xref: /freebsd/tools/test/stress2/misc/syzkaller95.sh (revision 4f8a1b4dffa8a6fa5fbe7fce05278792afd83a82) 
1#!/bin/sh
2
3# Kernel page fault with the following non-sleepable locks held:
4# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff80006bd2cd0) locked @ cam/scsi/scsi_pass.c:1766
5# stack backtrace:
6# #0 0xffffffff80c4787c at witness_debugger+0x6c
7# #1 0xffffffff80c49189 at witness_warn+0x4c9
8# #2 0xffffffff81131d8c at trap_pfault+0x8c
9# #3 0xffffffff811015a8 at calltrap+0x8
10# #4 0xffffffff803d9061 at passsendccb+0x61
11# #5 0xffffffff803d8821 at passdoioctl+0x3a1
12# #6 0xffffffff803d8102 at passioctl+0x22
13# #7 0xffffffff80a413b1 at devfs_ioctl+0xd1
14# #8 0xffffffff81204821 at VOP_IOCTL_APV+0x51
15# #9 0xffffffff80cf0890 at vn_ioctl+0x160
16# #10 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
17# #11 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
18# #12 0xffffffff80c4e0bf at sys_ioctl+0x12f
19# #13 0xffffffff811327d9 at amd64_syscall+0x169
20# #14 0xffffffff81101e9b at fast_syscall_common+0xf8
21#
22#
23# Fatal trap 12: page fault while in kernel mode
24# cpuid = 4; apic id = 04
25# fault virtual address   = 0x800000006
26# fault code              = supervisor read data, page not present
27# instruction pointer     = 0x20:0xffffffff8112edf5
28# frame pointer           = 0x28:0xfffffe010003fab0
29# code segment            = base 0x0, limit 0xfffff, type 0x1b
30#                         = DPL 0, pres 1, long 1, def32 0, gran 1
31# processor eflags        = interrupt enabled, resume, IOPL = 0
32# current process         = 5440 (syzkaller95)
33# rdi: fffffe010003fac0 rsi: 0000000800000006 rdx: 0000000000000002
34# rcx: 0000000000000002  r8: 0000000800000006  r9: 06eb28196e3b02c0
35# rax: 0000000000000000 rbx: fffff80003e97800 rbp: fffffe010003fab0
36# r10: fffff80003e978c8 r11: fffff800048e5550 r12: fffffe010003fac0
37# r13: fffff80006350d80 r14: fffff80306280800 r15: fffff80006bd6100
38# trap number             = 12
39# panic: page fault
40# cpuid = 4
41# time = 1773848380
42# KDB: stack backtrace:
43# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe010003f7e0
44# vpanic() at vpanic+0x136/frame 0xfffffe010003f910
45# panic() at panic+0x43/frame 0xfffffe010003f970
46# trap_pfault() at trap_pfault+0x422/frame 0xfffffe010003f9e0
47# calltrap() at calltrap+0x8/frame 0xfffffe010003f9e0
48# --- trap 0xc, rip = 0xffffffff8112edf5, rsp = 0xfffffe010003fab0, rbp = 0xfffffe010003fab0 ---
49# copyin_nosmap_erms() at copyin_nosmap_erms+0x115/frame 0xfffffe010003fab0
50# passsendccb() at passsendccb+0x61/frame 0xfffffe010003fb30
51# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe010003fb80
52# passioctl() at passioctl+0x22/frame 0xfffffe010003fbc0
53# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe010003fc10
54# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe010003fc40
55# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe010003fcb0
56# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe010003fcd0
57# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe010003fd40
58# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe010003fe00
59# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe010003ff30
60# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe010003ff30
61# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823c07eca, rsp = 0x8209c6ce8, rbp = 0x8209c6d10 ---
62# KDB: enter: panic
63# [ thread pid 5440 tid 100235 ]
64# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
65# db> x/s version
66# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
67# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
68# db>
69
70# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
71# Bug 293892 - Fatal trap NUM: page fault while in kernel mode in passsendccb
72
73[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
74
75. ../default.cfg
76set -u
77prog=$(basename "$0" .sh)
78cat > /tmp/$prog.c <<EOF
79// autogenerated by syzkaller (https://github.com/google/syzkaller)
80
81#define _GNU_SOURCE
82
83#include <pwd.h>
84#include <stdarg.h>
85#include <stdbool.h>
86#include <stdint.h>
87#include <stdio.h>
88#include <stdlib.h>
89#include <string.h>
90#include <sys/endian.h>
91#include <sys/syscall.h>
92#include <unistd.h>
93
94uint64_t r[1] = {0xffffffffffffffff};
95
96int main(void)
97{
98  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
99          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
100          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
101          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
102  const char* reason;
103  (void)reason;
104  intptr_t res = 0;
105  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
106  }
107  //  ioctl\$MDIOCDETACH arguments: [
108  //    fd: fd_md (resource)
109  //    cmd: const = 0xc1c06d01 (8 bytes)
110  //    arg: ptr[inout, md_ioctl] {
111  //      md_ioctl {
112  //        md_version: int32 = 0xe (4 bytes)
113  //        md_unit: int32 = 0x3 (4 bytes)
114  //        md_type: md_types_flags = 0x0 (4 bytes)
115  //        pad = 0x0 (4 bytes)
116  //        md_file: nil
117  //        md_mediasize: int64 = 0x81 (8 bytes)
118  //        md_sectorsize: int32 = 0x4 (4 bytes)
119  //        md_options: int32 = 0x5 (4 bytes)
120  //        md_base: int64 = 0x6 (8 bytes)
121  //        md_fwheads: int32 = 0x4 (4 bytes)
122  //        md_fwsectors: int32 = 0x1 (4 bytes)
123  //        md_label: nil
124  //        md_pad: array[int32] {
125  //          int32 = 0x8 (4 bytes)
126  //          int32 = 0x5 (4 bytes)
127  //          int32 = 0x6 (4 bytes)
128  //          int32 = 0xc3b (4 bytes)
129  //          int32 = 0x2 (4 bytes)
130  //          int32 = 0x4 (4 bytes)
131  //          int32 = 0xa (4 bytes)
132  //          int32 = 0xfffffffe (4 bytes)
133  //          int32 = 0x2 (4 bytes)
134  //          int32 = 0x80 (4 bytes)
135  //          int32 = 0xd22 (4 bytes)
136  //          int32 = 0xa1a5 (4 bytes)
137  //          int32 = 0x0 (4 bytes)
138  //          int32 = 0xfffffff8 (4 bytes)
139  //          int32 = 0x4 (4 bytes)
140  //          int32 = 0xffffffff (4 bytes)
141  //          int32 = 0x100 (4 bytes)
142  //          int32 = 0x4 (4 bytes)
143  //          int32 = 0x8 (4 bytes)
144  //          int32 = 0x5b8f6f5f (4 bytes)
145  //          int32 = 0x9 (4 bytes)
146  //          int32 = 0xfffffffb (4 bytes)
