 = 7; *(uint32_t*)0x200000002c54 = 0x2d; *(uint32_t*)0x200000002c58 = 9; *(uint32_t*)0x200000002c5c = 0xa; *(uint16_t*)0x200000002c60 = 6; *(uint16_t*)0x200000002c62 = 0; *(uint32_t*)0x200000002c64 = 9; *(uint32_t*)0x200000002c68 = 0x57b; *(uint16_t*)0x200000002c6c = 0; *(uint16_t*)0x200000002c6e = 0; *(uint32_t*)0x200000002c70 = 2; *(uint32_t*)0x200000002c74 = 7; memset((void*)0x200000002c78, 0, 24); *(uint64_t*)0x200000005c48 = 0x200000002cc0; *(uint32_t*)0x200000002cc0 = 0x18; *(uint32_t*)0x200000002cc4 = 0; *(uint64_t*)0x200000002cc8 = 8; *(uint64_t*)0x200000002cd0 = 6; *(uint64_t*)0x200000005c50 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0x18; *(uint32_t*)0x200000002d04 = 0; *(uint64_t*)0x200000002d08 = 0xa; *(uint64_t*)0x200000002d10 = 1; *(uint64_t*)0x200000005c58 = 0x200000002d40; *(uint32_t*)0x200000002d40 = 0x18; *(uint32_t*)0x200000002d44 = 0; *(uint64_t*)0x200000002d48 = -1; *(uint32_t*)0x200000002d50 = 6; *(uint32_t*)0x200000002d54 = 0; *(uint64_t*)0x200000005c60 = 0x200000002d80; *(uint32_t*)0x200000002d80 = 0x18; *(uint32_t*)0x200000002d84 = 0; *(uint64_t*)0x200000002d88 = 0x80000001; *(uint32_t*)0x200000002d90 = 3; *(uint32_t*)0x200000002d94 = 0; *(uint64_t*)0x200000005c68 = 0x200000002dc0; *(uint32_t*)0x200000002dc0 = 0x28; *(uint32_t*)0x200000002dc4 = 0xfffffffe; *(uint64_t*)0x200000002dc8 = 6; *(uint64_t*)0x200000002dd0 = 9; *(uint64_t*)0x200000002dd8 = 1; *(uint32_t*)0x200000002de0 = 2; *(uint32_t*)0x200000002de4 = r[5]; *(uint64_t*)0x200000005c70 = 0x200000002e00; *(uint32_t*)0x200000002e00 = 0x60; *(uint32_t*)0x200000002e04 = 0xffffffda; *(uint64_t*)0x200000002e08 = 0xfff; *(uint64_t*)0x200000002e10 = 5; *(uint64_t*)0x200000002e18 = 0; *(uint64_t*)0x200000002e20 = 3; *(uint64_t*)0x200000002e28 = 1; *(uint64_t*)0x200000002e30 = 0x100; *(uint32_t*)0x200000002e38 = 8; *(uint32_t*)0x200000002e3c = 4; *(uint32_t*)0x200000002e40 = 4; *(uint32_t*)0x200000002e44 = 0; memset((void*)0x200000002e48, 0, 24); *(uint64_t*)0x200000005c78 = 0x200000002e80; *(uint32_t*)0x200000002e80 = 0x18; *(uint32_t*)0x200000002e84 = 0; *(uint64_t*)0x200000002e88 = 5; *(uint32_t*)0x200000002e90 = 1; *(uint32_t*)0x200000002e94 = 0; *(uint64_t*)0x200000005c80 = 0x200000002ec0; *(uint32_t*)0x200000002ec0 = 0x12; *(uint32_t*)0x200000002ec4 = 0; *(uint64_t*)0x200000002ec8 = 0x93; memcpy((void*)0x200000002ed0, "-\000", 2); *(uint64_t*)0x200000005c88 = 0x200000002f00; *(uint32_t*)0x200000002f00 = 0x20; *(uint32_t*)0x200000002f04 = 0; *(uint64_t*)0x200000002f08 = 3; *(uint64_t*)0x200000002f10 = 0; *(uint32_t*)0x200000002f18 = 5; *(uint32_t*)0x200000002f1c = 0; *(uint64_t*)0x200000005c90 = 0x200000003140; *(uint32_t*)0x200000003140 = 0x78; *(uint32_t*)0x200000003144 = 0xffffffda; *(uint64_t*)0x200000003148 = 2; *(uint64_t*)0x200000003150 = 5; *(uint32_t*)0x200000003158 = 0x30c; *(uint32_t*)0x20000000315c = 0; *(uint64_t*)0x200000003160 = 3; *(uint64_t*)0x200000003168 = 0x1ff; *(uint64_t*)0x200000003170 = 6; *(uint64_t*)0x200000003178 = 8; *(uint64_t*)0x200000003180 = 3; *(uint64_t*)0x200000003188 = 0; *(uint32_t*)0x200000003190 = 0x400; *(uint32_t*)0x200000003194 = 0x400; *(uint32_t*)0x200000003198 = 0x362b; *(uint32_t*)0x20000000319c = 0x2000; *(uint32_t*)0x2000000031a0 = 5; *(uint32_t*)0x2000000031a4 = r[8]; *(uint32_t*)0x2000000031a8 = r[9]; *(uint32_t*)0x2000000031ac = 0; *(uint32_t*)0x2000000031b0 = 2; *(uint32_t*)0x2000000031b4 = 0; *(uint64_t*)0x200000005c98 = 0x200000003240; *(uint32_t*)0x200000003240 = 0x90; *(uint32_t*)0x200000003244 = 0; *(uint64_t*)0x200000003248 = 0x8001; *(uint64_t*)0x200000003250 = 2; *(uint64_t*)0x200000003258 = 1; *(uint64_t*)0x200000003260 = 0x7fffffff; *(uint64_t*)0x200000003268 = 9; *(uint32_t*)0x200000003270 = 0xc0; *(uint32_t*)0x200000003274 = 7; *(uint64_t*)0x200000003278 = 1; *(uint64_t*)0x200000003280 = 0xffffffff; *(uint64_t*)0x200000003288 = 8; *(uint64_t*)0x200000003290 = 7; *(uint64_t*)0x200000003298 = 0xfffffffffffff801; *(uint64_t*)0x2000000032a0 = 2; *(uint32_t*)0x2000000032a8 = 8; *(uint32_t*)0x2000000032ac = 0x1ee; *(uint32_t*)0x2000000032b0 = 0xff; *(uint32_t*)0x2000000032b4 = 0xc000; *(uint32_t*)0x2000000032b8 = 0xf; *(uint32_t*)0x2000000032bc = r[10]; *(uint32_t*)0x2000000032c0 = 0; *(uint32_t*)0x2000000032c4 = 0xac; *(uint32_t*)0x2000000032c8 = 4; *(uint32_t*)0x2000000032cc = 0; *(uint64_t*)0x200000005ca0 = 0x200000003300; *(uint32_t*)0x200000003300 = 0xb8; *(uint32_t*)0x200000003304 = 0; *(uint64_t*)0x200000003308 = 4; *(uint64_t*)0x200000003310 = 1; *(uint64_t*)0x200000003318 = 2; *(uint32_t*)0x200000003320 = 1; *(uint32_t*)0x200000003324 = 0x101; memset((void*)0x200000003328, 123, 1); *(uint64_t*)0x200000003330 = 6; *(uint64_t*)0x200000003338 = 8; *(uint32_t*)0x200000003340 = 0x12; *(uint32_t*)0x200000003344 = 0xffd; memcpy((void*)0x200000003348, "./cgroup.net/syz1\000", 18); *(uint64_t*)0x200000003360 = 2; *(uint64_t*)0x200000003368 = 2; *(uint32_t*)0x200000003370 = 4; *(uint32_t*)0x200000003374 = 0; memcpy((void*)0x200000003378, "!\']!", 4); *(uint64_t*)0x200000003380 = 2; *(uint64_t*)0x200000003388 = 0; *(uint32_t*)0x200000003390 = 0; *(uint32_t*)0x200000003394 = 0; *(uint64_t*)0x200000003398 = 6; *(uint64_t*)0x2000000033a0 = 0x400; *(uint32_t*)0x2000000033a8 = 4; *(uint32_t*)0x2000000033ac = 0x3006bd82; memcpy((void*)0x2000000033b0, "\322}$/", 4); *(uint64_t*)0x200000005ca8 = 0x200000004f40; *(uint32_t*)0x200000004f40 = 0x538; *(uint32_t*)0x200000004f44 = 0; *(uint64_t*)0x200000004f48 = 0x200; *(uint64_t*)0x200000004f50 = 4; *(uint64_t*)0x200000004f58 = 0; *(uint64_t*)0x200000004f60 = 8; *(uint64_t*)0x200000004f68 = 0xe9; *(uint32_t*)0x200000004f70 = 8; *(uint32_t*)0x200000004f74 = 0x8f62; *(uint64_t*)0x200000004f78 = 6; *(uint64_t*)0x200000004f80 = 9; *(uint64_t*)0x200000004f88 = 0xffffffff; *(uint64_t*)0x200000004f90 = 0x9b; *(uint64_t*)0x200000004f98 = 0; *(uint64_t*)0x200000004fa0 = 0x8000; *(uint32_t*)0x200000004fa8 = 0; *(uint32_t*)0x200000004fac = 0x400; *(uint32_t*)0x200000004fb0 = 0xef0; *(uint32_t*)0x200000004fb4 = 0xa000; *(uint32_t*)0x200000004fb8 = 0x10; *(uint32_t*)0x200000004fbc = r[11]; *(uint32_t*)0x200000004fc0 = r[13]; *(uint32_t*)0x200000004fc4 = 3; *(uint32_t*)0x200000004fc8 = 3; *(uint32_t*)0x200000004fcc = 0; *(uint64_t*)0x200000004fd0 = 2; *(uint64_t*)0x200000004fd8 = 0x9f3; *(uint32_t*)0x200000004fe0 = 5; *(uint32_t*)0x200000004fe4 = 4; memset((void*)0x200000004fe8, 170, 5); *(uint64_t*)0x200000004ff0 = 4; *(uint64_t*)0x200000004ff8 = 1; *(uint64_t*)0x200000005000 = 1; *(uint64_t*)0x200000005008 = 2; *(uint32_t*)0x200000005010 = 0x100; *(uint32_t*)0x200000005014 = 0xdde0; *(uint64_t*)0x200000005018 = 3; *(uint64_t*)0x200000005020 = 0x401; *(uint64_t*)0x200000005028 = 5; *(uint64_t*)0x200000005030 = 0xef; *(uint64_t*)0x200000005038 = 4; *(uint64_t*)0x200000005040 = 0xff; *(uint32_t*)0x200000005048 = 0xf; *(uint32_t*)0x20000000504c = 0x94; *(uint32_t*)0x200000005050 = 4; *(uint32_t*)0x200000005054 = 0x6000; *(uint32_t*)0x200000005058 = 0x4a; *(uint32_t*)0x20000000505c = r[14]; *(uint32_t*)0x200000005060 = r[15]; *(uint32_t*)0x200000005064 = 0x40; *(uint32_t*)0x200000005068 = 0x81; *(uint32_t*)0x20000000506c = 0; *(uint64_t*)0x200000005070 = 0; *(uint64_t*)0x200000005078 = 2; *(uint32_t*)0x200000005080 = 6; *(uint32_t*)0x200000005084 = 0xf; memset((void*)0x200000005088, 1, 6); *(uint64_t*)0x200000005090 = 3; *(uint64_t*)0x200000005098 = 2; *(uint64_t*)0x2000000050a0 = 3; *(uint64_t*)0x2000000050a8 = 0x7b; *(uint32_t*)0x2000000050b0 = 3; *(uint32_t*)0x2000000050b4 = 0; *(uint64_t*)0x2000000050b8 = 4; *(uint64_t*)0x2000000050c0 = 9; *(uint64_t*)0x2000000050c8 = 0x692c; *(uint64_t*)0x2000000050d0 = 7; *(uint64_t*)0x2000000050d8 = 3; *(uint64_t*)0x2000000050e0 = 0; *(uint32_t*)0x2000000050e8 = 0x80000000; *(uint32_t*)0x2000000050ec = 2; *(uint32_t*)0x2000000050f0 = 6; *(uint32_t*)0x2000000050f4 = 0x6000; *(uint32_t*)0x2000000050f8 = 0; *(uint32_t*)0x2000000050fc = r[17]; *(uint32_t*)0x200000005100 = r[18]; *(uint32_t*)0x200000005104 = 0xfffffbff; *(uint32_t*)0x200000005108 = 0; *(uint32_t*)0x20000000510c = 0; *(uint64_t*)0x200000005110 = 1; *(uint64_t*)0x200000005118 = 0x100000000; *(uint32_t*)0x200000005120 = 0x12; *(uint32_t*)0x200000005124 = 0; memcpy((void*)0x200000005128, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005140 = 6; *(uint64_t*)0x200000005148 = 1; *(uint64_t*)0x200000005150 = 0x80000000; *(uint64_t*)0x200000005158 = 1; *(uint32_t*)0x200000005160 = 9; *(uint32_t*)0x200000005164 = 9; *(uint64_t*)0x200000005168 = 4; *(uint64_t*)0x200000005170 = 0x400; *(uint64_t*)0x200000005178 = 9; *(uint64_t*)0x200000005180 = 9; *(uint64_t*)0x200000005188 = 0x4c4; *(uint64_t*)0x200000005190 = 0xc; *(uint32_t*)0x200000005198 = 0x8000; *(uint32_t*)0x20000000519c = 0; *(uint32_t*)0x2000000051a0 = 0xf; *(uint32_t*)0x2000000051a4 = 0xc000; *(uint32_t*)0x2000000051a8 = 6; *(uint32_t*)0x2000000051ac = r[20]; *(uint32_t*)0x2000000051b0 = r[21]; *(uint32_t*)0x2000000051b4 = 0x99df; *(uint32_t*)0x2000000051b8 = 2; *(uint32_t*)0x2000000051bc = 0; *(uint64_t*)0x2000000051c0 = 5; *(uint64_t*)0x2000000051c8 = 8; *(uint32_t*)0x2000000051d0 = 0x12; *(uint32_t*)0x2000000051d4 = 2; memcpy((void*)0x2000000051d8, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x2000000051f0 = 5; *(uint64_t*)0x2000000051f8 = 1; *(uint64_t*)0x200000005200 = 4; *(uint64_t*)0x200000005208 = 0xffffffff; *(uint32_t*)0x200000005210 = 0; *(uint32_t*)0x200000005214 = 6; *(uint64_t*)0x200000005218 = 3; *(uint64_t*)0x200000005220 = 0; *(uint64_t*)0x200000005228 = 9; *(uint64_t*)0x200000005230 = 0x2c3d; *(uint64_t*)0x200000005238 = 6; *(uint64_t*)0x200000005240 = 0x479; *(uint32_t*)0x200000005248 = 6; *(uint32_t*)0x20000000524c = 5; *(uint32_t*)0x200000005250 = 0x7aa; *(uint32_t*)0x200000005254 = 0x2000; *(uint32_t*)0x200000005258 = 0x4a0b; *(uint32_t*)0x20000000525c = r[22]; *(uint32_t*)0x200000005260 = 0; *(uint32_t*)0x200000005264 = 0xffff; *(uint32_t*)0x200000005268 = 8; *(uint32_t*)0x20000000526c = 0; *(uint64_t*)0x200000005270 = 3; *(uint64_t*)0x200000005278 = 9; *(uint32_t*)0x200000005280 = 1; *(uint32_t*)0x200000005284 = 0x1ff; memset((void*)0x200000005288, 36, 1); *(uint64_t*)0x200000005290 = 5; *(uint64_t*)0x200000005298 = 1; *(uint64_t*)0x2000000052a0 = 0x10000; *(uint64_t*)0x2000000052a8 = 0xd; *(uint32_t*)0x2000000052b0 = 1; *(uint32_t*)0x2000000052b4 = 5; *(uint64_t*)0x2000000052b8 = 3; *(uint64_t*)0x2000000052c0 = 0xa967; *(uint64_t*)0x2000000052c8 = 3; *(uint64_t*)0x2000000052d0 = 0; *(uint64_t*)0x2000000052d8 = 0x200; *(uint64_t*)0x2000000052e0 = 0x8b8; *(uint32_t*)0x2000000052e8 = 8; *(uint32_t*)0x2000000052ec = 1; *(uint32_t*)0x2000000052f0 = 6; *(uint32_t*)0x2000000052f4 = 0x4000; *(uint32_t*)0x2000000052f8 = 8; *(uint32_t*)0x2000000052fc = 0xee00; *(uint32_t*)0x200000005300 = 0; *(uint32_t*)0x200000005304 = 2; *(uint32_t*)0x200000005308 = 1; *(uint32_t*)0x20000000530c = 0; *(uint64_t*)0x200000005310 = 3; *(uint64_t*)0x200000005318 = 0; *(uint32_t*)0x200000005320 = 0x12; *(uint32_t*)0x200000005324 = 5; memcpy((void*)0x200000005328, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005340 = 3; *(uint64_t*)0x200000005348 = 3; *(uint64_t*)0x200000005350 = 2; *(uint64_t*)0x200000005358 = 0x3d5; *(uint32_t*)0x200000005360 = 0; *(uint32_t*)0x200000005364 = 0x1000; *(uint64_t*)0x200000005368 = 4; *(uint64_t*)0x200000005370 = 5; *(uint64_t*)0x200000005378 = 0; *(uint64_t*)0x200000005380 = 2; *(uint64_t*)0x200000005388 = 0x7f; *(uint64_t*)0x200000005390 = 0xd; *(uint32_t*)0x200000005398 = 0xfffffffa; *(uint32_t*)0x20000000539c = 0x117; *(uint32_t*)0x2000000053a0 = 6; *(uint32_t*)0x2000000053a4 = 0x2000; *(uint32_t*)0x2000000053a8 = 0x3ff; *(uint32_t*)0x2000000053ac = r[23]; *(uint32_t*)0x2000000053b0 = r[24]; *(uint32_t*)0x2000000053b4 = 0xb737; *(uint32_t*)0x2000000053b8 = 0xd; *(uint32_t*)0x2000000053bc = 0; *(uint64_t*)0x2000000053c0 = 5; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff8; *(uint32_t*)0x2000000053d0 = 6; *(uint32_t*)0x2000000053d4 = 8; memset((void*)0x2000000053d8, 255, 6); *(uint64_t*)0x2000000053e0 = 5; *(uint64_t*)0x2000000053e8 = 3; *(uint64_t*)0x2000000053f0 = 8; *(uint64_t*)0x2000000053f8 = 0xd; *(uint32_t*)0x200000005400 = 0x8000; *(uint32_t*)0x200000005404 = 0x7ff; *(uint64_t*)0x200000005408 = 1; *(uint64_t*)0x200000005410 = 5; *(uint64_t*)0x200000005418 = 4; *(uint64_t*)0x200000005420 = 0xfffffffffffffffd; *(uint64_t*)0x200000005428 = 0; *(uint64_t*)0x200000005430 = 0xd; *(uint32_t*)0x200000005438 = 7; *(uint32_t*)0x20000000543c = 4; *(uint32_t*)0x200000005440 = 0xef; *(uint32_t*)0x200000005444 = 0x8000; *(uint32_t*)0x200000005448 = 7; *(uint32_t*)0x20000000544c = r[25]; *(uint32_t*)0x200000005450 = r[26]; *(uint32_t*)0x200000005454 = 8; *(uint32_t*)0x200000005458 = 3; *(uint32_t*)0x20000000545c = 0; *(uint64_t*)0x200000005460 = 2; *(uint64_t*)0x200000005468 = 1; *(uint32_t*)0x200000005470 = 0; *(uint32_t*)0x200000005474 = 7; *(uint64_t*)0x200000005cb0 = 0x200000005700; *(uint32_t*)0x200000005700 = 0xa0; *(uint32_t*)0x200000005704 = 0; *(uint64_t*)0x200000005708 = 0x73f5b767; *(uint64_t*)0x200000005710 = 5; *(uint64_t*)0x200000005718 = 2; *(uint64_t*)0x200000005720 = 5; *(uint64_t*)0x200000005728 = 0x8001; *(uint32_t*)0x200000005730 = 0x4c3; *(uint32_t*)0x200000005734 = 2; *(uint64_t*)0x200000005738 = 5; *(uint64_t*)0x200000005740 = 7; *(uint64_t*)0x200000005748 = 0x800; *(uint64_t*)0x200000005750 = 5; *(uint64_t*)0x200000005758 = 0xa; *(uint64_t*)0x200000005760 = 0x1000; *(uint32_t*)0x200000005768 = 0x7f; *(uint32_t*)0x20000000576c = 9; *(uint32_t*)0x200000005770 = 6; *(uint32_t*)0x200000005774 = 0x1000; *(uint32_t*)0x200000005778 = 0; *(uint32_t*)0x20000000577c = r[27]; *(uint32_t*)0x200000005780 = -1; *(uint32_t*)0x200000005784 = 8; *(uint32_t*)0x200000005788 = 0x18; *(uint32_t*)0x20000000578c = 0; *(uint64_t*)0x200000005790 = 0; *(uint32_t*)0x200000005798 = 0xb; *(uint32_t*)0x20000000579c = 0; *(uint64_t*)0x200000005cb8 = 0x2000000057c0; *(uint32_t*)0x2000000057c0 = 0x20; *(uint32_t*)0x2000000057c4 = 0xfffffff5; *(uint64_t*)0x2000000057c8 = 0x100000001; *(uint32_t*)0x2000000057d0 = 1; *(uint32_t*)0x2000000057d4 = 0; *(uint32_t*)0x2000000057d8 = 9; *(uint32_t*)0x2000000057dc = 0x40000000; *(uint64_t*)0x200000005cc0 = 0x200000005b00; *(uint32_t*)0x200000005b00 = 0x130; *(uint32_t*)0x200000005b04 = 0; *(uint64_t*)0x200000005b08 = 0xffffffffffffff98; *(uint64_t*)0x200000005b10 = 2; *(uint32_t*)0x200000005b18 = 0xa; *(uint32_t*)0x200000005b1c = 0; memset((void*)0x200000005b20, 0, 16); *(uint32_t*)0x200000005b30 = 0x200; *(uint32_t*)0x200000005b34 = 9; *(uint64_t*)0x200000005b38 = 0x400; *(uint32_t*)0x200000005b40 = 0x200; *(uint32_t*)0x200000005b44 = r[28]; *(uint32_t*)0x200000005b48 = r[29]; *(uint16_t*)0x200000005b4c = 0x8000; memset((void*)0x200000005b4e, 0, 2); *(uint64_t*)0x200000005b50 = 3; *(uint64_t*)0x200000005b58 = 9; *(uint64_t*)0x200000005b60 = 5; *(uint64_t*)0x200000005b68 = 6; *(uint64_t*)0x200000005b70 = 0xefac; *(uint32_t*)0x200000005b78 = 9; *(uint32_t*)0x200000005b7c = 0; *(uint64_t*)0x200000005b80 = 8; *(uint32_t*)0x200000005b88 = 0x7f; *(uint32_t*)0x200000005b8c = 0; *(uint64_t*)0x200000005b90 = 0x635; *(uint32_t*)0x200000005b98 = 5; *(uint32_t*)0x200000005b9c = 0; *(uint64_t*)0x200000005ba0 = 0xf; *(uint32_t*)0x200000005ba8 = 9; *(uint32_t*)0x200000005bac = 0; *(uint32_t*)0x200000005bb0 = 0x8001; *(uint32_t*)0x200000005bb4 = 0xb; *(uint32_t*)0x200000005bb8 = 0xd; *(uint32_t*)0x200000005bbc = 0x4dc9; memset((void*)0x200000005bc0, 0, 112); syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000000c40, /*len=*/0x2000, /*res=*/0x200000005c40); memcpy((void*)0x200000005d00, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000005d00, /*fd=*/r[4]); syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); *(uint32_t*)0x200000005d44 = 0xf86d; *(uint32_t*)0x200000005d48 = 4; *(uint32_t*)0x200000005d4c = 0; *(uint32_t*)0x200000005d50 = 0x11b; *(uint32_t*)0x200000005d58 = -1; memset((void*)0x200000005d5c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x2407, /*params=*/0x200000005d40, /*ring_params_ptr=*/0x200000005dc0, /*ring_ptr=*/0x200000005e00, /*sqes_ptr=*/0x200000005e40); if (res != -1) { r[30] = res; r[31] = *(uint64_t*)0x200000005dc0; } res = syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ*/0x1000009ul, /*flags=MAP_POPULATE*/0x8000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[32] = res; res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/r[31], /*ring_ptr=*/r[32]); if (res != -1) r[33] = res; *(uint32_t*)0x200000005e84 = 0x64a3; *(uint32_t*)0x200000005e88 = 0x2006; *(uint32_t*)0x200000005e8c = 1; *(uint32_t*)0x200000005e90 = 0x3e2; *(uint32_t*)0x200000005e98 = r[30]; memset((void*)0x200000005e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x29b9, /*params=*/0x200000005e80, /*ring_params_ptr=*/0x200000005f00, /*ring_ptr=*/0x200000005f40, /*sqes_ptr=*/0x200000005f80); if (res != -1) { r[34] = *(uint64_t*)0x200000005f00; r[35] = *(uint64_t*)0x200000005f80; } syz_io_uring_modify_offsets(/*ring_params_ptr=*/r[34], /*ring_ptr=*/r[32], /*off=SQ_FLAGS_OFFSET*/0x38, /*value=*/0); *(uint32_t*)0x200000005fc4 = 0x1e2b; *(uint32_t*)0x200000005fc8 = 0x800; *(uint32_t*)0x200000005fcc = 1; *(uint32_t*)0x200000005fd0 = 0x2ab; *(uint32_t*)0x200000005fd8 = -1; memset((void*)0x200000005fdc, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x48a, /*params=*/0x200000005fc0, /*ring_params_ptr=*/0x200000006040, /*ring_ptr=*/0x200000006080, /*sqes_ptr=*/0x2000000060c0); if (res != -1) { r[36] = *(uint64_t*)0x200000006040; r[37] = *(uint64_t*)0x200000006080; } *(uint8_t*)0x200000006140 = 0xd; *(uint8_t*)0x200000006141 = 0x24; *(uint16_t*)0x200000006142 = 0; *(uint32_t*)0x200000006144 = r[33]; *(uint64_t*)0x200000006148 = 0x200000006100; *(uint32_t*)0x200000006100 = 0; *(uint64_t*)0x200000006150 = 0; *(uint32_t*)0x200000006158 = 0; *(uint32_t*)0x20000000615c = 0x81000; *(uint64_t*)0x200000006160 = 1; *(uint16_t*)0x200000006168 = 0; *(uint16_t*)0x20000000616a = 0; memset((void*)0x20000000616c, 0, 20); syz_io_uring_submit(/*ring_params_ptr=*/r[36], /*ring_ptr=*/r[37], /*sqes_ptr=*/r[35], /*sqe=*/0x200000006140); memset((void*)0x200000006180, 36, 1); memcpy((void*)0x200000006280, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xbd\xfd\x57\x7d\x9b\x71\x97\xf5\x66\x39\x3b\x22\x8c\xca\x01\xc4\x38\x5b\xaa\x7b\xb4\x18\xfa\x8f\x4f\x4d\x37\x3f\xe5\x8f\xb1\x57\xb4\x5a\x06\xce\x1a\xa0\xaa\xb1\x29\x2a\x2a\x28\x9e\xc8\x34\x63\x27\x86\x44\xd9\xa5\xc3\xb2\x41\x9a\xcc\x6b\xf9\xff\x6d\xed\xd3\x6c\x7c\x83\x8e\x89\xa7\x2a\x34\xad\xe9\x1f\x58\xe3\x7d\x88\x4b\xf0\xcb\xc4\x0d\xf6\xeb\x8a\xd5\x46\xea\xb7\x30\xf2\x0b\xeb\xa1\xd2\x1d\xed\xa9\xc9\xe1\x81\xc8\xd8\x66\xbf\xf9\x96\xc8\x56\x38\x86\xc1\xe0\x4f\x00\x2f\xcc\x94\x15\xcb\xc0\x94\xac\x5b\x1a\x44\x29\x80\xb1\x76\xbf\xf5\xd7\x5d\x34\x5e\x0a\x9a\xed\x89\x90\xa6\x46\xd0\xc9\x2e\x00\x1a\x91\xa3\x39\xa2\x30\x4c\x26\xc5\xc0\x00\x00\x00\x00\x00\x00\x00\x00", 208); syz_kfuzztest_run(/*name=*/0x200000006180, /*data=*/0x2000000061c0, /*len=*/0xd0, /*buf=*/0x200000006280); res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[33], /*usermem=*/0x200000c00000); if (res != -1) r[38] = res; *(uint64_t*)0x200000016800 = 0; *(uint64_t*)0x200000016808 = 0x200000016280; *(uint64_t*)0x200000016280 = 0x17f; *(uint64_t*)0x200000016288 = 0x10; *(uint64_t*)0x200000016290 = 0x17d; *(uint64_t*)0x200000016298 = 0x20; *(uint64_t*)0x2000000162a0 = 0x58000; *(uint64_t*)0x2000000162a8 = 0x50df; *(uint64_t*)0x2000000162b0 = 0x182; *(uint64_t*)0x2000000162b8 = 0x18; *(uint64_t*)0x2000000162c0 = 2; *(uint64_t*)0x2000000162c8 = 0x12d; *(uint64_t*)0x2000000162d0 = 0x18; *(uint64_t*)0x2000000162d8 = 3; *(uint64_t*)0x2000000162e0 = 0x64; *(uint64_t*)0x2000000162e8 = 0x18; *(uint32_t*)0x2000000162f0 = 0xf; *(uint32_t*)0x2000000162f4 = 0x9a97; *(uint64_t*)0x2000000162f8 = 0x17d; *(uint64_t*)0x200000016300 = 0x20; *(uint64_t*)0x200000016308 = 0xfec00000; *(uint64_t*)0x200000016310 = 0x1781; *(uint64_t*)0x200000016318 = 0x17d; *(uint64_t*)0x200000016320 = 0x20; *(uint64_t*)0x200000016328 = 0x1000; *(uint64_t*)0x200000016330 = 0x691; *(uint64_t*)0x200000016338 = 0x182; *(uint64_t*)0x200000016340 = 0x18; *(uint64_t*)0x200000016348 = 3; *(uint64_t*)0x200000016350 = 0x17f; *(uint64_t*)0x200000016358 = 0x10; *(uint64_t*)0x200000016360 = 0x12e; *(uint64_t*)0x200000016368 = 0x79; *(uint64_t*)0x200000016370 = 0; memcpy((void*)0x200000016378, "\x67\x47\x0f\x48\x7f\x05\x41\x0f\xc7\x28\x0f\x20\xd8\x35\x08\x00\x00\x00\x0f\x22\xd8\x8f\x29\x78\xcb\x3d\x08\x00\x00\x00\x0f\x20\xc0\x35\x04\x00\x00\x00\x0f\x22\xc0\xc7\x44\x24\x00\xd0\xf6\x00\x00\xc7\x44\x24\x02\x00\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24\x0f\x00\x95\xbf\xfb\x00\x00\xb9\x8b\x00\x00\x00\x0f\x32\x43\x0f\x01\xf8\x36\x3e\x3e\x66\x44\x0f\x38\x3c\x6e\x0e", 97); *(uint64_t*)0x2000000163d9 = 0x182; *(uint64_t*)0x2000000163e1 = 0x18; *(uint64_t*)0x2000000163e9 = 0; *(uint64_t*)0x2000000163f1 = 0x17d; *(uint64_t*)0x2000000163f9 = 0x20; *(uint64_t*)0x200000016401 = 1; *(uint64_t*)0x200000016409 = 0x2a0c; *(uint64_t*)0x200000016411 = 0x17c; *(uint64_t*)0x200000016419 = 0x38; *(uint64_t*)0x200000016421 = 0; *(uint64_t*)0x200000016429 = 0x4a9; *(uint64_t*)0x200000016431 = 5; *(uint64_t*)0x200000016439 = 0xffffffff80000001; *(uint64_t*)0x200000016441 = 0xd; *(uint64_t*)0x200000016449 = 0x130; *(uint64_t*)0x200000016451 = 0x18; *(uint64_t*)0x200000016459 = 1; *(uint64_t*)0x200000016461 = 0x181; *(uint64_t*)0x200000016469 = 0x30; *(uint64_t*)0x200000016471 = 3; *(uint64_t*)0x200000016479 = 0xff; *(uint64_t*)0x200000016481 = 1; *(uint64_t*)0x200000016489 = 1; *(uint64_t*)0x200000016491 = 0x130; *(uint64_t*)0x200000016499 = 0x18; *(uint64_t*)0x2000000164a1 = 2; *(uint64_t*)0x2000000164a9 = 0x65; *(uint64_t*)0x2000000164b1 = 0x20; *(uint64_t*)0x2000000164b9 = 0xc001103a; *(uint64_t*)0x2000000164c1 = 0; *(uint64_t*)0x2000000164c9 = 0xa; *(uint64_t*)0x2000000164d1 = 0x64; memcpy((void*)0x2000000164d9, "\xc4\xa1\xf9\xe6\x53\x00\x66\xba\xf8\x0c\xb8\x3c\x05\x0c\x8a\xef\x66\xba\xfc\x0c\xb0\xea\xee\xc4\x01\x7a\x70\x5e\x47\x02\x36\x0f\x01\xc9\xb8\x05\x00\x00\x00\xb9\x00\x00\x01\x00\x0f\x01\xd9\xc4\x82\x99\xf7\x74\xfd\x26\xb9\x49\x03\x00\x00\x0f\x32\xc4\xc1\x15\xfa\xba\x67\x36\xc9\x58\xb8\x01\x00\x00\x00\x0f\x01\xc1\x64\x43\x0f\x01\xca", 83); *(uint8_t*)0x20000001652c = 0xc3; *(uint64_t*)0x20000001652d = 0x6a; *(uint64_t*)0x200000016535 = 0x28; *(uint64_t*)0x20000001653d = 0xb7cb; *(uint64_t*)0x200000016545 = 1; *(uint64_t*)0x20000001654d = 9; *(uint64_t*)0x200000016555 = 0x136; *(uint64_t*)0x20000001655d = 0x58; *(uint64_t*)0x200000016565 = 2; *(uint64_t*)0x20000001656d = 2; *(uint64_t*)0x200000016575 = 0x154; *(uint64_t*)0x20000001657d = 0x38; *(uint64_t*)0x200000016585 = 2; *(uint64_t*)0x20000001658d = 0x2006; *(uint64_t*)0x200000016595 = 6; *(uint64_t*)0x20000001659d = 0xdd07; *(uint64_t*)0x2000000165a5 = 5; *(uint64_t*)0x2000000165ad = 0; *(uint64_t*)0x2000000165b5 = 0x18; *(uint64_t*)0x2000000165bd = 8; *(uint64_t*)0x2000000165c5 = 0x136; *(uint64_t*)0x2000000165cd = 0x80; *(uint64_t*)0x2000000165d5 = 0; *(uint64_t*)0x2000000165dd = 0x1ff; *(uint64_t*)0x2000000165e5 = 0xc8; *(uint64_t*)0x2000000165ed = 0x20; *(uint64_t*)0x2000000165f5 = 0x6a; *(uint64_t*)0x2000000165fd = 0; *(uint64_t*)0x200000016605 = 0x17e; *(uint64_t*)0x20000001660d = 0x10; *(uint64_t*)0x200000016615 = 0x17f; *(uint64_t*)0x20000001661d = 0x10; *(uint64_t*)0x200000016625 = 0xc8; *(uint64_t*)0x20000001662d = 0x20; *(uint64_t*)0x200000016635 = 0x76; *(uint64_t*)0x20000001663d = 1; *(uint64_t*)0x200000016645 = 0x183; *(uint64_t*)0x20000001664d = 0x18; *(uint64_t*)0x200000016655 = 3; *(uint64_t*)0x20000001665d = 0xc8; *(uint64_t*)0x200000016665 = 0x20; *(uint64_t*)0x20000001666d = 0xcd; *(uint64_t*)0x200000016675 = 2; *(uint64_t*)0x20000001667d = 0x180; *(uint64_t*)0x200000016685 = 0x38; *(uint64_t*)0x20000001668d = 2; *(uint64_t*)0x200000016695 = 0x96; *(uint64_t*)0x20000001669d = 2; *(uint64_t*)0x2000000166a5 = 9; *(uint64_t*)0x2000000166ad = 2; *(uint64_t*)0x2000000166b5 = 0x64; *(uint64_t*)0x2000000166bd = 0x18; *(uint32_t*)0x2000000166c5 = 1; *(uint32_t*)0x2000000166c9 = 0xffff; *(uint64_t*)0x2000000166cd = 0xa; *(uint64_t*)0x2000000166d5 = 0x6c; memcpy((void*)0x2000000166dd, "\x41\x0f\x01\x3a\xc7\x44\x24\x00\x72\x00\x00\x00\xc7\x44\x24\x02\x03\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xc7\x44\x24\x00\xc7\xd2\xb5\x38\xc7\x44\x24\x02\x39\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xb8\x01\x00\x00\x00\x0f\x01\xc1\x40\x0f\x79\x16\x66\xb8\xbc\x00\x8e\xc0\x26\x44\x0f\x01\xc5\x41\x0f\x01\xd0\x0f\x08\x0f\x09", 91); *(uint8_t*)0x200000016738 = 0xc3; *(uint64_t*)0x200000016739 = 0x180; *(uint64_t*)0x200000016741 = 0x38; *(uint64_t*)0x200000016749 = 1; *(uint64_t*)0x200000016751 = 0xa2; *(uint64_t*)0x200000016759 = 3; *(uint64_t*)0x200000016761 = 0x40; *(uint64_t*)0x200000016769 = 3; *(uint64_t*)0x200000016771 = 0x67; *(uint64_t*)0x200000016779 = 0x20; *(uint64_t*)0x200000016781 = 2; *(uint64_t*)0x200000016789 = 0; *(uint64_t*)0x200000016791 = 0x181; *(uint64_t*)0x200000016799 = 0x30; *(uint64_t*)0x2000000167a1 = 1; *(uint64_t*)0x2000000167a9 = 8; *(uint64_t*)0x2000000167b1 = 1; *(uint64_t*)0x2000000167b9 = 1; *(uint64_t*)0x200000016810 = 0x541; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[38], /*text=*/0x200000016800); if (res != -1) r[39] = res; res = syscall(__NR_mmap, /*addr=*/0x200000ffa000ul, /*len=*/0ul, /*prot=*/0ul, /*flags=MAP_SHARED*/1ul, /*cpufd=*/r[39], /*offset=*/0ul); if (res != -1) r[40] = res; syz_kvm_assert_syzos_kvm_exit(/*run=*/r[40], /*exitcode=*/4); syz_kvm_assert_syzos_uexit(/*cpufd=*/r[33], /*run=*/r[40], /*exitcode=*/6); *(uint64_t*)0x200000016840 = 0x1000; res = syscall(__NR_socketcall, /*call=*/0xful, /*args=*/0x200000016840ul); if (res != -1) r[41] = res; *(uint64_t*)0x200000016ac0 = 0; *(uint64_t*)0x200000016ac8 = 0x200000016880; memcpy((void*)0x200000016880, "\xa6\x00\xc0\x7f\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x05\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x00\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x09\x00\xf7\x62\x00\x00\x00\x3f\xa3\x20\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x0d\x00\xf7\x62\xff\xff\x00\x3f\x4b\x45\x18\x63\x00\x00\x17\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x05\x00\x84\x60\x22\x00\x00\x44\xe4\x03\x00\x7c\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x03\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x00\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x5b\x92\x84\x60\x22\x00\x00\x44\x88\x9c\x7f\x13\x85\x79\x3c\x11\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xae\x43\x80\x3c\x0b\x69\x84\x60\x04\x00\x84\x78\x32\xd2\x84\x64\x64\xab\x84\x60\x9f\x20\xa0\x3c\xa8\xed\xa5\x60\x04\x00\xa5\x78\xb6\x40\xa5\x64\xb1\xf3\xa5\x60\x72\x95\xc0\x3c\xe2\xa3\xc6\x60\x04\x00\xc6\x78\x0a\xb5\xc6\x64\xb4\x56\xc6\x60\x7a\xf7\xe0\x3c\x4f\x1e\xe7\x60\x04\x00\xe7\x78\x6d\xaf\xe7\x64\x73\x5d\xe7\x60\x6e\xd4\x00\x3d\xea\x68\x08\x61\x04\x00\x08\x79\x84\x3e\x08\x65\x2b\x1e\x08\x61\x0f\x08\x20\x3d\x57\x99\x29\x61\x04\x00\x29\x79\x2e\xa5\x29\x65\xa3\x3a\x29\x61\x10\xda\x40\x3d\x21\xf4\x4a\x61\x04\x00\x4a\x79\x6b\x7d\x4a\x65\x1a\xc9\x4a\x61\x7a\xd9\x60\x3d\x84\x78\x6b\x61\x04\x00\x6b\x79\xf9\xf1\x6b\x65\x62\xee\x6b\x61\x22\x00\x00\x44\x8c\x30\x80\x3d\xde\x99\x8c\x61\x04\x00\x8c\x79\xc3\x84\x8c\x65\xc4\x00\x8c\x61\x42\x7e\xf3\x13\x08\xdb\x47\xfd\x63\x10\xe0\x3f\xa7\x1c\xff\x63\x04\x00\xff\x7b\x58\x16\xff\x67\x60\xa0\xff\x63\x26\xff\xa1\x7f", 532); *(uint64_t*)0x200000016ad0 = 0x214; *(uint64_t*)0x200000016b00 = 1; *(uint64_t*)0x200000016b08 = 9; syz_kvm_setup_cpu(/*fd=*/r[33], /*cpufd=*/r[41], /*usermem=*/0x200000efc000, /*text=*/0x200000016ac0, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PR*/8, /*opts=*/0x200000016b00, /*nopt=*/1); syz_kvm_setup_syzos_vm(/*fd=*/r[41], /*usermem=*/0x200000c00000); memcpy((void*)0x200000016b40, "\xe5\xb3\x1e\x15\x1b\x44\xd5\xa7\xe6\xd4\x31\x8c\x23\x84\x1c\xad\x91\x1c\xec\x23\xf0\xd3\x9a\x4b\xed\x97\x7a\x0a\x13\xd9\xf9\xd1\x06\xf5\x92\xbf\x97\xea\x28\xb0\x48\xc1\x76\x41\x55\xa6\x98\xd4\x13\xbe\x97\x12\xcc\xb2\x98\xc0\xb8\x9c\xa6\x70\x76\xbe\x69\xd8\x34\x91\xff\x71\xbc\x77\x33\xd0", 72); syz_memcpy_off(/*dst=*/r[40], /*off=*/0x20, /*src=*/0x200000016b40, /*src_off=*/0, /*nbytes=*/0x48); memcpy((void*)0x200000016bc0, "adfs\000", 5); memcpy((void*)0x200000016c00, "./file1\000", 8); memcpy((void*)0x200000016c40, "othmask", 7); *(uint8_t*)0x200000016c47 = 0x3d; sprintf((char*)0x200000016c48, "%023llo", (long long)6); *(uint8_t*)0x200000016c5f = 0x2c; memcpy((void*)0x200000016c60, "uid", 3); *(uint8_t*)0x200000016c63 = 0x3d; sprintf((char*)0x200000016c64, "0x%016llx", (long long)r[12]); *(uint8_t*)0x200000016c76 = 0x2c; memcpy((void*)0x200000016c77, "smackfstransmute", 16); *(uint8_t*)0x200000016c87 = 0x3d; memcpy((void*)0x200000016c88, "wlan1\000", 6); *(uint8_t*)0x200000016c8e = 0x2c; *(uint8_t*)0x200000016c8f = 0; memcpy((void*)0x200000016cc0, "\x78\x9c\x00\x00\x10\xff\xef\xe0\xf3\x2e\xee\x67\x26\x57\xd8\xe1\x2f\x0d\xef\x1e\xdc\xec\x7d\x6e\xe8\xb8\x00\xf9\xec\x5d\xce\xfa\x4e\x2f\x34\x00\xaf\xbf\xeb\x7c\xd1\x40\x1d\xf9\xc0\xa3\x6a\xaf\xe6\x78\x4e\xe5\x0c\xa0\x63\x41\xa0\x1b\x3f\xe4\x49\xf8\xfa\xc4\xd6\x1f\xc5\x7a\x81\xb5\xe1\xbb\x9d\x8d\xd5\xb7\x2d\x1f\x7f\x6d\xef\xc5\x36\x05\xcf\x95\x1f\xc6\x87\x84\xa1\xbb\x5a\x5a\xff\xb5\xa2\x0d\xd8\xc6\x4d\x9d\x5e\x7d\x68\xe8\x9f\x48\x96\xf0\xa5\x0b\xe4\x7d\x9d\x61\x0d\x02\x2f\x14\x97\x14\x80\x49\x98\x9a\x7b\x7e\xa6\x86\xaf\x0a\x6a\xde\xa7\x00\x81\xac\x0b\x4f\xaf\xed\x16\x14\x12\x9a\xe4\x1d\xec\x8b\xa2\x02\xc1\x9f\xe3\x15\x1a\xb7\x4d\x7b\x20\x51\xad\xb0\xc8\xed\xf3\x10\xcb\x88\x65\x0e\xc7\x74\x9b\xde\x4e\xaa\xb1\x51\x7b\x98\x8c\xd7\x18\x19\xab\x09\x74\x20\xc0\xeb\x23\x86\x52\xbf\x48\xcd\x2b\x1f\x50\x0e\x05\x74\xac\x4a\x7d\x2f\x54\xa8\xf0\x15\xae\xb2\x18\x8f\xc9\xaa\x13\x0b\x3e\x1e\xe5\x48\xf6\xca\x8f\x2a\x4c\x3b\xcf\xd9\xe4\x56\xee\x03\x4a\x04\xac\x28\xed\xbc\xbc\x9d\x55\xcc\x3a\xce\x6a\xe9\x26\x0e\x9b\xe2\x2f\xd0\x47\x7e\xbd\xc5\x8c\xea\x74\xc5\x73\x92\x1c\x08\xa9\x6c\xa3\x97\x9a\x94\x8c\x16\x11\x5b\x86\xba\xe4\x0b\x72\x7b\x4d\x01\x95\x0a\xd2\x6c\x2f\xd4\xc7\x73\x16\x35\x04\xe5\x5a\x63\x08\x55\x33\x79\x9f\x81\xaa\x9e\x99\x25\x6d\x11\x3a\x4c\xb8\x98\x13\xf6\x21\x0a\x4b\xc9\x69\x20\x88\x47\x8d\x0d\xe7\x55\xb7\x40\xa6\xdc\x1e\x4b\x34\x6f\xa3\x3b\x30\xa2\x67\x63\x3d\x3b\x70\x92\x3f\xab\x75\x19\x72\xa9\xb5\x3f\xd5\x28\x15\xf3\x90\x37\xb5\x3c\xb4\x69\x70\xd8\xe5\x03\xc4\x5b\x5f\x7f\x18\x6a\x25\x4b\x38\x89\x9f\xb7\x75\x1b\x21\x76\xc9\xe9\x40\x93\xc1\xfe\x7a\xab\xba\xe2\xd3\x1a\xaa\x79\xa0\x76\xa6\x70\xb2\x4e\xaa\xad\xfb\x8f\xf6\x9c\x80\xdc\x09\x8d\x95\x14\x72\x9b\x60\x52\x62\x2e\x13\x08\x0a\x09\xff\x94\x97\x3c\x24\xe4\x30\x60\x6a\x7a\x3b\x03\x43\x4d\x5b\xbb\xd3\x95\xeb\x14\x7e\xdd\x99\x9e\xc8\xe3\x8d\x0d\x98\xf4\x56\x80\x9b\x9f\xdc\xf7\x42\x30\xd6\x1e\xce\x5c\x18\xdb\x04\x04\x2d\x1a\x90\xf0\x1f\x24\x15\x28\xd9\x7d\x38\x32\xcf\xc6\x20\xe5\x97\x36\xfb\x11\xb8\x31\x36\x8d\x45\x9a\x3e\x26\x34\xa1\xdf\xda\xe8\xad\x9b\x34\x2c\x5d\x70\xae\x32\xfe\xf3\xfc\x64\x0e\xe1\x28\x81\x38\xda\x4e\x7a\xef\x89\xe3\x24\x2e\x3c\x4b\x53\x4d\xf9\x04\x92\x8d\xc4\x21\x9f\x74\xe9\xab\x62\xaa\xe9\x59\xc4\x2c\x9f\x4b\xc3\xa7\x1b\xa8\x3c\x9c\x90\x2a\x1d\xe6\x0e\x6e\x51\xe4\x99\x65\x55\xaf\xf5\x98\x9e\x35\xa2\x86\xf4\xa1\x03\x0f\x85\x8e\xdf\xc5\x02\x0e\xe4\x28\x0e\x72\x54\xeb\x4c\x2d\xe6\x3b\xd7\x3d\x6f\x2b\xe7\x98\x4d\x27\xc7\xfa\x17\xea\x39\x86\x0e\xeb\x82\x5b\x91\x2b\xa2\x97\xea\x17\x8d\xa5\x26\x62\xc7\x92\x2c\x52\x96\xfd\xac\x90\x31\xa1\x99\x82\x64\xbf\x07\x1a\x03\x74\x1a\x4b\xfb\xe9\xab\x43\x45\xf8\x2c\x0a\x67\x5c\x93\x6f\x5b\xd6\x8a\xa3\xd5\x62\x1a\xba\x90\x03\xdb\xcd\xdf\x81\x99\x66\xf1\x27\x26\x93\x09\x47\x3a\xd1\x46\x24\xbb\xff\x49\xf9\x52\xcb\x1a\x41\x30\x80\x18\xe9\xb3\xb4\xc4\x64\x64\xff\x4a\x3a\x49\xfc\xaa\x7e\xfe\xc8\xf8\xa4\xec\xe2\x95\xf1\xab\x79\xa0\xd0\x91\x1b\x3e\xa7\xa1\xf7\xf8\x25\x22\x19\x3e\xee\x1b\x17\x1e\x82\x7d\xf2\x3b\x40\xfd\x76\x5d\x99\x87\x10\x54\xdc\x08\xa7\x05\x32\xbf\xfa\x45\xc5\x08\xdb\x35\x90\x65\x04\xfb\xb1\xee\x48\x8c\xd9\x82\xe3\x3e\x0d\x88\x31\x37\x00\x2a\x44\xe8\xb0\x22\x37\x12\x7b\x07\x22\x00\xad\x96\x7f\xd3\x7d\x28\x8d\x32\xf5\x59\x9b\x39\x9d\x76\xdb\xa3\x6d\xfb\x67\x6b\xa4\x5c\xfe\x79\x3e\xd8\x42\x50\xf3\x1d\xd9\xc0\x10\x5d\x02\xe8\x8d\xd6\xb3\x56\x01\xc5\x01\xf0\x32\x67\x20\x54\x6a\x22\xde\x47\x36\x3b\x87\x69\x9f\xb4\xa1\xc0\x8b\xf1\x5f\x24\x4a\x6d\x3d\xdd\xef\x77\x06\xd3\x9e\xf0\x13\xf9\x55\xf0\x12\xb1\xd8\x18\x5a\x00\x4a\xcf\x8c\x33\x90\x04\xf1\xbe\x62\x8f\xa4\x01\x4b\xe2\x95\xa6\x67\x67\x04\xa7\xf0\x99\x7f\x22\x5f\x11\x56\x36\x8e\x06\x42\x88\x9b\xe3\x06\xf3\x39\xf7\xcd\xfb\x04\x40\xb2\xb9\x9d\x99\x88\x5c\x36\x35\x63\xdc\x58\xee\x4e\x14\xb2\x26\xfd\x90\xe4\x1e\x18\xb0\xbd\xb8\xd1\xfb\x37\xe0\xf9\x19\x13\xf0\x3d\xa2\x22\xc9\x8d\xf6\x47\x83\xab\x64\x86\xd0\x31\x19\xbc\xa2\x08\x0b\xef\x6a\x46\x73\xa9\x21\x68\xf1\x78\xce\xd4\xd7\x30\x3d\x0e\x58\x0a\xfe\x16\x32\x1e\xef\x24\x6b\x34\xa9\x21\x94\xc2\x46\x5b\x05\x7f\x3b\x63\xf6\x72\xd1\xdc\xfc\x11\x08\xc6\x91\xbf\xf9\x23\x63\xed\x8f\xa7\x24\x58\x29\x7e\xac\xd4\xb9\x12\x34\x9a\x46\x31\x95\xa6\x18\x6a\x0a\x48\x99\x70\x0d\xfa\x45\x85\x84\xb1\xbd\xb3\x43\xa9\x88\xc4\x35\x7a\x4d\x86\xff\xbc\x45\x0d\x4b\x90\x58\xa0\xc0\xc8\x91\x24\x8d\x6c\x71\x7e\x0e\xce\x95\x36\x92\x7c\xce\x4d\xfa\x71\xca\x13\x42\x70\xa9\x89\x19\x09\x2f\xf7\x67\x66\x1c\xf6\x57\xf9\x43\x2c\xc9\x09\x73\x6d\xea\x51\x13\x7e\x32\x27\xc0\xad\xba\x93\x90\x56\x80\x27\x11\x24\x35\x04\xd3\xe1\xff\x31\x3a\x23\x5d\x17\x46\xd2\x4c\xbf\x18\xf8\x3e\xad\xec\x6b\x03\x82\x39\x15\x40\xed\x24\x6b\xa8\xf9\x4f\x62\x1a\xf8\xb2\xa3\x66\xa7\x0d\xf1\x4e\xeb\xa4\xa6\xc2\x46\xb2\x2a\xab\xc2\x98\xd5\x1c\xb2\x89\x2f\x3d\x45\xfd\x57\x27\x21\x00\x38\xb6\xe8\xd1\x95\x02\x9e\x8a\x34\x54\xbc\xac\x1e\x16\x3c\xfb\x38\x71\xc1\x81\xfd\xc0\x69\x9e\x72\x2b\x77\x1f\xf5\x55\x20\xe8\x9f\x69\x48\x5f\xa8\xf4\x30\xfe\x2a\xc3\xb0\x0d\x4c\xe8\x88\x73\x25\x42\x4e\x9e\x5d\xd6\x40\x1f\x69\x9a\x37\x42\x01\x43\x1f\x39\x52\x0a\x8a\xfa\x32\x93\xdf\x4a\x41\x83\x73\x55\xfa\x00\xde\x61\x34\x1c\x98\x3e\x10\x7e\x28\x32\xa2\x31\x8f\x22\x10\xc5\x10\x2d\x62\xe0\xd7\xde\xe8\x47\x2b\x26\xeb\x4b\x89\x81\x99\xef\x5f\x2a\x70\xa3\x67\xd4\x03\x0b\x87\x66\x61\x73\xc5\x26\x31\x54\xbd\xfd\x5e\xd5\x72\xf9\x90\xbf\xce\xae\x68\x31\x42\x71\x80\x68\x21\x5c\xe2\x77\xab\x36\xe6\xde\xdd\xac\x97\x48\x62\xc0\x8a\x49\xb0\x86\xaf\x6c\x2a\xe5\xb4\xb9\x10\x6e\x0a\x8e\xf7\xe8\x27\xad\xca\x80\xfd\x66\x22\xb1\x34\x2a\x26\x61\x61\xbc\x5f\xd5\x78\xbd\x2e\x0d\x6e\x1f\xd8\x99\x9f\x57\xb5\x0a\xff\xba\x43\xc5\xc7\x57\xaa\x6c\xf9\xd4\x57\x3b\xe6\x5c\x06\x53\x3a\xd1\xf4\x97\x1a\x4f\x74\x4c\x4b\xee\x98\x48\x25\x09\x79\x5e\xdc\x82\x3c\x54\x8f\x10\x04\xf8\xc9\xa0\xf2\x3a\x03\x97\x83\x81\xce\x02\xab\xed\x8c\x34\x99\xf9\x08\x2c\x71\xc3\x89\x08\x84\xd2\xde\x99\x5f\x24\x45\x8e\x62\xa9\x69\xd8\x6b\x8a\x92\x20\xf4\xfe\xaf\x7f\xc1\xfa\x8a\x0e\x8e\x42\xce\xd7\x62\xd4\x7b\x52\xb0\x7b\x50\x4b\x43\xd1\x1f\x40\x25\xac\x1b\x30\x6e\x3a\x1d\x0b\x83\xd4\xff\x75\xa6\x46\xb3\xb3\x4f\x8c\x1a\x16\xdb\xce\xc0\xbc\xe8\x97\x55\xf8\xa0\x7a\xca\x9c\x27\x26\x2d\x8b\x01\x57\xf6\x37\xd4\x92\x03\xde\x1c\xfc\xb2\x30\x36\x41\x3e\x8d\x0b\xe6\x53\xc3\xa4\x26\xc2\x86\x50\xa7\xd2\xcd\x7e\xe2\x28\x99\xc1\xd0\xf8\xfb\x37\x68\xc8\x0d\x14\x16\x77\xe0\x72\x0a\x8e\xf6\x73\x98\xee\xbf\xad\x8f\x71\x50\xde\x0b\x99\xda\x75\x26\xee\xd6\xa3\x47\xd1\xc0\xfd\xdd\x06\x72\x30\x58\xa4\x9e\x58\x45\xc8\x17\x21\xcd\xca\xa8\x24\x39\xb1\x16\x83\xc5\xb6\xfd\x1a\x8c\x82\xc0\x75\xf0\x77\x73\xb2\x34\xd1\xf8\x1d\x9f\x0c\x80\xd6\x48\x2c\xd2\x1f\x34\xe5\xcf\x71\x58\xf6\x08\xd4\xca\xdf\xc1\x57\x9f\x1b\x68\x64\x5e\x1e\x50\x15\x69\x4e\xa8\x42\x07\xfa\x41\xa4\x30\x6b\xb6\x1a\x64\x87\x76\xb5\xa7\x14\x03\x62\x18\x24\x86\xc0\xf3\x5b\x19\x83\xcf\xdb\xa1\xd7\xc7\x58\x4e\x4c\x50\x97\xff\xb9\x8d\x12\xd3\xd0\xea\xa1\x69\xb3\x7a\xd8\xc7\x46\xd8\xb6\x96\xa7\x07\xe4\x5a\x3f\xf0\xf6\xb0\xc9\x31\x8d\x71\x29\xb6\xa4\x6c\x9f\x86\xde\x6e\xab\x4c\x89\xc3\x5b\x18\x5b\xc6\xc6\x93\x46\x4a\x27\x87\x81\x7b\xc3\xcd\xd8\xfe\x8c\xc6\xbc\x3d\x6f\xae\x79\x19\x8f\x87\xc7\x13\xe2\x11\xa0\xc5\x18\x75\x23\xea\x19\x4c\x08\xf9\x65\x7a\x38\xdc\xae\xb1\xeb\x73\x46\x17\xd5\x9b\xf6\xf8\xa1\xeb\x9d\x5f\xdc\x15\x5c\x96\x5a\x94\xc1\x08\xe6\xc0\x8b\x3b\x12\xee\x2b\x6e\xb3\xff\x0f\x08\xa6\xbc\x61\x17\x51\x39\xa6\x45\xfd\xf3\xb5\x1d\x4b\x70\xf8\x69\xc4\x29\xf9\x62\x2b\x78\x1a\x61\xff\x00\x53\x98\x4c\xdc\x94\xd0\x6e\x2e\xde\x17\x2a\xa8\x93\xdf\x4f\xb9\x13\xc7\x30\x79\xd1\xd6\xdb\xb0\x0a\x3e\x60\x7a\xc7\x2a\x58\x82\x00\x8d\x62\x60\x55\x32\x4b\xf3\xda\xc6\x6b\x41\x38\x94\x8b\xc7\x2a\x7d\x6d\x59\x9f\x5d\x37\xa2\x99\x9d\x7f\x5b\x79\xb6\x8e\x6b\xaa\x47\xeb\x94\xa6\x23\x40\x6d\x35\xd2\xcc\xbc\x2e\x05\x1e\x9d\xbf\xb5\x74\x8e\x62\xf5\x1d\xec\xff\x7d\x9b\x90\x1a\xc2\x70\x1b\x9e\x86\xa8\x17\xec\x00\x43\x64\x23\x4c\xf0\x76\xc4\xec\x62\xd5\x0d\x6f\x60\x85\xff\x37\x88\xeb\x10\xe2\x55\x4f\x36\x74\xfd\x61\x80\xb6\xf4\x34\x84\x04\x14\xc8\xcb\x15\x37\x38\x9c\xbf\x95\xe5\xa4\x15\x26\xbc\xf4\xde\x48\xab\xba\xc8\xec\xd1\x37\xf1\x0d\x4e\xd8\x99\x5b\x35\xa9\x91\xa9\x90\x17\x95\xe9\x50\x5d\xe0\xe2\xbb\x96\x72\x75\x1a\xc4\xe9\xd6\x52\x5c\x69\x48\xf8\x92\xff\xbf\x7d\x12\x58\x28\xb9\x4e\xe5\xa9\x24\x47\xe6\x77\xce\xd8\xa6\x81\xa2\xf3\x6e\xa6\xaa\x9f\x38\xba\x6f\x46\x24\xb0\x35\xbf\x3b\x87\x04\x95\x07\x37\x47\xa0\xef\xb7\x4e\x92\x71\x88\xa7\xba\x16\x4a\xa1\x31\xf9\x45\x16\xd4\x8b\x5b\x57\x38\xb2\x62\x94\x0b\xc6\x85\x22\xa0\xd1\x4e\xba\xab\x16\x74\x48\xfd\xf9\xd8\xd1\xbf\xce\x14\x4f\x8c\x6d\xae\x28\xaa\x55\x8d\x57\xc5\x34\x10\xcb\x23\x5d\x7c\x76\xdf\x41\x53\x31\xd0\xc7\x0d\xaf\x43\x0e\x1d\x7d\x76\x79\x5a\x8f\xc4\x3f\x1b\x6d\x47\xa9\xf5\xef\x1a\x9d\x4d\xbb\xe9\x0b\x61\x09\xa9\x52\x16\x2e\x2a\x97\x59\x6f\x0a\x61\xab\x94\x72\xf1\x96\x01\x75\x39\x3d\x5f\x2c\x94\xe2\xee\xfd\xa7\x23\xaa\xc8\xc8\xe0\x94\xc3\xae\x8c\x17\xd5\x33\xb5\x1b\xc9\x06\xef\xcb\xe8\xbf\x61\xc8\x61\x66\x9d\xca\xe4\xb7\xa9\x67\x9e\xd5\x62\x73\x3c\x7a\xe9\x7c\x61\x8f\x30\xd5\x75\x76\xab\x3b\x1f\xe2\xda\x72\xef\x43\xf4\xd4\xaa\xad\x88\x13\x69\x6a\xd4\x85\x20\xc1\x1d\x0b\x02\x7c\x81\xed\x84\xc0\x7e\x8b\x1a\x12\x2f\x5d\x15\x08\x70\x2e\xd8\x31\x33\xb2\x7f\x44\x50\x76\x9a\x30\x08\x5e\x37\x2b\x99\x4b\x68\x82\x67\xa3\xae\xf2\x8c\xf9\xe9\xa0\x8b\xae\x19\xb4\xb7\x95\x48\x2a\xff\x78\x0b\x25\x2b\xf8\xa3\xef\x4f\x5c\x9f\x20\xae\xbe\xa6\x8e\x3c\x28\xa9\xd7\xc9\xe5\x9a\x95\xe9\x83\xa1\xd4\x96\xda\xeb\x63\xa8\x26\x8b\x73\x76\xe3\x94\x2a\xb2\x12\x66\xee\x37\x4e\x3b\x01\x60\x72\x28\xb2\x75\x09\xe3\xad\x89\xe8\x1d\xf4\xef\xd2\x43\x85\xdf\x15\xa9\x67\xe5\x30\xcc\x4c\xdc\x8d\xbd\x21\xe4\xf1\x1e\xc8\xc8\x7a\xc9\xc5\x4a\x5d\xda\x96\xc8\xd3\x6e\x9b\xd0\x06\xc4\xc5\x49\x19\xd6\xbc\x56\xb0\xc8\x2b\x5c\xcf\xb8\x29\xcf\xa9\xb9\x89\x68\x86\xfd\x78\x3e\x2a\x76\xee\x65\x57\x06\x6b\xd7\xf3\x01\xe6\xff\x17\x27\xf5\xc3\x0f\x98\xee\xc0\x52\xd2\x36\xda\xc5\xf5\x71\xf1\xea\x9a\xc2\x15\xd2\x2f\x9b\xc3\xc1\x05\x27\x50\xb6\x89\x18\x81\xf4\x5c\xf3\x27\x5d\xee\xb0\xe4\xc0\x59\x2a\x80\xb7\xf5\x41\x41\x61\x55\xc3\xc7\xf3\xfc\x2f\xab\x83\x2e\x09\x16\x9b\x08\xc8\x41\x14\xf9\xce\xe8\xcf\x33\xad\x18\x45\xd9\x9f\x3d\x54\x28\x7e\xaf\x9f\x1b\x96\x41\x2f\x36\xa9\xd7\x0a\x57\xec\x7e\x4b\x11\x21\x19\x40\xa2\xf8\x4e\xe1\x80\x38\xfe\x2f\xdb\xb0\x99\x8b\xf1\x49\x4d\xd1\x38\x28\x5c\x3c\x76\xdd\x95\x2b\xab\x27\xa2\x5d\x38\xca\x58\x74\x12\x0e\x77\x8b\x31\x72\x8b\x9b\x91\x6e\x04\xee\x0a\x46\x8c\x7f\x2f\xff\x5a\xb0\xfd\xb8\xb7\x1a\x71\xd6\x58\x4a\x7d\x3c\x74\xe1\x3e\xcf\x94\xbd\xc4\xe2\x41\xa3\x4b\x8d\xa5\xcd\xcb\xf9\xb2\x81\xc0\xe7\xa9\x1f\x75\x3d\xba\xca\xa8\x50\x3e\x95\x2f\x1e\xbc\xf7\xe5\x9d\xcd\x3a\xf2\xba\xff\xe6\x51\x66\xed\x82\xd1\x02\x03\xf2\x6e\xd2\x21\x33\x16\x75\x71\x24\x74\x35\xef\xbd\x98\xa0\x6a\xbb\xe9\x6f\x6f\xe9\x96\x94\x05\x0f\xf8\x1f\xd0\x90\x41\x4b\xc9\xde\x21\x0e\x03\xf7\x9f\x80\x79\xef\x40\x40\xd1\x89\xbf\x03\x2a\x99\x7f\x43\x8e\x13\xb5\xd2\x46\x9e\x09\x69\x00\xe2\xb9\x86\x09\x9f\xe8\x75\xaf\x6e\x26\x0c\x37\xbe\x4c\xaa\x08\x9a\x94\x0a\xc0\x7e\x58\x49\xeb\xc0\x27\xbc\xf2\x89\xf6\x15\xf3\x73\x13\x05\x8f\x61\x35\xaf\x25\xf8\x25\xfc\x5f\x28\xce\x77\xa7\xf7\x31\x50\xd0\x06\xa0\x70\x31\x0f\x9c\xf2\x1f\xc5\x20\x7b\xc4\x00\xa6\x69\xd1\xeb\x66\x10\xfd\x12\x67\x8c\x1d\x23\xa7\x84\x34\xaf\x46\xbf\x7f\x25\xd8\x58\xf5\x6e\xc4\x19\x98\xd4\xb1\x7a\x96\x46\x14\xf2\xb5\xdd\xef\x2f\x10\x23\x15\x35\x53\xc8\x35\xcb\x7b\x82\x4a\x53\x11\xae\x38\xd6\xf2\x40\xf4\x1f\x45\x33\x00\x0e\x9b\xde\xd8\x22\x47\xb9\x04\x43\xe4\xed\x02\xdc\xad\xab\x7d\x6c\xe1\xf4\x32\xfe\x1a\x37\x2c\xb8\x13\xc3\x1a\xd1\x3e\xd8\xdc\x8e\xe1\x5b\xc6\xfe\x29\xf9\xa1\xbc\x5b\xaf\xcf\xf4\x40\x56\xac\xbc\xbc\x7e\xff\xfe\xac\x32\xc5\x10\x5d\x43\x50\x7d\x9c\xf2\xf5\x42\x9c\xa7\x18\x97\xc1\x6b\xe9\x71\x96\xb6\xda\x7d\x69\x19\x9b\x09\xfc\x36\xad\xd0\x7b\x0e\x18\x9a\xca\xc5\x23\x66\xd1\x10\x44\x22\xf3\x96\x4c\xd5\xc8\x14\x92\xb2\x55\x0a\x7f\x7f\x17\xa6\xe3\x8f\xf9\xbc\xf3\xe9\x72\x55\x52\x97\xf1\x97\x21\x52\x93\xe0\xdd\x78\x8f\x0d\x8a\x1f\x76\x52\x4c\xf5\x4c\x72\xc0\x3e\xba\x64\x92\xf9\x3b\x43\x68\x99\x9b\xb3\x07\xcd\xa5\x7b\xbb\x03\x9a\xf5\xe0\x31\x9c\x27\x62\x5c\x85\x89\x44\xa2\xa7\xc5\x56\xf0\x90\x61\x24\xc6\x1c\xb7\x38\x5d\x1f\x65\x1d\x8c\x5f\xee\x23\x81\xcc\x17\x51\x9d\x20\x60\x80\x99\xd6\xce\x7e\xdf\x9b\xa8\xfd\x02\x49\x26\x30\xf8\x6e\xc6\xe7\xa6\x81\xf8\xe0\x29\x20\x95\x01\x28\xdf\xef\x59\x81\x4a\x29\x21\x37\xaa\x1a\xe7\xee\x2b\x25\x0a\x87\xda\x9d\xfb\x01\x31\x20\x5f\x96\xe6\x12\xd1\x17\x8d\xff\xd4\xf9\xf5\xad\xf3\xb6\x82\x70\xc4\x8c\xb4\x67\x72\x00\xca\xee\x70\x9f\xa3\x73\x3c\x17\xa9\xa3\xa7\x1a\x36\x41\x88\xec\x12\x17\x9a\x1a\x22\x86\x4b\xba\xc0\x09\x72\xe1\x9e\x35\xce\x6e\xe8\x4a\x6d\xf1\xdc\x95\xc5\x5b\xda\xf3\x7c\xe0\x3f\xcc\xf1\xf0\x9e\xdb\xe7\xce\x23\x1b\x06\x46\x47\xae\xc7\x4c\xd0\xe4\x5a\x22\x4d\xd4\x21\xe6\xa9\x47\x19\x98\xa0\xd4\x71\x70\x0c\xd4\x7a\x61\xfd\xc7\x28\x65\x18\xfa\x88\x9f\xf8\x07\x7c\x39\x50\xab\x0e\x72\x4a\xc8\x7d\xdb\x80\x43\xe6\x9c\x6d\x71\xd2\xc0\xb6\x07\xe4\x27\x6f\x19\xec\xc0\x23\x63\x34\x89\x5d\xc5\xb5\xa6\x6b\x32\x3c\xfb\xb7\x66\xd5\xdc\x1c\x3c\x30\x1c\x0e\xbe\x2b\x47\x17\x5b\xf0\x19\x2f\x3e\x2c\xc0\x25\x0c\xcb\x80\x7c\x0d\x46\x6b\x8b\x0a\x85\x28\x01\xbc\xf1\x2c\x27\x0e\x2a\xcf\xee\x34\xc7\xcd\x17\x6e\xf9\xb3\x8b\x3d\x59\x5c\x00\x89\x80\xf4\x56\x5d\x02\x02\x3c\x40\x73\x20\x83\xff\x6e\x9d\x70\x0d\x58\x23\x27\xe0\x64\xab\x33\x56\x11\x0c\xf3\x50\x7a\x43\xa0\x53\x8f\x30\xda\x27\x4c\xf0\x45\x6a\x6e\x8f\x98\x47\xa2\x39\xe7\x2b\x99\x62\x1c\xde\x34\xe1\xb6\x02\x63\xd3\xae\x53\xe2\xfd\x10\xd1\xb3\xef\x75\x44\x26\xee\xf7\x1b\xc1\xf7\x0f\xb2\xfb\x34\x21\xc4\x24\x9b\xad\xb3\xc1\x95\x92\x55\xd8\xa4\x0f\x66\xe1\x90\x64\xc4\xee\x01\x18\x50\x0d\x78\x05\x9c\x52\x86\xff\x7a\xa3\xb8\x3e\xc9\x0b\x7f\x6a\x06\xc9\xf2\x06\x76\x8e\xc3\xdc\xac\x63\x05\xc5\x8d\x10\x5c\xa2\xee\xe5\x32\xbe\x2f\xfb\x02\x13\xb3\x11\x3a\x97\x58\xe6\x81\xc8\x91\x01\xd9\xfb\x08\xbb\x4c\x63\x41\xf4\x66\x19\xaa\x56\xb5\x77\x79\xf7\xb9\x2a\x10\x17\x5e\x4e\xff\xa4\xd6\x11\x96\x67\x69\x94\x2a\x05\x97\x70\x7c\x64\x21\x36\x64\x9a\xbb\xb3\x5d\xd2\xc8\xf8\x34\x70\xfc\xb9\x58\xc4\x3f\xd6\x3e\x0d\x2c\x17\xcf\x1f\xf0\x07\x5c\xc4\x61\xd8\x30\x42\x9a\x3e\x08\xe4\x71\xce\x12\x7e\xcc\xc3\x27\x56\xec\xb3\x00\xcd\x86\xd0\x09\xbc\x96\xda\xc0\x15\xc7\xb6\x29\xde\xc2\x79\xa4\xa4\x50\xed\x24\x22\xc2\x3c\x6b\x31\x1e\x66\x3a\x0a\x90\xe1\xaa\x20\x4e\xbd\x0b\xbc\x71\x03\xe3\x18\x79\xb0\x4a\x47\x74\x58\x8e\xd8\x65\xb8\xa5\x51\x01\x7d\x4e\x85\xe7\x30\xb2\x00\xda\xfd\x7f\x4b\x5e\x7e\xb4\x8f\x35\xa7\x33\x4d\xcb\x74\x43\xc0\xe8\xa3\x4c\x38\x13\x0b\x53\x4a\x3c\x2e\xc7\x5d\x36\x89\x7e\x3a\xb9\x6b\xfa\xa4\x0a\x99\x05\x44\x73\x5e\x35\x97\xcf\xa6\xad\xa2\x45\x53\x14\xa7\x21\xe5\x33\x34\xc8\x4c\x73\x62\x45\xfb\x2d\x4d\x98\x63\x10\x35\x73\x4c\x0d\x69\x2b\xb6\x95\xbc\x5d\xc7\xff\xf6\x8e\x71\xe6\xc6\x72\x1b\x01\xa2\x83\xa7\x98\x4b\x55\xa8\x8b\x3e\x73\x0c\xee\x64\xb9\xe9\xe6\x34\x3e\xa3\xc1\x8f\x42\x7c\x01\x84\xcb\x44\x90\x46\x89\x01\xe8\xac\x07\xe8\x8a\x0e\x68\xf2\x8c\x1d\xb6\x40\x6d\x09\x85\x3b\xd3\xe0\x97\xda\x56\xc1\xff\x58\x1e\x93\x2d\xfa\xb3\xfd\x2a\x76\xe9\x1a\xc6\x5c\x5c\x51\x27\x73\x06\x0b\xa4\xcc\x3e\xea\x4c\x6b\xa4\x56\x76\x51\x78\xb8\xad\xbc\x75\x14\xb0\xc9\xab\x48\x62\x1b\xbd\x0d\x31\x47\x1d\x15\x67\x9e\xcf\xa9\x94\x46\x32\x53\x90\x6e\x60\xee\x8d\xb9\xe8\xab\x1f\xa1\x35\x97\x62\xc0\x2d\x61\xca\x4e\xf8\x6e\xd5\x91\x62\x60\x0d\xce\x33\x62\x2e\x6e\x88\x16\xee\x18\x6b\x00\xa3\x06\x22\x08\x9e\x90\x39\xfb\xc1\x97\xc5\xd1\x90\x67\xaa\xcb\xdf\xd4\x37\x6c\x75\x3f\x66\xf0\xb2\xa6\x95\x89\x90\xcc\x8d\x81\x6e\x3e\xae\x6b\x94\xa6\x5b\xfa\x17\x36\xed\x98\x7a\x9d\xab\x75\xb5\x41\x72\xb3\xc9\xd9\xba\xae\x4c\xf2\x29\x75\x39\xd0\xfc\x7f\x72\x4b\x59\x96\x4b\x6b\x50\x4c\x52\x28\x64\xae\x30\x47\xf2\x61\x44\xfc\xdf\x29\xee\x2d\xa8\xb0\xde\x86\xc7\x35\x2b\x20\x54\xd0\xa5\xd5\xa4\x97\x8a\x25\x60\xd9\x80\xee\x75\x1d\x28\xc4\xc7\x50\x0a\x7e\x46\xc6\x97\x85\x14\xf0\x3c\xf8\xdf\x75\x5e\xba\xbd\x3a\x89\xaf\x41\xfa\x67\x34\xdd\x6d\xf5\x75\x6f\xc1\x13\x0d\xcc\xe4\x44\x0f\x57\xb0\x04\x87\xa2\xef\x7c\xe7\x06\x87\x55\x3b\xfd\x1d\xce\xcb\x0c\x25\xbc\x1c\xb4\x21\xb0\x0b\x19\x12\x18\xec\x1d\x63\x45\x5c\xc8\x58\xda\x4f\x66\x97\x99\xca\x4d\x39\xfc\xa4\x1a\xa1\x58\x90\x68\xdb\xbb\x2e\x3c\xf9\x11\x1a\x5b\x02\xc7\xf9\xcf\xaa\x1b\x04\x62\xd4\x5b\x9c\xa1\xa7\xd3\xdf\xc5\xad\x5c\x15\x2c\xf8\xa4\x89\x2e\x9f\xde\xf9\x9f\xa8\xa4\x9d\x02\x7f\xb6\xd1\x63\xc6\x08\x37\x0f\x9d\x22\x98\x98\xee\xc2\x72\xd8\x8c\xb0\xc9\xf3\xcf\x80\x6b\xf8\xcb\xf4\x37\xd4\xca\xd3\xab\xd2\xa9\x4d\x53\xb3\x26\xb3\x00\xd9\xeb\x01\xd2\x00\x35\xb4\x19\x5b\x05\xa7\xcf\x75\xd7\xe3\xaf\xf4\x27\x74\xd2\x03\xc8\xc9\xe3\xe9\x2f\xc8\x98\xb0\xff\x50\x81\xbc\x7b\x2e\xbb\xfc\x48\xad\x18\x03\x01\x00\x00\xff\xff\x8b\xe0\xeb\xc3", 4112); syz_mount_image(/*fs=*/0x200000016bc0, /*dir=*/0x200000016c00, /*flags=MS_SLAVE|MS_REMOUNT|MS_NOEXEC|MS_NODIRATIME*/0x80828, /*opts=*/0x200000016c40, /*chdir=*/0, /*size=*/0x1010, /*img=*/0x200000016cc0); memcpy((void*)0x200000017d00, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000017d00, /*id=*/9, /*flags=__O_TMPFILE|O_NOCTTY|O_EXCL|O_DIRECT|O_CLOEXEC|0x400*/0x484580); res = syscall(__NR_getpgid, /*pid=*/r[16]); if (res != -1) r[42] = res; memcpy((void*)0x200000017d40, "net/if_inet6\000", 13); syz_open_procfs(/*pid=*/r[42], /*file=*/0x200000017d40); syz_open_pts(/*fd=*/r[33], /*flags=O_PATH|O_NONBLOCK|O_LARGEFILE*/0x208800); syz_pidfd_open(/*pid=*/r[19], /*flags=*/0); res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[43] = res; syz_pkey_set(/*key=*/r[43], /*val=PKEY_DISABLE_ACCESS*/1); memcpy((void*)0x200000017d80, "\x78\x9c\x00\x93\x00\x6c\xff\xa4\x51\x5c\x20\x6d\xec\x63\x25\x4e\xaf\x44\xc2\x33\xe0\x2f\x98\x97\x92\x6a\x17\x55\xe9\x12\xa6\x87\xbb\x89\xb1\xfa\xa0\x5f\xf9\x0f\xf6\x40\x2b\xc5\xe9\x75\x6f\x02\x03\x9a\xe3\xb9\x2c\xdc\xbc\x20\x3e\xfb\x43\x79\x97\x11\x96\x1f\x15\xf1\xa9\x29\x78\x2c\xb9\x86\xa7\x76\xe7\xb0\xfe\x60\x61\xbd\x20\x65\xdc\xa6\x1f\x00\xc5\x5b\xc5\x43\x7b\x98\x0f\xfc\x36\x79\x9e\x29\x87\x3d\xb9\x38\x2c\xdb\x1c\x64\x53\x5e\x09\xdb\x7a\xcd\xc3\x61\xf2\x2f\xd3\xb1\xd5\x64\x09\x9d\x55\xe5\xeb\xb0\x07\x85\x92\xcd\x5e\x96\xc5\xdf\xe6\x1b\x08\x36\x81\x36\x77\xf3\xce\xd9\x1b\x16\x07\xe4\x38\x9b\x94\x8b\x98\x40\x01\x00\x00\xff\xff\xda\x37\x48\x83", 163); syz_read_part_table(/*size=*/0xa3, /*img=*/0x200000017d80); syz_socket_connect_nvme_tcp(); *(uint8_t*)0x200000017e40 = 0x12; *(uint8_t*)0x200000017e41 = 1; *(uint16_t*)0x200000017e42 = 0x200; *(uint8_t*)0x200000017e44 = 0x8d; *(uint8_t*)0x200000017e45 = 0xd8; *(uint8_t*)0x200000017e46 = 0x82; *(uint8_t*)0x200000017e47 = 0x10; *(uint16_t*)0x200000017e48 = 0x1bbb; *(uint16_t*)0x200000017e4a = 0x203; *(uint16_t*)0x200000017e4c = 0xa779; *(uint8_t*)0x200000017e4e = 1; *(uint8_t*)0x200000017e4f = 2; *(uint8_t*)0x200000017e50 = 3; *(uint8_t*)0x200000017e51 = 1; *(uint8_t*)0x200000017e52 = 9; *(uint8_t*)0x200000017e53 = 2; *(uint16_t*)0x200000017e54 = 0x733; *(uint8_t*)0x200000017e56 = 3; *(uint8_t*)0x200000017e57 = 0xb; *(uint8_t*)0x200000017e58 = 1; *(uint8_t*)0x200000017e59 = 0x80; *(uint8_t*)0x200000017e5a = 1; *(uint8_t*)0x200000017e5b = 9; *(uint8_t*)0x200000017e5c = 4; *(uint8_t*)0x200000017e5d = 2; *(uint8_t*)0x200000017e5e = 5; *(uint8_t*)0x200000017e5f = 0; *(uint8_t*)0x200000017e60 = 0xf; *(uint8_t*)0x200000017e61 = 0xcd; *(uint8_t*)0x200000017e62 = 0x1f; *(uint8_t*)0x200000017e63 = 0xf3; *(uint8_t*)0x200000017e64 = 6; *(uint8_t*)0x200000017e65 = 0x24; *(uint8_t*)0x200000017e66 = 6; *(uint8_t*)0x200000017e67 = 0; *(uint8_t*)0x200000017e68 = 1; memset((void*)0x200000017e69, 60, 1); *(uint8_t*)0x200000017e6a = 5; *(uint8_t*)0x200000017e6b = 0x24; *(uint8_t*)0x200000017e6c = 0; *(uint16_t*)0x200000017e6d = 0x80; *(uint8_t*)0x200000017e6f = 0xd; *(uint8_t*)0x200000017e70 = 0x24; *(uint8_t*)0x200000017e71 = 0xf; *(uint8_t*)0x200000017e72 = 1; *(uint32_t*)0x200000017e73 = 2; *(uint16_t*)0x200000017e77 = 8; *(uint16_t*)0x200000017e79 = 3; *(uint8_t*)0x200000017e7b = 1; *(uint8_t*)0x200000017e7c = 6; *(uint8_t*)0x200000017e7d = 0x24; *(uint8_t*)0x200000017e7e = 0x1a; *(uint16_t*)0x200000017e7f = 7; *(uint8_t*)0x200000017e81 = 6; *(uint8_t*)0x200000017e82 = 8; *(uint8_t*)0x200000017e83 = 0x24; *(uint8_t*)0x200000017e84 = 0x1c; *(uint16_t*)0x200000017e85 = 0xc; *(uint8_t*)0x200000017e87 = 6; *(uint16_t*)0x200000017e88 = 0x122; *(uint8_t*)0x200000017e8a = 0x12; *(uint8_t*)0x200000017e8b = 0x24; *(uint8_t*)0x200000017e8c = 7; *(uint8_t*)0x200000017e8d = 0x8b; *(uint16_t*)0x200000017e8e = 7; *(uint16_t*)0x200000017e90 = 0xfff9; *(uint16_t*)0x200000017e92 = 5; *(uint16_t*)0x200000017e94 = 3; *(uint16_t*)0x200000017e96 = 0xad97; *(uint16_t*)0x200000017e98 = 3; *(uint16_t*)0x200000017e9a = 0; *(uint8_t*)0x200000017e9c = 0xac; *(uint8_t*)0x200000017e9d = 0x24; *(uint8_t*)0x200000017e9e = 0x13; *(uint8_t*)0x200000017e9f = 0xb; memcpy((void*)0x200000017ea0, "\x78\x4f\x7b\xf4\x55\x93\xf2\x14\x5d\x18\xe4\x9b\xc5\x2e\xdb\x01\x14\x22\x49\x1e\xba\x8f\xc4\x0e\xbe\xd3\x4d\x5d\x81\x30\x4d\xa0\xa3\x55\x65\xec\x20\x36\x11\x7b\xec\x4b\x01\xef\x8f\x75\xc9\xd5\x4e\x74\xb4\x53\x16\xd0\xe1\x67\x2a\x97\xb6\x31\x72\x9b\xcb\x7d\xc9\x9b\xde\x68\x28\x91\xbd\x59\x54\xd9\x45\xf4\x12\x97\x9e\xca\xe7\xee\x08\x6c\x36\x50\xd3\xf9\x76\xa9\x90\xed\xea\x93\x2d\xc3\x08\x5d\x9c\x08\xf2\x0b\xad\xce\xbf\x87\xa9\x7b\xa3\x61\x51\x78\x8d\xaa\x2e\x6b\xe4\x56\x75\x38\x01\x39\xcb\x89\xa1\x7f\x95\xa6\x5c\x87\xa2\x72\xb1\x83\x87\x36\x60\xc9\xb6\x3c\xee\x55\xc4\x3a\xe5\xdf\x58\xb4\x5f\xbe\x08\xf0\x0a\x86\xc6\xb1\xdf\xbd\x51\x7b\x7d\xcd\xca\x1c\x6c\x75\xcd\x37", 168); *(uint8_t*)0x200000017f48 = 6; *(uint8_t*)0x200000017f49 = 0x24; *(uint8_t*)0x200000017f4a = 7; *(uint8_t*)0x200000017f4b = 1; *(uint16_t*)0x200000017f4c = 0xa; *(uint8_t*)0x200000017f4e = 9; *(uint8_t*)0x200000017f4f = 0x21; *(uint16_t*)0x200000017f50 = 0x9a; *(uint8_t*)0x200000017f52 = 8; *(uint8_t*)0x200000017f53 = 1; *(uint8_t*)0x200000017f54 = 0x22; *(uint16_t*)0x200000017f55 = 0x373; *(uint8_t*)0x200000017f57 = 9; *(uint8_t*)0x200000017f58 = 4; *(uint8_t*)0x200000017f59 = 0xb8; *(uint8_t*)0x200000017f5a = 0xc; *(uint8_t*)0x200000017f5b = 0xf; *(uint8_t*)0x200000017f5c = 0xc3; *(uint8_t*)0x200000017f5d = 0x47; *(uint8_t*)0x200000017f5e = 0xe8; *(uint8_t*)0x200000017f5f = 0x7f; *(uint8_t*)0x200000017f60 = 9; *(uint8_t*)0x200000017f61 = 5; *(uint8_t*)0x200000017f62 = 0x80; *(uint8_t*)0x200000017f63 = 2; *(uint16_t*)0x200000017f64 = 0x410; *(uint8_t*)0x200000017f66 = 0xd9; *(uint8_t*)0x200000017f67 = 0xf6; *(uint8_t*)0x200000017f68 = 0xe; *(uint8_t*)0x200000017f69 = 7; *(uint8_t*)0x200000017f6a = 0x25; *(uint8_t*)0x200000017f6b = 1; *(uint8_t*)0x200000017f6c = 0xc; *(uint8_t*)0x200000017f6d = 5; *(uint16_t*)0x200000017f6e = 2; *(uint8_t*)0x200000017f70 = 9; *(uint8_t*)0x200000017f71 = 5; *(uint8_t*)0x200000017f72 = 0xc; *(uint8_t*)0x200000017f73 = 0; *(uint16_t*)0x200000017f74 = 0x40; *(uint8_t*)0x200000017f76 = 2; *(uint8_t*)0x200000017f77 = 2; *(uint8_t*)0x200000017f78 = 6; *(uint8_t*)0x200000017f79 = 9; *(uint8_t*)0x200000017f7a = 5; *(uint8_t*)0x200000017f7b = 0xb; *(uint8_t*)0x200000017f7c = 3; *(uint16_t*)0x200000017f7d = 0x7b4d; *(uint8_t*)0x200000017f7f = 6; *(uint8_t*)0x200000017f80 = 8; *(uint8_t*)0x200000017f81 = 5; *(uint8_t*)0x200000017f82 = 0x82; *(uint8_t*)0x200000017f83 = 0x11; memcpy((void*)0x200000017f84, "\x45\x83\x6f\x6c\x3f\x51\x25\x72\x5e\xd5\xb9\x6b\x96\xb2\x91\x1a\xdb\x85\x37\x0c\xeb\x59\x89\x89\x4b\xd8\x34\x17\xee\x42\x27\x6c\xe8\x0f\xe7\x34\xdb\x8d\x2d\x94\xf2\xfe\x8c\x75\xbf\xd0\x42\xfb\x63\x2c\xfa\x5d\x52\x54\xf9\xb0\xfa\xdc\x88\x5d\x62\x8a\x0d\xc9\x2e\x27\x4c\x02\xcd\x3b\xe0\x42\x1b\x60\x8e\x2c\x53\x8d\xe2\x0b\x20\x8e\xaa\xea\x7b\x51\xdc\x13\xbd\xf7\xf2\xe0\x0a\x6c\xbd\x30\x30\xdf\x9b\xac\xa6\x67\xe6\xcc\xc4\x2b\xdc\x2f\x5d\x82\x2a\x3f\xc2\x98\xb0\x60\xda\x91\x26\x5d\xd0\x15\x83\x22\x1a\x09\x89\x9f", 128); *(uint8_t*)0x200000018004 = 9; *(uint8_t*)0x200000018005 = 5; *(uint8_t*)0x200000018006 = 1; *(uint8_t*)0x200000018007 = 0x10; *(uint16_t*)0x200000018008 = 8; *(uint8_t*)0x20000001800a = 4; *(uint8_t*)0x20000001800b = 1; *(uint8_t*)0x20000001800c = 0xfc; *(uint8_t*)0x20000001800d = 9; *(uint8_t*)0x20000001800e = 5; *(uint8_t*)0x20000001800f = 5; *(uint8_t*)0x200000018010 = 0; *(uint16_t*)0x200000018011 = 0x3ff; *(uint8_t*)0x200000018013 = 0xd7; *(uint8_t*)0x200000018014 = 0; *(uint8_t*)0x200000018015 = 0; *(uint8_t*)0x200000018016 = 0xf6; *(uint8_t*)0x200000018017 = 0x22; memcpy((void*)0x200000018018, "\x67\x43\x9d\x73\x1f\x50\x70\x17\xa6\x2a\xb8\x9e\xb7\x11\x8e\x31\x5a\xab\x47\xbc\xe0\x0c\xfe\x09\x2f\x9b\x6b\x65\x27\x81\x2c\x05\x1d\x98\x78\x9a\x34\x1c\xd8\x57\x9c\x0c\x0f\x64\xf3\x53\xfa\xa6\x41\x37\x28\x67\x64\x0b\x73\x3b\xac\x8b\x88\x00\xb7\xba\xf1\x06\xd0\x3b\x36\xb9\x34\xeb\xf2\x4e\x84\xf5\x54\xe1\x48\x9e\x48\x41\x65\x47\xbb\x7c\x90\x48\x2f\xa4\x70\x64\x67\x39\x07\x68\x59\x8b\xfd\xde\xee\x37\xf9\x6a\x28\x6a\x2f\x72\x6e\xd8\x9e\x5c\xfe\xb0\xdc\xa1\x49\x45\x14\x5d\x57\x27\xfb\xd9\xb2\x94\x9f\x95\x28\xd0\x1e\x94\x8e\x63\x05\x19\x1b\xbb\xdf\xe6\x0f\x22\x3a\xe3\xa1\x98\x23\xce\x4a\x87\x97\xdf\x00\x4c\x04\x8b\x9c\x0d\x79\x3d\x17\x3e\x5a\x39\xaf\xc5\xea\xfe\x8e\xd8\x2b\x45\xd9\xac\x82\xfd\xfd\x1e\xf5\x90\xfa\x30\x0f\x32\xa4\x96\x84\x63\x0a\x4b\x39\x2f\xf5\x80\xee\xae\xff\x43\xc6\x07\xa9\x51\x69\x52\x55\x30\xc2\x4b\x18\x9d\xee\x91\x3c\xf7\xb9\xe1\xc1\xba\xfb\x11\x77\x1b\x05\xc7\x84\x72\x0c\x28\xeb\x00\x1a\xd2\x18\xd0\xa9\x2c\x1e\x32\x07\x16\x06\x73\x4e\xd9\x56\xb6", 244); *(uint8_t*)0x20000001810c = 7; *(uint8_t*)0x20000001810d = 0x25; *(uint8_t*)0x20000001810e = 1; *(uint8_t*)0x20000001810f = 4; *(uint8_t*)0x200000018110 = 3; *(uint16_t*)0x200000018111 = 0xd57d; *(uint8_t*)0x200000018113 = 9; *(uint8_t*)0x200000018114 = 5; *(uint8_t*)0x200000018115 = 1; *(uint8_t*)0x200000018116 = 0; *(uint16_t*)0x200000018117 = 0x400; *(uint8_t*)0x200000018119 = 0x93; *(uint8_t*)0x20000001811a = -1; *(uint8_t*)0x20000001811b = 0x5e; *(uint8_t*)0x20000001811c = 0x9f; *(uint8_t*)0x20000001811d = 0x22; memcpy((void*)0x20000001811e, "\xfa\xae\x6b\x7b\x5c\xb6\x0b\xaa\xbd\xbe\x69\xda\x80\xd6\x30\x6c\xc5\xc4\x8a\x7e\xee\xdd\x7a\x47\xa9\x2b\x69\x3f\x17\x79\x43\x85\xe5\xdf\x43\x42\x8f\xf8\x61\xb3\x89\xff\xfa\x4e\x90\x3a\x47\xcb\xec\x60\xc7\x94\xd7\x8a\x72\x87\xaf\xfd\x41\x62\x73\xfa\xe9\x78\xb7\x31\x3e\xbd\x0b\x4b\xa9\x0d\x2c\x47\xc1\xa1\xa6\x6f\x6a\x69\x8d\xca\xd6\x7c\x6b\x40\xc4\x82\xa0\x9d\x3b\x92\xc0\x54\x22\xf1\xee\xed\x15\x8b\xe3\x73\xe6\x62\x3f\x40\xf8\x2b\x25\x69\x7f\x8f\x79\x34\xc6\x0a\x81\xa4\x03\xf2\x2d\x91\x91\x66\xe0\x11\xd3\x1a\x64\x97\xa0\xc7\xa5\x12\xe4\xdd\xd8\x41\xb5\x44\x14\x54\xc1\xe1\x5d\x8a\x2a\xb3\xe7\x8f\x86\xa5\xcf\x03\xe7\x92\xe7", 157); *(uint8_t*)0x2000000181bb = 7; *(uint8_t*)0x2000000181bc = 0x25; *(uint8_t*)0x2000000181bd = 1; *(uint8_t*)0x2000000181be = 0xc; *(uint8_t*)0x2000000181bf = 1; *(uint16_t*)0x2000000181c0 = 9; *(uint8_t*)0x2000000181c2 = 9; *(uint8_t*)0x2000000181c3 = 5; *(uint8_t*)0x2000000181c4 = 3; *(uint8_t*)0x2000000181c5 = 0xc; *(uint16_t*)0x2000000181c6 = 0x10; *(uint8_t*)0x2000000181c8 = 0xb; *(uint8_t*)0x2000000181c9 = 3; *(uint8_t*)0x2000000181ca = 2; *(uint8_t*)0x2000000181cb = 0xb1; *(uint8_t*)0x2000000181cc = 0; memcpy((void*)0x2000000181cd, "\x33\xe5\xf9\x75\x6d\x19\xa3\xeb\x39\x2b\xa4\x5b\x9f\x38\x1d\xc2\xb0\x62\xee\x3c\xe9\x42\xa4\x85\xe6\x78\xa8\xea\x13\xf6\xc9\xea\xc7\x4e\xc9\x64\x1b\x11\x9d\x78\xa9\xe3\x6b\x32\x32\x7c\xfb\x53\x5d\x6e\xe4\x02\x91\x7d\x7b\x92\xa3\xef\x09\xa7\x93\x23\x73\x5d\xbe\xd9\xb6\x23\xca\x4b\x83\xdb\x01\x17\xd5\x37\xe5\xc5\x8c\x64\x05\xbb\x0f\xe3\x3b\xda\x56\xba\x38\x4b\x95\xfd\x46\x87\xdf\x02\x17\xb2\x23\xa0\xa5\x25\x06\x2e\xf2\x59\x59\x1d\xba\x73\xdb\x93\x6a\x7f\x85\xb8\x2d\xdd\xce\xd8\x21\x6a\xa4\xbc\x4e\xd6\x36\xa5\x7f\xc6\xe6\x83\xe3\xce\xb1\x0a\x63\xbe\x63\x33\x0c\x0e\xa4\xd2\xa5\xcf\xf5\xdb\x4a\xc7\x1a\xc1\x0c\xdc\xe3\xf5\xbd\x50\xc2\x9c\xa7\xd1\x55\x8d\xc5\xed\x7f\x06\xb2\x1d\xd7\xba\x9a\x0d\xc6", 175); *(uint8_t*)0x20000001827c = 9; *(uint8_t*)0x20000001827d = 5; *(uint8_t*)0x20000001827e = 5; *(uint8_t*)0x20000001827f = 0x10; *(uint16_t*)0x200000018280 = 8; *(uint8_t*)0x200000018282 = 0xd4; *(uint8_t*)0x200000018283 = 8; *(uint8_t*)0x200000018284 = 8; *(uint8_t*)0x200000018285 = 7; *(uint8_t*)0x200000018286 = 0x25; *(uint8_t*)0x200000018287 = 1; *(uint8_t*)0x200000018288 = 0xc; *(uint8_t*)0x200000018289 = 0; *(uint16_t*)0x20000001828a = 0x20a; *(uint8_t*)0x20000001828c = 7; *(uint8_t*)0x20000001828d = 0x25; *(uint8_t*)0x20000001828e = 1; *(uint8_t*)0x20000001828f = 0xc; *(uint8_t*)0x200000018290 = 9; *(uint16_t*)0x200000018291 = 5; *(uint8_t*)0x200000018293 = 