Syzkaller hit 'WARNING: refcount bug in perf_mmap' bug.

audit: type=1400 audit(1769331402.322:11): avc:  denied  { read } for  pid=1256 comm="syz.3.17" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=perf_event permissive=1
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1256 at lib/refcount.c:25 refcount_warn_saturate+0x13c/0x1b0 lib/refcount.c:25
Modules linked in:
CPU: 0 UID: 0 PID: 1256 Comm: syz.3.17 Not tainted 6.18.5 #1 PREEMPT(voluntary) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
RIP: 0010:refcount_warn_saturate+0x13c/0x1b0 lib/refcount.c:25
Code: f0 40 ff 80 3d 70 44 61 03 00 0f 85 52 ff ff ff e8 c9 f0 40 ff c6 05 5e 44 61 03 01 90 48 c7 c7 80 43 7c 9a e8 75 5d 0f ff 90 <0f> 0b 90 90 e9 2f ff ff ff e8 a6 f0 40 ff 80 3d 3d 44 61 03 00 0f
RSP: 0018:ffff8881036bf678 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8881027387c0 RCX: ffffffff9757110c
RDX: ffff888102cb4800 RSI: 0000000000000008 RDI: ffff88811b228000
RBP: 0000000000000002 R08: fffffbfff3659644 R09: ffffed10206d7e8c
R10: ffffed10206d7e8b R11: ffff8881036bf45f R12: 0000000000000000
R13: ffff88810e816310 R14: ffff88810e816300 R15: ffff8881027387a0
FS:  000055558ca3a540(0000) GS:ffff88817e683000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000078 CR3: 000000010406c005 CR4: 0000000000770ff0
PKRU: 55555554
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:289 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 perf_mmap_rb kernel/events/core.c:7005 [inline]
 perf_mmap+0x126d/0x1990 kernel/events/core.c:7163
 vfs_mmap include/linux/fs.h:2405 [inline]
 mmap_file mm/internal.h:167 [inline]
 __mmap_new_file_vma mm/vma.c:2413 [inline]
 __mmap_new_vma mm/vma.c:2476 [inline]
 __mmap_region+0xea5/0x2250 mm/vma.c:2670
 mmap_region+0x267/0x350 mm/vma.c:2740
 do_mmap+0x769/0xe50 mm/mmap.c:558
 vm_mmap_pgoff+0x1e1/0x330 mm/util.c:581
 ksys_mmap_pgoff+0x35d/0x4b0 mm/mmap.c:604
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x116/0x180 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xac/0x2a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4a5add3b9d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe1d5a4a68 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f4a5b029fa0 RCX: 00007f4a5add3b9d
RDX: 000000000100000b RSI: 0000000000001000 RDI: 0000200000186000
RBP: 00007f4a5ae5700a R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000013 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000001067 R15: 00007f4a5b029fa0
 </TASK>
---[ end trace 0000000000000000 ]---


Syzkaller reproducer:
# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
pkey_mprotect(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x5, 0xffffffffffffffff)
r0 = perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0x8, 0x1, 0x8, 0x1, 0x0, 0x2, 0x84143, 0x10, 0x1, 0x1, 0x1, 0x0, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x3, 0x1, 0x1, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x0, 0x0, 0x1, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x7fff, 0x2, @perf_config_ext={0x29a, 0x8}, 0x1800, 0x7, 0x10000, 0x1, 0x4, 0xffffff7f, 0xfffe, 0x0, 0x8000003, 0x0, 0x7}, 0x0, 0x1, 0xffffffffffffffff, 0x8)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x0, 0x11, r0, 0x0)
r1 = perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0x8, 0x1, 0x8, 0x1, 0x0, 0x2, 0x84143, 0x10, 0x1, 0x1, 0x1, 0x0, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x3, 0x1, 0x1, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x0, 0x0, 0x1, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x7fff, 0x2, @perf_config_ext={0x29a, 0x8}, 0x1800, 0x7, 0x10000, 0x1, 0x4, 0xffffff7f, 0xfffe, 0x0, 0x8000003, 0x0, 0x7}, 0x0, 0x1, r0, 0x2)
mmap(&(0x7f0000186000/0x1000)=nil, 0x1000, 0x100000b, 0x13, r1, 0x0)


C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_pkey_mprotect
#define __NR_pkey_mprotect 329
#endif

static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
    exit(sig);
  }
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