147  //          int32 = 0x2 (4 bytes)
148  //          int32 = 0x3 (4 bytes)
149  //          int32 = 0x6 (4 bytes)
150  //          int32 = 0x1 (4 bytes)
151  //          int32 = 0x800 (4 bytes)
152  //          int32 = 0x6b0000 (4 bytes)
153  //          int32 = 0x4 (4 bytes)
154  //          int32 = 0x4 (4 bytes)
155  //          int32 = 0x7ff (4 bytes)
156  //          int32 = 0x2 (4 bytes)
157  //          int32 = 0x7 (4 bytes)
158  //          int32 = 0x9 (4 bytes)
159  //          int32 = 0x9 (4 bytes)
160  //          int32 = 0x8000 (4 bytes)
161  //          int32 = 0x2 (4 bytes)
162  //          int32 = 0x5be (4 bytes)
163  //          int32 = 0xf0000000 (4 bytes)
164  //          int32 = 0x1db (4 bytes)
165  //          int32 = 0x3 (4 bytes)
166  //          int32 = 0x0 (4 bytes)
167  //          int32 = 0x8 (4 bytes)
168  //          int32 = 0x18000000 (4 bytes)
169  //          int32 = 0xfd6 (4 bytes)
170  //          int32 = 0x1 (4 bytes)
171  //          int32 = 0x8 (4 bytes)
172  //          int32 = 0x4 (4 bytes)
173  //          int32 = 0x0 (4 bytes)
174  //          int32 = 0x2 (4 bytes)
175  //          int32 = 0xe2 (4 bytes)
176  //          int32 = 0x0 (4 bytes)
177  //          int32 = 0x5 (4 bytes)
178  //          int32 = 0x1cd (4 bytes)
179  //          int32 = 0xcf58 (4 bytes)
180  //          int32 = 0x6 (4 bytes)
181  //          int32 = 0x2e7 (4 bytes)
182  //          int32 = 0x64d (4 bytes)
183  //          int32 = 0x2a4 (4 bytes)
184  //          int32 = 0x7 (4 bytes)
185  //          int32 = 0x6 (4 bytes)
186  //          int32 = 0x8 (4 bytes)
187  //          int32 = 0x9 (4 bytes)
188  //          int32 = 0x7 (4 bytes)
189  //          int32 = 0x6 (4 bytes)
190  //          int32 = 0x9 (4 bytes)
191  //          int32 = 0x2 (4 bytes)
192  //          int32 = 0xfffffff8 (4 bytes)
193  //          int32 = 0x5 (4 bytes)
194  //          int32 = 0xe53 (4 bytes)
195  //          int32 = 0x81 (4 bytes)
196  //          int32 = 0x3 (4 bytes)
197  //          int32 = 0x0 (4 bytes)
198  //          int32 = 0x80000001 (4 bytes)
199  //          int32 = 0x5 (4 bytes)
200  //          int32 = 0x54 (4 bytes)
201  //          int32 = 0x401 (4 bytes)
202  //          int32 = 0x9 (4 bytes)
203  //          int32 = 0x3 (4 bytes)
204  //          int32 = 0x4 (4 bytes)
205  //          int32 = 0x2 (4 bytes)
206  //          int32 = 0x1 (4 bytes)
207  //          int32 = 0x9 (4 bytes)
208  //          int32 = 0xed (4 bytes)
209  //          int32 = 0x1f (4 bytes)
210  //          int32 = 0x5 (4 bytes)
211  //          int32 = 0xd (4 bytes)
212  //          int32 = 0x8001 (4 bytes)
213  //          int32 = 0xfff (4 bytes)
214  //          int32 = 0x2 (4 bytes)
215  //          int32 = 0x7fffffff (4 bytes)
216  //          int32 = 0xd (4 bytes)
217  //          int32 = 0x1 (4 bytes)
218  //          int32 = 0x401 (4 bytes)
219  //          int32 = 0x4 (4 bytes)
220  //          int32 = 0xa043 (4 bytes)
221  //        }
222  //      }
223  //    }
224  //  ]
225  *(uint32_t*)0x200000000300 = 0xe;
226  *(uint32_t*)0x200000000304 = 3;
227  *(uint32_t*)0x200000000308 = 0;