9; *(uint8_t*)0x200000018294 = 5; *(uint8_t*)0x200000018295 = 5; *(uint8_t*)0x200000018296 = 0; *(uint16_t*)0x200000018297 = 8; *(uint8_t*)0x200000018299 = 7; *(uint8_t*)0x20000001829a = 7; *(uint8_t*)0x20000001829b = 1; *(uint8_t*)0x20000001829c = 0xd4; *(uint8_t*)0x20000001829d = 0xf; memcpy((void*)0x20000001829e, "\x73\x7d\x3a\x43\x15\x65\x8a\x8f\xfa\xd1\x24\xef\x25\x69\x21\x25\x49\x4e\x37\x60\x89\xb7\x0b\x3f\xa6\x3c\x98\xd5\x48\x31\x91\x45\xd9\xa4\x32\xc0\xa3\xa9\x10\x83\x5f\x2c\x89\xb9\x7e\x71\x68\xde\x3f\x5a\x68\xfc\x6d\x30\x86\xb5\xab\xbd\x9c\xad\x99\xb9\xf5\x7d\xf6\x6d\x7a\x2a\xf8\xb1\x1c\x90\x04\x1d\xd4\x4e\xa5\xcb\x90\xb0\x84\x93\xf1\xcc\x38\x39\x1a\xb3\x93\xed\xca\x7a\xfe\x19\xad\xa6\x84\xd6\x2c\x76\x02\x8a\x42\x83\xd3\xf7\xc4\xb6\xa2\x95\x30\xb4\x34\x5f\x74\xfe\xdf\x78\x70\x9f\x1a\x61\x72\xae\x09\x1c\x18\x10\x37\xaa\x8d\x41\x50\x3c\x85\x4f\x5d\x64\xa4\xe1\x77\x29\x82\xed\xb2\xfa\xeb\x1f\x1a\x4f\xfb\x5f\x1b\x62\x41\x5e\x46\xf1\xbb\x27\x37\x4d\x48\x24\x50\x31\xd0\x50\xdc\x55\x28\xc7\xd1\x9e\x7d\x9f\x4f\x71\x98\x39\x84\xe4\x4a\x63\x35\x75\xf1\xb7\x92\xd0\x6d\xb2\xad\xa0\xca\x60\xeb\x38\x96\xc7\xe5\x17\x98\x1d\x56\x7f\xe7\xb5\x8a\xd2", 210); *(uint8_t*)0x200000018370 = 9; *(uint8_t*)0x200000018371 = 5; *(uint8_t*)0x200000018372 = 2; *(uint8_t*)0x200000018373 = 0; *(uint16_t*)0x200000018374 = 0x3ff; *(uint8_t*)0x200000018376 = 5; *(uint8_t*)0x200000018377 = 0x47; *(uint8_t*)0x200000018378 = -1; *(uint8_t*)0x200000018379 = 9; *(uint8_t*)0x20000001837a = 5; *(uint8_t*)0x20000001837b = 0xd; *(uint8_t*)0x20000001837c = 4; *(uint16_t*)0x20000001837d = 0x10; *(uint8_t*)0x20000001837f = 9; *(uint8_t*)0x200000018380 = 9; *(uint8_t*)0x200000018381 = 4; *(uint8_t*)0x200000018382 = 7; *(uint8_t*)0x200000018383 = 0x25; *(uint8_t*)0x200000018384 = 1; *(uint8_t*)0x200000018385 = 8; *(uint8_t*)0x200000018386 = 5; *(uint16_t*)0x200000018387 = 1; *(uint8_t*)0x200000018389 = 0x84; *(uint8_t*)0x20000001838a = 4; memcpy((void*)0x20000001838b, "\xc2\x5a\x3f\xb7\x3a\x08\xd8\xb8\x8a\x25\xe3\x96\xfe\xe4\xb0\x18\xb4\x48\x7b\xcc\xab\xbf\xfe\x8a\xc9\x64\x09\x7b\x47\xdd\x92\x6e\x5c\xb6\x85\xc9\x56\x8c\x47\x38\xe1\xbc\x09\x72\xad\x10\xf1\x27\x89\xa9\xa8\x08\x0d\x7a\x49\x26\x30\xe9\xa1\x55\xa1\x2e\x26\x76\x04\xf5\x37\x73\xb1\xf3\xa6\x03\xc1\x9d\x4d\xc0\xf4\xc5\xcc\xee\x5e\x95\x71\x70\x6e\x99\x0d\xc8\x62\x31\x2f\xb3\xd2\x6c\xc3\x7b\x01\x1d\x95\xf3\x15\x9d\x13\xc4\xac\x34\xab\x08\x4c\x1a\x06\x60\x50\x9a\xe1\x3f\xa6\xf8\x4d\x60\x68\xb3\x3e\x5f\xf1\xda\x2a\x32\x37\x3a", 130); *(uint8_t*)0x20000001840d = 9; *(uint8_t*)0x20000001840e = 5; *(uint8_t*)0x20000001840f = 2; *(uint8_t*)0x200000018410 = 0; *(uint16_t*)0x200000018411 = 0x400; *(uint8_t*)0x200000018413 = 0xa; *(uint8_t*)0x200000018414 = 8; *(uint8_t*)0x200000018415 = 4; *(uint8_t*)0x200000018416 = 9; *(uint8_t*)0x200000018417 = 5; *(uint8_t*)0x200000018418 = 0xe; *(uint8_t*)0x200000018419 = 0; *(uint16_t*)0x20000001841a = 8; *(uint8_t*)0x20000001841c = 6; *(uint8_t*)0x20000001841d = 4; *(uint8_t*)0x20000001841e = 0x96; *(uint8_t*)0x20000001841f = 7; *(uint8_t*)0x200000018420 = 0x25; *(uint8_t*)0x200000018421 = 1; *(uint8_t*)0x200000018422 = 0; *(uint8_t*)0x200000018423 = 0xbe; *(uint16_t*)0x200000018424 = 0xda; *(uint8_t*)0x200000018426 = 7; *(uint8_t*)0x200000018427 = 0x25; *(uint8_t*)0x200000018428 = 1; *(uint8_t*)0x200000018429 = 8; *(uint8_t*)0x20000001842a = 0; *(uint16_t*)0x20000001842b = 0; *(uint8_t*)0x20000001842d = 9; *(uint8_t*)0x20000001842e = 5; *(uint8_t*)0x20000001842f = 8; *(uint8_t*)0x200000018430 = 2; *(uint16_t*)0x200000018431 = 0x10; *(uint8_t*)0x200000018433 = 0xb; *(uint8_t*)0x200000018434 = 5; *(uint8_t*)0x200000018435 = 0x8f; *(uint8_t*)0x200000018436 = 0x77; *(uint8_t*)0x200000018437 = 0xf7; memcpy((void*)0x200000018438, "\xe6\xda\x68\x32\x66\x5e\x8f\xc3\x6a\x0e\x8f\x94\x15\x7f\x6a\x5f\xbd\x96\xba\x60\x85\xfa\x6c\xc0\xde\x01\x63\x51\x50\x75\x1f\xa9\x08\x0a\x8c\xe5\xaa\xa4\xe5\x0b\xdd\xbe\xfe\x64\x9a\x98\x85\x24\x4d\x8f\xd8\x77\x92\x0b\x57\x0d\x69\x13\xac\x5e\xf7\x4d\x87\x13\x9a\x81\x21\x5a\xce\x97\x2e\x76\x9b\x6e\x70\x7e\x21\x02\xde\x59\x3a\x66\x1d\x40\x8d\x0c\xbc\xe3\x85\xec\xdc\x66\xd0\x0e\x64\x9d\xd5\x50\x4e\x8b\x1f\x2a\xee\xdf\x02\xeb\x08\xbd\x9a\x2b\x21\x02\xf3\x79\x27\xbf\xb9", 117); *(uint8_t*)0x2000000184ad = 7; *(uint8_t*)0x2000000184ae = 0x25; *(uint8_t*)0x2000000184af = 1; *(uint8_t*)0x2000000184b0 = 0xc; *(uint8_t*)0x2000000184b1 = 0x40; *(uint16_t*)0x2000000184b2 = 0x8000; *(uint8_t*)0x2000000184b4 = 9; *(uint8_t*)0x2000000184b5 = 5; *(uint8_t*)0x2000000184b6 = 0xd; *(uint8_t*)0x2000000184b7 = 0xc; *(uint16_t*)0x2000000184b8 = 0x40; *(uint8_t*)0x2000000184ba = 6; *(uint8_t*)0x2000000184bb = 0; *(uint8_t*)0x2000000184bc = 9; *(uint8_t*)0x2000000184bd = 9; *(uint8_t*)0x2000000184be = 4; *(uint8_t*)0x2000000184bf = 0x1e; *(uint8_t*)0x2000000184c0 = 8; *(uint8_t*)0x2000000184c1 = 3; *(uint8_t*)0x2000000184c2 = 0x90; *(uint8_t*)0x2000000184c3 = 0x1b; *(uint8_t*)0x2000000184c4 = 0x5d; *(uint8_t*)0x2000000184c5 = 9; *(uint8_t*)0x2000000184c6 = 9; *(uint8_t*)0x2000000184c7 = 0x24; *(uint8_t*)0x2000000184c8 = 2; *(uint8_t*)0x2000000184c9 = 1; *(uint8_t*)0x2000000184ca = 3; *(uint8_t*)0x2000000184cb = 1; *(uint8_t*)0x2000000184cc = 0; *(uint8_t*)0x2000000184cd = 0x35; *(uint8_t*)0x2000000184ce = 8; *(uint8_t*)0x2000000184cf = 9; *(uint8_t*)0x2000000184d0 = 0x24; *(uint8_t*)0x2000000184d1 = 2; *(uint8_t*)0x2000000184d2 = 1; *(uint8_t*)0x2000000184d3 = 4; *(uint8_t*)0x2000000184d4 = 3; *(uint8_t*)0x2000000184d5 = 4; *(uint8_t*)0x2000000184d6 = 0xf6; *(uint8_t*)0x2000000184d7 = 0x80; *(uint8_t*)0x2000000184d8 = 0xa; *(uint8_t*)0x2000000184d9 = 0x24; *(uint8_t*)0x2000000184da = 2; *(uint8_t*)0x2000000184db = 2; *(uint16_t*)0x2000000184dc = 5; *(uint16_t*)0x2000000184de = 0x35c6; *(uint8_t*)0x2000000184e0 = 1; *(uint8_t*)0x2000000184e1 = 3; *(uint8_t*)0x2000000184e2 = 0xa; *(uint8_t*)0x2000000184e3 = 0x24; *(uint8_t*)0x2000000184e4 = 1; *(uint16_t*)0x2000000184e5 = 0x8001; *(uint16_t*)0x2000000184e7 = 0x51; *(uint8_t*)0x2000000184e9 = 2; *(uint8_t*)0x2000000184ea = 1; *(uint8_t*)0x2000000184eb = 2; *(uint8_t*)0x2000000184ec = 9; *(uint8_t*)0x2000000184ed = 0x24; *(uint8_t*)0x2000000184ee = 6; *(uint8_t*)0x2000000184ef = 4; *(uint8_t*)0x2000000184f0 = 3; *(uint8_t*)0x2000000184f1 = 1; *(uint16_t*)0x2000000184f2 = 4; *(uint8_t*)0x2000000184f4 = 8; *(uint8_t*)0x2000000184f5 = 0xb; *(uint8_t*)0x2000000184f6 = 0x24; *(uint8_t*)0x2000000184f7 = 7; *(uint8_t*)0x2000000184f8 = 4; *(uint16_t*)0x2000000184f9 = 3; *(uint8_t*)0x2000000184fb = 9; memcpy((void*)0x2000000184fc, "\xd6\xe5\xbe\xc9", 4); *(uint8_t*)0x200000018500 = 9; *(uint8_t*)0x200000018501 = 0x24; *(uint8_t*)0x200000018502 = 7; *(uint8_t*)0x200000018503 = 1; *(uint16_t*)0x200000018504 = 1; *(uint8_t*)0x200000018506 = 6; memcpy((void*)0x200000018507, "CO", 2); *(uint8_t*)0x200000018509 = 0xc; *(uint8_t*)0x20000001850a = 0x24; *(uint8_t*)0x20000001850b = 2; *(uint8_t*)0x20000001850c = 2; *(uint16_t*)0x20000001850d = 0x204; *(uint8_t*)0x20000001850f = 5; *(uint8_t*)0x200000018510 = 9; *(uint16_t*)0x200000018511 = 9; *(uint8_t*)0x200000018513 = 1; *(uint8_t*)0x200000018514 = 0xd4; *(uint8_t*)0x200000018515 = 0x11; *(uint8_t*)0x200000018516 = 0x24; *(uint8_t*)0x200000018517 = 6; *(uint8_t*)0x200000018518 = 5; *(uint8_t*)0x200000018519 = 6; *(uint8_t*)0x20000001851a = 5; *(uint16_t*)0x20000001851b = 3; *(uint16_t*)0x20000001851d = 0xa; *(uint16_t*)0x20000001851f = 3; *(uint16_t*)0x200000018521 = 9; *(uint16_t*)0x200000018523 = 3; *(uint8_t*)0x200000018525 = 3; *(uint8_t*)0x200000018526 = 0xd; *(uint8_t*)0x200000018527 = 0x24; *(uint8_t*)0x200000018528 = 8; *(uint8_t*)0x200000018529 = 2; *(uint16_t*)0x20000001852a = 5; *(uint8_t*)0x20000001852c = 0xfa; memcpy((void*)0x20000001852d, "\xcf\x52\x1f\xd9\x77\x8e", 6); *(uint8_t*)0x200000018533 = 9; *(uint8_t*)0x200000018534 = 5; *(uint8_t*)0x200000018535 = 0; *(uint8_t*)0x200000018536 = 1; *(uint16_t*)0x200000018537 = 0x200; *(uint8_t*)0x200000018539 = 3; *(uint8_t*)0x20000001853a = 9; *(uint8_t*)0x20000001853b = 6; *(uint8_t*)0x20000001853c = 9; *(uint8_t*)0x20000001853d = 5; *(uint8_t*)0x20000001853e = 1; *(uint8_t*)0x20000001853f = 0x10; *(uint16_t*)0x200000018540 = 0; *(uint8_t*)0x200000018542 = 7; *(uint8_t*)0x200000018543 = 3; *(uint8_t*)0x200000018544 = 1; *(uint8_t*)0x200000018545 = 9; *(uint8_t*)0x200000018546 = 5; *(uint8_t*)0x200000018547 = 9; *(uint8_t*)0x200000018548 = 3; *(uint16_t*)0x200000018549 = 0x20; *(uint8_t*)0x20000001854b = 0xf; *(uint8_t*)0x20000001854c = 4; *(uint8_t*)0x20000001854d = 5; *(uint8_t*)0x20000001854e = 0x30; *(uint8_t*)0x20000001854f = 0x30; memcpy((void*)0x200000018550, "\x9a\xf3\xfe\x71\x51\xc3\xb3\xad\x7b\xd1\xa1\xc8\xe2\xee\x7c\x94\x95\xbf\xb5\x20\x94\xd1\xdc\x13\xf4\x1f\x06\xa7\x6b\x11\x1e\xbf\x90\x89\xa2\x37\x2b\x32\x34\x99\xe8\x15\x36\xed\x22\xf6", 46); *(uint8_t*)0x20000001857e = 7; *(uint8_t*)0x20000001857f = 0x25; *(uint8_t*)0x200000018580 = 1; *(uint8_t*)0x200000018581 = 0; *(uint8_t*)0x200000018582 = 0xd; *(uint16_t*)0x200000018583 = 0x1000; *(uint32_t*)0x2000000187c0 = 0xa; *(uint64_t*)0x2000000187c4 = 0x2000000185c0; *(uint8_t*)0x2000000185c0 = 0xa; *(uint8_t*)0x2000000185c1 = 6; *(uint16_t*)0x2000000185c2 = 0x200; *(uint8_t*)0x2000000185c4 = 0xe; *(uint8_t*)0x2000000185c5 = 0x7c; *(uint8_t*)0x2000000185c6 = 5; *(uint8_t*)0x2000000185c7 = 0x40; *(uint8_t*)0x2000000185c8 = 6; *(uint8_t*)0x2000000185c9 = 0; *(uint32_t*)0x2000000187cc = 0xec; *(uint64_t*)0x2000000187d0 = 0x200000018600; *(uint8_t*)0x200000018600 = 5; *(uint8_t*)0x200000018601 = 0xf; *(uint16_t*)0x200000018602 = 0xec; *(uint8_t*)0x200000018604 = 5; *(uint8_t*)0x200000018605 = 0xb; *(uint8_t*)0x200000018606 = 0x10; *(uint8_t*)0x200000018607 = 1; *(uint8_t*)0x200000018608 = 4; *(uint16_t*)0x200000018609 = 8; *(uint8_t*)0x20000001860b = 0x7f; *(uint8_t*)0x20000001860c = 4; *(uint16_t*)0x20000001860d = 0x10; *(uint8_t*)0x20000001860f = 0; *(uint8_t*)0x200000018610 = 3; *(uint8_t*)0x200000018611 = 0x10; *(uint8_t*)0x200000018612 = 0xb; *(uint8_t*)0x200000018613 = 0x14; *(uint8_t*)0x200000018614 = 0x10; *(uint8_t*)0x200000018615 = 4; *(uint8_t*)0x200000018616 = 0x19; memcpy((void*)0x200000018617, "\x37\x08\x89\x2f\x9f\x72\x25\xbe\x3a\x60\x09\x55\x99\x65\xad\x74", 16); *(uint8_t*)0x200000018627 = 0xb; *(uint8_t*)0x200000018628 = 0x10; *(uint8_t*)0x200000018629 = 1; *(uint8_t*)0x20000001862a = 4; *(uint16_t*)0x20000001862b = 0x20; *(uint8_t*)0x20000001862d = 0xc9; *(uint8_t*)0x20000001862e = 3; *(uint16_t*)0x20000001862f = 3; *(uint8_t*)0x200000018631 = 8; *(uint8_t*)0x200000018632 = 0xba; *(uint8_t*)0x200000018633 = 0x10; *(uint8_t*)0x200000018634 = 3; memcpy((void*)0x200000018635, "\x2a\x04\x52\xf8\xe5\x6a\xc2\xff\xae\xe6\xcb\x1f\xc6\xfa\xea\x42\x98\x66\x4f\x03\x26\x76\xda\x02\xee\x36\xca\xc0\xdf\x47\x2c\x05\xb6\xa8\x95\xc8\x7b\x06\x14\x5c\x8c\xb2\xbf\x15\x63\xd9\x15\xfb\x74\x59\xdf\xa3\x7e\x7b\x01\x0a\x23\x07\xd7\x6e\xd4\xc7\x5a\x0c\x19\x62\x07\x4d\x24\xf9\x83\x6e\x05\xdf\x96\x5f\xdf\x4e\x24\x60\x07\x6f\x7f\x10\x97\x08\x23\x08\x72\xab\xfc\x7b\x89\xd4\xe5\xe0\x8d\x5d\x7b\x3b\x28\xbe\x99\x66\x61\x69\xe4\xbe\xaa\x1e\xd7\x09\x9d\x4e\xad\x2e\x0a\xea\xb9\xe0\x1f\xf1\xbf\x20\xb5\x9a\x78\xa6\xd9\x85\x29\x89\xb4\xc4\x73\x25\x50\xc7\x0f\x84\x3d\xaa\x0c\x88\xd8\x2e\xf8\x06\xec\xe5\x08\xcc\x95\x53\xfe\x81\x34\xcf\xad\xc5\x76\x9b\xff\x04\x6d\xca\x8f\x1f\xe0\x31\xf2\x5d\xba\xe9\x23\x96\x22\x56\xa0\xd9\x62\xf0\x81", 183); *(uint32_t*)0x2000000187d8 = 2; *(uint32_t*)0x2000000187dc = 0x5f; *(uint64_t*)0x2000000187e0 = 0x200000018700; *(uint8_t*)0x200000018700 = 0x5f; *(uint8_t*)0x200000018701 = 3; memcpy((void*)0x200000018702, "\x15\x9f\xae\xf0\x2b\x24\x6d\xab\x7c\xba\x3e\xfc\x4a\x7f\xed\x8d\x17\x4b\xd7\x06\xd4\x84\x57\xf2\x61\xad\x8f\xe8\x8d\xc0\x42\x6f\xe7\x1a\x32\x29\x1e\xe9\x35\x75\xbf\x34\x7c\xbf\xc2\x13\x23\xb2\x08\xf1\x5a\x79\x2a\xbb\xf3\x01\x70\x92\xaa\x8e\x55\x1f\xcb\xd8\x51\xca\x73\x90\x61\x2f\x9e\x58\x48\x73\x8c\x87\x2b\x63\x87\x38\x75\x5a\xdf\xa7\xd4\x32\xea\xb1\xcd\xf1\x12\x46\xe6", 93); *(uint32_t*)0x2000000187e8 = 4; *(uint64_t*)0x2000000187ec = 0x200000018780; *(uint8_t*)0x200000018780 = 4; *(uint8_t*)0x200000018781 = 3; *(uint16_t*)0x200000018782 = 0x41d; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x745, /*dev=*/0x200000017e40, /*conn_descs=*/0x2000000187c0); if (res != -1) r[44] = res; *(uint8_t*)0x200000018800 = 0x12; *(uint8_t*)0x200000018801 = 1; *(uint16_t*)0x200000018802 = 0x200; *(uint8_t*)0x200000018804 = -1; *(uint8_t*)0x200000018805 = -1; *(uint8_t*)0x200000018806 = -1; *(uint8_t*)0x200000018807 = 0x40; *(uint16_t*)0x200000018808 = 0xcf3; *(uint16_t*)0x20000001880a = 0x9271; *(uint16_t*)0x20000001880c = 0x108; *(uint8_t*)0x20000001880e = 1; *(uint8_t*)0x20000001880f = 2; *(uint8_t*)0x200000018810 = 3; *(uint8_t*)0x200000018811 = 1; *(uint8_t*)0x200000018812 = 9; *(uint8_t*)0x200000018813 = 2; *(uint16_t*)0x200000018814 = 0x48; *(uint8_t*)0x200000018816 = 1; *(uint8_t*)0x200000018817 = 1; *(uint8_t*)0x200000018818 = 0; *(uint8_t*)0x200000018819 = 0x80; *(uint8_t*)0x20000001881a = 0xfa; *(uint8_t*)0x20000001881b = 9; *(uint8_t*)0x20000001881c = 4; *(uint8_t*)0x20000001881d = 0; *(uint8_t*)0x20000001881e = 0; *(uint8_t*)0x20000001881f = 6; *(uint8_t*)0x200000018820 = -1; *(uint8_t*)0x200000018821 = 0; *(uint8_t*)0x200000018822 = 0; *(uint8_t*)0x200000018823 = 0; *(uint8_t*)0x200000018824 = 9; *(uint8_t*)0x200000018825 = 5; *(uint8_t*)0x200000018826 = 1; *(uint8_t*)0x200000018827 = 2; *(uint16_t*)0x200000018828 = 0x200; *(uint8_t*)0x20000001882a = 0; *(uint8_t*)0x20000001882b = 0; *(uint8_t*)0x20000001882c = 0; *(uint8_t*)0x20000001882d = 9; *(uint8_t*)0x20000001882e = 5; *(uint8_t*)0x20000001882f = 0x82; *(uint8_t*)0x200000018830 = 2; *(uint16_t*)0x200000018831 = 0x200; *(uint8_t*)0x200000018833 = 0; *(uint8_t*)0x200000018834 = 0; *(uint8_t*)0x200000018835 = 0; *(uint8_t*)0x200000018836 = 9; *(uint8_t*)0x200000018837 = 5; *(uint8_t*)0x200000018838 = 0x83; *(uint8_t*)0x200000018839 = 3; *(uint16_t*)0x20000001883a = 0x40; *(uint8_t*)0x20000001883c = 1; *(uint8_t*)0x20000001883d = 0; *(uint8_t*)0x20000001883e = 0; *(uint8_t*)0x20000001883f = 9; *(uint8_t*)0x200000018840 = 5; *(uint8_t*)0x200000018841 = 4; *(uint8_t*)0x200000018842 = 3; *(uint16_t*)0x200000018843 = 0x40; *(uint8_t*)0x200000018845 = 1; *(uint8_t*)0x200000018846 = 0; *(uint8_t*)0x200000018847 = 0; *(uint8_t*)0x200000018848 = 9; *(uint8_t*)0x200000018849 = 5; *(uint8_t*)0x20000001884a = 5; *(uint8_t*)0x20000001884b = 2; *(uint16_t*)0x20000001884c = 0x200; *(uint8_t*)0x20000001884e = 0; *(uint8_t*)0x20000001884f = 0; *(uint8_t*)0x200000018850 = 0; *(uint8_t*)0x200000018851 = 9; *(uint8_t*)0x200000018852 = 5; *(uint8_t*)0x200000018853 = 6; *(uint8_t*)0x200000018854 = 2; *(uint16_t*)0x200000018855 = 0x200; *(uint8_t*)0x200000018857 = 0; *(uint8_t*)0x200000018858 = 0; *(uint8_t*)0x200000018859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000018800, /*conn_descs=*/0); if (res != -1) r[45] = res; *(uint32_t*)0x200000018a00 = 0x2c; *(uint64_t*)0x200000018a04 = 0x200000018880; *(uint8_t*)0x200000018880 = 0x20; *(uint8_t*)0x200000018881 = 0xa; *(uint32_t*)0x200000018882 = 6; *(uint8_t*)0x200000018886 = 6; *(uint8_t*)0x200000018887 = 0x11; memcpy((void*)0x200000018888, "\x11\xbe\x69\x06", 4); *(uint64_t*)0x200000018a0c = 0x2000000188c0; *(uint8_t*)0x2000000188c0 = 0; *(uint8_t*)0x2000000188c1 = 3; *(uint32_t*)0x2000000188c2 = 0x4b; *(uint8_t*)0x2000000188c6 = 0x4b; *(uint8_t*)0x2000000188c7 = 3; memcpy((void*)0x2000000188c8, "\x54\xf1\x66\xc5\x04\xf7\x90\xb8\xfd\x21\x67\xab\x4d\x22\x07\xfa\xf4\xe0\xd9\xb9\x06\x85\x64\xc8\xfe\xe8\x2a\x31\xe2\xa5\x6d\x9b\x86\x3c\x41\x88\xc8\x02\xbd\x1e\x73\x79\x93\xba\x22\xa3\x23\x79\x5c\xb0\xb4\xf4\xe9\x4c\xb7\x96\x75\x88\x40\xf7\xc8\x88\x98\x69\x4a\x05\x9b\xe7\x6c\x02\x85\xd6\x91", 73); *(uint64_t*)0x200000018a14 = 0x200000018940; *(uint8_t*)0x200000018940 = 0; *(uint8_t*)0x200000018941 = 0xf; *(uint32_t*)0x200000018942 = 0x1a; *(uint8_t*)0x200000018946 = 5; *(uint8_t*)0x200000018947 = 0xf; *(uint16_t*)0x200000018948 = 0x1a; *(uint8_t*)0x20000001894a = 2; *(uint8_t*)0x20000001894b = 0xb; *(uint8_t*)0x20000001894c = 0x10; *(uint8_t*)0x20000001894d = 1; *(uint8_t*)0x20000001894e = 2; *(uint16_t*)0x20000001894f = 1; *(uint8_t*)0x200000018951 = 4; *(uint8_t*)0x200000018952 = 0xa; *(uint16_t*)0x200000018953 = 4; *(uint8_t*)0x200000018955 = 0x10; *(uint8_t*)0x200000018956 = 0xa; *(uint8_t*)0x200000018957 = 0x10; *(uint8_t*)0x200000018958 = 3; *(uint8_t*)0x200000018959 = 0; *(uint16_t*)0x20000001895a = 4; *(uint8_t*)0x20000001895c = 6; *(uint8_t*)0x20000001895d = 0; *(uint16_t*)0x20000001895e = 1; *(uint64_t*)0x200000018a1c = 0x200000018980; *(uint8_t*)0x200000018980 = 0x20; *(uint8_t*)0x200000018981 = 0x29; *(uint32_t*)0x200000018982 = 0xf; *(uint8_t*)0x200000018986 = 0xf; *(uint8_t*)0x200000018987 = 0x29; *(uint8_t*)0x200000018988 = 0x7e; *(uint16_t*)0x200000018989 = 0; *(uint8_t*)0x20000001898b = 2; *(uint8_t*)0x20000001898c = 7; memcpy((void*)0x20000001898d, "\x3c\x68\x95\xab", 4); memcpy((void*)0x200000018991, "\x13\x82\x53\xae", 4); *(uint64_t*)0x200000018a24 = 0x2000000189c0; *(uint8_t*)0x2000000189c0 = 0x20; *(uint8_t*)0x2000000189c1 = 0x2a; *(uint32_t*)0x2000000189c2 = 0xc; *(uint8_t*)0x2000000189c6 = 0xc; *(uint8_t*)0x2000000189c7 = 0x2a; *(uint8_t*)0x2000000189c8 = 0xe; *(uint16_t*)0x2000000189c9 = 1; *(uint8_t*)0x2000000189cb = 0xb5; *(uint8_t*)0x2000000189cc = 2; *(uint8_t*)0x2000000189cd = 6; *(uint16_t*)0x2000000189ce = 7; *(uint16_t*)0x2000000189d0 = 9; *(uint32_t*)0x200000018e40 = 0x84; *(uint64_t*)0x200000018e44 = 0x200000018a40; *(uint8_t*)0x200000018a40 = 0x20; *(uint8_t*)0x200000018a41 = 0xc; *(uint32_t*)0x200000018a42 = 2; memcpy((void*)0x200000018a46, "\xd8\x0b", 2); *(uint64_t*)0x200000018e4c = 0x200000018a80; *(uint8_t*)0x200000018a80 = 0; *(uint8_t*)0x200000018a81 = 0xa; *(uint32_t*)0x200000018a82 = 1; *(uint8_t*)0x200000018a86 = 7; *(uint64_t*)0x200000018e54 = 0x200000018ac0; *(uint8_t*)0x200000018ac0 = 0; *(uint8_t*)0x200000018ac1 = 8; *(uint32_t*)0x200000018ac2 = 1; *(uint8_t*)0x200000018ac6 = 5; *(uint64_t*)0x200000018e5c = 0x200000018b00; *(uint8_t*)0x200000018b00 = 0x20; *(uint8_t*)0x200000018b01 = 0; *(uint32_t*)0x200000018b02 = 4; *(uint16_t*)0x200000018b06 = 0; *(uint16_t*)0x200000018b08 = 2; *(uint64_t*)0x200000018e64 = 0x200000018b40; *(uint8_t*)0x200000018b40 = 0x20; *(uint8_t*)0x200000018b41 = 0; *(uint32_t*)0x200000018b42 = 8; *(uint16_t*)0x200000018b46 = 0x1160; *(uint16_t*)0x200000018b48 = 2; *(uint32_t*)0x200000018b4a = 0x1e0ff; *(uint64_t*)0x200000018e6c = 0x200000018b80; *(uint8_t*)0x200000018b80 = 0x40; *(uint8_t*)0x200000018b81 = 7; *(uint32_t*)0x200000018b82 = 2; *(uint16_t*)0x200000018b86 = 0; *(uint64_t*)0x200000018e74 = 0x200000018bc0; *(uint8_t*)0x200000018bc0 = 0x40; *(uint8_t*)0x200000018bc1 = 9; *(uint32_t*)0x200000018bc2 = 1; *(uint8_t*)0x200000018bc6 = 0x81; *(uint64_t*)0x200000018e7c = 0x200000018c00; *(uint8_t*)0x200000018c00 = 0x40; *(uint8_t*)0x200000018c01 = 0xb; *(uint32_t*)0x200000018c02 = 2; memcpy((void*)0x200000018c06, "~s", 2); *(uint64_t*)0x200000018e84 = 0x200000018c40; *(uint8_t*)0x200000018c40 = 0x40; *(uint8_t*)0x200000018c41 = 0xf; *(uint32_t*)0x200000018c42 = 2; *(uint16_t*)0x200000018c46 = 0xa; *(uint64_t*)0x200000018e8c = 0x200000018c80; *(uint8_t*)0x200000018c80 = 0x40; *(uint8_t*)0x200000018c81 = 0x13; *(uint32_t*)0x200000018c82 = 6; memset((void*)0x200000018c86, 170, 5); *(uint8_t*)0x200000018c8b = 0x17; *(uint64_t*)0x200000018e94 = 0x200000018cc0; *(uint8_t*)0x200000018cc0 = 0x40; *(uint8_t*)0x200000018cc1 = 0x17; *(uint32_t*)0x200000018cc2 = 6; memset((void*)0x200000018cc6, 170, 5); *(uint8_t*)0x200000018ccb = 0x3d; *(uint64_t*)0x200000018e9c = 0x200000018d00; *(uint8_t*)0x200000018d00 = 0x40; *(uint8_t*)0x200000018d01 = 0x19; *(uint32_t*)0x200000018d02 = 2; memcpy((void*)0x200000018d06, "\xb3\x62", 2); *(uint64_t*)0x200000018ea4 = 0x200000018d40; *(uint8_t*)0x200000018d40 = 0x40; *(uint8_t*)0x200000018d41 = 0x1a; *(uint32_t*)0x200000018d42 = 2; *(uint16_t*)0x200000018d46 = 6; *(uint64_t*)0x200000018eac = 0x200000018d80; *(uint8_t*)0x200000018d80 = 0x40; *(uint8_t*)0x200000018d81 = 0x1c; *(uint32_t*)0x200000018d82 = 1; *(uint8_t*)0x200000018d86 = 0xfa; *(uint64_t*)0x200000018eb4 = 0x200000018dc0; *(uint8_t*)0x200000018dc0 = 0x40; *(uint8_t*)0x200000018dc1 = 0x1e; *(uint32_t*)0x200000018dc2 = 1; *(uint8_t*)0x200000018dc6 = 9; *(uint64_t*)0x200000018ebc = 0x200000018e00; *(uint8_t*)0x200000018e00 = 0x40; *(uint8_t*)0x200000018e01 = 0x21; *(uint32_t*)0x200000018e02 = 1; *(uint8_t*)0x200000018e06 = 8; syz_usb_control_io(/*fd=*/r[44], /*descs=*/0x200000018a00, /*resps=*/0x200000018e40); syz_usb_disconnect(/*fd=*/r[45]); syz_usb_ep_read(/*fd=*/r[45], /*ep=*/0xd2, /*len=*/0xde, /*data=*/0x200000018f00); *(uint8_t*)0x200000019000 = 0x12; *(uint8_t*)0x200000019001 = 1; *(uint16_t*)0x200000019002 = 0x110; *(uint8_t*)0x200000019004 = 0; *(uint8_t*)0x200000019005 = 0; *(uint8_t*)0x200000019006 = 0; *(uint8_t*)0x200000019007 = 0x10; *(uint16_t*)0x200000019008 = 0x1430; *(uint16_t*)0x20000001900a = 0x474b; *(uint16_t*)0x20000001900c = 0x40; *(uint8_t*)0x20000001900e = 1; *(uint8_t*)0x20000001900f = 2; *(uint8_t*)0x200000019010 = 3; *(uint8_t*)0x200000019011 = 1; *(uint8_t*)0x200000019012 = 9; *(uint8_t*)0x200000019013 = 2; *(uint16_t*)0x200000019014 = 0xcc; *(uint8_t*)0x200000019016 = 1; *(uint8_t*)0x200000019017 = 1; *(uint8_t*)0x200000019018 = 9; *(uint8_t*)0x200000019019 = 0; *(uint8_t*)0x20000001901a = 9; *(uint8_t*)0x20000001901b = 9; *(uint8_t*)0x20000001901c = 4; *(uint8_t*)0x20000001901d = 0; *(uint8_t*)0x20000001901e = 0; *(uint8_t*)0x20000001901f = 5; *(uint8_t*)0x200000019020 = 1; *(uint8_t*)0x200000019021 = 3; *(uint8_t*)0x200000019022 = 0; *(uint8_t*)0x200000019023 = 0xa; *(uint8_t*)0x200000019024 = 7; *(uint8_t*)0x200000019025 = 0x24; *(uint8_t*)0x200000019026 = 1; *(uint16_t*)0x200000019027 = 0; *(uint16_t*)0x200000019029 = 7; *(uint8_t*)0x20000001902b = 0x11; *(uint8_t*)0x20000001902c = 0x24; *(uint8_t*)0x20000001902d = 3; *(uint8_t*)0x20000001902e = 0; *(uint8_t*)0x20000001902f = 0xf5; *(uint8_t*)0x200000019030 = 5; *(uint8_t*)0x200000019031 = 4; *(uint8_t*)0x200000019032 = 0; *(uint8_t*)0x200000019033 = 7; *(uint8_t*)0x200000019034 = 7; *(uint8_t*)0x200000019035 = 0xc1; *(uint8_t*)0x200000019036 = 0; *(uint8_t*)0x200000019037 = 3; *(uint8_t*)0x200000019038 = 3; *(uint8_t*)0x200000019039 = 2; *(uint8_t*)0x20000001903a = 0xc; *(uint8_t*)0x20000001903b = 0xd4; *(uint8_t*)0x20000001903c = 0x13; *(uint8_t*)0x20000001903d = 0x24; *(uint8_t*)0x20000001903e = 3; *(uint8_t*)0x20000001903f = 2; *(uint8_t*)0x200000019040 = 0xd; *(uint8_t*)0x200000019041 = 6; *(uint8_t*)0x200000019042 = 0x13; *(uint8_t*)0x200000019043 = 0x80; *(uint8_t*)0x200000019044 = 2; *(uint8_t*)0x200000019045 = 0xe; *(uint8_t*)0x200000019046 = 1; *(uint8_t*)0x200000019047 = 3; *(uint8_t*)0x200000019048 = 8; *(uint8_t*)0x200000019049 = 7; *(uint8_t*)0x20000001904a = 7; *(uint8_t*)0x20000001904b = 4; *(uint8_t*)0x20000001904c = 0xeb; *(uint8_t*)0x20000001904d = 6; *(uint8_t*)0x20000001904e = 4; *(uint8_t*)0x20000001904f = 7; *(uint8_t*)0x200000019050 = 0x24; *(uint8_t*)0x200000019051 = 1; *(uint16_t*)0x200000019052 = 3; *(uint16_t*)0x200000019054 = 7; *(uint8_t*)0x200000019056 = 9; *(uint8_t*)0x200000019057 = 0x24; *(uint8_t*)0x200000019058 = 3; *(uint8_t*)0x200000019059 = 0; *(uint8_t*)0x20000001905a = 6; *(uint8_t*)0x20000001905b = 1; *(uint8_t*)0x20000001905c = 2; *(uint8_t*)0x20000001905d = 0x53; *(uint8_t*)0x20000001905e = 0; *(uint8_t*)0x20000001905f = 9; *(uint8_t*)0x200000019060 = 5; *(uint8_t*)0x200000019061 = 0xc; *(uint8_t*)0x200000019062 = 0; *(uint16_t*)0x200000019063 = 8; *(uint8_t*)0x200000019065 = 0; *(uint8_t*)0x200000019066 = 3; *(uint8_t*)0x200000019067 = 0xef; *(uint8_t*)0x200000019068 = 0xf; *(uint8_t*)0x200000019069 = 0x25; *(uint8_t*)0x20000001906a = 1; *(uint8_t*)0x20000001906b = 0xb; memcpy((void*)0x20000001906c, "\x8d\xca\x6f\x86\xba\x15\x43\xf9\xfd\x54\x17", 11); *(uint8_t*)0x200000019077 = 9; *(uint8_t*)0x200000019078 = 5; *(uint8_t*)0x200000019079 = 1; *(uint8_t*)0x20000001907a = 2; *(uint16_t*)0x20000001907b = 0x10; *(uint8_t*)0x20000001907d = 0xa5; *(uint8_t*)0x20000001907e = 8; *(uint8_t*)0x20000001907f = 3; *(uint8_t*)0x200000019080 = 0x13; *(uint8_t*)0x200000019081 = 0x25; *(uint8_t*)0x200000019082 = 1; *(uint8_t*)0x200000019083 = 0xf; memcpy((void*)0x200000019084, "\xfc\x2a\xb7\xfa\xb0\x2e\x86\xb9\xc8\x3c\x1a\x1c\x2e\xe5\xba", 15); *(uint8_t*)0x200000019093 = 9; *(uint8_t*)0x200000019094 = 5; *(uint8_t*)0x200000019095 = 0xc; *(uint8_t*)0x200000019096 = 8; *(uint16_t*)0x200000019097 = 0x400; *(uint8_t*)0x200000019099 = 3; *(uint8_t*)0x20000001909a = 0; *(uint8_t*)0x20000001909b = 0xbe; *(uint8_t*)0x20000001909c = 0x13; *(uint8_t*)0x20000001909d = 0x25; *(uint8_t*)0x20000001909e = 1; *(uint8_t*)0x20000001909f = 0xf; memcpy((void*)0x2000000190a0, "\xd9\x81\x1e\x1e\xd3\x64\x2b\xab\x8c\x2a\x71\xbc\x25\xbf\x6c", 15); *(uint8_t*)0x2000000190af = 9; *(uint8_t*)0x2000000190b0 = 5; *(uint8_t*)0x2000000190b1 = 3; *(uint8_t*)0x2000000190b2 = 0; *(uint16_t*)0x2000000190b3 = 0x3ff; *(uint8_t*)0x2000000190b5 = 0x7f; *(uint8_t*)0x2000000190b6 = 0x96; *(uint8_t*)0x2000000190b7 = 7; *(uint8_t*)0x2000000190b8 = 0xf; *(uint8_t*)0x2000000190b9 = 0x25; *(uint8_t*)0x2000000190ba = 1; *(uint8_t*)0x2000000190bb = 0xb; memcpy((void*)0x2000000190bc, "\x0e\xc3\xb8\xef\xc0\x22\xfc\x1b\x47\x4c\xae", 11); *(uint8_t*)0x2000000190c7 = 9; *(uint8_t*)0x2000000190c8 = 5; *(uint8_t*)0x2000000190c9 = 1; *(uint8_t*)0x2000000190ca = 0; *(uint16_t*)0x2000000190cb = 0x200; *(uint8_t*)0x2000000190cd = 0x18; *(uint8_t*)0x2000000190ce = 5; *(uint8_t*)0x2000000190cf = 3; *(uint8_t*)0x2000000190d0 = 0xe; *(uint8_t*)0x2000000190d1 = 0x25; *(uint8_t*)0x2000000190d2 = 1; *(uint8_t*)0x2000000190d3 = 0xa; memcpy((void*)0x2000000190d4, "\xe3\xc1\x06\xc5\x4a\x63\x63\x8a\x2e\x82", 10); *(uint32_t*)0x200000019280 = 0xa; *(uint64_t*)0x200000019284 = 0x200000019100; *(uint8_t*)0x200000019100 = 0xa; *(uint8_t*)0x200000019101 = 6; *(uint16_t*)0x200000019102 = 0x110; *(uint8_t*)0x200000019104 = 2; *(uint8_t*)0x200000019105 = 2; *(uint8_t*)0x200000019106 = 8; *(uint8_t*)0x200000019107 = -1; *(uint8_t*)0x200000019108 = 0; *(uint8_t*)0x200000019109 = 0; *(uint32_t*)0x20000001928c = 0x3d; *(uint64_t*)0x200000019290 = 0x200000019140; *(uint8_t*)0x200000019140 = 5; *(uint8_t*)0x200000019141 = 0xf; *(uint16_t*)0x200000019142 = 0x3d; *(uint8_t*)0x200000019144 = 5; *(uint8_t*)0x200000019145 = 0xb; *(uint8_t*)0x200000019146 = 0x10; *(uint8_t*)0x200000019147 = 1; *(uint8_t*)0x200000019148 = 0xc; *(uint16_t*)0x200000019149 = 0x40; *(uint8_t*)0x20000001914b = 0xab; *(uint8_t*)0x20000001914c = 3; *(uint16_t*)0x20000001914d = 0x100; *(uint8_t*)0x20000001914f = 0; *(uint8_t*)0x200000019150 = 0x14; *(uint8_t*)0x200000019151 = 0x10; *(uint8_t*)0x200000019152 = 4; *(uint8_t*)0x200000019153 = 0; memcpy((void*)0x200000019154, "\x56\x99\xf3\x92\x8d\x2d\x0a\x00\x63\x3f\x2b\x02\x58\x4c\x01\x6a", 16); *(uint8_t*)0x200000019164 = 0xb; *(uint8_t*)0x200000019165 = 0x10; *(uint8_t*)0x200000019166 = 1; *(uint8_t*)0x200000019167 = 0xc; *(uint16_t*)0x200000019168 = 0x80; *(uint8_t*)0x20000001916a = 0; *(uint8_t*)0x20000001916b = 8; *(uint16_t*)0x20000001916c = 0x6baa; *(uint8_t*)0x20000001916e = 2; *(uint8_t*)0x20000001916f = 7; *(uint8_t*)0x200000019170 = 0x10; *(uint8_t*)0x200000019171 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019172, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019174, 0x98, 0, 16); *(uint8_t*)0x200000019176 = 7; *(uint8_t*)0x200000019177 = 0x10; *(uint8_t*)0x200000019178 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019179, 0x12, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 3, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917b, 4, 0, 16); *(uint32_t*)0x200000019298 = 1; *(uint32_t*)0x20000001929c = 0xc1; *(uint64_t*)0x2000000192a0 = 0x200000019180; *(uint8_t*)0x200000019180 = 0xc1; *(uint8_t*)0x200000019181 = 3; memcpy((void*)0x200000019182, "\xb6\x43\x49\xde\x30\xb2\x3e\x68\x3c\x87\xb0\xfe\x59\x34\x1d\x26\xe0\xe3\x91\xac\xdf\x6a\xd0\x57\x1a\xcc\x05\xf8\xe5\xfc\xfd\xc3\x93\x6c\x96\xd9\x99\x06\xc4\xc1\xe5\xd9\xce\x59\x60\x9e\x60\xfc\x39\x40\x29\xa1\x9f\xec\x98\x1c\xfd\xe7\xe9\xd3\x8c\x14\x65\xf6\xa0\x4b\x5b\x0e\xe2\x98\xf5\xf2\x1e\x58\xf7\x1b\x8f\x71\x00\xd1\xbc\x55\xca\x97\xb1\xb3\xab\x63\x48\x5b\x92\xe1\x66\x30\xae\x0c\x53\x93\x15\xc2\x5c\xef\xc3\x47\xd6\x6d\x80\xc2\x53\x1e\x81\xaf\x67\xe1\x79\xc1\x69\x66\xbc\xb8\xe9\x98\xe0\xcd\x1b\x3c\x2b\xdc\x6c\x04\x99\x46\xed\xb3\xea\xaf\xbb\xd9\xb5\xf0\xfe\x7c\x59\x25\xb6\x19\xe8\xe7\xcf\xce\x1a\x62\xc4\xd2\xac\x45\x97\x40\x06\x5e\x9f\x9e\xb7\x22\x02\xc0\xed\xae\x4b\xfc\xf5\xd1\x1b\x93\x14\x58\x1d\x63\xe6\x88\xec\x40\xc0\x37\xa3\xc4\x1c\x02\x20\xbb\x1a", 191); res = -1; res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0xde, /*dev=*/0x200000019000, /*conn_descs=*/0x200000019280); if (res != -1) r[46] = res; memcpy((void*)0x2000000192c0, "\xb7\x25\x34\xd8\x42\x09\xa7\xa8\x62", 9); syz_usb_ep_write(/*fd=*/r[46], /*ep=*/3, /*len=*/9, /*data=*/0x2000000192c0); syz_usbip_server_init(/*speed=USB_SPEED_LOW*/1); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_one': :7066:16: error: '__NR_socketcall' undeclared (first use in this function) :7066:16: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor3754408900 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/11 (0.41s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/21 (0.41s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/19 (0.41s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/22 (0.42s) csource_test.go:161: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:true USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_io_uring_complete(0x0, 0x0) (fail_nth: 1) write$cgroup_type(r0, &(0x7f0000000000), 0x9) (async) cachestat(r0, &(0x7f0000000040)={0xffffffffffffffff}, &(0x7f0000000080), 0x0) (rerun: 4) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0xf503, 0x0) r1 = openat$bsg(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bsg/2:0:0:0\x00', 0x2000, 0x0) ioctl$AUTOFS_IOC_READY(r1, 0x9360, 0x76) setsockopt$pppl2tp_PPPOL2TP_SO_RECVSEQ(r0, 0x111, 0x2, 0x0, 0x4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f0000000240)={0x6, 0xa, &(0x7f00000001c0)={0xfffffffffffffff7, 0x4, 0x7, 0x1, &(0x7f0000000100)=[0x4], 0xd8d, 0x40, 0x42, &(0x7f0000000140)="397015495b433e062b4ef549b056c6053006148248bee934bd6a208a2a61c79f4a49357e536538e086957c377ed1f5a646b74017e305842144812e9bba2901bf4411", 0x9, 0x1}, &(0x7f0000000200), 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_MM_PHYSMEMNEWRAMBACKEDLOCKEDPMR(r0, 0xc0206440, &(0x7f00000003c0)={0x6, 0xa, &(0x7f0000000340)={0x3, 0x72, 0x23, 0x8, &(0x7f0000000280)=[0x107c, 0x10001, 0x7, 0x5e, 0x50, 0x5, 0x4, 0x1], 0x80000000, 0x4000000, 0x7b, &(0x7f00000002c0)="318d74c326f1d0a1ddbde1b51264ef98bfda4fb69c29e7e26f55d00aa6bd2497e23c8495bbc94403a7cba75120bcaa832dd53aee8ea1a66a79dbbaf3f0e23210a900059df2ddaca7125bd90eb91fa2c9c8109eb62552e90a219ef966dcaa594c33a1e623bc0d18fe1db97c9eb7beab52ef03c21bf7e61449526687", 0x10, 0x80000000}, &(0x7f0000000380)={0x0}, 0x3c, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_PVRTL_TLWRITEDATA(r0, 0xc0206440, &(0x7f0000000500)={0xf, 0x7, &(0x7f0000000480)={r2, 0x77, &(0x7f0000000400)="8e468e19aab047d4e00e0ed7fae1830e8eaa0f74bf5f1a071c66a6cd46197d7c22aa47147d723bee80238fd9e275b5c9ac9c8979f6fcbd068acc9469f561db806a720d53b1dc48320b365bad54f04e1acd0ad40862618d0e8953cd0202169e1549392bb2edd07d80fd37fce2f6f848013f383853951906"}, &(0x7f00000004c0), 0x14, 0x4}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@data_frame={@msdu=@type00={{0x0, 0x2, 0x7, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1}, {0x3}, @device_a, @device_b, @from_mac=@broadcast, {0x9, 0x3}, "", @void, @value=@ver_80211n={0x0, 0x7ffe, 0x0, 0x3, 0x0, 0x3, 0x1, 0x0, 0x0, 0x1}}, @a_msdu=[{@device_b, @device_b, 0x70, "387497a69841a2e528b4f29912f3dd10b50ba5a1e170cc5b6d1c7a78f57a5e0fcc9b2e9a5e87d25516580ea1f223f1317f86ecc39117cf0e535c2e2befcf11ff81999d1b87d9b198c803d72ad724e94c783ccac7763ad34e6f7491b3637ce2f46677a7612873ed0a3fb64c0b3d78503b"}]}, 0x9c) syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000140)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000180)='bpf_lsm_path_link\x00') r3 = syz_clone(0x40000000, &(0x7f00000001c0)="4998de6d85ea9e09841517b61ce22a88", 0x10, &(0x7f0000000200), &(0x7f0000000240), &(0x7f0000000280)="b9662d100f99f4e91d1de2c980ce459994b046bfe06b9a28c60dea9680ab4bcc3f5d3397a5a251d7ba7693b7eb37177d030a2b3fce8a232e5b03f10a948052ee907fb32f575b2310fae99107f95ccab714722f59ecdb") r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000540)='./cgroup.net/syz1\x00', 0x200002, 0x0) r5 = syz_clone3(&(0x7f0000000580)={0x200, &(0x7f0000000300), &(0x7f0000000340)=0x0, &(0x7f0000000380)=0x0, {0x22}, &(0x7f00000003c0)=""/179, 0xb3, &(0x7f0000000480)=""/66, &(0x7f0000000500)=[r3], 0x1, {r4}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000600)='./file0\x00') syz_emit_ethernet(0x56, &(0x7f0000000640)={@broadcast, @remote, @void, {@canfd={0xd, {{0x0, 0x0, 0x1, 0x1}, 0x13, 0x0, 0x0, 0x0, "52ba74a68ef063725a233b9509b8fd57d58ee264c37d44cd7c1e1075f83d41720f374e7e3c9c01b86bfdba9077a2c5bd2b73eb43874764a25316bd3b28368a77"}}}}, &(0x7f00000006c0)={0x1, 0x1, [0x193, 0x6b4, 0xfe9, 0x1fd]}) syz_emit_vhci(&(0x7f0000000700)=@HCI_EVENT_PKT={0x4, @extended_inquiry_info={{0x2f, 0x4f7}, {0x5, [{@none, 0x0, 0x6, "d24446", 0x8, 0x5, "43ca60b9ed4eb6934c4457f2bc5aa0ae593beeed8a789aefcfb8ec83ec7529d54cba5b40db8e0bbc549bf2daad5883da0869b376fdc0e0cc708e0215c9ba10d54ce801346c9731123e8edc523098a8c4c4e09c8ca5afaa510b825705bfcb534ccb8161511b23c1ef7eac6690ff08a8b48fec50ca28d759369c7000689e8e5efa7d691c1c67b2d98dc9bce7fe04657d156d148fa4c0e8ed5df1b820ab6fbd4c2f10f692da5df9e9e9e7463f732b908fe70608b36c8d33664739b2fbd81806cff9b2a19fddeca0685d84a3b4fb6e4b2da14198bdccf86f6daabd361fe7a259ac83c1e9a1ae73429f5bd2465cab2487bdd0"}, {@none, 0x9, 0x6, "7aa2fc", 0x2, 0x5a, "052195f68d623e277339549cd0596ea8d93dcb3704365a1fe131001ddfc78677d59246b7163b2a857523bc03137c5e74d51f91c59eea5ec1c9003d000733a466a074866803d3394bea9a3b3d7e5d67755ff3abb6cf741dde943f2a053ad9b328d0c53cded27abd1cd237341fd89842736abc794f81576ed5b95189dd4794b90dfe6748ae5c405e0827a8439ca368fbd6ea5a49d147e5364c2ffe32013afa0b7b4017951cc96a1d5aab926c9a85ac3529020fc62b2b8faa56f674682b27d994bcb4746d7aa06ef430a6140eec740627569287c2abf99514a28751d16d3b7aec64c16a217bfe2b13bdaa911d976f481516"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x3, 0x5, "24b80f", 0x7, 0x7, "b3ada341371175469ded69ecf799e4a1194f89133c06019703d569cd1c29c53a302e49b159a78f22df58260ea65730f1d60ce2bffb5bb00da408a73ba94586b850c8bdc188017de780947019c1160e4de6a4bcff9679840ee2f1bec62851a512f73912564c278f8bcf11b2459af745c4e302f7542fb586c218df5d5d741dd3b331b090adf53a39e6d179f698937eaf1f296ed38be5f78009b5593fbad7ce8de3177e1b85401c9b10180116ab3dd2b79fb27cf6b781b02c10d92b9077231baff2d796bdd6a60934decbd4730b8cd3a7f5d73b9d56fd8fe4428a8ee6e9aab0f07a170ed8880da6937863d6e273a5a50847"}, {@none, 0x2, 0xc, "ea7fc4", 0x8df0, 0x6, "717a9cb0a4bb327cbcd40c45a41da58abafefc56db61d4de5f808e54dafa830d32821b9b3d09636dfb4f09884853b276996613006c4936095b667d41cadb7d45b307e434c15619b8d90319f2ffe145511dffdbe0c87aa2eea977359cba985c28336398cb6fe4939f4c70271bb9890a63ce61b91d2ff386c94b83c3fee9a43bb705eadc97907676652fe06cf8872966ee9d8cb21f242185448f0c688a9d0b6bb5923c37587850bae8b0438915fa4b062009eacb71d33909586de59d758a635e4e18f5c5fd4e4cd08134cf4af6e71c783cbc71ea85fbc2e67d8499622ac2460d44822b33339f122efe0f0b0c76b56c3473"}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x10, 0x6, "c5ecb3", 0x7, 0x5, "230276296df7a839cdb0c698a3b6cebba6e7f8f843267597af962842e4a5f003617064f27e1db99a03c126776b86d3b4b4ba41356c681f7ba54c248e2ae9f43ef5aa08f30721c5fbb3d7a0fb95da303be2e2607d775877945e61f5c98b72e4bd3f5b92c3ebc55a167e4bab5f16468e5d14ce3c988f71872d0985a2f50374c672de1477f60bd549a28206d4100aab9c222ba3330476025534ba2faf03a5c7e8885fe8041fcc9bf6de815abf2e09175e1981f89551e9b5cb59bb493e950edfc5ea0036351e4978cd63c8a50646e7104756e20605773fbd3e7131b7a55d8b60086b4fceb02b3015ba49de2d541fb06a9d27"}]}}}, 0x4fa) syz_extract_tcp_res(&(0x7f0000000c00), 0x1, 0x5) msgctl$auto_MSG_STAT(0xab1, 0xb, &(0x7f0000002fc0)={{0x8001, 0xee00, 0xee00, 0xdaf9, 0xd56, 0x6, 0x7}, &(0x7f0000002f40)=0x6, &(0x7f0000002f80)=0x8, 0x9, 0x3, 0x6, 0x7, 0x101, 0x9, 0x3, 0x7, @inferred=r6, @raw}) stat$auto(&(0x7f0000003040)='./file0\x00', &(0x7f0000003080)={0xfffffffffffffffb, 0x2, 0x1, 0x7, 0xee01, 0xffffffffffffffff, 0x0, 0x74ff, 0x4, 0x9, 0x5, 0xc50, 0x3, 0xd, 0x5, 0x1650, 0x4}) fstat(r4, &(0x7f00000031c0)={0x0, 0x0, 0x0, 0x0, 0x0}) shmctl$auto_IPC_STAT(0x81, 0x2, &(0x7f0000003500)={{0x6, 0xee01, 0xffffffffffffffff, 0xe, 0x101, 0xf1, 0x40}, 0x287c, 0x6a1a, 0x2, 0x9, @inferred=r3, @inferred=r6, 0x0, 0x0, &(0x7f00000033c0)="056976a58633696b63367a4cb488b16ce85e89943e5f0928ec40d6d893807fa6c44c5d38daab118433a7e8f1c46e1f060f28165f41adb8e679cd9e46ac384774e56bca1880a690fc3f8ed5f124dd98467a33bb40cf191cfbb9590f59179bb611cce789225922a0ef4f2286f87f847214fe25618b989a0501e7eca7170a3913bc68b4539966e289ff94ac31e8823668bd0499d09b055c41410ba2f2101abaf7155399f97ee924e9277e6f54819f12fef3c5769378b344b6ff6409edc578c6c93accb0f08a5d8ffcab30cdbd713d1b93ee7b8eefdf77ea", &(0x7f00000034c0)="020c5a2af3"}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000004640)={{0x35cdee94, 0x0, 0xffffffffffffffff, 0x3, 0x6, 0x2, 0x80}, 0x3, 0x8, 0x7ff, 0x1, @inferred=r7, @inferred=r5, 0x9, 0x0, &(0x7f0000003580)="cd052c206f368b4a7d16e28cd36b1ea6d10dab7017b7d085ea27b3e3389d760d2277e20febc686f359d6083a629e7981089e0419c7b562dbbdc2e67c1e95104a390549c9371a4345f2aa7d8458094c6075b84d11486d27bf68233bb457eb106bab49a3fad299b590025e4fb5e43c712ad891f39138bdb922ea9d21b7cfc7c343f9a21496c66922cab8e66535337a89a717c354bf1846b506c234a3093d728c6baf272a6fa5153dc039f87e0a36744e1f80f2aac030e2f8ae6a7dbcd3f17bc68ad0b61ce31212c46edd615d571b338e22c0ed5d26f7bb2f365ecb2c432647a7c6d775b0e41db928f9e7b2af72d690acf8b2ad8c2e000505b6952c4ab9e2a8ecd07de44b2b48af7b894696ae567b6dd0a1f99b007a8fcf41db20827f58325a9e8812354425bdcc3f81f2d3863d7777fd80360eb8b9e77e47059a1d2265733c4a8a063b45ed0b8c2481e1cdeafddc5f42c931b3d3e710e4538bbad815479cd9afdc5cb44723026c4bc006e256f6f427042c6765a3b253e9356ca1ce45d9d83d5e111928b47a8ab8422b37e8c382436862c944e08ebbadd1a33686219ab8cf995c12a7ab7085a79a7d1ec3c6cd73a443cfceacbaca1d7fc0cf34d58c9277881f983746ff62fe41d0f4f7a12ff44f4ba5bf7d8935bf09a88ad98ea8a9124de178c28acdf1ba1a9734d6c225da591c229d313fcbda810b0f1057b0730a9572a807758defb579db3ad021ac316fb744a1582c16256ea1c6bfa26c73af1e2b6c4b8e7ef329e7cad7db91799dc044aecce5f06e803a4d85bcf5f45dc015d13e3f2c1892099ee653777ca5f6c92e41f4e30ba30f832703df08a416752b831b46c56563820fce5ed3421e9b2ed0a19c64e9b2bb8081ea08255fdad2f235e7bac68f946b3427a44a758e78dadd8e42a909a77851bf66b01e427c2fed94ffee1d65e21753b39bce8daac6d6f11696e003a5f3c21bf9d1cbf4bdb8f3cf5ae542fe7b255fb5ae7b184fb59db73550d293254277b4f94a71c93a909bbbfaf3df95c3e7c4170fe8b91f9ecb8673cb5492750edf45c76a20d94e21b0d3614d3a99f7c9e3978faf09e067f64926204cd090a9f115cbe7f727f5809976aabd337e8b2aee42a9bf68e2fccd4152b3d9831149d40c75469fd9b03fe1860dc1920ac7d869ed88d4148cb746f5eb32a2761eed4473c54315d0d91044b62a14537c825c8cf578fbd68cf8748d67722e27b81f9fbcc13271c23335057cabced862125f764f5321f59643514392b72e2de32b1a54e4096ef73d0692ec6a365c035d0cbfdf77ac650e7de4c3dcc5a2f60c4e08536e75ccd81a41425a1de44ea275baaa2a7cd16ef64b41cc71f856861217bf243e8f61c899f56f4c64e116e0bb020986eca1f2a0d8fe1ab5130b639a7db41b54fd262ac858452a2c79d82d99ae5979571701dbb30fc7aedf237dc785bea7576ede6cfe60c53d88db5e7db59b3214c8e7f081a61d3b699eeb802e6ef4e298b87ab22a20bb1f3e8e4f7fe56c318d4bfa3eb312b9f3e75957bf62647e309ca0a5f669cdedb2c309aa7245cc832077f641b2cece614f0938ec1d456600fa30064f249e2f8efbacbd9d2eb90e99fc0938edca24924edaed9fbc50b1292e6475a5b4f38bfd379401eeda87b2d17de03ceb23d788db69b548ae2456989b8a5189d3800203890eb9a0491a20f44603c881ffb0647e7ff291139e80a5c46aeb4322e59356d9fb1e6dd3dffefd4df3e35eac72f2921774771b8e288adb818c8560554a7ae3647ae49baa80776b747abc82dcf9e408e8fd14472d3a5d7ee014a7ba4374306a6eade2df580389cad9f548bc42769b27c8c4aefddbea9c3d89d9960551cfcbfe37c214cb5fb31d9835f1f8a8857e53b36e91bfe3a2e3559d3838050afd13bfc6924587c8d22c21c2df3cb2a0e06f01f23103c4b6955a985a7b26347a6a9d178e835e775365d41fe3443ae79970dac382a32a597c3d567d0511b5dcdb4ebd1271db6e675a4f343f9501f10ab4723738bebb6366241cd602673ff9c76912de6141c5cd4f2ef95e7efd66dd51b565dd50035f8f7e86b576d5129481ae75f7a9b7cf033a402502d5d1b5aa4115ba1b84f7f2cc284e3f636a234f40e0aa118c8f9d0ce6fb7ee613cc2f1cc7ecc2e264b2573ac3dc264aaa27643a483a1cb38e2b0237775ecaed626f7cb89bc563492ffe1e5ae6401cd82a9ad0fbc32f7b5bd3029bdab72a8d47f34b37011e9fba52075a56b89f2963edca796930a4998c755da0d251da985a1829cd10ce7665d2b364776bd6c76ef9978f800b453fa7c2704838dde05f2f6489f31e35f6d731c2678f3285070f297cb3bc03c0a012b22fca31295576acc3e679bbcba5fceb7ee7692749fcc58495614eb4a7f3a1fa7f21a655172da28ca916292dc7484834c31a3e5f54912f10271d5867e57bc46466d781bbb502ef32ed8b2b4452a58e212e7db8aee573dc6252142ec5bf2683ded9a58b60cf7883ef04bd502e3df2d621bec0e7fcaf6726e84fb1c6953722c7b8523d4cb6e4b55bc3d196c793c44858814b029eb23e8f80b66aefdd8be21541228608852fc354f75605aeefb828971defa68e28cdc694b24f2f461c707d27b98da4000f9c823ebb3384c50d6e41e5ddaa601b696f41a9ba4feee08852874bf0e31d20152895e1da84a94d529a194be53a886304e7e360a6a40d2d4074905bbfd06e3713375b31bcca23f4db67da9bf6920a5bb44885dcc3086ca7895c1069dd35f189e57ce60f8e0b0b5d337bd669d3deac1f0115570a5fa6505fac83c621c46f693d84dc77e2148e887a822d86c8c0ff4c00485c7f37a5198c69c881c158b744fd09cc76c0574f4acaad646204552774e98e17c3998e34e75628da2630a531cfe927d3c55ef02df3377eab25143589a50a07a32906e714ea42584b3d69d7ddda2fc0fa486a0e93baf78ff1b35d98c0823841230a26b52120a445115adb78d8fd99b71ab86bd27aaecd1659e89f99efa54f8764c2f4bc01975ace6f35d27c2d18c713a9947179211819dc42f7cf3fe6b546674f1446f0c81aa08277ec6b140e14b6e4360782bd17d03255208cac917a5f8ac03e6e8d13d0e62d11bf55d00b3f8f1e80b8551bd7b65b6284d1566cdfdf4307a5ee5ce8bdd6fd04a3edb4871ba97aa01d673af337698f0ada53cab9bdf9f631d0ccb7617ff13e0a3b3785ed26db722e163271b1f5e4690005249427bd44362c6631157286dbe4ac19620b55a64fa6958fe32ff13b1addfd7f56a16f79daf4e9278727578d0154118fe591a0d89af07d8bc3582cf51a01766d9c9ee3f8f80b58e86fdfbb4770e6cf2554b0d9e0769928c4a2f383aaa525ddf4734f4cb19996be80b4c91f91bbca6094ab910b665241e29b3d48784f80d32d2161347d2bfd791a66c6e824f2308b07f767250d11626dbdcc9613683e46cdc9903aa0848803b4a3dfb1fc9b350d47164ec59db3651e1f5f9a5cc1ad484654ac3a7f013badb6a0ab87effaffd526a53bead659a15dc2fd631dcd843ec341804a563d06ff6c5631dda5044b9a99dc77bc4a4fe326798d672d450727e81e491533e6a21121e3b8e5cde35fb84e74fe5011896235fe05f335bf12e317240191e742df9438752984fbc697a53b3950e26b3da9031dc234e843326d04fe096b1c89ce93bc6c5a60d7e6f0c5e8438fd10fa66b3eef5df79a3df515245e2f370b913b9333875906015460283f873b82b791fb4db71aa4f57d8182bd914613ba4d85f2490bb9bfc6940c5c4986c544308c3ac22b795fcb0b5a062d3a15ae30f6b7ac271bf9aac4bdcd949aaee1d7bdc8895eea12daea16185d869d6cbd971ccf16e4da5d70376437a20b6ea6c35c507eaee0a0221c70527d69c57eb3551c617320ed3f817ee2a69988120964b331137406dde202c243a91a0d810d1613ac8709b26a0eccddd7fc75a0d818276cb4953bb8057626f23b721d6073d76586397a8f05d060d4e2dfcf14de48fadaae6ecbd5fbfe958a2f931c531ea325182ed29872a3dfec469074bcdabb2a1a13fe24667efaaa26c50519aa9335d306fd23379939743a10ac90d3171b3bd06a5b463ad1b612ef3d54f53fddff55a8eaef0b6f78779d948f7aa4598a1dcf726aaa45b99da0bca196812f9c5998608489e80ddef13a4b8eb030c71742c304665e15a9f56a77679e7c4d70aa84a53466bc5f50d55a676eae3cdf862936c8b2f3451e2187b7ae8ae1446e090142cb89e4ee09e40cd4a0fe820ec28450ed7e7ae2e0e47a3d4054a4acf536e9a3efb8fbf5d0d6fbc69a51bad4a6723d62c8311ec224ecc71048bc16f9805d917a8a6294c038b2842d61de810db1b1a6f37720d3011f5e55803850b6aa0c4bab3c812cd7dbab18a732ac8e167c49ecc8359388a95080cb1d796c324f1a9c3795749a36682357601b260d85c710dd0c67173a8e4c1aa1e95ddb860e37c44c990ec5d11c0e71907c3e5e5fd247fa321de92db50684506e829447a8c85909d2397ec11bbe0613a4d8af44c209bc4570293e9cf7ba6f47754fd0506ec34af2f9ef20250edc01f97b8374d82c7509a231b0d5c9b085f9948efce68c5712f96afcf4f92a1eb34934b1d664344104337c2b5028c8c7d6d7e62e74cf283d61dac1ad8721505c4884a81cf692aa33f801cbc7eee1ae61bd4c96a4b1adb88f24b0a5e7815c537b25b8bc2ee283e4e05fa0f157f194f5b22d6d0267fb0fd5ab10be2230cd21f870e0e651b5747bb7f4593ef52c8a2e51d5093ee1405e49bba6b36cf97f0b2f7150a10ab7669478a4831f9c5ee6790e91e93b0e814bc314b062c68a3d36cf48da349b0223802722d76b8bde97982f78dddab064084b3eea0a335bd0dd8461b10581d4a9aa699d542dba4ca8464f62ad3b9cd7e82026a3fd15c2bdb3e30a7643e82f2c8e764498866989e2fe5a9e89c237404aad6b55c2be458e3f6547f727f0b2c9052de4839a6b5f03f5a788e5a14d8448ee25b3dff69002d5fda5cafe5bed8260285b61ce3c53c16288ef8af1759f631360aee3bdc5ebfc229b967d1937996553952409f5f5860820fdd2ed846dab931b2d19fdda50693a926a41e56060f2d6c13c125c0c4b08e475a992cce4b51e0f76ebc3c7362fb1bb0b9805332c162e1e09d1ff0eb73b24e40d6188136bbc6ef8a36f632ea32ea4c06199181dbb78f399f47dfb4633d0f0768ee3d33befdcc3c0fa089c2182d6a85b272135eae3436bfa09b18b1021f37097994ad71ac94c97448e2b252a758616c15f0966447de5d6487105fa408042c90a9a89ce90f0728d7d767c472f60a1740c77c0a64af3ad4f94544ebb3de794201d17d6399765e055a5b94d569c6618e114275cfe79c2636369424e01ca8b8e3a530b924316f43df7e43cd070d1b09e8cc184ac7ae979119aae40155a2a67329e18722c3dc72dee0049eb4c29b306dc81de1a1967cfe17e97ca476562cad43e84ab3ec6e76d358829baad982241d0db7445454f6a405405057b57fb93dfbdc8dae5b30c64cd220dc48fdb5667a3c065f4b308bd076f95c810e91d5b2b921126128520028a700e506da6c7617f624242a59b874d06040911d534a0e15a5195fd8d9cb465176275119540034892cc6e6aaf174b06435625f9bde8e699e28cbeed2b9ae0fc684cbd8c77bf838086450395f22cd025c70460394cc219789fc7568379df9856583f796c8a2944b857077bd29f5478e8b3bdf916e6d67963f8c039ba469b60d0a24edb6f9e00402b6f286d88a4fc10bf764d8c37252710cb47b5693708", &(0x7f0000004580)="820718733b49daf8ed80b0ed25772d57d77435ef1da1ca4f1930ad4e713b84d4c1a24c712f02e0b86d1842c164415aa9e490e6c8230a89e309faf07d239dd7cd35da5cb5f36919db06df51a5a9c5fc8049897d04bb731725ff5f5d98476e15b1dbab8cdc405c2c17365805e27a61a5f061e7ead100272fe2d9bd8cae4a261b451919ebb927204c1f63a8908147b99835ba994378a32f9f1103574a08934fbc79d31aaf13"}) r14 = geteuid() fstat(r4, &(0x7f00000046c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_GET_CLIENT(0xffffffffffffffff, 0xc0286405, &(0x7f0000004740)={0x600b, 0xf, {r3}, {0xee00}, 0x6, 0x3}) shmctl$auto(0x0, 0xb, &(0x7f00000048c0)={{0x1, 0x0, 0xee01, 0x3, 0x6, 0x10, 0x1}, 0xfffffffb, 0xffffffffffffffa8, 0x800100000, 0x0, @raw=0x6, @inferred=r5, 0x40, 0x0, &(0x7f0000004780)="1f8aa38b61938fb7299a96aee61f6cfc70190f9df301d40ccf557795fc00d7759efa4ad1661cbb0d54c310aabcc29285c2ce84fcbe97407d849edec2f598b205fa5ea2460d0f615ad87e7e2605e8101f58adb62e178c78c454580a55d63f5e1d11f932250d1fefd45195451588bf530d73d83076a93a289b613bc68b49905423d7d5ace8016292e80377fed1b58877d9c4d04ea05ba8", &(0x7f0000004840)="b7376d34b8a4cc32667d885991bbbc6828d08bd669e6af09fe1e55bb32d885d217afb95645976390dd7308c504c5d39953a783b065bd4f0a72bfaa176a0d2acee5c8e41ff9b692a41d010c7b3459f84c721cdc4c7dad40cdb171ae49a556c98b5eda14db8d4cdcc0b47fa75bc9faa171e68b700c4960222516f6d5"}) shmctl$auto_IPC_RMID(0xfff, 0x0, &(0x7f0000004a80)={{0x8, 0x0, 0xee00, 0x5c6, 0x1000, 0x2}, 0x326, 0x3, 0x3, 0x7, @raw=0x1, @inferred=r5, 0x300, 0x0, &(0x7f0000004940)="8d80000898d81f2a2a537fc21c52023bc6ee66954a12a93f2418cd8b0b69067e3ffbce8f5d7431e001ed255fb5ed784374aad30a67500f8f6c042bf9e6670660d425f7611c7ecdfc450c05ef9c0a65c62dc2215fec7c02b712de12f5053e2c3f60d780fafc4d1ac221ca0907542932889c", &(0x7f00000049c0)="9ccfda869deb661f5fc9ba8f62d29a4ea3be9286f77ef11178f96e25e8bd888ecc08d452e94731dc6e97d39ab9814eec357acbb7ad4232899315b74df9b4df71302a482e3c52fc988162d57139e691028753aa86b20cbc060ceaf9de31cfbdfadb2802232870090286f90b426c18866fb62bb4662ac9cf938b12c2b380a1324d8313575eadbcec1a33832733dc87a6f8ef25230fc815e2b6756e60144a41195769ee48e21d497f0eb19aa12419eb8045ac2cada387"}) lstat(&(0x7f0000004b00)='./file1\x00', &(0x7f0000004b40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r22 = getuid() r23 = getuid() stat$auto(&(0x7f0000004bc0)='./file0\x00', &(0x7f0000004c00)={0x2, 0x3, 0x5, 0x6, 0xee01, 0xee01, 0x0, 0x0, 0x1, 0x5f2b, 0xffff, 0x2, 0x8, 0x80000001, 0x5, 0xcc8, 0x6}) shmctl$auto_SHM_LOCK(0x6, 0xb, &(0x7f0000004dc0)={{0x2, 0xee00, 0xee00, 0x401, 0x9, 0x6, 0x8}, 0x0, 0x8, 0x101, 0x4, @raw=0xffffff46, @raw=0x8, 0x2, 0x0, &(0x7f0000004cc0)="00b8fcb8c51e1af15f5b1d2c15821bb8f4e846f20d662dad19a0e59429994859bb1d0b6c63ef694416acb494494c6618f98573d370cc435065ec4da9efd3f67626f44c18b96b", &(0x7f0000004d40)="23c6651878ddaa085ae0bdfb7ccbb08b71af34f9f1565e8ac77c5293baddfe69ea20aced26de58664b32ebf6f734d3f7f692065fe4f99ea283362b12f96cb972632e80273d014687"}) msgctl$auto_IPC_SET(0x1, 0x1, &(0x7f0000004ec0)={{0x0, 0xee00, 0x0, 0x19, 0x6, 0x7, 0x53}, &(0x7f0000004e40)=0x3, &(0x7f0000004e80)=0x5, 0x45, 0x38, 0x0, 0xffffffff80000000, 0x4, 0x42, 0x7, 0x2825, @raw=0xa21, @raw=0x1}) shmctl$auto_SHM_STAT_ANY(0x80, 0xf, &(0x7f0000005680)={{0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8, 0x6, 0xa87, 0x6}, 0x5, 0x7, 0x6, 0x1, @inferred=r6, @raw=0x5, 0x4, 0x0, &(0x7f0000005480)="feedc6aeab06ac00e00a4726dffa893698621bfa7d41a1acc3b82488d27e0ad499d0f4717604496303a3c32eeeb44df079182f9c1f77ba86b5d75d3cfc32f45062e93e184cec890244b195f2cd11bb0a90f2a2d8f67cc5c0be21ff7a4f4d4a43b7fb2ba733040d26fae0fb332ccc405709c4b602936c96942a8eb5ae327c87db6f2f6f610f803cc6d8d2099ec2a87419cd0c206b74ac2497ac1f8b637cffd4427dae82e77beaf37ce6f5d2bddeb31944c36a67ec4346592b8b0a7f4f28c952c8f6bcbe0a5ec35aae354c1f9e66bfab1fa0f8fbe02e56af6ecce525617800b42e8cb5831e20ae90e73bdd29da4c8b8d1d00ad8e8e8d8f", &(0x7f0000005580)="48fe27d996540af39ee63ed5b8cfd8523c9eeea2a9f619601421c6140e3a984abc8a5f421ac2621ad09dcfe4b7038983e0e88240cf3dd61196976f836b58bc78e8d080446c8c46fa4d9a6b522942ef8d58f89f4010f6b62b5aff902753b62fb29fb8a8a3a475f3e0e445bc8a4fe018fb6a5e3c2d534aabd3b0915d7b065781ca8cdb3eb734016390638cde9640375b4dfc90c211603b5ea2bd44295750415067bc3f147a66d77dcfbf658480369e1d1f193dad08c00f36c99af5c1b52ff0a1f2e893841f1a2de097fb0e001abdb956f682de1ecfc1801ec9436f864d3abe6e7f9e332a32e9e5445d85ed613ba1d59a8ae483ad90"}) shmctl$auto_SHM_STAT_ANY(0x7ff, 0xf, &(0x7f0000005980)={{0x0, 0xee01, 0xee01, 0x80000001, 0xa, 0x9, 0x50f4}, 0x8, 0x8, 0x4, 0x7, @inferred=r6, @raw=0x8, 0x3, 0x0, &(0x7f0000005800)="db4118b7fc550b52eec4c59cf4b93c169cd2e4c6b1eb5a84e95bb2109386544d8185388c504c495c8ef8b3d196ce76844652a8d2eddb5eff1169a558d6e7c56d46aa70e6298fbfaf95fa39d53985944c382b26cb4ee51e021bebc6e6e80388", &(0x7f0000005880)="11d01feaa20648967b16d3e6cb0d4989e61fca36740792d8808f572be0b70dd4faaa5ece7385998367d7daf2350e52a74dde027c397711a18faa7b877c14e92f48636c7b021b50828c936f30bdec29c674139d1d64369d02d6df35bd75c54a729a1c28f94a00497c2912e4f73e55746dc437cfb64d826fb5dc13286f2d3dc8a354ee9576b8b37c407814e55241fd871608c599ddb5f980e7c01c23b02b738ce34dc1f4d5577f02c5537eec8d5c15f8c93a7d450b4701de03802241a34c3a07a378119cfbb34eebe8753a4851cae1a14a124749ed8caaec19d2220b21d71edd4085672238c4582dbe77ee258f7504e586845878a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f0000005a80)={{0x1d, 0xee00, 0xee01, 0x9, 0x7, 0x100, 0x1000}, 0x4, 0x400, 0x3, 0x9, @raw=0x9, @raw, 0x4c17, 