  int valid = addr < prog_start || addr > prog_end;
  if (skip && valid) {
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...)                                                        \
  ({                                                                           \
    int ok = 1;                                                                \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    } else                                                                     \
      ok = 0;                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    ok;                                                                        \
  })

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  install_segv_handler();
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  //  pkey_mprotect arguments: [
  //    addr: VMA[0x2000]
  //    len: len = 0x2000 (8 bytes)
  //    prot: mmap_prot = 0x5 (8 bytes)
  //    key: pkey (resource)
  //  ]
  syscall(__NR_pkey_mprotect, /*addr=*/0x200000000000ul, /*len=*/0x2000ul,
          /*prot=PROT_READ|PROT_EXEC*/ 5ul, /*key=*/(intptr_t)-1);
  //  perf_event_open arguments: [
  //    attr: ptr[in, perf_event_attr] {
  //      perf_event_attr {
  //        type: perf_event_type = 0x2 (4 bytes)
  //        size: len = 0x80 (4 bytes)
  //        config0: int8 = 0x8 (1 bytes)
  //        config1: int8 = 0x1 (1 bytes)
  //        config2: int8 = 0x8 (1 bytes)
  //        config3: int8 = 0x1 (1 bytes)
  //        config4: const = 0x0 (4 bytes)
  //        sample_freq: int64 = 0x2 (8 bytes)
  //        sample_type: perf_sample_type = 0x84143 (8 bytes)
  //        read_format: perf_read_format = 0x10 (8 bytes)
  //        disabled: int64 = 0x1 (0 bytes)
  //        inherit: int64 = 0x1 (0 bytes)
  //        pinned: int64 = 0x1 (0 bytes)
  //        exclusive: int64 = 0x0 (0 bytes)
  //        exclude_user: int64 = 0x0 (0 bytes)
  //        exclude_kernel: int64 = 0x1 (0 bytes)
  //        exclude_hv: int64 = 0x1 (0 bytes)
  //        exclude_idle: int64 = 0x1 (0 bytes)
  //        mmap: int64 = 0x0 (0 bytes)
  //        comm: int64 = 0x1 (0 bytes)
  //        freq: int64 = 0x0 (0 bytes)
  //        inherit_stat: int64 = 0x0 (0 bytes)
  //        enable_on_exec: int64 = 0x0 (0 bytes)
  //        task: int64 = 0x1 (0 bytes)
  //        watermark: int64 = 0x0 (0 bytes)
  //        precise_ip: int64 = 0x3 (0 bytes)
  //        mmap_data: int64 = 0x1 (0 bytes)
  //        sample_id_all: int64 = 0x1 (0 bytes)
  //        exclude_host: int64 = 0x0 (0 bytes)
  //        exclude_guest: int64 = 0x0 (0 bytes)
  //        exclude_callchain_kernel: int64 = 0x1 (0 bytes)
  //        exclude_callchain_user: int64 = 0x0 (0 bytes)
  //        mmap2: int64 = 0x1 (0 bytes)
  //        comm_exec: int64 = 0x1 (0 bytes)
  //        use_clockid: int64 = 0x0 (0 bytes)
  //        context_switch: int64 = 0x0 (0 bytes)
  //        write_backward: int64 = 0x1 (0 bytes)
  //        namespaces: int64 = 0x0 (0 bytes)
  //        ksymbol: int64 = 0x0 (0 bytes)
  //        bpf_event: int64 = 0x1 (0 bytes)
  //        aux_output: int64 = 0x0 (0 bytes)
  //        cgroup: int64 = 0x0 (0 bytes)
  //        text_poke: int64 = 0x0 (0 bytes)
  //        build_id: int64 = 0x0 (0 bytes)
  //        inherit_thread: int64 = 0x1 (0 bytes)
  //        remove_on_exec: int64 = 0x0 (0 bytes)
  //        sigtrap: int64 = 0x0 (0 bytes)
  //        __reserved_1: const = 0x0 (8 bytes)
  //        wakeup_events: int32 = 0x7fff (4 bytes)
  //        bp_type: perf_bp_type = 0x2 (4 bytes)
  //        bp_config: union perf_bp_config {
  //          perf_config_ext: perf_config_ext {
  //            config1: int64 = 0x29a (8 bytes)
  //            config2: int64 = 0x8 (8 bytes)
  //          }
  //        }
  //        branch_sample_type: perf_branch_sample_type = 0x1800 (8 bytes)
  //        sample_regs_user: int64 = 0x7 (8 bytes)
  //        sample_stack_user: int32 = 0x10000 (4 bytes)
  //        clockid: clock_type = 0x1 (4 bytes)
  //        sample_regs_intr: int64 = 0x4 (8 bytes)