228  *(uint64_t*)0x200000000310 = 0;
229  *(uint64_t*)0x200000000318 = 0x81;
230  *(uint32_t*)0x200000000320 = 4;
231  *(uint32_t*)0x200000000324 = 5;
232  *(uint64_t*)0x200000000328 = 6;
233  *(uint32_t*)0x200000000330 = 4;
234  *(uint32_t*)0x200000000334 = 1;
235  *(uint64_t*)0x200000000338 = 0;
236  *(uint32_t*)0x200000000340 = 8;
237  *(uint32_t*)0x200000000344 = 5;
238  *(uint32_t*)0x200000000348 = 6;
239  *(uint32_t*)0x20000000034c = 0xc3b;
240  *(uint32_t*)0x200000000350 = 2;
241  *(uint32_t*)0x200000000354 = 4;
242  *(uint32_t*)0x200000000358 = 0xa;
243  *(uint32_t*)0x20000000035c = 0xfffffffe;
244  *(uint32_t*)0x200000000360 = 2;
245  *(uint32_t*)0x200000000364 = 0x80;
246  *(uint32_t*)0x200000000368 = 0xd22;
247  *(uint32_t*)0x20000000036c = 0xa1a5;
248  *(uint32_t*)0x200000000370 = 0;
249  *(uint32_t*)0x200000000374 = 0xfffffff8;
250  *(uint32_t*)0x200000000378 = 4;
251  *(uint32_t*)0x20000000037c = -1;
252  *(uint32_t*)0x200000000380 = 0x100;
253  *(uint32_t*)0x200000000384 = 4;
254  *(uint32_t*)0x200000000388 = 8;
255  *(uint32_t*)0x20000000038c = 0x5b8f6f5f;
256  *(uint32_t*)0x200000000390 = 9;
257  *(uint32_t*)0x200000000394 = 0xfffffffb;
258  *(uint32_t*)0x200000000398 = 2;
259  *(uint32_t*)0x20000000039c = 3;
260  *(uint32_t*)0x2000000003a0 = 6;
261  *(uint32_t*)0x2000000003a4 = 1;
262  *(uint32_t*)0x2000000003a8 = 0x800;
263  *(uint32_t*)0x2000000003ac = 0x6b0000;
264  *(uint32_t*)0x2000000003b0 = 4;
265  *(uint32_t*)0x2000000003b4 = 4;
266  *(uint32_t*)0x2000000003b8 = 0x7ff;
267  *(uint32_t*)0x2000000003bc = 2;
268  *(uint32_t*)0x2000000003c0 = 7;
269  *(uint32_t*)0x2000000003c4 = 9;
270  *(uint32_t*)0x2000000003c8 = 9;
271  *(uint32_t*)0x2000000003cc = 0x8000;
272  *(uint32_t*)0x2000000003d0 = 2;
273  *(uint32_t*)0x2000000003d4 = 0x5be;
274  *(uint32_t*)0x2000000003d8 = 0xf0000000;
275  *(uint32_t*)0x2000000003dc = 0x1db;
276  *(uint32_t*)0x2000000003e0 = 3;
277  *(uint32_t*)0x2000000003e4 = 0;
278  *(uint32_t*)0x2000000003e8 = 8;
279  *(uint32_t*)0x2000000003ec = 0x18000000;
280  *(uint32_t*)0x2000000003f0 = 0xfd6;
281  *(uint32_t*)0x2000000003f4 = 1;
282  *(uint32_t*)0x2000000003f8 = 8;
283  *(uint32_t*)0x2000000003fc = 4;
284  *(uint32_t*)0x200000000400 = 0;
285  *(uint32_t*)0x200000000404 = 2;
286  *(uint32_t*)0x200000000408 = 0xe2;
287  *(uint32_t*)0x20000000040c = 0;
288  *(uint32_t*)0x200000000410 = 5;
289  *(uint32_t*)0x200000000414 = 0x1cd;
290  *(uint32_t*)0x200000000418 = 0xcf58;
291  *(uint32_t*)0x20000000041c = 6;
292  *(uint32_t*)0x200000000420 = 0x2e7;
293  *(uint32_t*)0x200000000424 = 0x64d;
294  *(uint32_t*)0x200000000428 = 0x2a4;
295  *(uint32_t*)0x20000000042c = 7;
296  *(uint32_t*)0x200000000430 = 6;
297  *(uint32_t*)0x200000000434 = 8;
298  *(uint32_t*)0x200000000438 = 9;
299  *(uint32_t*)0x20000000043c = 7;
300  *(uint32_t*)0x200000000440 = 6;
301  *(uint32_t*)0x200000000444 = 9;
302  *(uint32_t*)0x200000000448 = 2;
303  *(uint32_t*)0x20000000044c = 0xfffffff8;
304  *(uint32_t*)0x200000000450 = 5;
305  *(uint32_t*)0x200000000454 = 0xe53;
306  *(uint32_t*)0x200000000458 = 0x81;
307  *(uint32_t*)0x20000000045c = 3;
308  *(uint32_t*)0x200000000460 = 0;
309  *(uint32_t*)0x200000000464 = 0x80000001;