0x0, &(0x7f0000005a00), &(0x7f0000005a40)="20fca2d9a84b149b22cc118629f244c8f9909cbe317ad4693e5c7ddacf6ff08ff96441b29c38fb9a6161aac42a96f4e5b9a9ed648ca3d600f7631486"}) syz_fuse_handle_req(0xffffffffffffffff, &(0x7f0000000c40)="555b078cdcafe3df82ab074500b854e053e9be2bdea67c3fdc61395f5bcf269a1a3db8dd7f3db0cbe3e9ee7f3fd773e57fb4f6aba53b0282ae6ab4f9b9d69d362ebd6f9917ffa585a5e2b1dd85afdc2e0b9fd07d2bb693d6871743b73eddf8e6cc6e58e502fb0d8d80fb48be00be3acfe35fd1fe21f97c598eca5e0546f3f6eec8f7e403e8a80b58fb34342e2fcf0eef3ba1644b262d0a877deba64622aeee38f1ef528cd836085fb4f8437ca36c3cc211980a6523fc6bd07c49747f5f9d6d79ca435f84f59af8bc5d7a76ad9a4d29e4c5eaf20cf5e373c2677a048b4a064b25c80e3c225aefc79861e39f8898dc749ed0432a3474299b350ffb0c53cf96ca64a127308b7a77f80ec1ad1ca74fc58f71803c787fc89820ce647e6eedc38451b70b1530cc7060d1b0727b74685e6adb3310cfa9ed5165e3d3e74a38a7b5f2502461b93d633693f3c9259d2fa0ad389f2496c5c2e3df9f85c1a8a858db4b7c5815fcbb656821e1844e7d6e0f3cfb64528f9662979ac9a8ec10eef0603b3d1d78d5d2a485486aa8cc310e490b9471ae127194151b732ed19d494ea63d2836519409a213425fe1005e46695f4b24be7b25829653e41c174b1bc69f108a076769c652405d436a7c698ac8e54a850c0ed0249a8250e5548869616b9a72f26cb97096cc66cbbf0317a17f96ee0bae08024d5b80dff8be40c822d850f749e7bf5433d252202b03583d8b87b5b707905e3c8461241fea66c5995a3de30ef8e33bf0c792f23a2643be67d8e077b16a84e52d80c3c3e8c3ba8e58d0683d00412b9f98732524113d24c89ebb020ba631c1618c7c1dedf18ee59c677e585299fc6bc060d5c3f57f9d529f93c37e086db0ed5993a05dabffbae7430f9e2060b0b6ce6b0b21fe6dcc4f4016d87a74d0fadd6f9f12b102f78ac94f2b846c2a7b9bc243c56b0fe4412f03af3372d356432cff83c2d7127fa0a972906d1674d7e55dac178901b661f1f1ef39e71725d89bc1e7ce8ac6a238a9b2115c6563f9c219934350cbff04bfed916653cdfd93c25ca0cfa1223bc85fd26dcb17e5302128fd819451d0b7f0854c7032849777d1828d483bc58b2b91f6e4eb2a902655a95b03fe2c86f0fba9fd2c677f6e5b6092179a5e84a67d881aab57dd2c3239a1db9b47f2b5f6ceeb79a58cd125e6147d2068ca21a0cac47b0c12f6683b7198f139f11206b28490f756e0bf1522195f14608d19ffb6a3ba85f0474431f71d1a38b492e386db9eb0dde55769c02f8757a4e14e93dc241f2dd5e6550e3d753c917bbc4e5b1a3385259163d664b0c72d85bf78354f18cb63f1fe0a337a07f2e78fd3f894ffeb85dace3f30277b5c0fdbb24f9bc354546de812ed5445f854888a038f0436c78b21230ca73e770b4d375ac60d302ad1629ed8c17a12765302add9819e9bdd1002ddf7d773d0d201e6af2bf8e58f68915dcdb80f4bdd731ca0544f9be29297219dd3422df4f2e436422f940d8fe072414e843894c01f43807c4dd4f7c5c1feb20d50f060ee1fe612229c2f49da21728952a0bef81b47fa85848f65ae3756706013095f1ff84e5e32216b94af2479eea8199710c015597b00a97be8b3ba52439b12e3f1948218e2816b75b684f3182b434e0ac0cb31a1a83f2c7bbddf280d1e4fd508c4b7a0fb0b664c613edb4c7ec7f48cdc9411a1af51c7f29564950417cacf4c848bc3c6c2ffb31759917a52510001afd9de6d6e9ddc26364353ea5070fc730b22d8f434ecc21247949f637d03d430a5fbc036bdaa3501d49d63df3238abc594a56443d05f53a557b1e04c54f5de091086a0cfe9f3707c74771d416cbd75c53e7456bac5adce640cd93c66c0ba2e59096c5e08cf2c9b96489e94f80652f905849e4f38997f0cd4e6cf1ad18a881e9e81ae732c284df254de3981606b021ef41da37176e9a0946ab80826dc7fb9e4b99bd9948bb0ee334a5db291ea58807cecd59f870c691385e27f18d74846d1eda220b9607aaf2e6fc0ae9eae57608e601df944d9ac45d62d796512903bff90d740ef9fcc40c3b3f273a2bdfa30143e90cda7116d8c68826e67ea0cf578f59231ca85f03f11b40d0631ab3473ca2ee53587dd4d8abc53c6069d56bd9bf7cc9f04d8982a4faeda89fbff8884251a1fcc5fef642a205299930ee6c9022223576888c491f796624d04d95a983e40b344e8f4c98eeb55e0ff116fcc8b4f296ddc2f11c9322786440e0ba622ed96dccb6bf682b97a2c7806474738e9cea364a22830235ca35c60ca4b0fd30f81c051b96c6798217c7985e7fdfb4fd804093266f0d3947bc1d5b3bd535cbd34bf07a3096f16da818cde06887e94257579f2c020cbcac1cb700d34472bac930130530f9d094483faf311194f9a9641925cdee88879d218b3beb83df4f33f5cb109cac0c7926ff1eb494ebfc58f22e513de376d1ea903e7aa65b8d182e5e38217e2d2c0b0cb392d44ad7684c229968e71a761b967e25a2883929e19bb5dfb053218139dc304eaeed9e15de1f0a9e6f04761c75f7299e6c0eccbf93cc101eb5b017c2d97273b2238d4481cbb5d244db8f1b329b8930545eaa4a36d59c37ddb37a610de3a79ddd8a31deb0b1bbb31d01eeeb78cf95acf3f2727b53b6236b07d490d86318297dad4f6b80107a031299fb52ac0610da5af4b71a8a71c486eda6e77c350224a9e246599d2f01790796a21c1c90dfb6e64c49d6fe4eeebe6d6b5192b6e130eeac673c4cf4669c046cec7388079d14b25992528e205a8663d429d8cea1fccdd3e538b97c635562f2e269588aa14b930a7408076298cc4deda70b3c26c42c67022c59e26f0bc4aecc43a956ac60230ba1b0681b8db4efd0ef133f099563d0f55b919f6437722c86b4a5f928a756b45a84f9c54dc2bdd79ae9da5a39b5993055bf774b129b468fd3885a5447052460d71a68cb96dedbdc4882e6f6a2b7f642627f3e7783accc8f22d29ac8a83788e64abd60619e2b13c483bb9f6442cd0a672dca719262f2e8b52d58efccabe63120fa955da00629888b0986aee3503f94d690115528ea414ff93fcfc487f4a3b0213798f27ce362eccfa775c9f841144ae5fe9c7d95b4657ea1067f12d1dee02f91178b113f7962073a3c98b91de9b47023a22059201bd495e7e2e4d3b3dec65ef29fe442e271f13870b0aed818352bc691b5d3917565bf8b66acb665805d937e6358791ed9060f261ca7e34f0e7286cf7563f57254a05b3ce5f175d8bca322cb31bf8de32eb0ef636da055f3e9eee3b7e36066fe10c45c7742c39732cc789af38cb737aa17898d31a20ceba6a89c7883519ce2171c6e7b19b34494a5806f99c26c5df8fd641a1be5e660ce887a78fb691a1016fdbf107bc92992a2b62dc3474316dd24f40ffe61bfa848f9790e725c0df3fa6d090fd3837e1a46bf58f3beef4ad7721951a977948b86cedc07a24b7f04be14df36dff71531ad715328d70a2fffb3b59439619826e0c26729da1aa66fb892b940f8be7ee4f227b43fbb43094c5086447c8b4dd7266f07bc79c28a9b4b0b511739d6894c0f2049f9b8357a2451bc96489c2fdb4c63fe6a151a11c7230474bf51f4d04b160a65c22104dfc2968a23e427bd97c4d2c0a5b359d59fb17b551f8905a4b6acab2444d66082cf5c64803f5afdd46f05735d18b5207a927ef34cc76a8ed3819c869541e06e50950d550c9b8f034d4a329a135afaa257d3bf25d36ac7c7ff9851ab9c386c9b16b7b111cfbfc39f19ec3b71ce4354036cfcffe36c87a8d6547006ab44f19320a35db003a6cce51e5338afdeaf6fb6ad3db60babb521ad56b080e5564413be596994afe9d4555f7b7530c4fb1ad9b55900c76ba404971d8e2726ac6480ec1e1b56f68600e790a32806f10ee8076ffbbe63130b72ae22f0a799a5658f272faed770f1c72e4b6c32fa19b6b9ec28cec7bfb3b0869e7f47bb32b631d440bb1504e927fbf0a752959c4a633459bd2d34926ada22b97716adc61470eda3a968b898982d896e77da47af7d489728ade3950575389af4883b21f53e9f49d4b4fec3c56b95fae00271b01fd3adac979baca1f9c3bd6f078424720f747591ea8dc7094c608b1476d1e1051a55bb1e59410ef9d8c29f00a6a4d9b3103a8d2aa087e91116fb3639758ad6f93ed0706bf993ece70e8ed75bea28970859c7256f972af862b45b42be15957e218fa65424aaf13c2a847ce1d40dab52ee757669245140c4346c581f2e9ab2e72b64428237250e14293517845568d20edb8b103106c4826621b6bb0756c1facd859509f9331d0a1aadee7adf134d463309811220e9bddf1dc6302ad89abab68e32fd5f7c27ca0b217d8c2ec342a2605fe54eed4321b34eaf54f8c2162d3bf5d7ace2429fbeb4ca187065026aa814a9833b6ee943d1d337de2d9ecdaab2cf4634c16a915e6a9648b368d8df8d6d2de477211214b3e8c291f16ed30ea38ff581b81899cd1c4a74bb338a6322003c9fcbf16a0acf0c67b97d85d55a6b81fb7536d434a0e499929e0da0ae31818da52cc252418802621cf28ee5cd555f13d4a0f6c4160b97016809ba75f3050c2ef1d3f90045e97f4ea5d03739a8c5ab3492f5dd5b167d8f5294961f942847d9550f11f73a8ff1b8b288d27a0fb759d86544691f9ee3f9ee48d0e573f21ccef4610302871c7aec559ade89511dd907580f8f0d119b8274f652f5e4c8a8d32f30f2443ebf4d9bc12486188c5af74f98d315495389f1030d45de4219caaeab035bd511afea18c8448bf8054debe9c747e60431d66015c62578a00dbdfc06a5dd527e31413e8df00420c332bb416db84200cb7e14708a137b75490d95ffd693c9bd215cf71c3f8e2d1aaabff3dd63cc2280ab6ea46a0390e7535635059d128b5a92f68673a058d963303e7e579cc16619d78c6db79e82621525aef9a8af30df9112ce2b68d568c39a8138ebe5d0c3c263802095c3c4fe2a9ba48d97f6df31126b64abdb37cf806b410aa9f32c8f20ab137e12da99f8f069607224ac1ccf610e3621245f7cf017f8bb1f5de00bedd6a66811b286a870a89c11308a35dfc58ba245e93c1d3a5ff010f8de2aa446a90d153b3e6f8d0725dab1ee435bab26a0842c572d388e2b62657c133e5ca2d47fec65561ab2a71c6d7fbdd24dbf050f6889d83227094178096996d856625ddcdbc236c0b5ed28e7cf718b4f80589d3deccee9e705436dde6455d8f0bea6fc4c3544df55dfda6d52deb921c0bcd96f8a0c5dd8ce9d38c00837a5628a3b25297cd3baa1490545b5ccb871c36ac1aac4c70b05aa459734aa523ecf9476d90e719baa1e03de3492c3bd10ee0290a6cbada7296b26f463bcb051b53f08e9a80c47157cb49b7ded5021121c04315fea9d4800dd2d623c91234f9cec3a787bc28f273b029cb66d5a05d5463116138fbc87579a71e0dbb29703867fa8b6921b6fe65a7d196e514d8a8c21ea85666da05b72c0b3dac144fe904d818431b5dc7a90cc3e252667de04bc61a19dca565f5a5c1f4216c69cbb59c71db52e28d85c137d2c48662d31813041b60653139bde9d2b5c472685bef177c2fa2bd8256b32afd598e4f8252c57cd0c4ea6f7df77631ecf00b0b6fae0582b3af17a577ba6fdadb8c2274b63c3a5cec2cf0f302dfdcaeb2a38e32573799803b73686f45ab885f43df4561624c347ab1115591aec423b09bfd69461723de7b10f9189dfec9f0b2d3b66cf8b1ae59db79fc2611a6556165c3fdd11e438081f2e7473d3c16ae567619e58e4e4d2433749b90eeaee1f4e5f9e2acc37c67bd22dd92b856ebabf04b094b8a87d386e44446bd32cd75b6dc352469907dd39ae2bd9c5f965c3f17af0b7785a5eaf4fe485d4c3116ae77a74ab165eaf4ce8fd8634adff390bee91b5b3017ea83c1b2ffd7d04dd0c4db625d6c4f99cadb2fc1df1df877a6c5ee056433494bcc7df92f0239afa2fe75ff141b2e74975fb80cf957c517375059a6a095d4b8a917b71d520a3603662dde20de7c739794b6ccdd18fd54c05ccc814471899c4d6214d8805bef7ba4a4de0e02e5675d5f8065ccb2242d51eba5cfe8ef3cd70b532f9a0bc22d9b64193c79b6ce468890e6fc7f69ae0cbd8e3a42ae06fda98bfc7e041716959e5aee95114643a308c433e40291c532fffea7c88de8e536119ada3c5289c9c57d1d47fa0626bef327fa8c1956760664f96a38538a818837e9c8a66acfa42e01d59fe39a9c7261a77dff5ac509205a25f7c7d56b275f65107c3a4fd26e8edc677eb9a4c9208051e521fb7c932bdf60fd69d10c92f9be092bd6eec68d05972f820058c531d12068e4975ccb0d4f03f88937dc178998a7d68d433079f51da4239a5f5fd4a563fe6a738245fbca5e6b0bd88abbd6eb9fd80931036b0234cf667a5340ec1667c5782de675ab47862018d94ae8b7de9320d381cb843b1a885ddaf31c3576f2cebb6ab9576c334d3d401fa61632dba1e6ccec915c4500f86ac289a1de6549f7ea276f9ff9008968ab31a7a648ecd6f36ed185afb3e9b34c9228e2d726944c33227a9e3d77e4d5be8bd850f310dda0fbc30aff3f5bf2f1ea3eed0ce2ff15a7c313cd87a79add3e290c2ecd764c455520d581e3af9ebe2c56d1deefafa8731bfb4906b74d13f2712048b41a5158cf3cdb815cd8d63c90124686dfb56734834e15534f2b8b7ee2b224eaf79515021de3156191677ca7fb47674292f4eded887f3a63baaf564e358ee2dfdf1273b373c3aab499f4bc548ede7512b5e22cbed7618b23bc64b46c8e6fba9bfeaa963b335de58d0d8b66324ba8f592529d12094d2266819296d395e7b3b0b2e715e7ed73fa8e2a1e151159ed41ecf754f73cf82168df0814aa0c6fd8b9988d208f66badbb90a54b7a9b311839cd6cbbf09280137677a984ddf87951a4713cdf7f494fb54e537d8f1628d794eef29ed26e31321ac41b9373dc1cd85e482d7e7bd56baefbda3e205c2d4855126dabd2e24446214a633eb311cc487b863f1115963a421afa61ae48832ebed5eaecdae72d27de0ce761736e1a71bccfd361c2c9dfce619609ebca1a0d4d8637546891df38f2597eaa1007db2d3f20ef9a6560c7163ed1ae4b55dea61c31fbfd2888460506dbb7af26c178cca34ead9de4f0b71a0f216df958fe4f385e2c5908a5a55fdc0322e2d9793f88fb6ad766ffe8e17b644964b2749e564abfe28692416c661a8ce570baf464d47a0f1288888949ee80b4a6260d0c6b4f7547fe01ddc10dadaed67f39be2a7a6f121cfcce49029bcca23f7e4985411b816fb9b6bceab0cd135cf71a7eb10c97146b3f342aabafaac9c2c690dcdfa46fc4d288623ce1d1385dded99715f351f39b58e0a7561ce85da8e85eed6ca8d4eeb9aa2bcb7cc77716caf84393b3acbb6fbd93d5e266f62d2346d5886c3c58ebd6f71da40e1e677beef215b19a9dfe52e0862d06f287c7240b470954cc00571dc40c2d6fe958291cd26fc28ea6013958d00b0a7f0191033b244a9cd146bbe14492e4799e9a20a2769f096915155594a63e3a53743b06e44723d7f40f45647314a7ba959201d2a1d6b45f65a49398338afc820c765ad7fb759a4a84088e0cabe2209f7fc39e5e5dc177213fbc12c8f1fa828401b10e394896a809576ec118ad715048c7f2f5a3317dbd2b25d7595f6a1a1331f978d313f6492bf81e7b7868ed984c40071d2085403a83b9894816149c61bafdb553c31303df5cd1e6a0e28d81a10d9430946b329725122b15a45f8ffccc5b66632ef9b3e6291b8807d7c2ecf361f9c33b22ec1b4e9b1c15d5b7f69d7e63afe29a91802af6c5b40c609197063cea2d2eb679244adcd981b719fb991231a18102bf4f3c31d3af4be37568b8e82c33ca8e438d9dc076fe17ff21b9f924c8d8a60652941046f085d861d338d376fbae91f85460c1b13e38bfc5b72cf19ed32d34bf85b2c132c23c4c25167be365368ee0cb3818a856d5140de04f9ae445abc2a3a96c23023bec32b22e3b3eed70c25af8c1bc5fdd6731fe4bf7d56a81a3f226a0e94422da5ca31a6f389f7f3c1bc3f8705de1dc0f656552af4684f3ec235d526cb64f19a5a91e8a29147e3f7e131107a13035b365a0d4018d0ba855da90b7fc001fa12d62a43522f1c45a93ede4c1084dbb1019ebd464b33c788f124683f99a8665026f5d87bae954eeec7684c631de38826afcde61fc3f2382e607a78a583075761f5ddf41233a727a15f75831e7206b3b2e8abc03a8ea7a3437091c55938bf16e5435f483fd9a34ed879df652009fcfc3ba60a287b2df77fe136dc6d1c9dc24beff56e888e5497fb91a733d58bca739521f7f1afa4f94ac1ea3bc8d2cce1689eb3a39b9bb81f96e9ac19646c58a4eb72d47f653b4a28b4c2b4340947226f0854c45f766c1ae65d630071acf04b899d1467b46057c335769c4dd23077fa6b08a7cd44cb3fadaffad334f030098158df1ec89dd77f36a95ab58c080f8601d939bb2e143ecae478c0ae46a797e88121844d81296d09421f25e27abb3e357fed43a4733e33dd21d90ab4af3f77b341c35ea8d7222f49dc24e92ee26f28b2127fccbfdd63e1fe24159010a23c885292b55c4b61a7a9066664555982e657744fe4286ce5a183ea22cc462721bf9e61fc78d5f2c814041331f09a01a958e2b64c5a0826a553a8b994d66dbe89faa6403bbe70adb3823a1b55276f089b4b3857f0a4db9e8915ba0fea98b8811775ca4b9508894dd78d80a20a9a9f89054babb1fae304509c1584d444a8aed1f5426c78010c8e8e9ad17b894fa5e3b8d6cf8a9a231fd5967094c78c7b88f8c7040b0984dfe878bb2958ca3991ed8effcce2348bc6ab9375e0f8c1954362cb3e697ae01cabb06655812ceab2eac9383e04efc1d60bec2f188faecf373ae812aeda6e7cfb7407f322c1333589334bcd7204ee02ad89678fc299717cc1317eb53112d95159c38d92d01a13beee3e3ce64a9500e694d253b7575d37d2ed5996809b02c1c4a485d4c0da6e845eca355593cf184627ddfba4df2519beed80c2c73f89c811a446d32fe22fd5733ac77c870f9c1e03734bc44316d1a390764c4ffd4f106811cf57c9f6578d8734d5f49d913cfbf2a83b2483541e6f9136d6bf7baee87702e4b1cbbaf7df3ff6a73eff013c289008d2af8816c3577e8409590adee6a174600aa5166596b4f68d61436b85c549e203ccded56548862c5fc4f3825927d63a18314f8d2fb11e67f545340cbef8247f7373c2028bb4052bb4f7980498472d38afb1e00d60a80096cdf005926cb18560810ae576667dafc0678d72e2392e1e026335f783056885576070f0b36a8c344139225f5332fc49c1e458dea366ffeb2cf12de967b556a13880ca41140d7e79fb5641f64491c8793319a2627fa4400a420e90fa69a1594cb6474907c9a4acf622f9f0c4b7c5a0eec093b6715edd0c97b2d9a7560601218e77784c97ddb1a457d1f6bf851f3bf2623d2f0b1ff7c1e4b85dba900a379d5846e783964a08b016af92cfe59bfd26c31d85939f60d3d66ffab18baf13ea4786710b00be25af314def3cc0996196ba40353d0c47702d033d466158cd1773ddef965db9df67fe1cf8b1db86c3e24a713402ba7d791979b46dca1ac2dfebc30f1a43a0fc3081e8aa7c0004083a4b032c353e702a947c801a6579896c8a8fc55edf38d81831c703d0c82debe598c0bd2f99de66502106341636ca9ebc1a3e0b039851caeece0bc96c9e3eef1cb303f454e46e30e650017cfc202d5369d23c6a4b85eb3a664e2b95cb71b20e31113d83d1301ce527c40a39485add09fb4b498745587009d452a5b09bc3572db3bf3b285ab978ebaf4a3af073323f5992bb630bf4fbccd1c18ed5544c55b3d1a3e26e05db7c7e60a570170cd0ef9f77a4742c6e2c08f3f2f8cd66dd5ae60b19b5fefbd72d5e57149c760b74ac805e574d8ff12a8c12cebc72e13c0ebe3f39380a93f29bc7fb5e28948f9ee2ac056fb4c0378f9d415173f961bb791ab5ddfdd2ed716802876698c7a9553a5fce4bf1610ead50b199e02ccbd26e00024564477c554a5ff50ee50b979d0cb4202ba603461d3426f06f4d00d4ab842dc52c3bb63e117e1cc9bf09c406c186d3a4109ad7eda0fcc1649c547b3b20ebe26e2d8180ae5e4f48a2e7fa4552c8d83165c3ea741643289543ec56877c56187775c67d9c172b5b9e7c838e195562b2f50bb086ef495a9c27f07ffbf1f9b6f05e476fec2d969a88fff5d36d2ee673230d79945798c2619d4b0f5e2732c5a9ad3abcb9c6119867682bf20f1bc987a9692b43eaf198e4c00b05fcf9bbd6d0613353bc1904515516d3af2d1cef4ffec791d9fdf2779df4c914cb8ff40ee2e1bedf974ef95b973f9a5b35b5615ed60798c28f4f8ab08e8881015baf88f9729985ce056badbd88b1fa6f440af1cf1e3812439b04408cc59f4a6dbe3ce4a443c476040ad018dd828a0aff7f972472087e4dc5fde232f655781dfc422ce402a9c036436f7e20119edf27ec00ed99dbc5a6d09d6bfdd3a60aed38ed14a78120d35e848fdc012ef1d559ae04e6c4dccabdd79e5d4c8dab901b58316966a215d45807246d7b62aaee760cfc5d907bd4ee2cd749b86d5b679c409668d7f34a7abfa895349fb9d9eb4765c9d39f201c407b0d5a89b3e6821696d00de3b1ef714a7f259dd94e1ac707421e4ba4fb345fb571a7851b9b24c7ee585de4107adea328e9c0118c9ce62652a64940d63819a70b726e8851d5eb673e98d33bb3c6ca62be5551cfd4ffa0e93595ca43877cd8890ee00d0e109143b2eb0c14d541eb9ad11cc08b91194f515a4479c4cf333c09853842cdd75414e7b7d6889142c2999dc0e8986b6a3ac6e0b3c030c943e985feca927dc9531670a23dc91172ac8d779d9acec6a79714d0a0b1611b23603797e2228c8db7706b38b008a83237f28ed4f45612dd9e685ccc2279c862ce2cd74e3326abd9db1a8ef7118cfc82db1609bec22dd0502a4dc32c269bdde84a9ee5b17adb45c012706e66047dc3605da9f169e20c73c7f764720129ac00b2aefb69812d72ff64d5874fce5aca4df68b78e7ccecb35aa76b5e767ae394b41beff86d1070b21157cf34359a167b7dea68abdd224878ce3d3818358b92a52e4f313ba3dfb8d97d87dcfb39ff438bdacd7a8a4f8c79d245e4b16f42634d5cb63d612ba9f019b6c06cbe5223f24c44d2e16d8ee4fecbfd941b248bb6eb63e0136dc82b9df74eff1ebf9f042dc9166a644eb84b44453587c405164f221bdc4ffb51c26d1cd1828f69edfebadbafd5e03d26bb6dcef5d4c6c7cf512e757609c9e52abc42f20d6b18c81b5bec2d5aaf546f1edaec291a7a18285499115dfd75319e9b6102030aab5c0995f6faea2f29fa41e7d5828bfa59fbfb181f96004a67336f98ba0badd72dbed7319f96c1bf8fd43d1c0bdf65cf244247586bf9f4cb3105b8c30388d67848c1a2867fb416e4d54b30f4b258cf605aeb72b9ed04d3ee7302c2e2b33c4afe3f88f3dc97c1cb1b0ea83cfe5d14ec93510359a324b54a53c74acdf9191f8684ec2f43ec6acc0b672b3bb5132172a6879441", 0x2000, &(0x7f0000005c40)={&(0x7f0000002c40)={0x50, 0x0, 0x3, {0x7, 0x2d, 0x9, 0xa, 0x6, 0x0, 0x9, 0x57b, 0x0, 0x0, 0x2, 0x7}}, &(0x7f0000002cc0)={0x18, 0x0, 0x8, {0x6}}, &(0x7f0000002d00)={0x18, 0x0, 0xa, {0x1}}, &(0x7f0000002d40)={0x18, 0x0, 0xffffffffffffffff, {0x6}}, &(0x7f0000002d80)={0x18, 0x0, 0x80000001, {0x3}}, &(0x7f0000002dc0)={0x28, 0xfffffffffffffffe, 0x6, {{0x9, 0x1, 0x2, r5}}}, &(0x7f0000002e00)={0x60, 0xffffffffffffffda, 0xfff, {{0x5, 0x0, 0x3, 0x1, 0x100, 0x8, 0x4, 0x4}}}, &(0x7f0000002e80)={0x18, 0x0, 0x5, {0x1}}, &(0x7f0000002ec0)={0x12, 0x0, 0x93, {'-\x00'}}, &(0x7f0000002f00)={0x20, 0x0, 0x3, {0x0, 0x5}}, &(0x7f0000003140)={0x78, 0xffffffffffffffda, 0x2, {0x5, 0x30c, 0x0, {0x3, 0x1ff, 0x6, 0x8, 0x3, 0x0, 0x400, 0x400, 0x362b, 0x2000, 0x5, r8, r9, 0x0, 0x2}}}, &(0x7f0000003240)={0x90, 0x0, 0x8001, {0x2, 0x1, 0x7fffffff, 0x9, 0xc0, 0x7, {0x1, 0xffffffff, 0x8, 0x7, 0xfffffffffffff801, 0x2, 0x8, 0x1ee, 0xff, 0xc000, 0xf, r10, 0x0, 0xac, 0x4}}}, &(0x7f0000003300)={0xb8, 0x0, 0x4, [{0x1, 0x2, 0x1, 0x101, '{'}, {0x6, 0x8, 0x12, 0xffd, './cgroup.net/syz1\x00'}, {0x2, 0x2, 0x4, 0x0, '!\']!'}, {0x2}, {0x6, 0x400, 0x4, 0x3006bd82, '\xd2}$/'}]}, &(0x7f0000004f40)={0x538, 0x0, 0x200, [{{0x4, 0x0, 0x8, 0xe9, 0x8, 0x8f62, {0x6, 0x9, 0xffffffff, 0x9b, 0x0, 0x8000, 0x0, 0x400, 0xef0, 0xa000, 0x10, r11, r13, 0x3, 0x3}}, {0x2, 0x9f3, 0x5, 0x4, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x4, 0x1, 0x1, 0x2, 0x100, 0xdde0, {0x3, 0x401, 0x5, 0xef, 0x4, 0xff, 0xf, 0x94, 0x4, 0x6000, 0x4a, r14, r15, 0x40, 0x81}}, {0x0, 0x2, 0x6, 0xf, '\x01\x01\x01\x01\x01\x01'}}, {{0x3, 0x2, 0x3, 0x7b, 0x3, 0x0, {0x4, 0x9, 0x692c, 0x7, 0x3, 0x0, 0x80000000, 0x2, 0x6, 0x6000, 0x0, r17, r18, 0xfffffbff}}, {0x1, 0x100000000, 0x12, 0x0, 'bpf_lsm_path_link\x00'}}, {{0x6, 0x1, 0x80000000, 0x1, 0x9, 0x9, {0x4, 0x400, 0x9, 0x9, 0x4c4, 0xc, 0x8000, 0x0, 0xf, 0xc000, 0x6, r20, r21, 0x99df, 0x2}}, {0x5, 0x8, 0x12, 0x2, 'bpf_lsm_path_link\x00'}}, {{0x5, 0x1, 0x4, 0xffffffff, 0x0, 0x6, {0x3, 0x0, 0x9, 0x2c3d, 0x6, 0x479, 0x6, 0x5, 0x7aa, 0x2000, 0x4a0b, r22, 0x0, 0xffff, 0x8}}, {0x3, 0x9, 0x1, 0x1ff, '$'}}, {{0x5, 0x1, 0x10000, 0xd, 0x1, 0x5, {0x3, 0xa967, 0x3, 0x0, 0x200, 0x8b8, 0x8, 0x1, 0x6, 0x4000, 0x8, 0xee00, 0x0, 0x2, 0x1}}, {0x3, 0x0, 0x12, 0x5, 'bpf_lsm_path_link\x00'}}, {{0x3, 0x3, 0x2, 0x3d5, 0x0, 0x1000, {0x4, 0x5, 0x0, 0x2, 0x7f, 0xd, 0xfffffffa, 0x117, 0x6, 0x2000, 0x3ff, r23, r24, 0xb737, 0xd}}, {0x5, 0xfffffffffffffff8, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}}, {{0x5, 0x3, 0x8, 0xd, 0x8000, 0x7ff, {0x1, 0x5, 0x4, 0xfffffffffffffffd, 0x0, 0xd, 0x7, 0x4, 0xef, 0x8000, 0x7, r25, r26, 0x8, 0x3}}, {0x2, 0x1, 0x0, 0x7}}]}, &(0x7f0000005700)={0xa0, 0x0, 0x73f5b767, {{0x5, 0x2, 0x5, 0x8001, 0x4c3, 0x2, {0x5, 0x7, 0x800, 0x5, 0xa, 0x1000, 0x7f, 0x9, 0x6, 0x1000, 0x0, r27, 0xffffffffffffffff, 0x8, 0x18}}, {0x0, 0xb}}}, &(0x7f00000057c0)={0x20, 0xfffffffffffffff5, 0x100000001, {0x1, 0x0, 0x9, 0x40000000}}, &(0x7f0000005b00)={0x130, 0x0, 0xffffffffffffff98, {0x2, 0xa, 0x0, '\x00', {0x200, 0x9, 0x400, 0x200, r28, r29, 0x8000, '\x00', 0x3, 0x9, 0x5, 0x6, {0xefac, 0x9}, {0x8, 0x7f}, {0x635, 0x5}, {0xf, 0x9}, 0x8001, 0xb, 0xd, 0x4dc9}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000005d00), r4) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r30 = syz_io_uring_setup(0x2407, &(0x7f0000005d40)={0x0, 0xf86d, 0x4, 0x0, 0x11b}, &(0x7f0000005dc0)=0x0, &(0x7f0000005e00), &(0x7f0000005e40)) r32 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x1000009, 0x8000, 0xffffffffffffffff, 0x0) r33 = syz_io_uring_complete(r31, r32) syz_io_uring_setup(0x29b9, &(0x7f0000005e80)={0x0, 0x64a3, 0x2006, 0x1, 0x3e2, 0x0, r30}, &(0x7f0000005f00)=0x0, &(0x7f0000005f40), &(0x7f0000005f80)=0x0) syz_io_uring_modify_offsets$flags(r34, r32, 0x38, 0x0) syz_io_uring_setup(0x48a, &(0x7f0000005fc0)={0x0, 0x1e2b, 0x800, 0x1, 0x2ab}, &(0x7f0000006040)=0x0, &(0x7f0000006080)=0x0, &(0x7f00000060c0)) syz_io_uring_submit(r36, r37, r35, &(0x7f0000006140)=@IORING_OP_ACCEPT={0xd, 0x24, 0x0, r33, &(0x7f0000006100), 0x0, 0x0, 0x81000, 0x1}) syz_kfuzztest_run(&(0x7f0000006180)='$', &(0x7f00000061c0)="a0bdfd577d9b7197f566393b228cca01c4385baa7bb418fa8f4f4d373fe58fb157b45a06ce1aa0aab1292a2a289ec83463278644d9a5c3b2419acc6bf9ff6dedd36c7c838e89a72a34ade91f58e37d884bf0cbc40df6eb8ad546eab730f20beba1d21deda9c9e181c8d866bff996c8563886c1e04f002fcc9415cbc094ac5b1a442980b176bff5d75d345e0a9aed8990a646d0c92e001a91a339a2304c26c5c0", 0xa0, &(0x7f0000006280)="3c31d6b003151438b96612be04a2bed8bea9be0bbaabbf63c2834fd7d23a61dfcc500a8f27028ff650839bf58b0558fcbd8f622167ed30faf626053a0298c9938199a79a9645e045d4381e8ecbe1f25d1e8141a6866bebeb104d7d1eaf9eb5830ddd952c26edc01118ee54afc9219c8ee67ac984b3bf34f659db3e896f8524bde94c7e22e6b01ad57f9edda0c017242686d911c5e75e0d60ac4508fb853e549065cd83eaf67aef8a89f5669d036ed9c63f09c5a94da9edaaf0582d73f29ec44592cbf969879b5f5eca1ec27b9ff3e426861ae8123c57cc9dde5713d5a37d552a83059ff0f0b4fa2f0ab66e426dd572415f1156e38f02b9d849c7bb9f8cfb6337bb5494addf226efad9d61dd3b407de131e140b4b8a2039aa09ac8a117bafb62261b6a07a06a04f68c5b3fda4ab7234ec1d890b9053282e252f2f475e7c8b0710834a30907ed1a79e0738ec3dbea0b36e78c835772d267b51969e3600d7af1d5d12ac96c0d16e9037e49c97c6b8ea8c00015aeb2c44070eac5c125ea5113227e242ad3c50c58d00f1d80809f62c64cb6898d0570fb51c5da14ccc27fb3804a24338ec5fcea02235dc77d304cbacd3ecb03a662d23e1c7ba46adb595075a01c65661b1a1ba0f86e50f36bb59f1ab4e483ffaaac688b8d4d29e445acf1930f9f9b34127c59a3b6682f53ba78b76fc2ac22ed046b7e08abc20f42f78a341afe95800ca073c8b90782112bcc64f078f58bf702da6de6af3c9da9fede5c1bfa5d1f488dd0095d324f0e03240d103c3973d8f05229182358fd160e41520cd42cd2c24abac126068c5b132c913b8c0eda44d5435119ddcd3ca2102f4c4cdf99c67ef97ef9f4f79398d415f35b7a95d3aa29588dc07d0b8516b91d153bb33736a011ac958500cea122ed4fe5e2ff807eaab692fe471a4cfa33ef687f718de420c8ef6f84c02406bee55966231da6b5bf3dd2a61c0c47a92e6398c0d452af5f1b46a6157f98ed0935411a2d9d33401655e28f68facd02b365479447c3eeb7545c977d00c328c78ccac39d2aa523d21fa90305420808c53edacf949c72f3a43a210b450bb27fc5330ad5b7a46aae99515a7b088af980a90b089357d23126aea3942a5539e513c261065055327a4bdaf6161b289f87ba2c513d22bf08dbe8953a6a740ec68130ac28173ea8a016b9a84633a17406d83bc02f6f06b7e8a7b90ce574de90884108aa54abbf6391cdbcae2a0aea44503b504aa9a0359c6eb68e242bad9e959b7ea93a74bbef1bafa9607b8d81edd3507e6e15b9d3e3a5df92d8e77568475b279b22fa1354e75e5948f2f051b01ad4164711537b79815d0e7f9d0106c32a2fb88746d5a3b6454cac3f1e1c1bcaa9ef662595479fcd75b204e35e593a776914fd9d25a0d7cfbe17a355547f56b712e4238a402e48881c99774f71f651c3394d398596dec218dce2e253e023f0f4fe4a001f58e2977127516c0f35f7e9c70a877de114aab4bbf0f1a8d5acec4dce590ee9398fc02afc83ad8f26bff8dc9915aac3d3aa267604e38ade6c96615caa3d1021b3859c1a20c2f0a7f30e33ec512247041388af88e86698c904642dfd6e6a5a878b1b668103e85d0d809c18ca2457f99cee0b69a7ebef439f82c3ae5055216795fd97b16dddb8f529e10b7d4faa64a01e1b3f942c462f06d260ce64f65fbd2cae88a4f0b75006f77da595c29a282f0443104c08e7144da74069fa22e4b0fc72bd78f4425aba6f5261d7e25552bbdc4674fb3653f8c2bac5a7e7e2ded7d52e0c0344b7629b0baf268714d338901fa68268f3be46ed2dd172bc84f627a58f95ef5945dd3ffd25b1adc744f33f3f37ab13b9a8fc5227d88b54ee9f5f5c4dcc5673823af3d80ffc5048c5978d0138e53b59d202011c8afe89be42b2f8dfa1dfae67b2dc98e9014599800dc200c09267ff48c2a178c8a6ffe8676b468c5f9e5769ad4094bc93b82c3048c9ffb317b227c3a43fab5d8c6ce1591ac7596b922ed54cf781470a5c96ca9af82f8827fe08c453f7e8c699bfd89c76591be39941b0f12e7b8849eb6ef322fe17ae8b6db3d9c4e0357da73309ac66c3a8c53a43cfcd746c8f3f936ae5b92ca0ac6dce8e15d0735687e166a3790e39d61efbd2437fe7308f3cb4e300f037dc688a5880df58472f305597263edac7726a086f8a1534e8aae3ccd98a4729c07e8aeff24995fceadfbf4e66901b80e632625ddcd5611ef9e91701394ee09c2fad9a80384ce899d3b6e14400a7ebcb97ce03f39e1a06d3c85bc96ee412304994a797f0fdb4b94a92db2cd7fd49ab6af1de388bd3ede5f1b580a1ff582b840039ce414476914e762698eed79e553f614fb92dd92e76dbf0d61b26acddcf6b7878f08ee8418742482b448000cb3b7d80618a556954b5e974a845e485ab6e62b3e09b8d2e5c1a177592d338328f10f9644769cbc72c12a96b12441f77c0891db41d84b3c13961431de4257df96d3b0d02c19870403f216cee6af1daec7589280146b73f000ff74f932a4be09d47f4773d3666d33aeb16e5c5b8044beeee4c26e62ade79d7adf54cbf5d17af26dd15833e4e0e15cb49ec7c8abdd7426cb75ae2664b5594d435cf2ab3cad63f9c0c6fa2d95eda6332782b2bc06f01b2e498c81a76d736e49b18714296f36eee325292691d77761a5485f3dc6eca28ba861dca79a880b37bffd0d72d253950946ba8548dbbe8b5233fd3d5fd9c428d1c7112923d3f6d9ff1e370ab7814e60164f8aededbe676f2aed19b3a56e427c9bc42dd64147ed60b0a533b65767bdc978eb737243709a3d902e874d879b5dcfc8078c73ba4b19087b285b6df2a6b82e5e85f131e158aa576af8b2a94f371f3211d0f40779793dd6c909fd8572f75a2cef9c3b31f48f09dcd104ae3a939008458b778e723537a60247e71c658dacf9a9849b9961155d35cee773f01f1b51a33b9a6deca480b4c5aeeba7389d7f24cfe046f33d36ac3e0a0116490a6893f01f45a02f47f0d5fdab5c764bbb3478372efaf575a0ad792e1e9413f44253da63b41d72bb7bc99cc298bf2560cae2be0c73e79772126394b6feaf31158d531e6271e4061ddaa88f0bd5983355b7ccc6fc14323c12d18fe6dc50d71939ffd778f4060af60591adf28708e0ef3ac865484f9cf4491a98c88df165d0e96ee4111573c0c8e86d6e2bb3460d7f51d7989c35ea05ebbd42ede06acf46abe60d10c92dff086b982c61e8e968e8b345ef1126ced1ec68331e83abe07f91e22d5e545b1dbc7bb9754a53215d3398c2aeb6c64fb1edbd3cc8b4689e0979ad42beb9a847fc3ed03aa001a42b3d5636810bfb0a0550f993fa1a31419c74adcd4cb3ee9a4f6b65d4ed8f0e4bcfb7c1aa7ef117487f62c595dd4f75ae8f64a964188f25fd2a91d3b773b8e459631bdcdb05318ed4961ed0352f10e08dd4fc80a37a1bdafe91aa6aeae70e63e7c089f86b57fc757280fe5b0fd4dec6e4d5d625f97bcb5ad86a89cdec3060869e53365350be21cbc01401e72af4ee1b2eb83fc9fe6a853799062b35f2289cabf7406216fc9d90e67b57e46909c90ea2f3b70772d15fb34f15f775f912d6b3ce6b10b360a945c91d18c84a7b601ebb231a4fa751d812a05fa2b795104e872c61f5c5f3cde042886015abc3db85f4a5e8bc9691f87029f135044deb0fbd8644552723e92282286b1a279bedb56c2fc092328583e7aea07abda5593c702ca4cb0e39ba16b2839756b0740c46c692c389ca40405fc19d7b839f51dc0f6b0b2155dee7e4c60aacabffac8a8ad68a7d3c0e52456fc051abc37922adf0e7c10bcf9dfd850d88c22f8e2154777eb57a4a30db4b9994ff94fa82a007dd05711da0af0426b7bad381816fc7878f51a1b7c8e2a50133178255e864b3631e9b77b5059db069e5ca7ad88924cb4f1a58129e1c899aae0e8bf760c52db31d399ab9554d10e7e94b82c2dc0a05b56b1cdbf48a2b4ee8845d51ed0438c27ec9f490bc518557234dd00cd6b031c74d69c4eb06320498a2c52982b6599ec9b06d722b1f83a36e62131470dc9e78c20089d13937f0fb7ac8313591f22fce68357be3549af620055c217a1cee6b9af48f8be4732b29d960c34eba193aa894b0f6aa0c91c8c27f070ddceb9d73f8834b3249ef03c9cca7d3d5bd7cf15e734c6a65a8f387c9a7c51e3db37d82c6f6d3b6be8328feea7bbc2601de9af9ba560ee27cbba3e2e38967d93f261b5155aa12eb9ae98640cb06fbf024b3b51b6337991194c5b12024592a81c6ff644ff35d5b19f287fa3c6bace4167e3d3ee14a1d52a4fecae1c4c2fd862bec826f988462b8c2a2259d37f5c8292bd6cbbe22a7bb58d5608dd5a5a9e1bb8cd586d894a53dc2598e3fdef678e7467372520510d6d41ab7ffe76ff020f85aa14399068c98b2f62eaf2cc45694284db21155ca1be2aefd2b121681473249c6ae483342e9f29b7597854e432ecffa14dc287670216dc67e3a5332437a837ab006c1b814aee71aea1d110b56d06d4db725f0ca737c95e32174813696da128753ec29fde16514e09cb7858c43e13c36d785b07038016974974e7463dd656e162087353a99b0ab3eed6493f1c8eaa8764cf1a37f667a12f326968bebc595abd62850ce0c977c260fe399bd1f4f88aba29539d30c6f25a19f21d53c9f77e1fe777c8113034bc6a37aac74f97648963e0d2e617786176f2d7ee559c9802b0f5596782e518e8592a3282a1f5defde775d71c3608d089e5ae98da176bcacdb55ab7e85f6dd571c80e95ff8e6071940828e3c81f5505224feed5ee0aa4ce8c67eabe138359b5cd88df7ecb3b3962ef175d25e98af33a5852fed2b5ef4617ade008055523829f98347d19f8ecca3181d49ac881252cceb3aca0786e39b8a8336755311bb1938043a4f1b0da621fe5370ceca0d011b1d5e8fd395e248d23368e0ded75d3c33a72a8c276d046927da59d7098e4776e3d6f054d35940efe40f9f8290ad287e5acd8e1dda73953e58df7bef8f6252aafe0e4bfef5ef727a4842b0a6192f70c0d3ec508e351c7455e059649d615dba9d7d60aefd061db25c28309d582c20a6e66d8792d76d19406a7f4250c0f61550869de107aae9c93d3abfe40f1003d088f28a60f25892b844a794feb7e94602909403341b39679e3b04f7b0e8de037f14686e78bfeba960a62183cfe920bc46d50d0f005a7f7f4850c213406cd49b578dea6d350b392b6cb084ec343f7056e7c6c9c48b2e095a1bec578eb413083d41072a55ebd278d37dfeb493c74fdaca9da1c3cc6e03201dfe1939b8377f9ba21791bc494f6048826f0b7ace207797b0d9ec3964aa184cfaeeec3fbc5a1dd35a833e4d389cea9e3ced435e00ef656ff0de644d6e25410bb2bd940ac08f76550116b53ed4fbefb112d58c2affd58692e35006f670432551f8aab3c2ca4336c90c787d41d2b7f95ea9440b17f019f88701a26c978aedee0de9603fd6f56b08e56bcd3ea055aa7883d0f8acd7f7de3498bba566c2c696cf17f931da1ae3347599e8be7e12a8067fe2dce14ab0fd6df97f1d10ad76dff5902e182746ffea03faf97552bf035f9e86ec23a8736f20031fe3310d1bee7876d36623b80e2641990f951cd56dbda61ca8aef2ba14d35fa8f495977ac3fd7aa810d065315ea8007c8ecd85acd6d65f2946911709b1ccd0e629f56e01b040efefd58f35adcd00dc49ff7717062b24635d2e5f1e9a7db8e3d5786680e396911924d6b5a6c2d1dfe98425dac3019a7d8673609027c064b60814ff45200f18d05c328bc346f41e5f5d68b66569418c3a9d9bd04cbffd13db9d231a405754ef6017c30cccb7e934ef268f9c89352920c765190ac8817f9f98b6715a9847be783cafa0a86d734373f51aa8854ec72c6539ae162504336e87ba7347d2d7f6a25bfc72560485008f3e73e09bc6259fc3f61bfd72cdfe475891c5423ac4f10fc5d95ce567486fb661e232542f1323b4ba00a54e6ace661f685fa324f8835697ac6970f1c2560f4c2ebe0c834887f715ace332763993b9310b52e178ea9c4a145bbae5d7baa9c6d968ccc50d3cbac54cfbec1d76fa2900fce631ba341bba565fdecff0b09167887b0bf10b6cf6deb6a8870eeb7dec9ca932a57764a6385ef07865c467ec89937d8e40f91cee87afa25cb2cb6220bd7b0d32526fec7fd4ff663e557bf0e4b6e8ca3bab3cd035baf775c495a127fc026248bafb4735df8cff8d6799778feca624bd86158960272dc75caffcfd4c389e51ba43ff6d72caa03a699ece23d67dd4681dafe73151feaa10de5073e32eb46bb5adca0ba62e8dd922c8c80c5a8008ec80b75e872f87314b202fbe4d662f065eea19686338da1189c8cfc91b7cc63c1d82c797f98243d79a916b1416be117771a533f197dfbc7a7dc7a407c322c2280668abe1770b3de472e3129dd35f19835da7cc6f4dd7ecc82d20ecd267ea64944a614cb80b0c735444b1d62bcc9b760d58405a438fde50b4608c75306b8588948dbd02db904e77e13406e49c4e3b2491331bab87400dc903187d1da30df2ba51f54cb1ba00534b367e4b176c6a7ade4e12150665b8631fa6ad2077595a27bb4cd3b7080b8cda31b90566c38e0217fd024c374c7eeacb92742772e86cc7cd5a7fc36198af615fcadb8105a4aa2a08c1724d21271ac3c2ce7518ea67323fd3fbf1c0386c97fefbcdbe2a6258f1e9d3c09a13b50136fe1fe5f98be367ee368a15cfafcb5d5ddc58538396d78ffc2e542add6122b6351eb3f58aaa72870e701231677bf6a5c2300abf5740a26668fede2034f504b004733d4d78a963f2d877304481cccd5d2d51802c1cdc50d5a6d30d39cf62b080b418ae316cd89b4983943d8d3863678d89029b61993b58a221139efbc22747ee0e2d71c6627d7f1a3f573413de3af9f51353061a06beddc9198f2a68b57af54997ecba8867f0d4abf53c5a2a70b69b901156c3d0168463c8ff6746a4a7e87de9ae82f0816918f5df295369038795cac58d7707ba1a23c9cf9a3829ed17fad094ea1f4ede9fdbe844fa251bed775a185cd25793f8886d8eaffdd467d0fd5409f268de34da59beb7caf16878c066bfd13b16c05e4712c0e89264eb83c2b420690f5dca4f23f3beff755e1f05d2ff467fd29e6770b19f9b89c3fbf29ec69d1c29c1b1695f97997a086a73c27fe70cb4ac633733fb6e9898d822403ea637a26be636c0662c91b5e4ab19f022994957522a4779375c86ccfd44af5f42a6b4fede96592468be15de60df5f6544d6c6012bd32866196a5638468f1dee9e70b87085066942eb40ce4727aab03003f4bfb216c7ae54a45f0fcc18c7007791b26782b110de1fefa77831a3fa943484f0db3265ea587afcfad2b66ffc922d6577fa36a24151069a410ad297416ddc8cf27be264ab8b943d6a855debf254ae75046a008c607d14367739a6a8e5e80a2490b3a4b45d147e4310eedfc08245cc08667b0d9d0b4f26e252d36e85a8545a3146028616b91971bc952aa4f962aaa067e0771f206e9a956135e5ca8a02bb02cfed9087d589c0c0ac361ec1fcd2fa54478319fbc1b6e3625719f4fa7cffc759ca5476e66ec9431219b9af288c74a748454d77ab790960652c2ce6313e85522072730e30f483598a2f28165681c7475e44640bbb06dbd89ca467e2ff9c3968941ee3f1853ee334bac3175dab98fc51833e3cc32262967cc703d5cbe768614a94b51eebcbea3f99e1bb5140b389451ca8d280b3027954f986ecc35d4f368a3ce962785534309754a50cb548c8b0605afc07f5a8f6d8ad42774fc6d2753296e89109a075209c1c72d4d8068ebe0971e45050c9379c219e0b966fc47906d59fab98360bed11d76398c72d9c6df63854428c841e5dfd57aaa438bf9b35058c3e5dd0bb5457d1387c41f12959bd53583900906a9febe491c8f29ff48690dc78c6c463cc07e9d8ccfdcca4c19f2bb4e20f64b3dc8d0897507d270e613cad6e2802d2c74d174cbd2a4ca7c7d5decb81ba028144be39102b59b634c2e9c7c1915fec3a0add2c71bf686a120b9712007bd8be7aa63b55855d6b75a49ae754cc4156b1ec741d8793154daa10b3238aa2c92b18c18c3a691cc9624464019fd130a193e9ab607f9981ded6a2ba12f043fba3df5378da5a1be9da3b99da3fe6dbfd6f7360915df1c6a8bfbd8602e7d75e92ea3d320e7a43712326317b3c627c503731b99ea669402cfb9d877a190890427ae90367cd100f30428f5228693308376e0437a530cf7fff01c2a8e23ee2a345f820f8e1edd2d52654e332b690776863006638414425201e43a041a54735afe266505fbe93ccc9481487e31b23aef7940eb15c366995f9df141e5069efe4a48be1a7d0d3a239a7c5366d2bc4e209fdbba85584760450324fc1e5b41976e1f90788be645940828df62732754ccc6a248b0c7c7ba01745fbb13cf426af87bd54977d59b6fefa32c294320d1fad0f3ddf09bbe14f7e3834ff4999114dbbce932ab628b269db47efc58a5588b9af3e5e7ad34398dd47e797be4ca027be70549d564386956cc4e4cf9ab4e80a56394d05bda246fa4c87c7c3982f3c0e65ca5cf8b3bd03c177d54779e9f42e74f1800006cbee91b07440512f8964657327a6ce76e851ff1e6592a238c427f5d96feb5a8da875bb2bb6e172f6724a46f000a58a687ef7220ad71d9195ee58bb653f4d3cb7f928e93bef0a56c9d8b659ecea7ce2514b648a46059fc3edb457dc6bc9f4a1ae7fd9916de52ea35e8efe966fe96cb60c63ba0e018f85066fef1e3452aea7b86a6889e4018528bd0d8977cef33042f08d09503fee8cdf53f3d303488c724ebde9fa0105a65b89c547490f515c5ac675e51bab8b75e3d0c3f76d1074f3c7827db85aeb48879ea3e6241b3649bdf2ccbbd5717a4e1c5657ee22ec43a90c9d620a3cf22385dd47593902572eca35b566ed70905f6c72120e14022db5f99f52c9ccfccae45e97aa2236c6126bd20517ac93f049c7917104ec1bab4a723fa00c01e5b451e6c1737ff6ef93fe6ce7b35f71d231ec3b60f85dc45bb6679671776b3c0707b8b628dba87e87d2c1e9f542df5855cdf97412eda3bc1b66fa1b46ab1454afeb88b968c2ec366e42edb519844e07d644f378f9894fd2007884e2e2c92579e41f6f63204742d3aa278e33bf76f7f6dc674dced943bf18f586559efeb20f54f1e72117019c25f5744dd2e72298f561326175dba9d679fdc26c0c807c7c213cd072a0c4010fece820f6462ef6280c3e6476c0e3a9ace1de26741b4269bf0abf36df607df7c9bc6d9de9d42937d0bb241f5fd36f7c3bdb418bfb96893be9e3c4a3cc7a4b40bcf04b43144bc6c7475a215df6b2f296c772f111fb5067f48cb5550a0dc48c5f6fb9eb83d9f8eb9afd10619e3cf7d87b2e3864c68a48e7773decad778fd43336ad802488f3e6a4a4d642c835bbc4bc779fb1f0f770c6f05ee6c2df5e21bb8b25862df4eca4cb5f8e6d52e2ca983c88d8cd548f6e336ae38e8970a8957fbaaea4b06ac1c973c3cad3e26eb0e26216926df865d368997f4998fec334add690370ac94e16e2cd3dae8ae92ff1a53c4cac5e073ce8e328a4ae53eb8d9710b23b06488e041c5b506ba3ef65e9d848332dafc59195f35710147a81a4cfc4a9cc00a4e42ed49eecb0ebe9369902fa4c4030a06c83a8106170ed1cb5aa1f780e1961d815d7c4a189d40ae8e696b059aabf7805c1238db442b024bfb98ec9d8dab7e2fa7a356b58162c319a25e758702b7c8813a9b5c7a70e701ca2f7375f1b9d905f7cb5c38771661db8131d2ca4da1e08ef41a548bb9426b5a9df43f6a00fc4ff9f225322c1e7b609dc99f5759256d0a8e84dfc2973489f37170a009b6e37971c7efefb57c444236d9f5196eefb43da82ba1aa70175c678300934423f1f75b79b193e6d1676eca62982758b78571901a74aa325ad866a7cdce8835a9f3ddedd2ef6b56f4a3daa2bd1debe33a2f363dc042b349097610595df334d6d15dfcdf7b8964df708643f1ae644d3f1789aac2cf69bdae8a447c925414fea9c45eef3e26e57323c92791d5d335710b4ab0b51da83f40aae8ed4870e9655876508d280cc4b837915ae0caeaa88df1ae8c6cd2d4f9a9a8ca75c1491cc316f9a5a2fa68f508bf980dc65236491e3995472b25c7f7a70ffdbb89104136cfca7f4fc01f147a698542ffd9694fea9717c70269d18fd0577f236eac614d2e20771d026aacb9d63943548bcb515f6219722b10811fd0c748ef5fa2c33bb8acf6c55178f839c72d3aeb5f0c72726fdb95ed5ad0a840754307b5791de1e066e5c6c1ae15c4e57b63abc32702952a1720f473b77f0ac82087719b7ce82c3daacde95b46d47a44a89e296b3cfe5fb592a7858aa0730dbc5c1300e4b04465cdccdd89a2fddd2b4ad4882bd2ea5a337ba299762f0d9d3cb3793302f1ab639797a5d4602e2abfc41431b04158a3d99b2ab30d8793944ec4ee01bb3f9fb490aaaa164bebf0361bfb88b76fa4f3e7fbb7bfa0042b81ba6335c29f2d0802c6604857684d47fff4ffe922b6a98dc4915b37d338de877e48d8aad5b9b071e9e16538a4ad6afcd3136fff076f2b5e8726c6b561f2aff14a296b77f1bf619eca7defe845d24673e3919e8682c9a9cd40babbeb4a521a8877f7243335dba7bc2ef5a3983bc4db3633e18a4ab93cc53d09eabb39f06bd7839060f56efa4285e22092f999c9b41a926523c125ee41925f618b3264708fd1a7de74a5c42e7240b9db15ad15ac1d15b828cec474f517c5c494cb91abd4882f75b0fbb552acdaeefcd60535229a1370680e54a7911aa14c226e489007723a62f24c1164defa51f1f2f4a1ad5fbb8410f0bc7a759cb1bd8d44a47f2516feabb4a0393f4d95a64b76d9529272303451f4191a2b7ec214f0c6027b369f87da3d4b82c8fb4fb0ae305ed8de6f7a4870441243dfe49965d2d27e68a98b4c45f38f55e8fe819fccc1ec58c4f7519c87fe8eb5b6faefcc65d0e6b81136c844421e8ef070193accc45e7a70b9cb0c33cc2c7121e4f7c7c74347a0453cff1ecf1cd8265bf2fd364b6bda8994345068972c772e9c5e90a2cba218d08bd946bc6e5af93bdd9cbd75b4d106b58a81bf144e7e2d2d7696f9476cef8b5bad3c08d7881f7577b30303097704ea382f8b4da2bd8202ba5ef113d6c0aade0076b213d89a6f49cb17f42f7d5f7fc1a222e79f5664dda24023ce39108ba987988b6d2fe2f162f26319aba13f7831e8d4ce6204e8e4e2d3dc35679e065a986a2e6759b3bcd5fdd2ddc82326b768323b57f3b7bddede273dbe9d69bd88bf63e25e81b77cb80aa50b8ddbb5e81eb987679e121e1d3a25f65c3f7b462f0a7d188421814cbce3195c37f2aa47615e258f050deebad7a700abaa6bd6e0651923ef7af808454b263417050af8903dd0729cfd08222f1e545773ca33132f065d2552caf5d82b5b272df91f172fd6780c1abd517a7f46572694a42d3fbfc12e5c0c37aaa082cb3c6aff88c047a5fe8e1d8a92bb3307cc21bc6fc3e440ade6e49d542041af75397608dcbdedea4dff521935bafd53f2a7550d726423545d7d17e0a34db154019462c1cae55d83e7f232eed4ba2bd8425682dcf89d70181b326a65a47d49bea9533d9684b97b0351f66353590763591b4d5ef8ef70014335d677de4872d3877a61f05de65061a0a0d97b1267b9c5e45176592a17b6291c8e98305dbb7b44f4e2b69d4251249210dfa4757ca013540b0ae3ef3f134dae3c1bb462e0204a8fcb1069f1673eead8e5feafdbb4c9c22fc9d0e6a4c56eb46b174ed884c736557f7b60cbba6a9a4b03102c11b09629f74f13cadf7ce7bf2c77d4de2ab63461fba4199ba61eab68b3331dafd8fbfb105ab21b6a5dd770372c09e23cadb64560c242f06006eaf0d937ea3043ab2d30092eb9d5e3d5a20d2553ec7a38de922dcb5e8b893d3953b3586baff0f11af2dcb1aa034be5b0a8b14ff802c41ad149afce5015d9045b3e1afc7e15231b2e4be17a9eb57949e6f5eb189773d9f465cd23fe2707ea0b2f15f968293b29475543d74e0a25067f19b8652b9890856ee9fa06cbef42415181695a8d0a1932b82fc7a88fa4500356e7af723534f0d7787daad0051a31cb54be90b52cf61b765f426bcb126b928382de48cf9e7c99765fac289b18ac20a1815daebf7a6a3236dd26f74e4eadf391898e05e050f68a7e564b2c2daeae18d06077c28633e72f121c3f88dbc3670992d4735d1f47131f09fe14e21fea8b52ba60b5740b873c3702826a7e38e25dca652f8e5b4274936b0d6f49f84282c42491f13f0cc006347b0c40a0eaacdb2cd8facf845fe86785ab6fb22f770f045c5a8617221ba84a003fa8b2a8fec44289932d9536179dded0cec31a0fbb9011bc4e2aa2bfefd298f681b1c9568f02eefb8afa91503c985d8b8d98966f45f7250f6e269ae1eb835a791c8877a1d8ceb0e7b794a7d45e51f80d22347522956c25c962f956847e243ba03842cddbd103d778735d08a3b770353e49514cc710a44de5e31cf5832c3f1ff01d4a5fcace8054de807227da77b665a386b0cf0d74a2c99392d65826c05704f3076a22dbc7dc4102a923b45fb6e5d3e2133ad68f1fa91653322a0cc5ea8bfa2ff90db9d9c9abe21a5523a1057ad2bfe25375db1721b48e61d93b30d9e8f59d77a3871f1fd02249c1e7ef717e16bbec7e194926f6e55ca88f3674a0de2fc8ab9a935b38ae1a8769c677b4d3ee9242c443f26c4678fe5f969589f3248036e0c5b901026e373fb4cecb92220044bd05267570ba905b745a517a74b833e51384f40d7c7ea3993bf791285b53d733932b7b5d4d2759c141a72ed6b0cbefd5ef4ad00d303d52c104000adb42acd04c6f96cbaf7a3cb88affdf2aef627e8c2e9d1fa9605780b690ae6ebe62fc6236bde847c7b0757c3449d18a7fa72fe1f3813504c08ee64ed086b604571996e9cdf798f59c05ca7fe7cdbbdce682cdfde25514d3ebef68728d325a2204b8e6b4f845957908939648b9d274e24802cbd6714fb4f54cf22920acc265705281f352b946ca49ec17f609d24b4d8ec05292586733f45a930b903578afd2b8b3a2120ae80dfd76dbbaa491601ace0512bc80d86a47fa297efb5684d6c4a1d0bd60faa9818fc2ab7430b6604c6689c288e36d93510d04c3499181b16b7b085f772a75444c93dd7b1a9f6d2e9e1a984053fbae7275e2dbed3bab060fc058958420b1f45601f773be1b9ec04a4d1e6125cc4905e55cb02f089d4d513393478ddecab5e9f3deb8b6fa9b36f8edeffc87c37e2c898744123132c0d438fd1e0d089272373bd7b651e32d11e2b35b7175f2dbddba02ed7e4c2bd4a5c458884bb8c1834559efd6a199d54a022530b5399de69817f7d5dc381484b56915ede6137862c9b0d884e3b0f9062a98d3a2e83e21752f03f5684b89899dcf3ce38218d5aa179e81798656a81e29c84cb64676b49858f91bf5cc1ed0d299e796c4c85e7b39c6b01f77e021ede52aaa1bd271219bf879304286ac3b836a75501327c7d5802c88c39470d2df0177c8f13162dab8b850c7a0eebdaf16126c5c7915adfaa5dcb8a1f206dba082511835a0312e175c78cea82c19aab518e638e849772ca13e717cd32fe15e6b062a19c5457e0e07e19f0791ef493f7e1dd8e24dbb0817b5ac872be428ebc98060bae73dac900e0b92be6fa4376932f32bbda59cb33a4220062c7575fda71056d339ddd2e774200101134b87fc72b7d86c053eb97eaa59b5e745d80ca50b045a0c8a206c4c65ee82122ff502d260e0ba8864e5fdd6a98f12836ee425cc389aef2633228f39d4f76369d69176fe115f7768abbce205b7b528c3a90eca5da1f2aac464665b928b2d1d8230e02c1eb2db4e5171a2ea77ac34f32df40178dbc235e955724da451780921aa10cdab492636c93a1305d26c0cd19853689b098b52f0b887241fe32833ca4f6ab0aabdb4be87a41aca4b31a4ab87b2ee112a9f659d14543698b8d45c8a2d8ced94fb4f5c134ee1cc133edd1ee70fcf636c97670919be73baa1b66d585a754643b71f6c48148a3bf65396c47957961ddbeb43f3d4f95d98f5132153b8520a8c6d148d9b4236acf5b39358e67034d5639448a12a42b25caba714cc3954b5a347a5e3ddab7ad1949bae1ebb632d20aedba02f38878509acb870da58131fc95cda93f951b003763b885d726ef7250e2d8fbf22a814cc58013618f28106f43af86a62619fa6e24587dee2d8f91bb4a8691330faa3b9dce747cf0f4a87dd735b4f1d214f79208cc12a7162ef101ce144fa220744286c3cc2ac8d61583cde2f2253484cfbb18425712f1f8969bdf779fcfc28ca94775add2c9eb9920ff4f55d872cb95ee69a6ae1ec394fd7910e08f77441f31d0a1dbed3ccf62df333dc301e71b1b877c4343845c6b8d496270e2f7306451b130c69116313c51c9d0e8946f5977ee2969a93701d7fae768f3dfb6adad4f3390de9f7bd8ca091b32fdd68ae647e3cc6f2abea807382206a84996287316c6b4fcec1c7f6873451f546855c67f33b3c318a1fc37fe0c80cc86616670b4d51e96307197f5f6713dd1eb23b55466b450f3e92faaaa49774206d3b57bbffa14df0efb04a6e34a1f6af845903354571933a8b43260d762abda1c033e5485e76f27dd28c1575355927b050b4856e49e1d8a8640898bb168d8c3a05392e4a4285d44b26f15bb60f36182be383ffb54082a71a8e59aab0861db87af02b34ea6c91927a4abd506f662d17c59ec215456f8100a5ec13eab566e50a863030f916383cf00a151102ddbf8b468f4008a60a26634d55afdbcdca2ddffab7efd6e8403de28d5a6cf3c139f90d21c3d51f380257e4f861e0cdf93943d0db926dc65eba8785643da0238a02f39a31f5eb1c3af6bad1a6a2af06ee2e001b11704858ed59c5bf8949182cde0398694e6101eb977a1f6d47de568784a4b186041980b21b11c58b40a893873424fd56e41fd781f79100b5549596c38de5e90646824da314666266107eeaaa8bad928fc776229a8bf85817d3dd01dbedc578bb94a00dc3137c93480f585786b0bd777e8eb25307ba253e8d8e4ebd8880f2a854bde70ecc8d0b79f8ebca5b790d649d7d55777a4ab3126dc7e0bfab9a2670fc374799387dd22226a48b22ad303c46e2298197f7887dc7355a90485700c296f330ba6618a9b6ad84236f6610444318975a7eb459efdbed9db51f36a9538e2c1be53671ab762d4109dc36fb7eeaebb80d10c6f98591a29ec8f9472cb56467b258ba53168c021a6a79c126c1c5bb600f9123d02e0d56d2345f6d2e7befb2b05e111807b4e03fe70244e45070dc407f32315227b7396e2ab97633b8079b4f61c4987f775e9460e47ec26d109464589b847d1d684bd8d30f7c699da25208fa6dfb9e6a9c9fdc38f19745aa0136e41b5b3d2c9c98b362492869e7e8573dfb42315544fbaeebfdaab3b9d68c7e6dff07f6c5a49f0432401201c27d1d23670d7186838f5b2f15bb6f9301896035c34bc10f6bda13e7a85dcdec1c140f4cef3b35eb52c46e5386d125c2c04d19a5b739a2c6d1cd0b5c9dfa085f07202b4dedcfcb04d9265fc56edf9eda488f303f59f3f9b2f45933aad543c0cb8cc21a72230f59a0429d17a6f73a7ea7eacbc9035c3db832174daf39931f321c40cdb716d69d83758ddf9bdbb004f5970026ecb78b7fa0ecb95b42ebdcd428423ef74d56314ed579b3031ce4858d9818a23eda71583b2552556eca75526acf679f50790fcf9b4286ab9f9e9db094c63cc53be2e6ba7ed70e0654eccb9e7b73b310f48d8857be68c00cc330a629757d5aede52890fab53f772eac290b766df53bb46f3b1205318ceddfcbfb2151e5548864389d8c0e11892f290356d141a03767eb295d4d37af299688277ec3f56b614a8f641357a475ebe362c14320a68e8b5af14ddb58634fca956f367af25b6a7703c8f01be59966cd2fa2567bd74fa992a148007fefeae41a6aaf3ba0cce34315f2e2314d3d1f533b90827c1ebf9e7fb835ed455c015a6d004f25480805423cc5df90742d1d271ad09c1cd84e4035afd0d334b5361360df0ddd089e91c48752f1695c0b2e48c52c3a9d86d3da167a272026e19b75f726cc92e7ab0fb1d101648529d150773ad57b0b4227cf6fbc9b0766fa9c326a6ec66d3f351f2e6ca1bbde52760805550e64a82daaf16efae7ef879036d121ad303c3a26f40fae2377afe742640e117fcf766dcd016afd3436fa24e4d0e201daff85087f84cd839fe6bd8aa1cead952a942142fa66b314b032364e93db2267bb5152f6a731285e602f1e513235317dcc39476b36804a0e3abd327d6c3980d61382f31aed40bf0d758182af3c942aa836332babf38644c313491aa13f3206f18e3c68553e8e64f0dfa580c4427882f6fb134b0d33e21c30a495ff4a9bcd0fbbb20adce22fb9c27cadbd2fc48a195274f480075a91f2264c496708481e8e3b668d41482ecc8d2aae7ac140e8df0af2aaaed234ef0eba355a4944f03370c5f788775dc858e09921c3ab2fb180ae771178f9f5de6759e890620a4975e420916d455b965d3a11e0be0e53807577903265ab93056b518c7c62da1385e26f4ee1c487213f6ac8f46890f98ae4dbc061ba1cd4f8957e6c0685d9aa5f3e62213db2c33b2d82529a030739f3cad9a7b39971c05af8b606826dd5ed5159e69d039ce6a46c9fd16ad459165c352f8ca296f5d0622e6221947c3a064415deb731ca0727bd87f56dd255327badb39718b48bebbea61a5922a24438a15fa82176241c1f43c65e4f5e5305a2931897230000764e64bd2ba15b61aa11c2004e43ed66b265c219c254df7421c5412dd7092cba2e3b00bf88a39ca483cf5ef9495e1941092ebc505ebbf93f452e24023d5f8b81c613014a14a59e78a8f50d617013d0df9263e33c479c5ad4dc4462772236819c674d7cac8b8e20b287d7a8b48824cdb795ae71ddeba2c9d20e39378c24bb24fa679910424bc1f6ba761b2c3800a625fc32bafdec7733bf02ad9125a4464c0b0cb49735c81839822a8035046634ebaa5147ea6aa37d8b24e03d866d7410c8f9cddf77ab08142c163f37d5b413807c29b18767e7d23d1de72a13f10799e40c8c41d388b4cce82c16b0cccbf5906de5cd5748671e16616bac19498560ffbfd73fd7664140c1829796b99985eca15344657d6cafcf3ad0ae94665eead0df85cfd69c9356907a5005807b77b80a14411023cde95031f23db51bf1d312244fc8feeedd8381a1b34b61f6f663274a64a6d35ed61d8312ccfc1f82809852b77a1f2d339559bbb65820d793b566de6aaeb0994ed9aae588e329dcd64f8f0502472f4965b686a0a12c7cbde7a8d0b86e81c569ab586b3d80a8b9998a5fab0f3cefd33067b69ab9dc66e66d12265c862197ae8fb1ef3d55f48b13ae86cc4c60e312c9b55111f17a40164682f6867ca9f9379796bb690cc14c22395396df33a066adae7547ea133174bccad28c533099daa1e9226ead7f965befea6a7eb0b3c3f5e95b378d70f0ca27691f17722e871f62b259966443645cf5ad5154026b02afd221d0dff6fc733d01edacf24310a0653ee6ae3d0190a3cb14286fbdd7e5adf365bdab69d4afb9a8065c4b6057502a8461cc614f22fafcc747fff299c4fca9064fd197a6d3c51472403e7e47812ca26a62f5ce0c83f60b2bc588bcf05bc57ab7fc41b7dd536d04aba50186c6715a1ede0e5ba5488a7ed542f0ffd875ed2cd704ba9be150fb616b7c77a54e58023344a870acf3a4000a1a8de623f34131ee7acefd53ce302c293ca9f2801944611ea3e5256b37976cf6c063582bc90054f4bfa4361df2bc8123022d0387e4300e0cea5fd87753c4618aa5112dfbf089d529f4564e20fdf43f2334b55e64297c84fee5b83a2ac4f598c55b6b7da4f443f7afb4e493738b536433cb1f5509d967933a30b6c3629dfa817e645b1f4f0b942c5711a7ff22f33a8ed5295887fc44866ea4a1a383c39368b11d16c7be67c7e789a0e58b7421a3a116894c3d88da9799435e8285b79325fd143074e3bd20ed02bdd0077339e8c594a9274c9ba6158e3d7bc37d74cc4d51dbab3ccd469de2b692b8547c332dc74a94161df076f63c61cf7c50541169516f302708f48e4973c4c0e8aa960c228fda374969b5d0d606fb96f6a8bcd57dbdfd0d09d71eb58d1c5cef93f023a63c54a4ad5df397618fd4e9a0b925bd2e260b879e14fc5092c5cd217e8fa90c274faba7cb8b0c347178145902b021b015edfcb0afe36c7929306212b048c16fc8db03e026178a4fab71b427eaca6459ae2c3b1a36cc610507319e6d7046c6daa76461d7d5e4a4bfe917da1187e76cf0fc49e84551d7fe6b75487256b3372278a78cef0b20e9b1d73e20dd7f3a1600c0483dddc807f48ad631eaea3e99f4560e64b788731cf9977d76d15a2320135e354669e825c7254ce250c405d3662329b6d33267a7268b64d4c392e9531df2d2d8de0f9f166d8f02e54876e8c626cc1566a3e3010843054b8b44ccb7cb45ed8b050901e09c5e2d44958b598307576c7160b927259b407a1e82b3c713e2de49a2de21f1e19d3f1c23369861585ad6dd802a67ca075c730f8078d848042533b1d4518cd4435fb7c5a58a2a957b559af12af0bd79bc2cdcd920167ba949b683ceeca6853402ab4d1cd7fda7d74ac47cdf8a188fbc1ef7ab59de8e189f25ce6b8d3126b31eb836495089b5ddd51863e6b1dbb33f1d37dc74851cb3b9e961fedba22ceab2d251d493f6351d44e3151176e9caf553cbb9212c4bbf9a3b4bc451d1c4351cc1d74582f49b6de28cc5ecee5f7724f634695d12a49c5ea57a5d089c421ac4cd4aa6c5d06843922c933b5ac0dcbed86e5cffa3403ce6db406e130e8219755eab1e37190e2c737a3f3865b9ca7925f50e4ee1c775357579e03ba0e7c0731ae9e62cf67901368d376510a68da69b22b5e60be93c75b34d0caa2cc4c327c72731a193c93947837bf41ec25c0cd50dde47d0740cae7a99117b76502191125c43be006e6b66c936a3f7e5a38806394a73e292e2e9d8aff930b4498d7cb0fb7d928ca84e8b33bd0ca7ba6153e5b0a44e149968665ec673b145950b3df23e2b141871f1a12bcde7cfd10e35e42bfc1247ad11f5b5b6b287ec2e45e09f090b0fdbeb4379219ed5ffed9d40c6dbc9a93498a8aeec7133af2b67a94b470a56e774d5bc6811401caebeeaa307c3edfca3bbd374837c5a29a1f6ba1a2ad05d60aa94d6ed8f20ac2ab7bb34c7cd0d3b585198867f83b35296aa25f7b3e0f1109288d9edc75b3b7827179eaa7267daa441844de39cd1cd2894adaf8c9b620af809f99b997e0b93f59affaa04c6224521159af9f3ec8dd58494c17c4ccef738db8a1752b298e340d254a8fca7edb6f6dfe338e87edda4672783f6b7335526abacb76ad482ed520484c47717bc1c774caae5d787c90dccf46245e7b6bc9d1092a9580ae4561266163cb9ae7e3956dfbf90a957d92c4f192f7b5d589ac0eff779ef3dd28fe124539729c8520f94c42bedb7d9dd77df55f3d33540868159bc1b5956018814b1d9cf51fb3969f87bf15f292c12cace26b16fa73e77f92333f756b1ad5feb8f6e005f464eabfe45ecff277fb37272118ea1e2d2ec655be3f6e45208490faa236cbb8c459a9829aeb155966db6fd80d85102bd9fa4d549bc3af927e227bcedc668b86a1c63ee7505f32ec7f53652cad65a71dc6893a8db3c80d00690683f97b47f4297ac1c9d92edffc70e3fae85448078b7a7223299d9de7211dde2a7b7a3bc0358c3d16da0953d347aba47522a5e060738d35dfdc14a3a64c8c694016e0daeaefaaf50bdab9d6b22a0abe2eeb63d18c2ade2da22db24479fb4dd3fe131cba41cda5f778ad2269f4eb8d59b01f5772d03d3b7368102684b40490da96a68c55b1a6c0e326e790d9329042d7f3f16a5d6294b3235b0c1ad2b3e10fc8d1b5a4deee6a8a310d2fc6fc904323d4aeda962232c7ff614fcf123ea7432dfb688ce725e0cc22b0471c255497137ab3dc1f23442dc0b980d7939c39157fcaca0c49e625694c923fdac5384346f32cd05dedb78c13aec24b43605e52f201dff1565e0f7a1b3d99288835b540ff45ddd41e8c9d81e23f305ea42c6c39a91e0b81ec2376f2257d3f31f594a387450e9fc82242c059758e515ec761b5011d89675b2414bc5f77412ccc8e8fd6b4ef0971df7b9ac67f18b3cd033f58f17ea3a29e9776d0608ffa1a5fec53ecbd7cc2546bbad131a2a3a71c141770b819959e4756472426cd9fa1a55e84c0af81a2467b785a88f31e09e58e7607088462fba2049a6d6d74a0b0bf89f616eef5f3fe6721dc09d3663236a2dffc81e7e2b9730b8fbbc2c88b039535770171fdd5f00c8be90109790564651b3f0955054f853aef59c91013f5a06f62cab6d9336e3223f82a725c8c39f6c9907f4606275a576c83bb5f46a55ca5ae6c19a327350345bc22e578db297e7f27653a6bc8eeddf3f4af44656264192fd44d9b03890826c6584f0384e6f1c431fb035156397f4a306637d78cc243f01e26e4fb2f189caeb114340909bbc051c222069507b5061c429fc1f072776274150d74422e8ecd1887d07a14869980ca19671a758d8316f08aa49ee03295364c6c62d9345a2bf2790becdc49ebcb6aca062d122eda3e60d45327efd3e5b97169cd09f9908482e1c25b1526acc2c958d0452cdb9eb69844a13a6cfab5f4da1cef21740348d7742f094bae5e98e86be11ffdd3d271eb6981245aa4111cc398af055a150cdb232f3d9528b7cb3230bd017e53020415ed11e54e40e60508f343123017e4331bb15335ee56e7b0a78f0d213c7fd8766b7bf3f74842ecff50e1e06711a35ff387ebb2e513318a082af84281885e5c94071cdb1da45fdcd819ce9130d8ea9a47969131feb78d765963a8eaaffb7c32d5a7467379fb01a41614fb6019cfcbdd60a0bd90eabc5c41e49fc49104fff6f84ca4a0d2ba395131ee859672bcf6bd3ee559a78317b978cfb23da854d8f6a6e2f02b92228ca77b287644a410e027297e6f3ffb69cd3688423160b2605437e8e6bdc693c3dad240ffb7c5443899b95f40473a8a0a84011efdc1666fc60cbe93c991185f472c489eeaf5b5e00c92aebe9e7831f5ab1902c7a12089764c8cce0f40a482e22bb49f91cabb65a09d31a22e128bfb2cdc07d94da808e112c7aa4566bac4309c9836ef6161766b69579924d1b55077dc78c8e755cdd501595ae6cb76bf9ffdddf0026a4d21e3d13a0b3721f8c0264be0504950c858074a765acb27a27a1a8d9cb88b55231032b8aa4d4655a9e84c78ce7c77beb824898fef25de99f73017cc69ab6ddeb00c86490229ab33d34394502ea9f88191a134736c8737edf1c08f3b9326cd481fb0a73f00ec45f71c8add20432fd03ebcaf327fff6561a24a301376f5018510d54a32a3d814d56a455d29eb5460dc61a3ba133e5ec403b2217ab5d4bda0fb0fa6bcddf3fca51379216cfdec4351c138357b33e1804ad699dcd1cd526f557f6c2ab6740543e8b55ad808d02804c3ed0fb4b7777d2ff96d77ce09b04293717e4146485dfdbc2fb6cbba6a029ba5cca1819dc0fa5fd64b7797f7a4263be15e9d238c66ea999a096041e1839ac22d1b862b211954148f3c8a8a24fcd6145cc69f8937ce61fa8d898ae20cd695cbe1d1a7e23dd3b7c2c5cc8ac62d1f54c76bc5c5baaab8746a70573682f9ebb8037f4ebe9f68b8367e8b84b10990684ab12b4b4e585d69ba03059c6022873956216c91de5abf79144f29afe7c129f1322394bc2ad2e2d2c42ddf19352d80aad0d106e0bde251baeaf735dc14cb639102c9be0f9a2e93913fa9b01abbc0f106d35d57d55a73df58fa8648d49cb95b12988f0ecff93c60abbfd8f1617200174b11c8bb3c8c08af5b16276698209e4196ce64ecdf952d0e6c7dbbb5c8b2cdb716443a4c18729c3e07aecdc3c8ee4a944c8262e2d115406b9375da6b68fa363570d61be6fb6164c5adf060e626d86f8185057ceee1ba17f5dd7ff4b1c0deb89caff703f164a0ed313faf74c137cef19cd006326317c10944b33f211a5ff15c7b7d97314034ad1a8880b9cec55623ac4198e895f381b90cc14c8a718ac3a5a9cab6b42b01759b17b164b4315dd0c3029ca1c6f3daf8e6016bf131bf9d700490aa766a01a00c7ae2f66b61b452beb22c5d9876397c74bf6eeed803ec20e110e80ef7e23073b6902ccfc705ab30e808ad8181426683241d79248698fa738dcbb9443833dbbedf0eb5ec922bbf3d5304bc302bc207ca414d6153e2ffee3b3b0265fb6a8123c5c84138e821aadb80b87bd3476dea01db482718591cfaab73d74110b69138c6b4a40a4abb9f74f6254202d70703c3457166688c1a3ab233499b80b07852ae0a3fdcf16fcf6d5aaeed1f38adc24df28b746fa5e6358f3c6ba37803895c9f6babfe05995fc93e12166d91f6e901a1b9788fdd583980721a54d725970530db5b15b079acdb26156019ae144ecaa6a0cb10f2a0ffd2e5125f42bae8b2d0d9326da8c581db24d522b4f78b273632b0ff3dd5c665c6259a6bd6d10b8941ab17159bf6883b14272725578f71d1eba05159a80d7bc20fee968acb0a48910a90e6d8a2aff8627fdcf338d6c1aa5a4ff5aa765cc898e8b2f088b0c00bd87280856600fcc9e788239e1b3dd935cb500665f7fd343f335ff7d4ca27cb5bf63b796cda1bca42d735bb067154a3437f0f919d224f214796ade16af67b7766579742192219cb7f82fe6f17e8316119cc6939c24647b79bead50a00dc4c2810779fecefc306883fa3e60ce4ede45c003492c298d5df014e7d134505f23e197e7f67c72c59d7bd9f73f1421de670d3007ab095198b355849f76b91a2b8a50912da8dcdeb7a9ea3bc75928d31129586217a89da4fa0df65d0bf868a20d71544ce577d83b1af47307e0a747f4ea6543a9b282f35824400ab8f774147d574b196e253167bb5560585aa8317dac0524abb28db0c93a732adcb7ca7df63eace24f77332afebfa6b1577fcd413cba95ce96513ca8a9fde1edd3a783ea6f611771f2af916db39155dd92da7f6c38cc69ccfd3fc44fee9faed1c824e67f4afe08d094f16d04bc8d5d6562bdf27a463cdfd223bb5ba5c537245e52095c0cf60c2f9e71f9d54cecf352cc86b7c632b0ef2218727a8c9f273335dae076387cbff6601e88fcfd876a279290ea6b5f3875e01a467343ec1813ecf2f1c1c2f06db7d5d5799a41c9cfb600d6c39409826e8db600f1253f731123a8f386c2a172c1a78c3c04e012a9a7d1337ef0c8b63d658e5545fea2bb1604d66845368bfc05c62ad00c0c1a812c0c034655e9f165c09241c6dead5cb45f7a1e022552216774a82eabfd3b28c76118edc6cda9f5590fd8303390d821c839b68e19cf9a9ea3e629b39651432bb709c0b36b7f4b9d3c2b452ce1d37ceaf9bcb017b8b6f06e7a96a06b2225167da1c8d4f8fcfd290cb7ab0e6d1a21863cbf9702040734c321ec3c8d994eb7ebd2e13273ae1b97341af081ee36e7bffd31deaed5a33c73360089edc5bffd91aede31de4425e4d4f27f1df9943d171baa42b0fde6913c5c94b563c62d4f2557d1ccd8cd5039b61e9fb9b9f2d75f3658eb8b27086d6bda75423d42a6e30e8b8ac3823cb961e02fe95c0abcdfe39ff65a81c4f35bd5d15e916f05b09771b5dd8927869aa192879bf5c110833b19e7f947093c122c256d9bf9bb7e90dc89ac6d413f4e8a6d2c48c5bc0f9df8b09d8b3fc5459d30600ebdd7d4c3f70151788a3db4f515073001f1a91e32a27f5b2e1e9e0b94ecee3a0d28e7ab7a0494b03fb2743cfceb102b247b7d290f4b06ac144c6056d0d90b52820f6c17d9e0c735914d09fc710d7fda95c1bac88c42ff3d79382f1d4e3d0f89ec618ff97adbaeeaf14f5e59b2acd34c5277091a06108ff6168229ca8ede9271ccd3d4c6ad17658d349235f7b09bafc5ba63ee91cf42b7de0c6a2ef77b8d187e82876e0470a915c6e8d38ec4dae55073e560be970bf9f38567c230a3fd4e1ecbd0a525fad9d243399fe9f004e38eb27ab5fd63ff7bca64e91d61d023fc7b62a2c57f8a8dc78410f0f2efbd62e15b05e1e236345f9dc500ff5a4fbd6e767eb1ab90c54c5c7ea110ca6819c744b55846d841322cd89d8a3466efddc02c67a03b1c166a46efaa3ea835760e2aaa162608fa3d438ed1acdfd526f206912199b13a8a493690cf4a76bfbedab0399b7fa83a143058dd060d32e0af65c4edd22e49472668bf814567302918e10f8972490546d04d47d0cb96b6f6e407e322cb44bc5983641b2df97870a7205148b7303830a7676ab9d0fdc354b273fa5ec3cc246032b1c9c1a8b1c3ab7f35775b121ada5cbf8c2cae2ea21f612af40dc0937c06a994362721d3e49785d7c9455563df722f2c52f1c58a1879f7cbd766b6f5aa57947ca90bf259f8a4ef90822832b9b1e0d538c2ec7b9e1a378186e8502948a8fe1853634dbcab869ce06be40dd5ca80e0b328238bc0be98573b81045a5e744909a8b41ca9afc39bde4e11a62cbd56f7b2f251cd93a26008003d69c22d6f5523e638523e57d93d3a403dac5ed36f57d060142e56d31ee2a06d43374d3a1a858f38a01848d2182da0fd1e846939a389d2f73589492801cdb3e7d68b57378f0b2e6f273f43f924f35ad03b6736a68c202fa664e78e0ed1343d347f2ccb7cc19f880943833976d6d1baee9a9a53c1045b34d9a44ad883849a24f4c2e8f87d96686047d9e6abfdbc97a97dce5c2c435c2a5628d9f5f6ad204bd9f5278bfe4b6f2fe2be04a0f936c69c272fef750079acaea645f75a371cfa94194b5cbd9cfc472a353ef953cb5a5a700eb34d486fcbdefe238e4e8c48c3fc53a7709065c3b63e89b7ceff7ef8c8b1bb987aaa7510ee5a6357c7cc137a1a1d9f4f6633372f180ce1536325a5174d1e30279c112e5ca1ead2368eec1a34649c28daff413d069e90cdce4f11bfbf1c1f6b51517e0d9f66f15f3ae78f88597b0ee0cb2b21757436f9dfe18332419fb37ef177f2901bf1655229114468217c9777f6902aa562693d47bdb9d0d0ef30b4af908ea3f43df77bb66d0f204357c38243dceeedcf49f028aed6798e10daa38804c9f1552debc9f80708b1659eba23e3de883e5074a2640f66277f02826d5a01cb29b45aac47ed3702af6813556c0bb317c46f8be2537f5f3d78c31688b923f8b5ac67c4ba9234f80e520491fe85706978fc9f7fee4146305f5af4cd2284b37a97e0fb3d5859bb291a1dfbe6fb5270ce52ca35804681dbc7e3f4bafc44651f6c6416443ef6c55f51d1bec228abe89192db2877a912f98e85fa83c05ed25f57f10012c5bb6b354aec5911ae8177454b8fdaa7c29cd28267fdeb4a68d3ab9c31f94eaacf193cd7a2318de182e3e4ffd5421376f1a55c523960ba860f5996a68945d4b246ddd6f435c885182dde0f37b24f97400dc1eb3178120135a5bf388c29ebbff4d9fd723873a3a281ddaf0769f2b555c8b1d7e0852359032567e894e2a358e7395869c7bb58f02f95ddd3fa006c2b45f86e337767c4aec68aa8aba68ee2d284c2a2fa16361473aa72426761513ca882ea912aadb30fcb506ea9de889a832d01226a5dcc0a84a26ab573cec31921d3b671e612b956a51a490cdc0087e489375a89fa24f546fb88669a4ab2567b721a008d51a0ec93b1a68c06edcb7c7742ec02d9ebc4f182c55d841e121eeb2b134444b79356213eeb896610e09df0600dfd4b63227d01f370c261330234f715a64f989e0102406befaf12d154b8990c3ce3724b1302d3b9042442f104fb63db0b157eafa1981add92c68653673f9dce53c1baf8918bcf8aa869713c2d2537920738cc8b1ffb72e66f6d7384150fe0a72d61b6cdbb41e3d1ea85722479d00a017a1b4f7763fdcc30f890ade976bec32ab50bcbc4ac52617ee37b1bd5bafbf37a1136bf63b07234165ec35a13f0533214d94172744fcf0677ab06d401c44898ac7e61a54f82ef002009eac9e9c7f62c1d2afd0d7acc826aa69da7b9a120217c8397a0fbba15ec7874a638f139b0c36b7a6437b668421c43218bc00880a8dc40ece0cbd8a259ca0637c324b878eb34939ea5bb354ff4fbafdc57f59761f7dbe0713e60c770e368feedbb64b71c3f469a16821a65dccd07d79fbdc15de50a00a12a9f181be9f4360c523efea8134fe74abbcc1b28346b1ccd55c9fbe824d4de84d94e2e798d95640e377883b3da1fc8b1698b55d39b945cd31517fd5f0677fa0fc5e940e8a86317a42d42950b817e107683474ecd96553ae201f98db8cbb775e6857a5c4bc9868793d980e4a0b184f3882d55d12b895132aab7ca015527c307cd34ca3f0a344c204429c0be3c4bfa692b3bf5659afdb94a9a69103980a7bdb206983860f57bbe43fa2f456432625cc6b05f662c73aea43c229ce840ab33a112149822f7125782ffcf42ecec2eb26f2166d419e1ee42f015c48ada2dda2c47ae5dc5726c3d1b52be5244f6a10263627fc079a888eac195e8affa6621ff01ce85b21c208297b78db9ab894649d83ba07677e40691e207bee5c8c1afc31cca222b126e0010c2cb8a8c4bb8df301cc8c2d53e92d68991abfaa7678ef9e9c6b60f16ee67b913e3e49dd4b8c2b43adeb3cf01064ca96b8bfbbb36c0a8418596107cd1eb8198c5fe7f2e601884d88fd1100b45343a572554ed5556123c42f220ddd6bc858f66125c3b84d4290a153d956a37b3beeaa680fcc58630023eaf42d2b62bf47aa55744dcfeeb857b82f9ce12f75680eccb940425a1de2fb2dd9a5139fd5e4030d18615802410e84281603264ab96e336fdd9a56b521699677a59c0fdf2faf7dde535bf3161220045de75a407922273cb78c27fe7099dcd54effca0522294ef03681aa43300ae1e5d4623676bbfc53a002653d6eae9d3c0db37594eda7117f16358afef343bc1b51d8bf6683bf7fec5c9c8193550c7c72a6893be769204a4b3466cf3adfa8504f98522e3b0f5f5fca92d60821ef0a0fc65747684021fd8b4602b9554c5457031c7990fa6f998e607c78db79cc0fa598bfbc5e280b0a4b5ee802e7258c0a2ea41638d9acff6dc40a6982610d539bde09857e940f774440d644779982b8f296fdd2a6d44c3bad450c6a277b1f414db3239dd877510a289da6d3d065727efcdac3961f943c24b02bee0e67d86a2b19ee166bb901c82c56a37b36428012ce3d9b7726ab33828960ce85c2633c34ac0bceabbcc695617f64bc554390bf3d9c7fb954d97fcaa442f02aee9554e69948e42e73cd0bb4596ceab1cd1e9d2231d663e6de9a303b813780139a28ec57d4a9e223451964ff7a9c09483a65c9b3c245640b376197f5f44b0ea0484752cfef5ee6f906db4e3fb54d2b2c47bbec54de329d67e5a97febab05c4dc05f2c54323746cd0465fa9938c2b3c3cb111a259dc86f9c74d5d7a4a5129d79779b2d1304fbfa6cad81b8e2777486bceb5784ffdf34c91e4bb5411a9d7bc628030e7a842303b78ae496add2beda69db5132b2241087e29409a242625ff4f1c2952f91675d7c7ccd23024bae4c45f328e96b7665d3a90efd13b59fb5b55a183f91eb624ece8229a95ff78499628b0b4c28dcc6db8b1827cfa860375f63143aed924630f4a007ff69c9b5006596fb7e1c60ff2a26c47f14b253df8f522b780b7a320008d7bbd888c84507511d6d89116afc3170740b3c8bff54449774c5abb162b6f761c56dbc0b5fee80daf96bff96d37ee387dd379328ef1dbecb0b0752b092780e7bd51924de13aa4f25df48098acd55b1b28504117b829eb983768fa10ebbb290dad24ec3292753af4e7b532ba4922e2ae19a16a2f67f719716dbc6387a7cb98474e581ee256a1ab139c79eaf9baeec733a0fd8f84937bcac2fad79b8634fd318c079b0e1723c2ff56834e310a9b7a1154e13c02e2f671e868fd67e431233cf7181874b1d56ef857baed0bd399e1593d9550a7a4dbb89867a64c96d2d5f6c12cb5488cf9ff369f985f7ac6015ae055adf5c881c8fc5aba32bbe4437e20e3d0d477cb0d9861e06290f7f9bd4e0d2332d96280a049fa2404abfba8945f385f9c7226543bedbe966bb20bdfd8ccbe786b6f003659f25a7a0ad767d754d9b0245bcc421e171c5e6101bee7a0091d60ddd6451d0aef28f533bfd4d42edf2c00ac47fe4873fdf9243afd435098b20403592521f2c07069503ecad6d1e9db00405b9269357e08ff51296dd268b1220a8eb3ef86859c2d8abb4a3c4b2afe477faed5bfe08c76c371fc55d9db73568703d7c3e50fd4e5e42107de711f7aa1d47708a1142ce38530fba9adcf8c769074af4fffd8b447160bc043ba2a4d6864c5c8351a1241e6d780e21c89020244d1393c6f8b09ec4ff7500a233fd0c4be8479151d83334fc46ba04995cf8adeed9fa9a2b0ae7a873bd4059d87321cbb8c524e5ed10741e9fe4e68c2e490237cf492d14513fbed68dfde05be69b91d6e2701101b7b989dce7e4a36d9e9f6155adec0470cba77334e6faf660868839ef9b309588ad403fdd6d398c777b47a8434e6ab077043b06f5e058826c5b9197f47ba9cf26e1a2fc89c3d489c311f4f26d78568a9d56e784acae708f83b8d43045a8218264e13b633d744d62f7a6bf6ee2fa81f7fe02c8430db09dcb7da2925407112dc5098ee93ecf3bdf8d116b47c19650730d38ec12a84c34684ef6063a1c741f932f3fb571a9820039f34ee17e4653de9e24ebf8223e245e1e36605769854c5fd1c6dc0716dbd95f4ea05672ee53f27470cb584b097958730016d824006b7f3dc5484dac5eda6939fb086db0c7f89d6a99825e7402b45d73aa5f3437a7df8cac98b65a73bd428a3b16bd805f409517ce8ee036bfcd046929700133334a329d03f213e67ef8b4caa197c48c7e9ca1495f2715866ad07dd605673e2c29cb8257fdd7b0a3fcfdf2396b34175e55c24cb8a269368b1e6869ec9d2973bf6ab29268dafda4159f9ca448de9fe25569c8f01ecfb8c36872be9fb51e133ff24ae2bcac35e874b808c7382794e07d6db152769910ac5e054f114b4dfb32d6222557f53ea4fe23013ea5394b9414e844189d1732ff21c3d82af46a11dbc302aef39532f903c3162fd9442046fbca555625a4f73c81c851f4483567c917ad80c0c46a005bac81b84be25c5c4780d61fd172f0f932d845004d4da9ea1eda9ab71c99536ccf23b6e605b02536c2cafbb8810cd7c7f3d9b02c8d43245c1779a0176fb45c5ce0f01620420ee2f1f0afd3749a802bf811670e8c4ef166912887f1f1acffa0685a1e840d0296eeff1dcafbf36c752bf351a12aec01e3bbd480374b8ffdf9e7992f38b37afe34983541d13097124edc084054ef6e6fcd12c18b43d50078dda3b88b5f554160b8b29c0cfeaa9abb39f325fb16e65f78f31fcd1880174cc8ff5946e242efc33fb83bab1f228505e81717b56d853f8b89e8b341d7bc23a8a11848e2bf648196a5038e31ee6f4ebaa96e62882d8b0bb118e82c51d0e4c73807f889bc186a46d1d0ed770493a894cefc18960060cea9caa45e9aa890afdfcc260b8f6508d60784c5bef72bea58ddd9a89adfb74b6d5892ee37fe4994e0f15c0fea821417d5909c33942efdab662a069a5e184ec151cb7e6b5b883b7500b6bb989afb9b25e6bf5c389dcbdfdb23905