  //        aux_watermark: int32 = 0xffffff7f (4 bytes)
  //        sample_max_stack: int16 = 0xfffe (2 bytes)
  //        __reserved_2: const = 0x0 (2 bytes)
  //        aux_sample_size: int32 = 0x8000003 (4 bytes)
  //        __reserved_3: const = 0x0 (4 bytes)
  //        sig_data: int64 = 0x7 (8 bytes)
  //      }
  //    }
  //    pid: pid (resource)
  //    cpu: intptr = 0x1 (8 bytes)
  //    group: fd_perf (resource)
  //    flags: perf_flags = 0x8 (8 bytes)
  //  ]
  //  returns fd_perf
  NONFAILING(*(uint32_t*)0x200000000000 = 2);
  NONFAILING(*(uint32_t*)0x200000000004 = 0x80);
  NONFAILING(*(uint8_t*)0x200000000008 = 8);
  NONFAILING(*(uint8_t*)0x200000000009 = 1);
  NONFAILING(*(uint8_t*)0x20000000000a = 8);
  NONFAILING(*(uint8_t*)0x20000000000b = 1);
  NONFAILING(*(uint32_t*)0x20000000000c = 0);
  NONFAILING(*(uint64_t*)0x200000000010 = 2);
  NONFAILING(*(uint64_t*)0x200000000018 = 0x84143);
  NONFAILING(*(uint64_t*)0x200000000020 = 0x10);
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 0, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 1, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 2, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 3, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 4, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 5, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 6, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 7, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 8, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 9, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 10, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 11, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 12, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 13, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 14, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 3, 15, 2));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 17, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 18, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 19, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 20, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 21, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 22, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 23, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 24, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 25, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 26, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 27, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 28, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 29, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 30, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 31, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 32, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 33, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 34, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 35, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 36, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 37, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 38, 26));
  NONFAILING(*(uint32_t*)0x200000000030 = 0x7fff);
  NONFAILING(*(uint32_t*)0x200000000034 = 2);
  NONFAILING(*(uint64_t*)0x200000000038 = 0x29a);
  NONFAILING(*(uint64_t*)0x200000000040 = 8);
  NONFAILING(*(uint64_t*)0x200000000048 = 0x1800);
  NONFAILING(*(uint64_t*)0x200000000050 = 7);
  NONFAILING(*(uint32_t*)0x200000000058 = 0x10000);
  NONFAILING(*(uint32_t*)0x20000000005c = 1);
  NONFAILING(*(uint64_t*)0x200000000060 = 4);
  NONFAILING(*(uint32_t*)0x200000000068 = 0xffffff7f);
  NONFAILING(*(uint16_t*)0x20000000006c = 0xfffe);
  NONFAILING(*(uint16_t*)0x20000000006e = 0);
  NONFAILING(*(uint32_t*)0x200000000070 = 0x8000003);
  NONFAILING(*(uint32_t*)0x200000000074 = 0);
  NONFAILING(*(uint64_t*)0x200000000078 = 7);
  res = syscall(__NR_perf_event_open, /*attr=*/0x200000000000ul, /*pid=*/0,
                /*cpu=*/1ul, /*group=*/(intptr_t)-1,