310  *(uint32_t*)0x200000000468 = 5;
311  *(uint32_t*)0x20000000046c = 0x54;
312  *(uint32_t*)0x200000000470 = 0x401;
313  *(uint32_t*)0x200000000474 = 9;
314  *(uint32_t*)0x200000000478 = 3;
315  *(uint32_t*)0x20000000047c = 4;
316  *(uint32_t*)0x200000000480 = 2;
317  *(uint32_t*)0x200000000484 = 1;
318  *(uint32_t*)0x200000000488 = 9;
319  *(uint32_t*)0x20000000048c = 0xed;
320  *(uint32_t*)0x200000000490 = 0x1f;
321  *(uint32_t*)0x200000000494 = 5;
322  *(uint32_t*)0x200000000498 = 0xd;
323  *(uint32_t*)0x20000000049c = 0x8001;
324  *(uint32_t*)0x2000000004a0 = 0xfff;
325  *(uint32_t*)0x2000000004a4 = 2;
326  *(uint32_t*)0x2000000004a8 = 0x7fffffff;
327  *(uint32_t*)0x2000000004ac = 0xd;
328  *(uint32_t*)0x2000000004b0 = 1;
329  *(uint32_t*)0x2000000004b4 = 0x401;
330  *(uint32_t*)0x2000000004b8 = 4;
331  *(uint32_t*)0x2000000004bc = 0xa043;
332  syscall(SYS_ioctl, /*fd=*/0xffffff9c, /*cmd=*/0xc1c06d01ul,
333          /*arg=*/0x200000000300ul);
334  //  openat\$pass_pass_cdevsw arguments: [
335  //    fd: const = 0xffffffffffffff9c (8 bytes)
336  //    file: ptr[in, buffer] {
337  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
338  //    }
339  //    flags: open_flags = 0x2 (4 bytes)
340  //    mode: const = 0x0 (4 bytes)
341  //  ]
342  //  returns fd_pass_pass_cdevsw
343  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
344  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
345                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
346  if (res != -1)
347    r[0] = res;
348  //  ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
349  //    fd: fd_pass_pass_cdevsw (resource)
350  //    cmd: const = 0xc4e01a02 (8 bytes)
351  //    arg: ptr[inout, ccb\$pass_cdevsw] {
352  //      union ccb\$pass_cdevsw {
353  //        cqa: ccb_que_ais\$pass_cdevsw {
354  //          ccb_h: ccb_hdr\$pass_cdevsw {
355  //            pinfo: cam_pinfo\$pass_cdevsw {
356  //              priority: int32 = 0x2 (4 bytes)
357  //              generation: int32 = 0x1 (4 bytes)
358  //              index: int32 = 0x2000000 (4 bytes)
359  //            }
360  //            pad = 0x0 (4 bytes)
361  //            xpt_links: camq_entry\$pass_cdevsw {
362  //              links_next: intptr = 0xfec (8 bytes)
363  //              priority: int32 = 0xfffffffc (4 bytes)
364  //              pad = 0x0 (4 bytes)
365  //            }
366  //            sim_links: camq_entry\$pass_cdevsw {
367  //              links_next: intptr = 0x5 (8 bytes)
368  //              priority: int32 = 0x7 (4 bytes)
369  //              pad = 0x0 (4 bytes)
370  //            }
371  //            periph_links: camq_entry\$pass_cdevsw {
372  //              links_next: intptr = 0x80 (8 bytes)
373  //              priority: int32 = 0x2 (4 bytes)
374  //              pad = 0x0 (4 bytes)
375  //            }
376  //            retry_count: int16 = 0x1 (2 bytes)
377  //            alloc_flags: int16 = 0x6b4 (2 bytes)
378  //            pad = 0x0 (4 bytes)
379  //            cbfcnp: intptr = 0x0 (8 bytes)
380  //            func_code: int32 = 0x8 (4 bytes)
381  //            status: int32 = 0x4 (4 bytes)
382  //            path: intptr = 0xfffffffffffffffc (8 bytes)