fa264e84dd2e390e281055b4c62b82a202b1444a89fea67755fcf36360fa6f4cbef4e8f0f67be28ea2acb49016eb1d273ca5c71691c4268d5ed5871dd732318518f057efd17b264ebac412688a1743cc6b476cc4b23c2c79a4c76f549284c9775a29b3c11e94b797ad19812183848963470aab980905b39452b168d0c10779e79026a0867a27837ea0963a3334ff1af31058c1b0ece060fc3c9e01053e6b15224f95a6f12dcb4b85c10e238c4ffd67eb6e4440dc4a55ef1bb094987e63cb59813d4b312c2643a99dfafca290907bd5b8cdd3dcdd8cb0e73787c226835455f365781b4e1ce95d02794d4790be80558e6eacb045e63fb531a0760c7b7cfcc4b10983e99942e737ae6fc99d287eaba65eaace905d1b77189d9a692b64c2e075e60ab2cf2dc48725016e4c8741b4dbfbfce54803bab6fff7dee6af90dcd39a142367cf3f64492d02acea7c753f9aa656514b5412f6dd90b9bbf77728b3044539d67994bd07a1dfc4ebed97e085b757073dc956f9a246b5aacb677bf79dd63e978dfa8834cb2f9d58fc999123de8185fe5780756b62293b707b9a892bc0fb031fa8c6a7af8a21625a45578b6d9bd38d40e0e2b1452a14165bc87f8044c9d47e774ec66de0bf97b59e4da7ba3cc9b6f92605e393c1da5c226e5c13ee32dfc0778567804eb3fc5fb63c6cf9c509884492a0c973e401b710a38eca1f8725b7daf90aa17e2f36104cf22952dce65fb70487f9c173693be0eacf47affbcbb810e6233884f8337c8bd1d24ca1cb7ee810fd10f08ba7095bf16f41e02ec4a78e771c6b3d9b658b2988a6cc1cafc59c67149324a67fdcf17ff917a798f7707459323c4cdf5b4c72a397d40bcac7e408cddd7a2fc7dbd82ad80791a0853c40e98a44e6b2c654fcbd3fe999c297396d132f87b3c25bbeca9f4f4b5cf3c4e55a6f1841b5b3b6836f71cc5a33a462be355e9c944a1246eb140d13743c5d8ed4ea1ffac12e5856b73b0b650649a9cdf2769802654c5808db95d01879c99c6832a059230c8abe730d960a33485484a6ecfca9286614c0917878d91064e8401638a898c60ec7afa7c218098bf3e4dcee138c2eabb106d860f50fc270135ba1e14502717edd1acfe17affbf9a67062d79e4a9f76d49a162f9f052cc10591881b983288ea56c6452045504c25878dbcd435a7c0b384df871f9ac4816d00fc75cfebd25d217e41058d5af03c68bc1e04e5608c00e9cd7dde2ab8a2adccfbf0eeca965310f6c8fbdef16d28ea8589c8eb7a1f389c82b3f1fe1aeac9cff77f5e990a17ee9feef0322c7e5c38e0a0499785fa0af62cfaeb3e80c0502d78268a9ebed605a365e12a0d983e8bf80d115b55301497b6bcaa5b2193596200e34adabbbf475346d6d35d9a3e4e60363ca9b4817219902c3c437a4918815f482016c5d83c5ff4076276924693369571f276431c643866ec415339a9c079089735d349f093fa46d94d0f77f307e262763f08207c9f9ef89ff3e3a35d740d4c50dc199f78a74898cd2dbd72ec026c97a3f06c8701054eeb3493216e9fe041b7839057a681b699862e1a1c21246021278dc7f271d02f1afdba385891b6c091949193ea6759127fe51d3791e83fb1567a3bea668a1915a8d74e4192069a0ad7bbddbea9ac8dd6fe6669b183f47aa5d7d1337c5871ec2053f661a50128327c847c2b40d031b4011561124bc01eb00c76851747a1a3cb5b6b44462033b8cd0a15fc1e958d9a755d93e8965f60f8b64e08992dd4d1d466e532de3489df5e99cffa3b1a3b215f83cdb07f371dc05ed58480c85654f5ca001e683359f13bcb436af1f7d65339ca08f5517708dbfd761f2f2bfcb95d9647d49d7321b06973543d83959bcf87b694ca4312c90e2234bc5f34a4e6acf4109ee7b30618636fb41ebef519e41534f6ab1b0268d964b1040dd99a6c63481c4f85e440a7d24908c53c9eaa7f8223a4c9283bee436b14d2263a4eb4d841809b3a6ada30a0ca74941c2c0e5f406b970cf0080234bdeb603898684bca4027f803363769620c96271d36637b8a409c52a08d54f7bc1c26438313522dbfd784a8840cfe36a9719171fc193deceab52922d443a28285e1ce654ce93f87ce673ee6a42f5685ff7cdc75290352e6d128c2591554306d70fd117e137a018b182c331bba74c8e57dc8b6ac21f90edf95d4ae408cef9488d6240b993b1b496371f6e9f4f7be9f0a2d8d0833b3372f1978812cd0042842071be0ca0883c70d928bf3cbc8694c4816d3d34f05419c8dd4e093fd16c3c9e8db47b71d8aea020ab1e58a8be69b78031f4369451ac7eaadce5292f3a92b564029ee97811f5870c844711cf5b12bd535b7cae6d36f087583ae4bf1392d9a2ab30222d97df83206f82e6af6f45bf393f10d511fe27e819738489d81c3c85fa9c7edf2e83ab0434e6ad3acb1ce6445125d8402a9c66eac24da22cf54791892fb5600b68e9ed903e448ef4354e103896e5cb83b6d30100743833a6f7a34fd8040ad2d7455d68df92d8e08bea26c4eb1974050c1775eb68f4bbc8e0f945783fbec38d9faeedb026c40b90b561aebf5f220baefe42a6a2bdcf3d843797e058f828223fc9e06136794abfd7d1201af01a1d89f3739fa2543d7e260dd9cb70e06f9b8c005d7530a5cd590720255a8fa520c8dda07437b010ec6a55565a3ed60ef206580f860ca7221183e09ccfa4f5c413f633aed9d1047ea92acbe4bda0cdc7d77c09f88da93e4f593b4d4b85332ae2d3e391276184b3cedac50b5ed485f1c2942aeaf03662a7493829f70c2a4f0c9e017e59e1895d53133858fdd05432ed5733d7d4e4bc77dce9884d6638f0b00d50452fdc596b170f322e53fe2a83fbeebfe039160816626dd68b86f9f5d8a87723833c7aa0f3a1a8cf3c45ca918495b051ccc168f0c7ce7cae1d9d1796c55943cdb80ea22d24b9c60d71b9a3d93b08f4dc04994b340d1b28fb7151c8ba6baa854b9aed90823697a8b4c6af792ce95e46ab465d24610244b6838cde96d7909cfd2b87bb29e4dde8dff3c55d47017d703e98731a106a02b4f144c1a0008c76c9dd2589dcf6fbe85790e35583747724e272f5079816a46de5718dbb1a04f3a3fa5c535b9bfe7735c19a926921189b55c404971f727045a3d25c626efb702ab77d435b7a155bdf26cbb453c8e206dd365a8a9f546680f8cb016f489b44dc45e1248d00158732519229adcc71e0874af80342e7f3f160fe8602f693539ed5e4daf340aef81f49eb19158a56f0fe0b82cdf5e5fc1e1fba5acf764dac0322f2045ca07cf5a3f299a81b643566706b3f438b0deacdfd6e6fae950da7564bb648980e8a192c72e964ceeae11c2870aa856eb10ef95e50a4c068c794ff87469f8f0517102232c4bb63307978301e7847a677d0d5143cea4b48c992cb9805b8d0edfd632c2f9dba7ec90fada957af13ff2537245721d54eac1bc0db4a8d0a2e145a46983fd38c13918b8a440f39ae0ce127ddbe14dacbeee89c5bec666767ec70423ef6e569255ffd12e47d53e349ccc351ca698d8b3661d325e2ebceedc5d7a87fd6822c1f9e95871459c9d080187366299ae5afeb647c1e7fc0fbd1790708be2c0d7d23e616cb8518c2823ad0d1585ffdaa69ccb6d5d8e20f804ec15ec27fe80b36d2da93e67a770143b8228a850401f3473649f8afcc77d6561ff84ebdb3d6a32ff4995d30fdd9c7dbc5a540d5a949e1cc93fd49f96589f27b3058b8a7ae6a9f5d1728327d9acb45b30a6f633ccd1030149bc861eff32cac2afff5264ebc8fde6cd114a2cc4b8d786c8258d80abf5ba929055709333706b2d62ad5a5c900dbb991e2aaa2bcc3df2e525784fe54b9a74144a4deeb1aea37f38ecffa92c68da3b8b779bc40628718cc7944cc5a2cc53471bfae347ddd3f706715996f97a4eacd50c79346b3141257ce0d397bb142494c20a3b9f4222736ac2c813f3a5d3c32775acd95420247007a96b4819563e228215a81d182ba05883bcabb95df9c3fccc88ab427ad2730ea34c1364b021526a486c541905c79e74cfa70cc45276b25cae146d56bc34a0d36ffc9697fcdc4bf9e3b219c32378150215dd84dddbc3994747f2dbbbfd4ab4118af750c91bbaea8a6b9ec6c52fc25519c5525142a571c675ec0148cb517bd04e28dd5c78f345c97b9fcd26a79bce1a03abb3b0e7a29af23c008f4b8b31e847b1d9cd49db847fd1573854a6ba0dc09f2618348f5e6560b44f349ac5855c711b0d64e676c06ff190a0e331a898c8df82badcfe15f44ddd112fcb232d4ecded2385b087f14bff11faba40f05751eb51c02c02d18aa57c785df57a392b8e38c8135b9c237709079e96a1d5a5518e16f0ef12f9cd6831be8fd50536a5f50673ba719039b1f480f782869031e93f342b3e389030f16ad0438c8eccf235c476eb0fb0f6f6154399cc63fdf8bf37b2c845728c72cb6bfc53af9d4cd7eca489fbf194e4cd53a205b88ae8e91f3712a968875a98424282fc3cdef7d2e91b1f0bf47e6e39fc99e99de37b4dd216951084ad6adc6897cb9e3f5bfddf10f6d5d2bc703d6ecde79019601b3bbff596ca1d487b5fd18ea05101705f571efac7f12e36193d359a4bda63752654993d954235e4720b6b704dd827967622c4ed59aeca0eb9d2f5a44b8263c63b81de7916ea6dc372cf512093e0edfaaea64ba20865da0e81fc171e0e1ef7f6f2e551b3f8698e83797cea76c6dad50066a233f760dd612ced521d29509fb161a4f7515c284c52a0d85e418e78a6ab1b8b8a61d123654e6273af6c7f6e1d21d5029b67b1138efc7163c90d831bb9be29374fa027257e5c1116f879e2842c26b415a9edcfdeed84c1a21791ed688a0f6b53a24ee5b5a7d265144afa694b9e55f7bc6e21622b456f2801cc0ce3099396ade05a3d9a802b027740e21bbfd89462263c2849d8f4b8ffa5efe85270d3c524f74bdec4f73d9995d945b613e30997a1ca9c1a41995666c7f355eb924f6f9e3ba61aa82b1f19968b0135fdebb9992b249089bbec408d16c5619a77fcf9500f434b78d6840a799625e9056b0712fa613ac98f2e87a2ea5d1c841c428b3d26329e566c63a990e8933f13dfea87e7dbad5195606842e4daa275f9e5ccd4d8065ea5b5bf721871274b69a17ec571c74ef097f70a9d751c1223cc905dc57f88824f97c7417ae95d3b5cba8aba3bdc591f4f30b730c5d641fccacfea3807d78cdc51846862957ef30684d28b355c9932172a7e9052e638df279ee7169052739a9a4d09263b38ecfe645119e603117cf3d91ee7207a44582659b7edcabcb36e8e7b4480b5d5c97511b5a932eb9774cd2fc485cadd7224c7e42e50330e50905e66259c93eea983ed2ab46562bc61c4158ee9493c1f21688a31a43a2b387c12668385275a809e58cce3266fd345af0945d499696f5e7728cc1ad496eea148d6e9a773fbe19a109e195f94089325c141ecc71799b7c4baf5913ee32e77b11f4b5ad5bff333c7b835459c8394b13fdceb71205a6a14e1378dfb2f5b851eec60dfe615a83cfb46ad464f7d81fc324e9c64e37da77a468aaca33ee1c6b9e023f794a29333e44f976974bd471f6de7bd3c4531281c9db3295fb3f1973f5935bae976eb01d8c2460a1ac4b76c3466015ab60cc1e1a7cc120bb192fa007d60d28daf109488bd97481e601a7b7da4b5d8f4b326a5f2aaa1f8966fc399540f4a6ae503296235a9c3e12e8fc11a7d9c00c557495af999f48b84404cdaf60870139d74787ea72f227ff71c695f030a6ca6a16c1a87d23f17f74d86a8e821c19c1605c33df17a29a9ce60bb3d4c1009b47a7024676cc9f33f15c67da462376fb66c0be90153814c65434fc27cd614aad56e3fbdaefb04e3f0e493bd73a475d2b359065bb7c9e4c12fada58db7bb9864c5817e145767e2e076e2f67a6524e929da9e804e8117a219b045d0a2ee4644177505ddb00e8f8c7e308589afffac5997f99567dd7a111d3786c24362ab682518e2a8fab4705b4e2a0260c940a79fe0d98001065f20359554213f836386aaf0256d27eb8cb98b79b3c7ee4e88d4465c684864a0010c9aa372442f0a5b3beeb69fd8d1d59031ac5b896028643404c890321c731765a9cce593d6fdb1cf8929c95a6999f99095e562703e09a06160c1855cc25a716e1f89064d8398bd23502df9e77adf019d480b214eaf749be2eff5303e69e788c0c4b5c2ff9fd2f46ff1818cebc529187dbd26e26a959152613af717b8e4f0a6abc0057e9a0b4b65321640879c32969ea554fdae8e3a9f0c2ca683d66d0ba422c6eb410f56ec587d17087e748d326dc451806deeb9a3680a8ba87f852735fcb6ed0b69553c71744d41e54548dd2caac534c8fb3177919ba38ae0969780adf1855b846670f656fdb76696f71d62d5c24f92c403a33cde67ba3006b59cc6ef4d5be3215c2ead981775b7fd919d7bd63011ec564dc2c01007586a0f2d85f5e91e9cbf172cae245ba6327ef8cc24d4a81ddddd627bae9d5ff9097362833a46bb3c17a8b12a7e20178628107bdc4f2a129b4f3484c57bb0ff7c3f1ce6e971f921d5b404c6ba40cb1280932ba3fa72cc4f2f4ec22bbe5fc77b1423413af799fcff52ad90ec545604ea8cbdcbc03e01746f866cb133a244968158d21e1a381213b24869cc96df17484c9b4a3978c69d8ae77bd88a23b5344e7ca2d611793fde3af93e56d5b511ba43fce33a8751bd2a6a9575aa65e8005d56211521c0e65b180c3622f68cfeadbc612547295b36890b6d021c15ecc37746f7d95d681c9b8010e8015600d0ba661d6372af0aa8864add01ccbd0d6a72adda5f2321c77564472997013e1d9bfd73754982536a03d23446689ee3c31d1a5546a09524f6da1ee9a5a4d5ae7cfe02f7dfcfcce35c902e52b8976ea6c8c1242ade460e660f0c56d844979eb2ac5bdf3847cfdff9c77b0bad795adaf775f5a12233a0e376c4a7e4342c8f4f5694f89f115236b53cd3ac6b0451f386f8f333864ed4941e8aee2e9d459ac3cee0e48c3a49efc83f4e8c223c142f8ce2b3d5a1d7c81dc6bce88e2a3ea9050772604c9d3ff6a4d4117102c792f61ba35411ac040c978c4fd55f54657e79760f5b3c117a6b669a68a1864738016df75aa2c4d85b8a9d2be6f02163dfef1ce6171124e2f12dd2ce23504674609b001d4355d5b7914ea92fc0cb8d3aa3280b7212fe83aa08c3c7ea5bd37063acbaad245631d672d6873efb16e525de5aaa69c4e46a244f47738b5bad9e5c9b9dd12c4c7b6715414101b634be3787135345bb2997d4ca99ea1d42c8765d841dfc9df4442ac7b09ef29991f857c73853d6a88193627977b69d125f569f5725f5cd740918c4ad2d33f7643daeb22fcea0363fa54b0d3f9ea1a45e046eec1a36ab69fadc7fad6f1e257941b5faef346e6b730bbe1d415296c8ac5c1883305750042214b1754426c132785b9fbe2fe834b24dcf3cf31b0601a2886852ac66dc932b14a38fede595c7fd551caffd2bc1739461701381a9930c917f3aa1e568823a6adc968c97dd92e9bf06a662114ad62657ed90794b0681bcab6ca2f8ed2cb406048c5042661788a8e99209212e0b60f5314a07d2b95a893853717443a0106e0e8114d3a5d6c6f0700102beca83250af679272de2045dd177f5fbb72f19b76d323f99ae22cce644d2250c87f7a1fb9824f97243c78b5558d55c9c661edb8abb213c361aeefa22463c84c0f268ffebb45df004a719bdee731a1b36ff440d7b957c5ede98e83cb9b4085fd5cf3c5a7d422932f2424f640e500b79f4a18975dad90be967108518e848d89c69ce9fb976a71c07f8664130b4aacbb9c189adc6735ccbe12d4211208a13f93538d73ce6baf1bab1b86a3e53bcc68a44279f0c782c6a4d95d0759fa0645d78ae69375868a2410054a9859b841a3ddf86ff0d5b3632bbe8fdfae3bc1caf183dc0a8043f48c28c187b8305c651c1439a1354f8a389cf81b83d42b7ff2d5c2f6193de0ea02a9031c1de6021c9cce7fbd3712ed58cfdd36b7f6704373b356a2389093494d6ffe53497e557a52035cb79feeae8c46243756bfbc1b42f682dcd3bdbabd3db5135c0a0998bd69fdfc354568584085c4e169e484ffbd120f3952503b45b2ced23f244f2b8dfa489b27011744de27d2897a2b8015015d0f6967a3bbeff0e1396a9d14d033ce281e8b3e7926fff65aec9153f109c9cd97c017f15ddd1deb32e0f385fe6420d0220c28d2e6028b5ad933d4628f0e19d24bc94d9dbb2dafbf385dd99ebbc9ac5c0a19e82e1030b26250a71ba88bff25532795afaefbadb6057d28ecb7b1e777e26bd27e6c712a0cac628faa0961555a72d1f02e3bbe78930ff3ff4f5cf4b332619bd6639a8c058c0d0ce8ff418accaacae74fcc9975fd1aaea2780f6c7c409b36cf77d7241c716def5bc3d81f3a3eb4924359a0b37be645380e419f27da47aad45c986d8c2b6f58f4d20277b7193cf31ae5f8c7696c3d4578842d2df631194b17719b3354166acf9b0024bf6db5f7722428dc746a8c4f3994a7a64ca834add0ad259a871ebd3010b8b742262348c6e3f62fd70d2e62ddee4c05817c900f37e9c917095bf6d88f7fd05b2621ca3f56290dbab090f36d268789b6ccf97c36b1a249f66fc08d83bce54f0a51f5364c4b8842ce136b76b39db979fe3aa3b312fdc0a4d98ba8bbf8a768531e170454ed7ea689b78de5860eb1bd5f39d55e15b97d0076f975d56a07261dd689e3c7d222998d9068f4d069e0649072a0816e89669bd2f46340070d3d53f5899f772b73983ad07be40b39a2159f4d786f9eb76547fcc66cc2a0bfbdc8b5877b8798793b1ff6ca7effdc8b434e218996d5bd0421bb365ada1d019496e92a755766dcfc0b2ce80fbb5be54f89f74ffb62e54e93bec1fe75c89f7adfd0222b3de821eeca84fff369ebef1c1d63f17aebcef66d55832e525ea1602cd34373ca352fd1ca62e5749436a6dc2642ae4714d5329f2d65451a6ae3245656d7910bb205af5b3f4724fc4cb300585fd7634972acc68875ee09067f1ab1615951e49db3941465908d95bddcca5865f17c069915929a33119d03b80e4ec896e05fcb889a0b96930e37ed24d24f4c4046129198b7e655346281829ccff597aa5023e09a92c6e01abc29fa898beef98a13ee02bbf45873b28b2fdd5a0f1c3b4d6377abcc224caf0719a819bba26e975df1db7d365cc47a7bd7f56eee5257655562761848da2e957ed4fe8fee65004129ea9b0a9304d917d07649784cc81edf3333096cfb653e5625be6dcefc7590b921402d5bb768634c29c015a5cca9c8c5845da848d34a6ebdd06d246ebf216c449a28964081b843ba5dffc093fec0aba7420f7b581816b0d5565f9b1b3d8c8f0b01cbc064e14447ad56a8e87bd1ccf9d99ae07e9494592a6308af9837d0ea7649886f87b3c28cff9a95e1219ccca6a6e261c0e8559519e6edc155dbdc59e21b097826d4cdf21023c2638c8a6e9fc61c46bb00d4954e7d06f1a62999cdce2411c4ab15c7d67e530bc51abd6f3cf74930c88433cee7a92347768ab7e01c5b0199d4c832e9855d8a828585662e6196bc19680d335be3a453324e5e42a918087ce2c05a25cc567cd84dcf17ed5d642ac05a648230f8d85d898e788efbe9e2b31c4303ea6dd51f0c48ddadf5dd23b5cac3e2525ae1fdf6103ee3ebe5a3fc359b9728c7a20fa0f76a5ce1437ad58edfa51afb8a452ebe806af610aa97590aed7c0e7b068d929873a813799524ea1d5d19b2542e86e19be2901f2c689b202ce76f3ab7e9f5b744700e7f2820d05e32c6892f8cd7765cb2fb7ef7bbd064f7c69630024d8209a36f2f696a4b851b279af6473d06725f50b7df7ff7bf7e02abb086bb53c774a592641d07fa438e669533a04de8d5721dfcfa648913677055a8522c19c1a195ba013968fd3bbe7b8828bb982aaac92fb528fe721f69211594bd545334e60859ae1fc4f49a8ba967b0dfc445e7fe148c117e0666e843b9678b40e7e6f019bae4777132b3ccb5fc4004bdd844f2d05791666219a14158f8e5c69ef6de58395b3f43365f3452d5b95ec3da11ea87f3fc7d2a1827e8d199f2601879657c45a55b2574e0385284440de020e0d256b59bedaf3996fe93d8e66a9f5392b91ad2aa6c766eb33c524af46b5529b1c6f89137003c469e0018ba7d3df98ef5ccf1e8f67326ff0d9c34b4c2b219cf248ac556dcaa909185fc87461a40a2e5b742d782d649083d1fb59923c7a41526ea268253b52c61552427f877325e4c3dffcd048bc4325de1a5b0bcf188adfc5176441fd3bfa40256a257cf81e3297fd06405157b46b3425589f5f082432b84a21e2cf31a502cc35a82b51272a17c4f9149ac936af8c2bfa2d85485baf308d425fa7dde3020e13f174558dbd7142c87f7e5da34458ba420c450e8762bc4dd7e4bf5008c9a71a168729f1a0387852318a06cf31a666ab357a3f76ea4c11e68094d76dd8f3da00ade556cb996db12bc9cdc09c38572f99fd71d0fb60adcb594607c774784ddb4fdc7586caa4d912ddf51f825e6628fbaffa24be7956a749cc0b8ce1dd4710ce481b955bd8d062ac46c4972da1107d3d2e237222af8a59bc0af648c02145b8ad705cfe9d80245b8502f403653d296bd0b9e2218999435789f532faa70c55733179ba9ba94a12fb4ac5911f3180d75212141ada6c6d2c139cc6945a76a5a4c5282b812930d6875e842c12e2f53a5e747e1c5d256bfa0bd0db52fe3e5c4eafa7b406be0bb9d3dde9821635e7c782796a0d1b69b4051ae5617958fb5b0b27d04de0fba5949c3c208e04cd9713b9f493472a2cb50873794b58f30ecd4f765b2da187bf7c4d5aa5e56e77b86f34a355dcda8f785814f8820854cd852c15ab44db555ca8b063a36b0f862d59a5bfe7355a0be38f441fdb7a0fc224b8ba32c0a106e558c382abb73d0660467fcd93133991a176809f59a8e10124b38a58c294531c7a2c1811cce21bed18b056003f6461ce706f74e7483252b4d3923a559f1fd4c64cebd47e5c119b14eb2b599e2247762ad4da73e9bb656c855f166c529367ede6351cbb1d332a34d19db7a6f4efde942dd239b8af53248a68c3c8c58e81856d5f99c74421af67eb817f06c016de2b2c875beae9e4d856c5a2e66451eb5d4c197fa5544d40d3e97202f3941156019b5c7f94b925110e33fb4454b0bd17c90679363849f6626d33d4a06560b807d1ea4f81dd3da3a999d2a2f184aef50abeec7138dee8a369dc7a864f79979604aa634e99340faeb4f5622addcbc4053e550ff00f01160a066e118bb278246632c0f1f2477d808e4db22291891856c704a4f0ec3d7ba22465f625324ec2407d48196edcba4c141999f2b842c9b861f66dd7a3ecafa9b03bea6e02d72bd7b19749e7fd85fdc1ece6093cc568426ea736d67fff9e96e91cf609459445df3195db038044885b2353302d4fd2b49e9da8adffb511145ccb4296a73ce358d5fdc6ccd8f3bebec92043b965bb48ab330b7449babdda709fc8d595758e2269b0edbc05711cee236b81c97f17bd310585afca387bcca73021a7b03a5e41d4cb49c870c3900cf364fda444a71bde673fa58bc86ee6542089e745d3fbbf536db08c739ae4dcd24155eb35fa52576ee75ff7b8d292e10fd2439c8a2fb543513192a8e2996b28e859a337393ddb0289e75cd4a586e1b5b91c2f93df2d0cdba868080ff0d0b5fba7facdc6cce40a396e782d870c477c92e36e4a2216f4c47d3d6dc7c8e70217a6550d0de89328f44bc5e802a950907bca1a98f47b46956f81b069cbd888ee74c9e9b991401d69bc4fb226956a82bbeeada7e350f2873b750d0f5bbfcd4ef3a8ed6426ef84bc3039ded99fa82c68282c5be8c874fbb504c20587566d966e55026c0223f5557a3cbf50eaeab7c8c75a1ea8d90ad458784cd6a241f212a34d56bf284a50c5026b605f9d72cc4d8f129dff55257a52feb4e8764673b9e8bebc4bdf4d0180b7d5c22fb8d4062900a6f0d5763228fbb10b3f734b2640e0fa538bda28947c6c51e845af30b3774c75e7599fa1243f618fdb812f9048466e97c2356d8ec39ff89e0cc182c696ae4b598caef5eb74d829239cbf604dd6a3f4b7a72e925c270631f77e31c5b9c9ef584b939cfc307cb6450c0f0e9d3f625d419a8acdc6d33ccc0ce0720bd4d321a451e2e43f4fe319bad5e70cf231cfa274e47557bb0003f81c749dad0690d567c55215683f4551709140d68944e81aa7e1b0cb8fddff7214497eb646e89b1dfedaef98dc4d953b826b90caee626045f4e530c9e95ea26daeed6165f7abb87a2674f680a04beb4674495ebd905502079c80cba23b55df66f303e44373326e5e319f2efce432f6069d27822080bb67a536f67fd9fe52f64693204c5742c4be9af8574676aa2dc445f54bac9e09988ffd829832863e682d3fbe17945f3420283b7eaf7604138aa453e2f429dfe3d0cd322a046ec7dd2793d2bdb63e04699701c7bcbe03ec7079b1836bf959ce71ade7090afb82012e2cf81528c6597c354ce9afb949ba164011af7c8c58eb90bf9f08a08b89bc61e3c4e54b9b0488aca3f0fc6b3e1aa27b81af27a2f7565696b491db1e02c59d2b0c7a46fba68d9f3969b24923e09ff45a1c1049c98cad4de9fcdc582cde68a6c811bab26f153bfcd0d8482eb0082b7a9b4ca54d5005824e63ed3320c5897234b3df93e4d8aaab28e369c08ed0e12c28e80a63823b5fbb88eff8880473d587fcb55b49455208c12cd79acd6ac88021ae38a15871af2fadf4a4df9fab50dcfa69f9b3f0ecfc805610af0969f81d705ed5c1a8cc677265386a83142ca67ebf388834b06f69e16573bc0fa203999148431505c8a2adc60ba9773943ecd23808adb857784aa255ffc85b320420eeaa704761695acdde1c449a56350d64dd21e617e17c5bada0730c74e6f8624265af5ec6e33910d9a06a13b438255c143ec31f22d2499a23fb4ea9295dd4d87a5b950d6b1120b7f8bab3b1fb89ae37f6e1ab81322a7f17d2e38685999dbfe5d1af79d1305b9af7619ddc29fb2309d30a07c134eca0d2464ca9456c7a2ffb6a8e08988adb97ace314f55569fb71b23841eb36b2a1e7b8c609e59684de61cfc89395f35ec520d8f2f074c7bda98c0b4a0b136fadb0eb979753b6208c8103ec509809c1c5d38b1a35af476135ef03a1040b7194ae3bf1111778335a86497bedc5728ad81dde257c67a665f708e7943cbb19a8d087c82d1368bef930f64800ca0df287da9f5f2452853c8097919c6654da842e6132b2dd9fd177fd9c33d8e98a6535905bd16c2bf4f6f00193672654dac93f748fa3bd9ec050a4bc5e2051c8a1bc6debfb81130f42b35ba7574802e7df72bf7356808f6c3f4db01dd38a1b77ceeb2196aaf53b486a90c74f7fdf713a4d5eee823b038d923f5fecad38e0a297d6facf6545ebd75822717dff90abc300e49d35ac1b6e1806a4173a10abd30924db647175cbc6a6fc03c91fc37243d2b86e9c10c0746bf59d3283b55f9a03ba8a544368bb1b9b285c383cd4a3bbb2dae4f12f716d83440a875aae1a77f20c5ec26d7192dc62c0d723fb74a9b383060f297465c9f660601a9370b5bd087ec825cf2efa15d238f235f0ce7bda6e28eeeafcd069a94364c4f948d843622900fda24b6fced2a19eb01874766c38fa62c4ae6bfdb70bb44f845990ec5450e16707232606de62c0bcd2c8c35772fe7ab807a78b1c8e8ea5e4a9497a878d65a1972fa344fbf06169f39de1f8c6fd2bcc626de0407523c8438cc2d6a7a418313a5bf4c6699c8fb49dd0f1f6c6a3190056c0fd28c7f3eb39927468be20f2467cbc98c9f997e95ee8caa9867f48beacc1fdc2976ca76cd2562d06fdf12603e6bc96590bd182ae304b9a91a4b79084942191798526b45d5e5b39fff83bfaa284d62a1035d2c65f8f3819f86eeba77a7fa37fe1ed7e110abf5cc99f04b88ffa056a40485177def2080bcd553580e396613a74b6185421193a0d857ff9edcd9812320aeab9f2d74d78637b193840037e879ac36ee001535f6b30675fdaa1399bfe9f9370bc308c217031e3c22db9d60892ca57ea5e9b5fd11087335874ffdc2c166c3f61000871891f16693543cd9bffc41e0d333396081f802ec2aca66b71ca3efab8004b576aa5bac42424e8fedbaea419d4a182599132dc0444319e90b71757c56e7712b5ca8461c73513977800e44dfdd404abb1c91a98d23f4b38e2ae967ebaa577de0f3b929e79012232466bc6cb362c75ca362ee19cc2769e2f36e6f061315a722c2cfdbf1cc39115c7505e7c107476c5e346c753952b537800658fcea4804f52eb1259857c35289035f0bc5909d8dc841b19d67b02c870295ac2c3774bc0c48870a2a87481f52920a85625fa7cc5fdbdc5aef3f6ced5f6bf13bfaab1990f8ccfbdb27ec4e247932826feacbe35a222998fd5b4f1fb769253dcb12a8bb5ab3910101dca59f6f2c0358e75be580674851e4bfce8db32627b2e3e8ca5ef51fd1efae58ef5c6e231bd82c51ad1de03395d7caea75521b16f13a87e89eb300f8580dbd4a8507f959cc1170a61e82a15c27d661e9dd2590307bbde5d120f8e49ff9503a7e0adc97c02c5cd3d31a9abb24b2d13582e846f6ae1f5d408e9fa74080582213c23d2be962aa37894e5ea0ff0b802579ae420e8f8af4809c3f842a4e8dd1d40bf7b20163c6fd4d9e759242c809252d6cf928f2beba93c26816c049305a021e865adc816b6ad6a14d0eb475798ed3a59af24f006cfbbe5115ca2f8aad096e623908c0e733ed8ce659acb3a1a5508e17a4ddebd3e21abd697d0a6e8b21875ea84115ed7cd0db8cbc7d4c0479bb63a5151744136f4678c72ca235c1dd08a016f4f11134a614ead7ba37e420b2d7a255c0f0c48de510759819823fea6c07d96aa09bd3ad8d553a531315254827dfa577fdf7724897106c8e54606e68e0e8655237d7e9026e16f6c4cffabf901c3ac4722c899b0003de84eaf7c38aefbe8966a4b686ac2d43f238f06ded2d4889e9ddcb7147add56aeb2da6c32094c0d31c55f3f151d556882a02dc2ef81c4dc9092cce1b8f27895c8f87bbb1dbc95ef92e7361a20e5fb352da4eccb7e6cfd22dfd93215ec1e948f54d93d3b995bc7dbb898f35f5676ace41cda50c1bc61bb2f192f575cc96a57ef93ae8240decb2a89deaa946bdc9c975439634a4c1c989cfff28af50a05ade7c9da957dd2169aa837936c8ab2c1f42cb5b8f980ad1b1049568aa677bf24ee051a0937356c9f6328f3942d06e519c17b0db0a89a71b886d0acec72903029ef723cc44bf5f91df28cd0481933778ffd317e8063c6fe73bbc53e94831b736f7a576b6943da9a7b8c41d863b0bb4218578f76f26f95c164971a8d0f11f3e6fa0fbfe485ae47378558be1488142ea88bbccb4cec4b73f166a3f16622f442c55db2efbe7b9a6c0c2ff18153268027c099a9a04211cbce48e84f663191ee0449624f6a5a900f9ac0d45867612ad56b53421ff143257f7cb5d07f45c7cc70ab4afa4a9785dccc126a85a4b46007e63c981c448a7e1c03835c3827ff471a70fd7b2b7f1bc33fe29f60dd889d300592bcdd7fa3660e8087ff92b301d20fd07096d461f6f4237564de9209ce08e427119c9b5fb0ec7848e2059b076a9d4358ad1e7132e87ea93f6c7f32525f7f82c5526d244188c73f3a7d17cdddde3a2896827a94ebc12435e60cd68121cfc9a5b8a5e26a8482b4c8aa06cf8e18bd876f52890cca4e5125e07e4bf13df5633deafaa5cc0da424e895482adf8889d9eb3c1eef93fe1fb0464c43b520ca084d320ffc7827b033edd9c11de7d75ba818f344ff7db2f05a49b9de2a506b3a71974b5ed80c296cb43513a98e2f067993b8e0f60f079c7fce2f76a005ffdbbecf1c8c779d2bbfb0585fb32a35fa9ef1ec5a814502c4d7f59a94ea436687ce9118ce17922e408b2e6116a439682cbe0dddcaab6d0937a898fc0432bad7cdb388fe7add9aa8c3cffd5b1edb010dd6268b03b4ed12038e6e5605a7908026db22e46621e47bedfd18fb0dda3cb80c79b88bdaef5f721dba6c62c2395291c4b85f3e587605dd8521454c890876dd2f66b9f1a16b16545c3065174889acbe0fef736ee131b12b8c597e168bc96ee68918cda9c4d6002a6d9ae5f5fd1661acd14e23ed7b16aa3355425713fb513ec6a01ab3a475dd7bc68317eb973a9b494314f88242d7e9f166f5babfcb47d9b0ac3dc021dfc19c144a70cbe3237c6429a957c5568bc241cd791a3da0282c996c62eb89f13252c082af7bdff10d63480e3eb491f6bef36dadb7d53a9561af3ad6fc1f24c0a6e08f0fa9703299fd7dcb71444902ed8266353bd642649afab8ed57583a547394083432aa0b441eba37f2a4a7dd2030bc3fc824e50840268aaa8015bc83aa276b1c65790eeceb78346a299d7c9aabea8604682f6504ca87dc162837d319c45b02303a75e64e2bf5b7437d3bfc41fe08b3bfaa5f4d65e8dbb4c82501f5a0057a7ac97e7509c8aadaa10f0a629e52f85b20093458c57ccacf377eb4559c29f91bf1cbb54f40b5dfd742e51f8714d386abd5644f73347c75726019ef53f359e4769b006f4943e002750e2c7dca3ef82efe27430f771ef03cd99758550971d4275de055bd8ddc58ae2bcfd872d5b0180c43f98f84c07f17939024fb4d192c268bfd9ec7e6b2ad25882aefab5908f15c7a5f424e2bddd7a5a99f4e2281750f634f7c713b573b4addeed4691a2f8d6d58060342a084abcfd5cb047709fb1cdaa26c221d06c11d27b9d035c11f84d37c44424b303923f7a75f6809d95b1e63059948b9c840bfd5289cbd6373e058d31fa0dd5d498d1dc52eaa1e1950c62e8e39c268891c789ccc62dbd43ed15c58a528c0d2e9e0acbdfa62f6d195d87b4bc27f180b84261f68b6768fe93d8160c1561a5489276477d182c4620b2c605b6bfcb67b9d884d407aa3cf64d18cbaf9c6ad63d2cd4367dcb18ad5ad5e2900c79b645347c5d8b2fd4329d4b9d632c6adba01dabff814c8f70fe0d31ebfc22711174985cadba0c9c6fb5b5396f32acac034802e14a8ded588c94da857e55372c96c0546b18e5a20de62764ea398cd1bb25c3accd4b9db4ec2f8c045788e0700f2868268e749486603232427afc6c867bf1829c17c991b158ab488e2525f31e4fbe680e29114f92bcf38cd77d9e9657794dc52ac0876db200d7c96179d37b81c6137a10d642461557dbfc7d062c8d851436ac65b6a0314c8d49d81d4a2f25ee961720528d2e83df64615bcd74e6f15f00218b85d2b0281989e3ecdbb3107b553a9a8a47feeaf9b67aefdb7c0e067b26fed87683eb4745137f79fc809b8409644effbcc4d695d480ce651bb5370780f280b3a39b75b92e5d1f75618a6af791da17af3563bd3cbf9e07e3650a6a2f602b736a82c2d1c66a115194a3fc7c9196344aa2437ea029b43ef34c20d3dbadcf37ff0839afd75afa59d205581668b7d302570bbce1ef4229a30fc40c528f3945def73d836aa752b42d7fad3a24bbb3ffbb3b4c834405d7a37e2fc3d51be6a8d3eed3df4d7dd6cf05737579d1073216937980919dbb5eb84f8067748b774066190d24bfea50913776711ea298f9d9b674fe24c504578c78c202b99f1c54bb4e8c36e6e44ee597b1e28671a4dbd0c4f5838610e651e41a5e4dad25863576a78948ba5ac8cc8455d3be91885641c61df09b8888e7bc13aa73d90d9d4c3f293edf721e2ad85248d10534de4bad0b4b23506407a63cdb951b2dfc8f53aadcc988fed0a7e72c11daab50b3061b1f10ac2a1cf665e13335e97ba94b3e19fbd19a4a955c45d0b47880aa756032090cfa7aa9bd3ddcb1b54d6e2b34e6292e04a3a3b4cbe33eddf72967e0718fb9140ed23e3e8b5bb7ef6cd6e017625e509c34637393ed5facbf844f658f93c4fb0ac49e5b9a3be0ff849334b996bc71135a9ddebc41bfe84e9e443d6a07fc6c3baff479e2ff21d729358de678c426bed7a351e413f6463df0efa7621c201e291bad012d4179af6cdbf44ef278f6e7449e7afe7c586f5a4cfdd3d610126b87104e85eee8af49220b0eced5d9a2c69ce9166d84d448f3aa75b0be354d73b3dbc066567569895963cd08354b2bdf7754e5983fa77b7f3214b0652832c2ad45444785723f8690da04530a4271730fc4a5062df6f69c1fb2a643f53e58b62031c0bccab7157b6c1e53f9ab458c794f167ef52e9725c1318229b0bd8f5450c3275992059e908e0d9b45a6fbee125be6a4a00f969d79193d6e9eb7cf21722ea7a78273b0e54031e0042922aa4f0202f08f44d1b8482b9879086973df08bd430b1390164418b2b4467414c13f595b252cad319f7c00bc46081c45ffcf67b9f78dca78533d85de75a0c6f601793d73eb68f3c49c59de831c14ea4c9d40bb42ccc948fc5bb9184c06af6f02d4cd8f71916fcbbb0878c210652815632f2fceb8256bda3d0d08b9057eadff67a89a75c38cd9eb76de790573ca24d8e59ab3ed8430c3915adb573d1b773f75b69bc14b7a16dc0b93f16d0ca8b52d1922beaed20ef6c8e383368e8338bdba0f4e2eccdcfb6b60940acd5a16f73fb94b9072248497d54a544a5d41dba271e482e73157fa6ae96cf124e9e5af7b5a170b6bed8d27ffed073657a72ab6ae25435a64049902575ca951f2c08dabb6da7b75616ff35fc783ad65ef76dbc442a6413745452495562b6e3ff9b94448bc56681258529f3783c3059d3cebb38ad3fb859478fcef3b3d990ef029c9f072e852098e26a2c0fd8cd87bfcb8c0a71d7ddfb650ca4c21d3effb6285ba0fb557f609486e57507211ccdc996b37f6b86c3bf3654aec8c65bcb430ea919914b1599d1974f33c579841d8dfadf714918c7a33b543d444c18f02dffd26aad5f95655ba73e79ac1b46f975c8d82641ce1765bf457ff4f25318d83acb1bd64cd99a3135780b06485feed02296e1f3c557124cf8081991d1999a86faf774c9e39e39ce85722a3f9334c5a89bc182fb038a95c25350b341b5f7630ff9b0fb1ac3d849d2153cdd8ea9d5942f1b9788e6a0ebc78a22722f8cf6f0db480d817992b5b1e0d008573286ae803d579e51953c8d1ff58d5d7c9f2aeb85340b1926967a6add3882da3106a234b481e6269e5409064d9ae31a4c85633b0d1f1c3007d68bfcd7008d2b5f6e71fc4a955df16fa0ff39bfe28680b3d7d5c3096aacd36f989ca0bb3f774b34410aa4abcf31eb441fb62e5d7998fcf3edf6af5b5940b2d41d272946d6f0f97489f9071847cd1cfa94523058f11a35c69e3e96e8e43e029cb583d6c94a487c11d6d627f55ff45a8178cfa72d552a991057f170d1f74b08e0359951bcf779799a5597eb7cc862c9f7308a77a9021b86096975a95f497d5a09923c2a1a5b504db622557da0d493ff664f334e2cc08d5de0ddd26186a363d5c1a0d983768d370e2e06e894193914b55226ce3899dfab0716af60f9c3ffd4062520a77b1b7aed42feed55d9c467b409f9aa0be4dd78a3653e76acf28e44a76be13363351f185640b203eb8a2a330b947ade25735a8344a78f72e2d65e83eac0b853a09ade046e4be744fd5afcfce2e913c97c5b5bf3eca7038d889a63af730b8c232252cd64982e1d8cc060db6b321e3a83d8a323c8becee4d9869dd93586ccd322eff33bbe608aca4d83b3ae1a010bcc23790342501df7b26675aefe411b37693a9250e232ff0c206f9bb6ea6614c8f3cfb6e26a74aab4ddd799e3f47cf6629c61ddea0d1e6db2b4831590e048bf36222fe40a41801aa5cdbb24a896791f5f1b3c9c0ce86df60568e726224056c5fac7b57630a5c3753f17bfe8723e90341c3a2c1a5c7258651d31564295bf6c9ba58910243210ddce4df640a34d4cc4617505046de43ebf8dd042bd208296ad504ee4c7d44f0ca94ac8704efaec6562309d0e0d93e7543a9babea16116303b6224c55e4d0c0806b51eaeb1220729f0816098f8e244993eece2dbda5c24d1c59c6115f85396ffdb07ee4a380c7cd7fe79b49e4b670afb3a0e41e3d66d5c1333726f66dd25cafd5b23f145290108d1e5afd60a458d43442b99b4238bd1b116e202c6f571f68efca8b3fe2ea271ee7103b18e8d62ae8fdc96b7e1f3ec6eea22bc199f0f6ee9236db27442450f32a0e852e5b4bfbb606bd4489fc2c7ca3d31a088ac3a0c7dad3b96202f7165d5a57f8299b6fb630510723281f3d1f84afab654a915a2b4cb493c36e8dde7e86b6ff91df2cb69537c54a4e9d612b84705bbe4421d0c3c7b438529aa4bc1d7eae152ea725fa8321ffce5b4acc33a768df68e304157a2792b3cc462db6ff41a25b5b0fe562e7bc476d0d6ffc3b7dae40c830fbf4ea43020fa38b7301c23753fca45a984081c3b5a744c2ba587843f130e89f1ae1f08b8c16281a39db3308587381203d34552df7df4a1e6d2aa4440e26594ffb0d7a0134012a20b420282f60aedfc1478eb0e13bb8927972265462a95d7fba87ea425249536caede0cb6783a62e8b554c7d7b28e6d13e6e1cde54ba20e71d4a6c818862a177f74b9490d6281ae92f242c16b23c22cdb5a3bc5fc511f1775f911426e3e545375e74371a7c2c40af71e93afd240f3f69d2a9e90d1dc3092f19c57efda9e62e8c52bcf9bcea806f93f950444bd413fdf0440453b08aac17655c4477f0debf54ae7660ef10e4172bf28b7db11a4498651bede28b8862c0c83089de0bf420e9d4567914f70da09bba4816b8e38c94bb81704117fa1b1500796b9c4ed2efde202aa7f1901c6f1b30c717fd37b705431189a13cc019e15ceb44289a29340ea876a5dc42adefd86062ef93889c28a05901ab38f4e6a480ee65d1e44920e53d886f29b3dcbd96fd6d3575cde377807d1ed9c3e19ed5e81bdaa9677c9ce8697ff0ea8fc3f7086c780246ff4ae8261c52315f6de7043a8fc02a8a4ca5bbe13b0f19783194c344a06412c44094e94d0317d77173a7e6ee50ced15e202d1e5c0cf616c31fae53f5179c8160091961b9aed1e25ea5eaecbd91425cad4839d12bf0cdf80e1f7a9e809a74dffb12ec0bdcc610a6d9225abee9927104b61076ec42d25a30e74d30652919746649a933a082fcfec0893c50aa1efdce1f58e2bf04fbfb0198d137c4f56bc146dcecea5bbd87c03197113f278da63cdfaa92bebda52e790fa7bc3dc6669e9c88d57710f9d99880638a6ced75b24270a7b3456f73a247eacdd179fce4f02403c7f62e2f178ece290179e2e475df82451b3d8043febf92978835df3b44843c8919a162e179806f2ebb5e6edf30aacab3b0b9e4ab944998febc6571710ff3473d12b7347748ba34cc4923d401592be6aae78ea79c3b3c67f2283c6da83e95c7b9b751778cac836ad9871ffd955d1c6fd46b56a1472763ce3b363484d59d35804d676a7697785efd41a2091adcd51e5adf5f85d173717d1f02a9f6ec1180cef6030f9e45658160263ff66a6f501fda4f3737377079c2f91f80a6e5ef168f0da3dbe74f8fecdc0f4946cf1495c17cc8491b4bf2f352469f34779ff1ecbfb6877cb721f7d684493b5649bea70cd72aa9f227fe499da899d8e48da04c5ec26789aa4f11426d8e862c86d37e8952ea3dfbea4018c86f99cc6561bd0722a38ad506fbf1604c049841367797da9abe8177049e1de504e58a7ca3b57ed631034a21de9aa31413a9773430723957bd10aa66f698c82c778819c169a07154b94c88dd16c2e3171c037580b3bce41002ff4e47137de29461b9f42995ece9ca71aec18d6689e8d6b155ec2f4d7f206c96a16cdad7c54177f2b71c5259990d5a1a3baf9f1abebff124c6655cbe8037da1b6993f76f1ec4d56dbe7284de6c1d56ba8a1ea414f1ebb8974189da7ca7f063048bd9024c9ee5379597c8bd07ff163fde33105ffc63bdfb4704df5d2365451e7913467da019eebcd7074d708b0eb179a6f43d3c54c2668e48f3d1481cd4e34e2a89ae6d8587786f6a252c928127876c4fc017e0a9bc311c05b2cb57532693541862ca177c43db9cf20ac23d70b0863e97d784e816a027f35d14df6314231808431f79fd634e415659831c1a7c1a3f0bd0b9f59a8bf960be5aa7a0a89092a2eb379dc267605cdd21985f0234124a451af03d43d3839c9684f642327598c4a7473851df6c571a3aa2ba5de935c84b3b85de07b05f2115d8f8ab6a00d68626e3302f1b94db85c4a54e99c001a2c4b1a97347c3a728be28d6164dfa6af6eeb7f33c5450e83b14e95d415adf68eca9b8de24e7da280f83990550ad2c0f26bb49a11f5aba092ebadbc342ccba765d7c250f3b0a8b941474a3288d023d89ad97cb051ce9f714188b8bfa9effc1b5ca679c7bc83d4018bb11616fc8fe56023cdbc8f79b01113ce029c408240f57f96a8ccbc58441d71951943464d3727754fe94b96e2d4b6f022edb3e9f719005aeb748a2c36466068703a8b36084c4e70a48a05099c85ebbf7f085cb12282df47305094d9ac48ec273c86352bc292630a138acaa25dfd972b54871a1829a6981bed62a169ad94b8372bd06fb2e4d4b329219a702a2f996896ea6f8e9414f81c52b6977f87b9d7db7f9ab9d69dcc1520e41b55fa9c1ab72960bbba6a1bd37cf412300e2d78265ea16de4ec4fcbf0e97460fb56cc92474c554b500d4c411f708ca7f69c0c9a4bb5a095a23ec79cde709321734deb3ff2aa49e8203333878964c75c16719b422bfa6089b290a764492df889c327158007f531742645af798045fc613093bf107d5cf11713843e6bf5028efb41cd0d1e93f988755b96b82f03bdabfe7df0c4633142289ab56f041cde764624ecb8c2cf0edee15730c8a2122caa9f17a8c7028bce989769ba0adb7e818daf94bc72b9ca2b22759d9f00b3feeaf34e86e11e832e8bdb65e5acce99894e0af49e5d3f9421fdef8c480d60c475287d1684d0e34e70d73b28b23faa058a79bf7216dbcfc19e3b23a401f59077a8a742154435300a4c3b2e9b6698f583d25b37a02b7bcc4891fbab6c9823668fe9f7a6c807cd800a84f037c75b4d615adbcbd6108a1068fa4f9d3d7eee4dfe892c766a80bd4dbe5872747ed4cc7412c0a4fc690b66baf1f0df077108e43af1267b89e71487545ea4f7ce85a7b26c5fe5f4846316fedcf53dd11618fd83f2b1407298b0a9e4d3141df0cf3ca2d9cc95d9410f279636c7fab11621d0c36a237e2ebe0cca8192cb66807f42e2d06d1856ef9e92021ab2d565467c3bdfac556c464b5dbf86fd363d793f121e38a41aa6e247012602788e702ca5760342cb98c350b880925e65e002e76bca785e480c7298a6ccc166fdbb0ee5ecdb06c2fa97ba9c5b280d5906b26760996de7275ae0983abc4a4b0a5c28deffd25839d249fffdb30dad88f3439d8e1d35f636b3d29878931974cebacfe9a24daa3a1e58cea1cacc056fc3d828d7218fe0a41778ad0998149c4541a75e9c03384a7339addf9076de2e9421e08b3b74d87a172db8deedd08acd1764fe581fde10f0fc4423c0f7cfb8a0f575010b0d8ae98f7996b6be9fc2ca5e1ee32be22d32be54109b1924d30d002d62a5c673acb8633ced10925a760acae277dc054444c9e0e68874845706b2b7d06fe49e734b569485c3d92cf6bfe9aab230504e824ef33a87d30b96bdffa15f115abed200f68f349fe6c83bed8107d77d8706e8834298d5a66aa969b588c524aac377508ea6720161bb639e2ca492961aeca5bcedb335213ac4806cb4f9e15c29974d89914d37622e6e33afb7e6be874c5ba87d81a0dd124f23d5c2fbe0093d1831f1e53f90ccf0be8175471afe4bc0568f2f45ef0496e31e2bd7cb8aa2aa1fcd339766eb93dc0d8485a1c5147885fab089dbc20bf6f7bd7a75c29a50f2446074b4be2cf6159fe895e1240b8f1e691a846ccb959b1b6685292ca705a4fc9e4bf6d48973d92fdb9b30c88f7fd598e5dda529cba13d3eaea932445e2976956721366c5ef08ca8a36ee8b50e1c46b356a8bc54c2fb8d504084659becd6b0f9713a1d4af10a335553112b570fbe607a957a9010825518d8e1305ab1b78ba600ff26858a41888b4ea91954f95d89d6cdefa4b33cd58213540bc88d9d9b1ff398faedf3ca63a2f32b3c6433490d34775bdc285d5fa9b6080179ece821b0ff387b477717eeaa0e6d948838ecc7721dcf7e78aff9d9a8efa04e86b9cbb5446fded59aa6f863e825f856753040f54322ac12dd565a184df38fca93be65be57ebb5022b83a8397d2f6f8a042da3a1299522c9956dd5437f8e06a8534a22b449e2ad49da6e8a5844f47cbc9b57294095540f4d112a81387be81fdc68261e6a765f005c671471c70a46dca20728c0500d2d07572024489b5ab7106ab9945b2cd8df14067bf79e3165cdf91839cffdfc529b7673c3df590066e3277613b721c66034817d8ac2dd45d705f1c13c2e1d7b4411f1a0cbe19e618f95dd453f9f91c97da4808985b01497cb58cd69e8819c56ca81dfdd33ad2e4408e5f1f665c4374edfbb3418baed831c31baac974609d3a05d9e703042b4fe1ec73d50f66a2ea3862137a694932373613a2786125fe8653f436114716ba583ae10c5e92d87aff4d151f81c8d6f06fd97a1df30c73cb22c996e0fd2739967df50b6fec03cac5351797425853c06adafc728af2ed39911cb97fb54e0f90a30eda99e33f9039fb973010c1ff6a95cee6e28af678bfbd9ecbbb03f8ac78657279e4d99163dd45f819e82fa6e2f5bb794e906c850cca0535f757f2867ed7d20f06469c6f0e95fad62eca4f1f79804bfbaa3e28430130301548fb13645cd675b2ffc98e70434907a7e626b94cab768c1f25dfd521c3e80b41844afe5c457d7224204d78358a91dfe5e2d792d7b7b410750e81f5e3c4b5507912b470d4035d9835afe05614a938dc790bb9b3bf3af7f66d83f3fa7427c0a0fcf17f10ff7f58649565048e34d8b91eadd75f04f46fa0f6f5f7ff74113f12581caf90205d953e8b5bc56a75db9d0aab414e3ed88a68b19eaa156896f14934865891ac39733a40ddbf08758b6d8eda59d64d71007ca3a7baff294d5cf869a6e43e0beb623b832d40fa6f6ac1c2f322faa4fab039be48cf309ff510b6cf8904201f322c8282d27b4c99cd85884cf092ffa7603cf51d5a1c7ebab48a95e43ad84a6c6a382090134b93f40f32fca940c7b292fcef6103692347bccf6f6efc3a64bb93ade7f98ac21d79d0a9db8a47286f8150f352d7f09cad3dec0736aa58c70e2edfc4a701493ef3f1060614ef285b25f0c39578b7b8ebdb0ac6090d51b531bcfbbe50c0fad3d946b510539ced58497bb99a198959590818b365dfe2ba1b0b77413773430821f143dac8da378ed430a56e9c909d8bd39e21ed648d89851fa4116a487c5418c08d6cdced8c01db6b00b0d77191f4bfb3dc837215f61b1703ceb3d8e02a42a711c4b96213390b59bb8b4121e48b210be403591dafd4e987b4ce66ee1d6d919137e68166ae940180a3d254ca5537ca6fdad592e6269540107b3a2a231c61dff1432cebbf8d944d6ed57574d3e29c7bfa20fba9197ad699287568fe667d4dffe70e7bcf95c1a1a800d2da805cd57cdc8ddb7f7d96c860156197122da479a8e6d955c76ebc4432a4a6b9eec1e45da914c77bca89ef9c442e58f1588b3a38bfa8dd138f618e098f987d94ff3864e2e5090da6496666dbf029beb04054bc3ee417e59fd67b3cd4b3581744adea5c230f051bbfd602b8e94ad01b5289811e805001718f3037579c44e39d2e58808b76012f1452b784d960e18676032ba1acc8f0a2f43f0c4119d81a854ff0bced61b0402f3617b2baaf5912ae1c99cde35dd074ac7ea1238fb5e31a49c425bf7aa83c5b461bfae8842c7b172bf2c9d759ad5c02703da91bb352ee9b20ad9f569401718d615c95ebe7ebe8daf146d77b59b3deceffb67e4d3ca489e4975c1c9763a3612e87be30ddac6e8ad158778ad7fb9f8f02fe5e6057cc17644de962512911d404b59e033371452871cfc889e191382d4f95caa5dbc65e7dfece40d798b80b1d372720ab4736d71d5e78fe94b8f8bbcc11c9de94cfc3c23610b67a70e61fc2a5b091bc07824c1467440b5eb0de53dbca21cb114f59b3c808befd39f876777945b3f908b95d6a3afd61a99599ceeb533fdc36fc02ed996d942dfccedfbf7ee53cc5524afbfd58c0a6f8bad4a15b67fe25d4f44851275b8c828a91a0824c3f3b80ee6dff7f1cc210f3426c9f6969372ac225917306a967c572b87cf396f379aeca3f51c2241a2d8dc84909b3247c522e742bb33473204e4efa25f334add1199d3d3effd9e3bad76aeb78736c4c2a83858111f2c0bea4b2435a038b52fb4adfa151d75971d933f23df2aca55e649d7b4d2d35e4a7e2301f31d2bdbe3d9dfe55641bcaca90eaa084e0d95398f7b640971f886b360f2f2716cc98bf0679d06e38549148ed56ba144c598a962617128213c33b4d976a11cff009589ae9b1179ea037387435928c1ae2a2644ced552b5002b2b1045cd61b49bef9438df9272a99074f3524e543a24c53ff488556ba7f1f133b2320dd38ead27895945a50d1194e46c32234d90f08272a1375cc5aadf30bcd5dbcd0efdf8fb0531aad382609cec2e9c2a0c455a5c6be2d4025533ff3f7c2952577bbe14502315b4665e2ce59a3e16ab4dfb55ae94c25dbfea70cd310cd7ab5766db2ea7d7a07498d4d06c238920ca52bc2dd570dbaa729debf722f7e1bd3a38cfd5347971af4e6452b8ecd53fdba317dbfba97403ccd170a19acaf051519570943e9ca800e37dc286abeebf4134da43b80b7f3f53f0dd385566a177e04a769d8e493474cb611e063bed87f88693c93e7c8f1ec9a9e8314197a27627292a8d7cd86ce3eda6d537960a1338dc5eee35c20e9d925081d5220dc57bc8b8edf2354d461ff037a12650f8a10ff00c6a09fe1b8ecb5dce4ba37e7e0da9fb801b06c2910e4ed462968bcf033d2730652246a851311b6d9a93cf9ea517b57cec0d8ba15299ed6c057925f2bc26e22221eb276a8d1ebca05dd425af1023f1fb66fb50ae08f88d4feab11a7b15e8839ad565c0cb63564dbb26a9a3d173cd0b9a52ca1c936675153505eb7216c9b963c65c57295816ecb4f166cb14782af8e3541f2d050e9a6a872ef0a618b1c112f0de05cd62eb6954843c3ae3ae6a1c8a1dd2a381f96d2264c7377b29af1512e89e2bc12c9e348bbaf3d042180a94ed2106337e426e58ac11dac99cecbbdb4e7d739650070e80df298505e287bf23352b3392a43058603e48c20e9542f341eb89b5e365bfd1878e51c4f55be8e5fbf9a2036171249b4631d06831feeb4ab403f7ac351d09f50a361841a80d2444b5f5480c0c931a3261d36176e8cf5f2fbf32ede757ef859e00a4b4e841a63a4e65e7447c4dda23dc6b1cbf2c802f0b0bbf0855c8ff1cfbdfbcd02c462e307d33cbb272be2e6a0622a6a730654ba411aee57c575f6c374ee8b8cd62ba6f8161de46291efd62f5c8807bbf929ad94189d0d8de8915d8ee5d43a04c95c025c3c2f3d8ac31e031daed68ca4244732c13db58374efce6416bd45c4c29403a4813259c3d010a0b861d8e56d70460ef7d41e1667ef7a61deb7349f5862497bb4edd69ce3c8ce94863e7a19c8f150dc62d16d5f581a9d109f2e3d91aac1849c8016286102b97523b2dc3a0367f15c79649b0ccf6ec37e72a0bf804edc9b2b0ff21ebd72c8c4ba67dc36e478761e2a2fc2f4ee25bdab00880e85b815ff4707103c76aa4813d74aeb69035e1caeb46b4a51fe2dc9b3706f73478b7e411f7e9e81ceacbc27979bca251591a23be60cb2f00a8b4cc3c36f8e9b32350b0be73d7c29e0fdf63b053fd21c43b69c2e04b42badecfd8a7548a7d0b311f4e1d230d8a6c32f8bd7738e10cc0748cc44efb4ca8c9d5aae6de3e19b12fdcc597abb8dc209fffa9d5b7acdc044a97490b7877b2b13e754023853c55e674c067ed36d67db3b952563866698167eafa2d1878588ff0abb6bbe4e61b8f4f7db75e315a9cf5e39949f110b540120bc7b3bd84dd463d00df71332b01ab3304358dfc5a51d4b22a0997d851cb61e41d4e1a985e565d99eb8d8a8c1ea7b26b09cf3cddda7cc8669b77b8eeb70e0590f5f3ab2528b3e19e4d428f991a5df66cc73a821c501769494d1bba0108c8c894d91a58a59d432a43d8521a0bd616767d7158d77e530f3df4890cc71ddd0972318f04e6464d832291e55eab5d5f0f22e341e489a3c107c384f03b0c850a271d4bcee9591b332a884fccb6ec51f3b9363146d5cf918893fbdb78fef806181aa9f09c7f5e36cbca52500c85eb93bb84ad292363a6ce87e43145257b9df6a1f1db5574d3d7c6207da286105e92a3e0094f480a8db3e87a5c289525b0d18a7ee8bec7c13fbf923b9a14df4a66c55ddc68fc8f0ef2091f81d1296f8d4b278458c73ebc3d1fbb9b7ab138e9231986e9c9b83a599a2b399de243dc822196dc57e5ecd43f545233147f66fbed7451a4cfc4bc8faf720fe69efe335009d80543e22f3a898dcef26855bc86867f00d3556addffb5007c032640ba8b1cdd04d78405e2f2a2c213ef2c45b5ea711097753c15f028d4324a0fed31d7ad879302e9260601d03c9781f884cf858be31a49a55aef51955e1433036200ff55226227d991b8246d22e2e3a82ed9c54704b6fa8997bcd25451a2da4f92aef78a3e3a129a85cb076be89a5ae79f1081782f83f0044b76ae068c4860b5f315e3537b3ce24357402b18fa4c188f1a782775a8c16efb6bc868bd027fe79df5574df476357f3a00ab05894500c9964b14980983ea9e028b4b19951d25210d77a8c2513eec92856fbf402349a234944842063ad3cd2de842b14e016c13bd1ba0647f0c6cdf76be52b58504ce9b7725bd7b6c447060e949486ee3da6d9dc34ceeb2b79148a088a8abb7363fe3c25e96ab74970814f86a8f6392ad956dac9150ccf6b27e410c885053e313f5c9da25f52515f5b93bc4d592823063f84cf3d21404d4d6fed52025f3b653b82a3a273e9bb90f441998fac441e577ceaada944bbb1671e8f33b8dc3c19764b64485e0a7c095d0321a1c1388cdf7e4ca2a4f2a7ed49b6018550d2fbefc89559dbb525b31b9c136406ba347e3cea54af9515a3111d820931c234111c0570183e302ad9eef35d4c111904472cb5addbc2fb2a268747064d2f8c94eb9563bf93d4ce4fa91f908c3a81674d74f4b35394fc88f6b542fe87cc2ae3edff98e0f62c1aa0cc92d536cadec0e83eba7364c0c2f1e8193dd9d70454f4c95a3fdac00dda1362286aaad8ed86973e07a7bba0f92657f60997ded88248dc8738a468f36e7597f71d4b1fec4653c6dae5bc56e3d10289fa3a53bda1c84234945c303da1974a17aed860be63a69c16b5d7de6038b6e94437d3aa63a54dc639a60f69dd24857d86a617cfe837800cc6c5a03d3030fd7879d9a76cfe094f27d7db9bd2f0caed3f9b506c1d112f39410ec0b6f46d509ebeaeafbdf956e93cab08b62dddb118586d9b81c443dd930b1e5da20ea4b9b5803d3d834a577ee71e4cc5b4fca671d5125d528084cfd500380f64b284d3ebda1a2a733d92d6b47fc2ea6fb91b1c98292756468c2db73d33a60a43847003ee4e9c7cb7eac7cb0cb48b3ebd074c96ad146e711a863926d73d884dd48d0703200275be7365347b7a81527aabaa2dd1cf119ced298c902de0235ca3ac89c40b83ed1f8255aeb9581cdaf28e448ca8dd283b0e2a53d6e3f1c619787f067c9b6ac5d1288688be87b4948d4fd2152a40df68eaf4294c4273f893cd5d9737bbf59512d35eaf56dc80e0e4f406eb34abd669c2366f2eb8d5764acb515aae836b98e82c18eef37f1f1fa93e527d87b1fc13b853a9b5da40525131e2117931eda246d921d06fd457492b09ff8ffb2aad915aebe0d32ccca186e254d38845216d6676343250535f00f6722cbd1eb73a94b4857fc3b36f7406296345f1509226f12aed9959837ed7ec5b303ed5c03cd7cd78968c095e66dbade1c4b5bf69019d58c14f794c5bef306c44acc06dde8ab8d969789d67df964a8cc30e540b07bbd4e1f91e218422a699761f41d32b68f0878699895cec791a392222418e8ee7b8b27683471c42e8fe00126c14bcc9ca6e6c4861bc762ad2ac3be8b028328d8214e6101dd1fb8062114b1f56da52d015163a1e705f5e898148f6a77428a0cc2b48cdc61a672d4d9438f928f22934eb94948f43df9cd58ac36306a2577fde0ce5ee933c88da73f10992f91114fcb5d62fd7b2d7fc0c23fda74df67a6f1914407f9bc1ef4ecf8a1cde4ca6a549f3e05e23af1dfd083966ff2090efaf6c14845cf660c6fa4ba8f2cf62711e23c322b92f2efc9bdc1e079fb2b1f01958b09f0dd2e1de9a79db1d50428a9ca45ef739429dddb6c6515468c04f5eb841b1f11481c1a6edee6a5e3c6377810a0a871f99c2d3cdf22b8dfc16b74aac79ec25a3d77e06d272340bf69d78ab89f6d124eaee4d431a2675b9c319f530b05a18864c93ebfa521842f94f65dc799f911fa01c2ba3b3dffcc0903eeea10d1c4f3bd7b083ba762db8c2c3e37be24ca8039ea461cc447abfb98d596ef88f685bbe8bd00ce4ef4e63139b0bdf4961a7b349ebc42a0c146c5bb804be7c68435ee532df3c850c8f8234c60f6ecc921ef65c57a4d3fb4ffd08466bd06cc6b892c18b0c047c1b93bf32b8d2338995f1657eee140f0ecf1652d7d97e11c20e04fc9c843cb27074f405caa95fe93d23f7296f2285486384b99f9dcd0b8c2cd4c7fe236f563d2b414c0ccbe3fe242dc7899b11a3bdb838241ed1a078e082a3f0dd0017e7f51033ea648b1366f3e3557a966f3ac983654855e2ac3e43aa40ada283a6d71164a3b3e8a0adb745b77e37093c655020e1c75d330c00c9840af2ac72ecccbc0fe91ee3af7036ab6fb3deb9af5f73c4b4b5c65a1883af2267b43f5b4d3f685c66e226c1e6f05b2b33713010a18a3a78665bd1f8e4c9adbabccf5bfcc755743453ef319bed5c99978042c9229078e8a57030523517d8dda4986ee57fcd2a1ba03f52fe18fb9b1c29511331ead4f30527f98535f6a5507f53c6471612256a7c29e1f4b6678eae2238c66dba9a9c81f5052e7e4ec76c2acb34a25b36e64a46f5d0bc1800b77c98f91e398ffadafc5fe3dc6f15fb871e21ab307b01fb2d672e89bba1926c254ca97ac8013edbce4be2ad62890518d456a494b91002d0015d1a48212be2dc15e763b48d1dde231ccaf2c53073b6c39bec2b3e8b6e0b09d3a0c98cc4086192b971b4cda7b7737550e8d6634dc619713d7c7244049d9b41dacf67aa1f3da0db6a32978a81959bc036f8c5eaf153380611af34337551a82bf42a96bbead37fe21d8bcfc4ffd2ffc9aa61a3cf14c573904ec79110799440d30710328604f5ab0803b8d14e0b5d5a32c9fbb076c3a4ddf75fe43f16dbe3de6d9fe2635c60e5845542da959ee2676252f55c86123072ccb9e173a31a7ef0cb2b3702dfe0da380dbbd4d3fcac00fbb2ca0378693d512761ebfb077aa1408a09fcc1938e206ee87391171bde546302ae8a911fccac77cfb1a13c3b9f8053461300e9d2477e329f3c768dc95b6f3d18f940f3f886896aa7734560cf86008198a90af8e3c8163486b1e104e8f9f6228a9238d15d3bda2f81c19ab7d7435546873916652ee9ed4b43d64d5ca20785aaf880f0bb713fa273a2a2e8304cded6ce2bd64862b99f9cfc55f7ebefb15deb782dd0e0343190e6dbcc9adc152a8b99480ac4ab3c962e5fdffde4563fbefe3c7f2c72fa826784f63ababb06218768f4b6c09cb68008630cdda6cb9ede503f6b494d14ef0e2a1cdcc3bcb77c390c884f5bb2c25e194bd0bb651fa468a63e0d3a9bc0baedbcb0ea84500b8b43d2acb1a1456fe131972e93097ca42679e69723a3f254bbf4d0b498b519f41e6a37689a321bab19c0affc9bf68e6c861830ea5ed846c101ad9c6bc84dadb1ed03e3b7949011994fdf8a3aed564683a72bc2f9c9a53a1093840657c7a5854a8238ff269329722386bf9fffe7f77cc2eee6e660510b568563076248db4b77505baaa30036c195acc8824dd5ba61cd567eb8d094006cf4ac4ff213557fcf0fb21892d71af0e85a8437a380febd54ef3d5e544ecaf83250bc80159412fa7b25f86f21d3b10202d91a6d4dcaea11a334db952638b911e9895180d3af45f3555f15addc4e1283b5bcf2780819a5e607af429ed50709d087225b7c6dc0bd1be480d9b0f230384e86cfdc94c1feee37ef79fb148efba4fbbcfe9fa1aa2d48a557ad5a9b865e26aeff87d0c15bd73410f99b9e496145cc077d997dfe0e1d360ecb695b25688cd305ddc912ed38af7c4ba286bb6dc1d6df64958bc4635357f3773f7ea76fa3323c9a092f430c55179578368ef9dc9954de7af72c20ad17df6cac5ec72d632a2286e0a55269854ddaaac70eeab3c7e974fe6f73da8fecbc7bd45f2508419cdf87569481059db747d6dc6bb356c0931d7bd0111272ecbd0801bcd9ecd6b0d7152b921f3eba8ad2e6437d0045bffc45cbc3da37adfa5a0b29be0a8c8546d7c4c6721790df155f9ae38c4ee2f0aa56009c8eabfefce38dd3ad39a98bc1d34a1fb3ff93a21892e706b803ef1cfae2652ff0b12e74ceb341d7172882e571aa350236156498b17c9b5621b3905482fd78f979d69e91f74d9bbfd086f310d3b6521b826dcd1c622f5bdc185aeef174eb0dc4cca6990ea09e83ffa9e99a009cae11fe406e8880a9046df5fb81ebfdf4e3a421553b56e08c5eeb38dd09af4a912aac641301ef1095a245e15d137a633acb4e469315805e2766531722b8a2f875bfd8b6aaa0098e810c296e77f6682aa6a8b06c5ed850fcce929921be9f9d81f1fed8f993430efa8335f8ac5d08e8b355afc597be757c9d76c31e92352f1fc877961aa7e8ccfa9bcc5ac3dc59ff796b59dbc58f945a7283848b6552ae380b1df1a3c3e9d8b67e9458811b3053abf6fe7bff329e6e7df7c6f3d513fc9bcbfe6b42f2528602a1b4314ee9218fa1013a25194d405b3aef274d2203fd6f0567a7e5b498aa55478c5a544eeac6a3d9756cfbc0165427238b3d553ebdabc99dd575d3724d9c00f405f41fdd7d3244fd9820897a97c3a0fae469447f48a61822432643aa4e7f2a7f7be956675d1f460f111aa9e630730da9e0096caa13a054fe932146cc95f1b6d2671a5d2739538cc69f03457e302d998d89059e1a45707cc66a6ea8a94e17539e9a735a2c129fee395317d30feada724e72bd0527a3e30f8bc9b4477b8312efb9445622f0df496b6ce0f62db32b5e041be73b6d765c477f572e5f9e739a77a417ebeff4892243ac288aa3bf74b236e064a9c89106453e24311084e3d42cd748ca009d35817da8f93f18cb442a3e381d49ddd9622ca8f54a4eac8dbf6cf01106cd51800663829ee0fb534997900b9847e3f38a5637dbbd73dd83012ece0b350826b62e56e726c464cd8cf26fb5d77c8cb22379c2d21f54496d807d9234af9af9b65e7d1bc11b9fc7cbb398a9402347f8001d0de1a3031df0cc0322ed5f384bf57b76fc6b9c05f0b8aeec849632da59be5c6c75bbfbaa39fd76619f9ff3902e6d07160aaea2883b6bfeb267628b4d6f6d8ff47affb8174a7cf8e99ea9fdbc4fed743d8253a86d854123062dee12c9caa6053aa37d8844f76c230fd86ced8be208a52476bd7a9fcbbe76c05805462307d67d67e7be872244014cc50c94bd4cacca2473a44bc6fff19b2c1ac4da9299c396be479e13f99f10dd285fe143db45e621e94479a6bcf0854e4ac717e79b3180a56140d50492c8d44c1907713b3b54f571fe6287e2d7530b111fd4817c2d01aaa3861e7d212bfa225f2fcbf73462075d7f2e6654c7acf3aef64ba7a697df740ad4e9ddac9f1ebe8aa42f73994c41eb788f855a715bcb69a6f66538fee204b4606e81b8cc3b2947cf8d8d24bff7e3ceda4ec3508c53392def369596eb1937b7302952715a8af748a05dae24f512b10b78eee9784be25dd85d598e129284d971caf8cd7daa2c6648c183d4454df984047f9d0d2097cab7dbd1bd0b2754569c1b257092aac39103ea1c9229e46901535e77a570f0c214d026117d5464991c7f97bffa3ce179cbefaa0f7d65e0613f5ea5897dda14698ef3430a7dbd1f8c956f3949010925b1ef020370dc7ca9658b8213d6979151355e26d675fcd7bcc6e5ee72355a1ac6f38e2716773d21a4b856a8044974a32454ff9fd3f46278fb1021739b25a75d07c88170a13efda2d8671288f17bd82669e40f21bc9f86f8780b2958da335b820fb1a93689dd84796766cded39bd8725af0eb361eeac9c1a7f9475ce605a8c713d135e728d775db713291fc9d1b0e687cf8c1ba696106c1146cd3635f904780cf65aeee57ac82a5cb000f2bc2566456fcae946325600707059db7fd3dec2db0983dc9375f0d8471eabc748e6cb882d869d5865193e561a449147f44fc2cb069aebf07a2b1ba30966f20d97d8ce843337bf35213874ec328392cf7408284c8fb77e92f1d2eaaf2e8c968b7a205142ee267fe32c8fcdc2e69dd5aeacaf89e953ff790fbc816bd7c2c2e45183329a3c59cebe12ba8d19b1a358e67f4bf06c9b07bb41384d9eafb11cc1593feb6759bc0febd6ad8571f5ef88c4bac003430897dc19fb6d77d8f609b88d6ab4467e4e4b31bd0af289fc429afc58fbe394ce97dd44a5a3d03aae844ddb6711b4f67d2bdf88f3c604bf522184c2055daa0893d4a699c4336eabda303b3fdfaa930e22ae8989d37d5226588c712e635b9204a61d93e7fd3b06128e01e48e943050be4eae2d852c95d615c065276edd09c5ffff17f4da9ee0274faeba9c043f39a3f9ffc7b1b57fe5ce4d538974311cf876e708a2c752b0e1ec9c69f9f8c177d08b547888c659af4f4849cda3a8bb55e1ec279545c2d498e911e617ab5febcb06d7020a262f5944c18de0e392e82c265b00d11bf194793b478a02649c961784b925ddf07aea751b24d02c91a92d6f3c4eeeaf25b05bc5359dc6b088e1d26c322a45421619a0282d4e59944d4ef2e0755350a2b8b3a866f7b198199f7380bca110528c99170c8168f9a26f0da2e6c5d778332791a3d33d90bc487561911e269b6c6f33fa0eadcc02a943906779b734b8ead4ebe855090c98852788af3510eb95c928803e64a4b9970cef67003a9dfe0e28a61f1ea93b9ec240f449a338c2de8107298ed1b0fd7ba92bfccde6bf26ad4b0c70d9f30440beacdad4b3c81cb4d1e21ceb330c6ee8361d99281ef36a6a681a53505f333a64cfdd8ce2be3aa6ebc7661d29d3f31e724871f14f2a256dc6a47c13fb27c5d62dca45353cb9fb879c4e1e33f2d89fa025cc387068c37650ce1aa9542d2e063c09a2f4ae16a31640d7b905c7c80f00679f814518c9557e4bc87042e1d6f4ccff6d9fa13d0bdaff2510b5c4c6d7833df50d76250a6b25335117d8a3205b42f8341ec7c3a047401fbfbfa71f17639a804eb2be133e41ba6b511ae3e05b6fb33c91ebc6c870201c867131449e6d30523a3486c7168a0e23cb4a3268e6795ef6181ca84a5c67479eec4e160510c21f234afe322e65c700476a27fac73b2c0fbc627749c2af18d6d7fe21ff0558de1b92877c8d133bfe002c3f394a172c75219251a056e67223acb620d7f9fe996b119f0d60c09165b3a1a3236114c9d12b1c29eae7f911299940fee5c17205de200dfbee768cadb013838f4270b8b847951afb7b67f2d5ae240cd2bc6f1146eb35a9a6b7cc96b9f13cf7e346bffc2d9af2ef5e55c23b386a56ffe101dd3694771ae3e01bfc59b2602e1dee6de8513611c497f374d26e48bdaf0cd0c1c9689c92c9fe4cbde3aa3aec93ccd8ea4c2efcf50ec6894bdb14e75cd9eeca9b3ebd4c0d269e85cddcb9191521056e6a7951a698ef10e906e29a7e79aea4ae974b07d3793905f70e249d1044ffd75441d213ed7d44e9b1c71e3bc2ebad3d61d8894d9534ab5f0acb10444c6bf3a83e50b555b8f02cca04e7918825986386b0615024e0e155f560f6f659eef2618badf0bed607273f8a304848ff83d159fd44dbe54096d0fabaedd9e863a33d266726bd0b6fbd124ef900ff2e34388784c64babf6429bd533c9276a639d106fd643ff3d27d82c993b94dce11b9c7345d3fb328a3187624ac4c6e27dc70bad29ba81244ec782b3a77241a8b748c69ee79ce718760937706a049d3793999ea7b82672832190e311f0c0f70589c7859ee80236e319c10634c4be1dc6f0eb5c5900262e6c1564af002ee31a6a853a7b5a5620fc05937b2e166d70724dde1358bf89e4d4d7ffae23aaf4d57bfe2c2deb60b08b40f71400793304e1df69ff7add4f002c67a9b2f26c2ef0a35e9b9bb7d60cbc8c102eaf82faf425207f04386e599fafa78751fa94b90b593f4c0e7c9e40b65539ff77fb06c3e6c94763d52f7a77654bd2a0676bd5ac7cc2e0b71d6422ab13bb14fd6648bc11c89b2ee0807d8c42703688b00685f60e6e10f7c51bc7c04910331b8c64d636257198abdba13da1ac0127e7761e949ffa588e66edb0ca76d934476ab866e6c1cd60d3b56e301f43f676b26a2c2a892fc17f0585ff199e866f4cccc5f92ff232d7ce479a66afd2208076dbe0e67da315eea126b41d72892c23c7afff07304a4cf8261a11c43666deeddc89740f69ede4b140da0563e71f4d5c166f95b496a1674bb673f22139e1d667d8f47d642a4343fd6f41ca6a2a4513623929eef703e7703f79558f292b7854d0eb2ec2fb7ba7012993e3360986e6d3edd24e54551e9d026732445f375a321aae85b52d8e40490ff3412ab2f82af46b3d6213883479f0b96be02721ea832da96f160663524d1c9d7501f56633c81206b1dbd4bd381256a9d6efc40557bb1121af3c72bec97c22ad3e4db023dc23ea3c257e5b242b5204d435ca534853c6992d19165aae917572567ee0aeccb56d5e547b7dfb79b6d821cbca97b2cfac697c3c96df2210c43756cb5f710adb7747ca6e93c64ad61270af2a783965ec969a3a95da4d81312456f7ccffa0985cba7b7e2d7cd478718c857325541c44783df781bef4143de219d52785793c766bf7ab00667450da2a607deb4a77c12d5e915b15a26d625f585b0c6896716d5c6ffaaf66f3af270c2ac78ef6d61796045684e89a3f9376b6222b54cdc1ac5c08c05d63871e7a5f10f524a341c242f8230a1cf8a4d1ba3d8e7a31e76b5ce85c8485bd853a03b52ca3179202cf16929a22746a6c366ba561825b0f33a710b4302e1014d45952d804767235c483e593079413f80b9e61a27050fc8c9727b050f7ab0b65b8e94440d42a5715da32831e1a0f8e4d33faa1c5b205ac7f3bce2f3ada8e77ea742ac64dc9fbaf749b6e7c3cf81de57db4e97770bbadc1f5a710a982069f539d611113c921b739970a17c52cd255068cdabf74a32f3fa59c16b435a45aa14491dc7ef00bc1da37110b08ff54c1d6dc1ac9cb81dd5030c0a70393daeb9d754bd01b88396a1d626688a55861bd8c7f20a5608d53cf399b1b94b573a816f29c683da435f656020b6ab9ccbc1877204e2af93f39eff66edc742068e63f3283c38d35620c060ae32c857e1958abd53debaeb135d90befe3ee9e923a04f8aa76d12cfb513f233df4b5d879ac350f42f98f656a46ee08d78e3204b37ed37727beba8d3eed77dbc3b5f985757c5092917819958e9262585b47387da53178a785138042576039ab7c996f3ebfd6e4a41ffee0e632fc95d902bf88c42c9648acc9ed1bf90967f10ef5cbe0d913f97b4574d64ef31a368e2a2a24d049af096096a5da9f0b74eb2f3bf29fa8f57dbee17fcc562a4dad0e1914cf2ed19e6e68d768705e9d4d24e5385f4827274331572d0b14518a0ce50bb06286eb4e86bc7f71570155e83a9c248e0a2848aa28a107dac8c45b6ada5fbe622a0b94e42440e0513654ed8b46d5faa5ae3fd1993df20bb25d005fe254e94a0479686a3c8792e7b0c91832ade55e17298933fb0eb62c88111b8faecc55149591d399f316e12c476de26b4ab9edc8f2656968e88456a8f441156f4ac8d786e2be311852302a6ce1d938ee16fed71ac9961785fe5ecb8075480a42a788ebae8dcbdf0dfff47e7166e699d54d0ff4ba8c4e6dde7831bd88af7cdcb45e011405a7c9937f46c86c703aa9cc3d1fe1b4ac047bcfff547ce523e28d7eb0b469ed3e6e8cf4edf84b28304bed1b595bce15c2d8d466decadd453adde513608e441a020d5ca81af5e81cea4100b011b3a4276df61e7a843e25e590d4459e2a565c74155c99323967ed473f563c7f23659ffcb6ddaf6debe5cbf63048dfa6f72acaa510a07b83fe7091414185e69dfb76aab27071846e97cbd0c42deb486d5598525246eb6bf8c2cf17a26ca031280e2c1609f94a8ce7d5a55ecfaee95fe502ba75b22c02e15cd8455da4be8e34749933d8fd3a92e8c91545d8ae44c48caf76dac5af0cf4d585fb739cf006846ef28013d4833ceeb108d3c3d76e2ba675299264b3793aa99426fc117de43c5b26a39a6fec3f017c828c4878cb3de9c1cd3b4557b470470e5dd61638d222169b89129231f7c04d771a098e5d360afe15f00d1a3941001157b2d725668f09db8389ae017b884d82f31c5274fbcffb156687758760a7bf5efc21489f5588d5eff16aea78c961d16044978cd1e15d6b0520d509d64eb34d0acff27e9bbc843a5f07b050049478ee8b4800c3aa25b3c3986f90faee858390bd21d40a5ae5518d449f4349c33ed2ef77d4f594416df8b8aa4769f583790675c85b74977bbaca9eb0001fb4d38d004aadd2b1212d71824faf70eb35d37b88c1483e0c513351cc6a96f48da5e123bf23c7357d0881092ac97917a0fda04d68e919cdc14bfce9a504b59988e0744c527c6ca012fc0e806725d97e7196ed63467221bfae9bde78a3371ec3fabc52432ecf3add26e2d5740453975fa6ccba1a1ca64e1856280983dca770e5aec55a292dfc8d60c59150572417b9585f3d0d028f8ef54b879b983c673f36bf33c495691554c3dacb219d1b3aabb77c701a9fe2b79f3fec3985841c098db7f33c2f64a4637526df36d0497901bf17441b11df49af7afce7f11bb992429e049920a2ae93adf187dc9b584980cbe262893d6da020b3e84b11062ffb2eb4370fe7c68c5b2375bc5377c95f7d47b1fbe790a617df9d3311eb2855b091bfb3c4d5960ee7ab7e2ef833ccada31d0415fa56de62e33d3476050f322e40d898ab966aaa3faf29b7576233a5b597f05ab953ee157e8a9ae9ff7e7f4efcea426b2426b40df20ac9c56080050a88c4e0b627e7fcab72709618f23bc30f63215671650ad7055126df8e9d5894ff2129ebe0f2074ee60f412a0ea368a62186c1a2ce3c6173dffbfaadf941910a77d8d013637a510103fb781b4ad95c6320b1e259703e5147418e024b97a304175af6c7e2ba2708a2a7005768a6a475cdd8b65c37d882dd42a1f31c8c6797316d19396616888e57058c0fa70356520ceda8253badd156bad4cc74b63702f1132ce29dd711599ab957e4f09cda0f71808c45f6651c0282100398e0abab578cbe5aebebffd544824c336691fc6c2f0feb1907d708896e915999992725221023edd905c66fadd05156ddd39fc228302d1fbda83d3052bbf96a530ec951189b34ac51306f2a5cc4bbd4979f43c6855187a9bf115cbb15ad21bedc8a505493553bb9704118e52a803bde217803f2734877b625564b1d1390e5a7a0d7c6838d7c8a0f09b81e954209f315dfe476e95ef36c6350b913b748b69b9914fbbf4dbc4919133a890286565dc3d5b1ed0d491c673df11d6e82ff4bbe6298ee516d5a8096a332d6936906b35cf03b36a2df001f1cf58c7df5b4d1a37ec8c4163850a41019aa15e7b9cac356e87d0d3744e71498eea23100656721f41be651ac941355403e84975fc2163fde1ec199541ea9c0f45ad189a64b07a49218e387e553083f8f1a2096c8b55f21895451f4e3d607c845d5f86fffe034c29e6207603da460fbe69eec80968707ba7804b6e0fafa25a8ef4cac1fd4a7e000e90f89906aa586ee45b34aba766db57abf2ba7779c3e6d8e88095b4aec9f81f07ed616a58860282da9cbaaab5cdaee3b77cde4d3bc1f61616d8cfb095d05a360016630a723d2ee3fafbf74716ed97df36e709e9744876b5665ae84dd239daa58f7bc689bdb0214ecd7bac0d1f13e986ee03dc5b07efd92986924fe49535c550bd4efbd631b319d8cfa60ad000456c5c8351dd0c9c812b16cefea750d35989b2333953ac54ec64733ab3bf3b98bf62d4adc1c2389f9aceb7cfbe5b3526f161e4e1860fb043a483b36278c8c3fa2dfb21d2d216fe813f4fb0c96e1270e3feef00df3df0f25c0578c3eca37e925519cb8451b381b5f452e403b0a571e78c68cec23bcfa14b978dba5d0007b0a060bc0a6b6446c5bbcf6fba1f31d549f63c24e753ee851854110c463909facf7354fb30e2fc1cf2cf4782823505dd6ea6853990b40f7703738e186707afca1384d39cd30ff25bc3ac7476698739137683483cb9593a18f2e7a2195dbffaba168f51f3b82d4d9339a8914dff488354f71e6283c5bacffc5e5668745811f15f334080272f29715c8059c47911bfc8066c4feb9180d0e7ed1b6e5c4885f6db509feaf96381ef281f66aebb35b0f639be82d10280df678083eb412da66076c139f1789e5d91dd2aa099c31a719485a521d190a3556b1559cf5e5862064990c2540f70ec709b147f670ec4669a76b252d6c68e98ab9bead60028ac8f3598381798fee7e3bddccca417e9469d8219b9a2bd104b052126539ce27f44110ff3b310e3eeb6719226fff933a456817178ca865981bf6158475ad91c8306a98d9240aee4a5781ef5b548444ad513232062e5fc6a9c10cf41acd1a0fae4ca46cce55de26dbf1dfa1394555bf4907cbb88f23640906ec5595a12c00abefd823ea3c0c9e53dffacdc01678d379e399a285e9a6eeab11fd920da5d3f3fd4570296f35d1cabbf4d833d8370c7b7f1d68fa6c30dec51c3ae6224d419016aee99146eec748e71e5bba1f4ec07bd6b5ceef330f6cff719012e86be63be5f1c2676cb86345a543bb001e1e60fa1fe7726cbfae98d2d088f79b4e2ca7632de4dc31363b0cb1db17612126f3e0b7039bc9848b8375dfd67f672ce15e94592ce52b3d83ceb11457c226b711a6900430925a3d1007360c0bd113354c2a56092f62dea25f06c0a45657df4ebd6c93ceca91e6ad287698d9142e610dc31e0edc7e117e5967ca0dd7d72edbd1b0cccc9bd012866b6b42a00ec27332c53fb42d17782ea7448a188f1b1fc310003b3c08a4d0edd0d8e4514c0e8c6a743e484e67cc567043b11b7a28f664a390e35e375f3ea5f9af370db89008a9620124295bff6dcaad0aad978a90483089668530055ed01669494973a525e2507e368f41e35caa6c7a9b9a347678918c1464c51aeaded8d2fabac704b3497e4126aa80ffd8366d089eb829528436f8408691f64ae564c555afdb471ce9971c1476ff8e314e01d6300cd97e9666ea7d4ce91e7fb6c738b12cd6eec86f2ae8fa6faae03fc147fd4259cd8840c4316ccf1831120a441334075126d3cbe9c9ae2bc984c348384826527b2b9370751ccf1c5b8dbd508bfefcdaa7c09012c240eba8710200df8102df31d49e397bad7c41db3fd0b11e2d58d69c160b68edada2301cc4855b2bf751c07d5162b601427d2a70187bb4ccbf38a9bb509b1e95e34d8157552a4d51f052512c58b5a8fbdc7987e6e6d03ef303cb9544c28af612794f1ab3ac399053dac5a78ad0c159226c5de13280a45e315d02f9d57de65e343cba601e7f372562572890b2ccd0402bf174e91a49fd1a82b4d70f42e887bb2124beb514bd5dc178189826f5dc04996c8d0ab1e00333d1baad800e7dace5dac9b1a6d3e9eeddfb06eb9d021da3ee3e5b80d36f8e3e2babfe5e21411d29cc3a47ee5c033c5810cc6036eb7761ec2d570907f57a89432aa5ea3b18002aed45af1ff4eafba69bc2ba9fae1f5828c0d2fe13e17454436b98b9128612070fc42fdb4a83e3884dad5206fe49836206fff5aec8f36e468673a4d419988b1f8b0e370fde77db563e9f798977eacd1428cdcff4855ff025588630fbfd1dbdee213edf20143e7d87495919967da730e20d7369cf812a096a3a77bc3acc8fe2697778a1993e73b96b6e9cf5e2a680c4cf5045c19779af65b0c4c2101b8499b66635ac7b074de4827c937d4b2144deb344daf0f33552acb406e59e24e3f17e76683c5f264d0c12b3ed015e39c2129d0a2a7bf748800f3f29375ffe53a215f1ca76d4185eb6430fca52b1b4e8abaad6948f49bbe2f58ccb255444c2ea0617459bb1cd11c77573f29e128fff42b9d7383dee3036c7c34685de68488fba427066e6d184feaf9b6e3dca6ec4ee4bd87b59845461dc4c70a07befb2a17fbf5c4b127d8bb32cd2c09792a29a100b37ec0d62bedd9ab6a2a884fa47f7b2cb5dc91475e6a8bbe95de2b7c54b99975b86107d00fceec3bf785acd908059c71a0b37c4d57ecdf918dc567c235a252fc0d3e7311d5060bbda2fa2dcbb9e2a84ea50c2a1de298020eb63567bc730bc06ee0f610cd7ebe3bfea5477e4c76b686263bb3e240f73f80764e605aea1c767b31e2f77beb6250139feb949ba6af4e56ea5bd6b201596dfa861567cbdc9a048b79724b5f93d817c42a45989a7b7f8e49baecf6b5f81e5d778d17604194a803912a184631eaf6c918ed1aa34037ea37f15c2d1fd675847ba9b16119074ec58c856258ac12d0e680474723d0a1b41ad59adef9949369d9ba17e2d16935efc7f2c0bb24b1f933689df77e183dbc78d0d2bdd3bb021282562e9cae066c19c6ff6ed937586fc7834ce0f688ee770c42c1a8f042f1599968f080cb3f29bc2deb019cd061a210980483884cdeec6a54aeb69e198d394ec80bd3cdb6ff2e90e19b711dcc9fe73c7ac6ef3524eefe0e9b56ced894237ea0d7fc9c50d219e0b69b6624fb5c27bf938e655f2816b70336830b70c01df6f58fb07a0209d79da97f7bc73d56381648863ebe5e4e72469f8d02c227a640bc7b2a84fb0a3b628beaca66e29338c62e6cf134a13c5c0c76b06c9b1cd5166d8368575e19418a9f0b41eb646b66ca5de4f85e39b7183c2b2e39621d09e24b7c6a9c7a0b2f7843d1cd2288019e5935f0d959b431fca2ce45c6122a25f8451c3eff5b863652fe856f03e56f7ce669f9c2b20f4885a6514932091a3ad467ad73e7c4db7f7635f05520d172a55ae8e9bde7d4f0790f31ae469e9ff633b3dcd63bb4cc5776c1cfdd3ebb19faf5d37ec857aecd0c0a14f3f9ad791119a6e0861afc4a827c8873d9316af3babd298ae000584e4c947670e7cb888cd9af9d9fa36bb17cfcdb2be0e6423eb9948c7b08b8add3bc1b2578a185701db77a87c74b25a9d5a4dd1262942156504d288bf74975dde80531a29be7f3b9362a17d36916ed99295f01d25f423be0bcd24ae71b56b7835048407ae432c079551a7a9fdd9203b9bda4a9bbaa6f932512b23086053eb70e6db4feb5fc1dd3474c6e2755cd03812ca2f0ddd01fbc505a2a4b6d3653cede0bd63657358d713d2c076279a72597671e6b45ffc1d5ce0a11fb0a9312218999f432e64070ee505cc637ac54b2246975be748cd17983d2e8ebc63960093c238bcfa6f6d98e50ba2a5dd4acc357b77eb441862b59df2e8c7b12865b7f8d336deff4e42392e2340bc0ba27f3e221c96c4c98f09b3fa62def716896b7b685cd78a1304c131f1d7320646e9f0da60ee129bf56b760f569fd847553270ce60b6962bc4376758c099d3983667b3f4b37175e085e621b73d28a8884448b501ace6ecf3be8f5410e9560c4a153f773e5816a16d77791474dc02b5e44ca40f2b3fa0ba4cf69e1d3ed3ffa58bdd1976941cd88c7665d5f1a20293ae7281eb9c858f1ccafa6b9e2d16ddf14b0e8bc56910bd9c170a3f46969aeae83a6c2b7bb02b4651b90fe316c404e5e0b8cd6363d2933f53f2b6be570ad72ca7c0dd8909804deecc3b2c2abaf5dd695bb8085a7318c4b9a3f3468980e96526fb4b3a8bfbcd89232d4ade8ae14383aa254c4edc4448f75ba51ab1b63ecb8ff02587a0c25eb0976878ca245fa70d58bb8a56f9dc7f726adea49aa5eecf5087a85df330d9329b9089be25fe216f5746cff8ee17e22dc48268cfbff7db88df8f2048d666aee5a25fc64b2076e509cbeafea5362540cc154ffb85e022aed55f22c3a865706d00d8bf0508a12c4ab33bc7cc661b0de5281cb8a8b35215ea50ecee65fc42baf1e2ebfe549070e954e5280cccc113ea06e48c1abb208ba48c018e4b3bd214091958ea188273078f3f43ca9d482d1541027d235a291f72f5abbd6160be8bd9ea1e8e87daf3933e629d99a6f536ee85f4514fecf6a9be044df65ac8d2de6420bdaaff29ec2af590d304ede55cbefd0f1dfa012368fc7da4bcc43f4040a00606ed6e8cee7a1a733fb9f4e4a3d39dd62a53043c23fcb9ae0f260ca77525f1f8b9e4b53f1572fea0dd579f5d3de96cb300990d24ffd00c01a96a168425f538b7c0a04048e4bc559fadbf461dc10eb26105e1092e23c57b5c0fe906efbdc64cdd9d4daeab477eabd30ff426700650faf5aeab5a5edb39ad18a49697c1c29166a4ae704056f67d6f3fdf174d52a9ad8738947822a5d69f70c971f5d0759d663575495732bbe53900a7144934e11278a1471c29489196422e23e07f0954b8a7a0fe1262e611a962fae36c6893c8fc35606416b7049523a3b27f0aa3378e3ca888e56006dfeed47b1274b870ec2470a6c32a72ab831310e7884100cf1a9a87d045f8693a99ab2c6abab58c87d38943262059d36951401f2ecd0c2afd11ffbccf7b5eb3b45d848911c8f5da3ae10185de80a9001457cd03cf15f1e667d789c263e5b7ee8b95dbad22fd56df344b5a07cf1a84059ce5884040616f5163fe12acb2343a01c740bac58c3d45816f9113487851a3d67acc211626234678fec377f7afadee2687def5ef65f8d316c506ef07918a55bb919d04d95f4c2f37ba9f2ce1c9f65e9e435dc4049dea903f57ff9c609c0c6c9a8924470ae1bfe1cac21e9303d52006b88a2a21519c4ad0502b32451c840ebc0bf78a02ca51164df957b980b76131a21f0799f093773423695e89609b08699bcf66ea6c08909c9d1945727b6fab78d7348c046d2c925a90d14013e538d0fe5a3a6cb7bc05558a2caa384535ea01b1fa44f2f8d91a13c20c6fc796b7f4f3bd00530504497a33d0cd43d194a9d36443a167ab1381ba2ec4a6c5ea54bde58161f4d5e88cb944a99fa113a4738c9ba8d520727328d3035ab3a0294648a1e549885f8d060363b67e3b4d6c8e17063839700a878bb9e29415c6009d185b00616462ad8733abddc5fb66a13e2d492be440494af5fbd982c12ffff9ee7ed7613b942bfb40a871818980fafa794546bc62ad79aab949356cc6b6b4cfd5f13324e3fdcbceb213e9055bffb4ef67e7ecf4d78229bd2d4c4e817f3991f66446a9632d3f99c61a41ac708f0341a61839d426c6d07db2f30221d0a50937b0e64d2684f311f394017d1d9bb05ab63a0fdb95cb8dd8cf10bc217d601f0039f6953e01416a4a66c8b248871b7dcd93ccb0a756d3607dd81e0733f3d9c58da7883e2ff6044f978fb64debbf2468436fc576df84dc8d2a7acb2f6f94b923fe5f2c29e62eb6b2bb02a98ac4b44801d166dd9d3a45047060a83c13ea8a8d747e7416874d8f9de5b9e3711edf59bdb1a906ac6775a11e64461c51391d0e5900c35246d5898851fafec54ee6da841ac3239f515dec9084146fce2dc38062370ec7c67c690b598e34b3504f24856a4c92e9fc2dcd98682ad390ebf1569008d86a53d2cbb46dd6f48561d7e54eca5027e1cc68c9b104738b2c239d380a7806b10d799480fd17d534c3d33c183c184a2cb165ea017305e02a5a1418ac1f2b9e6f37fb2b06664220b1509b95db08472447b2364d324d4fbeb8a39bec86cf4c381b93b1f0fc2a3907f1dbca18a885f29ffc69612bc1ceb0aa65b0c86fc3425159ebb6c2d3410589c5bdad8c85b437e72b990ead2b0a656e1b18b864b6469c829dce5cc3ddd6a534f239f72e61fb41173305c0444cb7e71bf66301285a4b1c326013eb7650cb97bc33879fc53af139c5d65203a06565eb491623f9d01f38c20fad887477c3c897a58d75ce9ccf5b33c6e318b64914320a811292c8a5bdd7dade67fe6158ea9a452899ca8e363e7325026eced4d1f510f9fe99bb35ceaccde1284d1256e1c657478966af1f581fdde17cfa903108740ec643d438e23c7df661728410e26534bff2a629c42726e3cbbf0830fa6eecea92ee5336f7337959c22757c8a481442cb279f7b2ebf73d6207c87cbcc71fd4570936ff60cec2597d0caba6c24505a011120ff4359e77a35c704060ec09466dfde31c9a5552967c9d41d6b5484b9947a4c04866b085631f2c688f249e1a9cef8f8d7dfb0752b6d04c682e34f0f89368cd8ae6de1f46fa90dea736dc56c9565b3bc6ab1c99c1b219916a60cd7ef95162cc8e4c19ffc9dffc79a9fc7658af59db546103dca9fed676d9e246be5458972a5f9b7f991ef74bac17dbb6349b18a867055210e747fe10aa877790335b6e922617ca9a825093b9fa1d92a765421135f5322343d70d7a1eee85e25d43b30857f784de191fd209eb328ca17bcbbe17f9df9201585bd0fd5413173a5bc7e09b4d41b89e00c448bc590b5ea78d787eaa70e90ddeb7ec83df0f94766c7fce2dca41b45555210c3424a1ff71b924f5d374aaf0a28417f01f8fb38f507c9bdfcf2404717363263d4ba5ee2b57a588fafcfa81e77af210071e542150a5fcb5c84032cc8cecbac784ede31ccf78d25ace31595abe299c3a9143cf0e6a5421f98fc70d8b2a9d404f70d9464d38cec8518c678da77c6d32fc6732b82d9642162c9945b47237b1fa96f516a12d37711afa7ac3149de3e147b676fd2020a6f7340e1747878ff8339d0e436fe6c44b9cc13d66865f0ef78c0313b1a54964d932e0a255eeb788f9bec9c9d14cdb17ee4ab8a9415c6a516b298e5f2bb19aaea809677fe3ca1f6fe379d82af2255f3493873c3cca96b46c4252b29d997f7d8b05d83fd0db8ad58b374054671d9ba3372e7257e9795e5ed2b6c21b98f54416601ef5d22ba906b5dadeaf952b40b446b6965a0f84ccd93e11ee0462b75c357f1f47ed7efc519f7d3fae99f3eac2f3169183576d78718f5f07249622ba2853b03d99db24781d1336fa6bd039916f30ba736bda9482e6990d7a890dbadaa5c36fc2ea79a57e99d800d54b3db698adec96d75affd23acbb4e1a402c52ef59e48cc717a9fa04fea72577c6b6dc825d6bcf8b1ff4e2e1064e09de3cabfdeb9a804220055b5fd8fbc60d7c1db86d81d137a8545dd822f57fb054792dd5bc1a673d02351f0d09076fd99f394b107a8287e23fd47c684c09b1bfc7287753589c071f0360abc0b1870983828db840dec34ed2d3977a99880a512ecc0cbbd5a842c7597ba91bd10cf9b9d82b6565694db3b6bfe3049ecc0719eeac0ff956de008f1fc3e095acdd1b6d76567267fca8d0526ff198f8a7dee7af67bfb0f674c8c51e06da102aa08f0d73ca63cd1135c79b72fef4cf4b0ae5300194c91be269cf0e729b0ffe34ac3e87573520b9d7feeed33f7264ab19a1a9002a07a9459e74f3d4dbdb7010de67d56b49a7afd816e90bd8db3e282649cea4cf96e8044cc15a607a85969a5cb62052047bdd8716cc7800a0f4f92ee515acf1e068af64907542e0d833f4fcca81b88f4afc99daf777f44d7f1b7bc14fd5ac30aca0a3a1136d775f9be1e259e43a33efa92d8e2a38b6bbb1344cd3058b581a77e497ef6f747206887219eda379212aa893bd693ca74b98a8624567950afa8dc75b910f707d4227fe5f407ec06add953544054680a30e30e460afb165b739ce10a0d806d1ad369d17c2a9fa67ca49463bdbf5581518646a8a1f46e7c10d9311c5fd9519a040e88d67812ad7306ad13a6817fa91f016b9cd6321c28ddf7b57aa4d36c414d901d8b8350a4902da56af888988c543ff8d30881432710b0cd93913eebce252ada04a504b277b50793bffe780ec51681b73f38e6e098178a2319373c9aa32e57e5ecf5d53be5b41302b13cd4749ca062f71f5391e4a6302ce6a4021a5a2e7a7d7e537a4472cc90ff898577f9635ab57d918ea1443d1e94db1d4f42f16c0bf7b88086552a99ccecd153580b37a40d05dfceb922a740a435195f7d7095d9e136dbdb5c51154c2d98269ca29f796cecb7aaea9b8629280d722aea4d735e13ef5b50da91a51998077bec4d6630a7fa7ba6b996f55776beb117cce0f44d2de362d142411d44a12ccd690637a29642ecfa76d3515b651cb2b47eaca44f9ad4172069691f97d87cdf231867e651834b5baad1a87410e7188877a3a9bc30e7e7028f084f4f602095d22495b1b3789b8115277462fbee611fbce26602fc436e52782811a83fdddc29cd0948176e6ddc1fb20ef539f465dae209320bffc49dcbccd6141735bcde6e90dea25d313acc2159cef4a977feede337d126af12642570c3f3d1dafa4aa734a9ec97883aa7805563392ae3692448076039e95fdb23ad27293e2e044fe722e82f2a80f401c17b056445a27ee6525aa0280703e9ac24f666aa447727c8e0c2117fe84733106e8d8b6ef1ebd2ffdb464cb85e6537d3a1ce0daef079729e00b75dde985c8b4e5ff39ed768baf69bb6fba7cbc68346bab5e07e0cfcfdf17ea873db4a10b9a0845a7da2ee146c88739903a61e87da3974da83338e59db18eb7cdde16443271e204e5193a5a658105ad69608c28941a1a58be495fb5b66c2797083c4da316a566caf0fe9f0d122481313dcb40e45f6e73fcce912b08bf35b865780e92a86995fb169bd2564592a541009c460b2b8ef532ac4cb0a0c28f41e837ca4f296ae872d43d1639d7e880a539239838d15410422ac53debcef066781c9551a1d4245eefc618d5f819cc6de91fb6e3ab4cdd55baddaa5c4956092bf20fd39cd9f13f5970272329cefc904faf4b95682064f9e7c235160b17ff87ae8a452863170e6854b378a2cac06b1bcf6584057225e9e82cd76ebcbcf8978b89f95d1f80710f3f85eaae35d555aebf8b3a7dc192e9d035883e48bd1cedbb5dd70bc63053f1d3e2502c687da0b2b2d09ff95afe1d454a0165af4fe149c7e7708789a51771b383590f348d848222781f5d23a13d5d6a0768eaf16fabb4ae400103a8b68aaec5993315e5dce9150356d5a5d9ccf963f9971a22a431ce151a528f3627aa371295933d74da006a3604d20349d571a71dec3af79158a29863fb516a69ab2936f15ac5a1e8a1c901a30fd6efdfca1762e2ffc267551edc1fe582c58b1de134ddaddca936f338ce7a7c61d64553b371fea1d04703aa5a96798a360e39adff43f608b2cf3e626b6cad1b615b8225d51c99a8d91aad0e4275a3853d644e0c0453f634052891f77ce3766d133ce1b3685e82c993017f7e20bcfd9c3ff9e62207b889f2aad854b8b9353185d3ccca1af6f98a952f87ba45dd56856e8b91ba67b9e95663fb2ecfda1a953f1b373e731fe14514c1fe6feb9d7aefeb9c72e237fe750e286b021b12f2f3470775e38f86d99ae256b500ae06e6bd33851c5de8e49734919ad77a3dc99c04a916d75f64c8103bc513979ece37478f32ceb385ba987f616c79e35b8f419cf813a396f2f8638efadc6702424f25106cae8792ce089625982f8f6175a83c0d502567e24bd868305ef1c113a908382c35e51b3b2d3455973beb3c3dcb4b3f867e87bca3621e9edee712ec2eda06ef808d20aa88ea51c20a427a6e3b8d0d798cd46b4bab9f09c2371bbb479170d28e4cd5173fbfb32c58e3b33beb5cbac26aefa553e6bc98d049957d9d20ba6794b016edcf4059856b6b44602f5c91a397dc7dce701145c9a7512ffbcf5b8c5de35b9738c75227a2c2b86c6d00d595d13de5d63ba0c5313b327d626c46a1023b47a3414ba063e531316692afcb464898f30e334f2ad437cf2e78ede222bed0118b9378ebe5f2eebecfec51b55336c72af7cd7bd503b4e13ba507cc10aec9e3fab46a42fc93d841e7040c1c45757b2c9b75551aed45c39ae9a3be7ff2818378f89fcad04f1e4a7244cb0e8fea960466b6d67d023ca01b101d207e2b08e3091868b2dc882916fba7f4dc883a081e1446f48bff91499ed3ba6fda318c11a56d6e0df4628858e450de712a17b36bf959244aa7d5b71b4f83a19608701c55a1edcba3ce6cc5761ede1cbac28e48e96395e37996072b838aeaa1a507914060f9d835bc40962ee362055eaa07a36583e1f350b4efdac88aaf247554947620baefca68a740ac0693293d053b1154752af6395bea8ff05c867d3647b1fb5c6d8c2a6065c05338db99c4896fc9899632c73886a9fee155be0e2b012a1d31efcd96da2535271685386bb09037c363938cda4919cc0f0db76d9a0419bbd16ded970e9c2a8bdaa25c024e62621173de3ae3118d690db6b23bdf8965f599e70cdb4a44fe2d9334fe2dfc34fb63a0cab5afef9782c654a7ba5fc4abccbdfea0585b73066f105686199c5c3fd13191b305ffc9bba116e3063a01c2bdc0d6aca6d95a76a53d0d022c72d40b9c268ab0d5eb9fbbf781efa916d344eb4d22c2403b59a1655bc5827ffa5926945c2e13c5036711d3bacf35554325cd6a9a3f1da4687c3ecf20cb837433332cafefba6ee791bd78396ca64c752b0230515a89e5c5d584b6d2025ba090e0aaa6de2bd6c6bba32d4fcc8ce8cc040dacc0f75bbb1a43072ab981f222c4d48d5a888e856052b3ecd5ae5cde7c6ff6631cecb0e920f1db6a40d60fd37b5b4503a24f030dfdf94afd37f08d6244e4c37ed8d5ab3d229a314ffccc2d05c05d7a895a3b27b57c44b469c36e909d8bc5589af26a030ff9ec9f45d281b08e5176b119120d5c68841e94f2bc74a0e8818bbbdbeb3489a2036c2b457185f25b3f2a0f72d11a40e0f8431b67a559450ca9a3c3e8998500bbb746a7d15406a89f00aa486be36b7e0248dab71cc383a983701c770be9ea70332fe8839f34f33389182d3349b5be265efb0d9ece803faab889efde2c18fa37ff736bf4e011c9cdeb4a71e04397c7b67038a6a09853cd9045a83f2a36f7c62a5906787bc3347db0c6552e785493dbb4695119c45aba903d73f58379b46823033da9d5a74862f6694c98d507471f238fea16263cfcceb5f1061cc735d4f40ed5704435bb4659a58cb7c2bab516b7b46f7fc68263bad62f93559c7a5c6bef183942c6a651e64991056ab2b0fc6f103ad5c3a021b002e96f5c09981d75ced07f9750723fe002e043734d130d666e37fd72ec0414eff98054a77fb44ce0c1bea093b6d6922a2842ff9e333a4ce8b21695c9fc1f58116d71339e2b655541f2bbb8174ab0378b1f68469a0893c6a290a8462a4164c19b999efeaed49ffb337d4b786bf72597b4682906d4e7c58c1c50f024966e8a2441d08fcdc15fcaf388c3988314e93278d1fa39b91965c82829836d9c22587cdb7be2d518388ffbba61ae120e75e386f572408989b108f769c6ace10812cdac917764c0ac631f891e001977608e09dfebfbb1a390c84ca6bdb7d08bc23aac46ffe8e89616326573d6b861e7af102a9a09899e746821c62a70f7b6e47d9d99957a933784a66f71dab914094bd123f6b57b9bf0d8f942c754ed21180dd38d8559cd3d28036da5c821d67c3f33e32a95863554dcc5ad6a67cd2ed63afcd6661ffb8afbfd86e38d2a0882d7eb2c1995c3e8be9df3ef31c1ff92267e53f008109b59553a3794192f2b945fa28dd521e82dbd80071d1f8159ee0eaf7e04979c59643a410f69c16e038e9b9974a5d5f0d04db5320595e7286cc20a135f7c3f06855db3f985958de33c99724f34136dddcf4230f06ab0d6189150bd3ef4275c485d60f115c4027034423af8d595dfa719078629a171892e8e97ad817951a7d12dd0b6a070745f7f33d6708bd0e4bf96b62b3114b2c31d5646dc9783fc2b5c3d9c1871345e64442ea1dc274994355fe9e7bb477f4cc2f63dede30846d1f0333cdbcb3a2ce2685ab6d9ff5f9e8ac22526e353c1cb050386cd80157872e6fd33f3a352e127f9f03b0c58f306e2299ac54336192cb65d61459e8c5e4fdaf4e1f815f1dd35e598b187634b4b5a1d17e54ed3876882db49681a8b07564238fabdea7b481dec429d898771b6f10e3aef713cb52b432ff6647952595fa14ddb744b8b3baffcff95c69f86d98553c2274c061b24465145954f08fddc17fbd06024efdc59982f2413dc8a09bf84fd315be0bc4f9fc83f7308a57ded09451c07c7052685f43d8781ba6b820146efee62911a3cea2af607133f826abe189899aea8a554524bc90ea81c909598358ec6d841f5aa3d5aa38faf66a69eedcdefbad39100411667fca557d8e6a183a290fd6c1656eb67a3bad59b2628a40bfb7f16a60d565b4df7518f9ab1a3fda9acfff5994f3b48d4d303cdecfab18864933e1f2d77d9d07f32e0dfbea74984f5ebfe0e28f8ff0e3dc949f892b181898a70a61290473e3ff322511cb25018616b7830cf7828b539f1cda5eda421a77a4f34dc2ece3d012a7e031b3b3eaaf2520035d689a9d0b35f77a4d163d5ae33ca8ec8ab74f5f895a0062334d1aaaacf869d070b33803002a2c50e41c5dcb42af9a98b0972fbe0d9f543dbf92c79c4080f3f5b1cd3a7a13bab0c86d48b3cb3c0016939a3a1e875f0866bf0a053cb0cb527e89155221bfddcc8c2200b0b4fa887517bb0d6ef7417361cf685a81470b53aa90f22101aa3a926efe83f6f82def95a6fc0123a3e8ed577fecc958471860baa78134fd1ffa276f205f1f41292a45d74c143e0898789956a878660fb74f24b5ef5b7066f5568b1ad39ba66ee284efb6a3fb2e3cf06550af9223b198474158519dc30547005a12b095356d67612e7c7639f3efb9da9425f15e93d952097059e11d286a837e300e7c7c67da42c47e19c1c37f09c941654aec2ab75798207596e5fcb2dca0405821ddde4739d8bc7bcf402da11a46d5d7c8aedfd2e0d2c3e187a3db26b608c07addb5206ba6f1f1922ee3d5a689efc5aaf2becc6e6ac83c420f35346eafe9d65d9348c1baaa241f5e90a15b304008d258230edb9225a4f3f2f2c328100f0ae083b64c385bcbec52b1d263317a2543e27e1a8cfbcd425b6f13d4a7b5ba6b0009cdf99125219c29c97a108665880bbd9809857cb4441bb02caaf34f31cf6d2b751d98f3fa7e229f09aeba8da4cc396b132e678f2c3a1a71c4601259cfde243d13b1cabf650d5f5ef2faa3e2925d7bf7b1602f786474aa85600c48bc50d4c2ef126f88da7facc41631d91c7167675c4c7555aeab847095e73daef2b110213ee9abd1f43bcf074bf6214c8daf7ea4bd3dca44cc04dd106d4aa4e17c5556e524273d57621c4dfbad3fac05fbff48ce7479f4a34bf05d009c5aa5dc415403d903f18a62b527b646bb800596264cdd20f8663836e6ee4823eef83fc90b890b2ba1f441d6594e3a2b764202be34a15dc1c1a6399f9055a0751a5eb3eff25257262bf27e5c91d53cc33a8a0e3b4fd4be4954a61e912d02f7e42ca26579456305ef9d5edf57e65109d745cc6526326966ecdcdb23b690fac363d9a4e61501651e97ed3b164ec1d58daf30139fb4f5b856d001c82600084aac2f65a67752b44a64c65a9af1d9d050d884b6d3b0a6e495d08fdc5b67acc63152e6bb7b66558f0bcdd8cd52a3007082462bdf786b2d6596ad3e5d2e4efc80875f819f93377a9d2b7283ebbd98dcf462394b77ce792157b648469effbb6349c0af274eb6b005e71828b351f2aa0320c757374361d9be9e04d30ca24557d44fe0de0ddedcf59c7c22febac138bf5913c53681fcab740e09392a257276cb0a8538201bfd3a238a620fc714c981201755b0c047670cf0e1d2c8f9e116f19d711a5d43a78c77cc1e7084436d322b03b2d9eebda2094b01f61aa09345f870b60366c2e32f7c38bf57e95b7a76f7bd5ed902c9558f4f2b55b87933e043dacfb930dabca2d00ba026735cab72c2d10b9620912e6b48582e2088d919d36f84f2a376558595f434e27da3f516643eba5278009fc0af7585c52a20e333d80644e1800a8f9dbc619ca4d87d873474d27c70e018bbe694bee0928ddb5c2f88ed7b9d1ec75459d6e3d0d8dbc2dda88a0b35b16e443ec86c733d7f8fcc774f7f8400c64758aea438ec1f800fcc70af2511f54e174c101ee72a040028834bfac6bbf78b7c8c5ef1d6a3cca08df064601e4f4cafce2d26d334cd5baa401e89aade3b8dbe256b07b2b15da20ce83136d6a1fcd3a0545398d1a3ff27920df26a4ea53bd46b62eaa12212ab9b48150c7f26cc343939461051a1ed5a717ff7f3f8471c3b1c315cef2fa33f6fed031b480bd05a0b36592b4a061780dd5a1adb76471bf4c768f09dc422891398eabea866ebde0970cd634a8ac85e5ddac09909b00d5b024019dd0809fa622488196bda2c8501cac5415b2f42df1d4cec743b58cd36dd05769ba371e9626715fa6557e44126c0f6e3886c76ee182cdd8db6817ebf57ae3767679d5d347590ae28efa3d51ed844284dd7a3c6b8daf5cf17648bae74621ded8340444a98d36f9f86bd3b7ac5aebe7db2798f6871ee973c4e7146c2e5a6ada7bd4e081317edd6fa82840bb02737b25e2f2d37c145335feaf4bf7bcb863609e344422a75a33377de82db1d2e89156909667494c575afd7a30e570f571f45aa4b3eaa0544cb4971bdeb9495095903c05be6bd3d48b1a0f0eba67bdde5ed1004b270fdd3ca46a849be0c5427384cfb8b8827f36ca276b2e02b1ce4ebb4c3077f2402e08467b14dac8dd9137ff1f20b87d2fafe78b70bd250f273b46f2353606545a595fa8b0afe82ee588c9baeb579a9a0d68231c30317ceb06e2885e0be5bf9307ad62be3cc74ad21126f342474d5bbecf1b9df9efcf5240533ed19c4b952b04b6d2f57ad565596566cbb3d0935a9d7ef6af4215d067e682e7f194a17d7f537abf8509757bdcac47a0d264c089f8d31b8dc6ebd4c51e05a4a380213d72776b7375ef6759070ea6c4b0975ce483b365b1ad8925a7685c21aa1e38303a17a83db2500f2f1202366867a70aee4ffbb7f64f998ee79326a9e7d3f1895d5b39304e1fbe9a4e2a95063514e8db3640f1bc4b1018511512763184c49e69e6219a39aa0c65d9355564398c48bc665faf834e9d3b35e3c2794b8523a06ff580b73e93927c2ee2b5a68e7af12c0df76cfb72f24ba717cffc14592227f5f48726812f6d06e7108c61ff5e68c2a679a2cd1eccb9d6469fede21b6ac2bd188e1ac79e432cfd8fc06cfc2e9985f19ad1e9fc84649bb1d768dc85e9a8c74a283cba8140b3f13ae4e8a0e650abf6e946293d7fd8b3d98eb1a3365c68670eaa851318ea50b5f4ec499207acbf2c1e28e8239dcd832af6c9f050e01bd2d6a65b983b0952343aa5824df5b1dddf24af562a15e1efec94f38018e9e905b620ebaa2d4ecb671c9a668272148a1029020419900c32345fceb45621129206628ddaf4d460d097feb4524a7f543b087f55adaf6ce2404cdec2e0da4073bf158cb061a3cd2e2d6bc193edf35125e6380f3dd2a10269b94626477aa940d7f2c740c08d79ab83bbd5cbdc733d62b6f50ca08eddce08cb46fabb40d81599564756896a8c6b8474b86e194f34bc1664a8245d20358b9aa9b619d6befb9a1d2fa7f87cebce8518d618dc31ca6af00c30c875469990e62fa106756c984e8b384d1bcd169228e1e028b19b7bbe636c966f15f4993fa1d0bbac165b319e11b3bb653ff18c8e8e6e7c26f53a1918460b80c3466ae138301bc263fed9e59ed82488ed37d7ae370b323e2baa836d5bf87e4fade36e8182dd235b0fa38be1156d821048f06ee54707a8bd202d7fb6d73a37dc1079eb0d61249fb57bcdc51ba21a13f80889d270db7747cd95128a547700a32a4fa2c117c328c95ad81c7d57899a2d9cd01d795eb925b6928bc7148f56959a57db262d6c46f5926286ca0cc778179355c3dc0772e203925c72b16894e4eae48b628bacbac2f6d527fad457f167dc7fe20a27217fd253e5fb803a6d587a4177b90fd55e76e7ecea831043145f24160217dc2cdcde68b186eab6c78794d99f25abc4bf0b1b8f64df5b92f5c0583584ba0c7451216f5becba5ed663b49e5e9ba17418515e9b12702930561389aea4ca1d645d493003b88258587ce53f9de6c9bd1d29c39873a520515b7b9b734736eaba21860a5bc5802d524663ea0441e5f1a71417e5af8b036fffcc5aedb09abda12a88bc2c4cc1b3bcccdacece020fc1345809b9d659071021915dbf850f1f5807199d135558e1f37d5608163f3907ce1c0c3216e0468b62c2c5b2d4c026d343bcc6acf9e188bb474bda03331eb8c119b296f780cc4b6d108170849cbf802b85bf3b583a78186d1c76b4035556a5fbdf5b3d95d832265f5283665fb4d650b4c313924fbbd7161ef461887e4ee60ef0d26178c90cd8dd5bac26ca4231b172c86cff288be31b4875a7eaf94414010f1f8ce1ab2ea4a8ae51a4d7876414e04a6399e8b8c12c10de4a59a798ff5932454409a4d64e2cd28fc994aeb1f96ee241c7dc71f20a28e6ea3aac87008a1d071731baa37119377a938b6760e90e6ccf1ba26399ad1c5419722e0961dc16c194f6d8d0c921edcf271d84f1df7f20c9a8b390d7f5bd454181749002426fccf842f25b07c646c78071e6dbbf26c855bba2204e65503c453275d58d830b7fe5e04476fe1d7b88d726e4fee9dfd6f155c1082a6adb3dba9f81633d16d4585f15a71714072c38e97afafb9fdb85e5d18c2fc2be2f85fce80db35190ef850915e216c965b75a5d7b7d75e9436d1496d40f385bad871865b74c95144bbf5f4e733cf39a4667b3517a9b179fd60b6c7d02e4187bf266fbfcd3a555c61880b59ac3179e7248b4b501a1c8a67a87b627443ab9427d91695a1bbca27b09a0e88b2b9968c0f6872b67021dc6b93402699f7be2937fed5f5cc664afe57a68e9ef7811cfbf72116d6a4e050dc56db2a484ae22a2322a4b33aba2fe2d8f270f2ac6175a37fc05f936aa5a9502d718ea0519b063addb687b8a2945b1f7dcc1dc377709117d3c3fcfe406301c74442ad200d8fd72d7dad3a0ef34af37f444f373a6b296acb1c023d307eb9f33476465da6a5d4875b60eaaa6366c1e45c60cd043ed8348ebede7cb58ca8c4b823f0efdf9dcf3a24acbfaa23d9ca964110a656efe948aa8feaa172df11cc749af6d4808d0715c40cfc31ffc83c5dc26eea9b503300cf2821080584ace77c1c22992abd77c257b041bea87edff370bd857516dafcc998c27bfb2899f516e63cad2d4b97b58554d1f457dcb1a43bef41a9f9e00d1f1a9aa5488c006948efcec3e6183448e28ca9ec70f85d4afbc84f742f6d639d64bfd0e2c4721fb746f9f3d50794c5a51b6d8cf74c95396ee57c1131c5caf2bce0314a1a0c0edcae27fbd34ccb6db2f4755679ed7e21fe9fb4b6257afed28c86d9d000a3ad989996fda79cffdd125c36c0108a88215dd7b68e763efd14c8888e5ea7a7cafa842ae419d013e32550d467ec72facba1131a999fb973fdc77d76184c3876fff2220bc3f293baa14fcf8315a5dd87461aa446b1f585bf804f43eeebb45f755a49fd56a37108af205106994b0a30b92d853aca01b08edfdceba37460d785baa842a0e014143a6816943d4c746e339ae22fbcefad54cd876c9721f79cdc707b48b8282616560bb7245952aa5a0a80d0627677ce88296e5e8d91216d91aa6b980299a172456e8713a08f4cf7cb46df2244256f0747905c8f9490d2bc753f29f53eb0e32248d658338153a23586fc06cb41d93545da831cc73a97cac45983144efb09791820b68b5a05cbdb2967b0221be3cdd0bb3e493861cbe2b505cd296d71002ba11e3749f81ce84e4239172eb043ad04d83ab29cbc646f02a21cf22b63e28be274d71697e01d74c40bc0243859c74d2d6fcf45d2e6deae21931eba501007f11136a784e2743fb3b4c58a4c925933fcb6aae70006d7c9947db1d49e8ae26547ec64b77f8e58539800db9254fda6c0de54024a04edded1aa263b933c5db6de29ccd02ecebf204121636ca285a3f1358745ea28ef53b3cd260ef5a3dd5ad9a9f26a7bfc7a6fa68b8026bcdee553011bd9c1411f5138df449916a526f494dfa29d3f4d08fc5d76993cc2dc6a71fb94fae9958c95c684c69adc7a33af55a096ac14cdd99f8dc951e0ad53cb12a6e52c01bef466c313e806008a722e798d278104e056ed8701383c0d6960a85b203ab665be95650f03b45a2ae2b241fe194879cb4fbce18661ad70092fddb5979249a55060ade0148ccdbc5a1c47509199f539fd74e6c705ccec6ee6bcc07ecadfcbda99294ee8ec35fa2072547b3d54e8f339232e80e18e00d01abbefe55119c01084ad075b06fd573901551a1576f4df8c73a6b20160c63d98a8802079aa51391ae4fcf8ce138223547fa09065515756e4184c7f859b8d99f802d31e2da840ad0e13072e2d347dac094e8276249b1cb66b0ea95e79a255348ca1f5d9d6631994272fc1d25a2efb5dc9e5e3315eba7846e276ddb311bca3ecd13ceaf42f258dbad670f9228b9b62c9fc28df72cfc05dbd117d2f9a5f66ac329bfca68fd66af9bf6d49c52a4f5d35185dc7d19e3b1c1d9a4a2ff515a2b7ade65ce7dc7d84e8c7fb2013baa48501bb097e74aaa0f9a10e1ba698a15ad9c501cb1727c225f770b742bc101dcb45a1054e054d39c871c64bf44d3ddbc5ca6c20362e1709c096b554839937e72806ba932bbd348abd9201444423f210907b321d953756751926d59b2c3954c1d321d0a598237657a2b49865a14a21d50d2f7697649893325556ef9de9af181502296d9c9471c29750d00246ca90745bf393e4b40b045ce68351b7ef195c2cedfe60c4a643135d4b1c146a9f764a05588ea388fdbb7e0a07469d003f1c3817fe229d39acf69f9f63f9e9d203e8947f63639e8816d16f87a9062eaea6b1bf2d57f1dc7fb8e511df95bd34fc5f8e9e0fe705785859938ef704947aa68e192f44188ba2387e32acf6c356b0343d6791cc28887e258f855b5f22fd6b0c48f448a85695c19dd9e9d117b1345370fddfc3c0f074b8cda33e8b12b69a70cce686aab2fb702ad970d49058f9bb0195cf9dfc6486a3098c1c409bc66467732a948ee97453be7090beea529173bc69b86f906636c9a89a269d9106093218207e78307ce34b24f61cab92850ae7ae92abd89123d34696e3b86e6daf2cb27ca2e9c3574f3d7bb6f9903bed0d5a76fcf945967c8d02deee5e26023eec937dc4c665a3b95a46fe27a125ac513a1e9b6d97f4572435849683be2bd3a4f973be91a1298011fb9bad90981b351f20f2fecda24b6412bf688cd19331b4448606b86c204e9086bd60e2413474b522787128624ef3ed708f0cf82a474524506e97eaf27c3eee13d88befb324e0ee8cae3bd2f1bec9c95a717842b6fb6dcf74e678a6889f4d306b2889eb40d1eee501055cb0f2b68e6730b59fc89e27d8c0ccbc6dd57da3c990f0b1b7090ca5c5969bb546665d0981463b268bcf2d83725bd61114b66a2d21fa2ba183010f4aa075a2df40d2a4de6c73c56d57a915911752daa98eca7e64e62e72c80bfb4c5176e32ba239ea457ee72ee74960cdf7e91726724483739cd19572d0d14ed600be04bf25b54335315d2b07eddb30542d9d398a44e56d74f15d34dd073c4b87c0f05ac0446690c48e93e8f41085568f41754c27397b077550849265c03eac67ed953975c7a1d123cdd6bfc4da8c16ee85ca322f332d80b8c5638d0f25878d2f9664f43cc4efd190d3c57f2683933bee8d3c3ab25e145841019f657a8887c9691e35b352e1547c35db84fedbcf7b0f8f63982b8174f809f02a9944a79675ce2a6ad7a50a6cc380c386b1e13022bdd9408731354bf2fbd844d26a51758ee37c2090ca5d5c2cedc3490adb2b00beec91f7badceddf00b596da4371c5f21e7869c7d3ef02ebe332a24acc1333832bd64eae04d96eb77ff106a15d6f1275175b9c1e3e87a8017804b740dd544025d8069af671275c96c52fe85c56b0d55c83d127554a4a49cb104fcd1c069d35c600da83e26a785ec86f71190c67785640444e000d89d1b03a3594f2036f951b0ef2c31d9ac6149778615b1f96e9337a791f218b3d90ab77836a52c8ed4fbabbb145aa1e10edc237983538ae6232fd4590221f41cc87a9715ad3501225e44c047839f1149afc50e9f8d8e80ce85529148599305d51c4d84e4ef9e5216b3e1d86b536a36df872b0fbf57804ae7340c4a0f509adac8c646820c1f92dcdc9039b33abe70625331cfe9ad242a4944be9580b962948d7d1c9a8c2eee45c658991d1d9f5a7bd4008efabafcfa8500720ed95a42334e2df5b54ca6f0a6dc65763aadfb64d9ba32bc9a2b1e37e138dbb226dff4f6bc65c08a941129cff7505018c3ac2239ac9da7b3ce6619c23759e194b80eccba88e0bd6d033e15b896aa95b5e8b4fa63e89a41cf7f7a0f8237eb8078fd50408ebe041991d59cad3bd2da59050f3153a68555076b9dbc935bc69d8c6ba4a8497c2ee9031de0148827cffc5fc3df61bf2561679ae8241d3d0abd5dac562aa76b2c4b6e659013036c5b19aaa0bdabf15eeef12af1ee31bf607827b7a9ee7cfcc2dac3dc4d2045d67ecc0e54a948138bfea2488459c39c99f1a7ed5516fcf696815bc33b0704468d0507c26bfda6fd0e733db1239d73b6af42936e7ed4d9022d678706a76e8abdf94b51c9228148ed2cec6c6e10d22678c8a156205450a29cdfc54443018c3bb94000d106cd6d7c5fd98ff0e585854c3862ef19db40be044fe00b5411233a24f2be94d805517e9e55fb370f77eddbadaa9a299db7b704ab9ce9dc4be9a26c35b7f9fa1702836f8e5e4152ae1f27a380b44b66098ed1501e701c871be397da6c0032495450b36f4cd57804a989d71729b566010f1ed19d264b54d5b37a417863853f10e053fc8de35f8c684a488d4811f15c8ae270cb941f50e398f0e119dedaf8e937a72d54467eda18a7d73565bd5c0c694ff22f893acc77f7e500c43c91123e23af9edcee877531b6de04fae474b6c9452c8296433a82f99e46dcd0b6f8a9b13b943231c08598baea98baf13d86f5b5cdb8a2e20409b545272c3cf748d9a87cfac4b0e90d30f0dc401a83c4b564be0b92fd24fb50022c01d092f29562f2a1e6c481dd5f91a957116d7f55cff533b91fadbb8f5d15d38d67b03d7a5d95e380fa419ac06a1d2d4f59884ea6061c5f0660c631eb5fee35865e43381f13efb24791de1b6d69eeea23ca925633b99b5b98d22a0480ae4248174ba2328d9a47342a67db2ea7a9b48775db35c8be5dcc10f7dd84c158dbd4757b33900b164e621f1dbeae885dccc9d0a350b48a1e55f8757c978c34fe34a9bffb272394d6c03873ad6084810ffe8f5d1a3e272d56785f24b52f7b3e5cfc8944a22c9cd32973507497ba35a0462d46f0e674488d47f7d2a52a6921b3bbe9dbaef2958db56c874e6dcccc2499b7078b5c2d4143d964c1410c76426ea2a2160ffa27876dabedbedbb9ab4b00aabf90f8f70f2a851e441622e6b9413967e04c347aab7488f4760d3e8fe1a26b0f84a1ee5eb0aa541c9b8b3fcc5c499ba7bb24babfca2f1edc91a792580846619738a8cd6a956fee442d94992beaaa80e7e6be27f33a03c5e67766e3b04e57670209e22cd0ae0282a1aa7b65f4eeb48168d65ebe60145fb771a250b9f1c8f1d7abd3dc3b62c3bc864e1a4df1e2d36914b8172f2ce840bfe7c07db6205485aee0e095a193e695633bdd2eade76239137193afe18bb5986f03da97a7e0c2a9f4406b92497a6c942e84e72ba6bb7275e435182101c16651ca1d497e61d6bd9e1390c8d100305a890b3d54eac2449a6a261c26b9403257c4253644ada152634a99e20d8f909d753bee656296c2338282f0779330f2db7bf0ad7151ff0b1edca7f4e56ba9a0c1dd35861d43f5b3942445bf5b0df198bb93a3e7d69113d454e849571e5c80b855ab9c1a399291471c5053ab43969298bae96c65f2e0d990973b02bf3c5e4788577f14a7732bb67c9a9ccffc12e65f1fb5aa486e3ffd0f405ef6ef305f41d2e38bfdb9ac9e5d87ceafc0628f23c2fbb211c1b106e4a551f9f04974a1747212061940b2e3161b8a0901b926afa3618ee7f9ab2237a5b96765d201da1432193d54690190ce37b22853b8d8a03eb5a93776cee5903439ab358dc5c921247c92e4ead264b706542b9f66e743452a589efd8ac02b81ac9004252345f20afeb72c2548ad5c85fb428ccd0cd61782b5d84efa18d54f91d8c19ed5f746cb4cb8a0bdc087f3b1f0392ac959c1a04935c9a89145755fb462b34b79cb341150e06a4912157ce4e8e4f7b14b6254e0db2aa7f9c06280b28d32f9b617516d00b79b6445f3278b8fba13e18447070c77508c3c172c9a7bf302f39d9bf938e4fc8c4f3afb97984d7e7654ac7adb783f1cbb408ad80a768da3461cd87920052a16b806c4166c6bb91ca721af5b1249eb25eaf3f5996b3039f9535488d98d826db940109da1bd43abc8a7bda4e94024dd5ab0b65b7d1877fbb48d51484fda02e25571ca87da898572d98292267253e93760993235dc93b211d32324aed6c1e1bfcb6cf2260afe408161558ebd89beb20c957f057c82570db0fe3") r38 = syz_kvm_setup_syzos_vm$x86(r33, &(0x7f0000c00000/0x400000)=nil) r39 = syz_kvm_add_vcpu$x86(r38, &(0x7f0000016800)={0x0, &(0x7f0000016280)=[@nested_amd_clgi={0x17f, 0x10}, @nested_amd_invlpga={0x17d, 0x20, {0x58000, 0x50df}}, @nested_amd_vmload={0x182, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0xf, 0x9a97}}, @nested_amd_invlpga={0x17d, 0x20, {0xfec00000, 0x1781}}, @nested_amd_invlpga={0x17d, 0x20, {0x1000, 0x691}}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, @nested_load_code={0x12e, 0x79, {0x0, "67470f487f05410fc7280f20d835080000000f22d88f2978cb3d080000000f20c035040000000f22c0c7442400d0f60000c744240200000000c7442406000000000f0114240f0095bffb0000b98b0000000f32430f01f8363e3e66440f383c6e0e"}}, @nested_amd_vmload={0x182, 0x18}, @nested_amd_invlpga={0x17d, 0x20, {0x1, 0x2a0c}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x0, @save_area=0x4a9, 0x5, 0xffffffff80000001, 0xd}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_amd_set_intercept={0x181, 0x30, {0x3, 0xff, 0x1, 0x1}}, @nested_vmresume={0x130, 0x18, 0x2}, @wrmsr={0x65, 0x20, {0xc001103a}}, @code={0xa, 0x64, {"c4a1f9e6530066baf80cb83c050c8aef66bafc0cb0eaeec4017a705e4702360f01c9b805000000b9000001000f01d9c48299f774fd26b9490300000f32c4c115faba6736c958b8010000000f01c164430f01ca"}}, @out_dx={0x6a, 0x28, {0xb7cb, 0x1, 0x9}}, @nested_load_syzos={0x136, 0x58, {0x2, 0x2, [@nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @control64=0x2006, 0x6, 0xdd07, 0x5}}]}}, @uexit={0x0, 0x18, 0x8}, @nested_load_syzos={0x136, 0x80, {0x0, 0x1ff, [@set_irq_handler={0xc8, 0x20, {0x6a}}, @nested_amd_stgi={0x17e, 0x10}, @nested_amd_clgi={0x17f, 0x10}, @set_irq_handler={0xc8, 0x20, {0x76, 0x1}}]}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @set_irq_handler={0xc8, 0x20, {0xcd, 0x2}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x96, 0x2, 0x9, 0x2}}, @cpuid={0x64, 0x18, {0x1, 0xffff}}, @code={0xa, 0x6c, {"410f013ac744240072000000c744240203000000c7442406000000000f011c24c7442400c7d2b538c744240239000000c7442406000000000f011c24b8010000000f01c1400f791666b8bc008ec026440f01c5410f01d00f080f09"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0xa2, 0x3, 0x40, 0x3}}, @wr_crn={0x67, 0x20, {0x2}}, @nested_amd_set_intercept={0x181, 0x30, {0x1, 0x8, 0x1, 0x1}}], 0x541}) r40 = mmap$KVM_VCPU(&(0x7f0000ffa000/0x4000)=nil, 0x0, 0x0, 0x1, r39, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r40, 0x4) syz_kvm_assert_syzos_uexit$x86(r33, r40, 0x6) r41 = socketcall$auto_SYS_GETSOCKOPT(0xf, &(0x7f0000016840)=0x1000) syz_kvm_setup_cpu$ppc64(r33, r41, &(0x7f0000efc000/0x18000)=nil, &(0x7f0000016ac0)=[{0x0, &(0x7f0000016880)="a600c07f0000e03e0000f7620400f77a0000f7660500f7620005003f00001863000017930000e03e0000f7620400f77a0000f7660500f7620000003f00001863000017930000e03e0000f7620400f77a0000f7660900f7620000003fa3201863000017930000e03e0000f7620400f77a0000f7660d00f762ffff003f4b451863000017930000603c00006360040063780000636400f063600000803c0000846004008478000084640500846022000044e403007c0000003c0000006004000078000000645b9200600003203c00002160000020900000003c0000006004000078000000645b9200600000203c00002160000020900000603c00006360040063780000636400f063600000803c0000846004008478000084645b92846022000044889c7f1385793c110000603c0000636004006378000063640cef6360ae43803c0b6984600400847832d2846464ab84609f20a03ca8eda5600400a578b640a564b1f3a5607295c03ce2a3c6600400c6780ab5c664b456c6607af7e03c4f1ee7600400e7786dafe764735de7606ed4003dea68086104000879843e08652b1e08610f08203d57992961040029792ea52965a33a296110da403d21f44a6104004a796b7d4a651ac94a617ad9603d84786b6104006b79f9f16b6562ee6b61220000448c30803dde998c6104008c79c3848c65c4008c61427ef31308db47fd6310e03fa71cff630400ff7b5816ff6760a0ff6326ffa17f", 0x214}], 0x1, 0x8, &(0x7f0000016b00)=[@featur1={0x1, 0x9}], 0x1) syz_kvm_setup_syzos_vm$x86(r41, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$KVM_EXIT_HYPERCALL(r40, 0x20, &(0x7f0000016b40)="e5b31e151b44d5a7e6d4318c23841cad911cec23f0d39a4bed977a0a13d9f9d106f592bf97ea28b048c1764155a698d413be9712ccb298c0b89ca67076be69d83491ff71bc7733d0", 0x0, 0x48) syz_mount_image$adfs(&(0x7f0000016bc0), &(0x7f0000016c00)='./file1\x00', 0x80828, &(0x7f0000016c40)={[{@othmask={'othmask', 0x3d, 0x6}}, {@uid={'uid', 0x3d, r12}}], [{@smackfstransmute={'smackfstransmute', 0x3d, 'wlan1\x00'}}]}, 0x0, 0x1010, &(0x7f0000016cc0)="$eJwAABD/7+DzLu5nJlfY4S8N7x7c7H1u6LgA+exdzvpOLzQAr7/rfNFAHfnAo2qv5nhO5QygY0GgGz/kSfj6xNYfxXqBteG7nY3Vty0ff23vxTYFz5UfxoeEobtaWv+1og3Yxk2dXn1o6J9IlvClC+R9nWENAi8UlxSASZiae36mhq8Kat6nAIGsC0+v7RYUEprkHeyLogLBn+MVGrdNeyBRrbDI7fMQy4hlDsd0m95OqrFRe5iM1xgZqwl0IMDrI4ZSv0jNKx9QDgV0rEp9L1So8BWushiPyaoTCz4e5Uj2yo8qTDvP2eRW7gNKBKwo7by8nVXMOs5q6SYOm+Iv0Ed+vcWM6nTFc5IcCKlso5ealIwWEVuGuuQLcntNAZUK0mwv1MdzFjUE5VpjCFUzeZ+Bqp6ZJW0ROky4mBP2IQpLyWkgiEeNDedVt0Cm3B5LNG+jOzCiZ2M9O3CSP6t1GXKptT/VKBXzkDe1PLRpcNjlA8RbX38YaiVLOImft3UbIXbJ6UCTwf56q7ri0xqqeaB2pnCyTqqt+4/2nIDcCY2VFHKbYFJiLhMICgn/lJc8JOQwYGp6OwNDTVu705XrFH7dmZ7I440NmPRWgJuf3PdCMNYezlwY2wQELRqQ8B8kFSjZfTgyz8Yg5Zc2+xG4MTaNRZo+JjSh39rorZs0LF1wrjL+8/xkDuEogTjaTnrvieMkLjxLU035BJKNxCGfdOmrYqrpWcQsn0vDpxuoPJyQKh3mDm5R5JllVa/1mJ41oob0oQMPhY7fxQIO5CgOclTrTC3mO9c9byvnmE0nx/oX6jmGDuuCW5EropfqF42lJmLHkixSlv2skDGhmYJkvwcaA3QaS/vpq0NF+CwKZ1yTb1vWiqPVYhq6kAPbzd+BmWbxJyaTCUc60UYku/9J+VLLGkEwgBjps7TEZGT/SjpJ/Kp+/sj4pOzilfGreaDQkRs+p6H3+CUiGT7uGxcegn3yO0D9dl2ZhxBU3AinBTK/+kXFCNs1kGUE+7HuSIzZguM+DYgxNwAqROiwIjcSewciAK2Wf9N9KI0y9VmbOZ1226Nt+2drpFz+eT7YQlDzHdnAEF0C6I3Ws1YBxQHwMmcgVGoi3kc2O4dpn7ShwIvxXyRKbT3d73cG057wE/lV8BKx2BhaAErPjDOQBPG+Yo+kAUvilaZnZwSn8Jl/Il8RVjaOBkKIm+MG8zn3zfsEQLK5nZmIXDY1Y9xY7k4Usib9kOQeGLC9uNH7N+D5GRPwPaIiyY32R4OrZIbQMRm8oggL72pGc6khaPF4ztTXMD0OWAr+FjIe7yRrNKkhlMJGWwV/O2P2ctHc/BEIxpG/+SNj7Y+nJFgpfqzUuRI0mkYxlaYYagpImXAN+kWFhLG9s0OpiMQ1ek2G/7xFDUuQWKDAyJEkjWxxfg7OlTaSfM5N+nHKE0JwqYkZCS/3Z2Yc9lf5QyzJCXNt6lETfjInwK26k5BWgCcRJDUE0+H/MTojXRdG0ky/GPg+rexrA4I5FUDtJGuo+U9iGviyo2anDfFO66SmwkayKqvCmNUcsokvPUX9VychADi26NGVAp6KNFS8rB4WPPs4ccGB/cBpnnIrdx/1VSDon2lIX6j0MP4qw7ANTOiIcyVCTp5d1kAfaZo3QgFDHzlSCor6MpPfSkGDc1X6AN5hNByYPhB+KDKiMY8iEMUQLWLg197oRysm60uJgZnvXypwo2fUAwuHZmFzxSYxVL39XtVy+ZC/zq5oMUJxgGghXOJ3qzbm3t2sl0hiwIpJsIavbCrltLkQbgqO9+gnrcqA/WYisTQqJmFhvF/VeL0uDW4f2JmfV7UK/7pDxcdXqmz51Fc75lwGUzrR9JcaT3RMS+6YSCUJeV7cgjxUjxAE+Mmg8joDl4OBzgKr7Yw0mfkILHHDiQiE0t6ZXyRFjmKpadhripIg9P6vf8H6ig6OQs7XYtR7UrB7UEtD0R9AJawbMG46HQuD1P91pkazs0+MGhbbzsC86JdV+KB6ypwnJi2LAVf2N9SSA94c/LIwNkE+jQvmU8OkJsKGUKfSzX7iKJnB0Pj7N2jIDRQWd+ByCo72c5juv62PcVDeC5nadSbu1qNH0cD93QZyMFiknlhFyBchzcqoJDmxFoPFtv0ajILAdfB3c7I00fgdnwyA1kgs0h805c9xWPYI1MrfwVefG2hkXh5QFWlOqEIH+kGkMGu2GmSHdrWnFANiGCSGwPNbGYPP26HXx1hOTFCX/7mNEtPQ6qFps3rYx0bYtpanB+RaP/D2sMkxjXEptqRsn4bebqtMicNbGFvGxpNGSieHgXvDzdj+jMa8PW+ueRmPh8cT4hGgxRh1I+oZTAj5ZXo43K6x63NGF9Wb9vih651f3BVcllqUwQjmwIs7Eu4rbrP/DwimvGEXUTmmRf3ztR1LcPhpxCn5Yit4GmH/AFOYTNyU0G4u3hcqqJPfT7kTxzB50dbbsAo+YHrHKliCAI1iYFUyS/PaxmtBOJSLxyp9bVmfXTeimZ1/W3m2jmuqR+uUpiNAbTXSzLwuBR6dv7V0jmL1Hez/fZuQGsJwG56GqBfsAENkI0zwdsTsYtUNb2CF/zeI6xDiVU82dP1hgLb0NIQEFMjLFTc4nL+V5aQVJrz03kirusjs0TfxDU7YmVs1qZGpkBeV6VBd4OK7lnJ1GsTp1lJcaUj4kv+/fRJYKLlO5akkR+Z3ztimgaLzbqaqnzi6b0YksDW/O4cElQc3R6Dvt06ScYinuhZKoTH5RRbUi1tXOLJilAvGhSKg0U66qxZ0SP352NG/zhRPjG2uKKpVjVfFNBDLI118dt9BUzHQxw2vQw4dfXZ5Wo/EPxttR6n17xqdTbvpC2EJqVIWLiqXWW8KYauUcvGWAXU5PV8slOLu/acjqsjI4JTDrowX1TO1G8kG78vov2HIYWadyuS3qWee1WJzPHrpfGGPMNV1dqs7H+Lacu9D9NSqrYgTaWrUhSDBHQsCfIHthMB+ixoSL10VCHAu2DEzsn9EUHaaMAheNyuZS2iCZ6Ou8oz56aCLrhm0t5VIKv94CyUr+KPvT1yfIK6+po48KKnXyeWalemDodSW2utjqCaLc3bjlCqyEmbuN047AWByKLJ1CeOtiegd9O/SQ4XfFaln5TDMTNyNvSHk8R7IyHrJxUpd2pbI026b0AbExUkZ1rxWsMgrXM+4Kc+puYlohv14Pip27mVXBmvX8wHm/xcn9cMPmO7AUtI22sX1cfHqmsIV0i+bw8EFJ1C2iRiB9FzzJ13usOTAWSqAt/VBQWFVw8fz/C+rgy4JFpsIyEEU+c7ozzOtGEXZnz1UKH6vnxuWQS82qdcKV+x+SxEhGUCi+E7hgDj+L9uwmYvxSU3ROChcPHbdlSurJ6JdOMpYdBIOd4sxcoubkW4E7gpGjH8v/1qw/bi3GnHWWEp9PHThPs+UvcTiQaNLjaXNy/mygcDnqR91PbrKqFA+lS8evPflnc068rr/5lFm7YLRAgPybtIhMxZ1cSR0Ne+9mKBqu+lvb+mWlAUP+B/QkEFLyd4hDgP3n4B570BA0Ym/AyqZf0OOE7XSRp4JaQDiuYYJn+h1r24mDDe+TKoImpQKwH5YSevAJ7zyifYV83MTBY9hNa8l+CX8XyjOd6f3MVDQBqBwMQ+c8h/FIHvEAKZp0etmEP0SZ4wdI6eENK9Gv38l2Fj1bsQZmNSxepZGFPK13e8vECMVNVPINct7gkpTEa441vJA9B9FMwAOm97YIke5BEPk7QLcrat9bOH0Mv4aNyy4E8Ma0T7Y3I7hW8b+KfmhvFuvz/RAVqy8vH7//qwyxRBdQ1B9nPL1QpynGJfBa+lxlrbafWkZmwn8Nq3Qew4YmsrFI2bREEQi85ZM1cgUkrJVCn9/F6bjj/m88+lyVVKX8ZchUpPg3XiPDYofdlJM9UxywD66ZJL5O0NomZuzB82le7sDmvXgMZwnYlyFiUSip8VW8JBhJMYctzhdH2UdjF/uI4HMF1GdIGCAmdbOft+bqP0CSSYw+G7G56aB+OApIJUBKN/vWYFKKSE3qhrn7islCofanfsBMSBfluYS0ReN/9T59a3ztoJwxIy0Z3IAyu5wn6NzPBepo6caNkGI7BIXmhoihku6wAly4Z41zm7oSm3x3JXFW9rzfOA/zPHwntvnziMbBkZHrsdM0ORaIk3UIeapRxmYoNRxcAzUemH9xyhlGPqIn/gHfDlQqw5ySsh924BD5pxtcdLAtgfkJ28Z7MAjYzSJXcW1pmsyPPu3ZtXcHDwwHA6+K0cXW/AZLz4swCUMy4B8DUZriwqFKAG88SwnDirP7jTHzRdu+bOLPVlcAImA9FZdAgI8QHMgg/9unXANWCMn4GSrM1YRDPNQekOgU48w2idM8EVqbo+YR6I55yuZYhzeNOG2AmPTrlPi/RDRs+91RCbu9xvB9w+y+zQhxCSbrbPBlZJV2KQPZuGQZMTuARhQDXgFnFKG/3qjuD7JC39qBsnyBnaOw9ysYwXFjRBcou7lMr4v+wITsxE6l1jmgciRAdn7CLtMY0H0ZhmqVrV3efe5KhAXXk7/pNYRlmdplCoFl3B8ZCE2ZJq7s13SyPg0cPy5WMQ/1j4NLBfPH/AHXMRh2DBCmj4I5HHOEn7MwydW7LMAzYbQCbyW2sAVx7Yp3sJ5pKRQ7SQiwjxrMR5mOgqQ4aogTr0LvHED4xh5sEpHdFiO2GW4pVEBfU6F5zCyANr9f0tefrSPNaczTct0Q8Doo0w4EwtTSjwux102iX46uWv6pAqZBURzXjWXz6atokVTFKch5TM0yExzYkX7LU2YYxA1c0wNaSu2lbxdx//2jnHmxnIbAaKDp5hLVaiLPnMM7mS56eY0PqPBj0J8AYTLRJBGiQHorAfoig5o8owdtkBtCYU70+CX2lbB/1geky36s/0qdukaxlxcUSdzBgukzD7qTGukVnZReLitvHUUsMmrSGIbvQ0xRx0VZ57PqZRGMlOQbmDujbnoqx+hNZdiwC1hyk74btWRYmANzjNiLm6IFu4YawCjBiIInpA5+8GXxdGQZ6rL39Q3bHU/ZvCyppWJkMyNgW4+rmuUplv6FzbtmHqdq3W1QXKzydm6rkzyKXU50Px/cktZlktrUExSKGSuMEfyYUT83ynuLaiw3obHNSsgVNCl1aSXiiVg2YDudR0oxMdQCn5GxpeFFPA8+N91Xrq9OomvQfpnNN1t9XVvwRMNzORED1ewBIei73znBodVO/0dzssMJbwctCGwCxkSGOwdY0VcyFjaT2aXmcpNOfykGqFYkGjbuy48+REaWwLH+c+qGwRi1FucoafT38WtXBUs+KSJLp/e+Z+opJ0Cf7bRY8YINw+dIpiY7sJy2IywyfPPgGv4y/Q31MrTq9KpTVOzJrMA2esB0gA1tBlbBafPddfjr/QndNIDyMnj6S/ImLD/UIG8ey67/EitGAMBAAD//4vg68M=") syz_open_dev$I2C(&(0x7f0000017d00), 0x9, 0x484580) r42 = getpgid(r16) syz_open_procfs(r42, &(0x7f0000017d40)='net/if_inet6\x00') syz_open_pts(r33, 0x208800) syz_pidfd_open(r19, 0x0) r43 = pkey_alloc(0x0, 0x1) syz_pkey_set(r43, 0x1) syz_read_part_table(0xa3, &(0x7f0000017d80)="$eJwAkwBs/6RRXCBt7GMlTq9EwjPgL5iXkmoXVekSpoe7ibH6oF/5D/ZAK8XpdW8CA5rjuSzcvCA++0N5lxGWHxXxqSl4LLmGp3bnsP5gYb0gZdymHwDFW8VDe5gP/DZ5nimHPbk4LNscZFNeCdt6zcNh8i/TsdVkCZ1V5euwB4WSzV6Wxd/mGwg2gTZ3887ZGxYH5DiblIuYQAEAAP//2jdIgw==") syz_socket_connect_nvme_tcp() r44 = syz_usb_connect(0x2, 0x745, &(0x7f0000017e40)={{0x12, 0x1, 0x200, 0x8d, 0xd8, 0x82, 0x10, 0x1bbb, 0x203, 0xa779, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x733, 0x3, 0xb, 0x1, 0x80, 0x1, "", [{{0x9, 0x4, 0x2, 0x5, 0x0, 0xf, 0xcd, 0x1f, 0xf3, [@cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '<'}, {0x5, 0x24, 0x0, 0x80}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x8, 0x3, 0x1}, {0x6, 0x24, 0x1a, 0x7, 0x6}, [@mbim_extended={0x8, 0x24, 0x1c, 0xc, 0x6, 0x122}, @country_functional={0x12, 0x24, 0x7, 0x8b, 0x7, [0xfff9, 0x5, 0x3, 0xad97, 0x3, 0x0]}, @mdlm_detail={0xac, 0x24, 0x13, 0xb, "784f7bf45593f2145d18e49bc52edb011422491eba8fc40ebed34d5d81304da0a35565ec2036117bec4b01ef8f75c9d54e74b45316d0e1672a97b631729bcb7dc99bde682891bd5954d945f412979ecae7ee086c3650d3f976a990edea932dc3085d9c08f20badcebf87a97ba36151788daa2e6be45675380139cb89a17f95a65c87a272b183873660c9b63cee55c43ae5df58b45fbe08f00a86c6b1dfbd517b7dcdca1c6c75cd37"}, @country_functional={0x6, 0x24, 0x7, 0x1, 0xa}]}, @hid_hid={0x9, 0x21, 0x9a, 0x8, 0x1, {0x22, 0x373}}]}}, {{0x9, 0x4, 0xb8, 0xc, 0xf, 0xc3, 0x47, 0xe8, 0x7f, [], [{{0x9, 0x5, 0x80, 0x2, 0x410, 0xd9, 0xf6, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x5, 0x2}]}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x2, 0x2, 0x6}}, {{0x9, 0x5, 0xb, 0x3, 0x1308e9cbc37c7b4d, 0x6, 0x8, 0x5, [@generic={0x82, 0x11, "45836f6c3f5125725ed5b96b96b2911adb85370ceb5989894bd83417ee42276ce80fe734db8d2d94f2fe8c75bfd042fb632cfa5d5254f9b0fadc885d628a0dc92e274c02cd3be0421b608e2c538de20b208eaaea7b51dc13bdf7f2e00a6cbd3030df9baca667e6ccc42bdc2f5d822a3fc298b060da91265dd01583221a09899f"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x8, 0x4, 0x1, 0xfc}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0xd7, 0x0, 0x0, [@generic={0xf6, 0x22, "67439d731f507017a62ab89eb7118e315aab47bce00cfe092f9b6b6527812c051d98789a341cd8579c0c0f64f353faa641372867640b733bac8b8800b7baf106d03b36b934ebf24e84f554e1489e48416547bb7c90482fa4706467390768598bfddeee37f96a286a2f726ed89e5cfeb0dca14945145d5727fbd9b2949f9528d01e948e6305191bbbdfe60f223ae3a19823ce4a8797df004c048b9c0d793d173e5a39afc5eafe8ed82b45d9ac82fdfd1ef590fa300f32a49684630a4b392ff580eeaeff43c607a95169525530c24b189dee913cf7b9e1c1bafb11771b05c784720c28eb001ad218d0a92c1e32071606734ed956b6"}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0xd57d}]}}, {{0x9, 0x5, 0x1, 0x0, 0x400, 0x93, 0xff, 0x5e, [@generic={0x9f, 0x22, "faae6b7b5cb60baabdbe69da80d6306cc5c48a7eeedd7a47a92b693f17794385e5df43428ff861b389fffa4e903a47cbec60c794d78a7287affd416273fae978b7313ebd0b4ba90d2c47c1a1a66f6a698dcad67c6b40c482a09d3b92c05422f1eeed158be373e6623f40f82b25697f8f7934c60a81a403f22d919166e011d31a6497a0c7a512e4ddd841b5441454c1e15d8a2ab3e78f86a5cf03e792e7"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x1, 0x9}]}}, {{0x9, 0x5, 0x3, 0xc, 0x10, 0xb, 0x3, 0x2, [@generic={0xb1, 0x0, "33e5f9756d19a3eb392ba45b9f381dc2b062ee3ce942a485e678a8ea13f6c9eac74ec9641b119d78a9e36b32327cfb535d6ee402917d7b92a3ef09a79323735dbed9b623ca4b83db0117d537e5c58c6405bb0fe33bda56ba384b95fd4687df0217b223a0a525062ef259591dba73db936a7f85b82dddced8216aa4bc4ed636a57fc6e683e3ceb10a63be63330c0ea4d2a5cff5db4ac71ac10cdce3f5bd50c29ca7d1558dc5ed7f06b21dd7ba9a0dc6"}]}}, {{0x9, 0x5, 0x5, 0x10, 0x8, 0xd4, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x0, 0x20a}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x5}]}}, {{0x9, 0x5, 0x5, 0x0, 0x8, 0x7, 0x7, 0x1, [@generic={0xd4, 0xf, "737d3a4315658a8ffad124ef25692125494e376089b70b3fa63c98d548319145d9a432c0a3a910835f2c89b97e7168de3f5a68fc6d3086b5abbd9cad99b9f57df66d7a2af8b11c90041dd44ea5cb90b08493f1cc38391ab393edca7afe19ada684d62c76028a4283d3f7c4b6a29530b4345f74fedf78709f1a6172ae091c181037aa8d41503c854f5d64a4e1772982edb2faeb1f1a4ffb5f1b62415e46f1bb27374d48245031d050dc5528c7d19e7d9f4f71983984e44a633575f1b792d06db2ada0ca60eb3896c7e517981d567fe7b58ad2"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x5, 0x47, 0xff}}, {{0x9, 0x5, 0xd, 0x4, 0x10, 0x9, 0x9, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x5, 0x1}, @generic={0x84, 0x4, "c25a3fb73a08d8b88a25e396fee4b018b4487bccabbffe8ac964097b47dd926e5cb685c9568c4738e1bc0972ad10f12789a9a8080d7a492630e9a155a12e267604f53773b1f3a603c19d4dc0f4c5ccee5e9571706e990dc862312fb3d26cc37b011d95f3159d13c4ac34ab084c1a0660509ae13fa6f84d6068b33e5ff1da2a32373a"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x400, 0xa, 0x8, 0x4}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0x6, 0x4, 0x96, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0xbe, 0xda}, @uac_iso={0x7, 0x25, 0x1, 0x8}]}}, {{0x9, 0x5, 0x8, 0x2, 0x10, 0xb, 0x5, 0x8f, [@generic={0x77, 0x53a54cd3d610e5f7, "e6da6832665e8fc36a0e8f94157f6a5fbd96ba6085fa6cc0de01635150751fa9080a8ce5aaa4e50bddbefe649a9885244d8fd877920b570d6913ac5ef74d87139a81215ace972e769b6e707e2102de593a661d408d0cbce385ecdc66d00e649dd5504e8b1f2aeedf02eb08bd9a2b2102f37927bfb9"}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0x40, 0x8000}]}}, {{0x9, 0x5, 0xd, 0xc, 0x40, 0x6, 0x0, 0x9}}]}}, {{0x9, 0x4, 0x1e, 0x8, 0x3, 0x90, 0x1b, 0x5d, 0x9, [@uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x3, 0x1, 0x0, 0x35, 0x8}, @format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x4, 0x3, 0x4, 0xf6, 0x80}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x35c6, 0x1, 0x3}]}, @uac_control={{0xa, 0x24, 0x1, 0x8001, 0x51}, [@feature_unit={0x9, 0x24, 0x6, 0x4, 0x3, 0x1, [0x4], 0x8}, @processing_unit={0xb, 0x24, 0x7, 0x4, 0x3, 0x9, "d6e5bec9"}, @processing_unit={0x9, 0x24, 0x7, 0x1, 0x1, 0x6, 'CO'}, @input_terminal={0xc, 0x24, 0x2, 0x2, 0x204, 0x5, 0x9, 0x9, 0x1, 0xd4}, @feature_unit={0x11, 0x24, 0x6, 0x5, 0x6, 0x5, [0x3, 0xa, 0x3, 0x9, 0x3], 0x3}, @extension_unit={0xd, 0x24, 0x8, 0x2, 0x5, 0xfa, "cf521fd9778e"}]}], [{{0x9, 0x5, 0x0, 0x1, 0x200, 0x3, 0x9, 0x6}}, {{0x9, 0x5, 0x1, 0x10, 0x0, 0x7, 0x3, 0x1}}, {{0x9, 0x5, 0x9, 0x3, 0x20, 0xf, 0x4, 0x5, [@generic={0x30, 0x30, "9af3fe7151c3b3ad7bd1a1c8e2ee7c9495bfb52094d1dc13f41f06a76b111ebf9089a2372b323499e81536ed22f6"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0xd, 0x1000}]}}]}}]}}]}}, &(0x7f00000187c0)={0xa, &(0x7f00000185c0)={0xa, 0x6, 0x200, 0xe, 0x7c, 0x5, 0x40, 0x6}, 0xec, &(0x7f0000018600)={0x5, 0xf, 0xec, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x7f, 0x4, 0x10}, @ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x19, "3708892f9f7225be3a6009559965ad74"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x20, 0xc9, 0x3, 0x3, 0x8}, @generic={0xba, 0x10, 0x3, "2a0452f8e56ac2ffaee6cb1fc6faea4298664f032676da02ee36cac0df472c05b6a895c87b06145c8cb2bf1563d915fb7459dfa37e7b010a2307d76ed4c75a0c1962074d24f9836e05df965fdf4e2460076f7f109708230872abfc7b89d4e5e08d5d7b3b28be99666169e4beaa1ed7099d4ead2e0aeab9e01ff1bf20b59a78a6d9852989b4c4732550c70f843daa0c88d82ef806ece508cc9553fe8134cfadc5769bff046dca8f1fe031f25dbae923962256a0d962f081"}]}, 0x2, [{0x5f, &(0x7f0000018700)=@string={0x5f, 0x3, "159faef02b246dab7cba3efc4a7fed8d174bd706d48457f261ad8fe88dc0426fe71a32291ee93575bf347cbfc21323b208f15a792abbf3017092aa8e551fcbd851ca7390612f9e5848738c872b638738755adfa7d432eab1cdf11246e6"}}, {0x4, &(0x7f0000018780)=@lang_id={0x4, 0x3, 0x41d}}]}) r45 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000018800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r44, &(0x7f0000018a00)={0x2c, &(0x7f0000018880)={0x20, 0xa, 0x6, {0x6, 0x11, "11be6906"}}, &(0x7f00000188c0)={0x0, 0x3, 0x4b, @string={0x4b, 0x3, "54f166c504f790b8fd2167ab4d2207faf4e0d9b9068564c8fee82a31e2a56d9b863c4188c802bd1e737993ba22a323795cb0b4f4e94cb796758840f7c88898694a059be76c0285d691"}}, &(0x7f0000018940)={0x0, 0xf, 0x1a, {0x5, 0xf, 0x1a, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0x1, 0x4, 0xa, 0x4, 0x10}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0x6, 0x0, 0x1}]}}, &(0x7f0000018980)={0x20, 0x29, 0xf, {0xf, 0x29, 0x7e, 0x0, 0x2, 0x7, "3c6895ab", "138253ae"}}, &(0x7f00000189c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xe, 0x1, 0xb5, 0x2, 0x6, 0x7, 0x9}}}, &(0x7f0000018e40)={0x84, &(0x7f0000018a40)={0x20, 0xc, 0x2, "d80b"}, &(0x7f0000018a80)={0x0, 0xa, 0x1, 0x7}, &(0x7f0000018ac0)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000018b00)={0x20, 0x0, 0x4, {0x0, 0x2}}, &(0x7f0000018b40)={0x20, 0x0, 0x8, {0x1160, 0x2, [0x1e0ff]}}, &(0x7f0000018b80)={0x40, 0x7, 0x2}, &(0x7f0000018bc0)={0x40, 0x9, 0x1, 0x81}, &(0x7f0000018c00)={0x40, 0xb, 0x2, '~s'}, &(0x7f0000018c40)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000018c80)={0x40, 0x13, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x17}}, &(0x7f0000018cc0)={0x40, 0x17, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x3d}}, &(0x7f0000018d00)={0x40, 0x19, 0x2, "b362"}, &(0x7f0000018d40)={0x40, 0x1a, 0x2, 0x6}, &(0x7f0000018d80)={0x40, 0x1c, 0x1, 0xfa}, &(0x7f0000018dc0)={0x40, 0x1e, 0x1, 0x9}, &(0x7f0000018e00)={0x40, 0x21, 0x1, 0x8}}) syz_usb_disconnect(r45) syz_usb_ep_read(r45, 0xd2, 0xde, &(0x7f0000018f00)=""/222) r46 = syz_usb_connect$midi(0x0, 0xde, &(0x7f0000019000)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x10, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xcc, 0x1, 0x1, 0x9, 0x0, 0x9, "", {{{0x9, 0x4, 0x0, 0x0, 0x5, 0x1, 0x3, 0x0, 0xa, [@ms_header={0x7, 0x24, 0x1, 0x0, 0x7}, @midi_out_jack={0x11, 0x24, 0x3, 0x0, 0xf5, 0x5, [{0x4}, {0x7, 0x7}, {0xc1}, {0x3, 0x3}, {0x2, 0xc}], 0xd4}, @midi_out_jack={0x13, 0x24, 0x3, 0x2, 0xd, 0x6, [{0x13, 0x80}, {0x2, 0xe}, {0x1, 0x3}, {0x8, 0x7}, {0x7, 0x4}, {0xeb, 0x6}], 0x4}, @ms_header={0x7, 0x24, 0x1, 0x3, 0x7}, @midi_out_jack={0x9, 0x24, 0x3, 0x0, 0x6, 0x1, [{0x2, 0x53}]}], [{{0x9, 0x5, 0xc, 0x0, 0x8, 0x0, 0x3, 0xef, {0xf, 0x25, 0x1, 0xb, "8dca6f86ba1543f9fd5417"}}}, {{0x9, 0x5, 0x1, 0x2, 0x10, 0xa5, 0x8, 0x3, {0x13, 0x25, 0x1, 0xf, "fc2ab7fab02e86b9c83c1a1c2ee5ba"}}}, {{0x9, 0x5, 0xc, 0x8, 0x400, 0x3, 0x0, 0xbe, {0x13, 0x25, 0x1, 0xf, "d9811e1ed3642bab8c2a71bc25bf6c"}}}, {{0x9, 0x5, 0x3, 0x0, 0x3ff, 0x7f, 0x96, 0x7, {0xf, 0x25, 0x1, 0xb, "0ec3b8efc022fc1b474cae"}}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0x18, 0x5, 0x3, {0xe, 0x25, 0x1, 0xa, "e3c106c54a63638a2e82"}}}]}}}}}]}}, &(0x7f0000019280)={0xa, &(0x7f0000019100)={0xa, 0x6, 0x110, 0x2, 0x2, 0x8, 0xff}, 0x3d, &(0x7f0000019140)={0x5, 0xf, 0x3d, 0x5, [@wireless={0xb, 0x10, 0x1, 0xc, 0x40, 0xab, 0x3, 0x100}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "5699f3928d2d0a00633f2b02584c016a"}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x0, 0x8, 0x6baa, 0x2}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x6, 0x0, 0x98}, @ext_cap={0x7, 0x10, 0x2, 0x12, 0x5, 0x3, 0x4}]}, 0x1, [{0xc1, &(0x7f0000019180)=@string={0xc1, 0x3, "b64349de30b23e683c87b0fe59341d26e0e391acdf6ad0571acc05f8e5fcfdc3936c96d99906c4c1e5d9ce59609e60fc394029a19fec981cfde7e9d38c1465f6a04b5b0ee298f5f21e58f71b8f7100d1bc55ca97b1b3ab63485b92e16630ae0c539315c25cefc347d66d80c2531e81af67e179c16966bcb8e998e0cd1b3c2bdc6c049946edb3eaafbbd9b5f0fe7c5925b619e8e7cfce1a62c4d2ac459740065e9f9eb72202c0edae4bfcf5d11b9314581d63e688ec40c037a3c41c0220bb1a"}}]}) syz_usb_ep_write(r46, 0x3, 0x9, &(0x7f00000192c0)="b72534d84209a7a862") syz_usbip_server_init(0x1) csource_test.go:162: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_cachestat #define __NR_cachestat 451 #endif #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t user_addr; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint32_t flags; uint32_t resv1; uint64_t user_addr; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; static long io_uring_sqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_SQE << !!(params->flags & IORING_SETUP_SQE128); } static long io_uring_cqe_size(struct io_uring_params* params) { return SIZEOF_IO_URING_CQE << !!(params->flags & IORING_SETUP_CQE32); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0, volatile long a1) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + params->cq_off.ring_mask); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + params->cq_off.head); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; uint32_t cqe_off = params->cq_off.cqes + cq_head * io_uring_cqe_size(params); struct io_uring_cqe* cqe = (struct io_uring_cqe*)(ring_ptr + cqe_off); long res = (long)cqe->res; __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return res; } #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_params_ptr_out = (void**)a2; void** ring_ptr_out = (void**)a3; void** sqes_ptr_out = (void**)a4; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); *ring_params_ptr_out = (void*)setup_params; uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * io_uring_cqe_size(setup_params); uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * io_uring_sqe_size(setup_params); *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < setup_params->sq_entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct io_uring_params* params = (struct io_uring_params*)a0; char* ring_ptr = (char*)a1; char* sqes_ptr = (char*)a2; char* sqe = (char*)a3; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + params->sq_off.ring_mask); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + params->sq_off.tail); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sqe_size = io_uring_sqe_size(params); char* sqe_dest = sqes_ptr + sq_tail * sqe_size; memcpy(sqe_dest, sqe, sqe_size); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_io_uring_modify_offsets(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* params = (char*)a0; char* ring_ptr = (char*)a1; uint32_t params_off = (uint32_t)a2; uint32_t value = (uint32_t)a3; uint32_t ring_off = *(uint32_t*)(params + params_off); *(uint32_t*)(ring_ptr + ring_off) = value; return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 74; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 56 ? 4000 : 0) + (call == 64 ? 200 : 0) + (call == 66 ? 3000 : 0) + (call == 67 ? 3000 : 0) + (call == 68 ? 300 : 0) + (call == 69 ? 300 : 0) + (call == 70 ? 300 : 0) + (call == 71 ? 