                /*flags=PERF_FLAG_FD_CLOEXEC*/ 8ul);
  if (res != -1)
    r[0] = res;
  //  mmap arguments: [
  //    addr: VMA[0x1000]
  //    len: len = 0x1000 (8 bytes)
  //    prot: mmap_prot = 0x0 (8 bytes)
  //    flags: mmap_flags = 0x11 (8 bytes)
  //    fd: fd (resource)
  //    offset: intptr = 0x0 (8 bytes)
  //  ]
  syscall(__NR_mmap, /*addr=*/0x200000002000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_SHARED*/ 0x11ul, /*fd=*/r[0], /*offset=*/0ul);
  //  perf_event_open arguments: [
  //    attr: ptr[in, perf_event_attr] {
  //      perf_event_attr {
  //        type: perf_event_type = 0x2 (4 bytes)
  //        size: len = 0x80 (4 bytes)
  //        config0: int8 = 0x8 (1 bytes)
  //        config1: int8 = 0x1 (1 bytes)
  //        config2: int8 = 0x8 (1 bytes)
  //        config3: int8 = 0x1 (1 bytes)
  //        config4: const = 0x0 (4 bytes)
  //        sample_freq: int64 = 0x2 (8 bytes)
  //        sample_type: perf_sample_type = 0x84143 (8 bytes)
  //        read_format: perf_read_format = 0x10 (8 bytes)
  //        disabled: int64 = 0x1 (0 bytes)
  //        inherit: int64 = 0x1 (0 bytes)
  //        pinned: int64 = 0x1 (0 bytes)
  //        exclusive: int64 = 0x0 (0 bytes)
  //        exclude_user: int64 = 0x0 (0 bytes)
  //        exclude_kernel: int64 = 0x1 (0 bytes)
  //        exclude_hv: int64 = 0x1 (0 bytes)
  //        exclude_idle: int64 = 0x1 (0 bytes)
  //        mmap: int64 = 0x0 (0 bytes)
  //        comm: int64 = 0x1 (0 bytes)
  //        freq: int64 = 0x0 (0 bytes)
  //        inherit_stat: int64 = 0x0 (0 bytes)
  //        enable_on_exec: int64 = 0x0 (0 bytes)
  //        task: int64 = 0x1 (0 bytes)
  //        watermark: int64 = 0x0 (0 bytes)
  //        precise_ip: int64 = 0x3 (0 bytes)
  //        mmap_data: int64 = 0x1 (0 bytes)
  //        sample_id_all: int64 = 0x1 (0 bytes)
  //        exclude_host: int64 = 0x0 (0 bytes)
  //        exclude_guest: int64 = 0x0 (0 bytes)
  //        exclude_callchain_kernel: int64 = 0x1 (0 bytes)
  //        exclude_callchain_user: int64 = 0x0 (0 bytes)
  //        mmap2: int64 = 0x1 (0 bytes)
  //        comm_exec: int64 = 0x1 (0 bytes)
  //        use_clockid: int64 = 0x0 (0 bytes)
  //        context_switch: int64 = 0x0 (0 bytes)
  //        write_backward: int64 = 0x1 (0 bytes)
  //        namespaces: int64 = 0x0 (0 bytes)
  //        ksymbol: int64 = 0x0 (0 bytes)
  //        bpf_event: int64 = 0x1 (0 bytes)
  //        aux_output: int64 = 0x0 (0 bytes)
  //        cgroup: int64 = 0x0 (0 bytes)
  //        text_poke: int64 = 0x0 (0 bytes)
  //        build_id: int64 = 0x0 (0 bytes)
  //        inherit_thread: int64 = 0x1 (0 bytes)
  //        remove_on_exec: int64 = 0x0 (0 bytes)
  //        sigtrap: int64 = 0x0 (0 bytes)
  //        __reserved_1: const = 0x0 (8 bytes)
  //        wakeup_events: int32 = 0x7fff (4 bytes)
  //        bp_type: perf_bp_type = 0x2 (4 bytes)
  //        bp_config: union perf_bp_config {
  //          perf_config_ext: perf_config_ext {
  //            config1: int64 = 0x29a (8 bytes)
  //            config2: int64 = 0x8 (8 bytes)
  //          }
  //        }
  //        branch_sample_type: perf_branch_sample_type = 0x1800 (8 bytes)
  //        sample_regs_user: int64 = 0x7 (8 bytes)
  //        sample_stack_user: int32 = 0x10000 (4 bytes)
  //        clockid: clock_type = 0x1 (4 bytes)
  //        sample_regs_intr: int64 = 0x4 (8 bytes)
  //        aux_watermark: int32 = 0xffffff7f (4 bytes)
  //        sample_max_stack: int16 = 0xfffe (2 bytes)
  //        __reserved_2: const = 0x0 (2 bytes)
  //        aux_sample_size: int32 = 0x8000003 (4 bytes)
  //        __reserved_3: const = 0x0 (4 bytes)
  //        sig_data: int64 = 0x7 (8 bytes)
  //      }
  //    }
  //    pid: pid (resource)
  //    cpu: intptr = 0x1 (8 bytes)
  //    group: fd_perf (resource)
  //    flags: perf_flags = 0x2 (8 bytes)
  //  ]
  //  returns fd_perf
  NONFAILING(*(uint32_t*)0x200000000000 = 2);
  NONFAILING(*(uint32_t*)0x200000000004 = 0x80);