383  //            path_id: int32 = 0x9 (4 bytes)
384  //            target_id: int32 = 0x8 (4 bytes)
385  //            target_lun: int64 = 0x7d44 (8 bytes)
386  //            flags: int32 = 0x1 (4 bytes)
387  //            xflags: int32 = 0xfffffff8 (4 bytes)
388  //            periph_priv: buffer: {69 32 82 68 e7 3f ef 85 2d 76 56 88 e5 d9
389  //            10 17} (length 0x10) sim_priv: buffer: {19 45 5e bb 27 da 45 05
390  //            43 c5 32 70 9e cb 83 a1} (length 0x10) qos: buffer: {f6 7d 0f 00
391  //            10 00 00 00 00 32 e5 67 b7 bc 75 2d} (length 0x10) timeout:
392  //            int32 = 0x7 (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
393  //              sec: intptr = 0x5 (8 bytes)
394  //              usec: intptr = 0x4 (8 bytes)
395  //            }
396  //          }
397  //          payload: buffer: {f5 6a 42 5c 52 66 05 e3 50 a5 72 71 cd 88 ce 58
398  //          c0 02 3b 6e 19 28 eb 06 ee d4 11 85 f4 29 8a 46 09 8a 1d be bf 87
399  //          fb 73 a4 9e 3f 64 4f f0 18 b6 64 8f ab 32 a0 7b 8f 4a ba a5 02 ba
400  //          96 f8 1d fc} (length 0x40)
401  //        }
402  //      }
403  //    }
404  //  ]
405  *(uint32_t*)0x200000000240 = 2;
406  *(uint32_t*)0x200000000244 = 1;
407  *(uint32_t*)0x200000000248 = 0x2000000;
408  *(uint64_t*)0x200000000250 = 0xfec;
409  *(uint32_t*)0x200000000258 = 0xfffffffc;
410  *(uint64_t*)0x200000000260 = 5;
411  *(uint32_t*)0x200000000268 = 7;
412  *(uint64_t*)0x200000000270 = 0x80;
413  *(uint32_t*)0x200000000278 = 2;
414  *(uint16_t*)0x200000000280 = 1;
415  *(uint16_t*)0x200000000282 = 0x6b4;
416  *(uint64_t*)0x200000000288 = 0;
417  *(uint32_t*)0x200000000290 = 8;
418  *(uint32_t*)0x200000000294 = 4;
419  *(uint64_t*)0x200000000298 = 0xfffffffffffffffc;
420  *(uint32_t*)0x2000000002a0 = 9;
421  *(uint32_t*)0x2000000002a4 = 8;
422  *(uint64_t*)0x2000000002a8 = 0x7d44;
423  *(uint32_t*)0x2000000002b0 = 1;
424  *(uint32_t*)0x2000000002b4 = 0xfffffff8;
425  memcpy((void*)0x2000000002b8,
426         "\x69\x32\x82\x68\xe7\x3f\xef\x85\x2d\x76\x56\x88\xe5\xd9\x10\x17",
427         16);
428  memcpy((void*)0x2000000002c8,
429         "\x19\x45\x5e\xbb\x27\xda\x45\x05\x43\xc5\x32\x70\x9e\xcb\x83\xa1",
430         16);
431  memcpy((void*)0x2000000002d8,
432         "\xf6\x7d\x0f\x00\x10\x00\x00\x00\x00\x32\xe5\x67\xb7\xbc\x75\x2d",
433         16);
434  *(uint32_t*)0x2000000002e8 = 7;
435  *(uint64_t*)0x2000000002f0 = 5;
436  *(uint64_t*)0x2000000002f8 = 4;
437  memcpy((void*)0x200000000300,
438         "\xf5\x6a\x42\x5c\x52\x66\x05\xe3\x50\xa5\x72\x71\xcd\x88\xce\x58\xc0"
439         "\x02\x3b\x6e\x19\x28\xeb\x06\xee\xd4\x11\x85\xf4\x29\x8a\x46\x09\x8a"
440         "\x1d\xbe\xbf\x87\xfb\x73\xa4\x9e\x3f\x64\x4f\xf0\x18\xb6\x64\x8f\xab"
441         "\x32\xa0\x7b\x8f\x4a\xba\xa5\x02\xba\x96\xf8\x1d\xfc",
442         64);
443  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
444          /*arg=*/0x200000000240ul);
445  return 0;
446}
447EOF
448mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
449
450timeout 3m /tmp/$prog > /dev/null 2>&1
451
452rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
453exit 0
454