3000 : 0) + (call == 72 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[47] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: inject_fault(1); res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/0, /*ring_ptr=*/0); if (res != -1) r[0] = res; break; case 1: memcpy((void*)0x200000000000, "threaded\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000000ul, /*len=*/9ul); break; case 2: *(uint64_t*)0x200000000040 = -1; *(uint64_t*)0x200000000048 = 0; syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); for (int i = 0; i < 4; i++) { syscall(__NR_cachestat, /*fd=*/r[0], /*cstat_range=*/0x200000000040ul, /*cstat=*/0x200000000080ul, /*flags=*/0ul); } break; case 3: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xf503, /*arg=*/0ul); break; case 4: memcpy((void*)0x2000000000c0, "/dev/bsg/2:0:0:0\000", 17); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000000c0ul, /*flags=FASYNC*/0x2000, /*mode=*/0); if (res != -1) r[1] = res; break; case 5: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x9360, /*arg=*/0x76ul); break; case 6: syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x111, /*optname=*/2, /*optval=*/0, /*optlen=*/4ul); break; case 7: *(uint32_t*)0x200000000240 = 6; *(uint32_t*)0x200000000244 = 0xa; *(uint64_t*)0x200000000248 = 0x2000000001c0; *(uint64_t*)0x2000000001c0 = 0xfffffffffffffff7; *(uint64_t*)0x2000000001c8 = 4; *(uint32_t*)0x2000000001d0 = 7; *(uint32_t*)0x2000000001d4 = 1; *(uint64_t*)0x2000000001d8 = 0x200000000100; *(uint32_t*)0x200000000100 = 4; *(uint32_t*)0x2000000001e0 = 0xd8d; *(uint32_t*)0x2000000001e4 = 0x40; *(uint32_t*)0x2000000001e8 = 0x42; *(uint64_t*)0x2000000001ec = 0x200000000140; memcpy((void*)0x200000000140, "\x39\x70\x15\x49\x5b\x43\x3e\x06\x2b\x4e\xf5\x49\xb0\x56\xc6\x05\x30\x06\x14\x82\x48\xbe\xe9\x34\xbd\x6a\x20\x8a\x2a\x61\xc7\x9f\x4a\x49\x35\x7e\x53\x65\x38\xe0\x86\x95\x7c\x37\x7e\xd1\xf5\xa6\x46\xb7\x40\x17\xe3\x05\x84\x21\x44\x81\x2e\x9b\xba\x29\x01\xbf\x44\x11", 66); *(uint32_t*)0x2000000001f4 = 9; *(uint32_t*)0x2000000001f8 = 1; *(uint64_t*)0x200000000250 = 0x200000000200; *(uint32_t*)0x200000000258 = 0x3c; *(uint32_t*)0x20000000025c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000240ul); break; case 8: *(uint32_t*)0x2000000003c0 = 6; *(uint32_t*)0x2000000003c4 = 0xa; *(uint64_t*)0x2000000003c8 = 0x200000000340; *(uint64_t*)0x200000000340 = 3; *(uint64_t*)0x200000000348 = 0x72; *(uint32_t*)0x200000000350 = 0x23; *(uint32_t*)0x200000000354 = 8; *(uint64_t*)0x200000000358 = 0x200000000280; *(uint32_t*)0x200000000280 = 0x107c; *(uint32_t*)0x200000000284 = 0x10001; *(uint32_t*)0x200000000288 = 7; *(uint32_t*)0x20000000028c = 0x5e; *(uint32_t*)0x200000000290 = 0x50; *(uint32_t*)0x200000000294 = 5; *(uint32_t*)0x200000000298 = 4; *(uint32_t*)0x20000000029c = 1; *(uint32_t*)0x200000000360 = 0x80000000; *(uint32_t*)0x200000000364 = 0x4000000; *(uint32_t*)0x200000000368 = 0x7b; *(uint64_t*)0x20000000036c = 0x2000000002c0; memcpy((void*)0x2000000002c0, "\x31\x8d\x74\xc3\x26\xf1\xd0\xa1\xdd\xbd\xe1\xb5\x12\x64\xef\x98\xbf\xda\x4f\xb6\x9c\x29\xe7\xe2\x6f\x55\xd0\x0a\xa6\xbd\x24\x97\xe2\x3c\x84\x95\xbb\xc9\x44\x03\xa7\xcb\xa7\x51\x20\xbc\xaa\x83\x2d\xd5\x3a\xee\x8e\xa1\xa6\x6a\x79\xdb\xba\xf3\xf0\xe2\x32\x10\xa9\x00\x05\x9d\xf2\xdd\xac\xa7\x12\x5b\xd9\x0e\xb9\x1f\xa2\xc9\xc8\x10\x9e\xb6\x25\x52\xe9\x0a\x21\x9e\xf9\x66\xdc\xaa\x59\x4c\x33\xa1\xe6\x23\xbc\x0d\x18\xfe\x1d\xb9\x7c\x9e\xb7\xbe\xab\x52\xef\x03\xc2\x1b\xf7\xe6\x14\x49\x52\x66\x87", 123); *(uint32_t*)0x200000000374 = 0x10; *(uint32_t*)0x200000000378 = 0x80000000; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint32_t*)0x2000000003d8 = 0x3c; *(uint32_t*)0x2000000003dc = 0xc; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x2000000003c0ul); if (res != -1) r[2] = *(uint64_t*)0x200000000380; break; case 9: *(uint32_t*)0x200000000500 = 0xf; *(uint32_t*)0x200000000504 = 7; *(uint64_t*)0x200000000508 = 0x200000000480; *(uint64_t*)0x200000000480 = r[2]; *(uint32_t*)0x200000000488 = 0x77; *(uint64_t*)0x20000000048c = 0x200000000400; memcpy((void*)0x200000000400, "\x8e\x46\x8e\x19\xaa\xb0\x47\xd4\xe0\x0e\x0e\xd7\xfa\xe1\x83\x0e\x8e\xaa\x0f\x74\xbf\x5f\x1a\x07\x1c\x66\xa6\xcd\x46\x19\x7d\x7c\x22\xaa\x47\x14\x7d\x72\x3b\xee\x80\x23\x8f\xd9\xe2\x75\xb5\xc9\xac\x9c\x89\x79\xf6\xfc\xbd\x06\x8a\xcc\x94\x69\xf5\x61\xdb\x80\x6a\x72\x0d\x53\xb1\xdc\x48\x32\x0b\x36\x5b\xad\x54\xf0\x4e\x1a\xcd\x0a\xd4\x08\x62\x61\x8d\x0e\x89\x53\xcd\x02\x02\x16\x9e\x15\x49\x39\x2b\xb2\xed\xd0\x7d\x80\xfd\x37\xfc\xe2\xf6\xf8\x48\x01\x3f\x38\x38\x53\x95\x19\x06", 119); *(uint64_t*)0x200000000510 = 0x2000000004c0; *(uint32_t*)0x200000000518 = 0x14; *(uint32_t*)0x20000000051c = 4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 7, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 3, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memset((void*)0x200000000050, 255, 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 9, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 3, 4, 12); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0, 0, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000058, 0x7ffe, 1, 15); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 4, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 3, 6, 2); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 1, 5); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005b, 1, 7, 1); *(uint8_t*)0x20000000005c = 8; *(uint8_t*)0x20000000005d = 2; *(uint8_t*)0x20000000005e = 0x11; *(uint8_t*)0x20000000005f = 0; *(uint8_t*)0x200000000060 = 0; *(uint8_t*)0x200000000061 = 1; *(uint8_t*)0x200000000062 = 8; *(uint8_t*)0x200000000063 = 2; *(uint8_t*)0x200000000064 = 0x11; *(uint8_t*)0x200000000065 = 0; *(uint8_t*)0x200000000066 = 0; *(uint8_t*)0x200000000067 = 1; *(uint16_t*)0x200000000068 = 0x70; memcpy((void*)0x20000000006a, "\x38\x74\x97\xa6\x98\x41\xa2\xe5\x28\xb4\xf2\x99\x12\xf3\xdd\x10\xb5\x0b\xa5\xa1\xe1\x70\xcc\x5b\x6d\x1c\x7a\x78\xf5\x7a\x5e\x0f\xcc\x9b\x2e\x9a\x5e\x87\xd2\x55\x16\x58\x0e\xa1\xf2\x23\xf1\x31\x7f\x86\xec\xc3\x91\x17\xcf\x0e\x53\x5c\x2e\x2b\xef\xcf\x11\xff\x81\x99\x9d\x1b\x87\xd9\xb1\x98\xc8\x03\xd7\x2a\xd7\x24\xe9\x4c\x78\x3c\xca\xc7\x76\x3a\xd3\x4e\x6f\x74\x91\xb3\x63\x7c\xe2\xf4\x66\x77\xa7\x61\x28\x73\xed\x0a\x3f\xb6\x4c\x0b\x3d\x78\x50\x3b", 112); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x9c); break; case 11: memcpy((void*)0x200000000100, "wlan1\000", 6); memset((void*)0x200000000140, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000100, /*ssid=*/0x200000000140, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000180, "bpf_lsm_path_link\000", 18); syz_btf_id_by_name(/*name=*/0x200000000180); break; case 13: memcpy((void*)0x2000000001c0, "\x49\x98\xde\x6d\x85\xea\x9e\x09\x84\x15\x17\xb6\x1c\xe2\x2a\x88", 16); memcpy((void*)0x200000000280, "\xb9\x66\x2d\x10\x0f\x99\xf4\xe9\x1d\x1d\xe2\xc9\x80\xce\x45\x99\x94\xb0\x46\xbf\xe0\x6b\x9a\x28\xc6\x0d\xea\x96\x80\xab\x4b\xcc\x3f\x5d\x33\x97\xa5\xa2\x51\xd7\xba\x76\x93\xb7\xeb\x37\x17\x7d\x03\x0a\x2b\x3f\xce\x8a\x23\x2e\x5b\x03\xf1\x0a\x94\x80\x52\xee\x90\x7f\xb3\x2f\x57\x5b\x23\x10\xfa\xe9\x91\x07\xf9\x5c\xca\xb7\x14\x72\x2f\x59\xec\xdb", 86); res = -1; res = syz_clone(/*flags=CLONE_NEWNET*/0x40000000, /*stack=*/0x2000000001c0, /*stack_len=*/0x10, /*parentid=*/0x200000000200, /*childtid=*/0x200000000240, /*tls=*/0x200000000280); if (res != -1) r[3] = res; break; case 14: memcpy((void*)0x200000000540, "./cgroup.net/syz1\000", 18); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000540ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000580 = 0x200; *(uint64_t*)0x200000000588 = 0x200000000300; *(uint64_t*)0x200000000590 = 0x200000000340; *(uint64_t*)0x200000000598 = 0x200000000380; *(uint32_t*)0x2000000005a0 = 0x22; *(uint64_t*)0x2000000005a8 = 0x2000000003c0; *(uint64_t*)0x2000000005b0 = 0xb3; *(uint64_t*)0x2000000005b8 = 0x200000000480; *(uint64_t*)0x2000000005c0 = 0x200000000500; *(uint32_t*)0x200000000500 = r[3]; *(uint64_t*)0x2000000005c8 = 1; *(uint32_t*)0x2000000005d0 = r[4]; res = -1; res = syz_clone3(/*args=*/0x200000000580, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000340; r[7] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000600, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000600); break; case 17: *(uint32_t*)0x200000002fc0 = 0x8001; *(uint32_t*)0x200000002fc4 = 0xee00; *(uint32_t*)0x200000002fc8 = 0xee00; *(uint32_t*)0x200000002fcc = 0xdaf9; *(uint32_t*)0x200000002fd0 = 0xd56; *(uint32_t*)0x200000002fd4 = 6; *(uint16_t*)0x200000002fd8 = 7; *(uint64_t*)0x200000002fe0 = 0x200000002f40; *(uint8_t*)0x200000002f40 = 6; *(uint64_t*)0x200000002fe8 = 0x200000002f80; *(uint8_t*)0x200000002f80 = 8; *(uint64_t*)0x200000002ff0 = 9; *(uint64_t*)0x200000002ff8 = 3; *(uint64_t*)0x200000003000 = 6; *(uint64_t*)0x200000003008 = 7; *(uint64_t*)0x200000003010 = 0x101; *(uint16_t*)0x200000003018 = 9; *(uint16_t*)0x20000000301a = 3; *(uint16_t*)0x20000000301c = 7; *(uint32_t*)0x200000003020 = r[6]; *(uint32_t*)0x200000003024 = 0; res = syscall(__NR_msgctl, /*msqid=*/0xab1, /*cmd=*/0xbul, /*buf=*/0x200000002fc0ul); if (res != -1) r[8] = *(uint32_t*)0x200000002fc4; break; case 18: memcpy((void*)0x200000003040, "./file0\000", 8); *(uint64_t*)0x200000003080 = 0xfffffffffffffffb; *(uint64_t*)0x200000003088 = 2; *(uint64_t*)0x200000003090 = 1; *(uint32_t*)0x200000003098 = 7; *(uint32_t*)0x20000000309c = 0xee01; *(uint32_t*)0x2000000030a0 = -1; *(uint32_t*)0x2000000030a4 = 0; *(uint64_t*)0x2000000030a8 = 0x74ff; *(uint64_t*)0x2000000030b0 = 4; *(uint64_t*)0x2000000030b8 = 9; *(uint64_t*)0x2000000030c0 = 5; *(uint64_t*)0x2000000030c8 = 0xc50; *(uint64_t*)0x2000000030d0 = 3; *(uint64_t*)0x2000000030d8 = 0xd; *(uint64_t*)0x2000000030e0 = 5; *(uint64_t*)0x2000000030e8 = 0x1650; *(uint64_t*)0x2000000030f0 = 4; memset((void*)0x2000000030f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000003040ul, /*statbuf=*/0x200000003080ul); if (res != -1) r[9] = *(uint32_t*)0x2000000030a0; break; case 19: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000031c0ul); if (res != -1) r[10] = *(uint32_t*)0x2000000031d8; break; case 20: *(uint32_t*)0x200000003500 = 6; *(uint32_t*)0x200000003504 = 0xee01; *(uint32_t*)0x200000003508 = -1; *(uint32_t*)0x20000000350c = 0xe; *(uint32_t*)0x200000003510 = 0x101; *(uint32_t*)0x200000003514 = 0xf1; *(uint16_t*)0x200000003518 = 0x40; *(uint32_t*)0x20000000351c = 0x287c; *(uint64_t*)0x200000003520 = 0x6a1a; *(uint64_t*)0x200000003528 = 2; *(uint64_t*)0x200000003530 = 9; *(uint32_t*)0x200000003538 = r[3]; *(uint32_t*)0x20000000353c = r[6]; *(uint16_t*)0x200000003540 = 0; *(uint16_t*)0x200000003542 = 0; *(uint64_t*)0x200000003548 = 0x2000000033c0; memcpy((void*)0x2000000033c0, "\x05\x69\x76\xa5\x86\x33\x69\x6b\x63\x36\x7a\x4c\xb4\x88\xb1\x6c\xe8\x5e\x89\x94\x3e\x5f\x09\x28\xec\x40\xd6\xd8\x93\x80\x7f\xa6\xc4\x4c\x5d\x38\xda\xab\x11\x84\x33\xa7\xe8\xf1\xc4\x6e\x1f\x06\x0f\x28\x16\x5f\x41\xad\xb8\xe6\x79\xcd\x9e\x46\xac\x38\x47\x74\xe5\x6b\xca\x18\x80\xa6\x90\xfc\x3f\x8e\xd5\xf1\x24\xdd\x98\x46\x7a\x33\xbb\x40\xcf\x19\x1c\xfb\xb9\x59\x0f\x59\x17\x9b\xb6\x11\xcc\xe7\x89\x22\x59\x22\xa0\xef\x4f\x22\x86\xf8\x7f\x84\x72\x14\xfe\x25\x61\x8b\x98\x9a\x05\x01\xe7\xec\xa7\x17\x0a\x39\x13\xbc\x68\xb4\x53\x99\x66\xe2\x89\xff\x94\xac\x31\xe8\x82\x36\x68\xbd\x04\x99\xd0\x9b\x05\x5c\x41\x41\x0b\xa2\xf2\x10\x1a\xba\xf7\x15\x53\x99\xf9\x7e\xe9\x24\xe9\x27\x7e\x6f\x54\x81\x9f\x12\xfe\xf3\xc5\x76\x93\x78\xb3\x44\xb6\xff\x64\x09\xed\xc5\x78\xc6\xc9\x3a\xcc\xb0\xf0\x8a\x5d\x8f\xfc\xab\x30\xcd\xbd\x71\x3d\x1b\x93\xee\x7b\x8e\xef\xdf\x77\xea", 214); *(uint64_t*)0x200000003550 = 0x2000000034c0; memcpy((void*)0x2000000034c0, "\x02\x0c\x5a\x2a\xf3", 5); res = syscall(__NR_shmctl, /*shmid=*/0x81, /*cmd=*/2ul, /*buf=*/0x200000003500ul); if (res != -1) r[11] = *(uint32_t*)0x200000003504; break; case 21: *(uint32_t*)0x200000004640 = 0x35cdee94; *(uint32_t*)0x200000004644 = 0; *(uint32_t*)0x200000004648 = -1; *(uint32_t*)0x20000000464c = 3; *(uint32_t*)0x200000004650 = 6; *(uint32_t*)0x200000004654 = 2; *(uint16_t*)0x200000004658 = 0x80; *(uint32_t*)0x20000000465c = 3; *(uint64_t*)0x200000004660 = 8; *(uint64_t*)0x200000004668 = 0x7ff; *(uint64_t*)0x200000004670 = 1; *(uint32_t*)0x200000004678 = r[7]; *(uint32_t*)0x20000000467c = r[5]; *(uint16_t*)0x200000004680 = 9; *(uint16_t*)0x200000004682 = 0; *(uint64_t*)0x200000004688 = 0x200000003580; memcpy((void*)0x200000003580, "\xcd\x05\x2c\x20\x6f\x36\x8b\x4a\x7d\x16\xe2\x8c\xd3\x6b\x1e\xa6\xd1\x0d\xab\x70\x17\xb7\xd0\x85\xea\x27\xb3\xe3\x38\x9d\x76\x0d\x22\x77\xe2\x0f\xeb\xc6\x86\xf3\x59\xd6\x08\x3a\x62\x9e\x79\x81\x08\x9e\x04\x19\xc7\xb5\x62\xdb\xbd\xc2\xe6\x7c\x1e\x95\x10\x4a\x39\x05\x49\xc9\x37\x1a\x43\x45\xf2\xaa\x7d\x84\x58\x09\x4c\x60\x75\xb8\x4d\x11\x48\x6d\x27\xbf\x68\x23\x3b\xb4\x57\xeb\x10\x6b\xab\x49\xa3\xfa\xd2\x99\xb5\x90\x02\x5e\x4f\xb5\xe4\x3c\x71\x2a\xd8\x91\xf3\x91\x38\xbd\xb9\x22\xea\x9d\x21\xb7\xcf\xc7\xc3\x43\xf9\xa2\x14\x96\xc6\x69\x22\xca\xb8\xe6\x65\x35\x33\x7a\x89\xa7\x17\xc3\x54\xbf\x18\x46\xb5\x06\xc2\x34\xa3\x09\x3d\x72\x8c\x6b\xaf\x27\x2a\x6f\xa5\x15\x3d\xc0\x39\xf8\x7e\x0a\x36\x74\x4e\x1f\x80\xf2\xaa\xc0\x30\xe2\xf8\xae\x6a\x7d\xbc\xd3\xf1\x7b\xc6\x8a\xd0\xb6\x1c\xe3\x12\x12\xc4\x6e\xdd\x61\x5d\x57\x1b\x33\x8e\x22\xc0\xed\x5d\x26\xf7\xbb\x2f\x36\x5e\xcb\x2c\x43\x26\x47\xa7\xc6\xd7\x75\xb0\xe4\x1d\xb9\x28\xf9\xe7\xb2\xaf\x72\xd6\x90\xac\xf8\xb2\xad\x8c\x2e\x00\x05\x05\xb6\x95\x2c\x4a\xb9\xe2\xa8\xec\xd0\x7d\xe4\x4b\x2b\x48\xaf\x7b\x89\x46\x96\xae\x56\x7b\x6d\xd0\xa1\xf9\x9b\x00\x7a\x8f\xcf\x41\xdb\x20\x82\x7f\x58\x32\x5a\x9e\x88\x12\x35\x44\x25\xbd\xcc\x3f\x81\xf2\xd3\x86\x3d\x77\x77\xfd\x80\x36\x0e\xb8\xb9\xe7\x7e\x47\x05\x9a\x1d\x22\x65\x73\x3c\x4a\x8a\x06\x3b\x45\xed\x0b\x8c\x24\x81\xe1\xcd\xea\xfd\xdc\x5f\x42\xc9\x31\xb3\xd3\xe7\x10\xe4\x53\x8b\xba\xd8\x15\x47\x9c\xd9\xaf\xdc\x5c\xb4\x47\x23\x02\x6c\x4b\xc0\x06\xe2\x56\xf6\xf4\x27\x04\x2c\x67\x65\xa3\xb2\x53\xe9\x35\x6c\xa1\xce\x45\xd9\xd8\x3d\x5e\x11\x19\x28\xb4\x7a\x8a\xb8\x42\x2b\x37\xe8\xc3\x82\x43\x68\x62\xc9\x44\xe0\x8e\xbb\xad\xd1\xa3\x36\x86\x21\x9a\xb8\xcf\x99\x5c\x12\xa7\xab\x70\x85\xa7\x9a\x7d\x1e\xc3\xc6\xcd\x73\xa4\x43\xcf\xce\xac\xba\xca\x1d\x7f\xc0\xcf\x34\xd5\x8c\x92\x77\x88\x1f\x98\x37\x46\xff\x62\xfe\x41\xd0\xf4\xf7\xa1\x2f\xf4\x4f\x4b\xa5\xbf\x7d\x89\x35\xbf\x09\xa8\x8a\xd9\x8e\xa8\xa9\x12\x4d\xe1\x78\xc2\x8a\xcd\xf1\xba\x1a\x97\x34\xd6\xc2\x25\xda\x59\x1c\x22\x9d\x31\x3f\xcb\xda\x81\x0b\x0f\x10\x57\xb0\x73\x0a\x95\x72\xa8\x07\x75\x8d\xef\xb5\x79\xdb\x3a\xd0\x21\xac\x31\x6f\xb7\x44\xa1\x58\x2c\x16\x25\x6e\xa1\xc6\xbf\xa2\x6c\x73\xaf\x1e\x2b\x6c\x4b\x8e\x7e\xf3\x29\xe7\xca\xd7\xdb\x91\x79\x9d\xc0\x44\xae\xcc\xe5\xf0\x6e\x80\x3a\x4d\x85\xbc\xf5\xf4\x5d\xc0\x15\xd1\x3e\x3f\x2c\x18\x92\x09\x9e\xe6\x53\x77\x7c\xa5\xf6\xc9\x2e\x41\xf4\xe3\x0b\xa3\x0f\x83\x27\x03\xdf\x08\xa4\x16\x75\x2b\x83\x1b\x46\xc5\x65\x63\x82\x0f\xce\x5e\xd3\x42\x1e\x9b\x2e\xd0\xa1\x9c\x64\xe9\xb2\xbb\x80\x81\xea\x08\x25\x5f\xda\xd2\xf2\x35\xe7\xba\xc6\x8f\x94\x6b\x34\x27\xa4\x4a\x75\x8e\x78\xda\xdd\x8e\x42\xa9\x09\xa7\x78\x51\xbf\x66\xb0\x1e\x42\x7c\x2f\xed\x94\xff\xee\x1d\x65\xe2\x17\x53\xb3\x9b\xce\x8d\xaa\xc6\xd6\xf1\x16\x96\xe0\x03\xa5\xf3\xc2\x1b\xf9\xd1\xcb\xf4\xbd\xb8\xf3\xcf\x5a\xe5\x42\xfe\x7b\x25\x5f\xb5\xae\x7b\x18\x4f\xb5\x9d\xb7\x35\x50\xd2\x93\x25\x42\x77\xb4\xf9\x4a\x71\xc9\x3a\x90\x9b\xbb\xfa\xf3\xdf\x95\xc3\xe7\xc4\x17\x0f\xe8\xb9\x1f\x9e\xcb\x86\x73\xcb\x54\x92\x75\x0e\xdf\x45\xc7\x6a\x20\xd9\x4e\x21\xb0\xd3\x61\x4d\x3a\x99\xf7\xc9\xe3\x97\x8f\xaf\x09\xe0\x67\xf6\x49\x26\x20\x4c\xd0\x90\xa9\xf1\x15\xcb\xe7\xf7\x27\xf5\x80\x99\x76\xaa\xbd\x33\x7e\x8b\x2a\xee\x42\xa9\xbf\x68\xe2\xfc\xcd\x41\x52\xb3\xd9\x83\x11\x49\xd4\x0c\x75\x46\x9f\xd9\xb0\x3f\xe1\x86\x0d\xc1\x92\x0a\xc7\xd8\x69\xed\x88\xd4\x14\x8c\xb7\x46\xf5\xeb\x32\xa2\x76\x1e\xed\x44\x73\xc5\x43\x15\xd0\xd9\x10\x44\xb6\x2a\x14\x53\x7c\x82\x5c\x8c\xf5\x78\xfb\xd6\x8c\xf8\x74\x8d\x67\x72\x2e\x27\xb8\x1f\x9f\xbc\xc1\x32\x71\xc2\x33\x35\x05\x7c\xab\xce\xd8\x62\x12\x5f\x76\x4f\x53\x21\xf5\x96\x43\x51\x43\x92\xb7\x2e\x2d\xe3\x2b\x1a\x54\xe4\x09\x6e\xf7\x3d\x06\x92\xec\x6a\x36\x5c\x03\x5d\x0c\xbf\xdf\x77\xac\x65\x0e\x7d\xe4\xc3\xdc\xc5\xa2\xf6\x0c\x4e\x08\x53\x6e\x75\xcc\xd8\x1a\x41\x42\x5a\x1d\xe4\x4e\xa2\x75\xba\xaa\x2a\x7c\xd1\x6e\xf6\x4b\x41\xcc\x71\xf8\x56\x86\x12\x17\xbf\x24\x3e\x8f\x61\xc8\x99\xf5\x6f\x4c\x64\xe1\x16\xe0\xbb\x02\x09\x86\xec\xa1\xf2\xa0\xd8\xfe\x1a\xb5\x13\x0b\x63\x9a\x7d\xb4\x1b\x54\xfd\x26\x2a\xc8\x58\x45\x2a\x2c\x79\xd8\x2d\x99\xae\x59\x79\x57\x17\x01\xdb\xb3\x0f\xc7\xae\xdf\x23\x7d\xc7\x85\xbe\xa7\x57\x6e\xde\x6c\xfe\x60\xc5\x3d\x88\xdb\x5e\x7d\xb5\x9b\x32\x14\xc8\xe7\xf0\x81\xa6\x1d\x3b\x69\x9e\xeb\x80\x2e\x6e\xf4\xe2\x98\xb8\x7a\xb2\x2a\x20\xbb\x1f\x3e\x8e\x4f\x7f\xe5\x6c\x31\x8d\x4b\xfa\x3e\xb3\x12\xb9\xf3\xe7\x59\x57\xbf\x62\x64\x7e\x30\x9c\xa0\xa5\xf6\x69\xcd\xed\xb2\xc3\x09\xaa\x72\x45\xcc\x83\x20\x77\xf6\x41\xb2\xce\xce\x61\x4f\x09\x38\xec\x1d\x45\x66\x00\xfa\x30\x06\x4f\x24\x9e\x2f\x8e\xfb\xac\xbd\x9d\x2e\xb9\x0e\x99\xfc\x09\x38\xed\xca\x24\x92\x4e\xda\xed\x9f\xbc\x50\xb1\x29\x2e\x64\x75\xa5\xb4\xf3\x8b\xfd\x37\x94\x01\xee\xda\x87\xb2\xd1\x7d\xe0\x3c\xeb\x23\xd7\x88\xdb\x69\xb5\x48\xae\x24\x56\x98\x9b\x8a\x51\x89\xd3\x80\x02\x03\x89\x0e\xb9\xa0\x49\x1a\x20\xf4\x46\x03\xc8\x81\xff\xb0\x64\x7e\x7f\xf2\x91\x13\x9e\x80\xa5\xc4\x6a\xeb\x43\x22\xe5\x93\x56\xd9\xfb\x1e\x6d\xd3\xdf\xfe\xfd\x4d\xf3\xe3\x5e\xac\x72\xf2\x92\x17\x74\x77\x1b\x8e\x28\x8a\xdb\x81\x8c\x85\x60\x55\x4a\x7a\xe3\x64\x7a\xe4\x9b\xaa\x80\x77\x6b\x74\x7a\xbc\x82\xdc\xf9\xe4\x08\xe8\xfd\x14\x47\x2d\x3a\x5d\x7e\xe0\x14\xa7\xba\x43\x74\x30\x6a\x6e\xad\xe2\xdf\x58\x03\x89\xca\xd9\xf5\x48\xbc\x42\x76\x9b\x27\xc8\xc4\xae\xfd\xdb\xea\x9c\x3d\x89\xd9\x96\x05\x51\xcf\xcb\xfe\x37\xc2\x14\xcb\x5f\xb3\x1d\x98\x35\xf1\xf8\xa8\x85\x7e\x53\xb3\x6e\x91\xbf\xe3\xa2\xe3\x55\x9d\x38\x38\x05\x0a\xfd\x13\xbf\xc6\x92\x45\x87\xc8\xd2\x2c\x21\xc2\xdf\x3c\xb2\xa0\xe0\x6f\x01\xf2\x31\x03\xc4\xb6\x95\x5a\x98\x5a\x7b\x26\x34\x7a\x6a\x9d\x17\x8e\x83\x5e\x77\x53\x65\xd4\x1f\xe3\x44\x3a\xe7\x99\x70\xda\xc3\x82\xa3\x2a\x59\x7c\x3d\x56\x7d\x05\x11\xb5\xdc\xdb\x4e\xbd\x12\x71\xdb\x6e\x67\x5a\x4f\x34\x3f\x95\x01\xf1\x0a\xb4\x72\x37\x38\xbe\xbb\x63\x66\x24\x1c\xd6\x02\x67\x3f\xf9\xc7\x69\x12\xde\x61\x41\xc5\xcd\x4f\x2e\xf9\x5e\x7e\xfd\x66\xdd\x51\xb5\x65\xdd\x50\x03\x5f\x8f\x7e\x86\xb5\x76\xd5\x12\x94\x81\xae\x75\xf7\xa9\xb7\xcf\x03\x3a\x40\x25\x02\xd5\xd1\xb5\xaa\x41\x15\xba\x1b\x84\xf7\xf2\xcc\x28\x4e\x3f\x63\x6a\x23\x4f\x40\xe0\xaa\x11\x8c\x8f\x9d\x0c\xe6\xfb\x7e\xe6\x13\xcc\x2f\x1c\xc7\xec\xc2\xe2\x64\xb2\x57\x3a\xc3\xdc\x26\x4a\xaa\x27\x64\x3a\x48\x3a\x1c\xb3\x8e\x2b\x02\x37\x77\x5e\xca\xed\x62\x6f\x7c\xb8\x9b\xc5\x63\x49\x2f\xfe\x1e\x5a\xe6\x40\x1c\xd8\x2a\x9a\xd0\xfb\xc3\x2f\x7b\x5b\xd3\x02\x9b\xda\xb7\x2a\x8d\x47\xf3\x4b\x37\x01\x1e\x9f\xba\x52\x07\x5a\x56\xb8\x9f\x29\x63\xed\xca\x79\x69\x30\xa4\x99\x8c\x75\x5d\xa0\xd2\x51\xda\x98\x5a\x18\x29\xcd\x10\xce\x76\x65\xd2\xb3\x64\x77\x6b\xd6\xc7\x6e\xf9\x97\x8f\x80\x0b\x45\x3f\xa7\xc2\x70\x48\x38\xdd\xe0\x5f\x2f\x64\x89\xf3\x1e\x35\xf6\xd7\x31\xc2\x67\x8f\x32\x85\x07\x0f\x29\x7c\xb3\xbc\x03\xc0\xa0\x12\xb2\x2f\xca\x31\x29\x55\x76\xac\xc3\xe6\x79\xbb\xcb\xa5\xfc\xeb\x7e\xe7\x69\x27\x49\xfc\xc5\x84\x95\x61\x4e\xb4\xa7\xf3\xa1\xfa\x7f\x21\xa6\x55\x17\x2d\xa2\x8c\xa9\x16\x29\x2d\xc7\x48\x48\x34\xc3\x1a\x3e\x5f\x54\x91\x2f\x10\x27\x1d\x58\x67\xe5\x7b\xc4\x64\x66\xd7\x81\xbb\xb5\x02\xef\x32\xed\x8b\x2b\x44\x52\xa5\x8e\x21\x2e\x7d\xb8\xae\xe5\x73\xdc\x62\x52\x14\x2e\xc5\xbf\x26\x83\xde\xd9\xa5\x8b\x60\xcf\x78\x83\xef\x04\xbd\x50\x2e\x3d\xf2\xd6\x21\xbe\xc0\xe7\xfc\xaf\x67\x26\xe8\x4f\xb1\xc6\x95\x37\x22\xc7\xb8\x52\x3d\x4c\xb6\xe4\xb5\x5b\xc3\xd1\x96\xc7\x93\xc4\x48\x58\x81\x4b\x02\x9e\xb2\x3e\x8f\x80\xb6\x6a\xef\xdd\x8b\xe2\x15\x41\x22\x86\x08\x85\x2f\xc3\x54\xf7\x56\x05\xae\xef\xb8\x28\x97\x1d\xef\xa6\x8e\x28\xcd\xc6\x94\xb2\x4f\x2f\x46\x1c\x70\x7d\x27\xb9\x8d\xa4\x00\x0f\x9c\x82\x3e\xbb\x33\x84\xc5\x0d\x6e\x41\xe5\xdd\xaa\x60\x1b\x69\x6f\x41\xa9\xba\x4f\xee\xe0\x88\x52\x87\x4b\xf0\xe3\x1d\x20\x15\x28\x95\xe1\xda\x84\xa9\x4d\x52\x9a\x19\x4b\xe5\x3a\x88\x63\x04\xe7\xe3\x60\xa6\xa4\x0d\x2d\x40\x74\x90\x5b\xbf\xd0\x6e\x37\x13\x37\x5b\x31\xbc\xca\x23\xf4\xdb\x67\xda\x9b\xf6\x92\x0a\x5b\xb4\x48\x85\xdc\xc3\x08\x6c\xa7\x89\x5c\x10\x69\xdd\x35\xf1\x89\xe5\x7c\xe6\x0f\x8e\x0b\x0b\x5d\x33\x7b\xd6\x69\xd3\xde\xac\x1f\x01\x15\x57\x0a\x5f\xa6\x50\x5f\xac\x83\xc6\x21\xc4\x6f\x69\x3d\x84\xdc\x77\xe2\x14\x8e\x88\x7a\x82\x2d\x86\xc8\xc0\xff\x4c\x00\x48\x5c\x7f\x37\xa5\x19\x8c\x69\xc8\x81\xc1\x58\xb7\x44\xfd\x09\xcc\x76\xc0\x57\x4f\x4a\xca\xad\x64\x62\x04\x55\x27\x74\xe9\x8e\x17\xc3\x99\x8e\x34\xe7\x56\x28\xda\x26\x30\xa5\x31\xcf\xe9\x27\xd3\xc5\x5e\xf0\x2d\xf3\x37\x7e\xab\x25\x14\x35\x89\xa5\x0a\x07\xa3\x29\x06\xe7\x14\xea\x42\x58\x4b\x3d\x69\xd7\xdd\xda\x2f\xc0\xfa\x48\x6a\x0e\x93\xba\xf7\x8f\xf1\xb3\x5d\x98\xc0\x82\x38\x41\x23\x0a\x26\xb5\x21\x20\xa4\x45\x11\x5a\xdb\x78\xd8\xfd\x99\xb7\x1a\xb8\x6b\xd2\x7a\xae\xcd\x16\x59\xe8\x9f\x99\xef\xa5\x4f\x87\x64\xc2\xf4\xbc\x01\x97\x5a\xce\x6f\x35\xd2\x7c\x2d\x18\xc7\x13\xa9\x94\x71\x79\x21\x18\x19\xdc\x42\xf7\xcf\x3f\xe6\xb5\x46\x67\x4f\x14\x46\xf0\xc8\x1a\xa0\x82\x77\xec\x6b\x14\x0e\x14\xb6\xe4\x36\x07\x82\xbd\x17\xd0\x32\x55\x20\x8c\xac\x91\x7a\x5f\x8a\xc0\x3e\x6e\x8d\x13\xd0\xe6\x2d\x11\xbf\x55\xd0\x0b\x3f\x8f\x1e\x80\xb8\x55\x1b\xd7\xb6\x5b\x62\x84\xd1\x56\x6c\xdf\xdf\x43\x07\xa5\xee\x5c\xe8\xbd\xd6\xfd\x04\xa3\xed\xb4\x87\x1b\xa9\x7a\xa0\x1d\x67\x3a\xf3\x37\x69\x8f\x0a\xda\x53\xca\xb9\xbd\xf9\xf6\x31\xd0\xcc\xb7\x61\x7f\xf1\x3e\x0a\x3b\x37\x85\xed\x26\xdb\x72\x2e\x16\x32\x71\xb1\xf5\xe4\x69\x00\x05\x24\x94\x27\xbd\x44\x36\x2c\x66\x31\x15\x72\x86\xdb\xe4\xac\x19\x62\x0b\x55\xa6\x4f\xa6\x95\x8f\xe3\x2f\xf1\x3b\x1a\xdd\xfd\x7f\x56\xa1\x6f\x79\xda\xf4\xe9\x27\x87\x27\x57\x8d\x01\x54\x11\x8f\xe5\x91\xa0\xd8\x9a\xf0\x7d\x8b\xc3\x58\x2c\xf5\x1a\x01\x76\x6d\x9c\x9e\xe3\xf8\xf8\x0b\x58\xe8\x6f\xdf\xbb\x47\x70\xe6\xcf\x25\x54\xb0\xd9\xe0\x76\x99\x28\xc4\xa2\xf3\x83\xaa\xa5\x25\xdd\xf4\x73\x4f\x4c\xb1\x99\x96\xbe\x80\xb4\xc9\x1f\x91\xbb\xca\x60\x94\xab\x91\x0b\x66\x52\x41\xe2\x9b\x3d\x48\x78\x4f\x80\xd3\x2d\x21\x61\x34\x7d\x2b\xfd\x79\x1a\x66\xc6\xe8\x24\xf2\x30\x8b\x07\xf7\x67\x25\x0d\x11\x62\x6d\xbd\xcc\x96\x13\x68\x3e\x46\xcd\xc9\x90\x3a\xa0\x84\x88\x03\xb4\xa3\xdf\xb1\xfc\x9b\x35\x0d\x47\x16\x4e\xc5\x9d\xb3\x65\x1e\x1f\x5f\x9a\x5c\xc1\xad\x48\x46\x54\xac\x3a\x7f\x01\x3b\xad\xb6\xa0\xab\x87\xef\xfa\xff\xd5\x26\xa5\x3b\xea\xd6\x59\xa1\x5d\xc2\xfd\x63\x1d\xcd\x84\x3e\xc3\x41\x80\x4a\x56\x3d\x06\xff\x6c\x56\x31\xdd\xa5\x04\x4b\x9a\x99\xdc\x77\xbc\x4a\x4f\xe3\x26\x79\x8d\x67\x2d\x45\x07\x27\xe8\x1e\x49\x15\x33\xe6\xa2\x11\x21\xe3\xb8\xe5\xcd\xe3\x5f\xb8\x4e\x74\xfe\x50\x11\x89\x62\x35\xfe\x05\xf3\x35\xbf\x12\xe3\x17\x24\x01\x91\xe7\x42\xdf\x94\x38\x75\x29\x84\xfb\xc6\x97\xa5\x3b\x39\x50\xe2\x6b\x3d\xa9\x03\x1d\xc2\x34\xe8\x43\x32\x6d\x04\xfe\x09\x6b\x1c\x89\xce\x93\xbc\x6c\x5a\x60\xd7\xe6\xf0\xc5\xe8\x43\x8f\xd1\x0f\xa6\x6b\x3e\xef\x5d\xf7\x9a\x3d\xf5\x15\x24\x5e\x2f\x37\x0b\x91\x3b\x93\x33\x87\x59\x06\x01\x54\x60\x28\x3f\x87\x3b\x82\xb7\x91\xfb\x4d\xb7\x1a\xa4\xf5\x7d\x81\x82\xbd\x91\x46\x13\xba\x4d\x85\xf2\x49\x0b\xb9\xbf\xc6\x94\x0c\x5c\x49\x86\xc5\x44\x30\x8c\x3a\xc2\x2b\x79\x5f\xcb\x0b\x5a\x06\x2d\x3a\x15\xae\x30\xf6\xb7\xac\x27\x1b\xf9\xaa\xc4\xbd\xcd\x94\x9a\xae\xe1\xd7\xbd\xc8\x89\x5e\xea\x12\xda\xea\x16\x18\x5d\x86\x9d\x6c\xbd\x97\x1c\xcf\x16\xe4\xda\x5d\x70\x37\x64\x37\xa2\x0b\x6e\xa6\xc3\x5c\x50\x7e\xae\xe0\xa0\x22\x1c\x70\x52\x7d\x69\xc5\x7e\xb3\x55\x1c\x61\x73\x20\xed\x3f\x81\x7e\xe2\xa6\x99\x88\x12\x09\x64\xb3\x31\x13\x74\x06\xdd\xe2\x02\xc2\x43\xa9\x1a\x0d\x81\x0d\x16\x13\xac\x87\x09\xb2\x6a\x0e\xcc\xdd\xd7\xfc\x75\xa0\xd8\x18\x27\x6c\xb4\x95\x3b\xb8\x05\x76\x26\xf2\x3b\x72\x1d\x60\x73\xd7\x65\x86\x39\x7a\x8f\x05\xd0\x60\xd4\xe2\xdf\xcf\x14\xde\x48\xfa\xda\xae\x6e\xcb\xd5\xfb\xfe\x95\x8a\x2f\x93\x1c\x53\x1e\xa3\x25\x18\x2e\xd2\x98\x72\xa3\xdf\xec\x46\x90\x74\xbc\xda\xbb\x2a\x1a\x13\xfe\x24\x66\x7e\xfa\xaa\x26\xc5\x05\x19\xaa\x93\x35\xd3\x06\xfd\x23\x37\x99\x39\x74\x3a\x10\xac\x90\xd3\x17\x1b\x3b\xd0\x6a\x5b\x46\x3a\xd1\xb6\x12\xef\x3d\x54\xf5\x3f\xdd\xff\x55\xa8\xea\xef\x0b\x6f\x78\x77\x9d\x94\x8f\x7a\xa4\x59\x8a\x1d\xcf\x72\x6a\xaa\x45\xb9\x9d\xa0\xbc\xa1\x96\x81\x2f\x9c\x59\x98\x60\x84\x89\xe8\x0d\xde\xf1\x3a\x4b\x8e\xb0\x30\xc7\x17\x42\xc3\x04\x66\x5e\x15\xa9\xf5\x6a\x77\x67\x9e\x7c\x4d\x70\xaa\x84\xa5\x34\x66\xbc\x5f\x50\xd5\x5a\x67\x6e\xae\x3c\xdf\x86\x29\x36\xc8\xb2\xf3\x45\x1e\x21\x87\xb7\xae\x8a\xe1\x44\x6e\x09\x01\x42\xcb\x89\xe4\xee\x09\xe4\x0c\xd4\xa0\xfe\x82\x0e\xc2\x84\x50\xed\x7e\x7a\xe2\xe0\xe4\x7a\x3d\x40\x54\xa4\xac\xf5\x36\xe9\xa3\xef\xb8\xfb\xf5\xd0\xd6\xfb\xc6\x9a\x51\xba\xd4\xa6\x72\x3d\x62\xc8\x31\x1e\xc2\x24\xec\xc7\x10\x48\xbc\x16\xf9\x80\x5d\x91\x7a\x8a\x62\x94\xc0\x38\xb2\x84\x2d\x61\xde\x81\x0d\xb1\xb1\xa6\xf3\x77\x20\xd3\x01\x1f\x5e\x55\x80\x38\x50\xb6\xaa\x0c\x4b\xab\x3c\x81\x2c\xd7\xdb\xab\x18\xa7\x32\xac\x8e\x16\x7c\x49\xec\xc8\x35\x93\x88\xa9\x50\x80\xcb\x1d\x79\x6c\x32\x4f\x1a\x9c\x37\x95\x74\x9a\x36\x68\x23\x57\x60\x1b\x26\x0d\x85\xc7\x10\xdd\x0c\x67\x17\x3a\x8e\x4c\x1a\xa1\xe9\x5d\xdb\x86\x0e\x37\xc4\x4c\x99\x0e\xc5\xd1\x1c\x0e\x71\x90\x7c\x3e\x5e\x5f\xd2\x47\xfa\x32\x1d\xe9\x2d\xb5\x06\x84\x50\x6e\x82\x94\x47\xa8\xc8\x59\x09\xd2\x39\x7e\xc1\x1b\xbe\x06\x13\xa4\xd8\xaf\x44\xc2\x09\xbc\x45\x70\x29\x3e\x9c\xf7\xba\x6f\x47\x75\x4f\xd0\x50\x6e\xc3\x4a\xf2\xf9\xef\x20\x25\x0e\xdc\x01\xf9\x7b\x83\x74\xd8\x2c\x75\x09\xa2\x31\xb0\xd5\xc9\xb0\x85\xf9\x94\x8e\xfc\xe6\x8c\x57\x12\xf9\x6a\xfc\xf4\xf9\x2a\x1e\xb3\x49\x34\xb1\xd6\x64\x34\x41\x04\x33\x7c\x2b\x50\x28\xc8\xc7\xd6\xd7\xe6\x2e\x74\xcf\x28\x3d\x61\xda\xc1\xad\x87\x21\x50\x5c\x48\x84\xa8\x1c\xf6\x92\xaa\x33\xf8\x01\xcb\xc7\xee\xe1\xae\x61\xbd\x4c\x96\xa4\xb1\xad\xb8\x8f\x24\xb0\xa5\xe7\x81\x5c\x53\x7b\x25\xb8\xbc\x2e\xe2\x83\xe4\xe0\x5f\xa0\xf1\x57\xf1\x94\xf5\xb2\x2d\x6d\x02\x67\xfb\x0f\xd5\xab\x10\xbe\x22\x30\xcd\x21\xf8\x70\xe0\xe6\x51\xb5\x74\x7b\xb7\xf4\x59\x3e\xf5\x2c\x8a\x2e\x51\xd5\x09\x3e\xe1\x40\x5e\x49\xbb\xa6\xb3\x6c\xf9\x7f\x0b\x2f\x71\x50\xa1\x0a\xb7\x66\x94\x78\xa4\x83\x1f\x9c\x5e\xe6\x79\x0e\x91\xe9\x3b\x0e\x81\x4b\xc3\x14\xb0\x62\xc6\x8a\x3d\x36\xcf\x48\xda\x34\x9b\x02\x23\x80\x27\x22\xd7\x6b\x8b\xde\x97\x98\x2f\x78\xdd\xda\xb0\x64\x08\x4b\x3e\xea\x0a\x33\x5b\xd0\xdd\x84\x61\xb1\x05\x81\xd4\xa9\xaa\x69\x9d\x54\x2d\xba\x4c\xa8\x46\x4f\x62\xad\x3b\x9c\xd7\xe8\x20\x26\xa3\xfd\x15\xc2\xbd\xb3\xe3\x0a\x76\x43\xe8\x2f\x2c\x8e\x76\x44\x98\x86\x69\x89\xe2\xfe\x5a\x9e\x89\xc2\x37\x40\x4a\xad\x6b\x55\xc2\xbe\x45\x8e\x3f\x65\x47\xf7\x27\xf0\xb2\xc9\x05\x2d\xe4\x83\x9a\x6b\x5f\x03\xf5\xa7\x88\xe5\xa1\x4d\x84\x48\xee\x25\xb3\xdf\xf6\x90\x02\xd5\xfd\xa5\xca\xfe\x5b\xed\x82\x60\x28\x5b\x61\xce\x3c\x53\xc1\x62\x88\xef\x8a\xf1\x75\x9f\x63\x13\x60\xae\xe3\xbd\xc5\xeb\xfc\x22\x9b\x96\x7d\x19\x37\x99\x65\x53\x95\x24\x09\xf5\xf5\x86\x08\x20\xfd\xd2\xed\x84\x6d\xab\x93\x1b\x2d\x19\xfd\xda\x50\x69\x3a\x92\x6a\x41\xe5\x60\x60\xf2\xd6\xc1\x3c\x12\x5c\x0c\x4b\x08\xe4\x75\xa9\x92\xcc\xe4\xb5\x1e\x0f\x76\xeb\xc3\xc7\x36\x2f\xb1\xbb\x0b\x98\x05\x33\x2c\x16\x2e\x1e\x09\xd1\xff\x0e\xb7\x3b\x24\xe4\x0d\x61\x88\x13\x6b\xbc\x6e\xf8\xa3\x6f\x63\x2e\xa3\x2e\xa4\xc0\x61\x99\x18\x1d\xbb\x78\xf3\x99\xf4\x7d\xfb\x46\x33\xd0\xf0\x76\x8e\xe3\xd3\x3b\xef\xdc\xc3\xc0\xfa\x08\x9c\x21\x82\xd6\xa8\x5b\x27\x21\x35\xea\xe3\x43\x6b\xfa\x09\xb1\x8b\x10\x21\xf3\x70\x97\x99\x4a\xd7\x1a\xc9\x4c\x97\x44\x8e\x2b\x25\x2a\x75\x86\x16\xc1\x5f\x09\x66\x44\x7d\xe5\xd6\x48\x71\x05\xfa\x40\x80\x42\xc9\x0a\x9a\x89\xce\x90\xf0\x72\x8d\x7d\x76\x7c\x47\x2f\x60\xa1\x74\x0c\x77\xc0\xa6\x4a\xf3\xad\x4f\x94\x54\x4e\xbb\x3d\xe7\x94\x20\x1d\x17\xd6\x39\x97\x65\xe0\x55\xa5\xb9\x4d\x56\x9c\x66\x18\xe1\x14\x27\x5c\xfe\x79\xc2\x63\x63\x69\x42\x4e\x01\xca\x8b\x8e\x3a\x53\x0b\x92\x43\x16\xf4\x3d\xf7\xe4\x3c\xd0\x70\xd1\xb0\x9e\x8c\xc1\x84\xac\x7a\xe9\x79\x11\x9a\xae\x40\x15\x5a\x2a\x67\x32\x9e\x18\x72\x2c\x3d\xc7\x2d\xee\x00\x49\xeb\x4c\x29\xb3\x06\xdc\x81\xde\x1a\x19\x67\xcf\xe1\x7e\x97\xca\x47\x65\x62\xca\xd4\x3e\x84\xab\x3e\xc6\xe7\x6d\x35\x88\x29\xba\xad\x98\x22\x41\xd0\xdb\x74\x45\x45\x4f\x6a\x40\x54\x05\x05\x7b\x57\xfb\x93\xdf\xbd\xc8\xda\xe5\xb3\x0c\x64\xcd\x22\x0d\xc4\x8f\xdb\x56\x67\xa3\xc0\x65\xf4\xb3\x08\xbd\x07\x6f\x95\xc8\x10\xe9\x1d\x5b\x2b\x92\x11\x26\x12\x85\x20\x02\x8a\x70\x0e\x50\x6d\xa6\xc7\x61\x7f\x62\x42\x42\xa5\x9b\x87\x4d\x06\x04\x09\x11\xd5\x34\xa0\xe1\x5a\x51\x95\xfd\x8d\x9c\xb4\x65\x17\x62\x75\x11\x95\x40\x03\x48\x92\xcc\x6e\x6a\xaf\x17\x4b\x06\x43\x56\x25\xf9\xbd\xe8\xe6\x99\xe2\x8c\xbe\xed\x2b\x9a\xe0\xfc\x68\x4c\xbd\x8c\x77\xbf\x83\x80\x86\x45\x03\x95\xf2\x2c\xd0\x25\xc7\x04\x60\x39\x4c\xc2\x19\x78\x9f\xc7\x56\x83\x79\xdf\x98\x56\x58\x3f\x79\x6c\x8a\x29\x44\xb8\x57\x07\x7b\xd2\x9f\x54\x78\xe8\xb3\xbd\xf9\x16\xe6\xd6\x79\x63\xf8\xc0\x39\xba\x46\x9b\x60\xd0\xa2\x4e\xdb\x6f\x9e\x00\x40\x2b\x6f\x28\x6d\x88\xa4\xfc\x10\xbf\x76\x4d\x8c\x37\x25\x27\x10\xcb\x47\xb5\x69\x37\x08", 4096); *(uint64_t*)0x200000004690 = 0x200000004580; memcpy((void*)0x200000004580, "\x82\x07\x18\x73\x3b\x49\xda\xf8\xed\x80\xb0\xed\x25\x77\x2d\x57\xd7\x74\x35\xef\x1d\xa1\xca\x4f\x19\x30\xad\x4e\x71\x3b\x84\xd4\xc1\xa2\x4c\x71\x2f\x02\xe0\xb8\x6d\x18\x42\xc1\x64\x41\x5a\xa9\xe4\x90\xe6\xc8\x23\x0a\x89\xe3\x09\xfa\xf0\x7d\x23\x9d\xd7\xcd\x35\xda\x5c\xb5\xf3\x69\x19\xdb\x06\xdf\x51\xa5\xa9\xc5\xfc\x80\x49\x89\x7d\x04\xbb\x73\x17\x25\xff\x5f\x5d\x98\x47\x6e\x15\xb1\xdb\xab\x8c\xdc\x40\x5c\x2c\x17\x36\x58\x05\xe2\x7a\x61\xa5\xf0\x61\xe7\xea\xd1\x00\x27\x2f\xe2\xd9\xbd\x8c\xae\x4a\x26\x1b\x45\x19\x19\xeb\xb9\x27\x20\x4c\x1f\x63\xa8\x90\x81\x47\xb9\x98\x35\xba\x99\x43\x78\xa3\x2f\x9f\x11\x03\x57\x4a\x08\x93\x4f\xbc\x79\xd3\x1a\xaf\x13", 164); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000004640ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004644; r[13] = *(uint32_t*)0x200000004648; } break; case 22: res = syscall(__NR_geteuid); if (res != -1) r[14] = res; break; case 23: res = syscall(__NR_fstat, /*fd=*/r[4], /*statbuf=*/0x2000000046c0ul); if (res != -1) r[15] = *(uint32_t*)0x2000000046dc; break; case 24: *(uint32_t*)0x200000004740 = 0x600b; *(uint32_t*)0x200000004744 = 0xf; *(uint32_t*)0x200000004748 = r[3]; *(uint32_t*)0x200000004750 = 0xee00; *(uint64_t*)0x200000004758 = 6; *(uint64_t*)0x200000004760 = 3; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0286405, /*arg=*/0x200000004740ul); if (res != -1) { r[16] = *(uint32_t*)0x200000004748; r[17] = *(uint32_t*)0x200000004750; } break; case 25: *(uint32_t*)0x2000000048c0 = 1; *(uint32_t*)0x2000000048c4 = 0; *(uint32_t*)0x2000000048c8 = 0xee01; *(uint32_t*)0x2000000048cc = 3; *(uint32_t*)0x2000000048d0 = 6; *(uint32_t*)0x2000000048d4 = 0x10; *(uint16_t*)0x2000000048d8 = 1; *(uint32_t*)0x2000000048dc = 0xfffffffb; *(uint64_t*)0x2000000048e0 = 0xffffffffffffffa8; *(uint64_t*)0x2000000048e8 = 0x800100000; *(uint64_t*)0x2000000048f0 = 0; *(uint32_t*)0x2000000048f8 = 6; *(uint32_t*)0x2000000048fc = r[5]; *(uint16_t*)0x200000004900 = 0x40; *(uint16_t*)0x200000004902 = 0; *(uint64_t*)0x200000004908 = 0x200000004780; memcpy((void*)0x200000004780, "\x1f\x8a\xa3\x8b\x61\x93\x8f\xb7\x29\x9a\x96\xae\xe6\x1f\x6c\xfc\x70\x19\x0f\x9d\xf3\x01\xd4\x0c\xcf\x55\x77\x95\xfc\x00\xd7\x75\x9e\xfa\x4a\xd1\x66\x1c\xbb\x0d\x54\xc3\x10\xaa\xbc\xc2\x92\x85\xc2\xce\x84\xfc\xbe\x97\x40\x7d\x84\x9e\xde\xc2\xf5\x98\xb2\x05\xfa\x5e\xa2\x46\x0d\x0f\x61\x5a\xd8\x7e\x7e\x26\x05\xe8\x10\x1f\x58\xad\xb6\x2e\x17\x8c\x78\xc4\x54\x58\x0a\x55\xd6\x3f\x5e\x1d\x11\xf9\x32\x25\x0d\x1f\xef\xd4\x51\x95\x45\x15\x88\xbf\x53\x0d\x73\xd8\x30\x76\xa9\x3a\x28\x9b\x61\x3b\xc6\x8b\x49\x90\x54\x23\xd7\xd5\xac\xe8\x01\x62\x92\xe8\x03\x77\xfe\xd1\xb5\x88\x77\xd9\xc4\xd0\x4e\xa0\x5b\xa8", 150); *(uint64_t*)0x200000004910 = 0x200000004840; memcpy((void*)0x200000004840, "\xb7\x37\x6d\x34\xb8\xa4\xcc\x32\x66\x7d\x88\x59\x91\xbb\xbc\x68\x28\xd0\x8b\xd6\x69\xe6\xaf\x09\xfe\x1e\x55\xbb\x32\xd8\x85\xd2\x17\xaf\xb9\x56\x45\x97\x63\x90\xdd\x73\x08\xc5\x04\xc5\xd3\x99\x53\xa7\x83\xb0\x65\xbd\x4f\x0a\x72\xbf\xaa\x17\x6a\x0d\x2a\xce\xe5\xc8\xe4\x1f\xf9\xb6\x92\xa4\x1d\x01\x0c\x7b\x34\x59\xf8\x4c\x72\x1c\xdc\x4c\x7d\xad\x40\xcd\xb1\x71\xae\x49\xa5\x56\xc9\x8b\x5e\xda\x14\xdb\x8d\x4c\xdc\xc0\xb4\x7f\xa7\x5b\xc9\xfa\xa1\x71\xe6\x8b\x70\x0c\x49\x60\x22\x25\x16\xf6\xd5", 123); res = syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/0xb, /*buf=*/0x2000000048c0ul); if (res != -1) { r[18] = *(uint32_t*)0x2000000048c8; r[19] = *(uint32_t*)0x2000000048fc; } break; case 26: *(uint32_t*)0x200000004a80 = 8; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0xee00; *(uint32_t*)0x200000004a8c = 0x5c6; *(uint32_t*)0x200000004a90 = 0x1000; *(uint32_t*)0x200000004a94 = 2; *(uint16_t*)0x200000004a98 = 0; *(uint32_t*)0x200000004a9c = 0x326; *(uint64_t*)0x200000004aa0 = 3; *(uint64_t*)0x200000004aa8 = 3; *(uint64_t*)0x200000004ab0 = 7; *(uint32_t*)0x200000004ab8 = 1; *(uint32_t*)0x200000004abc = r[5]; *(uint16_t*)0x200000004ac0 = 0x300; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000004940; memcpy((void*)0x200000004940, "\x8d\x80\x00\x08\x98\xd8\x1f\x2a\x2a\x53\x7f\xc2\x1c\x52\x02\x3b\xc6\xee\x66\x95\x4a\x12\xa9\x3f\x24\x18\xcd\x8b\x0b\x69\x06\x7e\x3f\xfb\xce\x8f\x5d\x74\x31\xe0\x01\xed\x25\x5f\xb5\xed\x78\x43\x74\xaa\xd3\x0a\x67\x50\x0f\x8f\x6c\x04\x2b\xf9\xe6\x67\x06\x60\xd4\x25\xf7\x61\x1c\x7e\xcd\xfc\x45\x0c\x05\xef\x9c\x0a\x65\xc6\x2d\xc2\x21\x5f\xec\x7c\x02\xb7\x12\xde\x12\xf5\x05\x3e\x2c\x3f\x60\xd7\x80\xfa\xfc\x4d\x1a\xc2\x21\xca\x09\x07\x54\x29\x32\x88\x9c", 113); *(uint64_t*)0x200000004ad0 = 0x2000000049c0; memcpy((void*)0x2000000049c0, "\x9c\xcf\xda\x86\x9d\xeb\x66\x1f\x5f\xc9\xba\x8f\x62\xd2\x9a\x4e\xa3\xbe\x92\x86\xf7\x7e\xf1\x11\x78\xf9\x6e\x25\xe8\xbd\x88\x8e\xcc\x08\xd4\x52\xe9\x47\x31\xdc\x6e\x97\xd3\x9a\xb9\x81\x4e\xec\x35\x7a\xcb\xb7\xad\x42\x32\x89\x93\x15\xb7\x4d\xf9\xb4\xdf\x71\x30\x2a\x48\x2e\x3c\x52\xfc\x98\x81\x62\xd5\x71\x39\xe6\x91\x02\x87\x53\xaa\x86\xb2\x0c\xbc\x06\x0c\xea\xf9\xde\x31\xcf\xbd\xfa\xdb\x28\x02\x23\x28\x70\x09\x02\x86\xf9\x0b\x42\x6c\x18\x86\x6f\xb6\x2b\xb4\x66\x2a\xc9\xcf\x93\x8b\x12\xc2\xb3\x80\xa1\x32\x4d\x83\x13\x57\x5e\xad\xbc\xec\x1a\x33\x83\x27\x33\xdc\x87\xa6\xf8\xef\x25\x23\x0f\xc8\x15\xe2\xb6\x75\x6e\x60\x14\x4a\x41\x19\x57\x69\xee\x48\xe2\x1d\x49\x7f\x0e\xb1\x9a\xa1\x24\x19\xeb\x80\x45\xac\x2c\xad\xa3\x87", 181); res = syscall(__NR_shmctl, /*shmid=*/0xfff, /*cmd=*/0ul, /*buf=*/0x200000004a80ul); if (res != -1) r[20] = *(uint32_t*)0x200000004a84; break; case 27: memcpy((void*)0x200000004b00, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000004b00ul, /*statbuf=*/0x200000004b40ul); if (res != -1) r[21] = *(uint32_t*)0x200000004b5c; break; case 28: res = syscall(__NR_getuid); if (res != -1) r[22] = res; break; case 29: res = syscall(__NR_getuid); if (res != -1) r[23] = res; break; case 30: memcpy((void*)0x200000004bc0, "./file0\000", 8); *(uint64_t*)0x200000004c00 = 2; *(uint64_t*)0x200000004c08 = 3; *(uint64_t*)0x200000004c10 = 5; *(uint32_t*)0x200000004c18 = 6; *(uint32_t*)0x200000004c1c = 0xee01; *(uint32_t*)0x200000004c20 = 0xee01; *(uint32_t*)0x200000004c24 = 0; *(uint64_t*)0x200000004c28 = 0; *(uint64_t*)0x200000004c30 = 1; *(uint64_t*)0x200000004c38 = 0x5f2b; *(uint64_t*)0x200000004c40 = 0xffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint64_t*)0x200000004c58 = 0x80000001; *(uint64_t*)0x200000004c60 = 5; *(uint64_t*)0x200000004c68 = 0xcc8; *(uint64_t*)0x200000004c70 = 6; memset((void*)0x200000004c78, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000004bc0ul, /*statbuf=*/0x200000004c00ul); if (res != -1) r[24] = *(uint32_t*)0x200000004c20; break; case 31: *(uint32_t*)0x200000004dc0 = 2; *(uint32_t*)0x200000004dc4 = 0xee00; *(uint32_t*)0x200000004dc8 = 0xee00; *(uint32_t*)0x200000004dcc = 0x401; *(uint32_t*)0x200000004dd0 = 9; *(uint32_t*)0x200000004dd4 = 6; *(uint16_t*)0x200000004dd8 = 8; *(uint32_t*)0x200000004ddc = 0; *(uint64_t*)0x200000004de0 = 8; *(uint64_t*)0x200000004de8 = 0x101; *(uint64_t*)0x200000004df0 = 4; *(uint32_t*)0x200000004df8 = 0xffffff46; *(uint32_t*)0x200000004dfc = 8; *(uint16_t*)0x200000004e00 = 2; *(uint16_t*)0x200000004e02 = 0; *(uint64_t*)0x200000004e08 = 0x200000004cc0; memcpy((void*)0x200000004cc0, "\x00\xb8\xfc\xb8\xc5\x1e\x1a\xf1\x5f\x5b\x1d\x2c\x15\x82\x1b\xb8\xf4\xe8\x46\xf2\x0d\x66\x2d\xad\x19\xa0\xe5\x94\x29\x99\x48\x59\xbb\x1d\x0b\x6c\x63\xef\x69\x44\x16\xac\xb4\x94\x49\x4c\x66\x18\xf9\x85\x73\xd3\x70\xcc\x43\x50\x65\xec\x4d\xa9\xef\xd3\xf6\x76\x26\xf4\x4c\x18\xb9\x6b", 70); *(uint64_t*)0x200000004e10 = 0x200000004d40; memcpy((void*)0x200000004d40, "\x23\xc6\x65\x18\x78\xdd\xaa\x08\x5a\xe0\xbd\xfb\x7c\xcb\xb0\x8b\x71\xaf\x34\xf9\xf1\x56\x5e\x8a\xc7\x7c\x52\x93\xba\xdd\xfe\x69\xea\x20\xac\xed\x26\xde\x58\x66\x4b\x32\xeb\xf6\xf7\x34\xd3\xf7\xf6\x92\x06\x5f\xe4\xf9\x9e\xa2\x83\x36\x2b\x12\xf9\x6c\xb9\x72\x63\x2e\x80\x27\x3d\x01\x46\x87", 72); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xbul, /*buf=*/0x200000004dc0ul); if (res != -1) r[25] = *(uint32_t*)0x200000004dc4; break; case 32: *(uint32_t*)0x200000004ec0 = 0; *(uint32_t*)0x200000004ec4 = 0xee00; *(uint32_t*)0x200000004ec8 = 0; *(uint32_t*)0x200000004ecc = 0x19; *(uint32_t*)0x200000004ed0 = 6; *(uint32_t*)0x200000004ed4 = 7; *(uint16_t*)0x200000004ed8 = 0x53; *(uint64_t*)0x200000004ee0 = 0x200000004e40; *(uint8_t*)0x200000004e40 = 3; *(uint64_t*)0x200000004ee8 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 5; *(uint64_t*)0x200000004ef0 = 0x45; *(uint64_t*)0x200000004ef8 = 0x38; *(uint64_t*)0x200000004f00 = 0; *(uint64_t*)0x200000004f08 = 0xffffffff80000000; *(uint64_t*)0x200000004f10 = 4; *(uint16_t*)0x200000004f18 = 0x42; *(uint16_t*)0x200000004f1a = 7; *(uint16_t*)0x200000004f1c = 0x2825; *(uint32_t*)0x200000004f20 = 0xa21; *(uint32_t*)0x200000004f24 = 1; res = syscall(__NR_msgctl, /*msqid=*/1, /*cmd=*/1ul, /*buf=*/0x200000004ec0ul); if (res != -1) r[26] = *(uint32_t*)0x200000004ec8; break; case 33: *(uint32_t*)0x200000005680 = 0; *(uint32_t*)0x200000005684 = -1; *(uint32_t*)0x200000005688 = -1; *(uint32_t*)0x20000000568c = 8; *(uint32_t*)0x200000005690 = 6; *(uint32_t*)0x200000005694 = 0xa87; *(uint16_t*)0x200000005698 = 6; *(uint32_t*)0x20000000569c = 5; *(uint64_t*)0x2000000056a0 = 7; *(uint64_t*)0x2000000056a8 = 6; *(uint64_t*)0x2000000056b0 = 1; *(uint32_t*)0x2000000056b8 = r[6]; *(uint32_t*)0x2000000056bc = 5; *(uint16_t*)0x2000000056c0 = 4; *(uint16_t*)0x2000000056c2 = 0; *(uint64_t*)0x2000000056c8 = 0x200000005480; memcpy((void*)0x200000005480, "\xfe\xed\xc6\xae\xab\x06\xac\x00\xe0\x0a\x47\x26\xdf\xfa\x89\x36\x98\x62\x1b\xfa\x7d\x41\xa1\xac\xc3\xb8\x24\x88\xd2\x7e\x0a\xd4\x99\xd0\xf4\x71\x76\x04\x49\x63\x03\xa3\xc3\x2e\xee\xb4\x4d\xf0\x79\x18\x2f\x9c\x1f\x77\xba\x86\xb5\xd7\x5d\x3c\xfc\x32\xf4\x50\x62\xe9\x3e\x18\x4c\xec\x89\x02\x44\xb1\x95\xf2\xcd\x11\xbb\x0a\x90\xf2\xa2\xd8\xf6\x7c\xc5\xc0\xbe\x21\xff\x7a\x4f\x4d\x4a\x43\xb7\xfb\x2b\xa7\x33\x04\x0d\x26\xfa\xe0\xfb\x33\x2c\xcc\x40\x57\x09\xc4\xb6\x02\x93\x6c\x96\x94\x2a\x8e\xb5\xae\x32\x7c\x87\xdb\x6f\x2f\x6f\x61\x0f\x80\x3c\xc6\xd8\xd2\x09\x9e\xc2\xa8\x74\x19\xcd\x0c\x20\x6b\x74\xac\x24\x97\xac\x1f\x8b\x63\x7c\xff\xd4\x42\x7d\xae\x82\xe7\x7b\xea\xf3\x7c\xe6\xf5\xd2\xbd\xde\xb3\x19\x44\xc3\x6a\x67\xec\x43\x46\x59\x2b\x8b\x0a\x7f\x4f\x28\xc9\x52\xc8\xf6\xbc\xbe\x0a\x5e\xc3\x5a\xae\x35\x4c\x1f\x9e\x66\xbf\xab\x1f\xa0\xf8\xfb\xe0\x2e\x56\xaf\x6e\xcc\xe5\x25\x61\x78\x00\xb4\x2e\x8c\xb5\x83\x1e\x20\xae\x90\xe7\x3b\xdd\x29\xda\x4c\x8b\x8d\x1d\x00\xad\x8e\x8e\x8d\x8f", 246); *(uint64_t*)0x2000000056d0 = 0x200000005580; memcpy((void*)0x200000005580, "\x48\xfe\x27\xd9\x96\x54\x0a\xf3\x9e\xe6\x3e\xd5\xb8\xcf\xd8\x52\x3c\x9e\xee\xa2\xa9\xf6\x19\x60\x14\x21\xc6\x14\x0e\x3a\x98\x4a\xbc\x8a\x5f\x42\x1a\xc2\x62\x1a\xd0\x9d\xcf\xe4\xb7\x03\x89\x83\xe0\xe8\x82\x40\xcf\x3d\xd6\x11\x96\x97\x6f\x83\x6b\x58\xbc\x78\xe8\xd0\x80\x44\x6c\x8c\x46\xfa\x4d\x9a\x6b\x52\x29\x42\xef\x8d\x58\xf8\x9f\x40\x10\xf6\xb6\x2b\x5a\xff\x90\x27\x53\xb6\x2f\xb2\x9f\xb8\xa8\xa3\xa4\x75\xf3\xe0\xe4\x45\xbc\x8a\x4f\xe0\x18\xfb\x6a\x5e\x3c\x2d\x53\x4a\xab\xd3\xb0\x91\x5d\x7b\x06\x57\x81\xca\x8c\xdb\x3e\xb7\x34\x01\x63\x90\x63\x8c\xde\x96\x40\x37\x5b\x4d\xfc\x90\xc2\x11\x60\x3b\x5e\xa2\xbd\x44\x29\x57\x50\x41\x50\x67\xbc\x3f\x14\x7a\x66\xd7\x7d\xcf\xbf\x65\x84\x80\x36\x9e\x1d\x1f\x19\x3d\xad\x08\xc0\x0f\x36\xc9\x9a\xf5\xc1\xb5\x2f\xf0\xa1\xf2\xe8\x93\x84\x1f\x1a\x2d\xe0\x97\xfb\x0e\x00\x1a\xbd\xb9\x56\xf6\x82\xde\x1e\xcf\xc1\x80\x1e\xc9\x43\x6f\x86\x4d\x3a\xbe\x6e\x7f\x9e\x33\x2a\x32\xe9\xe5\x44\x5d\x85\xed\x61\x3b\xa1\xd5\x9a\x8a\xe4\x83\xad\x90", 244); res = syscall(__NR_shmctl, /*shmid=*/0x80, /*cmd=*/0xful, /*buf=*/0x200000005680ul); if (res != -1) r[27] = *(uint32_t*)0x200000005684; break; case 34: *(uint32_t*)0x200000005980 = 0; *(uint32_t*)0x200000005984 = 0xee01; *(uint32_t*)0x200000005988 = 0xee01; *(uint32_t*)0x20000000598c = 0x80000001; *(uint32_t*)0x200000005990 = 0xa; *(uint32_t*)0x200000005994 = 9; *(uint16_t*)0x200000005998 = 0x50f4; *(uint32_t*)0x20000000599c = 8; *(uint64_t*)0x2000000059a0 = 8; *(uint64_t*)0x2000000059a8 = 4; *(uint64_t*)0x2000000059b0 = 7; *(uint32_t*)0x2000000059b8 = r[6]; *(uint32_t*)0x2000000059bc = 8; *(uint16_t*)0x2000000059c0 = 3; *(uint16_t*)0x2000000059c2 = 0; *(uint64_t*)0x2000000059c8 = 0x200000005800; memcpy((void*)0x200000005800, "\xdb\x41\x18\xb7\xfc\x55\x0b\x52\xee\xc4\xc5\x9c\xf4\xb9\x3c\x16\x9c\xd2\xe4\xc6\xb1\xeb\x5a\x84\xe9\x5b\xb2\x10\x93\x86\x54\x4d\x81\x85\x38\x8c\x50\x4c\x49\x5c\x8e\xf8\xb3\xd1\x96\xce\x76\x84\x46\x52\xa8\xd2\xed\xdb\x5e\xff\x11\x69\xa5\x58\xd6\xe7\xc5\x6d\x46\xaa\x70\xe6\x29\x8f\xbf\xaf\x95\xfa\x39\xd5\x39\x85\x94\x4c\x38\x2b\x26\xcb\x4e\xe5\x1e\x02\x1b\xeb\xc6\xe6\xe8\x03\x88", 95); *(uint64_t*)0x2000000059d0 = 0x200000005880; memcpy((void*)0x200000005880, "\x11\xd0\x1f\xea\xa2\x06\x48\x96\x7b\x16\xd3\xe6\xcb\x0d\x49\x89\xe6\x1f\xca\x36\x74\x07\x92\xd8\x80\x8f\x57\x2b\xe0\xb7\x0d\xd4\xfa\xaa\x5e\xce\x73\x85\x99\x83\x67\xd7\xda\xf2\x35\x0e\x52\xa7\x4d\xde\x02\x7c\x39\x77\x11\xa1\x8f\xaa\x7b\x87\x7c\x14\xe9\x2f\x48\x63\x6c\x7b\x02\x1b\x50\x82\x8c\x93\x6f\x30\xbd\xec\x29\xc6\x74\x13\x9d\x1d\x64\x36\x9d\x02\xd6\xdf\x35\xbd\x75\xc5\x4a\x72\x9a\x1c\x28\xf9\x4a\x00\x49\x7c\x29\x12\xe4\xf7\x3e\x55\x74\x6d\xc4\x37\xcf\xb6\x4d\x82\x6f\xb5\xdc\x13\x28\x6f\x2d\x3d\xc8\xa3\x54\xee\x95\x76\xb8\xb3\x7c\x40\x78\x14\xe5\x52\x41\xfd\x87\x16\x08\xc5\x99\xdd\xb5\xf9\x80\xe7\xc0\x1c\x23\xb0\x2b\x73\x8c\xe3\x4d\xc1\xf4\xd5\x57\x7f\x02\xc5\x53\x7e\xec\x8d\x5c\x15\xf8\xc9\x3a\x7d\x45\x0b\x47\x01\xde\x03\x80\x22\x41\xa3\x4c\x3a\x07\xa3\x78\x11\x9c\xfb\xb3\x4e\xeb\xe8\x75\x3a\x48\x51\xca\xe1\xa1\x4a\x12\x47\x49\xed\x8c\xaa\xec\x19\xd2\x22\x0b\x21\xd7\x1e\xdd\x40\x85\x67\x22\x38\xc4\x58\x2d\xbe\x77\xee\x25\x8f\x75\x04\xe5\x86\x84\x58\x78\xa7", 244); res = syscall(__NR_shmctl, /*shmid=*/0x7ff, /*cmd=*/0xful, /*buf=*/0x200000005980ul); if (res != -1) r[28] = *(uint32_t*)0x200000005984; break; case 35: *(uint32_t*)0x200000005a80 = 0x1d; *(uint32_t*)0x200000005a84 = 0xee00; *(uint32_t*)0x200000005a88 = 0xee01; *(uint32_t*)0x200000005a8c = 9; *(uint32_t*)0x200000005a90 = 7; *(uint32_t*)0x200000005a94 = 0x100; *(uint16_t*)0x200000005a98 = 0x1000; *(uint32_t*)0x200000005a9c = 4; *(uint64_t*)0x200000005aa0 = 0x400; *(uint64_t*)0x200000005aa8 = 3; *(uint64_t*)0x200000005ab0 = 9; *(uint32_t*)0x200000005ab8 = 9; *(uint32_t*)0x200000005abc = 0; *(uint16_t*)0x200000005ac0 = 0x4c17; *(uint16_t*)0x200000005ac2 = 0; *(uint64_t*)0x200000005ac8 = 0x200000005a00; *(uint64_t*)0x200000005ad0 = 0x200000005a40; memcpy((void*)0x200000005a40, "\x20\xfc\xa2\xd9\xa8\x4b\x14\x9b\x22\xcc\x11\x86\x29\xf2\x44\xc8\xf9\x90\x9c\xbe\x31\x7a\xd4\x69\x3e\x5c\x7d\xda\xcf\x6f\xf0\x8f\xf9\x64\x41\xb2\x9c\x38\xfb\x9a\x61\x61\xaa\xc4\x2a\x96\xf4\xe5\xb9\xa9\xed\x64\x8c\xa3\xd6\x00\xf7\x63\x14\x86", 60); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x200000005a80ul); if (res != -1) r[29] = *(uint32_t*)0x200000005a88; break; case 36: memcpy((void*)0x200000000c40, "\x55\x5b\x07\x8c\xdc\xaf\xe3\xdf\x82\xab\x07\x45\x00\xb8\x54\xe0\x53\xe9\xbe\x2b\xde\xa6\x7c\x3f\xdc\x61\x39\x5f\x5b\xcf\x26\x9a\x1a\x3d\xb8\xdd\x7f\x3d\xb0\xcb\xe3\xe9\xee\x7f\x3f\xd7\x73\xe5\x7f\xb4\xf6\xab\xa5\x3b\x02\x82\xae\x6a\xb4\xf9\xb9\xd6\x9d\x36\x2e\xbd\x6f\x99\x17\xff\xa5\x85\xa5\xe2\xb1\xdd\x85\xaf\xdc\x2e\x0b\x9f\xd0\x7d\x2b\xb6\x93\xd6\x87\x17\x43\xb7\x3e\xdd\xf8\xe6\xcc\x6e\x58\xe5\x02\xfb\x0d\x8d\x80\xfb\x48\xbe\x00\xbe\x3a\xcf\xe3\x5f\xd1\xfe\x21\xf9\x7c\x59\x8e\xca\x5e\x05\x46\xf3\xf6\xee\xc8\xf7\xe4\x03\xe8\xa8\x0b\x58\xfb\x34\x34\x2e\x2f\xcf\x0e\xef\x3b\xa1\x64\x4b\x26\x2d\x0a\x87\x7d\xeb\xa6\x46\x22\xae\xee\x38\xf1\xef\x52\x8c\xd8\x36\x08\x5f\xb4\xf8\x43\x7c\xa3\x6c\x3c\xc2\x11\x98\x0a\x65\x23\xfc\x6b\xd0\x7c\x49\x74\x7f\x5f\x9d\x6d\x79\xca\x43\x5f\x84\xf5\x9a\xf8\xbc\x5d\x7a\x76\xad\x9a\x4d\x29\xe4\xc5\xea\xf2\x0c\xf5\xe3\x73\xc2\x67\x7a\x04\x8b\x4a\x06\x4b\x25\xc8\x0e\x3c\x22\x5a\xef\xc7\x98\x61\xe3\x9f\x88\x98\xdc\x74\x9e\xd0\x43\x2a\x34\x74\x29\x9b\x35\x0f\xfb\x0c\x53\xcf\x96\xca\x64\xa1\x27\x30\x8b\x7a\x77\xf8\x0e\xc1\xad\x1c\xa7\x4f\xc5\x8f\x71\x80\x3c\x78\x7f\xc8\x98\x20\xce\x64\x7e\x6e\xed\xc3\x84\x51\xb7\x0b\x15\x30\xcc\x70\x60\xd1\xb0\x72\x7b\x74\x68\x5e\x6a\xdb\x33\x10\xcf\xa9\xed\x51\x65\xe3\xd3\xe7\x4a\x38\xa7\xb5\xf2\x50\x24\x61\xb9\x3d\x63\x36\x93\xf3\xc9\x25\x9d\x2f\xa0\xad\x38\x9f\x24\x96\xc5\xc2\xe3\xdf\x9f\x85\xc1\xa8\xa8\x58\xdb\x4b\x7c\x58\x15\xfc\xbb\x65\x68\x21\xe1\x84\x4e\x7d\x6e\x0f\x3c\xfb\x64\x52\x8f\x96\x62\x97\x9a\xc9\xa8\xec\x10\xee\xf0\x60\x3b\x3d\x1d\x78\xd5\xd2\xa4\x85\x48\x6a\xa8\xcc\x31\x0e\x49\x0b\x94\x71\xae\x12\x71\x94\x15\x1b\x73\x2e\xd1\x9d\x49\x4e\xa6\x3d\x28\x36\x51\x94\x09\xa2\x13\x42\x5f\xe1\x00\x5e\x46\x69\x5f\x4b\x24\xbe\x7b\x25\x82\x96\x53\xe4\x1c\x17\x4b\x1b\xc6\x9f\x10\x8a\x07\x67\x69\xc6\x52\x40\x5d\x43\x6a\x7c\x69\x8a\xc8\xe5\x4a\x85\x0c\x0e\xd0\x24\x9a\x82\x50\xe5\x54\x88\x69\x61\x6b\x9a\x72\xf2\x6c\xb9\x70\x96\xcc\x66\xcb\xbf\x03\x17\xa1\x7f\x96\xee\x0b\xae\x08\x02\x4d\x5b\x80\xdf\xf8\xbe\x40\xc8\x22\xd8\x50\xf7\x49\xe7\xbf\x54\x33\xd2\x52\x20\x2b\x03\x58\x3d\x8b\x87\xb5\xb7\x07\x90\x5e\x3c\x84\x61\x24\x1f\xea\x66\xc5\x99\x5a\x3d\xe3\x0e\xf8\xe3\x3b\xf0\xc7\x92\xf2\x3a\x26\x43\xbe\x67\xd8\xe0\x77\xb1\x6a\x84\xe5\x2d\x80\xc3\xc3\xe8\xc3\xba\x8e\x58\xd0\x68\x3d\x00\x41\x2b\x9f\x98\x73\x25\x24\x11\x3d\x24\xc8\x9e\xbb\x02\x0b\xa6\x31\xc1\x61\x8c\x7c\x1d\xed\xf1\x8e\xe5\x9c\x67\x7e\x58\x52\x99\xfc\x6b\xc0\x60\xd5\xc3\xf5\x7f\x9d\x52\x9f\x93\xc3\x7e\x08\x6d\xb0\xed\x59\x93\xa0\x5d\xab\xff\xba\xe7\x43\x0f\x9e\x20\x60\xb0\xb6\xce\x6b\x0b\x21\xfe\x6d\xcc\x4f\x40\x16\xd8\x7a\x74\xd0\xfa\xdd\x6f\x9f\x12\xb1\x02\xf7\x8a\xc9\x4f\x2b\x84\x6c\x2a\x7b\x9b\xc2\x43\xc5\x6b\x0f\xe4\x41\x2f\x03\xaf\x33\x72\xd3\x56\x43\x2c\xff\x83\xc2\xd7\x12\x7f\xa0\xa9\x72\x90\x6d\x16\x74\xd7\xe5\x5d\xac\x17\x89\x01\xb6\x61\xf1\xf1\xef\x39\xe7\x17\x25\xd8\x9b\xc1\xe7\xce\x8a\xc6\xa2\x38\xa9\xb2\x11\x5c\x65\x63\xf9\xc2\x19\x93\x43\x50\xcb\xff\x04\xbf\xed\x91\x66\x53\xcd\xfd\x93\xc2\x5c\xa0\xcf\xa1\x22\x3b\xc8\x5f\xd2\x6d\xcb\x17\xe5\x30\x21\x28\xfd\x81\x94\x51\xd0\xb7\xf0\x85\x4c\x70\x32\x84\x97\x77\xd1\x82\x8d\x48\x3b\xc5\x8b\x2b\x91\xf6\xe4\xeb\x2a\x90\x26\x55\xa9\x5b\x03\xfe\x2c\x86\xf0\xfb\xa9\xfd\x2c\x67\x7f\x6e\x5b\x60\x92\x17\x9a\x5e\x84\xa6\x7d\x88\x1a\xab\x57\xdd\x2c\x32\x39\xa1\xdb\x9b\x47\xf2\xb5\xf6\xce\xeb\x79\xa5\x8c\xd1\x25\xe6\x14\x7d\x20\x68\xca\x21\xa0\xca\xc4\x7b\x0c\x12\xf6\x68\x3b\x71\x98\xf1\x39\xf1\x12\x06\xb2\x84\x90\xf7\x56\xe0\xbf\x15\x22\x19\x5f\x14\x60\x8d\x19\xff\xb6\xa3\xba\x85\xf0\x47\x44\x31\xf7\x1d\x1a\x38\xb4\x92\xe3\x86\xdb\x9e\xb0\xdd\xe5\x57\x69\xc0\x2f\x87\x57\xa4\xe1\x4e\x93\xdc\x24\x1f\x2d\xd5\xe6\x55\x0e\x3d\x75\x3c\x91\x7b\xbc\x4e\x5b\x1a\x33\x85\x25\x91\x63\xd6\x64\xb0\xc7\x2d\x85\xbf\x78\x35\x4f\x18\xcb\x63\xf1\xfe\x0a\x33\x7a\x07\xf2\xe7\x8f\xd3\xf8\x94\xff\xeb\x85\xda\xce\x3f\x30\x27\x7b\x5c\x0f\xdb\xb2\x4f\x9b\xc3\x54\x54\x6d\xe8\x12\xed\x54\x45\xf8\x54\x88\x8a\x03\x8f\x04\x36\xc7\x8b\x21\x23\x0c\xa7\x3e\x77\x0b\x4d\x37\x5a\xc6\x0d\x30\x2a\xd1\x62\x9e\xd8\xc1\x7a\x12\x76\x53\x02\xad\xd9\x81\x9e\x9b\xdd\x10\x02\xdd\xf7\xd7\x73\xd0\xd2\x01\xe6\xaf\x2b\xf8\xe5\x8f\x68\x91\x5d\xcd\xb8\x0f\x4b\xdd\x73\x1c\xa0\x54\x4f\x9b\xe2\x92\x97\x21\x9d\xd3\x42\x2d\xf4\xf2\xe4\x36\x42\x2f\x94\x0d\x8f\xe0\x72\x41\x4e\x84\x38\x94\xc0\x1f\x43\x80\x7c\x4d\xd4\xf7\xc5\xc1\xfe\xb2\x0d\x50\xf0\x60\xee\x1f\xe6\x12\x22\x9c\x2f\x49\xda\x21\x72\x89\x52\xa0\xbe\xf8\x1b\x47\xfa\x85\x84\x8f\x65\xae\x37\x56\x70\x60\x13\x09\x5f\x1f\xf8\x4e\x5e\x32\x21\x6b\x94\xaf\x24\x79\xee\xa8\x19\x97\x10\xc0\x15\x59\x7b\x00\xa9\x7b\xe8\xb3\xba\x52\x43\x9b\x12\xe3\xf1\x94\x82\x18\xe2\x81\x6b\x75\xb6\x84\xf3\x18\x2b\x43\x4e\x0a\xc0\xcb\x31\xa1\xa8\x3f\x2c\x7b\xbd\xdf\x28\x0d\x1e\x4f\xd5\x08\xc4\xb7\xa0\xfb\x0b\x66\x4c\x61\x3e\xdb\x4c\x7e\xc7\xf4\x8c\xdc\x94\x11\xa1\xaf\x51\xc7\xf2\x95\x64\x95\x04\x17\xca\xcf\x4c\x84\x8b\xc3\xc6\xc2\xff\xb3\x17\x59\x91\x7a\x52\x51\x00\x01\xaf\xd9\xde\x6d\x6e\x9d\xdc\x26\x36\x43\x53\xea\x50\x70\xfc\x73\x0b\x22\xd8\xf4\x34\xec\xc2\x12\x47\x94\x9f\x63\x7d\x03\xd4\x30\xa5\xfb\xc0\x36\xbd\xaa\x35\x01\xd4\x9d\x63\xdf\x32\x38\xab\xc5\x94\xa5\x64\x43\xd0\x5f\x53\xa5\x57\xb1\xe0\x4c\x54\xf5\xde\x09\x10\x86\xa0\xcf\xe9\xf3\x70\x7c\x74\x77\x1d\x41\x6c\xbd\x75\xc5\x3e\x74\x56\xba\xc5\xad\xce\x64\x0c\xd9\x3c\x66\xc0\xba\x2e\x59\x09\x6c\x5e\x08\xcf\x2c\x9b\x96\x48\x9e\x94\xf8\x06\x52\xf9\x05\x84\x9e\x4f\x38\x99\x7f\x0c\xd4\xe6\xcf\x1a\xd1\x8a\x88\x1e\x9e\x81\xae\x73\x2c\x28\x4d\xf2\x54\xde\x39\x81\x60\x6b\x02\x1e\xf4\x1d\xa3\x71\x76\xe9\xa0\x94\x6a\xb8\x08\x26\xdc\x7f\xb9\xe4\xb9\x9b\xd9\x94\x8b\xb0\xee\x33\x4a\x5d\xb2\x91\xea\x58\x80\x7c\xec\xd5\x9f\x87\x0c\x69\x13\x85\xe2\x7f\x18\xd7\x48\x46\xd1\xed\xa2\x20\xb9\x60\x7a\xaf\x2e\x6f\xc0\xae\x9e\xae\x57\x60\x8e\x60\x1d\xf9\x44\xd9\xac\x45\xd6\x2d\x79\x65\x12\x90\x3b\xff\x90\xd7\x40\xef\x9f\xcc\x40\xc3\xb3\xf2\x73\xa2\xbd\xfa\x30\x14\x3e\x90\xcd\xa7\x11\x6d\x8c\x68\x82\x6e\x67\xea\x0c\xf5\x78\xf5\x92\x31\xca\x85\xf0\x3f\x11\xb4\x0d\x06\x31\xab\x34\x73\xca\x2e\xe5\x35\x87\xdd\x4d\x8a\xbc\x53\xc6\x06\x9d\x56\xbd\x9b\xf7\xcc\x9f\x04\xd8\x98\x2a\x4f\xae\xda\x89\xfb\xff\x88\x84\x25\x1a\x1f\xcc\x5f\xef\x64\x2a\x20\x52\x99\x93\x0e\xe6\xc9\x02\x22\x23\x57\x68\x88\xc4\x91\xf7\x96\x62\x4d\x04\xd9\x5a\x98\x3e\x40\xb3\x44\xe8\xf4\xc9\x8e\xeb\x55\xe0\xff\x11\x6f\xcc\x8b\x4f\x29\x6d\xdc\x2f\x11\xc9\x32\x27\x86\x44\x0e\x0b\xa6\x22\xed\x96\xdc\xcb\x6b\xf6\x82\xb9\x7a\x2c\x78\x06\x47\x47\x38\xe9\xce\xa3\x64\xa2\x28\x30\x23\x5c\xa3\x5c\x60\xca\x4b\x0f\xd3\x0f\x81\xc0\x51\xb9\x6c\x67\x98\x21\x7c\x79\x85\xe7\xfd\xfb\x4f\xd8\x04\x09\x32\x66\xf0\xd3\x94\x7b\xc1\xd5\xb3\xbd\x53\x5c\xbd\x34\xbf\x07\xa3\x09\x6f\x16\xda\x81\x8c\xde\x06\x88\x7e\x94\x25\x75\x79\xf2\xc0\x20\xcb\xca\xc1\xcb\x70\x0d\x34\x47\x2b\xac\x93\x01\x30\x53\x0f\x9d\x09\x44\x83\xfa\xf3\x11\x19\x4f\x9a\x96\x41\x92\x5c\xde\xe8\x88\x79\xd2\x18\xb3\xbe\xb8\x3d\xf4\xf3\x3f\x5c\xb1\x09\xca\xc0\xc7\x92\x6f\xf1\xeb\x49\x4e\xbf\xc5\x8f\x22\xe5\x13\xde\x37\x6d\x1e\xa9\x03\xe7\xaa\x65\xb8\xd1\x82\xe5\xe3\x82\x17\xe2\xd2\xc0\xb0\xcb\x39\x2d\x44\xad\x76\x84\xc2\x29\x96\x8e\x71\xa7\x61\xb9\x67\xe2\x5a\x28\x83\x92\x9e\x19\xbb\x5d\xfb\x05\x32\x18\x13\x9d\xc3\x04\xea\xee\xd9\xe1\x5d\xe1\xf0\xa9\xe6\xf0\x47\x61\xc7\x5f\x72\x99\xe6\xc0\xec\xcb\xf9\x3c\xc1\x01\xeb\x5b\x01\x7c\x2d\x97\x27\x3b\x22\x38\xd4\x48\x1c\xbb\x5d\x24\x4d\xb8\xf1\xb3\x29\xb8\x93\x05\x45\xea\xa4\xa3\x6d\x59\xc3\x7d\xdb\x37\xa6\x10\xde\x3a\x79\xdd\xd8\xa3\x1d\xeb\x0b\x1b\xbb\x31\xd0\x1e\xee\xb7\x8c\xf9\x5a\xcf\x3f\x27\x27\xb5\x3b\x62\x36\xb0\x7d\x49\x0d\x86\x31\x82\x97\xda\xd4\xf6\xb8\x01\x07\xa0\x31\x29\x9f\xb5\x2a\xc0\x61\x0d\xa5\xaf\x4b\x71\xa8\xa7\x1c\x48\x6e\xda\x6e\x77\xc3\x50\x22\x4a\x9e\x24\x65\x99\xd2\xf0\x17\x90\x79\x6a\x21\xc1\xc9\x0d\xfb\x6e\x64\xc4\x9d\x6f\xe4\xee\xeb\xe6\xd6\xb5\x19\x2b\x6e\x13\x0e\xea\xc6\x73\xc4\xcf\x46\x69\xc0\x46\xce\xc7\x38\x80\x79\xd1\x4b\x25\x99\x25\x28\xe2\x05\xa8\x66\x3d\x42\x9d\x8c\xea\x1f\xcc\xdd\x3e\x53\x8b\x97\xc6\x35\x56\x2f\x2e\x26\x95\x88\xaa\x14\xb9\x30\xa7\x40\x80\x76\x29\x8c\xc4\xde\xda\x70\xb3\xc2\x6c\x42\xc6\x70\x22\xc5\x9e\x26\xf0\xbc\x4a\xec\xc4\x3a\x95\x6a\xc6\x02\x30\xba\x1b\x06\x81\xb8\xdb\x4e\xfd\x0e\xf1\x33\xf0\x99\x56\x3d\x0f\x55\xb9\x19\xf6\x43\x77\x22\xc8\x6b\x4a\x5f\x92\x8a\x75\x6b\x45\xa8\x4f\x9c\x54\xdc\x2b\xdd\x79\xae\x9d\xa5\xa3\x9b\x59\x93\x05\x5b\xf7\x74\xb1\x29\xb4\x68\xfd\x38\x85\xa5\x44\x70\x52\x46\x0d\x71\xa6\x8c\xb9\x6d\xed\xbd\xc4\x88\x2e\x6f\x6a\x2b\x7f\x64\x26\x27\xf3\xe7\x78\x3a\xcc\xc8\xf2\x2d\x29\xac\x8a\x83\x78\x8e\x64\xab\xd6\x06\x19\xe2\xb1\x3c\x48\x3b\xb9\xf6\x44\x2c\xd0\xa6\x72\xdc\xa7\x19\x26\x2f\x2e\x8b\x52\xd5\x8e\xfc\xca\xbe\x63\x12\x0f\xa9\x55\xda\x00\x62\x98\x88\xb0\x98\x6a\xee\x35\x03\xf9\x4d\x69\x01\x15\x52\x8e\xa4\x14\xff\x93\xfc\xfc\x48\x7f\x4a\x3b\x02\x13\x79\x8f\x27\xce\x36\x2e\xcc\xfa\x77\x5c\x9f\x84\x11\x44\xae\x5f\xe9\xc7\xd9\x5b\x46\x57\xea\x10\x67\xf1\x2d\x1d\xee\x02\xf9\x11\x78\xb1\x13\xf7\x96\x20\x73\xa3\xc9\x8b\x91\xde\x9b\x47\x02\x3a\x22\x05\x92\x01\xbd\x49\x5e\x7e\x2e\x4d\x3b\x3d\xec\x65\xef\x29\xfe\x44\x2e\x27\x1f\x13\x87\x0b\x0a\xed\x81\x83\x52\xbc\x69\x1b\x5d\x39\x17\x56\x5b\xf8\xb6\x6a\xcb\x66\x58\x05\xd9\x37\xe6\x35\x87\x91\xed\x90\x60\xf2\x61\xca\x7e\x34\xf0\xe7\x28\x6c\xf7\x56\x3f\x57\x25\x4a\x05\xb3\xce\x5f\x17\x5d\x8b\xca\x32\x2c\xb3\x1b\xf8\xde\x32\xeb\x0e\xf6\x36\xda\x05\x5f\x3e\x9e\xee\x3b\x7e\x36\x06\x6f\xe1\x0c\x45\xc7\x74\x2c\x39\x73\x2c\xc7\x89\xaf\x38\xcb\x73\x7a\xa1\x78\x98\xd3\x1a\x20\xce\xba\x6a\x89\xc7\x88\x35\x19\xce\x21\x71\xc6\xe7\xb1\x9b\x34\x49\x4a\x58\x06\xf9\x9c\x26\xc5\xdf\x8f\xd6\x41\xa1\xbe\x5e\x66\x0c\xe8\x87\xa7\x8f\xb6\x91\xa1\x01\x6f\xdb\xf1\x07\xbc\x92\x99\x2a\x2b\x62\xdc\x34\x74\x31\x6d\xd2\x4f\x40\xff\xe6\x1b\xfa\x84\x8f\x97\x90\xe7\x25\xc0\xdf\x3f\xa6\xd0\x90\xfd\x38\x37\xe1\xa4\x6b\xf5\x8f\x3b\xee\xf4\xad\x77\x21\x95\x1a\x97\x79\x48\xb8\x6c\xed\xc0\x7a\x24\xb7\xf0\x4b\xe1\x4d\xf3\x6d\xff\x71\x53\x1a\xd7\x15\x32\x8d\x70\xa2\xff\xfb\x3b\x59\x43\x96\x19\x82\x6e\x0c\x26\x72\x9d\xa1\xaa\x66\xfb\x89\x2b\x94\x0f\x8b\xe7\xee\x4f\x22\x7b\x43\xfb\xb4\x30\x94\xc5\x08\x64\x47\xc8\xb4\xdd\x72\x66\xf0\x7b\xc7\x9c\x28\xa9\xb4\xb0\xb5\x11\x73\x9d\x68\x94\xc0\xf2\x04\x9f\x9b\x83\x57\xa2\x45\x1b\xc9\x64\x89\xc2\xfd\xb4\xc6\x3f\xe6\xa1\x51\xa1\x1c\x72\x30\x47\x4b\xf5\x1f\x4d\x04\xb1\x60\xa6\x5c\x22\x10\x4d\xfc\x29\x68\xa2\x3e\x42\x7b\xd9\x7c\x4d\x2c\x0a\x5b\x35\x9d\x59\xfb\x17\xb5\x51\xf8\x90\x5a\x4b\x6a\xca\xb2\x44\x4d\x66\x08\x2c\xf5\xc6\x48\x03\xf5\xaf\xdd\x46\xf0\x57\x35\xd1\x8b\x52\x07\xa9\x27\xef\x34\xcc\x76\xa8\xed\x38\x19\xc8\x69\x54\x1e\x06\xe5\x09\x50\xd5\x50\xc9\xb8\xf0\x34\xd4\xa3\x29\xa1\x35\xaf\xaa\x25\x7d\x3b\xf2\x5d\x36\xac\x7c\x7f\xf9\x85\x1a\xb9\xc3\x86\xc9\xb1\x6b\x7b\x11\x1c\xfb\xfc\x39\xf1\x9e\xc3\xb7\x1c\xe4\x35\x40\x36\xcf\xcf\xfe\x36\xc8\x7a\x8d\x65\x47\x00\x6a\xb4\x4f\x19\x32\x0a\x35\xdb\x00\x3a\x6c\xce\x51\xe5\x33\x8a\xfd\xea\xf6\xfb\x6a\xd3\xdb\x60\xba\xbb\x52\x1a\xd5\x6b\x08\x0e\x55\x64\x41\x3b\xe5\x96\x99\x4a\xfe\x9d\x45\x55\xf7\xb7\x53\x0c\x4f\xb1\xad\x9b\x55\x90\x0c\x76\xba\x40\x49\x71\xd8\xe2\x72\x6a\xc6\x48\x0e\xc1\xe1\xb5\x6f\x68\x60\x0e\x79\x0a\x32\x80\x6f\x10\xee\x80\x76\xff\xbb\xe6\x31\x30\xb7\x2a\xe2\x2f\x0a\x79\x9a\x56\x58\xf2\x72\xfa\xed\x77\x0f\x1c\x72\xe4\xb6\xc3\x2f\xa1\x9b\x6b\x9e\xc2\x8c\xec\x7b\xfb\x3b\x08\x69\xe7\xf4\x7b\xb3\x2b\x63\x1d\x44\x0b\xb1\x50\x4e\x92\x7f\xbf\x0a\x75\x29\x59\xc4\xa6\x33\x45\x9b\xd2\xd3\x49\x26\xad\xa2\x2b\x97\x71\x6a\xdc\x61\x47\x0e\xda\x3a\x96\x8b\x89\x89\x82\xd8\x96\xe7\x7d\xa4\x7a\xf7\xd4\x89\x72\x8a\xde\x39\x50\x57\x53\x89\xaf\x48\x83\xb2\x1f\x53\xe9\xf4\x9d\x4b\x4f\xec\x3c\x56\xb9\x5f\xae\x00\x27\x1b\x01\xfd\x3a\xda\xc9\x79\xba\xca\x1f\x9c\x3b\xd6\xf0\x78\x42\x47\x20\xf7\x47\x59\x1e\xa8\xdc\x70\x94\xc6\x08\xb1\x47\x6d\x1e\x10\x51\xa5\x5b\xb1\xe5\x94\x10\xef\x9d\x8c\x29\xf0\x0a\x6a\x4d\x9b\x31\x03\xa8\xd2\xaa\x08\x7e\x91\x11\x6f\xb3\x63\x97\x58\xad\x6f\x93\xed\x07\x06\xbf\x99\x3e\xce\x70\xe8\xed\x75\xbe\xa2\x89\x70\x85\x9c\x72\x56\xf9\x72\xaf\x86\x2b\x45\xb4\x2b\xe1\x59\x57\xe2\x18\xfa\x65\x42\x4a\xaf\x13\xc2\xa8\x47\xce\x1d\x40\xda\xb5\x2e\xe7\x57\x66\x92\x45\x14\x0c\x43\x46\xc5\x81\xf2\xe9\xab\x2e\x72\xb6\x44\x28\x23\x72\x50\xe1\x42\x93\x51\x78\x45\x56\x8d\x20\xed\xb8\xb1\x03\x10\x6c\x48\x26\x62\x1b\x6b\xb0\x75\x6c\x1f\xac\xd8\x59\x50\x9f\x93\x31\xd0\xa1\xaa\xde\xe7\xad\xf1\x34\xd4\x63\x30\x98\x11\x22\x0e\x9b\xdd\xf1\xdc\x63\x02\xad\x89\xab\xab\x68\xe3\x2f\xd5\xf7\xc2\x7c\xa0\xb2\x17\xd8\xc2\xec\x34\x2a\x26\x05\xfe\x54\xee\xd4\x32\x1b\x34\xea\xf5\x4f\x8c\x21\x62\xd3\xbf\x5d\x7a\xce\x24\x29\xfb\xeb\x4c\xa1\x87\x06\x50\x26\xaa\x81\x4a\x98\x33\xb6\xee\x94\x3d\x1d\x33\x7d\xe2\xd9\xec\xda\xab\x2c\xf4\x63\x4c\x16\xa9\x15\xe6\xa9\x64\x8b\x36\x8d\x8d\xf8\xd6\xd2\xde\x47\x72\x11\x21\x4b\x3e\x8c\x29\x1f\x16\xed\x30\xea\x38\xff\x58\x1b\x81\x89\x9c\xd1\xc4\xa7\x4b\xb3\x38\xa6\x32\x20\x03\xc9\xfc\xbf\x16\xa0\xac\xf0\xc6\x7b\x97\xd8\x5d\x55\xa6\xb8\x1f\xb7\x53\x6d\x43\x4a\x0e\x49\x99\x29\xe0\xda\x0a\xe3\x18\x18\xda\x52\xcc\x25\x24\x18\x80\x26\x21\xcf\x28\xee\x5c\xd5\x55\xf1\x3d\x4a\x0f\x6c\x41\x60\xb9\x70\x16\x80\x9b\xa7\x5f\x30\x50\xc2\xef\x1d\x3f\x90\x04\x5e\x97\xf4\xea\x5d\x03\x73\x9a\x8c\x5a\xb3\x49\x2f\x5d\xd5\xb1\x67\xd8\xf5\x29\x49\x61\xf9\x42\x84\x7d\x95\x50\xf1\x1f\x73\xa8\xff\x1b\x8b\x28\x8d\x27\xa0\xfb\x75\x9d\x86\x54\x46\x91\xf9\xee\x3f\x9e\xe4\x8d\x0e\x57\x3f\x21\xcc\xef\x46\x10\x30\x28\x71\xc7\xae\xc5\x59\xad\xe8\x95\x11\xdd\x90\x75\x80\xf8\xf0\xd1\x19\xb8\x27\x4f\x65\x2f\x5e\x4c\x8a\x8d\x32\xf3\x0f\x24\x43\xeb\xf4\xd9\xbc\x12\x48\x61\x88\xc5\xaf\x74\xf9\x8d\x31\x54\x95\x38\x9f\x10\x30\xd4\x5d\xe4\x21\x9c\xaa\xea\xb0\x35\xbd\x51\x1a\xfe\xa1\x8c\x84\x48\xbf\x80\x54\xde\xbe\x9c\x74\x7e\x60\x43\x1d\x66\x01\x5c\x62\x57\x8a\x00\xdb\xdf\xc0\x6a\x5d\xd5\x27\xe3\x14\x13\xe8\xdf\x00\x42\x0c\x33\x2b\xb4\x16\xdb\x84\x20\x0c\xb7\xe1\x47\x08\xa1\x37\xb7\x54\x90\xd9\x5f\xfd\x69\x3c\x9b\xd2\x15\xcf\x71\xc3\xf8\xe2\xd1\xaa\xab\xff\x3d\xd6\x3c\xc2\x28\x0a\xb6\xea\x46\xa0\x39\x0e\x75\x35\x63\x50\x59\xd1\x28\xb5\xa9\x2f\x68\x67\x3a\x05\x8d\x96\x33\x03\xe7\xe5\x79\xcc\x16\x61\x9d\x78\xc6\xdb\x79\xe8\x26\x21\x52\x5a\xef\x9a\x8a\xf3\x0d\xf9\x11\x2c\xe2\xb6\x8d\x56\x8c\x39\xa8\x13\x8e\xbe\x5d\x0c\x3c\x26\x38\x02\x09\x5c\x3c\x4f\xe2\xa9\xba\x48\xd9\x7f\x6d\xf3\x11\x26\xb6\x4a\xbd\xb3\x7c\xf8\x06\xb4\x10\xaa\x9f\x32\xc8\xf2\x0a\xb1\x37\xe1\x2d\xa9\x9f\x8f\x06\x96\x07\x22\x4a\xc1\xcc\xf6\x10\xe3\x62\x12\x45\xf7\xcf\x01\x7f\x8b\xb1\xf5\xde\x00\xbe\xdd\x6a\x66\x81\x1b\x28\x6a\x87\x0a\x89\xc1\x13\x08\xa3\x5d\xfc\x58\xba\x24\x5e\x93\xc1\xd3\xa5\xff\x01\x0f\x8d\xe2\xaa\x44\x6a\x90\