  NONFAILING(*(uint8_t*)0x200000000008 = 8);
  NONFAILING(*(uint8_t*)0x200000000009 = 1);
  NONFAILING(*(uint8_t*)0x20000000000a = 8);
  NONFAILING(*(uint8_t*)0x20000000000b = 1);
  NONFAILING(*(uint32_t*)0x20000000000c = 0);
  NONFAILING(*(uint64_t*)0x200000000010 = 2);
  NONFAILING(*(uint64_t*)0x200000000018 = 0x84143);
  NONFAILING(*(uint64_t*)0x200000000020 = 0x10);
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 0, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 1, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 2, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 3, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 4, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 5, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 6, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 7, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 8, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 9, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 10, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 11, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 12, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 13, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 14, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 3, 15, 2));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 17, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 18, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 19, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 20, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 21, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 22, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 23, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 24, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 25, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 26, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 27, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 28, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 29, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 30, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 31, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 32, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 33, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 34, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 1, 35, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 36, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 37, 1));
  NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x200000000028, 0, 38, 26));
  NONFAILING(*(uint32_t*)0x200000000030 = 0x7fff);
  NONFAILING(*(uint32_t*)0x200000000034 = 2);
  NONFAILING(*(uint64_t*)0x200000000038 = 0x29a);
  NONFAILING(*(uint64_t*)0x200000000040 = 8);
  NONFAILING(*(uint64_t*)0x200000000048 = 0x1800);
  NONFAILING(*(uint64_t*)0x200000000050 = 7);
  NONFAILING(*(uint32_t*)0x200000000058 = 0x10000);
  NONFAILING(*(uint32_t*)0x20000000005c = 1);
  NONFAILING(*(uint64_t*)0x200000000060 = 4);
  NONFAILING(*(uint32_t*)0x200000000068 = 0xffffff7f);
  NONFAILING(*(uint16_t*)0x20000000006c = 0xfffe);
  NONFAILING(*(uint16_t*)0x20000000006e = 0);
  NONFAILING(*(uint32_t*)0x200000000070 = 0x8000003);
  NONFAILING(*(uint32_t*)0x200000000074 = 0);
  NONFAILING(*(uint64_t*)0x200000000078 = 7);
  res = syscall(__NR_perf_event_open, /*attr=*/0x200000000000ul, /*pid=*/0,
                /*cpu=*/1ul, /*group=*/r[0], /*flags=PERF_FLAG_FD_OUTPUT*/ 2ul);
  if (res != -1)
    r[1] = res;
  //  mmap arguments: [
  //    addr: VMA[0x1000]
  //    len: len = 0x1000 (8 bytes)
  //    prot: mmap_prot = 0x100000b (8 bytes)
  //    flags: mmap_flags = 0x13 (8 bytes)
  //    fd: fd (resource)
  //    offset: intptr = 0x0 (8 bytes)
  //  ]
  syscall(__NR_mmap, /*addr=*/0x200000186000ul, /*len=*/0x1000ul,
          /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_WRITE|PROT_READ*/ 0x100000bul,
          /*flags=MAP_SHARED_VALIDATE|MAP_FIXED*/ 0x13ul, /*fd=*/r[1],
          /*offset=*/0ul);
  return 0;
}