Re: net/tcp: warning in tcp_try_coalesce/skb_try_coalesce
From: Andrey Konovalov
Date: Wed Apr 26 2017 - 08:09:08 EST
On Tue, Jan 31, 2017 at 2:17 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> Hi,
>
> I've got the following error report while running the syzkaller fuzzer.
>
> On commit 566cf877a1fcb6d6dc0126b076aad062054c2637 (4.10-rc6).
>
> The fuzzer hits this issue quite often, but I don't have a working reproducer.
I still see this on 5a7ad1146caa895ad718a534399e38bd2ba721b7 (4.11-rc8).
I also have a reproducer now, attached.
It takes around 10 seconds for the warning to trigger.
>
> WARNING: CPU: 3 PID: 7091 at net/core/skbuff.c:4331
> skb_try_coalesce+0x14b1/0x1f80 net/core/skbuff.c:4331
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 3 PID: 7091 Comm: syz-executor4 Not tainted 4.10.0-rc6+ #116
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:15 [inline]
> dump_stack+0x292/0x398 lib/dump_stack.c:51
> panic+0x1cb/0x3a9 kernel/panic.c:179
> __warn+0x1c4/0x1e0 kernel/panic.c:539
> warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
> skb_try_coalesce+0x14b1/0x1f80 net/core/skbuff.c:4331
> tcp_try_coalesce+0x178/0x560 net/ipv4/tcp_input.c:4337
> tcp_queue_rcv+0x13c/0x7a0 net/ipv4/tcp_input.c:4572
> tcp_data_queue+0x97e/0x46b0 net/ipv4/tcp_input.c:4681
> tcp_rcv_state_process+0xd92/0x42d0 net/ipv4/tcp_input.c:6130
> tcp_v4_do_rcv+0x571/0x940 net/ipv4/tcp_ipv4.c:1426
> sk_backlog_rcv include/net/sock.h:893 [inline]
> __release_sock+0x127/0x3a0 net/core/sock.c:2053
> release_sock+0xa5/0x2b0 net/core/sock.c:2540
> inet_shutdown+0x1a8/0x350 net/ipv4/af_inet.c:833
> SYSC_shutdown net/socket.c:1840 [inline]
> SyS_shutdown+0x253/0x2f0 net/socket.c:1831
> entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x4457d9
> RSP: 002b:00007f73b41a5b58 EFLAGS: 00000282 ORIG_RAX: 0000000000000030
> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004457d9
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000005
> RBP: 00000000006e2170 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000708000
> R13: 0000000000000005 R14: 0000000000000029 R15: 000000000000003f
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
Attachment:
.config
Description: Binary data
// autogenerated by syzkaller (http://github.com/google/syzkaller)
/*
 * Fallback syscall numbers for the calls issued by test().
 * These guards sit before every #include, so each #ifndef is true at this
 * point and the literal value is always the one defined here.
 * NOTE(review): the values match the Linux x86-64 syscall table; on another
 * architecture they would presumably clash with <sys/syscall.h> - confirm
 * before building elsewhere.
 */
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_connect
#define __NR_connect 42
#endif
#ifndef __NR_write
#define __NR_write 1
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#define _GNU_SOURCE
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>
#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Process exit statuses passed to doexit() by the error helpers below. */
/* Used by fail() for any errno other than ENOMEM/EAGAIN. */
const int kFailStatus = 67;
/* Not referenced anywhere else in this listing. */
const int kErrorStatus = 68;
/* Used by fail() for ENOMEM/EAGAIN and unconditionally by exitf(). */
const int kRetryStatus = 69;
/*
 * Terminate the whole process with `status` through a raw exit_group
 * syscall, i.e. without going through libc's exit().
 */
__attribute__((noreturn)) void doexit(int status)
{
    volatile unsigned spin = 0;

    syscall(__NR_exit_group, status);
    /*
     * exit_group is not expected to return. Spinning on a volatile counter
     * keeps the noreturn promise even if it somehow does.
     */
    while (1) {
        spin++;
    }
}
/*
 * Print a printf-style message plus the current errno to stderr and exit.
 * The exit status is kRetryStatus when errno is ENOMEM or EAGAIN, and
 * kFailStatus for anything else.
 */
__attribute__((noreturn)) void fail(const char* msg, ...)
{
    /* Capture errno before any stdio call has a chance to overwrite it. */
    const int saved_errno = errno;
    va_list ap;
    int exit_status;

    fflush(stdout);
    va_start(ap, msg);
    vfprintf(stderr, msg, ap);
    va_end(ap);
    fprintf(stderr, " (errno %d)\n", saved_errno);

    if (saved_errno == ENOMEM || saved_errno == EAGAIN)
        exit_status = kRetryStatus;
    else
        exit_status = kFailStatus;
    doexit(exit_status);
}
/*
 * Print a printf-style message plus the current errno to stderr and exit
 * with kRetryStatus, whatever the errno value is.
 */
__attribute__((noreturn)) void exitf(const char* msg, ...)
{
    /* Capture errno before any stdio call has a chance to overwrite it. */
    const int saved_errno = errno;
    va_list ap;

    fflush(stdout);
    va_start(ap, msg);
    vfprintf(stderr, msg, ap);
    va_end(ap);
    fprintf(stderr, " (errno %d)\n", saved_errno);

    doexit(kRetryStatus);
}
/* Debug-output switch. Nothing in this listing assigns it, so it stays 0. */
static int flag_debug;

/*
 * printf-style trace output on stdout, flushed immediately.
 * Does nothing unless flag_debug is non-zero.
 */
void debug(const char* msg, ...)
{
    if (flag_debug) {
        va_list ap;

        va_start(ap, msg);
        vfprintf(stdout, msg, ap);
        va_end(ap);
        fflush(stdout);
    }
}
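/* Per-thread nesting count of active NONFAILING() regions. */
__thread int skip_segv;
/* Per-thread jump target that NONFAILING() sets with _setjmp(). */
__thread jmp_buf segv_env;

/*
 * SIGSEGV/SIGBUS handler (registered by install_segv_handler()).
 *
 * If the faulting thread is inside a NONFAILING() region (skip_segv != 0)
 * and the fault address lies outside the [1 MiB, 100 MiB] window, the fault
 * is treated as expected and control jumps back to the _setjmp() point in
 * NONFAILING(). Any other fault ends the process with the signal number as
 * its exit status.
 *
 * NOTE(review): the window is named prog_start/prog_end, so it presumably
 * covers the program image - confirm against the link layout.
 * `uctx` is unused.
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
    uintptr_t addr = (uintptr_t)info->si_addr;
    const uintptr_t prog_start = 1 << 20;
    const uintptr_t prog_end = 100 << 20;
    if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
        (addr < prog_start || addr > prog_end)) {
        /* %p requires a void*; the original passed the uintptr_t itself. */
        debug("SIGSEGV on %p, skipping\n", (void*)addr);
        _longjmp(segv_env, 1);
    }
    debug("SIGSEGV on %p, exiting\n", (void*)addr);
    doexit(sig);
    /* Not reached: doexit() is declared noreturn. */
    for (;;) {
    }
}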
/*
 * Route SIGSEGV and SIGBUS to segv_handler().
 * The sigaction() return values are not checked.
 */
static void install_segv_handler()
{
    static const int fault_signals[] = {SIGSEGV, SIGBUS};
    struct sigaction action;
    size_t idx;

    memset(&action, 0, sizeof(action));
    /*
     * SA_SIGINFO: the handler reads info->si_addr.
     * SA_NODEFER: presumably needed because the handler leaves through
     * _longjmp() instead of returning, which would otherwise leave the
     * signal blocked - confirm.
     */
    action.sa_flags = SA_NODEFER | SA_SIGINFO;
    action.sa_sigaction = segv_handler;

    for (idx = 0; idx < sizeof(fault_signals) / sizeof(fault_signals[0]); idx++)
        sigaction(fault_signals[idx], &action, NULL);
}
/*
 * Run the given statement(s) so that a SIGSEGV/SIGBUS raised inside them is
 * survivable: skip_segv is incremented for the duration, and _setjmp() marks
 * the point segv_handler() jumps back to. After such a jump _setjmp() returns
 * non-zero, the body is skipped, and skip_segv is decremented as usual.
 * Expands to a bare { ... } block, not a do { } while (0) wrapper.
 */
#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}
/*
 * Bitfield helpers. None of them is used by the code in this listing.
 * BITMASK_LEN: a `type` value with the low bf_len bits set.
 * BITMASK_LEN_OFF: the same mask shifted left by bf_off bits.
 */
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
/*
 * Store `val` at `addr`, viewed as `type`. With bf_off == 0 and bf_len == 0
 * the whole object is overwritten; otherwise only the bf_len bits starting at
 * bit bf_off are replaced (read-modify-write).
 * Expands to a bare if/else, so it is not safe as the body of an unbraced
 * if/else at the call site.
 */
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
if ((bf_off) == 0 && (bf_len) == 0) { \
*(type*)(addr) = (type)(val); \
} else { \
type new_val = *(type*)(addr); \
new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
*(type*)(addr) = new_val; \
}
/*
 * Issue raw syscall `nr` with arguments a0..a5 and return syscall()'s result
 * converted to uintptr_t (so a -1 failure becomes the all-ones value).
 * a6..a8 are accepted so every call site has the same shape, but they are
 * never forwarded.
 */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
    (void)a6;
    (void)a7;
    (void)a8;

    /* No syscall number gets special handling; all go straight through. */
    const long result = syscall(nr, a0, a1, a2, a3, a4, a5);
    return (uintptr_t)result;
}
/*
 * One-time setup for the top-level process: ignore signals 0x20 and 0x21,
 * install the fault handler, then create a fresh "./syzkaller.XXXXXX"
 * scratch directory and chdir into it. Any failure in the directory steps
 * ends the process through fail().
 */
static void setup_main_process()
{
    struct sigaction ignore;
    char workdir_template[] = "./syzkaller.XXXXXX";
    char* workdir;

    memset(&ignore, 0, sizeof(ignore));
    ignore.sa_handler = SIG_IGN;
    /*
     * Raw rt_sigaction (sigset size 8) rather than sigaction().
     * NOTE(review): 0x20/0x21 are presumably the signal numbers libc
     * reserves for its threading internals, which sigaction() would
     * refuse - confirm.
     */
    syscall(SYS_rt_sigaction, 0x20, &ignore, NULL, 8);
    syscall(SYS_rt_sigaction, 0x21, &ignore, NULL, 8);
    install_segv_handler();

    workdir = mkdtemp(workdir_template);
    if (workdir == NULL)
        fail("failed to mkdtemp");
    /*
     * NOTE(review): 0777 makes the scratch directory world-writable.
     * Build and run this only on a disposable test machine.
     */
    if (chmod(workdir, 0777) != 0)
        fail("failed to chmod");
    if (chdir(workdir) != 0)
        fail("failed to chdir");
}
static void loop();
/*
 * Confinement applied to the forked worker before it starts looping:
 * die with the parent, own process group and session, resource caps, and
 * unshare() calls for the mount and IPC namespaces and for CLONE_IO.
 * Every call is best-effort; no return value is checked.
 */
static void sandbox_common()
{
    /* Soft and hard limits are set to the same value, in this order. */
    static const struct {
        int resource;
        rlim_t limit;
    } caps[] = {
        {RLIMIT_AS, 128 << 20},
        {RLIMIT_FSIZE, 1 << 20},
        {RLIMIT_STACK, 1 << 20},
        {RLIMIT_CORE, 0},
    };
    size_t idx;

    /* Receive SIGKILL if the parent process dies. */
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setsid();

    for (idx = 0; idx < sizeof(caps) / sizeof(caps[0]); idx++) {
        struct rlimit rl;

        rl.rlim_cur = rl.rlim_max = caps[idx].limit;
        setrlimit(caps[idx].resource, &rl);
    }

    unshare(CLONE_NEWNS);
    unshare(CLONE_NEWIPC);
    unshare(CLONE_IO);
}
/*
 * Fork the worker process. The caller gets fork()'s return value back
 * (the child's pid, or -1 if fork failed). The child applies
 * sandbox_common(), runs loop() and never returns.
 * Both parameters are unused here.
 */
static int do_sandbox_none(int executor_pid, bool enable_tun)
{
    const int child = fork();

    /* Parent (child > 0) and fork failure (child < 0) both return here. */
    if (child != 0)
        return child;

    sandbox_common();
    loop();
    doexit(1);
}
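/*
 * Recursively delete everything below `dir`, then `dir` itself.
 *
 * Entries that cannot be unlinked because they are busy are lazily
 * unmounted (umount2 with MNT_DETACH) and retried, up to about 100 times.
 * EROFS is tolerated and skipped. If rmdir() reports ENOTEMPTY the whole
 * directory scan is repeated, up to 100 times. Every other failure ends
 * the process through exitf().
 *
 * NOTE(review): the snprintf() result is not checked, so an over-long path
 * is silently truncated before lstat().
 */
static void remove_dir(const char* dir)
{
    DIR* dp;
    struct dirent* ep;
    int iter = 0;
retry:
    dp = opendir(dir);
    if (dp == NULL) {
        if (errno == EMFILE) {
            /*
             * Fix: the format string has a %s, but the original call
             * passed no argument for it (undefined behaviour).
             */
            exitf("opendir(%s) failed due to NOFILE, exiting", dir);
        }
        exitf("opendir(%s) failed", dir);
    }
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        struct stat st;
        /* lstat, not stat: a symlink is removed itself, never followed. */
        if (lstat(filename, &st))
            exitf("lstat(%s) failed", filename);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            debug("unlink(%s)\n", filename);
            if (unlink(filename) == 0)
                break;
            if (errno == EROFS) {
                debug("ignoring EROFS\n");
                break;
            }
            /* Only EBUSY is retried, and only a bounded number of times. */
            if (errno != EBUSY || i > 100)
                exitf("unlink(%s) failed", filename);
            debug("umount(%s)\n", filename);
            if (umount2(filename, MNT_DETACH))
                exitf("umount(%s) failed", filename);
        }
    }
    closedir(dp);
    int i;
    for (i = 0;; i++) {
        debug("rmdir(%s)\n", dir);
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EROFS) {
                debug("ignoring EROFS\n");
                break;
            }
            if (errno == EBUSY) {
                debug("umount(%s)\n", dir);
                if (umount2(dir, MNT_DETACH))
                    exitf("umount(%s) failed", dir);
                continue;
            }
            if (errno == ENOTEMPTY) {
                /* New entries appeared after the scan: rescan from the top. */
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exitf("rmdir(%s) failed", dir);
    }
}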
/*
 * Return the CLOCK_MONOTONIC reading in whole milliseconds.
 * Ends the process through fail() if the clock cannot be read.
 */
static uint64_t current_time_ms()
{
    struct timespec now;

    if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
        fail("clock_gettime failed");

    const uint64_t from_seconds = (uint64_t)now.tv_sec * 1000;
    const uint64_t from_nanos = (uint64_t)now.tv_nsec / 1000000;
    return from_seconds + from_nanos;
}
static void test();
/*
 * Run test() forever, one forked child per iteration.
 *
 * Each iteration creates a scratch directory "./<iter>", forks a child that
 * enters it and runs test(), and waits for that child. A child still running
 * after 5 seconds is killed together with its process group. The scratch
 * directory is removed before the next iteration. This function never returns.
 */
void loop()
{
    int iter = 0;

    while (1) {
        char cwdbuf[256];
        int status = 0;
        int pid;
        uint64_t start;

        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777) != 0)
            fail("failed to mkdir");

        pid = fork();
        if (pid < 0)
            fail("clone failed");
        if (pid == 0) {
            /* Child: die with the parent, own process group, run once. */
            prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
            setpgrp();
            if (chdir(cwdbuf) != 0)
                fail("failed to chdir");
            test();
            doexit(0);
        }

        /* Parent: poll once per millisecond until the child is reaped. */
        start = current_time_ms();
        while (waitpid(-1, &status, __WALL | WNOHANG) != pid) {
            usleep(1000);
            if (current_time_ms() - start > 5 * 1000) {
                /* Timed out: kill the child's group, then the child. */
                kill(-pid, SIGKILL);
                kill(pid, SIGKILL);
                while (waitpid(-1, &status, __WALL) != pid) {
                }
                break;
            }
        }

        remove_dir(cwdbuf);
        iter++;
    }
}
/* Result slot for each generated step; only the syscall slots are written. */
long r[39];
/*
 * The generated syscall sequence that the thread reports as triggering the
 * WARNING in skb_try_coalesce (net/core/skbuff.c:4331) on the quoted kernels.
 * The report's kernel had panic_on_warn set, so the warning became a panic.
 *
 * Every step goes through execute_syscall() with literal numbers, and every
 * memory write is wrapped in NONFAILING(). Return values are stored in r[]
 * but never checked, so a failed step does not stop the sequence.
 * The constant names given below are the Linux x86-64 meanings of the
 * literals - NOTE(review): confirm against the kernel headers in use.
 */
void test()
{
/* Start with every slot at -1 (all bytes 0xff). */
memset(r, -1, sizeof(r));
/*
 * Map 0xf0a000 bytes at the fixed address 0x20000000; all later pointers
 * are absolute addresses inside this region. prot 0x3 and flags 0x32
 * correspond to PROT_READ|PROT_WRITE and MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
 */
r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xf0a000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
/* socket(2, 1, 0): corresponds to AF_INET, SOCK_STREAM (a TCP socket). */
r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul, 0, 0, 0, 0,
0, 0);
/*
 * 4-byte option value 0x81, set at level 0x6 / option 0x2
 * (corresponds to IPPROTO_TCP / TCP_MAXSEG).
 */
NONFAILING(*(uint32_t*)0x20000000 = (uint32_t)0x81);
r[3] = execute_syscall(__NR_setsockopt, r[1], 0x6ul, 0x2ul,
0x20000000ul, 0x4ul, 0, 0, 0, 0);
/*
 * 16-byte address for bind(): a 16-bit 0x2, a 16-bit 0x234e, a 32-bit
 * 0x20000e0 and eight zero bytes. Presumably a struct sockaddr_in
 * (family, port, address, padding) - confirm.
 */
NONFAILING(*(uint16_t*)0x20f02000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20f02002 = (uint16_t)0x234e);
NONFAILING(*(uint32_t*)0x20f02004 = (uint32_t)0x20000e0);
NONFAILING(*(uint8_t*)0x20f02008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f02009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f0200a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f0200b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f0200c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f0200d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f0200e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f0200f = (uint8_t)0x0);
r[15] = execute_syscall(__NR_bind, r[1], 0x20f02000ul, 0x10ul, 0, 0,
0, 0, 0, 0);
/*
 * 16-byte option value for level 0x1 / option 0x1a (corresponds to
 * SOL_SOCKET / SO_ATTACH_FILTER): a 16-bit count of 1 and, at offset 8, a
 * pointer to 0x20ee6000, where one 8-byte record {16-bit 0x6, 8-bit 0x1f,
 * 8-bit 0xfd, 32-bit 0x153} is written. Presumably a struct sock_fprog with
 * a single classic-BPF instruction - confirm.
 */
NONFAILING(*(uint16_t*)0x20846ff0 = (uint16_t)0x1);
NONFAILING(*(uint64_t*)0x20846ff8 = (uint64_t)0x20ee6000);
NONFAILING(*(uint16_t*)0x20ee6000 = (uint16_t)0x6);
NONFAILING(*(uint8_t*)0x20ee6002 = (uint8_t)0x1f);
/* The cast truncates the 64-bit literal to the single byte 0xfd. */
NONFAILING(*(uint8_t*)0x20ee6003 = (uint8_t)0xfffffffffffffffd);
NONFAILING(*(uint32_t*)0x20ee6004 = (uint32_t)0x153);
r[22] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x1aul,
0x20846ff0ul, 0x10ul, 0, 0, 0, 0);
/*
 * 16-byte address for connect(): same layout and the same 16-bit 0x234e as
 * the bind() address above, but with a 32-bit 0x0 in the address field.
 */
NONFAILING(*(uint16_t*)0x20019000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20019002 = (uint16_t)0x234e);
NONFAILING(*(uint32_t*)0x20019004 = (uint32_t)0x0);
NONFAILING(*(uint8_t*)0x20019008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20019009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2001900a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2001900b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2001900c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2001900d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2001900e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2001900f = (uint8_t)0x0);
r[34] = execute_syscall(__NR_connect, r[1], 0x20019000ul, 0x10ul, 0,
0, 0, 0, 0, 0);
/* First payload: 185 (0xb9) fuzzer-generated bytes, sent with write(). */
NONFAILING(memcpy(
(void*)0x20f09f47,
"\x57\xbc\xcd\xa2\x95\x42\x68\xfc\x69\x41\x2a\x82\x44\xbd\x49\x16"
"\x17\xf5\x8a\x7c\x67\x66\x29\x85\xb3\x79\xc0\x60\xe2\x28\x17\x37"
"\xb6\xa3\x90\xf6\xd8\x37\x66\x49\x40\x7b\x34\xcb\x48\x58\x38\x47"
"\xcd\x4d\x78\x45\x5c\x02\x34\xaf\x33\x16\x01\x3a\x6e\xb6\x14\x1e"
"\x4b\xa3\xb0\xdb\xdd\xf9\x27\xc0\x92\xa8\x09\x7c\xbe\x0f\x6c\x0e"
"\x36\x51\x6d\x1c\x7a\xac\x21\xa1\x0c\x84\x2b\x5e\x37\xfa\xbc\xfa"
"\xa0\x6b\xd8\xa1\x21\x25\xdc\xa4\xbd\x62\xe2\x2c\x4d\x7c\x90\x78"
"\x26\x57\x54\x3c\x00\x6e\x00\xed\xef\x7d\x99\x6a\x28\x54\x7f\xde"
"\xdf\x08\xde\x97\xe6\x32\xe1\x4f\xa8\x4e\x46\x73\xd2\xab\x65\x77"
"\x70\x32\x61\xa7\x72\x61\xb8\xa6\x2e\xb6\x5e\x49\xe6\xf8\xfa\xb5"
"\x5b\x34\x6f\xa9\xc5\xf0\x31\x9a\xb9\x72\x07\xd9\x80\x75\xcb\x14"
"\x5e\xf4\x4e\x75\xc5\x2e\xaa\xa8\x52",
185));
r[36] = execute_syscall(__NR_write, r[1], 0x20f09f47ul, 0xb9ul, 0, 0,
0, 0, 0, 0);
/*
 * Second payload: 2241 (0x8c1) fuzzer-generated bytes, sent with sendto()
 * and flags 0x4004 (corresponds to MSG_NOSIGNAL|MSG_DONTROUTE), with no
 * destination address.
 */
NONFAILING(memcpy(
(void*)0x20a91000,
"\x4d\x68\x6a\x22\xce\x2f\xa6\xba\x97\x1f\x57\xdb\x54\xcc\x84\x79"
"\x68\x86\x31\xc4\xbb\x9a\xe2\xb3\x1c\x0a\xcf\xe2\xd5\x63\xc8\x89"
"\x3a\x3a\x84\x5f\xbe\x17\xbf\xea\xf6\x79\x59\x14\x74\x28\x7b\x04"
"\xc1\xc7\x7d\xd9\x93\x04\xf8\xf4\xf3\xed\x72\xa3\x89\x4d\x05\xab"
"\xef\xbf\x57\x3a\xc5\x98\x28\xe8\x71\xc4\x50\x3e\x46\x50\xcc\xe6"
"\xc6\x7c\x9f\x05\x34\x00\x1f\x1c\x37\x63\xbc\xb0\xb3\x97\x29\x69"
"\x77\x65\x4e\x49\x16\x12\x24\xd2\x79\xc3\x40\xed\x66\xa5\x1b\xa4"
"\x7d\x16\x49\xb6\xf9\x11\xaa\x9c\xf0\xb1\x99\x1c\x40\xce\x38\xd6"
"\x7b\xe5\xb0\xe6\x1a\xe0\x8e\xde\xcb\xe1\xb5\x33\x92\xe7\xdd\xed"
"\xd3\xe7\xa4\x7b\x9e\x0a\x2c\xc5\xb6\xe2\x95\xcb\xfa\x87\x02\xfb"
"\x94\x9e\x8f\xa0\x66\xe7\x4e\x03\x00\x7c\x29\xae\x20\x9a\xd5\x0e"
"\xda\x31\xb9\x06\x62\x58\x24\x1b\x8b\x74\xb5\xeb\x40\x74\xe8\x6b"
"\x9d\x4c\x5d\x62\xff\x89\xd1\xaa\x26\xd1\x47\x05\x3f\x78\xe6\x22"
"\xaa\xc4\xd9\x4f\xda\x06\xad\x67\x60\xd0\x2a\xa9\x7b\x7d\xc2\x80"
"\xea\xf3\x86\x59\x0a\x71\x6a\xa4\x9a\x5a\xa5\x2f\x00\xc3\xa4\x9b"
"\x36\x5b\x1d\x9e\xf5\xfc\xae\x9d\x22\x22\xea\x86\x76\x9f\xe7\x3e"
"\x2c\xa6\xd2\x05\x42\x14\x42\x66\x61\xf2\x1b\x19\xd4\xab\xe2\x26"
"\xc7\x1f\xf6\xbb\x9c\x35\xff\x58\x56\x24\xb9\xdd\x5d\xdc\x77\xe7"
"\x15\xb4\x71\xd6\x9f\xe8\xbc\x6f\xde\xa1\x55\xd7\xc5\x48\x75\xaa"
"\xff\x56\x36\x51\xeb\xc7\x13\x42\x18\xb9\x40\x8d\x9a\x1a\xd2\xf7"
"\xb2\xad\x4d\x14\x39\xc5\x4d\xe6\x03\x90\xd2\xb6\xcd\x6b\xd1\x08"
"\x7a\xb2\x49\x9d\xed\xde\x8d\xf6\x9f\xa7\x18\x35\x20\xc3\x23\x35"
"\xad\x4d\xa3\xd8\x8f\x90\x78\x0d\xc3\x94\x8f\x6c\x53\x11\x76\xc3"
"\xa8\x64\x6b\x25\x43\xf1\x91\xf0\x7f\xce\x67\x4a\x12\xd2\x45\x31"
"\xcf\x44\x94\x0b\xf1\x0c\xc1\xfe\xd5\xf6\x46\xd1\xe2\x9e\xa6\x3c"
"\x5d\x60\x69\xfd\xfc\xa8\x1a\x0c\x76\x6b\xc0\x5d\x67\x9e\xeb\x0e"
"\x4c\xf2\x91\x36\x40\x2a\x4e\x86\x67\x8e\x94\x2e\xe0\xc7\x38\x5c"
"\x78\xd6\x37\xb0\xd0\x65\xe2\x2d\x59\x77\x89\x44\x6f\xa9\x49\xf5"
"\x6d\x5a\xde\xf9\x80\xbc\x7c\x6f\xad\xf7\x4e\x63\x3d\xe8\x10\x0b"
"\x4f\xbe\x31\xfa\xa3\x7b\xeb\x69\x70\x6c\xb9\xf9\x0a\x5c\x3b\x13"
"\x31\x65\x74\x49\x34\x44\xe7\xef\xa1\xc5\xd7\x1a\xc1\x8b\x68\x59"
"\x40\x30\xe7\x36\x6d\xcb\x8c\xde\x5c\x82\x4d\xfe\x91\x04\xfa\x9f"
"\x72\xa4\x58\x85\x47\x93\x14\x89\x0b\xc4\x49\xac\x1f\x02\xa5\xf1"
"\xd1\xbd\x81\xc5\x2f\x44\xdb\x4a\x31\x52\xdf\xb4\xcb\xe6\x2a\x93"
"\xe9\x24\x7e\xa2\x55\xc7\x1d\x5f\xc9\x71\xe3\x2b\x46\x47\x08\xd0"
"\xff\x16\x14\x1a\x58\x37\x62\xd8\x84\xd4\xfa\x6b\x18\x3c\x28\x01"
"\xb9\x75\x31\x77\x17\xb8\x40\xb6\x4b\xf2\xc5\x08\x1d\xd3\xa8\x16"
"\x58\x26\x07\x76\xc7\xef\x47\x1c\x9e\xc5\x19\x29\x61\xe4\x9c\x1e"
"\x71\xe5\xd5\x17\xcc\x94\x98\x25\x15\xf7\x83\x6d\x02\xa5\x3d\x8b"
"\xbb\xdf\x11\x5e\x73\x72\x43\x94\x17\x92\x77\x64\xcf\x1c\x9b\xb0"
"\xfe\x2c\xc4\x29\x3d\x02\xdb\x88\x6a\xd8\xe3\xdc\x00\x00\x00\xe3"
"\xf9\x4d\x1e\x28\x10\xea\x01\xb4\xeb\x47\x9a\xcf\x1e\xe8\x49\x96"
"\xfb\xb4\x9a\x2f\x96\x25\x91\x8c\xd1\xc7\xa9\x07\xae\x33\x84\xb2"
"\x8a\xec\xf7\xc6\x36\x5f\x46\x85\xea\x24\x3e\x48\xc5\x09\x31\xaf"
"\xc1\xc7\x1f\x4e\xc2\xf5\x38\x5c\xf0\x9a\x64\xef\xea\x8b\x4d\xc6"
"\x0c\xb6\x10\xd8\x0a\x2a\x59\x6c\x21\x47\x13\x8f\x31\x76\xbf\x8c"
"\xf1\x00\xa4\x4b\xda\x31\x5a\xb7\x4a\x26\x9f\x4c\xe0\xe8\x4a\x0e"
"\xfb\xd6\xe1\x13\x54\x61\x09\x9d\xd1\x37\x90\xd2\xa1\xc3\x87\xfc"
"\xf7\xcf\xd1\x4d\x1d\xbc\xce\x8d\x5b\x86\x30\x6e\x98\x08\x13\xd4"
"\xd0\x2c\xaa\xba\xde\x6b\xae\x9f\xfd\xc0\xaf\x89\x21\x07\x6e\x43"
"\x3e\x2e\x1f\x81\x4f\x00\xef\x01\x1c\x79\x57\x1e\x2d\xb2\x08\xd4"
"\x57\xc3\x74\x58\xa9\x03\x2f\x7d\x2f\xf3\x1b\x5f\xa9\x08\xc7\xf2"
"\xc3\x85\x70\x1e\x8c\xc3\xdb\xfc\x32\x29\x03\xfa\x2e\xbc\xd8\x5f"
"\x5d\xd7\x13\x27\x73\xc6\x55\x63\xd8\x36\x79\x3c\xa8\x04\x11\xd5"
"\xbd\x2a\x2c\x4a\x8b\x09\x56\xa9\x0f\xb9\xdf\xed\xd4\x43\x0a\x64"
"\x3e\x67\xa0\x71\x4d\xcc\xed\xef\x49\xcf\xd4\xe1\x4a\x7a\x8d\x52"
"\x40\x2d\xb6\xb1\x47\x2f\xe2\x22\x36\x6d\x69\x3c\xad\x44\xc6\x9a"
"\x07\x35\x7e\xb0\xf1\x50\x45\xf4\x42\xaa\x66\x7d\xf6\x45\x85\x89"
"\xb4\x46\x61\x57\xee\x5d\xd0\x04\x45\xbd\xfe\x67\x3b\xf0\xf0\xc4"
"\x48\x44\x52\x88\x0d\x24\x1b\x31\x34\xea\xfc\xc9\xca\xd1\x68\x32"
"\xff\x2d\xc4\x87\x56\xae\x6c\x09\x1a\x79\x90\x92\x5a\x3c\xcd\xd9"
"\x14\x2c\xed\x63\x3f\x54\xe5\xb7\x2a\x58\xe5\x76\xc2\x2f\xbc\x1d"
"\x0b\xa0\xc2\x02\xe4\xcb\x28\x2e\x63\x67\x18\xf6\x2d\xd8\xb2\x1c"
"\xed\x5b\xfe\xa0\xf4\xf5\x3d\xd0\x22\x0a\x84\x07\xea\xcc\xf7\x96"
"\x01\x8c\x0c\x21\x3d\xa2\xe7\x70\x2b\x66\x65\x71\x99\xda\x1f\x00"
"\xd3\x2f\x80\xa1\xb3\x00\xea\x28\x04\xe4\xcb\xa0\x17\xe1\x5b\x80"
"\x2f\xaf\x25\x2a\x77\x5a\xdb\x5b\x96\x4b\x23\xec\x72\x32\x13\xbe"
"\x01\x6f\x29\xc2\xfc\x3a\x69\x60\x6e\xd5\x72\x61\x7b\x68\xc5\x3a"
"\x3a\xcb\x0c\xa8\x9c\x90\xf2\xd0\x42\x07\x0e\xdc\xea\x12\x61\x08"
"\x22\xab\xbc\xdd\xea\x18\xa1\x38\x7f\x80\x28\x95\xff\x28\x5c\x4a"
"\x03\xb5\x5d\x5a\xba\x88\x4f\x60\x28\x21\xe3\x99\x3e\x4e\xf6\xe3"
"\x92\x3f\xf0\x5b\x8f\x66\x54\x88\xfb\xee\x6e\xaa\xd4\xff\xd6\xf3"
"\x89\xbc\x0a\xf6\x39\x6b\x2b\xb6\x61\x2c\xfb\x1a\x28\x52\x4a\x8c"
"\x69\x55\x48\x0f\xe8\xaa\x07\x67\xf6\x30\xd8\x82\x78\xd5\x46\x80"
"\x10\x39\xac\x96\x69\x32\x06\x91\xe7\x07\xb3\x84\x50\x9f\x5c\xdd"
"\xb0\xbc\xbd\x29\x47\x35\x7a\x6e\xca\x5e\xe7\x5f\x4c\xd8\x0e\x62"
"\xaa\x1d\x5c\x1e\x1d\xa6\x49\x31\x28\xb7\x58\xff\x6e\x08\x5d\x24"
"\x12\x11\x8c\x38\xfa\x9a\x43\x84\x9c\x91\xde\x5f\xae\xf5\xec\xcc"
"\x06\xd9\x56\x2a\x66\x1b\xdc\x4f\x90\x0e\x34\x58\x04\x99\x37\xb5"
"\x6a\x29\xc8\xd2\xec\xe5\x7f\x14\x75\xfe\x37\x37\xde\x77\x6e\xae"
"\xd1\x87\x8a\x95\xc6\x86\x81\x0f\x98\xcc\x12\x32\x3a\x6e\x7f\x81"
"\x82\xf9\x52\x42\x81\x84\x28\xd1\x94\x6a\xaf\x2a\x7a\xcb\x8a\xe0"
"\xc8\xf3\x7d\x42\x96\xec\x5c\xda\xc2\x68\xd4\xb5\x2b\x65\xa8\x67"
"\x36\x3f\x87\x2f\x55\xd0\xc7\xfc\xa3\xaa\xda\x55\x63\x31\xbe\x05"
"\xbe\xa6\xbb\x04\xf3\x57\xf1\xb3\x86\x0e\x22\x53\x4a\xc5\x77\xc1"
"\x10\x1c\xdf\x60\x09\xa6\x2e\xc4\x07\xd3\xd9\xb0\x9f\x72\x0f\x59"
"\xd7\xf3\xf9\xda\x99\xb9\xa6\xfd\xbe\xaf\xee\xc0\xfb\x12\xfd\x2c"
"\x77\xae\x70\x3b\xc6\x68\x27\x4d\x21\xd7\xab\x04\xa1\xad\x91\x35"
"\x12\xb2\xc0\x3f\x5b\x7e\x68\x70\x01\x52\x0d\x9b\x5d\xdc\xd4\x2d"
"\xb6\xfd\x15\xb3\xf9\x68\xe9\x5b\xaa\x7c\x8b\xa4\x23\xf0\x44\x0d"
"\x12\xd9\x73\xd4\xd2\xc3\xa6\x3a\x90\xfa\x2b\x06\x3e\x51\x35\xa3"
"\x58\x23\x60\x20\x5c\xbe\x95\xdf\xc8\x61\x43\x5c\x89\x62\x74\x19"
"\x08\xdc\x06\x48\x33\x9d\xde\x89\x28\xaa\x4c\xbb\xa2\x56\x3c\x4d"
"\xc9\x4a\x8f\xaa\xea\x0a\x95\x93\x00\xfd\x98\xa2\x79\xfc\x5b\x9e"
"\x51\xc8\xc3\xd4\x67\xdc\xbc\x79\xf1\x06\xcd\x8b\xa4\x75\x90\xf4"
"\x01\x84\x89\x48\x7b\xab\x0f\x1e\xfa\xf7\x8b\x2b\x9e\x89\x22\xeb"
"\xfc\xcc\x80\xb6\x30\xbd\xea\xc5\xd2\x74\x66\x73\x27\xcf\x3c\xb7"
"\xf3\x23\x10\x98\xb9\xe1\xb7\xb6\xf9\x95\x95\xdd\x04\xa3\xa0\x7f"
"\xaf\x47\x80\xa8\xf1\xed\x8e\x42\x4b\x67\xfc\x09\x66\x48\xa4\x9e"
"\x0d\xb5\x56\xbd\x96\x7c\xa4\x87\x33\xa7\xdf\x97\xe4\xe8\x83\xb3"
"\x08\xf8\x42\x6c\xfa\x7e\xfe\x2a\x64\xbb\xa0\x08\x2d\x15\x4e\xdc"
"\x60\xbd\x47\xb0\xf9\x31\x27\x14\xbe\x0a\x15\x0c\x20\x41\x5b\x78"
"\x4d\x1c\x3e\x1c\x03\xf1\x17\x5a\x2b\x6c\x44\x73\x8a\xbe\x73\xe2"
"\x89\x58\x95\xad\xda\x83\xe1\xab\xe2\x89\x50\x06\xa2\x57\x93\x2c"
"\xdc\x9c\xd9\xe7\x95\xa2\xc4\xbd\x99\x44\xc4\x1d\x36\xb5\x6b\x92"
"\xa5\x3b\x74\xbd\x7a\xc5\xde\xd6\x46\x74\xb4\x88\x03\x23\x16\x0f"
"\xf9\xc3\xa6\xb1\x44\xec\x39\x2c\x63\xb8\x58\x76\xb7\x85\xf8\x67"
"\xb8\xce\xb7\x5e\xed\x74\xfb\x25\xbb\xb9\x8f\x2b\x2f\x9a\x9c\x39"
"\x59\xaf\x7e\x1b\xa8\xac\x1f\xbe\x00\xab\xfa\x82\xaa\x7f\x45\x07"
"\x59\xf8\x37\x96\xaf\x87\x25\xda\x77\x96\x55\x21\xbb\x79\x4a\xc5"
"\x09\xd4\x41\xc9\x15\x16\x00\x00\x00\x00\x00\x00\x00\x05\x88\xc4"
"\xf3\x99\xd8\xab\x7e\x6f\x43\xb2\xaa\xc9\x88\x46\x61\xea\xf5\xa0"
"\x2d\xae\x1a\xf2\x7a\x82\x3d\xf7\x26\xad\x7b\xdc\xca\xfa\x67\xd2"
"\xa8\xb9\xf5\xc8\xec\xaa\x2b\xb5\x23\xb9\xd3\xb2\x4b\x36\x31\xe6"
"\xd5\x50\x42\x2d\x3e\x03\x13\xe0\x6d\x51\x94\x04\xe5\x62\xc7\xb2"
"\x91\x3c\x7f\x7b\x42\x35\x72\x2a\xd4\x29\x85\xaa\xfe\x53\x14\xab"
"\x77\x64\xdf\xbc\xd8\x73\xcb\x35\x95\x68\xff\xe4\x30\x1c\x9e\xed"
"\xdc\xd0\xcb\x2e\x51\x7a\x92\x74\x29\x9c\xf2\x7f\x80\x9b\xc4\x1f"
"\x33\xeb\x52\x0d\x36\x7b\x40\xc0\xe0\xd1\x3d\x50\x7b\x9f\xc3\xde"
"\x71\xa0\x5f\xbf\xa0\x2b\xc3\xac\xc4\xda\x97\xbf\x3e\x14\x9f\x3b"
"\xd5\x06\x9b\x2b\x99\x37\x5e\xa3\x14\xb7\x3e\x7c\x6b\x4a\xbf\xca"
"\x6c\x63\xcc\x2e\xb7\x5d\x9f\x67\x68\x74\x9a\x28\x4e\xf5\xba\x2a"
"\x39\x60\x3f\x68\x14\x6c\x79\x65\xe5\x68\xc8\xfe\x4d\x7a\xe4\x26"
"\x2b\xd8\x24\xaf\x58\x73\xb1\x40\x00\x3c\x68\xf8\xe9\xc7\xdf\xd0"
"\x5b\xb1\xa8\x51\x17\x93\x71\xba\xd5\xa9\x79\x8a\x3d\x2c\xc7\x13"
"\xe7\xc9\xf0\x45\x84\xd0\xfa\x40\x96\xac\xb0\x9b\x30\x3b\xb5\x58"
"\xb9\x19\x38\x93\x14\x17\xf8\x27\x2c\x84\x32\xb2\xfd\x8f\xa6\x01"
"\xc3\x1e\x87\x3b\x31\xff\x72\x6b\x73\x4b\xa0\x3c\xb1\x39\xd0\x9b"
"\x9e\x67\x6e\xaa\x6f\x25\xaa\xd4\xac\xd6\xcf\xc6\x97\x01\x8e\x4e"
"\xc4\x8e\xcf\x77\xb1\x10\x61\x05\x58\x6a\x09\x05\x3e\x3e\x14\x6f"
"\xaf\xaf\x02\x29\x65\xca\x33\x54\x5f\x70\x75\x76\x08\x88\x83\xfb"
"\x31\x64\xfa\x2d\x37\xd4\x96\x14\xdd\x06\xf4\x0d\x00\x40\x00\x7b"
"\x54\x11\xe7\x57\xff\xaf\x63\x30\xa2\xb5\x29\x20\x8e\x47\x16\x30"
"\x01\xac\x5b\x68\xe8\x92\xc6\x2c\x21\x93\x9e\x6e\x52\x07\x9a\xba"
"\x5d\x87\xfb\xec\x3c\x3f\x65\xe9\x8f\x10\x19\x4e\xbc\x67\xb7\x43"
"\x44\x83\x0b\xee\xed\x31\x3a\x55\x76\xae\x41\xf3\x1b\x1e\x72\x25"
"\xf2\x48\x51\xad\x2e\x6e\x0e\xd1\xc0\xe3\xfe\x08\xe3\xb2\xac\xf0"
"\x2c\xc4\x31\xa7\x3e\xbe\x92\x4b\xf3\x4e\x23\x64\xef\xfe\xc7\xc3"
"\xaf\xd0\xc7\xac\xb6\x88\x03\x23\x09\x7d\xc7\x3d\x9c\xa1\x1b\xe7"
"\x80\x10\x39\x9a\x3c\x80\x38\x6f\xfb\x75\xe9\x40\xa9\xf3\x31\x43"
"\x69",
2241));
r[38] = execute_syscall(__NR_sendto, r[1], 0x20a91000ul, 0x8c1ul,
0x4004ul, 0x0ul, 0x0ul, 0, 0, 0);
}
/*
 * Entry point: prepare the scratch directory and fault handler, start the
 * sandboxed worker, then wait for it. The worker runs loop(), which does
 * not return, so in practice this blocks until the worker is killed.
 */
int main()
{
    int status = 0;
    int pid;

    setup_main_process();
    pid = do_sandbox_none(0, false);

    /* Wait until the worker itself is reaped; its status is not inspected. */
    for (;;) {
        if (waitpid(pid, &status, __WALL) == pid)
            break;
    }
    return 0;
}