xd1\x53\xb3\xe6\xf8\xd0\x72\x5d\xab\x1e\xe4\x35\xba\xb2\x6a\x08\x42\xc5\x72\xd3\x88\xe2\xb6\x26\x57\xc1\x33\xe5\xca\x2d\x47\xfe\xc6\x55\x61\xab\x2a\x71\xc6\xd7\xfb\xdd\x24\xdb\xf0\x50\xf6\x88\x9d\x83\x22\x70\x94\x17\x80\x96\x99\x6d\x85\x66\x25\xdd\xcd\xbc\x23\x6c\x0b\x5e\xd2\x8e\x7c\xf7\x18\xb4\xf8\x05\x89\xd3\xde\xcc\xee\x9e\x70\x54\x36\xdd\xe6\x45\x5d\x8f\x0b\xea\x6f\xc4\xc3\x54\x4d\xf5\x5d\xfd\xa6\xd5\x2d\xeb\x92\x1c\x0b\xcd\x96\xf8\xa0\xc5\xdd\x8c\xe9\xd3\x8c\x00\x83\x7a\x56\x28\xa3\xb2\x52\x97\xcd\x3b\xaa\x14\x90\x54\x5b\x5c\xcb\x87\x1c\x36\xac\x1a\xac\x4c\x70\xb0\x5a\xa4\x59\x73\x4a\xa5\x23\xec\xf9\x47\x6d\x90\xe7\x19\xba\xa1\xe0\x3d\xe3\x49\x2c\x3b\xd1\x0e\xe0\x29\x0a\x6c\xba\xda\x72\x96\xb2\x6f\x46\x3b\xcb\x05\x1b\x53\xf0\x8e\x9a\x80\xc4\x71\x57\xcb\x49\xb7\xde\xd5\x02\x11\x21\xc0\x43\x15\xfe\xa9\xd4\x80\x0d\xd2\xd6\x23\xc9\x12\x34\xf9\xce\xc3\xa7\x87\xbc\x28\xf2\x73\xb0\x29\xcb\x66\xd5\xa0\x5d\x54\x63\x11\x61\x38\xfb\xc8\x75\x79\xa7\x1e\x0d\xbb\x29\x70\x38\x67\xfa\x8b\x69\x21\xb6\xfe\x65\xa7\xd1\x96\xe5\x14\xd8\xa8\xc2\x1e\xa8\x56\x66\xda\x05\xb7\x2c\x0b\x3d\xac\x14\x4f\xe9\x04\xd8\x18\x43\x1b\x5d\xc7\xa9\x0c\xc3\xe2\x52\x66\x7d\xe0\x4b\xc6\x1a\x19\xdc\xa5\x65\xf5\xa5\xc1\xf4\x21\x6c\x69\xcb\xb5\x9c\x71\xdb\x52\xe2\x8d\x85\xc1\x37\xd2\xc4\x86\x62\xd3\x18\x13\x04\x1b\x60\x65\x31\x39\xbd\xe9\xd2\xb5\xc4\x72\x68\x5b\xef\x17\x7c\x2f\xa2\xbd\x82\x56\xb3\x2a\xfd\x59\x8e\x4f\x82\x52\xc5\x7c\xd0\xc4\xea\x6f\x7d\xf7\x76\x31\xec\xf0\x0b\x0b\x6f\xae\x05\x82\xb3\xaf\x17\xa5\x77\xba\x6f\xda\xdb\x8c\x22\x74\xb6\x3c\x3a\x5c\xec\x2c\xf0\xf3\x02\xdf\xdc\xae\xb2\xa3\x8e\x32\x57\x37\x99\x80\x3b\x73\x68\x6f\x45\xab\x88\x5f\x43\xdf\x45\x61\x62\x4c\x34\x7a\xb1\x11\x55\x91\xae\xc4\x23\xb0\x9b\xfd\x69\x46\x17\x23\xde\x7b\x10\xf9\x18\x9d\xfe\xc9\xf0\xb2\xd3\xb6\x6c\xf8\xb1\xae\x59\xdb\x79\xfc\x26\x11\xa6\x55\x61\x65\xc3\xfd\xd1\x1e\x43\x80\x81\xf2\xe7\x47\x3d\x3c\x16\xae\x56\x76\x19\xe5\x8e\x4e\x4d\x24\x33\x74\x9b\x90\xee\xae\xe1\xf4\xe5\xf9\xe2\xac\xc3\x7c\x67\xbd\x22\xdd\x92\xb8\x56\xeb\xab\xf0\x4b\x09\x4b\x8a\x87\xd3\x86\xe4\x44\x46\xbd\x32\xcd\x75\xb6\xdc\x35\x24\x69\x90\x7d\xd3\x9a\xe2\xbd\x9c\x5f\x96\x5c\x3f\x17\xaf\x0b\x77\x85\xa5\xea\xf4\xfe\x48\x5d\x4c\x31\x16\xae\x77\xa7\x4a\xb1\x65\xea\xf4\xce\x8f\xd8\x63\x4a\xdf\xf3\x90\xbe\xe9\x1b\x5b\x30\x17\xea\x83\xc1\xb2\xff\xd7\xd0\x4d\xd0\xc4\xdb\x62\x5d\x6c\x4f\x99\xca\xdb\x2f\xc1\xdf\x1d\xf8\x77\xa6\xc5\xee\x05\x64\x33\x49\x4b\xcc\x7d\xf9\x2f\x02\x39\xaf\xa2\xfe\x75\xff\x14\x1b\x2e\x74\x97\x5f\xb8\x0c\xf9\x57\xc5\x17\x37\x50\x59\xa6\xa0\x95\xd4\xb8\xa9\x17\xb7\x1d\x52\x0a\x36\x03\x66\x2d\xde\x20\xde\x7c\x73\x97\x94\xb6\xcc\xdd\x18\xfd\x54\xc0\x5c\xcc\x81\x44\x71\x89\x9c\x4d\x62\x14\xd8\x80\x5b\xef\x7b\xa4\xa4\xde\x0e\x02\xe5\x67\x5d\x5f\x80\x65\xcc\xb2\x24\x2d\x51\xeb\xa5\xcf\xe8\xef\x3c\xd7\x0b\x53\x2f\x9a\x0b\xc2\x2d\x9b\x64\x19\x3c\x79\xb6\xce\x46\x88\x90\xe6\xfc\x7f\x69\xae\x0c\xbd\x8e\x3a\x42\xae\x06\xfd\xa9\x8b\xfc\x7e\x04\x17\x16\x95\x9e\x5a\xee\x95\x11\x46\x43\xa3\x08\xc4\x33\xe4\x02\x91\xc5\x32\xff\xfe\xa7\xc8\x8d\xe8\xe5\x36\x11\x9a\xda\x3c\x52\x89\xc9\xc5\x7d\x1d\x47\xfa\x06\x26\xbe\xf3\x27\xfa\x8c\x19\x56\x76\x06\x64\xf9\x6a\x38\x53\x8a\x81\x88\x37\xe9\xc8\xa6\x6a\xcf\xa4\x2e\x01\xd5\x9f\xe3\x9a\x9c\x72\x61\xa7\x7d\xff\x5a\xc5\x09\x20\x5a\x25\xf7\xc7\xd5\x6b\x27\x5f\x65\x10\x7c\x3a\x4f\xd2\x6e\x8e\xdc\x67\x7e\xb9\xa4\xc9\x20\x80\x51\xe5\x21\xfb\x7c\x93\x2b\xdf\x60\xfd\x69\xd1\x0c\x92\xf9\xbe\x09\x2b\xd6\xee\xc6\x8d\x05\x97\x2f\x82\x00\x58\xc5\x31\xd1\x20\x68\xe4\x97\x5c\xcb\x0d\x4f\x03\xf8\x89\x37\xdc\x17\x89\x98\xa7\xd6\x8d\x43\x30\x79\xf5\x1d\xa4\x23\x9a\x5f\x5f\xd4\xa5\x63\xfe\x6a\x73\x82\x45\xfb\xca\x5e\x6b\x0b\xd8\x8a\xbb\xd6\xeb\x9f\xd8\x09\x31\x03\x6b\x02\x34\xcf\x66\x7a\x53\x40\xec\x16\x67\xc5\x78\x2d\xe6\x75\xab\x47\x86\x20\x18\xd9\x4a\xe8\xb7\xde\x93\x20\xd3\x81\xcb\x84\x3b\x1a\x88\x5d\xda\xf3\x1c\x35\x76\xf2\xce\xbb\x6a\xb9\x57\x6c\x33\x4d\x3d\x40\x1f\xa6\x16\x32\xdb\xa1\xe6\xcc\xec\x91\x5c\x45\x00\xf8\x6a\xc2\x89\xa1\xde\x65\x49\xf7\xea\x27\x6f\x9f\xf9\x00\x89\x68\xab\x31\xa7\xa6\x48\xec\xd6\xf3\x6e\xd1\x85\xaf\xb3\xe9\xb3\x4c\x92\x28\xe2\xd7\x26\x94\x4c\x33\x22\x7a\x9e\x3d\x77\xe4\xd5\xbe\x8b\xd8\x50\xf3\x10\xdd\xa0\xfb\xc3\x0a\xff\x3f\x5b\xf2\xf1\xea\x3e\xed\x0c\xe2\xff\x15\xa7\xc3\x13\xcd\x87\xa7\x9a\xdd\x3e\x29\x0c\x2e\xcd\x76\x4c\x45\x55\x20\xd5\x81\xe3\xaf\x9e\xbe\x2c\x56\xd1\xde\xef\xaf\xa8\x73\x1b\xfb\x49\x06\xb7\x4d\x13\xf2\x71\x20\x48\xb4\x1a\x51\x58\xcf\x3c\xdb\x81\x5c\xd8\xd6\x3c\x90\x12\x46\x86\xdf\xb5\x67\x34\x83\x4e\x15\x53\x4f\x2b\x8b\x7e\xe2\xb2\x24\xea\xf7\x95\x15\x02\x1d\xe3\x15\x61\x91\x67\x7c\xa7\xfb\x47\x67\x42\x92\xf4\xed\xed\x88\x7f\x3a\x63\xba\xaf\x56\x4e\x35\x8e\xe2\xdf\xdf\x12\x73\xb3\x73\xc3\xaa\xb4\x99\xf4\xbc\x54\x8e\xde\x75\x12\xb5\xe2\x2c\xbe\xd7\x61\x8b\x23\xbc\x64\xb4\x6c\x8e\x6f\xba\x9b\xfe\xaa\x96\x3b\x33\x5d\xe5\x8d\x0d\x8b\x66\x32\x4b\xa8\xf5\x92\x52\x9d\x12\x09\x4d\x22\x66\x81\x92\x96\xd3\x95\xe7\xb3\xb0\xb2\xe7\x15\xe7\xed\x73\xfa\x8e\x2a\x1e\x15\x11\x59\xed\x41\xec\xf7\x54\xf7\x3c\xf8\x21\x68\xdf\x08\x14\xaa\x0c\x6f\xd8\xb9\x98\x8d\x20\x8f\x66\xba\xdb\xb9\x0a\x54\xb7\xa9\xb3\x11\x83\x9c\xd6\xcb\xbf\x09\x28\x01\x37\x67\x7a\x98\x4d\xdf\x87\x95\x1a\x47\x13\xcd\xf7\xf4\x94\xfb\x54\xe5\x37\xd8\xf1\x62\x8d\x79\x4e\xef\x29\xed\x26\xe3\x13\x21\xac\x41\xb9\x37\x3d\xc1\xcd\x85\xe4\x82\xd7\xe7\xbd\x56\xba\xef\xbd\xa3\xe2\x05\xc2\xd4\x85\x51\x26\xda\xbd\x2e\x24\x44\x62\x14\xa6\x33\xeb\x31\x1c\xc4\x87\xb8\x63\xf1\x11\x59\x63\xa4\x21\xaf\xa6\x1a\xe4\x88\x32\xeb\xed\x5e\xae\xcd\xae\x72\xd2\x7d\xe0\xce\x76\x17\x36\xe1\xa7\x1b\xcc\xfd\x36\x1c\x2c\x9d\xfc\xe6\x19\x60\x9e\xbc\xa1\xa0\xd4\xd8\x63\x75\x46\x89\x1d\xf3\x8f\x25\x97\xea\xa1\x00\x7d\xb2\xd3\xf2\x0e\xf9\xa6\x56\x0c\x71\x63\xed\x1a\xe4\xb5\x5d\xea\x61\xc3\x1f\xbf\xd2\x88\x84\x60\x50\x6d\xbb\x7a\xf2\x6c\x17\x8c\xca\x34\xea\xd9\xde\x4f\x0b\x71\xa0\xf2\x16\xdf\x95\x8f\xe4\xf3\x85\xe2\xc5\x90\x8a\x5a\x55\xfd\xc0\x32\x2e\x2d\x97\x93\xf8\x8f\xb6\xad\x76\x6f\xfe\x8e\x17\xb6\x44\x96\x4b\x27\x49\xe5\x64\xab\xfe\x28\x69\x24\x16\xc6\x61\xa8\xce\x57\x0b\xaf\x46\x4d\x47\xa0\xf1\x28\x88\x88\x94\x9e\xe8\x0b\x4a\x62\x60\xd0\xc6\xb4\xf7\x54\x7f\xe0\x1d\xdc\x10\xda\xda\xed\x67\xf3\x9b\xe2\xa7\xa6\xf1\x21\xcf\xcc\xe4\x90\x29\xbc\xca\x23\xf7\xe4\x98\x54\x11\xb8\x16\xfb\x9b\x6b\xce\xab\x0c\xd1\x35\xcf\x71\xa7\xeb\x10\xc9\x71\x46\xb3\xf3\x42\xaa\xba\xfa\xac\x9c\x2c\x69\x0d\xcd\xfa\x46\xfc\x4d\x28\x86\x23\xce\x1d\x13\x85\xdd\xed\x99\x71\x5f\x35\x1f\x39\xb5\x8e\x0a\x75\x61\xce\x85\xda\x8e\x85\xee\xd6\xca\x8d\x4e\xeb\x9a\xa2\xbc\xb7\xcc\x77\x71\x6c\xaf\x84\x39\x3b\x3a\xcb\xb6\xfb\xd9\x3d\x5e\x26\x6f\x62\xd2\x34\x6d\x58\x86\xc3\xc5\x8e\xbd\x6f\x71\xda\x40\xe1\xe6\x77\xbe\xef\x21\x5b\x19\xa9\xdf\xe5\x2e\x08\x62\xd0\x6f\x28\x7c\x72\x40\xb4\x70\x95\x4c\xc0\x05\x71\xdc\x40\xc2\xd6\xfe\x95\x82\x91\xcd\x26\xfc\x28\xea\x60\x13\x95\x8d\x00\xb0\xa7\xf0\x19\x10\x33\xb2\x44\xa9\xcd\x14\x6b\xbe\x14\x49\x2e\x47\x99\xe9\xa2\x0a\x27\x69\xf0\x96\x91\x51\x55\x59\x4a\x63\xe3\xa5\x37\x43\xb0\x6e\x44\x72\x3d\x7f\x40\xf4\x56\x47\x31\x4a\x7b\xa9\x59\x20\x1d\x2a\x1d\x6b\x45\xf6\x5a\x49\x39\x83\x38\xaf\xc8\x20\xc7\x65\xad\x7f\xb7\x59\xa4\xa8\x40\x88\xe0\xca\xbe\x22\x09\xf7\xfc\x39\xe5\xe5\xdc\x17\x72\x13\xfb\xc1\x2c\x8f\x1f\xa8\x28\x40\x1b\x10\xe3\x94\x89\x6a\x80\x95\x76\xec\x11\x8a\xd7\x15\x04\x8c\x7f\x2f\x5a\x33\x17\xdb\xd2\xb2\x5d\x75\x95\xf6\xa1\xa1\x33\x1f\x97\x8d\x31\x3f\x64\x92\xbf\x81\xe7\xb7\x86\x8e\xd9\x84\xc4\x00\x71\xd2\x08\x54\x03\xa8\x3b\x98\x94\x81\x61\x49\xc6\x1b\xaf\xdb\x55\x3c\x31\x30\x3d\xf5\xcd\x1e\x6a\x0e\x28\xd8\x1a\x10\xd9\x43\x09\x46\xb3\x29\x72\x51\x22\xb1\x5a\x45\xf8\xff\xcc\xc5\xb6\x66\x32\xef\x9b\x3e\x62\x91\xb8\x80\x7d\x7c\x2e\xcf\x36\x1f\x9c\x33\xb2\x2e\xc1\xb4\xe9\xb1\xc1\x5d\x5b\x7f\x69\xd7\xe6\x3a\xfe\x29\xa9\x18\x02\xaf\x6c\x5b\x40\xc6\x09\x19\x70\x63\xce\xa2\xd2\xeb\x67\x92\x44\xad\xcd\x98\x1b\x71\x9f\xb9\x91\x23\x1a\x18\x10\x2b\xf4\xf3\xc3\x1d\x3a\xf4\xbe\x37\x56\x8b\x8e\x82\xc3\x3c\xa8\xe4\x38\xd9\xdc\x07\x6f\xe1\x7f\xf2\x1b\x9f\x92\x4c\x8d\x8a\x60\x65\x29\x41\x04\x6f\x08\x5d\x86\x1d\x33\x8d\x37\x6f\xba\xe9\x1f\x85\x46\x0c\x1b\x13\xe3\x8b\xfc\x5b\x72\xcf\x19\xed\x32\xd3\x4b\xf8\x5b\x2c\x13\x2c\x23\xc4\xc2\x51\x67\xbe\x36\x53\x68\xee\x0c\xb3\x81\x8a\x85\x6d\x51\x40\xde\x04\xf9\xae\x44\x5a\xbc\x2a\x3a\x96\xc2\x30\x23\xbe\xc3\x2b\x22\xe3\xb3\xee\xd7\x0c\x25\xaf\x8c\x1b\xc5\xfd\xd6\x73\x1f\xe4\xbf\x7d\x56\xa8\x1a\x3f\x22\x6a\x0e\x94\x42\x2d\xa5\xca\x31\xa6\xf3\x89\xf7\xf3\xc1\xbc\x3f\x87\x05\xde\x1d\xc0\xf6\x56\x55\x2a\xf4\x68\x4f\x3e\xc2\x35\xd5\x26\xcb\x64\xf1\x9a\x5a\x91\xe8\xa2\x91\x47\xe3\xf7\xe1\x31\x10\x7a\x13\x03\x5b\x36\x5a\x0d\x40\x18\xd0\xba\x85\x5d\xa9\x0b\x7f\xc0\x01\xfa\x12\xd6\x2a\x43\x52\x2f\x1c\x45\xa9\x3e\xde\x4c\x10\x84\xdb\xb1\x01\x9e\xbd\x46\x4b\x33\xc7\x88\xf1\x24\x68\x3f\x99\xa8\x66\x50\x26\xf5\xd8\x7b\xae\x95\x4e\xee\xc7\x68\x4c\x63\x1d\xe3\x88\x26\xaf\xcd\xe6\x1f\xc3\xf2\x38\x2e\x60\x7a\x78\xa5\x83\x07\x57\x61\xf5\xdd\xf4\x12\x33\xa7\x27\xa1\x5f\x75\x83\x1e\x72\x06\xb3\xb2\xe8\xab\xc0\x3a\x8e\xa7\xa3\x43\x70\x91\xc5\x59\x38\xbf\x16\xe5\x43\x5f\x48\x3f\xd9\xa3\x4e\xd8\x79\xdf\x65\x20\x09\xfc\xfc\x3b\xa6\x0a\x28\x7b\x2d\xf7\x7f\xe1\x36\xdc\x6d\x1c\x9d\xc2\x4b\xef\xf5\x6e\x88\x8e\x54\x97\xfb\x91\xa7\x33\xd5\x8b\xca\x73\x95\x21\xf7\xf1\xaf\xa4\xf9\x4a\xc1\xea\x3b\xc8\xd2\xcc\xe1\x68\x9e\xb3\xa3\x9b\x9b\xb8\x1f\x96\xe9\xac\x19\x64\x6c\x58\xa4\xeb\x72\xd4\x7f\x65\x3b\x4a\x28\xb4\xc2\xb4\x34\x09\x47\x22\x6f\x08\x54\xc4\x5f\x76\x6c\x1a\xe6\x5d\x63\x00\x71\xac\xf0\x4b\x89\x9d\x14\x67\xb4\x60\x57\xc3\x35\x76\x9c\x4d\xd2\x30\x77\xfa\x6b\x08\xa7\xcd\x44\xcb\x3f\xad\xaf\xfa\xd3\x34\xf0\x30\x09\x81\x58\xdf\x1e\xc8\x9d\xd7\x7f\x36\xa9\x5a\xb5\x8c\x08\x0f\x86\x01\xd9\x39\xbb\x2e\x14\x3e\xca\xe4\x78\xc0\xae\x46\xa7\x97\xe8\x81\x21\x84\x4d\x81\x29\x6d\x09\x42\x1f\x25\xe2\x7a\xbb\x3e\x35\x7f\xed\x43\xa4\x73\x3e\x33\xdd\x21\xd9\x0a\xb4\xaf\x3f\x77\xb3\x41\xc3\x5e\xa8\xd7\x22\x2f\x49\xdc\x24\xe9\x2e\xe2\x6f\x28\xb2\x12\x7f\xcc\xbf\xdd\x63\xe1\xfe\x24\x15\x90\x10\xa2\x3c\x88\x52\x92\xb5\x5c\x4b\x61\xa7\xa9\x06\x66\x64\x55\x59\x82\xe6\x57\x74\x4f\xe4\x28\x6c\xe5\xa1\x83\xea\x22\xcc\x46\x27\x21\xbf\x9e\x61\xfc\x78\xd5\xf2\xc8\x14\x04\x13\x31\xf0\x9a\x01\xa9\x58\xe2\xb6\x4c\x5a\x08\x26\xa5\x53\xa8\xb9\x94\xd6\x6d\xbe\x89\xfa\xa6\x40\x3b\xbe\x70\xad\xb3\x82\x3a\x1b\x55\x27\x6f\x08\x9b\x4b\x38\x57\xf0\xa4\xdb\x9e\x89\x15\xba\x0f\xea\x98\xb8\x81\x17\x75\xca\x4b\x95\x08\x89\x4d\xd7\x8d\x80\xa2\x0a\x9a\x9f\x89\x05\x4b\xab\xb1\xfa\xe3\x04\x50\x9c\x15\x84\xd4\x44\xa8\xae\xd1\xf5\x42\x6c\x78\x01\x0c\x8e\x8e\x9a\xd1\x7b\x89\x4f\xa5\xe3\xb8\xd6\xcf\x8a\x9a\x23\x1f\xd5\x96\x70\x94\xc7\x8c\x7b\x88\xf8\xc7\x04\x0b\x09\x84\xdf\xe8\x78\xbb\x29\x58\xca\x39\x91\xed\x8e\xff\xcc\xe2\x34\x8b\xc6\xab\x93\x75\xe0\xf8\xc1\x95\x43\x62\xcb\x3e\x69\x7a\xe0\x1c\xab\xb0\x66\x55\x81\x2c\xea\xb2\xea\xc9\x38\x3e\x04\xef\xc1\xd6\x0b\xec\x2f\x18\x8f\xae\xcf\x37\x3a\xe8\x12\xae\xda\x6e\x7c\xfb\x74\x07\xf3\x22\xc1\x33\x35\x89\x33\x4b\xcd\x72\x04\xee\x02\xad\x89\x67\x8f\xc2\x99\x71\x7c\xc1\x31\x7e\xb5\x31\x12\xd9\x51\x59\xc3\x8d\x92\xd0\x1a\x13\xbe\xee\x3e\x3c\xe6\x4a\x95\x00\xe6\x94\xd2\x53\xb7\x57\x5d\x37\xd2\xed\x59\x96\x80\x9b\x02\xc1\xc4\xa4\x85\xd4\xc0\xda\x6e\x84\x5e\xca\x35\x55\x93\xcf\x18\x46\x27\xdd\xfb\xa4\xdf\x25\x19\xbe\xed\x80\xc2\xc7\x3f\x89\xc8\x11\xa4\x46\xd3\x2f\xe2\x2f\xd5\x73\x3a\xc7\x7c\x87\x0f\x9c\x1e\x03\x73\x4b\xc4\x43\x16\xd1\xa3\x90\x76\x4c\x4f\xfd\x4f\x10\x68\x11\xcf\x57\xc9\xf6\x57\x8d\x87\x34\xd5\xf4\x9d\x91\x3c\xfb\xf2\xa8\x3b\x24\x83\x54\x1e\x6f\x91\x36\xd6\xbf\x7b\xae\xe8\x77\x02\xe4\xb1\xcb\xba\xf7\xdf\x3f\xf6\xa7\x3e\xff\x01\x3c\x28\x90\x08\xd2\xaf\x88\x16\xc3\x57\x7e\x84\x09\x59\x0a\xde\xe6\xa1\x74\x60\x0a\xa5\x16\x65\x96\xb4\xf6\x8d\x61\x43\x6b\x85\xc5\x49\xe2\x03\xcc\xde\xd5\x65\x48\x86\x2c\x5f\xc4\xf3\x82\x59\x27\xd6\x3a\x18\x31\x4f\x8d\x2f\xb1\x1e\x67\xf5\x45\x34\x0c\xbe\xf8\x24\x7f\x73\x73\xc2\x02\x8b\xb4\x05\x2b\xb4\xf7\x98\x04\x98\x47\x2d\x38\xaf\xb1\xe0\x0d\x60\xa8\x00\x96\xcd\xf0\x05\x92\x6c\xb1\x85\x60\x81\x0a\xe5\x76\x66\x7d\xaf\xc0\x67\x8d\x72\xe2\x39\x2e\x1e\x02\x63\x35\xf7\x83\x05\x68\x85\x57\x60\x70\xf0\xb3\x6a\x8c\x34\x41\x39\x22\x5f\x53\x32\xfc\x49\xc1\xe4\x58\xde\xa3\x66\xff\xeb\x2c\xf1\x2d\xe9\x67\xb5\x56\xa1\x38\x80\xca\x41\x14\x0d\x7e\x79\xfb\x56\x41\xf6\x44\x91\xc8\x79\x33\x19\xa2\x62\x7f\xa4\x40\x0a\x42\x0e\x90\xfa\x69\xa1\x59\x4c\xb6\x47\x49\x07\xc9\xa4\xac\xf6\x22\xf9\xf0\xc4\xb7\xc5\xa0\xee\xc0\x93\xb6\x71\x5e\xdd\x0c\x97\xb2\xd9\xa7\x56\x06\x01\x21\x8e\x77\x78\x4c\x97\xdd\xb1\xa4\x57\xd1\xf6\xbf\x85\x1f\x3b\xf2\x62\x3d\x2f\x0b\x1f\xf7\xc1\xe4\xb8\x5d\xba\x90\x0a\x37\x9d\x58\x46\xe7\x83\x96\x4a\x08\xb0\x16\xaf\x92\xcf\xe5\x9b\xfd\x26\xc3\x1d\x85\x93\x9f\x60\xd3\xd6\x6f\xfa\xb1\x8b\xaf\x13\xea\x47\x86\x71\x0b\x00\xbe\x25\xaf\x31\x4d\xef\x3c\xc0\x99\x61\x96\xba\x40\x35\x3d\x0c\x47\x70\x2d\x03\x3d\x46\x61\x58\xcd\x17\x73\xdd\xef\x96\x5d\xb9\xdf\x67\xfe\x1c\xf8\xb1\xdb\x86\xc3\xe2\x4a\x71\x34\x02\xba\x7d\x79\x19\x79\xb4\x6d\xca\x1a\xc2\xdf\xeb\xc3\x0f\x1a\x43\xa0\xfc\x30\x81\xe8\xaa\x7c\x00\x04\x08\x3a\x4b\x03\x2c\x35\x3e\x70\x2a\x94\x7c\x80\x1a\x65\x79\x89\x6c\x8a\x8f\xc5\x5e\xdf\x38\xd8\x18\x31\xc7\x03\xd0\xc8\x2d\xeb\xe5\x98\xc0\xbd\x2f\x99\xde\x66\x50\x21\x06\x34\x16\x36\xca\x9e\xbc\x1a\x3e\x0b\x03\x98\x51\xca\xee\xce\x0b\xc9\x6c\x9e\x3e\xef\x1c\xb3\x03\xf4\x54\xe4\x6e\x30\xe6\x50\x01\x7c\xfc\x20\x2d\x53\x69\xd2\x3c\x6a\x4b\x85\xeb\x3a\x66\x4e\x2b\x95\xcb\x71\xb2\x0e\x31\x11\x3d\x83\xd1\x30\x1c\xe5\x27\xc4\x0a\x39\x48\x5a\xdd\x09\xfb\x4b\x49\x87\x45\x58\x70\x09\xd4\x52\xa5\xb0\x9b\xc3\x57\x2d\xb3\xbf\x3b\x28\x5a\xb9\x78\xeb\xaf\x4a\x3a\xf0\x73\x32\x3f\x59\x92\xbb\x63\x0b\xf4\xfb\xcc\xd1\xc1\x8e\xd5\x54\x4c\x55\xb3\xd1\xa3\xe2\x6e\x05\xdb\x7c\x7e\x60\xa5\x70\x17\x0c\xd0\xef\x9f\x77\xa4\x74\x2c\x6e\x2c\x08\xf3\xf2\xf8\xcd\x66\xdd\x5a\xe6\x0b\x19\xb5\xfe\xfb\xd7\x2d\x5e\x57\x14\x9c\x76\x0b\x74\xac\x80\x5e\x57\x4d\x8f\xf1\x2a\x8c\x12\xce\xbc\x72\xe1\x3c\x0e\xbe\x3f\x39\x38\x0a\x93\xf2\x9b\xc7\xfb\x5e\x28\x94\x8f\x9e\xe2\xac\x05\x6f\xb4\xc0\x37\x8f\x9d\x41\x51\x73\xf9\x61\xbb\x79\x1a\xb5\xdd\xfd\xd2\xed\x71\x68\x02\x87\x66\x98\xc7\xa9\x55\x3a\x5f\xce\x4b\xf1\x61\x0e\xad\x50\xb1\x99\xe0\x2c\xcb\xd2\x6e\x00\x02\x45\x64\x47\x7c\x55\x4a\x5f\xf5\x0e\xe5\x0b\x97\x9d\x0c\xb4\x20\x2b\xa6\x03\x46\x1d\x34\x26\xf0\x6f\x4d\x00\xd4\xab\x84\x2d\xc5\x2c\x3b\xb6\x3e\x11\x7e\x1c\xc9\xbf\x09\xc4\x06\xc1\x86\xd3\xa4\x10\x9a\xd7\xed\xa0\xfc\xc1\x64\x9c\x54\x7b\x3b\x20\xeb\xe2\x6e\x2d\x81\x80\xae\x5e\x4f\x48\xa2\xe7\xfa\x45\x52\xc8\xd8\x31\x65\xc3\xea\x74\x16\x43\x28\x95\x43\xec\x56\x87\x7c\x56\x18\x77\x75\xc6\x7d\x9c\x17\x2b\x5b\x9e\x7c\x83\x8e\x19\x55\x62\xb2\xf5\x0b\xb0\x86\xef\x49\x5a\x9c\x27\xf0\x7f\xfb\xf1\xf9\xb6\xf0\x5e\x47\x6f\xec\x2d\x96\x9a\x88\xff\xf5\xd3\x6d\x2e\xe6\x73\x23\x0d\x79\x94\x57\x98\xc2\x61\x9d\x4b\x0f\x5e\x27\x32\xc5\xa9\xad\x3a\xbc\xb9\xc6\x11\x98\x67\x68\x2b\xf2\x0f\x1b\xc9\x87\xa9\x69\x2b\x43\xea\xf1\x98\xe4\xc0\x0b\x05\xfc\xf9\xbb\xd6\xd0\x61\x33\x53\xbc\x19\x04\x51\x55\x16\xd3\xaf\x2d\x1c\xef\x4f\xfe\xc7\x91\xd9\xfd\xf2\x77\x9d\xf4\xc9\x14\xcb\x8f\xf4\x0e\xe2\xe1\xbe\xdf\x97\x4e\xf9\x5b\x97\x3f\x9a\x5b\x35\xb5\x61\x5e\xd6\x07\x98\xc2\x8f\x4f\x8a\xb0\x8e\x88\x81\x01\x5b\xaf\x88\xf9\x72\x99\x85\xce\x05\x6b\xad\xbd\x88\xb1\xfa\x6f\x44\x0a\xf1\xcf\x1e\x38\x12\x43\x9b\x04\x40\x8c\xc5\x9f\x4a\x6d\xbe\x3c\xe4\xa4\x43\xc4\x76\x04\x0a\xd0\x18\xdd\x82\x8a\x0a\xff\x7f\x97\x24\x72\x08\x7e\x4d\xc5\xfd\xe2\x32\xf6\x55\x78\x1d\xfc\x42\x2c\xe4\x02\xa9\xc0\x36\x43\x6f\x7e\x20\x11\x9e\xdf\x27\xec\x00\xed\x99\xdb\xc5\xa6\xd0\x9d\x6b\xfd\xd3\xa6\x0a\xed\x38\xed\x14\xa7\x81\x20\xd3\x5e\x84\x8f\xdc\x01\x2e\xf1\xd5\x59\xae\x04\xe6\xc4\xdc\xca\xbd\xd7\x9e\x5d\x4c\x8d\xab\x90\x1b\x58\x31\x69\x66\xa2\x15\xd4\x58\x07\x24\x6d\x7b\x62\xaa\xee\x76\x0c\xfc\x5d\x90\x7b\xd4\xee\x2c\xd7\x49\xb8\x6d\x5b\x67\x9c\x40\x96\x68\xd7\xf3\x4a\x7a\xbf\xa8\x95\x34\x9f\xb9\xd9\xeb\x47\x65\xc9\xd3\x9f\x20\x1c\x40\x7b\x0d\x5a\x89\xb3\xe6\x82\x16\x96\xd0\x0d\xe3\xb1\xef\x71\x4a\x7f\x25\x9d\xd9\x4e\x1a\xc7\x07\x42\x1e\x4b\xa4\xfb\x34\x5f\xb5\x71\xa7\x85\x1b\x9b\x24\xc7\xee\x58\x5d\xe4\x10\x7a\xde\xa3\x28\xe9\xc0\x11\x8c\x9c\xe6\x26\x52\xa6\x49\x40\xd6\x38\x19\xa7\x0b\x72\x6e\x88\x51\xd5\xeb\x67\x3e\x98\xd3\x3b\xb3\xc6\xca\x62\xbe\x55\x51\xcf\xd4\xff\xa0\xe9\x35\x95\xca\x43\x87\x7c\xd8\x89\x0e\xe0\x0d\x0e\x10\x91\x43\xb2\xeb\x0c\x14\xd5\x41\xeb\x9a\xd1\x1c\xc0\x8b\x91\x19\x4f\x51\x5a\x44\x79\xc4\xcf\x33\x3c\x09\x85\x38\x42\xcd\xd7\x54\x14\xe7\xb7\xd6\x88\x91\x42\xc2\x99\x9d\xc0\xe8\x98\x6b\x6a\x3a\xc6\xe0\xb3\xc0\x30\xc9\x43\xe9\x85\xfe\xca\x92\x7d\xc9\x53\x16\x70\xa2\x3d\xc9\x11\x72\xac\x8d\x77\x9d\x9a\xce\xc6\xa7\x97\x14\xd0\xa0\xb1\x61\x1b\x23\x60\x37\x97\xe2\x22\x8c\x8d\xb7\x70\x6b\x38\xb0\x08\xa8\x32\x37\xf2\x8e\xd4\xf4\x56\x12\xdd\x9e\x68\x5c\xcc\x22\x79\xc8\x62\xce\x2c\xd7\x4e\x33\x26\xab\xd9\xdb\x1a\x8e\xf7\x11\x8c\xfc\x82\xdb\x16\x09\xbe\xc2\x2d\xd0\x50\x2a\x4d\xc3\x2c\x26\x9b\xdd\xe8\x4a\x9e\xe5\xb1\x7a\xdb\x45\xc0\x12\x70\x6e\x66\x04\x7d\xc3\x60\x5d\xa9\xf1\x69\xe2\x0c\x73\xc7\xf7\x64\x72\x01\x29\xac\x00\xb2\xae\xfb\x69\x81\x2d\x72\xff\x64\xd5\x87\x4f\xce\x5a\xca\x4d\xf6\x8b\x78\xe7\xcc\xec\xb3\x5a\xa7\x6b\x5e\x76\x7a\xe3\x94\xb4\x1b\xef\xf8\x6d\x10\x70\xb2\x11\x57\xcf\x34\x35\x9a\x16\x7b\x7d\xea\x68\xab\xdd\x22\x48\x78\xce\x3d\x38\x18\x35\x8b\x92\xa5\x2e\x4f\x31\x3b\xa3\xdf\xb8\xd9\x7d\x87\xdc\xfb\x39\xff\x43\x8b\xda\xcd\x7a\x8a\x4f\x8c\x79\xd2\x45\xe4\xb1\x6f\x42\x63\x4d\x5c\xb6\x3d\x61\x2b\xa9\xf0\x19\xb6\xc0\x6c\xbe\x52\x23\xf2\x4c\x44\xd2\xe1\x6d\x8e\xe4\xfe\xcb\xfd\x94\x1b\x24\x8b\xb6\xeb\x63\xe0\x13\x6d\xc8\x2b\x9d\xf7\x4e\xff\x1e\xbf\x9f\x04\x2d\xc9\x16\x6a\x64\x4e\xb8\x4b\x44\x45\x35\x87\xc4\x05\x16\x4f\x22\x1b\xdc\x4f\xfb\x51\xc2\x6d\x1c\xd1\x82\x8f\x69\xed\xfe\xba\xdb\xaf\xd5\xe0\x3d\x26\xbb\x6d\xce\xf5\xd4\xc6\xc7\xcf\x51\x2e\x75\x76\x09\xc9\xe5\x2a\xbc\x42\xf2\x0d\x6b\x18\xc8\x1b\x5b\xec\x2d\x5a\xaf\x54\x6f\x1e\xda\xec\x29\x1a\x7a\x18\x28\x54\x99\x11\x5d\xfd\x75\x31\x9e\x9b\x61\x02\x03\x0a\xab\x5c\x09\x95\xf6\xfa\xea\x2f\x29\xfa\x41\xe7\xd5\x82\x8b\xfa\x59\xfb\xfb\x18\x1f\x96\x00\x4a\x67\x33\x6f\x98\xba\x0b\xad\xd7\x2d\xbe\xd7\x31\x9f\x96\xc1\xbf\x8f\xd4\x3d\x1c\x0b\xdf\x65\xcf\x24\x42\x47\x58\x6b\xf9\xf4\xcb\x31\x05\xb8\xc3\x03\x88\xd6\x78\x48\xc1\xa2\x86\x7f\xb4\x16\xe4\xd5\x4b\x30\xf4\xb2\x58\xcf\x60\x5a\xeb\x72\xb9\xed\x04\xd3\xee\x73\x02\xc2\xe2\xb3\x3c\x4a\xfe\x3f\x88\xf3\xdc\x97\xc1\xcb\x1b\x0e\xa8\x3c\xfe\x5d\x14\xec\x93\x51\x03\x59\xa3\x24\xb5\x4a\x53\xc7\x4a\xcd\xf9\x19\x1f\x86\x84\xec\x2f\x43\xec\x6a\xcc\x0b\x67\x2b\x3b\xb5\x13\x21\x72\xa6\x87\x94\x41", 8192); *(uint64_t*)0x200000005c40 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x50; *(uint32_t*)0x200000002c44 = 0; *(uint64_t*)0x200000002c48 = 3; *(uint32_t*)0x200000002c50 = 7; *(uint32_t*)0x200000002c54 = 0x2d; *(uint32_t*)0x200000002c58 = 9; *(uint32_t*)0x200000002c5c = 0xa; *(uint16_t*)0x200000002c60 = 6; *(uint16_t*)0x200000002c62 = 0; *(uint32_t*)0x200000002c64 = 9; *(uint32_t*)0x200000002c68 = 0x57b; *(uint16_t*)0x200000002c6c = 0; *(uint16_t*)0x200000002c6e = 0; *(uint32_t*)0x200000002c70 = 2; *(uint32_t*)0x200000002c74 = 7; memset((void*)0x200000002c78, 0, 24); *(uint64_t*)0x200000005c48 = 0x200000002cc0; *(uint32_t*)0x200000002cc0 = 0x18; *(uint32_t*)0x200000002cc4 = 0; *(uint64_t*)0x200000002cc8 = 8; *(uint64_t*)0x200000002cd0 = 6; *(uint64_t*)0x200000005c50 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0x18; *(uint32_t*)0x200000002d04 = 0; *(uint64_t*)0x200000002d08 = 0xa; *(uint64_t*)0x200000002d10 = 1; *(uint64_t*)0x200000005c58 = 0x200000002d40; *(uint32_t*)0x200000002d40 = 0x18; *(uint32_t*)0x200000002d44 = 0; *(uint64_t*)0x200000002d48 = -1; *(uint32_t*)0x200000002d50 = 6; *(uint32_t*)0x200000002d54 = 0; *(uint64_t*)0x200000005c60 = 0x200000002d80; *(uint32_t*)0x200000002d80 = 0x18; *(uint32_t*)0x200000002d84 = 0; *(uint64_t*)0x200000002d88 = 0x80000001; *(uint32_t*)0x200000002d90 = 3; *(uint32_t*)0x200000002d94 = 0; *(uint64_t*)0x200000005c68 = 0x200000002dc0; *(uint32_t*)0x200000002dc0 = 0x28; *(uint32_t*)0x200000002dc4 = 0xfffffffe; *(uint64_t*)0x200000002dc8 = 6; *(uint64_t*)0x200000002dd0 = 9; *(uint64_t*)0x200000002dd8 = 1; *(uint32_t*)0x200000002de0 = 2; *(uint32_t*)0x200000002de4 = r[5]; *(uint64_t*)0x200000005c70 = 0x200000002e00; *(uint32_t*)0x200000002e00 = 0x60; *(uint32_t*)0x200000002e04 = 0xffffffda; *(uint64_t*)0x200000002e08 = 0xfff; *(uint64_t*)0x200000002e10 = 5; *(uint64_t*)0x200000002e18 = 0; *(uint64_t*)0x200000002e20 = 3; *(uint64_t*)0x200000002e28 = 1; *(uint64_t*)0x200000002e30 = 0x100; *(uint32_t*)0x200000002e38 = 8; *(uint32_t*)0x200000002e3c = 4; *(uint32_t*)0x200000002e40 = 4; *(uint32_t*)0x200000002e44 = 0; memset((void*)0x200000002e48, 0, 24); *(uint64_t*)0x200000005c78 = 0x200000002e80; *(uint32_t*)0x200000002e80 = 0x18; *(uint32_t*)0x200000002e84 = 0; *(uint64_t*)0x200000002e88 = 5; *(uint32_t*)0x200000002e90 = 1; *(uint32_t*)0x200000002e94 = 0; *(uint64_t*)0x200000005c80 = 0x200000002ec0; *(uint32_t*)0x200000002ec0 = 0x12; *(uint32_t*)0x200000002ec4 = 0; *(uint64_t*)0x200000002ec8 = 0x93; memcpy((void*)0x200000002ed0, "-\000", 2); *(uint64_t*)0x200000005c88 = 0x200000002f00; *(uint32_t*)0x200000002f00 = 0x20; *(uint32_t*)0x200000002f04 = 0; *(uint64_t*)0x200000002f08 = 3; *(uint64_t*)0x200000002f10 = 0; *(uint32_t*)0x200000002f18 = 5; *(uint32_t*)0x200000002f1c = 0; *(uint64_t*)0x200000005c90 = 0x200000003140; *(uint32_t*)0x200000003140 = 0x78; *(uint32_t*)0x200000003144 = 0xffffffda; *(uint64_t*)0x200000003148 = 2; *(uint64_t*)0x200000003150 = 5; *(uint32_t*)0x200000003158 = 0x30c; *(uint32_t*)0x20000000315c = 0; *(uint64_t*)0x200000003160 = 3; *(uint64_t*)0x200000003168 = 0x1ff; *(uint64_t*)0x200000003170 = 6; *(uint64_t*)0x200000003178 = 8; *(uint64_t*)0x200000003180 = 3; *(uint64_t*)0x200000003188 = 0; *(uint32_t*)0x200000003190 = 0x400; *(uint32_t*)0x200000003194 = 0x400; *(uint32_t*)0x200000003198 = 0x362b; *(uint32_t*)0x20000000319c = 0x2000; *(uint32_t*)0x2000000031a0 = 5; *(uint32_t*)0x2000000031a4 = r[8]; *(uint32_t*)0x2000000031a8 = r[9]; *(uint32_t*)0x2000000031ac = 0; *(uint32_t*)0x2000000031b0 = 2; *(uint32_t*)0x2000000031b4 = 0; *(uint64_t*)0x200000005c98 = 0x200000003240; *(uint32_t*)0x200000003240 = 0x90; *(uint32_t*)0x200000003244 = 0; *(uint64_t*)0x200000003248 = 0x8001; *(uint64_t*)0x200000003250 = 2; *(uint64_t*)0x200000003258 = 1; *(uint64_t*)0x200000003260 = 0x7fffffff; *(uint64_t*)0x200000003268 = 9; *(uint32_t*)0x200000003270 = 0xc0; *(uint32_t*)0x200000003274 = 7; *(uint64_t*)0x200000003278 = 1; *(uint64_t*)0x200000003280 = 0xffffffff; *(uint64_t*)0x200000003288 = 8; *(uint64_t*)0x200000003290 = 7; *(uint64_t*)0x200000003298 = 0xfffffffffffff801; *(uint64_t*)0x2000000032a0 = 2; *(uint32_t*)0x2000000032a8 = 8; *(uint32_t*)0x2000000032ac = 0x1ee; *(uint32_t*)0x2000000032b0 = 0xff; *(uint32_t*)0x2000000032b4 = 0xc000; *(uint32_t*)0x2000000032b8 = 0xf; *(uint32_t*)0x2000000032bc = r[10]; *(uint32_t*)0x2000000032c0 = 0; *(uint32_t*)0x2000000032c4 = 0xac; *(uint32_t*)0x2000000032c8 = 4; *(uint32_t*)0x2000000032cc = 0; *(uint64_t*)0x200000005ca0 = 0x200000003300; *(uint32_t*)0x200000003300 = 0xb8; *(uint32_t*)0x200000003304 = 0; *(uint64_t*)0x200000003308 = 4; *(uint64_t*)0x200000003310 = 1; *(uint64_t*)0x200000003318 = 2; *(uint32_t*)0x200000003320 = 1; *(uint32_t*)0x200000003324 = 0x101; memset((void*)0x200000003328, 123, 1); *(uint64_t*)0x200000003330 = 6; *(uint64_t*)0x200000003338 = 8; *(uint32_t*)0x200000003340 = 0x12; *(uint32_t*)0x200000003344 = 0xffd; memcpy((void*)0x200000003348, "./cgroup.net/syz1\000", 18); *(uint64_t*)0x200000003360 = 2; *(uint64_t*)0x200000003368 = 2; *(uint32_t*)0x200000003370 = 4; *(uint32_t*)0x200000003374 = 0; memcpy((void*)0x200000003378, "!\']!", 4); *(uint64_t*)0x200000003380 = 2; *(uint64_t*)0x200000003388 = 0; *(uint32_t*)0x200000003390 = 0; *(uint32_t*)0x200000003394 = 0; *(uint64_t*)0x200000003398 = 6; *(uint64_t*)0x2000000033a0 = 0x400; *(uint32_t*)0x2000000033a8 = 4; *(uint32_t*)0x2000000033ac = 0x3006bd82; memcpy((void*)0x2000000033b0, "\322}$/", 4); *(uint64_t*)0x200000005ca8 = 0x200000004f40; *(uint32_t*)0x200000004f40 = 0x538; *(uint32_t*)0x200000004f44 = 0; *(uint64_t*)0x200000004f48 = 0x200; *(uint64_t*)0x200000004f50 = 4; *(uint64_t*)0x200000004f58 = 0; *(uint64_t*)0x200000004f60 = 8; *(uint64_t*)0x200000004f68 = 0xe9; *(uint32_t*)0x200000004f70 = 8; *(uint32_t*)0x200000004f74 = 0x8f62; *(uint64_t*)0x200000004f78 = 6; *(uint64_t*)0x200000004f80 = 9; *(uint64_t*)0x200000004f88 = 0xffffffff; *(uint64_t*)0x200000004f90 = 0x9b; *(uint64_t*)0x200000004f98 = 0; *(uint64_t*)0x200000004fa0 = 0x8000; *(uint32_t*)0x200000004fa8 = 0; *(uint32_t*)0x200000004fac = 0x400; *(uint32_t*)0x200000004fb0 = 0xef0; *(uint32_t*)0x200000004fb4 = 0xa000; *(uint32_t*)0x200000004fb8 = 0x10; *(uint32_t*)0x200000004fbc = r[11]; *(uint32_t*)0x200000004fc0 = r[13]; *(uint32_t*)0x200000004fc4 = 3; *(uint32_t*)0x200000004fc8 = 3; *(uint32_t*)0x200000004fcc = 0; *(uint64_t*)0x200000004fd0 = 2; *(uint64_t*)0x200000004fd8 = 0x9f3; *(uint32_t*)0x200000004fe0 = 5; *(uint32_t*)0x200000004fe4 = 4; memset((void*)0x200000004fe8, 170, 5); *(uint64_t*)0x200000004ff0 = 4; *(uint64_t*)0x200000004ff8 = 1; *(uint64_t*)0x200000005000 = 1; *(uint64_t*)0x200000005008 = 2; *(uint32_t*)0x200000005010 = 0x100; *(uint32_t*)0x200000005014 = 0xdde0; *(uint64_t*)0x200000005018 = 3; *(uint64_t*)0x200000005020 = 0x401; *(uint64_t*)0x200000005028 = 5; *(uint64_t*)0x200000005030 = 0xef; *(uint64_t*)0x200000005038 = 4; *(uint64_t*)0x200000005040 = 0xff; *(uint32_t*)0x200000005048 = 0xf; *(uint32_t*)0x20000000504c = 0x94; *(uint32_t*)0x200000005050 = 4; *(uint32_t*)0x200000005054 = 0x6000; *(uint32_t*)0x200000005058 = 0x4a; *(uint32_t*)0x20000000505c = r[14]; *(uint32_t*)0x200000005060 = r[15]; *(uint32_t*)0x200000005064 = 0x40; *(uint32_t*)0x200000005068 = 0x81; *(uint32_t*)0x20000000506c = 0; *(uint64_t*)0x200000005070 = 0; *(uint64_t*)0x200000005078 = 2; *(uint32_t*)0x200000005080 = 6; *(uint32_t*)0x200000005084 = 0xf; memset((void*)0x200000005088, 1, 6); *(uint64_t*)0x200000005090 = 3; *(uint64_t*)0x200000005098 = 2; *(uint64_t*)0x2000000050a0 = 3; *(uint64_t*)0x2000000050a8 = 0x7b; *(uint32_t*)0x2000000050b0 = 3; *(uint32_t*)0x2000000050b4 = 0; *(uint64_t*)0x2000000050b8 = 4; *(uint64_t*)0x2000000050c0 = 9; *(uint64_t*)0x2000000050c8 = 0x692c; *(uint64_t*)0x2000000050d0 = 7; *(uint64_t*)0x2000000050d8 = 3; *(uint64_t*)0x2000000050e0 = 0; *(uint32_t*)0x2000000050e8 = 0x80000000; *(uint32_t*)0x2000000050ec = 2; *(uint32_t*)0x2000000050f0 = 6; *(uint32_t*)0x2000000050f4 = 0x6000; *(uint32_t*)0x2000000050f8 = 0; *(uint32_t*)0x2000000050fc = r[17]; *(uint32_t*)0x200000005100 = r[18]; *(uint32_t*)0x200000005104 = 0xfffffbff; *(uint32_t*)0x200000005108 = 0; *(uint32_t*)0x20000000510c = 0; *(uint64_t*)0x200000005110 = 1; *(uint64_t*)0x200000005118 = 0x100000000; *(uint32_t*)0x200000005120 = 0x12; *(uint32_t*)0x200000005124 = 0; memcpy((void*)0x200000005128, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005140 = 6; *(uint64_t*)0x200000005148 = 1; *(uint64_t*)0x200000005150 = 0x80000000; *(uint64_t*)0x200000005158 = 1; *(uint32_t*)0x200000005160 = 9; *(uint32_t*)0x200000005164 = 9; *(uint64_t*)0x200000005168 = 4; *(uint64_t*)0x200000005170 = 0x400; *(uint64_t*)0x200000005178 = 9; *(uint64_t*)0x200000005180 = 9; *(uint64_t*)0x200000005188 = 0x4c4; *(uint64_t*)0x200000005190 = 0xc; *(uint32_t*)0x200000005198 = 0x8000; *(uint32_t*)0x20000000519c = 0; *(uint32_t*)0x2000000051a0 = 0xf; *(uint32_t*)0x2000000051a4 = 0xc000; *(uint32_t*)0x2000000051a8 = 6; *(uint32_t*)0x2000000051ac = r[20]; *(uint32_t*)0x2000000051b0 = r[21]; *(uint32_t*)0x2000000051b4 = 0x99df; *(uint32_t*)0x2000000051b8 = 2; *(uint32_t*)0x2000000051bc = 0; *(uint64_t*)0x2000000051c0 = 5; *(uint64_t*)0x2000000051c8 = 8; *(uint32_t*)0x2000000051d0 = 0x12; *(uint32_t*)0x2000000051d4 = 2; memcpy((void*)0x2000000051d8, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x2000000051f0 = 5; *(uint64_t*)0x2000000051f8 = 1; *(uint64_t*)0x200000005200 = 4; *(uint64_t*)0x200000005208 = 0xffffffff; *(uint32_t*)0x200000005210 = 0; *(uint32_t*)0x200000005214 = 6; *(uint64_t*)0x200000005218 = 3; *(uint64_t*)0x200000005220 = 0; *(uint64_t*)0x200000005228 = 9; *(uint64_t*)0x200000005230 = 0x2c3d; *(uint64_t*)0x200000005238 = 6; *(uint64_t*)0x200000005240 = 0x479; *(uint32_t*)0x200000005248 = 6; *(uint32_t*)0x20000000524c = 5; *(uint32_t*)0x200000005250 = 0x7aa; *(uint32_t*)0x200000005254 = 0x2000; *(uint32_t*)0x200000005258 = 0x4a0b; *(uint32_t*)0x20000000525c = r[22]; *(uint32_t*)0x200000005260 = 0; *(uint32_t*)0x200000005264 = 0xffff; *(uint32_t*)0x200000005268 = 8; *(uint32_t*)0x20000000526c = 0; *(uint64_t*)0x200000005270 = 3; *(uint64_t*)0x200000005278 = 9; *(uint32_t*)0x200000005280 = 1; *(uint32_t*)0x200000005284 = 0x1ff; memset((void*)0x200000005288, 36, 1); *(uint64_t*)0x200000005290 = 5; *(uint64_t*)0x200000005298 = 1; *(uint64_t*)0x2000000052a0 = 0x10000; *(uint64_t*)0x2000000052a8 = 0xd; *(uint32_t*)0x2000000052b0 = 1; *(uint32_t*)0x2000000052b4 = 5; *(uint64_t*)0x2000000052b8 = 3; *(uint64_t*)0x2000000052c0 = 0xa967; *(uint64_t*)0x2000000052c8 = 3; *(uint64_t*)0x2000000052d0 = 0; *(uint64_t*)0x2000000052d8 = 0x200; *(uint64_t*)0x2000000052e0 = 0x8b8; *(uint32_t*)0x2000000052e8 = 8; *(uint32_t*)0x2000000052ec = 1; *(uint32_t*)0x2000000052f0 = 6; *(uint32_t*)0x2000000052f4 = 0x4000; *(uint32_t*)0x2000000052f8 = 8; *(uint32_t*)0x2000000052fc = 0xee00; *(uint32_t*)0x200000005300 = 0; *(uint32_t*)0x200000005304 = 2; *(uint32_t*)0x200000005308 = 1; *(uint32_t*)0x20000000530c = 0; *(uint64_t*)0x200000005310 = 3; *(uint64_t*)0x200000005318 = 0; *(uint32_t*)0x200000005320 = 0x12; *(uint32_t*)0x200000005324 = 5; memcpy((void*)0x200000005328, "bpf_lsm_path_link\000", 18); *(uint64_t*)0x200000005340 = 3; *(uint64_t*)0x200000005348 = 3; *(uint64_t*)0x200000005350 = 2; *(uint64_t*)0x200000005358 = 0x3d5; *(uint32_t*)0x200000005360 = 0; *(uint32_t*)0x200000005364 = 0x1000; *(uint64_t*)0x200000005368 = 4; *(uint64_t*)0x200000005370 = 5; *(uint64_t*)0x200000005378 = 0; *(uint64_t*)0x200000005380 = 2; *(uint64_t*)0x200000005388 = 0x7f; *(uint64_t*)0x200000005390 = 0xd; *(uint32_t*)0x200000005398 = 0xfffffffa; *(uint32_t*)0x20000000539c = 0x117; *(uint32_t*)0x2000000053a0 = 6; *(uint32_t*)0x2000000053a4 = 0x2000; *(uint32_t*)0x2000000053a8 = 0x3ff; *(uint32_t*)0x2000000053ac = r[23]; *(uint32_t*)0x2000000053b0 = r[24]; *(uint32_t*)0x2000000053b4 = 0xb737; *(uint32_t*)0x2000000053b8 = 0xd; *(uint32_t*)0x2000000053bc = 0; *(uint64_t*)0x2000000053c0 = 5; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff8; *(uint32_t*)0x2000000053d0 = 6; *(uint32_t*)0x2000000053d4 = 8; memset((void*)0x2000000053d8, 255, 6); *(uint64_t*)0x2000000053e0 = 5; *(uint64_t*)0x2000000053e8 = 3; *(uint64_t*)0x2000000053f0 = 8; *(uint64_t*)0x2000000053f8 = 0xd; *(uint32_t*)0x200000005400 = 0x8000; *(uint32_t*)0x200000005404 = 0x7ff; *(uint64_t*)0x200000005408 = 1; *(uint64_t*)0x200000005410 = 5; *(uint64_t*)0x200000005418 = 4; *(uint64_t*)0x200000005420 = 0xfffffffffffffffd; *(uint64_t*)0x200000005428 = 0; *(uint64_t*)0x200000005430 = 0xd; *(uint32_t*)0x200000005438 = 7; *(uint32_t*)0x20000000543c = 4; *(uint32_t*)0x200000005440 = 0xef; *(uint32_t*)0x200000005444 = 0x8000; *(uint32_t*)0x200000005448 = 7; *(uint32_t*)0x20000000544c = r[25]; *(uint32_t*)0x200000005450 = r[26]; *(uint32_t*)0x200000005454 = 8; *(uint32_t*)0x200000005458 = 3; *(uint32_t*)0x20000000545c = 0; *(uint64_t*)0x200000005460 = 2; *(uint64_t*)0x200000005468 = 1; *(uint32_t*)0x200000005470 = 0; *(uint32_t*)0x200000005474 = 7; *(uint64_t*)0x200000005cb0 = 0x200000005700; *(uint32_t*)0x200000005700 = 0xa0; *(uint32_t*)0x200000005704 = 0; *(uint64_t*)0x200000005708 = 0x73f5b767; *(uint64_t*)0x200000005710 = 5; *(uint64_t*)0x200000005718 = 2; *(uint64_t*)0x200000005720 = 5; *(uint64_t*)0x200000005728 = 0x8001; *(uint32_t*)0x200000005730 = 0x4c3; *(uint32_t*)0x200000005734 = 2; *(uint64_t*)0x200000005738 = 5; *(uint64_t*)0x200000005740 = 7; *(uint64_t*)0x200000005748 = 0x800; *(uint64_t*)0x200000005750 = 5; *(uint64_t*)0x200000005758 = 0xa; *(uint64_t*)0x200000005760 = 0x1000; *(uint32_t*)0x200000005768 = 0x7f; *(uint32_t*)0x20000000576c = 9; *(uint32_t*)0x200000005770 = 6; *(uint32_t*)0x200000005774 = 0x1000; *(uint32_t*)0x200000005778 = 0; *(uint32_t*)0x20000000577c = r[27]; *(uint32_t*)0x200000005780 = -1; *(uint32_t*)0x200000005784 = 8; *(uint32_t*)0x200000005788 = 0x18; *(uint32_t*)0x20000000578c = 0; *(uint64_t*)0x200000005790 = 0; *(uint32_t*)0x200000005798 = 0xb; *(uint32_t*)0x20000000579c = 0; *(uint64_t*)0x200000005cb8 = 0x2000000057c0; *(uint32_t*)0x2000000057c0 = 0x20; *(uint32_t*)0x2000000057c4 = 0xfffffff5; *(uint64_t*)0x2000000057c8 = 0x100000001; *(uint32_t*)0x2000000057d0 = 1; *(uint32_t*)0x2000000057d4 = 0; *(uint32_t*)0x2000000057d8 = 9; *(uint32_t*)0x2000000057dc = 0x40000000; *(uint64_t*)0x200000005cc0 = 0x200000005b00; *(uint32_t*)0x200000005b00 = 0x130; *(uint32_t*)0x200000005b04 = 0; *(uint64_t*)0x200000005b08 = 0xffffffffffffff98; *(uint64_t*)0x200000005b10 = 2; *(uint32_t*)0x200000005b18 = 0xa; *(uint32_t*)0x200000005b1c = 0; memset((void*)0x200000005b20, 0, 16); *(uint32_t*)0x200000005b30 = 0x200; *(uint32_t*)0x200000005b34 = 9; *(uint64_t*)0x200000005b38 = 0x400; *(uint32_t*)0x200000005b40 = 0x200; *(uint32_t*)0x200000005b44 = r[28]; *(uint32_t*)0x200000005b48 = r[29]; *(uint16_t*)0x200000005b4c = 0x8000; memset((void*)0x200000005b4e, 0, 2); *(uint64_t*)0x200000005b50 = 3; *(uint64_t*)0x200000005b58 = 9; *(uint64_t*)0x200000005b60 = 5; *(uint64_t*)0x200000005b68 = 6; *(uint64_t*)0x200000005b70 = 0xefac; *(uint32_t*)0x200000005b78 = 9; *(uint32_t*)0x200000005b7c = 0; *(uint64_t*)0x200000005b80 = 8; *(uint32_t*)0x200000005b88 = 0x7f; *(uint32_t*)0x200000005b8c = 0; *(uint64_t*)0x200000005b90 = 0x635; *(uint32_t*)0x200000005b98 = 5; *(uint32_t*)0x200000005b9c = 0; *(uint64_t*)0x200000005ba0 = 0xf; *(uint32_t*)0x200000005ba8 = 9; *(uint32_t*)0x200000005bac = 0; *(uint32_t*)0x200000005bb0 = 0x8001; *(uint32_t*)0x200000005bb4 = 0xb; *(uint32_t*)0x200000005bb8 = 0xd; *(uint32_t*)0x200000005bbc = 0x4dc9; memset((void*)0x200000005bc0, 0, 112); syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000000c40, /*len=*/0x2000, /*res=*/0x200000005c40); break; case 37: memcpy((void*)0x200000005d00, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000005d00, /*fd=*/r[4]); break; case 38: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 39: *(uint32_t*)0x200000005d44 = 0xf86d; *(uint32_t*)0x200000005d48 = 4; *(uint32_t*)0x200000005d4c = 0; *(uint32_t*)0x200000005d50 = 0x11b; *(uint32_t*)0x200000005d58 = -1; memset((void*)0x200000005d5c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x2407, /*params=*/0x200000005d40, /*ring_params_ptr=*/0x200000005dc0, /*ring_ptr=*/0x200000005e00, /*sqes_ptr=*/0x200000005e40); if (res != -1) { r[30] = res; r[31] = *(uint64_t*)0x200000005dc0; } break; case 40: res = syscall(__NR_mmap, /*addr=*/0x200000ffd000ul, /*len=*/0x1000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ*/0x1000009ul, /*flags=MAP_POPULATE*/0x8000ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); if (res != -1) r[32] = res; break; case 41: res = -1; res = syz_io_uring_complete(/*ring_params_ptr=*/r[31], /*ring_ptr=*/r[32]); if (res != -1) r[33] = res; break; case 42: *(uint32_t*)0x200000005e84 = 0x64a3; *(uint32_t*)0x200000005e88 = 0x2006; *(uint32_t*)0x200000005e8c = 1; *(uint32_t*)0x200000005e90 = 0x3e2; *(uint32_t*)0x200000005e98 = r[30]; memset((void*)0x200000005e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x29b9, /*params=*/0x200000005e80, /*ring_params_ptr=*/0x200000005f00, /*ring_ptr=*/0x200000005f40, /*sqes_ptr=*/0x200000005f80); if (res != -1) { r[34] = *(uint64_t*)0x200000005f00; r[35] = *(uint64_t*)0x200000005f80; } break; case 43: syz_io_uring_modify_offsets(/*ring_params_ptr=*/r[34], /*ring_ptr=*/r[32], /*off=SQ_FLAGS_OFFSET*/0x38, /*value=*/0); break; case 44: *(uint32_t*)0x200000005fc4 = 0x1e2b; *(uint32_t*)0x200000005fc8 = 0x800; *(uint32_t*)0x200000005fcc = 1; *(uint32_t*)0x200000005fd0 = 0x2ab; *(uint32_t*)0x200000005fd8 = -1; memset((void*)0x200000005fdc, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x48a, /*params=*/0x200000005fc0, /*ring_params_ptr=*/0x200000006040, /*ring_ptr=*/0x200000006080, /*sqes_ptr=*/0x2000000060c0); if (res != -1) { r[36] = *(uint64_t*)0x200000006040; r[37] = *(uint64_t*)0x200000006080; } break; case 45: *(uint8_t*)0x200000006140 = 0xd; *(uint8_t*)0x200000006141 = 0x24; *(uint16_t*)0x200000006142 = 0; *(uint32_t*)0x200000006144 = r[33]; *(uint64_t*)0x200000006148 = 0x200000006100; *(uint32_t*)0x200000006100 = 0; *(uint64_t*)0x200000006150 = 0; *(uint32_t*)0x200000006158 = 0; *(uint32_t*)0x20000000615c = 0x81000; *(uint64_t*)0x200000006160 = 1; *(uint16_t*)0x200000006168 = 0; *(uint16_t*)0x20000000616a = 0; memset((void*)0x20000000616c, 0, 20); syz_io_uring_submit(/*ring_params_ptr=*/r[36], /*ring_ptr=*/r[37], /*sqes_ptr=*/r[35], /*sqe=*/0x200000006140); break; case 46: memset((void*)0x200000006180, 36, 1); memcpy((void*)0x200000006280, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xbd\xfd\x57\x7d\x9b\x71\x97\xf5\x66\x39\x3b\x22\x8c\xca\x01\xc4\x38\x5b\xaa\x7b\xb4\x18\xfa\x8f\x4f\x4d\x37\x3f\xe5\x8f\xb1\x57\xb4\x5a\x06\xce\x1a\xa0\xaa\xb1\x29\x2a\x2a\x28\x9e\xc8\x34\x63\x27\x86\x44\xd9\xa5\xc3\xb2\x41\x9a\xcc\x6b\xf9\xff\x6d\xed\xd3\x6c\x7c\x83\x8e\x89\xa7\x2a\x34\xad\xe9\x1f\x58\xe3\x7d\x88\x4b\xf0\xcb\xc4\x0d\xf6\xeb\x8a\xd5\x46\xea\xb7\x30\xf2\x0b\xeb\xa1\xd2\x1d\xed\xa9\xc9\xe1\x81\xc8\xd8\x66\xbf\xf9\x96\xc8\x56\x38\x86\xc1\xe0\x4f\x00\x2f\xcc\x94\x15\xcb\xc0\x94\xac\x5b\x1a\x44\x29\x80\xb1\x76\xbf\xf5\xd7\x5d\x34\x5e\x0a\x9a\xed\x89\x90\xa6\x46\xd0\xc9\x2e\x00\x1a\x91\xa3\x39\xa2\x30\x4c\x26\xc5\xc0\x00\x00\x00\x00\x00\x00\x00\x00", 208); syz_kfuzztest_run(/*name=*/0x200000006180, /*data=*/0x2000000061c0, /*len=*/0xd0, /*buf=*/0x200000006280); break; case 47: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[33], /*usermem=*/0x200000c00000); if (res != -1) r[38] = res; break; case 48: *(uint64_t*)0x200000016800 = 0; *(uint64_t*)0x200000016808 = 0x200000016280; *(uint64_t*)0x200000016280 = 0x17f; *(uint64_t*)0x200000016288 = 0x10; *(uint64_t*)0x200000016290 = 0x17d; *(uint64_t*)0x200000016298 = 0x20; *(uint64_t*)0x2000000162a0 = 0x58000; *(uint64_t*)0x2000000162a8 = 0x50df; *(uint64_t*)0x2000000162b0 = 0x182; *(uint64_t*)0x2000000162b8 = 0x18; *(uint64_t*)0x2000000162c0 = 2; *(uint64_t*)0x2000000162c8 = 0x12d; *(uint64_t*)0x2000000162d0 = 0x18; *(uint64_t*)0x2000000162d8 = 3; *(uint64_t*)0x2000000162e0 = 0x64; *(uint64_t*)0x2000000162e8 = 0x18; *(uint32_t*)0x2000000162f0 = 0xf; *(uint32_t*)0x2000000162f4 = 0x9a97; *(uint64_t*)0x2000000162f8 = 0x17d; *(uint64_t*)0x200000016300 = 0x20; *(uint64_t*)0x200000016308 = 0xfec00000; *(uint64_t*)0x200000016310 = 0x1781; *(uint64_t*)0x200000016318 = 0x17d; *(uint64_t*)0x200000016320 = 0x20; *(uint64_t*)0x200000016328 = 0x1000; *(uint64_t*)0x200000016330 = 0x691; *(uint64_t*)0x200000016338 = 0x182; *(uint64_t*)0x200000016340 = 0x18; *(uint64_t*)0x200000016348 = 3; *(uint64_t*)0x200000016350 = 0x17f; *(uint64_t*)0x200000016358 = 0x10; *(uint64_t*)0x200000016360 = 0x12e; *(uint64_t*)0x200000016368 = 0x79; *(uint64_t*)0x200000016370 = 0; memcpy((void*)0x200000016378, "\x67\x47\x0f\x48\x7f\x05\x41\x0f\xc7\x28\x0f\x20\xd8\x35\x08\x00\x00\x00\x0f\x22\xd8\x8f\x29\x78\xcb\x3d\x08\x00\x00\x00\x0f\x20\xc0\x35\x04\x00\x00\x00\x0f\x22\xc0\xc7\x44\x24\x00\xd0\xf6\x00\x00\xc7\x44\x24\x02\x00\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24\x0f\x00\x95\xbf\xfb\x00\x00\xb9\x8b\x00\x00\x00\x0f\x32\x43\x0f\x01\xf8\x36\x3e\x3e\x66\x44\x0f\x38\x3c\x6e\x0e", 97); *(uint64_t*)0x2000000163d9 = 0x182; *(uint64_t*)0x2000000163e1 = 0x18; *(uint64_t*)0x2000000163e9 = 0; *(uint64_t*)0x2000000163f1 = 0x17d; *(uint64_t*)0x2000000163f9 = 0x20; *(uint64_t*)0x200000016401 = 1; *(uint64_t*)0x200000016409 = 0x2a0c; *(uint64_t*)0x200000016411 = 0x17c; *(uint64_t*)0x200000016419 = 0x38; *(uint64_t*)0x200000016421 = 0; *(uint64_t*)0x200000016429 = 0x4a9; *(uint64_t*)0x200000016431 = 5; *(uint64_t*)0x200000016439 = 0xffffffff80000001; *(uint64_t*)0x200000016441 = 0xd; *(uint64_t*)0x200000016449 = 0x130; *(uint64_t*)0x200000016451 = 0x18; *(uint64_t*)0x200000016459 = 1; *(uint64_t*)0x200000016461 = 0x181; *(uint64_t*)0x200000016469 = 0x30; *(uint64_t*)0x200000016471 = 3; *(uint64_t*)0x200000016479 = 0xff; *(uint64_t*)0x200000016481 = 1; *(uint64_t*)0x200000016489 = 1; *(uint64_t*)0x200000016491 = 0x130; *(uint64_t*)0x200000016499 = 0x18; *(uint64_t*)0x2000000164a1 = 2; *(uint64_t*)0x2000000164a9 = 0x65; *(uint64_t*)0x2000000164b1 = 0x20; *(uint64_t*)0x2000000164b9 = 0xc001103a; *(uint64_t*)0x2000000164c1 = 0; *(uint64_t*)0x2000000164c9 = 0xa; *(uint64_t*)0x2000000164d1 = 0x64; memcpy((void*)0x2000000164d9, "\xc4\xa1\xf9\xe6\x53\x00\x66\xba\xf8\x0c\xb8\x3c\x05\x0c\x8a\xef\x66\xba\xfc\x0c\xb0\xea\xee\xc4\x01\x7a\x70\x5e\x47\x02\x36\x0f\x01\xc9\xb8\x05\x00\x00\x00\xb9\x00\x00\x01\x00\x0f\x01\xd9\xc4\x82\x99\xf7\x74\xfd\x26\xb9\x49\x03\x00\x00\x0f\x32\xc4\xc1\x15\xfa\xba\x67\x36\xc9\x58\xb8\x01\x00\x00\x00\x0f\x01\xc1\x64\x43\x0f\x01\xca", 83); *(uint8_t*)0x20000001652c = 0xc3; *(uint64_t*)0x20000001652d = 0x6a; *(uint64_t*)0x200000016535 = 0x28; *(uint64_t*)0x20000001653d = 0xb7cb; *(uint64_t*)0x200000016545 = 1; *(uint64_t*)0x20000001654d = 9; *(uint64_t*)0x200000016555 = 0x136; *(uint64_t*)0x20000001655d = 0x58; *(uint64_t*)0x200000016565 = 2; *(uint64_t*)0x20000001656d = 2; *(uint64_t*)0x200000016575 = 0x154; *(uint64_t*)0x20000001657d = 0x38; *(uint64_t*)0x200000016585 = 2; *(uint64_t*)0x20000001658d = 0x2006; *(uint64_t*)0x200000016595 = 6; *(uint64_t*)0x20000001659d = 0xdd07; *(uint64_t*)0x2000000165a5 = 5; *(uint64_t*)0x2000000165ad = 0; *(uint64_t*)0x2000000165b5 = 0x18; *(uint64_t*)0x2000000165bd = 8; *(uint64_t*)0x2000000165c5 = 0x136; *(uint64_t*)0x2000000165cd = 0x80; *(uint64_t*)0x2000000165d5 = 0; *(uint64_t*)0x2000000165dd = 0x1ff; *(uint64_t*)0x2000000165e5 = 0xc8; *(uint64_t*)0x2000000165ed = 0x20; *(uint64_t*)0x2000000165f5 = 0x6a; *(uint64_t*)0x2000000165fd = 0; *(uint64_t*)0x200000016605 = 0x17e; *(uint64_t*)0x20000001660d = 0x10; *(uint64_t*)0x200000016615 = 0x17f; *(uint64_t*)0x20000001661d = 0x10; *(uint64_t*)0x200000016625 = 0xc8; *(uint64_t*)0x20000001662d = 0x20; *(uint64_t*)0x200000016635 = 0x76; *(uint64_t*)0x20000001663d = 1; *(uint64_t*)0x200000016645 = 0x183; *(uint64_t*)0x20000001664d = 0x18; *(uint64_t*)0x200000016655 = 3; *(uint64_t*)0x20000001665d = 0xc8; *(uint64_t*)0x200000016665 = 0x20; *(uint64_t*)0x20000001666d = 0xcd; *(uint64_t*)0x200000016675 = 2; *(uint64_t*)0x20000001667d = 0x180; *(uint64_t*)0x200000016685 = 0x38; *(uint64_t*)0x20000001668d = 2; *(uint64_t*)0x200000016695 = 0x96; *(uint64_t*)0x20000001669d = 2; *(uint64_t*)0x2000000166a5 = 9; *(uint64_t*)0x2000000166ad = 2; *(uint64_t*)0x2000000166b5 = 0x64; *(uint64_t*)0x2000000166bd = 0x18; *(uint32_t*)0x2000000166c5 = 1; *(uint32_t*)0x2000000166c9 = 0xffff; *(uint64_t*)0x2000000166cd = 0xa; *(uint64_t*)0x2000000166d5 = 0x6c; memcpy((void*)0x2000000166dd, "\x41\x0f\x01\x3a\xc7\x44\x24\x00\x72\x00\x00\x00\xc7\x44\x24\x02\x03\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xc7\x44\x24\x00\xc7\xd2\xb5\x38\xc7\x44\x24\x02\x39\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\xb8\x01\x00\x00\x00\x0f\x01\xc1\x40\x0f\x79\x16\x66\xb8\xbc\x00\x8e\xc0\x26\x44\x0f\x01\xc5\x41\x0f\x01\xd0\x0f\x08\x0f\x09", 91); *(uint8_t*)0x200000016738 = 0xc3; *(uint64_t*)0x200000016739 = 0x180; *(uint64_t*)0x200000016741 = 0x38; *(uint64_t*)0x200000016749 = 1; *(uint64_t*)0x200000016751 = 0xa2; *(uint64_t*)0x200000016759 = 3; *(uint64_t*)0x200000016761 = 0x40; *(uint64_t*)0x200000016769 = 3; *(uint64_t*)0x200000016771 = 0x67; *(uint64_t*)0x200000016779 = 0x20; *(uint64_t*)0x200000016781 = 2; *(uint64_t*)0x200000016789 = 0; *(uint64_t*)0x200000016791 = 0x181; *(uint64_t*)0x200000016799 = 0x30; *(uint64_t*)0x2000000167a1 = 1; *(uint64_t*)0x2000000167a9 = 8; *(uint64_t*)0x2000000167b1 = 1; *(uint64_t*)0x2000000167b9 = 1; *(uint64_t*)0x200000016810 = 0x541; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[38], /*text=*/0x200000016800); if (res != -1) r[39] = res; break; case 49: res = syscall(__NR_mmap, /*addr=*/0x200000ffa000ul, /*len=*/0ul, /*prot=*/0ul, /*flags=MAP_SHARED*/1ul, /*cpufd=*/r[39], /*offset=*/0ul); if (res != -1) r[40] = res; break; case 50: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[40], /*exitcode=*/4); break; case 51: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[33], /*run=*/r[40], /*exitcode=*/6); break; case 52: *(uint64_t*)0x200000016840 = 0x1000; res = syscall(__NR_socketcall, /*call=*/0xful, /*args=*/0x200000016840ul); if (res != -1) r[41] = res; break; case 53: *(uint64_t*)0x200000016ac0 = 0; *(uint64_t*)0x200000016ac8 = 0x200000016880; memcpy((void*)0x200000016880, "\xa6\x00\xc0\x7f\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x05\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x05\x00\xf7\x62\x00\x00\x00\x3f\x00\x00\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x09\x00\xf7\x62\x00\x00\x00\x3f\xa3\x20\x18\x63\x00\x00\x17\x93\x00\x00\xe0\x3e\x00\x00\xf7\x62\x04\x00\xf7\x7a\x00\x00\xf7\x66\x0d\x00\xf7\x62\xff\xff\x00\x3f\x4b\x45\x18\x63\x00\x00\x17\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x05\x00\x84\x60\x22\x00\x00\x44\xe4\x03\x00\x7c\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x03\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x5b\x92\x00\x60\x00\x00\x20\x3c\x00\x00\x21\x60\x00\x00\x20\x90\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x5b\x92\x84\x60\x22\x00\x00\x44\x88\x9c\x7f\x13\x85\x79\x3c\x11\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xef\x63\x60\xae\x43\x80\x3c\x0b\x69\x84\x60\x04\x00\x84\x78\x32\xd2\x84\x64\x64\xab\x84\x60\x9f\x20\xa0\x3c\xa8\xed\xa5\x60\x04\x00\xa5\x78\xb6\x40\xa5\x64\xb1\xf3\xa5\x60\x72\x95\xc0\x3c\xe2\xa3\xc6\x60\x04\x00\xc6\x78\x0a\xb5\xc6\x64\xb4\x56\xc6\x60\x7a\xf7\xe0\x3c\x4f\x1e\xe7\x60\x04\x00\xe7\x78\x6d\xaf\xe7\x64\x73\x5d\xe7\x60\x6e\xd4\x00\x3d\xea\x68\x08\x61\x04\x00\x08\x79\x84\x3e\x08\x65\x2b\x1e\x08\x61\x0f\x08\x20\x3d\x57\x99\x29\x61\x04\x00\x29\x79\x2e\xa5\x29\x65\xa3\x3a\x29\x61\x10\xda\x40\x3d\x21\xf4\x4a\x61\x04\x00\x4a\x79\x6b\x7d\x4a\x65\x1a\xc9\x4a\x61\x7a\xd9\x60\x3d\x84\x78\x6b\x61\x04\x00\x6b\x79\xf9\xf1\x6b\x65\x62\xee\x6b\x61\x22\x00\x00\x44\x8c\x30\x80\x3d\xde\x99\x8c\x61\x04\x00\x8c\x79\xc3\x84\x8c\x65\xc4\x00\x8c\x61\x42\x7e\xf3\x13\x08\xdb\x47\xfd\x63\x10\xe0\x3f\xa7\x1c\xff\x63\x04\x00\xff\x7b\x58\x16\xff\x67\x60\xa0\xff\x63\x26\xff\xa1\x7f", 532); *(uint64_t*)0x200000016ad0 = 0x214; *(uint64_t*)0x200000016b00 = 1; *(uint64_t*)0x200000016b08 = 9; syz_kvm_setup_cpu(/*fd=*/r[33], /*cpufd=*/r[41], /*usermem=*/0x200000efc000, /*text=*/0x200000016ac0, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PR*/8, /*opts=*/0x200000016b00, /*nopt=*/1); break; case 54: syz_kvm_setup_syzos_vm(/*fd=*/r[41], /*usermem=*/0x200000c00000); break; case 55: memcpy((void*)0x200000016b40, "\xe5\xb3\x1e\x15\x1b\x44\xd5\xa7\xe6\xd4\x31\x8c\x23\x84\x1c\xad\x91\x1c\xec\x23\xf0\xd3\x9a\x4b\xed\x97\x7a\x0a\x13\xd9\xf9\xd1\x06\xf5\x92\xbf\x97\xea\x28\xb0\x48\xc1\x76\x41\x55\xa6\x98\xd4\x13\xbe\x97\x12\xcc\xb2\x98\xc0\xb8\x9c\xa6\x70\x76\xbe\x69\xd8\x34\x91\xff\x71\xbc\x77\x33\xd0", 72); syz_memcpy_off(/*dst=*/r[40], /*off=*/0x20, /*src=*/0x200000016b40, /*src_off=*/0, /*nbytes=*/0x48); break; case 56: memcpy((void*)0x200000016bc0, "adfs\000", 5); memcpy((void*)0x200000016c00, "./file1\000", 8); memcpy((void*)0x200000016c40, "othmask", 7); *(uint8_t*)0x200000016c47 = 0x3d; sprintf((char*)0x200000016c48, "%023llo", (long long)6); *(uint8_t*)0x200000016c5f = 0x2c; memcpy((void*)0x200000016c60, "uid", 3); *(uint8_t*)0x200000016c63 = 0x3d; sprintf((char*)0x200000016c64, "0x%016llx", (long long)r[12]); *(uint8_t*)0x200000016c76 = 0x2c; memcpy((void*)0x200000016c77, "smackfstransmute", 16); *(uint8_t*)0x200000016c87 = 0x3d; memcpy((void*)0x200000016c88, "wlan1\000", 6); *(uint8_t*)0x200000016c8e = 0x2c; *(uint8_t*)0x200000016c8f = 0; memcpy((void*)0x200000016cc0, "\x78\x9c\x00\x00\x10\xff\xef\xe0\xf3\x2e\xee\x67\x26\x57\xd8\xe1\x2f\x0d\xef\x1e\xdc\xec\x7d\x6e\xe8\xb8\x00\xf9\xec\x5d\xce\xfa\x4e\x2f\x34\x00\xaf\xbf\xeb\x7c\xd1\x40\x1d\xf9\xc0\xa3\x6a\xaf\xe6\x78\x4e\xe5\x0c\xa0\x63\x41\xa0\x1b\x3f\xe4\x49\xf8\xfa\xc4\xd6\x1f\xc5\x7a\x81\xb5\xe1\xbb\x9d\x8d\xd5\xb7\x2d\x1f\x7f\x6d\xef\xc5\x36\x05\xcf\x95\x1f\xc6\x87\x84\xa1\xbb\x5a\x5a\xff\xb5\xa2\x0d\xd8\xc6\x4d\x9d\x5e\x7d\x68\xe8\x9f\x48\x96\xf0\xa5\x0b\xe4\x7d\x9d\x61\x0d\x02\x2f\x14\x97\x14\x80\x49\x98\x9a\x7b\x7e\xa6\x86\xaf\x0a\x6a\xde\xa7\x00\x81\xac\x0b\x4f\xaf\xed\x16\x14\x12\x9a\xe4\x1d\xec\x8b\xa2\x02\xc1\x9f\xe3\x15\x1a\xb7\x4d\x7b\x20\x51\xad\xb0\xc8\xed\xf3\x10\xcb\x88\x65\x0e\xc7\x74\x9b\xde\x4e\xaa\xb1\x51\x7b\x98\x8c\xd7\x18\x19\xab\x09\x74\x20\xc0\xeb\x23\x86\x52\xbf\x48\xcd\x2b\x1f\x50\x0e\x05\x74\xac\x4a\x7d\x2f\x54\xa8\xf0\x15\xae\xb2\x18\x8f\xc9\xaa\x13\x0b\x3e\x1e\xe5\x48\xf6\xca\x8f\x2a\x4c\x3b\xcf\xd9\xe4\x56\xee\x03\x4a\x04\xac\x28\xed\xbc\xbc\x9d\x55\xcc\x3a\xce\x6a\xe9\x26\x0e\x9b\xe2\x2f\xd0\x47\x7e\xbd\xc5\x8c\xea\x74\xc5\x73\x92\x1c\x08\xa9\x6c\xa3\x97\x9a\x94\x8c\x16\x11\x5b\x86\xba\xe4\x0b\x72\x7b\x4d\x01\x95\x0a\xd2\x6c\x2f\xd4\xc7\x73\x16\x35\x04\xe5\x5a\x63\x08\x55\x33\x79\x9f\x81\xaa\x9e\x99\x25\x6d\x11\x3a\x4c\xb8\x98\x13\xf6\x21\x0a\x4b\xc9\x69\x20\x88\x47\x8d\x0d\xe7\x55\xb7\x40\xa6\xdc\x1e\x4b\x34\x6f\xa3\x3b\x30\xa2\x67\x63\x3d\x3b\x70\x92\x3f\xab\x75\x19\x72\xa9\xb5\x3f\xd5\x28\x15\xf3\x90\x37\xb5\x3c\xb4\x69\x70\xd8\xe5\x03\xc4\x5b\x5f\x7f\x18\x6a\x25\x4b\x38\x89\x9f\xb7\x75\x1b\x21\x76\xc9\xe9\x40\x93\xc1\xfe\x7a\xab\xba\xe2\xd3\x1a\xaa\x79\xa0\x76\xa6\x70\xb2\x4e\xaa\xad\xfb\x8f\xf6\x9c\x80\xdc\x09\x8d\x95\x14\x72\x9b\x60\x52\x62\x2e\x13\x08\x0a\x09\xff\x94\x97\x3c\x24\xe4\x30\x60\x6a\x7a\x3b\x03\x43\x4d\x5b\xbb\xd3\x95\xeb\x14\x7e\xdd\x99\x9e\xc8\xe3\x8d\x0d\x98\xf4\x56\x80\x9b\x9f\xdc\xf7\x42\x30\xd6\x1e\xce\x5c\x18\xdb\x04\x04\x2d\x1a\x90\xf0\x1f\x24\x15\x28\xd9\x7d\x38\x32\xcf\xc6\x20\xe5\x97\x36\xfb\x11\xb8\x31\x36\x8d\x45\x9a\x3e\x26\x34\xa1\xdf\xda\xe8\xad\x9b\x34\x2c\x5d\x70\xae\x32\xfe\xf3\xfc\x64\x0e\xe1\x28\x81\x38\xda\x4e\x7a\xef\x89\xe3\x24\x2e\x3c\x4b\x53\x4d\xf9\x04\x92\x8d\xc4\x21\x9f\x74\xe9\xab\x62\xaa\xe9\x59\xc4\x2c\x9f\x4b\xc3\xa7\x1b\xa8\x3c\x9c\x90\x2a\x1d\xe6\x0e\x6e\x51\xe4\x99\x65\x55\xaf\xf5\x98\x9e\x35\xa2\x86\xf4\xa1\x03\x0f\x85\x8e\xdf\xc5\x02\x0e\xe4\x28\x0e\x72\x54\xeb\x4c\x2d\xe6\x3b\xd7\x3d\x6f\x2b\xe7\x98\x4d\x27\xc7\xfa\x17\xea\x39\x86\x0e\xeb\x82\x5b\x91\x2b\xa2\x97\xea\x17\x8d\xa5\x26\x62\xc7\x92\x2c\x52\x96\xfd\xac\x90\x31\xa1\x99\x82\x64\xbf\x07\x1a\x03\x74\x1a\x4b\xfb\xe9\xab\x43\x45\xf8\x2c\x0a\x67\x5c\x93\x6f\x5b\xd6\x8a\xa3\xd5\x62\x1a\xba\x90\x03\xdb\xcd\xdf\x81\x99\x66\xf1\x27\x26\x93\x09\x47\x3a\xd1\x46\x24\xbb\xff\x49\xf9\x52\xcb\x1a\x41\x30\x80\x18\xe9\xb3\xb4\xc4\x64\x64\xff\x4a\x3a\x49\xfc\xaa\x7e\xfe\xc8\xf8\xa4\xec\xe2\x95\xf1\xab\x79\xa0\xd0\x91\x1b\x3e\xa7\xa1\xf7\xf8\x25\x22\x19\x3e\xee\x1b\x17\x1e\x82\x7d\xf2\x3b\x40\xfd\x76\x5d\x99\x87\x10\x54\xdc\x08\xa7\x05\x32\xbf\xfa\x45\xc5\x08\xdb\x35\x90\x65\x04\xfb\xb1\xee\x48\x8c\xd9\x82\xe3\x3e\x0d\x88\x31\x37\x00\x2a\x44\xe8\xb0\x22\x37\x12\x7b\x07\x22\x00\xad\x96\x7f\xd3\x7d\x28\x8d\x32\xf5\x59\x9b\x39\x9d\x76\xdb\xa3\x6d\xfb\x67\x6b\xa4\x5c\xfe\x79\x3e\xd8\x42\x50\xf3\x1d\xd9\xc0\x10\x5d\x02\xe8\x8d\xd6\xb3\x56\x01\xc5\x01\xf0\x32\x67\x20\x54\x6a\x22\xde\x47\x36\x3b\x87\x69\x9f\xb4\xa1\xc0\x8b\xf1\x5f\x24\x4a\x6d\x3d\xdd\xef\x77\x06\xd3\x9e\xf0\x13\xf9\x55\xf0\x12\xb1\xd8\x18\x5a\x00\x4a\xcf\x8c\x33\x90\x04\xf1\xbe\x62\x8f\xa4\x01\x4b\xe2\x95\xa6\x67\x67\x04\xa7\xf0\x99\x7f\x22\x5f\x11\x56\x36\x8e\x06\x42\x88\x9b\xe3\x06\xf3\x39\xf7\xcd\xfb\x04\x40\xb2\xb9\x9d\x99\x88\x5c\x36\x35\x63\xdc\x58\xee\x4e\x14\xb2\x26\xfd\x90\xe4\x1e\x18\xb0\xbd\xb8\xd1\xfb\x37\xe0\xf9\x19\x13\xf0\x3d\xa2\x22\xc9\x8d\xf6\x47\x83\xab\x64\x86\xd0\x31\x19\xbc\xa2\x08\x0b\xef\x6a\x46\x73\xa9\x21\x68\xf1\x78\xce\xd4\xd7\x30\x3d\x0e\x58\x0a\xfe\x16\x32\x1e\xef\x24\x6b\x34\xa9\x21\x94\xc2\x46\x5b\x05\x7f\x3b\x63\xf6\x72\xd1\xdc\xfc\x11\x08\xc6\x91\xbf\xf9\x23\x63\xed\x8f\xa7\x24\x58\x29\x7e\xac\xd4\xb9\x12\x34\x9a\x46\x31\x95\xa6\x18\x6a\x0a\x48\x99\x70\x0d\xfa\x45\x85\x84\xb1\xbd\xb3\x43\xa9\x88\xc4\x35\x7a\x4d\x86\xff\xbc\x45\x0d\x4b\x90\x58\xa0\xc0\xc8\x91\x24\x8d\x6c\x71\x7e\x0e\xce\x95\x36\x92\x7c\xce\x4d\xfa\x71\xca\x13\x42\x70\xa9\x89\x19\x09\x2f\xf7\x67\x66\x1c\xf6\x57\xf9\x43\x2c\xc9\x09\x73\x6d\xea\x51\x13\x7e\x32\x27\xc0\xad\xba\x93\x90\x56\x80\x27\x11\x24\x35\x04\xd3\xe1\xff\x31\x3a\x23\x5d\x17\x46\xd2\x4c\xbf\x18\xf8\x3e\xad\xec\x6b\x03\x82\x39\x15\x40\xed\x24\x6b\xa8\xf9\x4f\x62\x1a\xf8\xb2\xa3\x66\xa7\x0d\xf1\x4e\xeb\xa4\xa6\xc2\x46\xb2\x2a\xab\xc2\x98\xd5\x1c\xb2\x89\x2f\x3d\x45\xfd\x57\x27\x21\x00\x38\xb6\xe8\xd1\x95\x02\x9e\x8a\x34\x54\xbc\xac\x1e\x16\x3c\xfb\x38\x71\xc1\x81\xfd\xc0\x69\x9e\x72\x2b\x77\x1f\xf5\x55\x20\xe8\x9f\x69\x48\x5f\xa8\xf4\x30\xfe\x2a\xc3\xb0\x0d\x4c\xe8\x88\x73\x25\x42\x4e\x9e\x5d\xd6\x40\x1f\x69\x9a\x37\x42\x01\x43\x1f\x39\x52\x0a\x8a\xfa\x32\x93\xdf\x4a\x41\x83\x73\x55\xfa\x00\xde\x61\x34\x1c\x98\x3e\x10\x7e\x28\x32\xa2\x31\x8f\x22\x10\xc5\x10\x2d\x62\xe0\xd7\xde\xe8\x47\x2b\x26\xeb\x4b\x89\x81\x99\xef\x5f\x2a\x70\xa3\x67\xd4\x03\x0b\x87\x66\x61\x73\xc5\x26\x31\x54\xbd\xfd\x5e\xd5\x72\xf9\x90\xbf\xce\xae\x68\x31\x42\x71\x80\x68\x21\x5c\xe2\x77\xab\x36\xe6\xde\xdd\xac\x97\x48\x62\xc0\x8a\x49\xb0\x86\xaf\x6c\x2a\xe5\xb4\xb9\x10\x6e\x0a\x8e\xf7\xe8\x27\xad\xca\x80\xfd\x66\x22\xb1\x34\x2a\x26\x61\x61\xbc\x5f\xd5\x78\xbd\x2e\x0d\x6e\x1f\xd8\x99\x9f\x57\xb5\x0a\xff\xba\x43\xc5\xc7\x57\xaa\x6c\xf9\xd4\x57\x3b\xe6\x5c\x06\x53\x3a\xd1\xf4\x97\x1a\x4f\x74\x4c\x4b\xee\x98\x48\x25\x09\x79\x5e\xdc\x82\x3c\x54\x8f\x10\x04\xf8\xc9\xa0\xf2\x3a\x03\x97\x83\x81\xce\x02\xab\xed\x8c\x34\x99\xf9\x08\x2c\x71\xc3\x89\x08\x84\xd2\xde\x99\x5f\x24\x45\x8e\x62\xa9\x69\xd8\x6b\x8a\x92\x20\xf4\xfe\xaf\x7f\xc1\xfa\x8a\x0e\x8e\x42\xce\xd7\x62\xd4\x7b\x52\xb0\x7b\x50\x4b\x43\xd1\x1f\x40\x25\xac\x1b\x30\x6e\x3a\x1d\x0b\x83\xd4\xff\x75\xa6\x46\xb3\xb3\x4f\x8c\x1a\x16\xdb\xce\xc0\xbc\xe8\x97\x55\xf8\xa0\x7a\xca\x9c\x27\x26\x2d\x8b\x01\x57\xf6\x37\xd4\x92\x03\xde\x1c\xfc\xb2\x30\x36\x41\x3e\x8d\x0b\xe6\x53\xc3\xa4\x26\xc2\x86\x50\xa7\xd2\xcd\x7e\xe2\x28\x99\xc1\xd0\xf8\xfb\x37\x68\xc8\x0d\x14\x16\x77\xe0\x72\x0a\x8e\xf6\x73\x98\xee\xbf\xad\x8f\x71\x50\xde\x0b\x99\xda\x75\x26\xee\xd6\xa3\x47\xd1\xc0\xfd\xdd\x06\x72\x30\x58\xa4\x9e\x58\x45\xc8\x17\x21\xcd\xca\xa8\x24\x39\xb1\x16\x83\xc5\xb6\xfd\x1a\x8c\x82\xc0\x75\xf0\x77\x73\xb2\x34\xd1\xf8\x1d\x9f\x0c\x80\xd6\x48\x2c\xd2\x1f\x34\xe5\xcf\x71\x58\xf6\x08\xd4\xca\xdf\xc1\x57\x9f\x1b\x68\x64\x5e\x1e\x50\x15\x69\x4e\xa8\x42\x07\xfa\x41\xa4\x30\x6b\xb6\x1a\x64\x87\x76\xb5\xa7\x14\x03\x62\x18\x24\x86\xc0\xf3\x5b\x19\x83\xcf\xdb\xa1\xd7\xc7\x58\x4e\x4c\x50\x97\xff\xb9\x8d\x12\xd3\xd0\xea\xa1\x69\xb3\x7a\xd8\xc7\x46\xd8\xb6\x96\xa7\x07\xe4\x5a\x3f\xf0\xf6\xb0\xc9\x31\x8d\x71\x29\xb6\xa4\x6c\x9f\x86\xde\x6e\xab\x4c\x89\xc3\x5b\x18\x5b\xc6\xc6\x93\x46\x4a\x27\x87\x81\x7b\xc3\xcd\xd8\xfe\x8c\xc6\xbc\x3d\x6f\xae\x79\x19\x8f\x87\xc7\x13\xe2\x11\xa0\xc5\x18\x75\x23\xea\x19\x4c\x08\xf9\x65\x7a\x38\xdc\xae\xb1\xeb\x73\x46\x17\xd5\x9b\xf6\xf8\xa1\xeb\x9d\x5f\xdc\x15\x5c\x96\x5a\x94\xc1\x08\xe6\xc0\x8b\x3b\x12\xee\x2b\x6e\xb3\xff\x0f\x08\xa6\xbc\x61\x17\x51\x39\xa6\x45\xfd\xf3\xb5\x1d\x4b\x70\xf8\x69\xc4\x29\xf9\x62\x2b\x78\x1a\x61\xff\x00\x53\x98\x4c\xdc\x94\xd0\x6e\x2e\xde\x17\x2a\xa8\x93\xdf\x4f\xb9\x13\xc7\x30\x79\xd1\xd6\xdb\xb0\x0a\x3e\x60\x7a\xc7\x2a\x58\x82\x00\x8d\x62\x60\x55\x32\x4b\xf3\xda\xc6\x6b\x41\x38\x94\x8b\xc7\x2a\x7d\x6d\x59\x9f\x5d\x37\xa2\x99\x9d\x7f\x5b\x79\xb6\x8e\x6b\xaa\x47\xeb\x94\xa6\x23\x40\x6d\x35\xd2\xcc\xbc\x2e\x05\x1e\x9d\xbf\xb5\x74\x8e\x62\xf5\x1d\xec\xff\x7d\x9b\x90\x1a\xc2\x70\x1b\x9e\x86\xa8\x17\xec\x00\x43\x64\x23\x4c\xf0\x76\xc4\xec\x62\xd5\x0d\x6f\x60\x85\xff\x37\x88\xeb\x10\xe2\x55\x4f\x36\x74\xfd\x61\x80\xb6\xf4\x34\x84\x04\x14\xc8\xcb\x15\x37\x38\x9c\xbf\x95\xe5\xa4\x15\x26\xbc\xf4\xde\x48\xab\xba\xc8\xec\xd1\x37\xf1\x0d\x4e\xd8\x99\x5b\x35\xa9\x91\xa9\x90\x17\x95\xe9\x50\x5d\xe0\xe2\xbb\x96\x72\x75\x1a\xc4\xe9\xd6\x52\x5c\x69\x48\xf8\x92\xff\xbf\x7d\x12\x58\x28\xb9\x4e\xe5\xa9\x24\x47\xe6\x77\xce\xd8\xa6\x81\xa2\xf3\x6e\xa6\xaa\x9f\x38\xba\x6f\x46\x24\xb0\x35\xbf\x3b\x87\x04\x95\x07\x37\x47\xa0\xef\xb7\x4e\x92\x71\x88\xa7\xba\x16\x4a\xa1\x31\xf9\x45\x16\xd4\x8b\x5b\x57\x38\xb2\x62\x94\x0b\xc6\x85\x22\xa0\xd1\x4e\xba\xab\x16\x74\x48\xfd\xf9\xd8\xd1\xbf\xce\x14\x4f\x8c\x6d\xae\x28\xaa\x55\x8d\x57\xc5\x34\x10\xcb\x23\x5d\x7c\x76\xdf\x41\x53\x31\xd0\xc7\x0d\xaf\x43\x0e\x1d\x7d\x76\x79\x5a\x8f\xc4\x3f\x1b\x6d\x47\xa9\xf5\xef\x1a\x9d\x4d\xbb\xe9\x0b\x61\x09\xa9\x52\x16\x2e\x2a\x97\x59\x6f\x0a\x61\xab\x94\x72\xf1\x96\x01\x75\x39\x3d\x5f\x2c\x94\xe2\xee\xfd\xa7\x23\xaa\xc8\xc8\xe0\x94\xc3\xae\x8c\x17\xd5\x33\xb5\x1b\xc9\x06\xef\xcb\xe8\xbf\x61\xc8\x61\x66\x9d\xca\xe4\xb7\xa9\x67\x9e\xd5\x62\x73\x3c\x7a\xe9\x7c\x61\x8f\x30\xd5\x75\x76\xab\x3b\x1f\xe2\xda\x72\xef\x43\xf4\xd4\xaa\xad\x88\x13\x69\x6a\xd4\x85\x20\xc1\x1d\x0b\x02\x7c\x81\xed\x84\xc0\x7e\x8b\x1a\x12\x2f\x5d\x15\x08\x70\x2e\xd8\x31\x33\xb2\x7f\x44\x50\x76\x9a\x30\x08\x5e\x37\x2b\x99\x4b\x68\x82\x67\xa3\xae\xf2\x8c\xf9\xe9\xa0\x8b\xae\x19\xb4\xb7\x95\x48\x2a\xff\x78\x0b\x25\x2b\xf8\xa3\xef\x4f\x5c\x9f\x20\xae\xbe\xa6\x8e\x3c\x28\xa9\xd7\xc9\xe5\x9a\x95\xe9\x83\xa1\xd4\x96\xda\xeb\x63\xa8\x26\x8b\x73\x76\xe3\x94\x2a\xb2\x12\x66\xee\x37\x4e\x3b\x01\x60\x72\x28\xb2\x75\x09\xe3\xad\x89\xe8\x1d\xf4\xef\xd2\x43\x85\xdf\x15\xa9\x67\xe5\x30\xcc\x4c\xdc\x8d\xbd\x21\xe4\xf1\x1e\xc8\xc8\x7a\xc9\xc5\x4a\x5d\xda\x96\xc8\xd3\x6e\x9b\xd0\x06\xc4\xc5\x49\x19\xd6\xbc\x56\xb0\xc8\x2b\x5c\xcf\xb8\x29\xcf\xa9\xb9\x89\x68\x86\xfd\x78\x3e\x2a\x76\xee\x65\x57\x06\x6b\xd7\xf3\x01\xe6\xff\x17\x27\xf5\xc3\x0f\x98\xee\xc0\x52\xd2\x36\xda\xc5\xf5\x71\xf1\xea\x9a\xc2\x15\xd2\x2f\x9b\xc3\xc1\x05\x27\x50\xb6\x89\x18\x81\xf4\x5c\xf3\x27\x5d\xee\xb0\xe4\xc0\x59\x2a\x80\xb7\xf5\x41\x41\x61\x55\xc3\xc7\xf3\xfc\x2f\xab\x83\x2e\x09\x16\x9b\x08\xc8\x41\x14\xf9\xce\xe8\xcf\x33\xad\x18\x45\xd9\x9f\x3d\x54\x28\x7e\xaf\x9f\x1b\x96\x41\x2f\x36\xa9\xd7\x0a\x57\xec\x7e\x4b\x11\x21\x19\x40\xa2\xf8\x4e\xe1\x80\x38\xfe\x2f\xdb\xb0\x99\x8b\xf1\x49\x4d\xd1\x38\x28\x5c\x3c\x76\xdd\x95\x2b\xab\x27\xa2\x5d\x38\xca\x58\x74\x12\x0e\x77\x8b\x31\x72\x8b\x9b\x91\x6e\x04\xee\x0a\x46\x8c\x7f\x2f\xff\x5a\xb0\xfd\xb8\xb7\x1a\x71\xd6\x58\x4a\x7d\x3c\x74\xe1\x3e\xcf\x94\xbd\xc4\xe2\x41\xa3\x4b\x8d\xa5\xcd\xcb\xf9\xb2\x81\xc0\xe7\xa9\x1f\x75\x3d\xba\xca\xa8\x50\x3e\x95\x2f\x1e\xbc\xf7\xe5\x9d\xcd\x3a\xf2\xba\xff\xe6\x51\x66\xed\x82\xd1\x02\x03\xf2\x6e\xd2\x21\x33\x16\x75\x71\x24\x74\x35\xef\xbd\x98\xa0\x6a\xbb\xe9\x6f\x6f\xe9\x96\x94\x05\x0f\xf8\x1f\xd0\x90\x41\x4b\xc9\xde\x21\x0e\x03\xf7\x9f\x80\x79\xef\x40\x40\xd1\x89\xbf\x03\x2a\x99\x7f\x43\x8e\x13\xb5\xd2\x46\x9e\x09\x69\x00\xe2\xb9\x86\x09\x9f\xe8\x75\xaf\x6e\x26\x0c\x37\xbe\x4c\xaa\x08\x9a\x94\x0a\xc0\x7e\x58\x49\xeb\xc0\x27\xbc\xf2\x89\xf6\x15\xf3\x73\x13\x05\x8f\x61\x35\xaf\x25\xf8\x25\xfc\x5f\x28\xce\x77\xa7\xf7\x31\x50\xd0\x06\xa0\x70\x31\x0f\x9c\xf2\x1f\xc5\x20\x7b\xc4\x00\xa6\x69\xd1\xeb\x66\x10\xfd\x12\x67\x8c\x1d\x23\xa7\x84\x34\xaf\x46\xbf\x7f\x25\xd8\x58\xf5\x6e\xc4\x19\x98\xd4\xb1\x7a\x96\x46\x14\xf2\xb5\xdd\xef\x2f\x10\x23\x15\x35\x53\xc8\x35\xcb\x7b\x82\x4a\x53\x11\xae\x38\xd6\xf2\x40\xf4\x1f\x45\x33\x00\x0e\x9b\xde\xd8\x22\x47\xb9\x04\x43\xe4\xed\x02\xdc\xad\xab\x7d\x6c\xe1\xf4\x32\xfe\x1a\x37\x2c\xb8\x13\xc3\x1a\xd1\x3e\xd8\xdc\x8e\xe1\x5b\xc6\xfe\x29\xf9\xa1\xbc\x5b\xaf\xcf\xf4\x40\x56\xac\xbc\xbc\x7e\xff\xfe\xac\x32\xc5\x10\x5d\x43\x50\x7d\x9c\xf2\xf5\x42\x9c\xa7\x18\x97\xc1\x6b\xe9\x71\x96\xb6\xda\x7d\x69\x19\x9b\x09\xfc\x36\xad\xd0\x7b\x0e\x18\x9a\xca\xc5\x23\x66\xd1\x10\x44\x22\xf3\x96\x4c\xd5\xc8\x14\x92\xb2\x55\x0a\x7f\x7f\x17\xa6\xe3\x8f\xf9\xbc\xf3\xe9\x72\x55\x52\x97\xf1\x97\x21\x52\x93\xe0\xdd\x78\x8f\x0d\x8a\x1f\x76\x52\x4c\xf5\x4c\x72\xc0\x3e\xba\x64\x92\xf9\x3b\x43\x68\x99\x9b\xb3\x07\xcd\xa5\x7b\xbb\x03\x9a\xf5\xe0\x31\x9c\x27\x62\x5c\x85\x89\x44\xa2\xa7\xc5\x56\xf0\x90\x61\x24\xc6\x1c\xb7\x38\x5d\x1f\x65\x1d\x8c\x5f\xee\x23\x81\xcc\x17\x51\x9d\x20\x60\x80\x99\xd6\xce\x7e\xdf\x9b\xa8\xfd\x02\x49\x26\x30\xf8\x6e\xc6\xe7\xa6\x81\xf8\xe0\x29\x20\x95\x01\x28\xdf\xef\x59\x81\x4a\x29\x21\x37\xaa\x1a\xe7\xee\x2b\x25\x0a\x87\xda\x9d\xfb\x01\x31\x20\x5f\x96\xe6\x12\xd1\x17\x8d\xff\xd4\xf9\xf5\xad\xf3\xb6\x82\x70\xc4\x8c\xb4\x67\x72\x00\xca\xee\x70\x9f\xa3\x73\x3c\x17\xa9\xa3\xa7\x1a\x36\x41\x88\xec\x12\x17\x9a\x1a\x22\x86\x4b\xba\xc0\x09\x72\xe1\x9e\x35\xce\x6e\xe8\x4a\x6d\xf1\xdc\x95\xc5\x5b\xda\xf3\x7c\xe0\x3f\xcc\xf1\xf0\x9e\xdb\xe7\xce\x23\x1b\x06\x46\x47\xae\xc7\x4c\xd0\xe4\x5a\x22\x4d\xd4\x21\xe6\xa9\x47\x19\x98\xa0\xd4\x71\x70\x0c\xd4\x7a\x61\xfd\xc7\x28\x65\x18\xfa\x88\x9f\xf8\x07\x7c\x39\x50\xab\x0e\x72\x4a\xc8\x7d\xdb\x80\x43\xe6\x9c\x6d\x71\xd2\xc0\xb6\x07\xe4\x27\x6f\x19\xec\xc0\x23\x63\x34\x89\x5d\xc5\xb5\xa6\x6b\x32\x3c\xfb\xb7\x66\xd5\xdc\x1c\x3c\x30\x1c\x0e\xbe\x2b\x47\x17\x5b\xf0\x19\x2f\x3e\x2c\xc0\x25\x0c\xcb\x80\x7c\x0d\x46\x6b\x8b\x0a\x85\x28\x01\xbc\xf1\x2c\x27\x0e\x2a\xcf\xee\x34\xc7\xcd\x17\x6e\xf9\xb3\x8b\x3d\x59\x5c\x00\x89\x80\xf4\x56\x5d\x02\x02\x3c\x40\x73\x20\x83\xff\x6e\x9d\x70\x0d\x58\x23\x27\xe0\x64\xab\x33\x56\x11\x0c\xf3\x50\x7a\x43\xa0\x53\x8f\x30\xda\x27\x4c\xf0\x45\x6a\x6e\x8f\x98\x47\xa2\x39\xe7\x2b\x99\x62\x1c\xde\x34\xe1\xb6\x02\x63\xd3\xae\x53\xe2\xfd\x10\xd1\xb3\xef\x75\x44\x26\xee\xf7\x1b\xc1\xf7\x0f\xb2\xfb\x34\x21\xc4\x24\x9b\xad\xb3\xc1\x95\x92\x55\xd8\xa4\x0f\x66\xe1\x90\x64\xc4\xee\x01\x18\x50\x0d\x78\x05\x9c\x52\x86\xff\x7a\xa3\xb8\x3e\xc9\x0b\x7f\x6a\x06\xc9\xf2\x06\x76\x8e\xc3\xdc\xac\x63\x05\xc5\x8d\x10\x5c\xa2\xee\xe5\x32\xbe\x2f\xfb\x02\x13\xb3\x11\x3a\x97\x58\xe6\x81\xc8\x91\x01\xd9\xfb\x08\xbb\x4c\x63\x41\xf4\x66\x19\xaa\x56\xb5\x77\x79\xf7\xb9\x2a\x10\x17\x5e\x4e\xff\xa4\xd6\x11\x96\x67\x69\x94\x2a\x05\x97\x70\x7c\x64\x21\x36\x64\x9a\xbb\xb3\x5d\xd2\xc8\xf8\x34\x70\xfc\xb9\x58\xc4\x3f\xd6\x3e\x0d\x2c\x17\xcf\x1f\xf0\x07\x5c\xc4\x61\xd8\x30\x42\x9a\x3e\x08\xe4\x71\xce\x12\x7e\xcc\xc3\x27\x56\xec\xb3\x00\xcd\x86\xd0\x09\xbc\x96\xda\xc0\x15\xc7\xb6\x29\xde\xc2\x79\xa4\xa4\x50\xed\x24\x22\xc2\x3c\x6b\x31\x1e\x66\x3a\x0a\x90\xe1\xaa\x20\x4e\xbd\x0b\xbc\x71\x03\xe3\x18\x79\xb0\x4a\x47\x74\x58\x8e\xd8\x65\xb8\xa5\x51\x01\x7d\x4e\x85\xe7\x30\xb2\x00\xda\xfd\x7f\x4b\x5e\x7e\xb4\x8f\x35\xa7\x33\x4d\xcb\x74\x43\xc0\xe8\xa3\x4c\x38\x13\x0b\x53\x4a\x3c\x2e\xc7\x5d\x36\x89\x7e\x3a\xb9\x6b\xfa\xa4\x0a\x99\x05\x44\x73\x5e\x35\x97\xcf\xa6\xad\xa2\x45\x53\x14\xa7\x21\xe5\x33\x34\xc8\x4c\x73\x62\x45\xfb\x2d\x4d\x98\x63\x10\x35\x73\x4c\x0d\x69\x2b\xb6\x95\xbc\x5d\xc7\xff\xf6\x8e\x71\xe6\xc6\x72\x1b\x01\xa2\x83\xa7\x98\x4b\x55\xa8\x8b\x3e\x73\x0c\xee\x64\xb9\xe9\xe6\x34\x3e\xa3\xc1\x8f\x42\x7c\x01\x84\xcb\x44\x90\x46\x89\x01\xe8\xac\x07\xe8\x8a\x0e\x68\xf2\x8c\x1d\xb6\x40\x6d\x09\x85\x3b\xd3\xe0\x97\xda\x56\xc1\xff\x58\x1e\x93\x2d\xfa\xb3\xfd\x2a\x76\xe9\x1a\xc6\x5c\x5c\x51\x27\x73\x06\x0b\xa4\xcc\x3e\xea\x4c\x6b\xa4\x56\x76\x51\x78\xb8\xad\xbc\x75\x14\xb0\xc9\xab\x48\x62\x1b\xbd\x0d\x31\x47\x1d\x15\x67\x9e\xcf\xa9\x94\x46\x32\x53\x90\x6e\x60\xee\x8d\xb9\xe8\xab\x1f\xa1\x35\x97\x62\xc0\x2d\x61\xca\x4e\xf8\x6e\xd5\x91\x62\x60\x0d\xce\x33\x62\x2e\x6e\x88\x16\xee\x18\x6b\x00\xa3\x06\x22\x08\x9e\x90\x39\xfb\xc1\x97\xc5\xd1\x90\x67\xaa\xcb\xdf\xd4\x37\x6c\x75\x3f\x66\xf0\xb2\xa6\x95\x89\x90\xcc\x8d\x81\x6e\x3e\xae\x6b\x94\xa6\x5b\xfa\x17\x36\xed\x98\x7a\x9d\xab\x75\xb5\x41\x72\xb3\xc9\xd9\xba\xae\x4c\xf2\x29\x75\x39\xd0\xfc\x7f\x72\x4b\x59\x96\x4b\x6b\x50\x4c\x52\x28\x64\xae\x30\x47\xf2\x61\x44\xfc\xdf\x29\xee\x2d\xa8\xb0\xde\x86\xc7\x35\x2b\x20\x54\xd0\xa5\xd5\xa4\x97\x8a\x25\x60\xd9\x80\xee\x75\x1d\x28\xc4\xc7\x50\x0a\x7e\x46\xc6\x97\x85\x14\xf0\x3c\xf8\xdf\x75\x5e\xba\xbd\x3a\x89\xaf\x41\xfa\x67\x34\xdd\x6d\xf5\x75\x6f\xc1\x13\x0d\xcc\xe4\x44\x0f\x57\xb0\x04\x87\xa2\xef\x7c\xe7\x06\x87\x55\x3b\xfd\x1d\xce\xcb\x0c\x25\xbc\x1c\xb4\x21\xb0\x0b\x19\x12\x18\xec\x1d\x63\x45\x5c\xc8\x58\xda\x4f\x66\x97\x99\xca\x4d\x39\xfc\xa4\x1a\xa1\x58\x90\x68\xdb\xbb\x2e\x3c\xf9\x11\x1a\x5b\x02\xc7\xf9\xcf\xaa\x1b\x04\x62\xd4\x5b\x9c\xa1\xa7\xd3\xdf\xc5\xad\x5c\x15\x2c\xf8\xa4\x89\x2e\x9f\xde\xf9\x9f\xa8\xa4\x9d\x02\x7f\xb6\xd1\x63\xc6\x08\x37\x0f\x9d\x22\x98\x98\xee\xc2\x72\xd8\x8c\xb0\xc9\xf3\xcf\x80\x6b\xf8\xcb\xf4\x37\xd4\xca\xd3\xab\xd2\xa9\x4d\x53\xb3\x26\xb3\x00\xd9\xeb\x01\xd2\x00\x35\xb4\x19\x5b\x05\xa7\xcf\x75\xd7\xe3\xaf\xf4\x27\x74\xd2\x03\xc8\xc9\xe3\xe9\x2f\xc8\x98\xb0\xff\x50\x81\xbc\x7b\x2e\xbb\xfc\x48\xad\x18\x03\x01\x00\x00\xff\xff\x8b\xe0\xeb\xc3", 