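// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer program: maps a scratch region at fixed addresses, creates an
// io_uring instance, queues one SQE, then issues sendmmsg, io_uring_enter,
// io_uring_register and io_uring_enter again.

#define _GNU_SOURCE

// NOTE(review): the header names were missing from the extracted listing (nine
// bare "#include" tokens). This is the set syzkaller normally emits for such a
// program; the code below needs at least stdint.h, stdio.h, string.h,
// sys/mman.h, sys/syscall.h and unistd.h. Confirm against the original file.
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Fallback in the same spirit as the __NR_* fallbacks further down: only used
// when <sys/mman.h> hides MAP_POPULATE (strict ISO mode). 0x8000 is the
// asm-generic / x86 value.
#ifndef MAP_POPULATE
#define MAP_POPULATE 0x8000
#endif

#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16

// Fixed byte offsets into the ring mapping. syz_io_uring_submit() uses these
// constants instead of the sq_off/cq_off values the kernel reports, so they
// must match the ring layout of the kernel under test.
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

struct io_sqring_offsets {
    uint32_t head;
    uint32_t tail;
    uint32_t ring_mask;
    uint32_t ring_entries;
    uint32_t flags;
    uint32_t dropped;
    uint32_t array;
    uint32_t resv1;
    uint64_t resv2;
};

struct io_cqring_offsets {
    uint32_t head;
    uint32_t tail;
    uint32_t ring_mask;
    uint32_t ring_entries;
    uint32_t overflow;
    uint32_t cqes;
    uint64_t resv[2];
};

struct io_uring_params {
    uint32_t sq_entries;
    uint32_t cq_entries;
    uint32_t flags;
    uint32_t sq_thread_cpu;
    uint32_t sq_thread_idle;
    uint32_t features;
    uint32_t resv[4];
    struct io_sqring_offsets sq_off;
    struct io_cqring_offsets cq_off;
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

#define sys_io_uring_setup 425

/*
 * Create an io_uring instance and map its rings at caller-chosen addresses.
 *
 * a0: requested number of entries
 * a1: struct io_uring_params* (in/out, filled in by the kernel)
 * a2: fixed address for the SQ/CQ ring mapping
 * a3: fixed address for the SQE array mapping
 * a4: void** that receives the ring mapping address
 * a5: void** that receives the SQE array mapping address
 *
 * Returns the ring file descriptor, or -1 if io_uring_setup() or either mmap()
 * failed. The previous version stored the syscall result in a uint32_t, so a
 * failure came back as 0xffffffff and the caller's "!= -1" test could not see
 * it on a 64-bit build; it also never looked at the mmap() results.
 */
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
    uint32_t entries = (uint32_t)a0;
    struct io_uring_params* setup_params = (struct io_uring_params*)a1;
    void* vma1 = (void*)a2;
    void* vma2 = (void*)a3;
    void** ring_ptr_out = (void**)a4;
    void** sqes_ptr_out = (void**)a5;

    // Keep the full-width result so that -1 survives.
    long fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params);
    if (fd_io_uring == -1)
        return -1;

    // One mapping covers both rings, so it must be as large as the bigger one.
    uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
    uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
    uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
    *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, (int)fd_io_uring, IORING_OFF_SQ_RING);

    uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
    *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, (int)fd_io_uring, IORING_OFF_SQES);

    // Without both mappings the ring cannot be used; do not hand out an fd
    // together with MAP_FAILED pointers.
    if (*ring_ptr_out == MAP_FAILED || *sqes_ptr_out == MAP_FAILED) {
        close((int)fd_io_uring);
        return -1;
    }
    return fd_io_uring;
}

/*
 * Copy one 64-byte SQE into the SQE array and publish it on the submission
 * ring.
 *
 * a0: ring mapping, a1: SQE array mapping, a2: source SQE, a3: requested slot.
 * The slot is reduced modulo the ring's entry count when that count is
 * non-zero. Always returns 0.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* ring_ptr = (char*)a0;
    char* sqes_ptr = (char*)a1;
    char* sqe = (char*)a2;
    uint32_t sqes_index = (uint32_t)a3;

    uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
    uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);

    // The SQ index array is taken to start at the first 64-byte boundary after
    // the CQE array.
    uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;

    if (sq_ring_entries)
        sqes_index %= sq_ring_entries;

    char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
    memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);

    uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
    uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
    uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
    uint32_t sq_tail_next = *sq_tail_ptr + 1;
    uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
    *(sq_array + sq_tail) = sqes_index;

    // Release store: the SQE copy and the index write above are ordered before
    // the new tail value.
    __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
    return 0;
}

#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif

// r[0]: ring fd, r[1]: ring mapping address, r[2]: SQE array address.
uint64_t r[3] = {0xffffffffffffffff, 0x0, 0x0};

int main(void)
{
    // Scratch memory at fixed addresses: 16 MiB at 0x20000000 with prot 7 and
    // one page with prot 0 on each side. Flags 0x32 correspond to
    // MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED with the x86 / asm-generic values.
    syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

    // struct io_uring_params at 0x20000080. Offset 0x18 is resv[0] in the
    // struct declared above and receives -1.
    // NOTE(review): kernel uapi headers name that slot wq_fd - confirm.
    *(uint32_t*)0x20000084 = 0;
    *(uint32_t*)0x20000088 = 0;
    *(uint32_t*)0x2000008c = 0;
    *(uint32_t*)0x20000090 = 0;
    *(uint32_t*)0x20000098 = -1;
    memset((void*)0x2000009c, 0, 12);

    intptr_t res = syz_io_uring_setup(0x1f63, 0x20000080, 0x20001000, 0x20003000, 0x20000180, 0x200001c0);
    if (res == -1) {
        // No ring (io_uring unavailable on this kernel, or a mapping failed).
        // Continuing would make syz_io_uring_submit() dereference r[1] == 0.
        fprintf(stderr, "io_uring setup failed; nothing to submit\n");
        return 1;
    }
    r[0] = res;
    r[1] = *(uint64_t*)0x20000180;
    r[2] = *(uint64_t*)0x200001c0;

    // 64-byte SQE at 0x20000040: byte 0 is 0x1f, the 32-bit field at offset 4
    // is 0x8842, everything else is zero.
    // NOTE(review): the SQE layout is not declared in this file. In the mainline
    // uapi header byte 0 is the opcode and 0x1f appears to be
    // IORING_OP_PROVIDE_BUFFERS - verify against the kernel under test.
    *(uint8_t*)0x20000040 = 0x1f;
    *(uint8_t*)0x20000041 = 0;
    *(uint16_t*)0x20000042 = 0;
    *(uint32_t*)0x20000044 = 0x8842;
    *(uint64_t*)0x20000048 = 0;
    *(uint64_t*)0x20000050 = 0;
    *(uint32_t*)0x20000058 = 0;
    *(uint32_t*)0x2000005c = 0;
    *(uint64_t*)0x20000060 = 0;
    *(uint16_t*)0x20000068 = 0;
    *(uint16_t*)0x2000006a = 0;
    memset((void*)0x2000006c, 0, 20);
    syz_io_uring_submit(r[1], r[2], 0x20000040, 0);

    // Message vector for sendmmsg: one entry at 0x20001ac0 whose iovec
    // (0x20001800) points at 0x842 (2114) bytes at 0x20000800.
    // NOTE(review): 0x20001800 and 0x20001ac0 lie above 0x20001000, where the
    // ring was just mapped, so these stores presumably land in ring memory
    // rather than in the anonymous scratch pages.
    *(uint64_t*)0x20001ac0 = 0;
    *(uint32_t*)0x20001ac8 = 0;
    *(uint64_t*)0x20001ad0 = 0x20001800;
    *(uint64_t*)0x20001800 = 0x20000800;
    memcpy((void*)0x20000800,
           "\x02\x73\x1e\x7b\x4d\x2e\x5b\x4b\x70\x0d\xb6\xca\xa3\xa9\x9c\x1a\x22\x10\x26\x3f\x29\x71\xb8\x76\x1a\x2f\x81\xbf\x72\xdf\xf0\x2b\xba\xb8\x64\xa8\x22\xc9\x51\xcf\xbc\xe9\x3d\xcb\x97\x25\x01\x79\x69\x0a\x8d\x00\x01\x95\x1e\x6b\x48\x63\x24\x86\xc1\x7f\xbe\xca\xbd\xe8\x84\x2a\xa9\x75\x74\x5b\x1f\x86\x27\x94\x5a\x84\xf6\x5f\x24\xed\x71\x17\x32\xcd\xc2\x82\xb2\x53\x96\x1d\xf3\x3e\x53\xd0\x7a\xbb\x20\x15\x36\xb6\x54\xf6\xb0\x7f\x8a\x2d\x17\xc5\xa2\x3f\xa8\xc0\x09\xff\xf6\x91\x7a\x41\x5a\x21\xc7\x06\x27\x32\x05\x29\x83\x93\x54\x55\x4b\x80\xdd\x91\xfa\xf4\x89\x88\x3b\x6a\x74\xeb\x94\x35\x21\xb7\x2a\x32\xda\x9a\xd1\x8d\x3c\xd5\x4a\x9e\x7a\xdc\xad\xae\xac\x1c\x78\xe4\x7b\xf7\xf1\x28\x85\x3a\x4f\x15\x14\x30\x83\x34\xa8\x42\x0f\x0c\x76\xad\x29\x67\x13\x28\xeb\x3d\x3c\xbe\x19\x40\x4d\x7e\x7e\xf2\x7d\x39\x2a\xa1\x4c\x75\x9a\xb9\xdb\x74\xdd\x15\xbf\xa4\xf6\xed\x43\x49\xf1\x29\x90\xcf\x36\x67\xcd\x1e\x42\x3e\x96\xca\xce\xe5\x84\xd6\xc4\xd5\x52\x48\x6e\x7e\x78\xca\x40\xce\xbe\xfb\x13\x6e\x17\x7c\xed\x37\x8f\x16\xae\x88\x2f\xb2\x17\x26\xec\xdf\x7f\xc6\x25\xa3\x0b\xbe\x54\x9b\xc5\x72\xb3\x15\x6c\x80\x5b\xd1\x1c\xda\x2a\x36\x3b\x95\xbc\xd7\x04\xab\x3c\x08\x49\x30\xff\x3a\x8f\x68\xca\xee\xd7\xa6\xf3\x15\x33\xa3\xf7\x50\xb5\xdf\x6d\x06\x3f\x43\x2a\x6e\x31\xc2"
           "\x8d\x2f\xdf\x6f\xb9\xef\x11\x14\xec\x57\xf1\x17\x0d\xb9\x4c\x25\x17\x4e\x91\x00\x90\xe8\xc4\x81\xd7\x98\x59\xb2\x84\xdd\xf8\xfe\x0d\x93\x0c\x34\x06\x4b\x97\x8a\x45\xb6\x53\xa1\xb2\x5d\x1e\xc2\xf3\xaa\x09\xea\xd5\x38\x10\x7d\x5e\x89\x32\xb7\xfe\xcc\x0d\x37\x0e\xcf\x02\x52\xf1\x27\xbe\x39\x0b\x47\xc8\x65\x19\xee\xfe\xed\x5e\xee\x04\x1e\x57\x35\x33\x9b\x0c\xe6\x9e\x03\xf3\xdb\xcd\xa6\xff\xd4\x27\xf1\x2b\x6d\x66\x00\x0a\xf8\x53\x7b\x6c\x14\x2a\x00\x28\x1a\x29\xda\x43\x0a\xcc\x1c\x9f\x45\x9f\xd0\x8f\x6e\xbe\x38\x77\xf2\x9d\x5c\xa0\x13\xb3\x23\x6c\x3f\xc3\x9d\x85\x69\x90\x9b\x70\xdc\x0b\xed\x2e\x86\x59\xbe\xd3\xa5\x08\xd4\xbf\xbf\x56\xc3\x58\x88\xd4\x78\x16\xce\x32\x87\x86\x80\xac\x11\xef\xcf\x4d\xa7\x1a\x37\xb8\x55\x13\xa8\x39\xa0\xea\x0c\x58\xee\x13\x97\xb8\x24\x64\xf0\x65\xb1\xdb\xe0\x75\x3a\xbc\xa6\x9c\x4b\x80\xbf\x9a\xac\x49\x82\x99\xc9\xcc\x2a\x6f\x2a\xf8\xe6\x2e\x10\xd0\x31\xca\xff\x5f\x1d\x7c\x11\xa4\xba\x4a\xbd\xf2\xd1\x99\x59\xd5\x97\xd0\xa8\x28\x92\x04\x27\x9a\xde\xcc\x93\xb7\xf7\x03\x1f\x47\xcf\xa2\x6c\x66\x07\x89\xcd\xc1\x81\x2f\x9d\x90\x36\x41\x3e\xa9\x0f\xde\x72\x82\x5f\x25\x1a\x0e\x98\x80\x59\x8b\x0f\xfc\x07\xea\x44\xc6\x16\xfe\xa5\xd9\xa5\x36\x93\x5c\xe2\xfc\x24\xc6\xb4\xfe\xf4\xeb\xae\xc8\xb0\x3d\xa9\x4e\x29\x5b\xbd\xca\x6f\x27\x0c\x18\xcd\x8c\xa0\x81\x66\x89\xfa\x16\x8f\xf1\x75\x26\x80\x52\x83\x86\xba\xb5\x4b\x02\xa5\xf4\x03\xcc\x5b\x32\x4b\x3a\x0d\xdd\xe7\xd1\x62\x52\x22\x73\x20\x6e\xc2\xe8\x15\x1e\xb8\xc5\xb6\x5b\x13\x5e\x12\x61\xf4\x3b\x59\x58\x1e\x51\x50\x5a\xd7\x17\x3c\xc6\x16\xfd\x1e\x68\xc0\x1e\x1b\x59\x7c\xab\xbe\xc6\xed\x32\xd5\xfb\xf3\xc6\x3f\xee\x49\x66\x8f\xb8\x40\x9b\x48\xd4\xbc\x22\x62\xd1\x3e\xdf\xdf\x8a\x58\xa1\x97\x0e\x10\x16\xb1\x19\xad\x13\x1f\x25\xe5\x65\xb9\xb3\xe0\x4c\x93\xf3\x49\x64\xaa\x03\x54\x3f\xb1\xb2\x86\xac\xc0\x5c\x8a\x7c\x65\xd6\x32\x32\xc0\x57\xe5\xbc\x62\xf1\xd4\xe5\x05\xbf\x3e\x5f\xb3\x05\x79\xe1\x5f\x14\x1e\x7d\xcc\xb2\x12\xf9\xaa\x26\xad\xd5\x35\xbf\xd5\x88\xe5\x6a\xbc\xa9\x77\xd8\xab\x4a\xfa\xd3\x17\x74\xfa\xd7\x58"
           "\x86\x82\xcf\x09\x61\xe9\xbe\xdd\xa3\xc6\xc0\x60\x77\x5e\xf9\xd1\x46\xdc\x1c\x62\x5d\x85\xdc\x87\xf6\x0b\xa4\xf5\xb5\xd4\x85\x02\x97\x02\x50\xee\x99\xa4\xa4\x58\xbb\x97\x47\x6d\x89\x30\xe8\x55\xcd\x25\xbf\x6c\x39\x0a\xd5\x21\xab\xf6\x02\x1a\xb2\xc3\x17\x8d\xba\xa2\x13\xb7\xb3\x18\xff\xf1\xeb\x39\x8a\xa7\x86\xcc\x5c\x79\xb2\x97\x5a\x5b\xf8\x5a\xd8\xf1\xfa\xef\x73\x80\xb5\xb4\x0a\x81\x4a\xcc\x6f\x5f\x7c\x66\xc4\x7d\xf2\xb8\x7d\x43\x7a\xe2\x14\xad\xf2\xdd\x6f\x1e\xa3\x2b\x25\xeb\xa0\x1e\x87\x69\x71\x04\x20\xfe\xab\xac\x97\xf5\x50\x1e\x68\xe0\xf0\x57\x10\x6e\x88\x48\x8e\x5f\x69\xe8\xdb\xa0\x8e\x6a\xde\x79\x74\x1b\xe1\x5b\x6a\x28\x06\x2e\xb4\xbc\x3c\x25\x76\x64\x8d\xfa\xc0\xd4\x77\xfc\x18\x68\xe1\xa9\x68\x5a\x81\xe0\x04\xeb\xc8\xeb\x2c\xdd\xcc\xe9\x46\xa5\xb6\x66\x46\x4a\x4c\x25\x94\xb2\x22\x19\xc0\x32\x60\xb2\xb4\x73\x84\x1f\xb7\xca\xaa\x0d\x4d\x93\x2c\x1f\x9a\xd6\xc0\x84\xa4\xa6\x3f\x1a\x3d\xff\xdd\xf6\x2b\x5b\x33\x81\x43\xa3\x3e\x37\x31\xfd\x10\xa6\x8c\x95\x82\x80\x5e\x41\x6a\x38\x7b\x89\x45\x97\x8a\xe0\x22\xed\x5b\xe2\xa4\x3e\x61\xb1\x4b\x97\x6b\xa1\xbe\x2b\x9f\x49\x72\xed\x27\xb8\x0a\x55\x8a\x0d\xfa\xad\xac\xf1\x6e\xdb\x98\x30\xb4\x0d\x7a\x7f\x7d\x07\x6f\xb6\x73\xf0\x1e\xae\x30\x08\xe5\x1a\x86\x61\xe2\x0c\x3c\x0d\x94\x35\xef\x25\x18\x56\x44\x90\xef\x22\xfa\xb4\x80\x3d\x50\xb7\x53\x67\x1b\xa6\x52\x76\xf6\x62\x38\x2f\xd4\xbc\x47\x05\x5f\x05\x88\x4d\x72\xd5\x89\xbb\xe2\xb2\x3a\x8a\xf4\xf6\x58\x7e\x2a\x12\x52\xfb\x7a\x1f\xc0\x9d\x5c\xda\x87\x3f\x81\xcb\x03\x79\x69\x00\x95\xbd\xa5\x6e\x8c\xd0\x2a\xff\xa2\xa0\xfd\x23\x46\x72\x37\xfa\x2d\x9f\x33\x10\x2f\x67\x34\x86\x0e\x4a\xaa\x56\x91\x07\x8e\x93\x1a\x17\xd3\x67\xd4\xdb\x06\xd8\x1f\xc5\xf2\xdd\x89\xc5\xa6\xa5\x10\xb5\x76\xf6\x46\x00\xbb\x62\xc2\xf4\x22\x1c\xbe\xa6\x31\x63\xa6\xc9\xe7\x13\xb5\x75\x20\x7a\xa2\x0d\x6b\xad\x04\x9a\xa6\xbc\xed\xe2\xd2\x9a\x4d\x7e\x00\x3f\x09\xb5\x68\x9e\x7c\x65\x02\x12\xdc\xf0\xc5\x81\x2b\x22\x27\x9c\x0c\x0c\x92\xd6\x6f\x12\xa1\xc2\x4a\x14\xaa\x2a\x3d\x02\x96\xdf\xa0\xfe\x22\xea\xd8\x04\xec\x0f"
           "\xcc\x27\x4f\xf9\xc0\x31\xed\xa4\xc6\xe9\x3d\xac\xee\x60\x52\xa5\xe3\x2f\x7f\x49\x17\x06\xe2\xe7\x2f\x99\xf1\x38\x9f\x75\x90\xb7\x5d\x87\x96\xb1\x51\x1e\x81\x0b\xbe\x93\x93\xd6\x98\x2b\x0c\x49\x07\x3c\x93\xa6\x6d\x09\x7b\xeb\x40\x6f\x63\xe7\xcd\xd1\x64\x39\x69\x60\x8a\x59\xf6\xde\xed\x90\xbb\xeb\x93\x68\xc1\xf7\x2b\xba\xd9\x47\x48\xe8\xcf\x3f\x03\x19\xc5\xaf\xf8\x83\x9a\xea\xfa\xf9\x2f\x2c\x13\x66\xa0\x25\x8d\x6a\x5c\x10\x87\x5b\x3e\x16\x0f\xc1\xee\x47\x2a\x16\x9b\x4a\x1c\x5a\x11\x34\x5c\x3a\xd3\x75\xe1\x88\x97\x2f\x82\x70\x2b\x65\x92\x11\xaf\x0d\x41\x18\xcd\x53\x67\x03\xa4\x3a\x16\x60\x05\xd3\x3d\xb3\x30\x8b\xf6\xcb\x48\x05\xdf\x70\x05\x03\xc0\xde\x06\x31\x81\xe7\x49\x26\xd8\x65\xf9\xa5\xbf\x42\xac\x19\x08\xbe\xa1\x5e\x83\x8c\xa5\x7b\x3f\xa4\x75\xe3\x20\x9e\x00\xe8\xa7\x71\xe6\xba\x81\x70\x17\xcc\x75\x6c\xe8\x2d\x06\xae\xc9\x6a\x46\xda\xcc\x32\xb8\x9b\x5c\xb7\xba\x5d\x8a\x73\xb8\x49\xe7\x13\xcd\x72\xb8\xd5\xe7\x71\x44\x29\xb3\x13\x4a\x13\x5a\x53\x30\x45\xd0\xb6\xd8\x3c\x91\xb0\xe4\x9a\x6b\xfb\xbe\x4a\xb2\x30\x2c\x29\x8d\x1e\x46\x1f\x5e\x01\x07\xa6\x2d\xd6\xa6\x14\x29\x63\x74\x59\x21\x10\xce\x38\x2e\x05\x0c\xa8\x93\xa6\x06\x70\x41\x57\x91\xac\x1a\xab\x27\xe4\xef\x28\x8d\xe5\xff\x37\x82\xec\x9b\x24\x69\x7f\xa0\x57\xe4\xb2\xd1\x35\x7e\x43\xb2\x4a\xa0\x43\x38\x5a\xdd\x34\x5c\x2e\x7c\x2e\x8e\x20\x91\x80\x89\xa1\xe6\xab\xc8\x90\x95\x9c\xe1\xce\xfd\x34\x15\x1f\x8d\xcc\x91\x20\xfd\x44\x78\x89\xfb\x43\x80\xc4\x72\x15\xd6\x8e\xf9\xe7\x9d\x53\x65\x3e\x28\x5c\xaa\x7a\xc3\x7e\x07\x5f\x50\x2c\xb4\xce\xfd\xaf\x13\x48\x6c\x99\xce\xe8\xf4\xd7\x07\x0a\x26\xb5\x8a\xc6\x41\xd6\xb9\x50\x7c\x50\x3f\x0b\x1f\xa1\x1f\x5b\x6d\x78\x2b\x35\x6f\x23\x25\x0a\x60\xfc\x38\x94\x5f\x2e\xb6\x49\x64\x2d\xd6\x2a\x3f\x76\x08\x99\xbd\x32\xd7\x21\xa9\x13\x54\xfc\x93\xba\x16\x1e\xe2\x1f\x6a\x59\xaa\x47\x8f\x1e\xee\x92\x7a\x83\x11\xbd\x16\x99\x72\x97\x22\x9f\xf5\x73\x9a\x7a\x08\x68\x0e\x42\x95\x09\xb0\x98\x98\x78\xe5\x52\x2e\x9b\x6b\x6e\xd8\xd2\xaa\xf7\x31\x5b\x3b\x5a\xda\x01\xd0\xc1\x6e\xe6\xe9\x1a\x23\xfc"
           "\xd9\xed\x5b\xf6\xbc\xee\x80\x45\x1b\xd8\xa6\x74\x6b\x04\xac\xa5\x91\xde\x15\xb1\x76\xd6\x77\xf5\xc1\x65\xf0\xc3\xe5\xa3\x20\xd4\x1f\x01\x81\x21\xf5\x2a\xc3\xec\x7d\xd8\x78\xcf\x2c\x5b\x6d\xd6\x85\xee\xb2\xd0\x12\x78\x56\x97\x40\xac\x2c\x2e\x39\x63\x46\x68\x29\x27\x23\xf9\xdd\xf5\x83\x7b\x9c\x85\xfe\x77\x15\x2f\x00\xcc\x7a\x0b\x4e\xdd\x42\x11\x19\x22\x5c\x42\x05\x83\x6e\x88\x5e\x99\x31\x13\x0d\x2e\x1f\xb3\x6a\x62\xa5\xd3\xbb\x94\xb7\xe5\x96\xa2\xff\xea\xd8\xdc\x08\xca\x78\x7f\x81\x50\xe9\x5b\xb8\x7b\x8d\x97\xca\x54\xfc\x05\x27\xea\x20\x3c\xc8\xf6\xf6\x86\xe4\x41\x2b\x15\x9d\x88\x6a\x0f\xc0\x47\xa5\x96\xda\x20\x92\x74\xd6\x62\x8f\x62\xe1\x83\xf5\x66\x24\xed\xad\x0e\xa8\x1e\x8a\xe5\xb0\xc9\x64\x15\x7f\x0c\xeb\x29\x63\xbf\x9d\x30\x1b\x51\xc4\x3a\x44\x81\x7d\x2f\x6d\xba\x62\x29\xdc\xce\xae\xda\x60\x02\x92\xec\x5e\xea\x87\x4a\x38\xe1\x67\xf0\xca\x9e\x79\x20\x36\x7a\x1a\x99\x8f\xba\x34\x8a\xdc\x96\xdd\x23\xf1\x73\xd4\x46\x0d\x04\x28\x8d\xa2\x1c\xea\x33\xce\xa0\x54\x44\x16\xf1\xb1\x65\xcc\x4d\x55\xd2\xd5\x81\xcf\xde\xa5\xe8\xab\x61\xe6\x31\x25\x23\x07\xaf\x31\x74\xe9\xa9\xf9\x2a\x2d\x5b\xd4\xa5\x1c\x94\x54\x79\xea\xda\x1b\x52\x8e\x73\xc3\x4e\x04\x15\x6b\xbb\x2d\xb5\x7b\xec\xd8\xe2\x04\xf0",
           2114);
    *(uint64_t*)0x20001808 = 0x842;
    *(uint64_t*)0x20001ad8 = 1;
    *(uint64_t*)0x20001ae0 = 0;
    *(uint64_t*)0x20001ae8 = 0;
    *(uint32_t*)0x20001af0 = 0;

    // The fd argument is -1, so this call is expected to fail before the
    // vector is used (presumably EBADF).
    syscall(__NR_sendmmsg, -1, 0x20001ac0ul, 1ul, 0ul);

    // io_uring_enter(fd, to_submit = 0x51cd, min_complete = 0, flags = 0).
    syscall(__NR_io_uring_enter, r[0], 0x51cd, 0, 0ul, 0ul, 0ul);

    // io_uring_register(fd, opcode = 6, arg = NULL, nr_args = 0).
    // NOTE(review): opcode 6 appears to be IORING_REGISTER_FILES_UPDATE in the
    // mainline uapi header - verify against the kernel under test.
    syscall(__NR_io_uring_register, r[0], 6ul, 0ul, 0);

    // Second io_uring_enter, this time with to_submit = 0x25f1.
    syscall(__NR_io_uring_enter, r[0], 0x25f1, 0, 0ul, 0ul, 0ul);
    return 0;
}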