4112); syz_mount_image(/*fs=*/0x200000016bc0, /*dir=*/0x200000016c00, /*flags=MS_SLAVE|MS_REMOUNT|MS_NOEXEC|MS_NODIRATIME*/0x80828, /*opts=*/0x200000016c40, /*chdir=*/0, /*size=*/0x1010, /*img=*/0x200000016cc0); break; case 57: memcpy((void*)0x200000017d00, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000017d00, /*id=*/9, /*flags=__O_TMPFILE|O_NOCTTY|O_EXCL|O_DIRECT|O_CLOEXEC|0x400*/0x484580); break; case 58: res = syscall(__NR_getpgid, /*pid=*/r[16]); if (res != -1) r[42] = res; break; case 59: memcpy((void*)0x200000017d40, "net/if_inet6\000", 13); syz_open_procfs(/*pid=*/r[42], /*file=*/0x200000017d40); break; case 60: syz_open_pts(/*fd=*/r[33], /*flags=O_PATH|O_NONBLOCK|O_LARGEFILE*/0x208800); break; case 61: syz_pidfd_open(/*pid=*/r[19], /*flags=*/0); break; case 62: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[43] = res; break; case 63: syz_pkey_set(/*key=*/r[43], /*val=PKEY_DISABLE_ACCESS*/1); break; case 64: memcpy((void*)0x200000017d80, "\x78\x9c\x00\x93\x00\x6c\xff\xa4\x51\x5c\x20\x6d\xec\x63\x25\x4e\xaf\x44\xc2\x33\xe0\x2f\x98\x97\x92\x6a\x17\x55\xe9\x12\xa6\x87\xbb\x89\xb1\xfa\xa0\x5f\xf9\x0f\xf6\x40\x2b\xc5\xe9\x75\x6f\x02\x03\x9a\xe3\xb9\x2c\xdc\xbc\x20\x3e\xfb\x43\x79\x97\x11\x96\x1f\x15\xf1\xa9\x29\x78\x2c\xb9\x86\xa7\x76\xe7\xb0\xfe\x60\x61\xbd\x20\x65\xdc\xa6\x1f\x00\xc5\x5b\xc5\x43\x7b\x98\x0f\xfc\x36\x79\x9e\x29\x87\x3d\xb9\x38\x2c\xdb\x1c\x64\x53\x5e\x09\xdb\x7a\xcd\xc3\x61\xf2\x2f\xd3\xb1\xd5\x64\x09\x9d\x55\xe5\xeb\xb0\x07\x85\x92\xcd\x5e\x96\xc5\xdf\xe6\x1b\x08\x36\x81\x36\x77\xf3\xce\xd9\x1b\x16\x07\xe4\x38\x9b\x94\x8b\x98\x40\x01\x00\x00\xff\xff\xda\x37\x48\x83", 163); syz_read_part_table(/*size=*/0xa3, /*img=*/0x200000017d80); break; case 65: syz_socket_connect_nvme_tcp(); break; case 66: *(uint8_t*)0x200000017e40 = 0x12; *(uint8_t*)0x200000017e41 = 1; *(uint16_t*)0x200000017e42 = 0x200; *(uint8_t*)0x200000017e44 = 0x8d; *(uint8_t*)0x200000017e45 = 0xd8; *(uint8_t*)0x200000017e46 = 0x82; *(uint8_t*)0x200000017e47 = 0x10; *(uint16_t*)0x200000017e48 = 0x1bbb; *(uint16_t*)0x200000017e4a = 0x203; *(uint16_t*)0x200000017e4c = 0xa779; *(uint8_t*)0x200000017e4e = 1; *(uint8_t*)0x200000017e4f = 2; *(uint8_t*)0x200000017e50 = 3; *(uint8_t*)0x200000017e51 = 1; *(uint8_t*)0x200000017e52 = 9; *(uint8_t*)0x200000017e53 = 2; *(uint16_t*)0x200000017e54 = 0x733; *(uint8_t*)0x200000017e56 = 3; *(uint8_t*)0x200000017e57 = 0xb; *(uint8_t*)0x200000017e58 = 1; *(uint8_t*)0x200000017e59 = 0x80; *(uint8_t*)0x200000017e5a = 1; *(uint8_t*)0x200000017e5b = 9; *(uint8_t*)0x200000017e5c = 4; *(uint8_t*)0x200000017e5d = 2; *(uint8_t*)0x200000017e5e = 5; *(uint8_t*)0x200000017e5f = 0; *(uint8_t*)0x200000017e60 = 0xf; *(uint8_t*)0x200000017e61 = 0xcd; *(uint8_t*)0x200000017e62 = 0x1f; *(uint8_t*)0x200000017e63 = 0xf3; *(uint8_t*)0x200000017e64 = 6; *(uint8_t*)0x200000017e65 = 0x24; *(uint8_t*)0x200000017e66 = 6; *(uint8_t*)0x200000017e67 = 0; *(uint8_t*)0x200000017e68 = 1; memset((void*)0x200000017e69, 60, 1); *(uint8_t*)0x200000017e6a = 5; *(uint8_t*)0x200000017e6b = 0x24; *(uint8_t*)0x200000017e6c = 0; *(uint16_t*)0x200000017e6d = 0x80; *(uint8_t*)0x200000017e6f = 0xd; *(uint8_t*)0x200000017e70 = 0x24; *(uint8_t*)0x200000017e71 = 0xf; *(uint8_t*)0x200000017e72 = 1; *(uint32_t*)0x200000017e73 = 2; *(uint16_t*)0x200000017e77 = 8; *(uint16_t*)0x200000017e79 = 3; *(uint8_t*)0x200000017e7b = 1; *(uint8_t*)0x200000017e7c = 6; *(uint8_t*)0x200000017e7d = 0x24; *(uint8_t*)0x200000017e7e = 0x1a; *(uint16_t*)0x200000017e7f = 7; *(uint8_t*)0x200000017e81 = 6; *(uint8_t*)0x200000017e82 = 8; *(uint8_t*)0x200000017e83 = 0x24; *(uint8_t*)0x200000017e84 = 0x1c; *(uint16_t*)0x200000017e85 = 0xc; *(uint8_t*)0x200000017e87 = 6; *(uint16_t*)0x200000017e88 = 0x122; *(uint8_t*)0x200000017e8a = 0x12; *(uint8_t*)0x200000017e8b = 0x24; *(uint8_t*)0x200000017e8c = 7; *(uint8_t*)0x200000017e8d = 0x8b; *(uint16_t*)0x200000017e8e = 7; *(uint16_t*)0x200000017e90 = 0xfff9; *(uint16_t*)0x200000017e92 = 5; *(uint16_t*)0x200000017e94 = 3; *(uint16_t*)0x200000017e96 = 0xad97; *(uint16_t*)0x200000017e98 = 3; *(uint16_t*)0x200000017e9a = 0; *(uint8_t*)0x200000017e9c = 0xac; *(uint8_t*)0x200000017e9d = 0x24; *(uint8_t*)0x200000017e9e = 0x13; *(uint8_t*)0x200000017e9f = 0xb; memcpy((void*)0x200000017ea0, "\x78\x4f\x7b\xf4\x55\x93\xf2\x14\x5d\x18\xe4\x9b\xc5\x2e\xdb\x01\x14\x22\x49\x1e\xba\x8f\xc4\x0e\xbe\xd3\x4d\x5d\x81\x30\x4d\xa0\xa3\x55\x65\xec\x20\x36\x11\x7b\xec\x4b\x01\xef\x8f\x75\xc9\xd5\x4e\x74\xb4\x53\x16\xd0\xe1\x67\x2a\x97\xb6\x31\x72\x9b\xcb\x7d\xc9\x9b\xde\x68\x28\x91\xbd\x59\x54\xd9\x45\xf4\x12\x97\x9e\xca\xe7\xee\x08\x6c\x36\x50\xd3\xf9\x76\xa9\x90\xed\xea\x93\x2d\xc3\x08\x5d\x9c\x08\xf2\x0b\xad\xce\xbf\x87\xa9\x7b\xa3\x61\x51\x78\x8d\xaa\x2e\x6b\xe4\x56\x75\x38\x01\x39\xcb\x89\xa1\x7f\x95\xa6\x5c\x87\xa2\x72\xb1\x83\x87\x36\x60\xc9\xb6\x3c\xee\x55\xc4\x3a\xe5\xdf\x58\xb4\x5f\xbe\x08\xf0\x0a\x86\xc6\xb1\xdf\xbd\x51\x7b\x7d\xcd\xca\x1c\x6c\x75\xcd\x37", 168); *(uint8_t*)0x200000017f48 = 6; *(uint8_t*)0x200000017f49 = 0x24; *(uint8_t*)0x200000017f4a = 7; *(uint8_t*)0x200000017f4b = 1; *(uint16_t*)0x200000017f4c = 0xa; *(uint8_t*)0x200000017f4e = 9; *(uint8_t*)0x200000017f4f = 0x21; *(uint16_t*)0x200000017f50 = 0x9a; *(uint8_t*)0x200000017f52 = 8; *(uint8_t*)0x200000017f53 = 1; *(uint8_t*)0x200000017f54 = 0x22; *(uint16_t*)0x200000017f55 = 0x373; *(uint8_t*)0x200000017f57 = 9; *(uint8_t*)0x200000017f58 = 4; *(uint8_t*)0x200000017f59 = 0xb8; *(uint8_t*)0x200000017f5a = 0xc; *(uint8_t*)0x200000017f5b = 0xf; *(uint8_t*)0x200000017f5c = 0xc3; *(uint8_t*)0x200000017f5d = 0x47; *(uint8_t*)0x200000017f5e = 0xe8; *(uint8_t*)0x200000017f5f = 0x7f; *(uint8_t*)0x200000017f60 = 9; *(uint8_t*)0x200000017f61 = 5; *(uint8_t*)0x200000017f62 = 0x80; *(uint8_t*)0x200000017f63 = 2; *(uint16_t*)0x200000017f64 = 0x410; *(uint8_t*)0x200000017f66 = 0xd9; *(uint8_t*)0x200000017f67 = 0xf6; *(uint8_t*)0x200000017f68 = 0xe; *(uint8_t*)0x200000017f69 = 7; *(uint8_t*)0x200000017f6a = 0x25; *(uint8_t*)0x200000017f6b = 1; *(uint8_t*)0x200000017f6c = 0xc; *(uint8_t*)0x200000017f6d = 5; *(uint16_t*)0x200000017f6e = 2; *(uint8_t*)0x200000017f70 = 9; *(uint8_t*)0x200000017f71 = 5; *(uint8_t*)0x200000017f72 = 0xc; *(uint8_t*)0x200000017f73 = 0; *(uint16_t*)0x200000017f74 = 0x40; *(uint8_t*)0x200000017f76 = 2; *(uint8_t*)0x200000017f77 = 2; *(uint8_t*)0x200000017f78 = 6; *(uint8_t*)0x200000017f79 = 9; *(uint8_t*)0x200000017f7a = 5; *(uint8_t*)0x200000017f7b = 0xb; *(uint8_t*)0x200000017f7c = 3; *(uint16_t*)0x200000017f7d = 0x7b4d; *(uint8_t*)0x200000017f7f = 6; *(uint8_t*)0x200000017f80 = 8; *(uint8_t*)0x200000017f81 = 5; *(uint8_t*)0x200000017f82 = 0x82; *(uint8_t*)0x200000017f83 = 0x11; memcpy((void*)0x200000017f84, "\x45\x83\x6f\x6c\x3f\x51\x25\x72\x5e\xd5\xb9\x6b\x96\xb2\x91\x1a\xdb\x85\x37\x0c\xeb\x59\x89\x89\x4b\xd8\x34\x17\xee\x42\x27\x6c\xe8\x0f\xe7\x34\xdb\x8d\x2d\x94\xf2\xfe\x8c\x75\xbf\xd0\x42\xfb\x63\x2c\xfa\x5d\x52\x54\xf9\xb0\xfa\xdc\x88\x5d\x62\x8a\x0d\xc9\x2e\x27\x4c\x02\xcd\x3b\xe0\x42\x1b\x60\x8e\x2c\x53\x8d\xe2\x0b\x20\x8e\xaa\xea\x7b\x51\xdc\x13\xbd\xf7\xf2\xe0\x0a\x6c\xbd\x30\x30\xdf\x9b\xac\xa6\x67\xe6\xcc\xc4\x2b\xdc\x2f\x5d\x82\x2a\x3f\xc2\x98\xb0\x60\xda\x91\x26\x5d\xd0\x15\x83\x22\x1a\x09\x89\x9f", 128); *(uint8_t*)0x200000018004 = 9; *(uint8_t*)0x200000018005 = 5; *(uint8_t*)0x200000018006 = 1; *(uint8_t*)0x200000018007 = 0x10; *(uint16_t*)0x200000018008 = 8; *(uint8_t*)0x20000001800a = 4; *(uint8_t*)0x20000001800b = 1; *(uint8_t*)0x20000001800c = 0xfc; *(uint8_t*)0x20000001800d = 9; *(uint8_t*)0x20000001800e = 5; *(uint8_t*)0x20000001800f = 5; *(uint8_t*)0x200000018010 = 0; *(uint16_t*)0x200000018011 = 0x3ff; *(uint8_t*)0x200000018013 = 0xd7; *(uint8_t*)0x200000018014 = 0; *(uint8_t*)0x200000018015 = 0; *(uint8_t*)0x200000018016 = 0xf6; *(uint8_t*)0x200000018017 = 0x22; memcpy((void*)0x200000018018, "\x67\x43\x9d\x73\x1f\x50\x70\x17\xa6\x2a\xb8\x9e\xb7\x11\x8e\x31\x5a\xab\x47\xbc\xe0\x0c\xfe\x09\x2f\x9b\x6b\x65\x27\x81\x2c\x05\x1d\x98\x78\x9a\x34\x1c\xd8\x57\x9c\x0c\x0f\x64\xf3\x53\xfa\xa6\x41\x37\x28\x67\x64\x0b\x73\x3b\xac\x8b\x88\x00\xb7\xba\xf1\x06\xd0\x3b\x36\xb9\x34\xeb\xf2\x4e\x84\xf5\x54\xe1\x48\x9e\x48\x41\x65\x47\xbb\x7c\x90\x48\x2f\xa4\x70\x64\x67\x39\x07\x68\x59\x8b\xfd\xde\xee\x37\xf9\x6a\x28\x6a\x2f\x72\x6e\xd8\x9e\x5c\xfe\xb0\xdc\xa1\x49\x45\x14\x5d\x57\x27\xfb\xd9\xb2\x94\x9f\x95\x28\xd0\x1e\x94\x8e\x63\x05\x19\x1b\xbb\xdf\xe6\x0f\x22\x3a\xe3\xa1\x98\x23\xce\x4a\x87\x97\xdf\x00\x4c\x04\x8b\x9c\x0d\x79\x3d\x17\x3e\x5a\x39\xaf\xc5\xea\xfe\x8e\xd8\x2b\x45\xd9\xac\x82\xfd\xfd\x1e\xf5\x90\xfa\x30\x0f\x32\xa4\x96\x84\x63\x0a\x4b\x39\x2f\xf5\x80\xee\xae\xff\x43\xc6\x07\xa9\x51\x69\x52\x55\x30\xc2\x4b\x18\x9d\xee\x91\x3c\xf7\xb9\xe1\xc1\xba\xfb\x11\x77\x1b\x05\xc7\x84\x72\x0c\x28\xeb\x00\x1a\xd2\x18\xd0\xa9\x2c\x1e\x32\x07\x16\x06\x73\x4e\xd9\x56\xb6", 244); *(uint8_t*)0x20000001810c = 7; *(uint8_t*)0x20000001810d = 0x25; *(uint8_t*)0x20000001810e = 1; *(uint8_t*)0x20000001810f = 4; *(uint8_t*)0x200000018110 = 3; *(uint16_t*)0x200000018111 = 0xd57d; *(uint8_t*)0x200000018113 = 9; *(uint8_t*)0x200000018114 = 5; *(uint8_t*)0x200000018115 = 1; *(uint8_t*)0x200000018116 = 0; *(uint16_t*)0x200000018117 = 0x400; *(uint8_t*)0x200000018119 = 0x93; *(uint8_t*)0x20000001811a = -1; *(uint8_t*)0x20000001811b = 0x5e; *(uint8_t*)0x20000001811c = 0x9f; *(uint8_t*)0x20000001811d = 0x22; memcpy((void*)0x20000001811e, "\xfa\xae\x6b\x7b\x5c\xb6\x0b\xaa\xbd\xbe\x69\xda\x80\xd6\x30\x6c\xc5\xc4\x8a\x7e\xee\xdd\x7a\x47\xa9\x2b\x69\x3f\x17\x79\x43\x85\xe5\xdf\x43\x42\x8f\xf8\x61\xb3\x89\xff\xfa\x4e\x90\x3a\x47\xcb\xec\x60\xc7\x94\xd7\x8a\x72\x87\xaf\xfd\x41\x62\x73\xfa\xe9\x78\xb7\x31\x3e\xbd\x0b\x4b\xa9\x0d\x2c\x47\xc1\xa1\xa6\x6f\x6a\x69\x8d\xca\xd6\x7c\x6b\x40\xc4\x82\xa0\x9d\x3b\x92\xc0\x54\x22\xf1\xee\xed\x15\x8b\xe3\x73\xe6\x62\x3f\x40\xf8\x2b\x25\x69\x7f\x8f\x79\x34\xc6\x0a\x81\xa4\x03\xf2\x2d\x91\x91\x66\xe0\x11\xd3\x1a\x64\x97\xa0\xc7\xa5\x12\xe4\xdd\xd8\x41\xb5\x44\x14\x54\xc1\xe1\x5d\x8a\x2a\xb3\xe7\x8f\x86\xa5\xcf\x03\xe7\x92\xe7", 157); *(uint8_t*)0x2000000181bb = 7; *(uint8_t*)0x2000000181bc = 0x25; *(uint8_t*)0x2000000181bd = 1; *(uint8_t*)0x2000000181be = 0xc; *(uint8_t*)0x2000000181bf = 1; *(uint16_t*)0x2000000181c0 = 9; *(uint8_t*)0x2000000181c2 = 9; *(uint8_t*)0x2000000181c3 = 5; *(uint8_t*)0x2000000181c4 = 3; *(uint8_t*)0x2000000181c5 = 0xc; *(uint16_t*)0x2000000181c6 = 0x10; *(uint8_t*)0x2000000181c8 = 0xb; *(uint8_t*)0x2000000181c9 = 3; *(uint8_t*)0x2000000181ca = 2; *(uint8_t*)0x2000000181cb = 0xb1; *(uint8_t*)0x2000000181cc = 0; memcpy((void*)0x2000000181cd, "\x33\xe5\xf9\x75\x6d\x19\xa3\xeb\x39\x2b\xa4\x5b\x9f\x38\x1d\xc2\xb0\x62\xee\x3c\xe9\x42\xa4\x85\xe6\x78\xa8\xea\x13\xf6\xc9\xea\xc7\x4e\xc9\x64\x1b\x11\x9d\x78\xa9\xe3\x6b\x32\x32\x7c\xfb\x53\x5d\x6e\xe4\x02\x91\x7d\x7b\x92\xa3\xef\x09\xa7\x93\x23\x73\x5d\xbe\xd9\xb6\x23\xca\x4b\x83\xdb\x01\x17\xd5\x37\xe5\xc5\x8c\x64\x05\xbb\x0f\xe3\x3b\xda\x56\xba\x38\x4b\x95\xfd\x46\x87\xdf\x02\x17\xb2\x23\xa0\xa5\x25\x06\x2e\xf2\x59\x59\x1d\xba\x73\xdb\x93\x6a\x7f\x85\xb8\x2d\xdd\xce\xd8\x21\x6a\xa4\xbc\x4e\xd6\x36\xa5\x7f\xc6\xe6\x83\xe3\xce\xb1\x0a\x63\xbe\x63\x33\x0c\x0e\xa4\xd2\xa5\xcf\xf5\xdb\x4a\xc7\x1a\xc1\x0c\xdc\xe3\xf5\xbd\x50\xc2\x9c\xa7\xd1\x55\x8d\xc5\xed\x7f\x06\xb2\x1d\xd7\xba\x9a\x0d\xc6", 175); *(uint8_t*)0x20000001827c = 9; *(uint8_t*)0x20000001827d = 5; *(uint8_t*)0x20000001827e = 5; *(uint8_t*)0x20000001827f = 0x10; *(uint16_t*)0x200000018280 = 8; *(uint8_t*)0x200000018282 = 0xd4; *(uint8_t*)0x200000018283 = 8; *(uint8_t*)0x200000018284 = 8; *(uint8_t*)0x200000018285 = 7; *(uint8_t*)0x200000018286 = 0x25; *(uint8_t*)0x200000018287 = 1; *(uint8_t*)0x200000018288 = 0xc; *(uint8_t*)0x200000018289 = 0; *(uint16_t*)0x20000001828a = 0x20a; *(uint8_t*)0x20000001828c = 7; *(uint8_t*)0x20000001828d = 0x25; *(uint8_t*)0x20000001828e = 1; *(uint8_t*)0x20000001828f = 0xc; *(uint8_t*)0x200000018290 = 9; *(uint16_t*)0x200000018291 = 5; *(uint8_t*)0x200000018293 = 9; *(uint8_t*)0x200000018294 = 5; *(uint8_t*)0x200000018295 = 5; *(uint8_t*)0x200000018296 = 0; *(uint16_t*)0x200000018297 = 8; *(uint8_t*)0x200000018299 = 7; *(uint8_t*)0x20000001829a = 7; *(uint8_t*)0x20000001829b = 1; *(uint8_t*)0x20000001829c = 0xd4; *(uint8_t*)0x20000001829d = 0xf; memcpy((void*)0x20000001829e, "\x73\x7d\x3a\x43\x15\x65\x8a\x8f\xfa\xd1\x24\xef\x25\x69\x21\x25\x49\x4e\x37\x60\x89\xb7\x0b\x3f\xa6\x3c\x98\xd5\x48\x31\x91\x45\xd9\xa4\x32\xc0\xa3\xa9\x10\x83\x5f\x2c\x89\xb9\x7e\x71\x68\xde\x3f\x5a\x68\xfc\x6d\x30\x86\xb5\xab\xbd\x9c\xad\x99\xb9\xf5\x7d\xf6\x6d\x7a\x2a\xf8\xb1\x1c\x90\x04\x1d\xd4\x4e\xa5\xcb\x90\xb0\x84\x93\xf1\xcc\x38\x39\x1a\xb3\x93\xed\xca\x7a\xfe\x19\xad\xa6\x84\xd6\x2c\x76\x02\x8a\x42\x83\xd3\xf7\xc4\xb6\xa2\x95\x30\xb4\x34\x5f\x74\xfe\xdf\x78\x70\x9f\x1a\x61\x72\xae\x09\x1c\x18\x10\x37\xaa\x8d\x41\x50\x3c\x85\x4f\x5d\x64\xa4\xe1\x77\x29\x82\xed\xb2\xfa\xeb\x1f\x1a\x4f\xfb\x5f\x1b\x62\x41\x5e\x46\xf1\xbb\x27\x37\x4d\x48\x24\x50\x31\xd0\x50\xdc\x55\x28\xc7\xd1\x9e\x7d\x9f\x4f\x71\x98\x39\x84\xe4\x4a\x63\x35\x75\xf1\xb7\x92\xd0\x6d\xb2\xad\xa0\xca\x60\xeb\x38\x96\xc7\xe5\x17\x98\x1d\x56\x7f\xe7\xb5\x8a\xd2", 210); *(uint8_t*)0x200000018370 = 9; *(uint8_t*)0x200000018371 = 5; *(uint8_t*)0x200000018372 = 2; *(uint8_t*)0x200000018373 = 0; *(uint16_t*)0x200000018374 = 0x3ff; *(uint8_t*)0x200000018376 = 5; *(uint8_t*)0x200000018377 = 0x47; *(uint8_t*)0x200000018378 = -1; *(uint8_t*)0x200000018379 = 9; *(uint8_t*)0x20000001837a = 5; *(uint8_t*)0x20000001837b = 0xd; *(uint8_t*)0x20000001837c = 4; *(uint16_t*)0x20000001837d = 0x10; *(uint8_t*)0x20000001837f = 9; *(uint8_t*)0x200000018380 = 9; *(uint8_t*)0x200000018381 = 4; *(uint8_t*)0x200000018382 = 7; *(uint8_t*)0x200000018383 = 0x25; *(uint8_t*)0x200000018384 = 1; *(uint8_t*)0x200000018385 = 8; *(uint8_t*)0x200000018386 = 5; *(uint16_t*)0x200000018387 = 1; *(uint8_t*)0x200000018389 = 0x84; *(uint8_t*)0x20000001838a = 4; memcpy((void*)0x20000001838b, "\xc2\x5a\x3f\xb7\x3a\x08\xd8\xb8\x8a\x25\xe3\x96\xfe\xe4\xb0\x18\xb4\x48\x7b\xcc\xab\xbf\xfe\x8a\xc9\x64\x09\x7b\x47\xdd\x92\x6e\x5c\xb6\x85\xc9\x56\x8c\x47\x38\xe1\xbc\x09\x72\xad\x10\xf1\x27\x89\xa9\xa8\x08\x0d\x7a\x49\x26\x30\xe9\xa1\x55\xa1\x2e\x26\x76\x04\xf5\x37\x73\xb1\xf3\xa6\x03\xc1\x9d\x4d\xc0\xf4\xc5\xcc\xee\x5e\x95\x71\x70\x6e\x99\x0d\xc8\x62\x31\x2f\xb3\xd2\x6c\xc3\x7b\x01\x1d\x95\xf3\x15\x9d\x13\xc4\xac\x34\xab\x08\x4c\x1a\x06\x60\x50\x9a\xe1\x3f\xa6\xf8\x4d\x60\x68\xb3\x3e\x5f\xf1\xda\x2a\x32\x37\x3a", 130); *(uint8_t*)0x20000001840d = 9; *(uint8_t*)0x20000001840e = 5; *(uint8_t*)0x20000001840f = 2; *(uint8_t*)0x200000018410 = 0; *(uint16_t*)0x200000018411 = 0x400; *(uint8_t*)0x200000018413 = 0xa; *(uint8_t*)0x200000018414 = 8; *(uint8_t*)0x200000018415 = 4; *(uint8_t*)0x200000018416 = 9; *(uint8_t*)0x200000018417 = 5; *(uint8_t*)0x200000018418 = 0xe; *(uint8_t*)0x200000018419 = 0; *(uint16_t*)0x20000001841a = 8; *(uint8_t*)0x20000001841c = 6; *(uint8_t*)0x20000001841d = 4; *(uint8_t*)0x20000001841e = 0x96; *(uint8_t*)0x20000001841f = 7; *(uint8_t*)0x200000018420 = 0x25; *(uint8_t*)0x200000018421 = 1; *(uint8_t*)0x200000018422 = 0; *(uint8_t*)0x200000018423 = 0xbe; *(uint16_t*)0x200000018424 = 0xda; *(uint8_t*)0x200000018426 = 7; *(uint8_t*)0x200000018427 = 0x25; *(uint8_t*)0x200000018428 = 1; *(uint8_t*)0x200000018429 = 8; *(uint8_t*)0x20000001842a = 0; *(uint16_t*)0x20000001842b = 0; *(uint8_t*)0x20000001842d = 9; *(uint8_t*)0x20000001842e = 5; *(uint8_t*)0x20000001842f = 8; *(uint8_t*)0x200000018430 = 2; *(uint16_t*)0x200000018431 = 0x10; *(uint8_t*)0x200000018433 = 0xb; *(uint8_t*)0x200000018434 = 5; *(uint8_t*)0x200000018435 = 0x8f; *(uint8_t*)0x200000018436 = 0x77; *(uint8_t*)0x200000018437 = 0xf7; memcpy((void*)0x200000018438, "\xe6\xda\x68\x32\x66\x5e\x8f\xc3\x6a\x0e\x8f\x94\x15\x7f\x6a\x5f\xbd\x96\xba\x60\x85\xfa\x6c\xc0\xde\x01\x63\x51\x50\x75\x1f\xa9\x08\x0a\x8c\xe5\xaa\xa4\xe5\x0b\xdd\xbe\xfe\x64\x9a\x98\x85\x24\x4d\x8f\xd8\x77\x92\x0b\x57\x0d\x69\x13\xac\x5e\xf7\x4d\x87\x13\x9a\x81\x21\x5a\xce\x97\x2e\x76\x9b\x6e\x70\x7e\x21\x02\xde\x59\x3a\x66\x1d\x40\x8d\x0c\xbc\xe3\x85\xec\xdc\x66\xd0\x0e\x64\x9d\xd5\x50\x4e\x8b\x1f\x2a\xee\xdf\x02\xeb\x08\xbd\x9a\x2b\x21\x02\xf3\x79\x27\xbf\xb9", 117); *(uint8_t*)0x2000000184ad = 7; *(uint8_t*)0x2000000184ae = 0x25; *(uint8_t*)0x2000000184af = 1; *(uint8_t*)0x2000000184b0 = 0xc; *(uint8_t*)0x2000000184b1 = 0x40; *(uint16_t*)0x2000000184b2 = 0x8000; *(uint8_t*)0x2000000184b4 = 9; *(uint8_t*)0x2000000184b5 = 5; *(uint8_t*)0x2000000184b6 = 0xd; *(uint8_t*)0x2000000184b7 = 0xc; *(uint16_t*)0x2000000184b8 = 0x40; *(uint8_t*)0x2000000184ba = 6; *(uint8_t*)0x2000000184bb = 0; *(uint8_t*)0x2000000184bc = 9; *(uint8_t*)0x2000000184bd = 9; *(uint8_t*)0x2000000184be = 4; *(uint8_t*)0x2000000184bf = 0x1e; *(uint8_t*)0x2000000184c0 = 8; *(uint8_t*)0x2000000184c1 = 3; *(uint8_t*)0x2000000184c2 = 0x90; *(uint8_t*)0x2000000184c3 = 0x1b; *(uint8_t*)0x2000000184c4 = 0x5d; *(uint8_t*)0x2000000184c5 = 9; *(uint8_t*)0x2000000184c6 = 9; *(uint8_t*)0x2000000184c7 = 0x24; *(uint8_t*)0x2000000184c8 = 2; *(uint8_t*)0x2000000184c9 = 1; *(uint8_t*)0x2000000184ca = 3; *(uint8_t*)0x2000000184cb = 1; *(uint8_t*)0x2000000184cc = 0; *(uint8_t*)0x2000000184cd = 0x35; *(uint8_t*)0x2000000184ce = 8; *(uint8_t*)0x2000000184cf = 9; *(uint8_t*)0x2000000184d0 = 0x24; *(uint8_t*)0x2000000184d1 = 2; *(uint8_t*)0x2000000184d2 = 1; *(uint8_t*)0x2000000184d3 = 4; *(uint8_t*)0x2000000184d4 = 3; *(uint8_t*)0x2000000184d5 = 4; *(uint8_t*)0x2000000184d6 = 0xf6; *(uint8_t*)0x2000000184d7 = 0x80; *(uint8_t*)0x2000000184d8 = 0xa; *(uint8_t*)0x2000000184d9 = 0x24; *(uint8_t*)0x2000000184da = 2; *(uint8_t*)0x2000000184db = 2; *(uint16_t*)0x2000000184dc = 5; *(uint16_t*)0x2000000184de = 0x35c6; *(uint8_t*)0x2000000184e0 = 1; *(uint8_t*)0x2000000184e1 = 3; *(uint8_t*)0x2000000184e2 = 0xa; *(uint8_t*)0x2000000184e3 = 0x24; *(uint8_t*)0x2000000184e4 = 1; *(uint16_t*)0x2000000184e5 = 0x8001; *(uint16_t*)0x2000000184e7 = 0x51; *(uint8_t*)0x2000000184e9 = 2; *(uint8_t*)0x2000000184ea = 1; *(uint8_t*)0x2000000184eb = 2; *(uint8_t*)0x2000000184ec = 9; *(uint8_t*)0x2000000184ed = 0x24; *(uint8_t*)0x2000000184ee = 6; *(uint8_t*)0x2000000184ef = 4; *(uint8_t*)0x2000000184f0 = 3; *(uint8_t*)0x2000000184f1 = 1; *(uint16_t*)0x2000000184f2 = 4; *(uint8_t*)0x2000000184f4 = 8; *(uint8_t*)0x2000000184f5 = 0xb; *(uint8_t*)0x2000000184f6 = 0x24; *(uint8_t*)0x2000000184f7 = 7; *(uint8_t*)0x2000000184f8 = 4; *(uint16_t*)0x2000000184f9 = 3; *(uint8_t*)0x2000000184fb = 9; memcpy((void*)0x2000000184fc, "\xd6\xe5\xbe\xc9", 4); *(uint8_t*)0x200000018500 = 9; *(uint8_t*)0x200000018501 = 0x24; *(uint8_t*)0x200000018502 = 7; *(uint8_t*)0x200000018503 = 1; *(uint16_t*)0x200000018504 = 1; *(uint8_t*)0x200000018506 = 6; memcpy((void*)0x200000018507, "CO", 2); *(uint8_t*)0x200000018509 = 0xc; *(uint8_t*)0x20000001850a = 0x24; *(uint8_t*)0x20000001850b = 2; *(uint8_t*)0x20000001850c = 2; *(uint16_t*)0x20000001850d = 0x204; *(uint8_t*)0x20000001850f = 5; *(uint8_t*)0x200000018510 = 9; *(uint16_t*)0x200000018511 = 9; *(uint8_t*)0x200000018513 = 1; *(uint8_t*)0x200000018514 = 0xd4; *(uint8_t*)0x200000018515 = 0x11; *(uint8_t*)0x200000018516 = 0x24; *(uint8_t*)0x200000018517 = 6; *(uint8_t*)0x200000018518 = 5; *(uint8_t*)0x200000018519 = 6; *(uint8_t*)0x20000001851a = 5; *(uint16_t*)0x20000001851b = 3; *(uint16_t*)0x20000001851d = 0xa; *(uint16_t*)0x20000001851f = 3; *(uint16_t*)0x200000018521 = 9; *(uint16_t*)0x200000018523 = 3; *(uint8_t*)0x200000018525 = 3; *(uint8_t*)0x200000018526 = 0xd; *(uint8_t*)0x200000018527 = 0x24; *(uint8_t*)0x200000018528 = 8; *(uint8_t*)0x200000018529 = 2; *(uint16_t*)0x20000001852a = 5; *(uint8_t*)0x20000001852c = 0xfa; memcpy((void*)0x20000001852d, "\xcf\x52\x1f\xd9\x77\x8e", 6); *(uint8_t*)0x200000018533 = 9; *(uint8_t*)0x200000018534 = 5; *(uint8_t*)0x200000018535 = 0; *(uint8_t*)0x200000018536 = 1; *(uint16_t*)0x200000018537 = 0x200; *(uint8_t*)0x200000018539 = 3; *(uint8_t*)0x20000001853a = 9; *(uint8_t*)0x20000001853b = 6; *(uint8_t*)0x20000001853c = 9; *(uint8_t*)0x20000001853d = 5; *(uint8_t*)0x20000001853e = 1; *(uint8_t*)0x20000001853f = 0x10; *(uint16_t*)0x200000018540 = 0; *(uint8_t*)0x200000018542 = 7; *(uint8_t*)0x200000018543 = 3; *(uint8_t*)0x200000018544 = 1; *(uint8_t*)0x200000018545 = 9; *(uint8_t*)0x200000018546 = 5; *(uint8_t*)0x200000018547 = 9; *(uint8_t*)0x200000018548 = 3; *(uint16_t*)0x200000018549 = 0x20; *(uint8_t*)0x20000001854b = 0xf; *(uint8_t*)0x20000001854c = 4; *(uint8_t*)0x20000001854d = 5; *(uint8_t*)0x20000001854e = 0x30; *(uint8_t*)0x20000001854f = 0x30; memcpy((void*)0x200000018550, "\x9a\xf3\xfe\x71\x51\xc3\xb3\xad\x7b\xd1\xa1\xc8\xe2\xee\x7c\x94\x95\xbf\xb5\x20\x94\xd1\xdc\x13\xf4\x1f\x06\xa7\x6b\x11\x1e\xbf\x90\x89\xa2\x37\x2b\x32\x34\x99\xe8\x15\x36\xed\x22\xf6", 46); *(uint8_t*)0x20000001857e = 7; *(uint8_t*)0x20000001857f = 0x25; *(uint8_t*)0x200000018580 = 1; *(uint8_t*)0x200000018581 = 0; *(uint8_t*)0x200000018582 = 0xd; *(uint16_t*)0x200000018583 = 0x1000; *(uint32_t*)0x2000000187c0 = 0xa; *(uint64_t*)0x2000000187c4 = 0x2000000185c0; *(uint8_t*)0x2000000185c0 = 0xa; *(uint8_t*)0x2000000185c1 = 6; *(uint16_t*)0x2000000185c2 = 0x200; *(uint8_t*)0x2000000185c4 = 0xe; *(uint8_t*)0x2000000185c5 = 0x7c; *(uint8_t*)0x2000000185c6 = 5; *(uint8_t*)0x2000000185c7 = 0x40; *(uint8_t*)0x2000000185c8 = 6; *(uint8_t*)0x2000000185c9 = 0; *(uint32_t*)0x2000000187cc = 0xec; *(uint64_t*)0x2000000187d0 = 0x200000018600; *(uint8_t*)0x200000018600 = 5; *(uint8_t*)0x200000018601 = 0xf; *(uint16_t*)0x200000018602 = 0xec; *(uint8_t*)0x200000018604 = 5; *(uint8_t*)0x200000018605 = 0xb; *(uint8_t*)0x200000018606 = 0x10; *(uint8_t*)0x200000018607 = 1; *(uint8_t*)0x200000018608 = 4; *(uint16_t*)0x200000018609 = 8; *(uint8_t*)0x20000001860b = 0x7f; *(uint8_t*)0x20000001860c = 4; *(uint16_t*)0x20000001860d = 0x10; *(uint8_t*)0x20000001860f = 0; *(uint8_t*)0x200000018610 = 3; *(uint8_t*)0x200000018611 = 0x10; *(uint8_t*)0x200000018612 = 0xb; *(uint8_t*)0x200000018613 = 0x14; *(uint8_t*)0x200000018614 = 0x10; *(uint8_t*)0x200000018615 = 4; *(uint8_t*)0x200000018616 = 0x19; memcpy((void*)0x200000018617, "\x37\x08\x89\x2f\x9f\x72\x25\xbe\x3a\x60\x09\x55\x99\x65\xad\x74", 16); *(uint8_t*)0x200000018627 = 0xb; *(uint8_t*)0x200000018628 = 0x10; *(uint8_t*)0x200000018629 = 1; *(uint8_t*)0x20000001862a = 4; *(uint16_t*)0x20000001862b = 0x20; *(uint8_t*)0x20000001862d = 0xc9; *(uint8_t*)0x20000001862e = 3; *(uint16_t*)0x20000001862f = 3; *(uint8_t*)0x200000018631 = 8; *(uint8_t*)0x200000018632 = 0xba; *(uint8_t*)0x200000018633 = 0x10; *(uint8_t*)0x200000018634 = 3; memcpy((void*)0x200000018635, "\x2a\x04\x52\xf8\xe5\x6a\xc2\xff\xae\xe6\xcb\x1f\xc6\xfa\xea\x42\x98\x66\x4f\x03\x26\x76\xda\x02\xee\x36\xca\xc0\xdf\x47\x2c\x05\xb6\xa8\x95\xc8\x7b\x06\x14\x5c\x8c\xb2\xbf\x15\x63\xd9\x15\xfb\x74\x59\xdf\xa3\x7e\x7b\x01\x0a\x23\x07\xd7\x6e\xd4\xc7\x5a\x0c\x19\x62\x07\x4d\x24\xf9\x83\x6e\x05\xdf\x96\x5f\xdf\x4e\x24\x60\x07\x6f\x7f\x10\x97\x08\x23\x08\x72\xab\xfc\x7b\x89\xd4\xe5\xe0\x8d\x5d\x7b\x3b\x28\xbe\x99\x66\x61\x69\xe4\xbe\xaa\x1e\xd7\x09\x9d\x4e\xad\x2e\x0a\xea\xb9\xe0\x1f\xf1\xbf\x20\xb5\x9a\x78\xa6\xd9\x85\x29\x89\xb4\xc4\x73\x25\x50\xc7\x0f\x84\x3d\xaa\x0c\x88\xd8\x2e\xf8\x06\xec\xe5\x08\xcc\x95\x53\xfe\x81\x34\xcf\xad\xc5\x76\x9b\xff\x04\x6d\xca\x8f\x1f\xe0\x31\xf2\x5d\xba\xe9\x23\x96\x22\x56\xa0\xd9\x62\xf0\x81", 183); *(uint32_t*)0x2000000187d8 = 2; *(uint32_t*)0x2000000187dc = 0x5f; *(uint64_t*)0x2000000187e0 = 0x200000018700; *(uint8_t*)0x200000018700 = 0x5f; *(uint8_t*)0x200000018701 = 3; memcpy((void*)0x200000018702, "\x15\x9f\xae\xf0\x2b\x24\x6d\xab\x7c\xba\x3e\xfc\x4a\x7f\xed\x8d\x17\x4b\xd7\x06\xd4\x84\x57\xf2\x61\xad\x8f\xe8\x8d\xc0\x42\x6f\xe7\x1a\x32\x29\x1e\xe9\x35\x75\xbf\x34\x7c\xbf\xc2\x13\x23\xb2\x08\xf1\x5a\x79\x2a\xbb\xf3\x01\x70\x92\xaa\x8e\x55\x1f\xcb\xd8\x51\xca\x73\x90\x61\x2f\x9e\x58\x48\x73\x8c\x87\x2b\x63\x87\x38\x75\x5a\xdf\xa7\xd4\x32\xea\xb1\xcd\xf1\x12\x46\xe6", 93); *(uint32_t*)0x2000000187e8 = 4; *(uint64_t*)0x2000000187ec = 0x200000018780; *(uint8_t*)0x200000018780 = 4; *(uint8_t*)0x200000018781 = 3; *(uint16_t*)0x200000018782 = 0x41d; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x745, /*dev=*/0x200000017e40, /*conn_descs=*/0x2000000187c0); if (res != -1) r[44] = res; break; case 67: *(uint8_t*)0x200000018800 = 0x12; *(uint8_t*)0x200000018801 = 1; *(uint16_t*)0x200000018802 = 0x200; *(uint8_t*)0x200000018804 = -1; *(uint8_t*)0x200000018805 = -1; *(uint8_t*)0x200000018806 = -1; *(uint8_t*)0x200000018807 = 0x40; *(uint16_t*)0x200000018808 = 0xcf3; *(uint16_t*)0x20000001880a = 0x9271; *(uint16_t*)0x20000001880c = 0x108; *(uint8_t*)0x20000001880e = 1; *(uint8_t*)0x20000001880f = 2; *(uint8_t*)0x200000018810 = 3; *(uint8_t*)0x200000018811 = 1; *(uint8_t*)0x200000018812 = 9; *(uint8_t*)0x200000018813 = 2; *(uint16_t*)0x200000018814 = 0x48; *(uint8_t*)0x200000018816 = 1; *(uint8_t*)0x200000018817 = 1; *(uint8_t*)0x200000018818 = 0; *(uint8_t*)0x200000018819 = 0x80; *(uint8_t*)0x20000001881a = 0xfa; *(uint8_t*)0x20000001881b = 9; *(uint8_t*)0x20000001881c = 4; *(uint8_t*)0x20000001881d = 0; *(uint8_t*)0x20000001881e = 0; *(uint8_t*)0x20000001881f = 6; *(uint8_t*)0x200000018820 = -1; *(uint8_t*)0x200000018821 = 0; *(uint8_t*)0x200000018822 = 0; *(uint8_t*)0x200000018823 = 0; *(uint8_t*)0x200000018824 = 9; *(uint8_t*)0x200000018825 = 5; *(uint8_t*)0x200000018826 = 1; *(uint8_t*)0x200000018827 = 2; *(uint16_t*)0x200000018828 = 0x200; *(uint8_t*)0x20000001882a = 0; *(uint8_t*)0x20000001882b = 0; *(uint8_t*)0x20000001882c = 0; *(uint8_t*)0x20000001882d = 9; *(uint8_t*)0x20000001882e = 5; *(uint8_t*)0x20000001882f = 0x82; *(uint8_t*)0x200000018830 = 2; *(uint16_t*)0x200000018831 = 0x200; *(uint8_t*)0x200000018833 = 0; *(uint8_t*)0x200000018834 = 0; *(uint8_t*)0x200000018835 = 0; *(uint8_t*)0x200000018836 = 9; *(uint8_t*)0x200000018837 = 5; *(uint8_t*)0x200000018838 = 0x83; *(uint8_t*)0x200000018839 = 3; *(uint16_t*)0x20000001883a = 0x40; *(uint8_t*)0x20000001883c = 1; *(uint8_t*)0x20000001883d = 0; *(uint8_t*)0x20000001883e = 0; *(uint8_t*)0x20000001883f = 9; *(uint8_t*)0x200000018840 = 5; *(uint8_t*)0x200000018841 = 4; *(uint8_t*)0x200000018842 = 3; *(uint16_t*)0x200000018843 = 0x40; *(uint8_t*)0x200000018845 = 1; *(uint8_t*)0x200000018846 = 0; *(uint8_t*)0x200000018847 = 0; *(uint8_t*)0x200000018848 = 9; *(uint8_t*)0x200000018849 = 5; *(uint8_t*)0x20000001884a = 5; *(uint8_t*)0x20000001884b = 2; *(uint16_t*)0x20000001884c = 0x200; *(uint8_t*)0x20000001884e = 0; *(uint8_t*)0x20000001884f = 0; *(uint8_t*)0x200000018850 = 0; *(uint8_t*)0x200000018851 = 9; *(uint8_t*)0x200000018852 = 5; *(uint8_t*)0x200000018853 = 6; *(uint8_t*)0x200000018854 = 2; *(uint16_t*)0x200000018855 = 0x200; *(uint8_t*)0x200000018857 = 0; *(uint8_t*)0x200000018858 = 0; *(uint8_t*)0x200000018859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000018800, /*conn_descs=*/0); if (res != -1) r[45] = res; break; case 68: *(uint32_t*)0x200000018a00 = 0x2c; *(uint64_t*)0x200000018a04 = 0x200000018880; *(uint8_t*)0x200000018880 = 0x20; *(uint8_t*)0x200000018881 = 0xa; *(uint32_t*)0x200000018882 = 6; *(uint8_t*)0x200000018886 = 6; *(uint8_t*)0x200000018887 = 0x11; memcpy((void*)0x200000018888, "\x11\xbe\x69\x06", 4); *(uint64_t*)0x200000018a0c = 0x2000000188c0; *(uint8_t*)0x2000000188c0 = 0; *(uint8_t*)0x2000000188c1 = 3; *(uint32_t*)0x2000000188c2 = 0x4b; *(uint8_t*)0x2000000188c6 = 0x4b; *(uint8_t*)0x2000000188c7 = 3; memcpy((void*)0x2000000188c8, "\x54\xf1\x66\xc5\x04\xf7\x90\xb8\xfd\x21\x67\xab\x4d\x22\x07\xfa\xf4\xe0\xd9\xb9\x06\x85\x64\xc8\xfe\xe8\x2a\x31\xe2\xa5\x6d\x9b\x86\x3c\x41\x88\xc8\x02\xbd\x1e\x73\x79\x93\xba\x22\xa3\x23\x79\x5c\xb0\xb4\xf4\xe9\x4c\xb7\x96\x75\x88\x40\xf7\xc8\x88\x98\x69\x4a\x05\x9b\xe7\x6c\x02\x85\xd6\x91", 73); *(uint64_t*)0x200000018a14 = 0x200000018940; *(uint8_t*)0x200000018940 = 0; *(uint8_t*)0x200000018941 = 0xf; *(uint32_t*)0x200000018942 = 0x1a; *(uint8_t*)0x200000018946 = 5; *(uint8_t*)0x200000018947 = 0xf; *(uint16_t*)0x200000018948 = 0x1a; *(uint8_t*)0x20000001894a = 2; *(uint8_t*)0x20000001894b = 0xb; *(uint8_t*)0x20000001894c = 0x10; *(uint8_t*)0x20000001894d = 1; *(uint8_t*)0x20000001894e = 2; *(uint16_t*)0x20000001894f = 1; *(uint8_t*)0x200000018951 = 4; *(uint8_t*)0x200000018952 = 0xa; *(uint16_t*)0x200000018953 = 4; *(uint8_t*)0x200000018955 = 0x10; *(uint8_t*)0x200000018956 = 0xa; *(uint8_t*)0x200000018957 = 0x10; *(uint8_t*)0x200000018958 = 3; *(uint8_t*)0x200000018959 = 0; *(uint16_t*)0x20000001895a = 4; *(uint8_t*)0x20000001895c = 6; *(uint8_t*)0x20000001895d = 0; *(uint16_t*)0x20000001895e = 1; *(uint64_t*)0x200000018a1c = 0x200000018980; *(uint8_t*)0x200000018980 = 0x20; *(uint8_t*)0x200000018981 = 0x29; *(uint32_t*)0x200000018982 = 0xf; *(uint8_t*)0x200000018986 = 0xf; *(uint8_t*)0x200000018987 = 0x29; *(uint8_t*)0x200000018988 = 0x7e; *(uint16_t*)0x200000018989 = 0; *(uint8_t*)0x20000001898b = 2; *(uint8_t*)0x20000001898c = 7; memcpy((void*)0x20000001898d, "\x3c\x68\x95\xab", 4); memcpy((void*)0x200000018991, "\x13\x82\x53\xae", 4); *(uint64_t*)0x200000018a24 = 0x2000000189c0; *(uint8_t*)0x2000000189c0 = 0x20; *(uint8_t*)0x2000000189c1 = 0x2a; *(uint32_t*)0x2000000189c2 = 0xc; *(uint8_t*)0x2000000189c6 = 0xc; *(uint8_t*)0x2000000189c7 = 0x2a; *(uint8_t*)0x2000000189c8 = 0xe; *(uint16_t*)0x2000000189c9 = 1; *(uint8_t*)0x2000000189cb = 0xb5; *(uint8_t*)0x2000000189cc = 2; *(uint8_t*)0x2000000189cd = 6; *(uint16_t*)0x2000000189ce = 7; *(uint16_t*)0x2000000189d0 = 9; *(uint32_t*)0x200000018e40 = 0x84; *(uint64_t*)0x200000018e44 = 0x200000018a40; *(uint8_t*)0x200000018a40 = 0x20; *(uint8_t*)0x200000018a41 = 0xc; *(uint32_t*)0x200000018a42 = 2; memcpy((void*)0x200000018a46, "\xd8\x0b", 2); *(uint64_t*)0x200000018e4c = 0x200000018a80; *(uint8_t*)0x200000018a80 = 0; *(uint8_t*)0x200000018a81 = 0xa; *(uint32_t*)0x200000018a82 = 1; *(uint8_t*)0x200000018a86 = 7; *(uint64_t*)0x200000018e54 = 0x200000018ac0; *(uint8_t*)0x200000018ac0 = 0; *(uint8_t*)0x200000018ac1 = 8; *(uint32_t*)0x200000018ac2 = 1; *(uint8_t*)0x200000018ac6 = 5; *(uint64_t*)0x200000018e5c = 0x200000018b00; *(uint8_t*)0x200000018b00 = 0x20; *(uint8_t*)0x200000018b01 = 0; *(uint32_t*)0x200000018b02 = 4; *(uint16_t*)0x200000018b06 = 0; *(uint16_t*)0x200000018b08 = 2; *(uint64_t*)0x200000018e64 = 0x200000018b40; *(uint8_t*)0x200000018b40 = 0x20; *(uint8_t*)0x200000018b41 = 0; *(uint32_t*)0x200000018b42 = 8; *(uint16_t*)0x200000018b46 = 0x1160; *(uint16_t*)0x200000018b48 = 2; *(uint32_t*)0x200000018b4a = 0x1e0ff; *(uint64_t*)0x200000018e6c = 0x200000018b80; *(uint8_t*)0x200000018b80 = 0x40; *(uint8_t*)0x200000018b81 = 7; *(uint32_t*)0x200000018b82 = 2; *(uint16_t*)0x200000018b86 = 0; *(uint64_t*)0x200000018e74 = 0x200000018bc0; *(uint8_t*)0x200000018bc0 = 0x40; *(uint8_t*)0x200000018bc1 = 9; *(uint32_t*)0x200000018bc2 = 1; *(uint8_t*)0x200000018bc6 = 0x81; *(uint64_t*)0x200000018e7c = 0x200000018c00; *(uint8_t*)0x200000018c00 = 0x40; *(uint8_t*)0x200000018c01 = 0xb; *(uint32_t*)0x200000018c02 = 2; memcpy((void*)0x200000018c06, "~s", 2); *(uint64_t*)0x200000018e84 = 0x200000018c40; *(uint8_t*)0x200000018c40 = 0x40; *(uint8_t*)0x200000018c41 = 0xf; *(uint32_t*)0x200000018c42 = 2; *(uint16_t*)0x200000018c46 = 0xa; *(uint64_t*)0x200000018e8c = 0x200000018c80; *(uint8_t*)0x200000018c80 = 0x40; *(uint8_t*)0x200000018c81 = 0x13; *(uint32_t*)0x200000018c82 = 6; memset((void*)0x200000018c86, 170, 5); *(uint8_t*)0x200000018c8b = 0x17; *(uint64_t*)0x200000018e94 = 0x200000018cc0; *(uint8_t*)0x200000018cc0 = 0x40; *(uint8_t*)0x200000018cc1 = 0x17; *(uint32_t*)0x200000018cc2 = 6; memset((void*)0x200000018cc6, 170, 5); *(uint8_t*)0x200000018ccb = 0x3d; *(uint64_t*)0x200000018e9c = 0x200000018d00; *(uint8_t*)0x200000018d00 = 0x40; *(uint8_t*)0x200000018d01 = 0x19; *(uint32_t*)0x200000018d02 = 2; memcpy((void*)0x200000018d06, "\xb3\x62", 2); *(uint64_t*)0x200000018ea4 = 0x200000018d40; *(uint8_t*)0x200000018d40 = 0x40; *(uint8_t*)0x200000018d41 = 0x1a; *(uint32_t*)0x200000018d42 = 2; *(uint16_t*)0x200000018d46 = 6; *(uint64_t*)0x200000018eac = 0x200000018d80; *(uint8_t*)0x200000018d80 = 0x40; *(uint8_t*)0x200000018d81 = 0x1c; *(uint32_t*)0x200000018d82 = 1; *(uint8_t*)0x200000018d86 = 0xfa; *(uint64_t*)0x200000018eb4 = 0x200000018dc0; *(uint8_t*)0x200000018dc0 = 0x40; *(uint8_t*)0x200000018dc1 = 0x1e; *(uint32_t*)0x200000018dc2 = 1; *(uint8_t*)0x200000018dc6 = 9; *(uint64_t*)0x200000018ebc = 0x200000018e00; *(uint8_t*)0x200000018e00 = 0x40; *(uint8_t*)0x200000018e01 = 0x21; *(uint32_t*)0x200000018e02 = 1; *(uint8_t*)0x200000018e06 = 8; syz_usb_control_io(/*fd=*/r[44], /*descs=*/0x200000018a00, /*resps=*/0x200000018e40); break; case 69: syz_usb_disconnect(/*fd=*/r[45]); break; case 70: syz_usb_ep_read(/*fd=*/r[45], /*ep=*/0xd2, /*len=*/0xde, /*data=*/0x200000018f00); break; case 71: *(uint8_t*)0x200000019000 = 0x12; *(uint8_t*)0x200000019001 = 1; *(uint16_t*)0x200000019002 = 0x110; *(uint8_t*)0x200000019004 = 0; *(uint8_t*)0x200000019005 = 0; *(uint8_t*)0x200000019006 = 0; *(uint8_t*)0x200000019007 = 0x10; *(uint16_t*)0x200000019008 = 0x1430; *(uint16_t*)0x20000001900a = 0x474b; *(uint16_t*)0x20000001900c = 0x40; *(uint8_t*)0x20000001900e = 1; *(uint8_t*)0x20000001900f = 2; *(uint8_t*)0x200000019010 = 3; *(uint8_t*)0x200000019011 = 1; *(uint8_t*)0x200000019012 = 9; *(uint8_t*)0x200000019013 = 2; *(uint16_t*)0x200000019014 = 0xcc; *(uint8_t*)0x200000019016 = 1; *(uint8_t*)0x200000019017 = 1; *(uint8_t*)0x200000019018 = 9; *(uint8_t*)0x200000019019 = 0; *(uint8_t*)0x20000001901a = 9; *(uint8_t*)0x20000001901b = 9; *(uint8_t*)0x20000001901c = 4; *(uint8_t*)0x20000001901d = 0; *(uint8_t*)0x20000001901e = 0; *(uint8_t*)0x20000001901f = 5; *(uint8_t*)0x200000019020 = 1; *(uint8_t*)0x200000019021 = 3; *(uint8_t*)0x200000019022 = 0; *(uint8_t*)0x200000019023 = 0xa; *(uint8_t*)0x200000019024 = 7; *(uint8_t*)0x200000019025 = 0x24; *(uint8_t*)0x200000019026 = 1; *(uint16_t*)0x200000019027 = 0; *(uint16_t*)0x200000019029 = 7; *(uint8_t*)0x20000001902b = 0x11; *(uint8_t*)0x20000001902c = 0x24; *(uint8_t*)0x20000001902d = 3; *(uint8_t*)0x20000001902e = 0; *(uint8_t*)0x20000001902f = 0xf5; *(uint8_t*)0x200000019030 = 5; *(uint8_t*)0x200000019031 = 4; *(uint8_t*)0x200000019032 = 0; *(uint8_t*)0x200000019033 = 7; *(uint8_t*)0x200000019034 = 7; *(uint8_t*)0x200000019035 = 0xc1; *(uint8_t*)0x200000019036 = 0; *(uint8_t*)0x200000019037 = 3; *(uint8_t*)0x200000019038 = 3; *(uint8_t*)0x200000019039 = 2; *(uint8_t*)0x20000001903a = 0xc; *(uint8_t*)0x20000001903b = 0xd4; *(uint8_t*)0x20000001903c = 0x13; *(uint8_t*)0x20000001903d = 0x24; *(uint8_t*)0x20000001903e = 3; *(uint8_t*)0x20000001903f = 2; *(uint8_t*)0x200000019040 = 0xd; *(uint8_t*)0x200000019041 = 6; *(uint8_t*)0x200000019042 = 0x13; *(uint8_t*)0x200000019043 = 0x80; *(uint8_t*)0x200000019044 = 2; *(uint8_t*)0x200000019045 = 0xe; *(uint8_t*)0x200000019046 = 1; *(uint8_t*)0x200000019047 = 3; *(uint8_t*)0x200000019048 = 8; *(uint8_t*)0x200000019049 = 7; *(uint8_t*)0x20000001904a = 7; *(uint8_t*)0x20000001904b = 4; *(uint8_t*)0x20000001904c = 0xeb; *(uint8_t*)0x20000001904d = 6; *(uint8_t*)0x20000001904e = 4; *(uint8_t*)0x20000001904f = 7; *(uint8_t*)0x200000019050 = 0x24; *(uint8_t*)0x200000019051 = 1; *(uint16_t*)0x200000019052 = 3; *(uint16_t*)0x200000019054 = 7; *(uint8_t*)0x200000019056 = 9; *(uint8_t*)0x200000019057 = 0x24; *(uint8_t*)0x200000019058 = 3; *(uint8_t*)0x200000019059 = 0; *(uint8_t*)0x20000001905a = 6; *(uint8_t*)0x20000001905b = 1; *(uint8_t*)0x20000001905c = 2; *(uint8_t*)0x20000001905d = 0x53; *(uint8_t*)0x20000001905e = 0; *(uint8_t*)0x20000001905f = 9; *(uint8_t*)0x200000019060 = 5; *(uint8_t*)0x200000019061 = 0xc; *(uint8_t*)0x200000019062 = 0; *(uint16_t*)0x200000019063 = 8; *(uint8_t*)0x200000019065 = 0; *(uint8_t*)0x200000019066 = 3; *(uint8_t*)0x200000019067 = 0xef; *(uint8_t*)0x200000019068 = 0xf; *(uint8_t*)0x200000019069 = 0x25; *(uint8_t*)0x20000001906a = 1; *(uint8_t*)0x20000001906b = 0xb; memcpy((void*)0x20000001906c, "\x8d\xca\x6f\x86\xba\x15\x43\xf9\xfd\x54\x17", 11); *(uint8_t*)0x200000019077 = 9; *(uint8_t*)0x200000019078 = 5; *(uint8_t*)0x200000019079 = 1; *(uint8_t*)0x20000001907a = 2; *(uint16_t*)0x20000001907b = 0x10; *(uint8_t*)0x20000001907d = 0xa5; *(uint8_t*)0x20000001907e = 8; *(uint8_t*)0x20000001907f = 3; *(uint8_t*)0x200000019080 = 0x13; *(uint8_t*)0x200000019081 = 0x25; *(uint8_t*)0x200000019082 = 1; *(uint8_t*)0x200000019083 = 0xf; memcpy((void*)0x200000019084, "\xfc\x2a\xb7\xfa\xb0\x2e\x86\xb9\xc8\x3c\x1a\x1c\x2e\xe5\xba", 15); *(uint8_t*)0x200000019093 = 9; *(uint8_t*)0x200000019094 = 5; *(uint8_t*)0x200000019095 = 0xc; *(uint8_t*)0x200000019096 = 8; *(uint16_t*)0x200000019097 = 0x400; *(uint8_t*)0x200000019099 = 3; *(uint8_t*)0x20000001909a = 0; *(uint8_t*)0x20000001909b = 0xbe; *(uint8_t*)0x20000001909c = 0x13; *(uint8_t*)0x20000001909d = 0x25; *(uint8_t*)0x20000001909e = 1; *(uint8_t*)0x20000001909f = 0xf; memcpy((void*)0x2000000190a0, "\xd9\x81\x1e\x1e\xd3\x64\x2b\xab\x8c\x2a\x71\xbc\x25\xbf\x6c", 15); *(uint8_t*)0x2000000190af = 9; *(uint8_t*)0x2000000190b0 = 5; *(uint8_t*)0x2000000190b1 = 3; *(uint8_t*)0x2000000190b2 = 0; *(uint16_t*)0x2000000190b3 = 0x3ff; *(uint8_t*)0x2000000190b5 = 0x7f; *(uint8_t*)0x2000000190b6 = 0x96; *(uint8_t*)0x2000000190b7 = 7; *(uint8_t*)0x2000000190b8 = 0xf; *(uint8_t*)0x2000000190b9 = 0x25; *(uint8_t*)0x2000000190ba = 1; *(uint8_t*)0x2000000190bb = 0xb; memcpy((void*)0x2000000190bc, "\x0e\xc3\xb8\xef\xc0\x22\xfc\x1b\x47\x4c\xae", 11); *(uint8_t*)0x2000000190c7 = 9; *(uint8_t*)0x2000000190c8 = 5; *(uint8_t*)0x2000000190c9 = 1; *(uint8_t*)0x2000000190ca = 0; *(uint16_t*)0x2000000190cb = 0x200; *(uint8_t*)0x2000000190cd = 0x18; *(uint8_t*)0x2000000190ce = 5; *(uint8_t*)0x2000000190cf = 3; *(uint8_t*)0x2000000190d0 = 0xe; *(uint8_t*)0x2000000190d1 = 0x25; *(uint8_t*)0x2000000190d2 = 1; *(uint8_t*)0x2000000190d3 = 0xa; memcpy((void*)0x2000000190d4, "\xe3\xc1\x06\xc5\x4a\x63\x63\x8a\x2e\x82", 10); *(uint32_t*)0x200000019280 = 0xa; *(uint64_t*)0x200000019284 = 0x200000019100; *(uint8_t*)0x200000019100 = 0xa; *(uint8_t*)0x200000019101 = 6; *(uint16_t*)0x200000019102 = 0x110; *(uint8_t*)0x200000019104 = 2; *(uint8_t*)0x200000019105 = 2; *(uint8_t*)0x200000019106 = 8; *(uint8_t*)0x200000019107 = -1; *(uint8_t*)0x200000019108 = 0; *(uint8_t*)0x200000019109 = 0; *(uint32_t*)0x20000001928c = 0x3d; *(uint64_t*)0x200000019290 = 0x200000019140; *(uint8_t*)0x200000019140 = 5; *(uint8_t*)0x200000019141 = 0xf; *(uint16_t*)0x200000019142 = 0x3d; *(uint8_t*)0x200000019144 = 5; *(uint8_t*)0x200000019145 = 0xb; *(uint8_t*)0x200000019146 = 0x10; *(uint8_t*)0x200000019147 = 1; *(uint8_t*)0x200000019148 = 0xc; *(uint16_t*)0x200000019149 = 0x40; *(uint8_t*)0x20000001914b = 0xab; *(uint8_t*)0x20000001914c = 3; *(uint16_t*)0x20000001914d = 0x100; *(uint8_t*)0x20000001914f = 0; *(uint8_t*)0x200000019150 = 0x14; *(uint8_t*)0x200000019151 = 0x10; *(uint8_t*)0x200000019152 = 4; *(uint8_t*)0x200000019153 = 0; memcpy((void*)0x200000019154, "\x56\x99\xf3\x92\x8d\x2d\x0a\x00\x63\x3f\x2b\x02\x58\x4c\x01\x6a", 16); *(uint8_t*)0x200000019164 = 0xb; *(uint8_t*)0x200000019165 = 0x10; *(uint8_t*)0x200000019166 = 1; *(uint8_t*)0x200000019167 = 0xc; *(uint16_t*)0x200000019168 = 0x80; *(uint8_t*)0x20000001916a = 0; *(uint8_t*)0x20000001916b = 8; *(uint16_t*)0x20000001916c = 0x6baa; *(uint8_t*)0x20000001916e = 2; *(uint8_t*)0x20000001916f = 7; *(uint8_t*)0x200000019170 = 0x10; *(uint8_t*)0x200000019171 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019172, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019173, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000019174, 0x98, 0, 16); *(uint8_t*)0x200000019176 = 7; *(uint8_t*)0x200000019177 = 0x10; *(uint8_t*)0x200000019178 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000019179, 0x12, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917a, 3, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001917b, 4, 0, 16); *(uint32_t*)0x200000019298 = 1; *(uint32_t*)0x20000001929c = 0xc1; *(uint64_t*)0x2000000192a0 = 0x200000019180; *(uint8_t*)0x200000019180 = 0xc1; *(uint8_t*)0x200000019181 = 3; memcpy((void*)0x200000019182, "\xb6\x43\x49\xde\x30\xb2\x3e\x68\x3c\x87\xb0\xfe\x59\x34\x1d\x26\xe0\xe3\x91\xac\xdf\x6a\xd0\x57\x1a\xcc\x05\xf8\xe5\xfc\xfd\xc3\x93\x6c\x96\xd9\x99\x06\xc4\xc1\xe5\xd9\xce\x59\x60\x9e\x60\xfc\x39\x40\x29\xa1\x9f\xec\x98\x1c\xfd\xe7\xe9\xd3\x8c\x14\x65\xf6\xa0\x4b\x5b\x0e\xe2\x98\xf5\xf2\x1e\x58\xf7\x1b\x8f\x71\x00\xd1\xbc\x55\xca\x97\xb1\xb3\xab\x63\x48\x5b\x92\xe1\x66\x30\xae\x0c\x53\x93\x15\xc2\x5c\xef\xc3\x47\xd6\x6d\x80\xc2\x53\x1e\x81\xaf\x67\xe1\x79\xc1\x69\x66\xbc\xb8\xe9\x98\xe0\xcd\x1b\x3c\x2b\xdc\x6c\x04\x99\x46\xed\xb3\xea\xaf\xbb\xd9\xb5\xf0\xfe\x7c\x59\x25\xb6\x19\xe8\xe7\xcf\xce\x1a\x62\xc4\xd2\xac\x45\x97\x40\x06\x5e\x9f\x9e\xb7\x22\x02\xc0\xed\xae\x4b\xfc\xf5\xd1\x1b\x93\x14\x58\x1d\x63\xe6\x88\xec\x40\xc0\x37\xa3\xc4\x1c\x02\x20\xbb\x1a", 191); res = -1; res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0xde, /*dev=*/0x200000019000, /*conn_descs=*/0x200000019280); if (res != -1) r[46] = res; break; case 72: memcpy((void*)0x2000000192c0, "\xb7\x25\x34\xd8\x42\x09\xa7\xa8\x62", 9); syz_usb_ep_write(/*fd=*/r[46], /*ep=*/3, /*len=*/9, /*data=*/0x2000000192c0); break; case 73: syz_usbip_server_init(/*speed=USB_SPEED_LOW*/1); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :7298:17: error: '__NR_socketcall' undeclared (first use in this function) :7298:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor272557555 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/20 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/15 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/12 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/26 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/5 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/13 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/3 (0.42s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/23 (0.43s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/28 (0.43s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/16 (0.43s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/25 (0.44s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/24 (0.44s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/9 (0.45s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/10 (0.45s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/6 (0.34s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/2 (0.36s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/8 (0.39s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/1 (0.34s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/32 (0.56s) csource_test.go:159: --- FAIL: TestGenerate/linux/amd64/4 (0.29s) csource_test.go:159: FAIL FAIL github.com/google/syzkaller/pkg/csource 35.898s ok github.com/google/syzkaller/pkg/db 8.195s ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/declextract [no test files] ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore 1.118s ok github.com/google/syzkaller/pkg/flatrpc 2.061s ok github.com/google/syzkaller/pkg/fuzzer 17.773s ok github.com/google/syzkaller/pkg/fuzzer/queue 3.212s ok github.com/google/syzkaller/pkg/gce 3.297s ? github.com/google/syzkaller/pkg/gcpsecret [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/gcs/mocks [no test files] ok github.com/google/syzkaller/pkg/gerrit (cached) ok github.com/google/syzkaller/pkg/hash (cached) ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/html/pages 3.054s ok github.com/google/syzkaller/pkg/html/urlutil (cached) ? github.com/google/syzkaller/pkg/ifaceprobe [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/ifuzz/arm64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/arm64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/arm64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ok github.com/google/syzkaller/pkg/ifuzz/riscv64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/riscv64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/riscv64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/image 4.887s ok github.com/google/syzkaller/pkg/instance 5.857s ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig 4.878s ? github.com/google/syzkaller/pkg/kcov [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/kfuzztest 8.149s ? github.com/google/syzkaller/pkg/kfuzztest-executor [no test files] ? github.com/google/syzkaller/pkg/kfuzztest-manager [no test files] ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/manager 8.145s ok github.com/google/syzkaller/pkg/manager/diff 8.168s ok github.com/google/syzkaller/pkg/mgrconfig 6.066s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 11.016s ok github.com/google/syzkaller/pkg/report/crash (cached) ok github.com/google/syzkaller/pkg/repro 6.350s ok github.com/google/syzkaller/pkg/rpcserver 14.822s ? github.com/google/syzkaller/pkg/rpcserver/mocks [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 29.413s ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/signal (cached) ok github.com/google/syzkaller/pkg/stat (cached) ok github.com/google/syzkaller/pkg/stat/sample (cached) ? github.com/google/syzkaller/pkg/stat/syzbotstats [no test files] ok github.com/google/syzkaller/pkg/subsystem 2.364s ok github.com/google/syzkaller/pkg/subsystem/linux 2.549s ok github.com/google/syzkaller/pkg/subsystem/lists 3.364s ok github.com/google/syzkaller/pkg/symbolizer 4.242s ? github.com/google/syzkaller/pkg/testutil [no test files] ok github.com/google/syzkaller/pkg/tool 2.511s ? github.com/google/syzkaller/pkg/updater [no test files] ok github.com/google/syzkaller/pkg/validator 3.316s ok github.com/google/syzkaller/pkg/vcs 11.912s ok github.com/google/syzkaller/pkg/vminfo 8.672s ok github.com/google/syzkaller/prog 25.063s ok github.com/google/syzkaller/prog/test 3.882s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/generated [no test files] ok github.com/google/syzkaller/sys/linux 2.428s ok github.com/google/syzkaller/sys/netbsd 2.357s ok github.com/google/syzkaller/sys/openbsd 1.395s ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ok github.com/google/syzkaller/syz-agent 6.543s ok github.com/google/syzkaller/syz-ci 6.717s ok github.com/google/syzkaller/syz-cluster/controller 2.991s ok github.com/google/syzkaller/syz-cluster/dashboard 2.438s ok github.com/google/syzkaller/syz-cluster/email-reporter 2.071s ? github.com/google/syzkaller/syz-cluster/pkg/api [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/app (cached) ok github.com/google/syzkaller/syz-cluster/pkg/blob (cached) ok github.com/google/syzkaller/syz-cluster/pkg/controller 2.495s ok github.com/google/syzkaller/syz-cluster/pkg/db (cached) ok github.com/google/syzkaller/syz-cluster/pkg/emailclient (cached) ok github.com/google/syzkaller/syz-cluster/pkg/fuzzconfig 5.425s ok github.com/google/syzkaller/syz-cluster/pkg/report (cached) ok github.com/google/syzkaller/syz-cluster/pkg/reporter 2.153s ok github.com/google/syzkaller/syz-cluster/pkg/retest 4.631s ? github.com/google/syzkaller/syz-cluster/pkg/service [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/stats 1.737s ok github.com/google/syzkaller/syz-cluster/pkg/triage 4.861s ? github.com/google/syzkaller/syz-cluster/pkg/workflow [no test files] ? github.com/google/syzkaller/syz-cluster/reporter-server [no test files] ok github.com/google/syzkaller/syz-cluster/series-tracker 1.566s ? github.com/google/syzkaller/syz-cluster/tools/db-mgmt [no test files] ? github.com/google/syzkaller/syz-cluster/tools/send-test-email [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/boot [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/build [no test files] ok github.com/google/syzkaller/syz-cluster/workflow/fuzz 4.285s ? github.com/google/syzkaller/syz-cluster/workflow/retest [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/triage [no test files] ok github.com/google/syzkaller/syz-hub 0.501s ok github.com/google/syzkaller/syz-hub/state 1.654s ? github.com/google/syzkaller/syz-kfuzztest [no test files] ok github.com/google/syzkaller/syz-manager 4.888s ? github.com/google/syzkaller/tools/arm64 [no test files] ? github.com/google/syzkaller/tools/clang [no test files] ? github.com/google/syzkaller/tools/clang/codesearch [no test files] ? github.com/google/syzkaller/tools/clang/declextract [no test files] ? github.com/google/syzkaller/tools/kfuzztest-gen [no test files] ? github.com/google/syzkaller/tools/syz-aflow [no test files] ? github.com/google/syzkaller/tools/syz-base-commit [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-codesearch [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-covermerger [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ok github.com/google/syzkaller/tools/syz-db 1.702s ? github.com/google/syzkaller/tools/syz-db-export [no test files] ok github.com/google/syzkaller/tools/syz-declextract 5.347s ? github.com/google/syzkaller/tools/syz-diff [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fix-analyzer [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ok github.com/google/syzkaller/tools/syz-imagegen 0.618s ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf 3.622s ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ok github.com/google/syzkaller/tools/syz-testbed 3.724s ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.465s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 1.227s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 24.042s ok github.com/google/syzkaller/vm/adb 3.214s ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ok github.com/google/syzkaller/vm/dispatcher (cached) ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated 3.278s ok github.com/google/syzkaller/vm/proxyapp 5.130s ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/virtualbox [no test files] ok github.com/google/syzkaller/vm/vmimpl 2.987s ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL