// https://syzkaller.appspot.com/bug?id=d369eafab7836fe0dd2e027d2689da06cad8e1a3
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kRetryStatus = 69;

__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

__attribute__((noreturn)) static void fail(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) static void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len)                          \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)              \
  if ((bf_off) == 0 && (bf_len) == 0) {                                \
    *(type*)(addr) = (type)(val);                                      \
  } else {                                                             \
    type new_val = *(type*)(addr);                                     \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);  \
    *(type*)(addr) = new_val;                                          \
  }

struct csum_inet {
  uint32_t acc;
};

static void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

static void csum_inet_update(struct csum_inet* csum,
                             const uint8_t* data, size_t length)
{
  if (length == 0)
    return;

  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];

  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];

  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

void loop()
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
  }
}

long r[248];
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    *(uint32_t*)0x20000000 = (uint32_t)0x0;
    *(uint16_t*)0x20000004 = (uint16_t)0x0;
    *(uint16_t*)0x20000006 = (uint16_t)0x0;
    r[4] = syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x84ul,
                   0x17ul, 0x20000000ul, 0x8ul);
    break;
  case 2:
    r[5] = syscall(__NR_socket, 0x2ul, 0x400000005ul, 0xfffful);
    break;
  case 3:
    memcpy((void*)0x2022c000, "\xb9\x0e\x18\x66\x44\xf6", 6);
    *(uint8_t*)0x2022c006 = (uint8_t)0xaa;
    *(uint8_t*)0x2022c007 = (uint8_t)0xaa;
    *(uint8_t*)0x2022c008 = (uint8_t)0xaa;
    *(uint8_t*)0x2022c009 = (uint8_t)0xaa;
    *(uint8_t*)0x2022c00a = (uint8_t)0xaa;
    *(uint8_t*)0x2022c00b = (uint8_t)0x0;
    *(uint16_t*)0x2022c00c = (uint16_t)0x8;
    STORE_BY_BITMASK(uint8_t, 0x2022c00e, 0x10001, 0, 4);
    STORE_BY_BITMASK(uint8_t, 0x2022c00e, 0x6, 4, 4);
    memcpy((void*)0x2022c00f, "\x11\xe8\x74", 3);
    *(uint16_t*)0x2022c012 = (uint16_t)0x1401;
    *(uint8_t*)0x2022c014 = (uint8_t)0x6c;
    *(uint8_t*)0x2022c015 = (uint8_t)0x5;
    *(uint8_t*)0x2022c016 = (uint8_t)0xfe;
    *(uint8_t*)0x2022c017 = (uint8_t)0x80;
    *(uint8_t*)0x2022c018 = (uint8_t)0x0;
    *(uint8_t*)0x2022c019 = (uint8_t)0x0;
    *(uint8_t*)0x2022c01a = (uint8_t)0x0;
    *(uint8_t*)0x2022c01b = (uint8_t)0x0;
    *(uint8_t*)0x2022c01c = (uint8_t)0x0;
    *(uint8_t*)0x2022c01d = (uint8_t)0x0;
    *(uint8_t*)0x2022c01e = (uint8_t)0x0;
    *(uint8_t*)0x2022c01f = (uint8_t)0x0;
    *(uint8_t*)0x2022c020 = (uint8_t)0x0;
    *(uint8_t*)0x2022c021 = (uint8_t)0x0;
    *(uint8_t*)0x2022c022 = (uint8_t)0x0;
    *(uint8_t*)0x2022c023 = (uint8_t)0x0;
    *(uint8_t*)0x2022c024 = (uint8_t)0x0;
    *(uint8_t*)0x2022c025 = (uint8_t)0xbb;
    *(uint8_t*)0x2022c026 = (uint8_t)0xfe;
    *(uint8_t*)0x2022c027 = (uint8_t)0x80;
    *(uint8_t*)0x2022c028 = (uint8_t)0x0;
    *(uint8_t*)0x2022c029 = (uint8_t)0x0;
    *(uint8_t*)0x2022c02a = (uint8_t)0x0;
    *(uint8_t*)0x2022c02b = (uint8_t)0x0;
    *(uint8_t*)0x2022c02c = (uint8_t)0x0;
    *(uint8_t*)0x2022c02d = (uint8_t)0x0;
    *(uint8_t*)0x2022c02e = (uint8_t)0x0;
    *(uint8_t*)0x2022c02f = (uint8_t)0x0;
    *(uint8_t*)0x2022c030 = (uint8_t)0x0;
    *(uint8_t*)0x2022c031 = (uint8_t)0x0;
    *(uint8_t*)0x2022c032 = (uint8_t)0x0;
    *(uint8_t*)0x2022c033 = (uint8_t)0x0;
    *(uint8_t*)0x2022c034 = (uint8_t)0x0;
    *(uint8_t*)0x2022c035 = (uint8_t)0xbb;
    *(uint8_t*)0x2022c036 = (uint8_t)0x0;
    *(uint8_t*)0x2022c037 = (uint8_t)0x0;
    *(uint8_t*)0x2022c038 = (uint8_t)0x0;
    *(uint8_t*)0x2022c039 = (uint8_t)0x0;
    *(uint8_t*)0x2022c03a = (uint8_t)0x0;
    *(uint8_t*)0x2022c03b = (uint8_t)0x0;
    *(uint8_t*)0x2022c03c = (uint8_t)0x0;
    *(uint8_t*)0x2022c03d = (uint8_t)0x0;
    *(uint8_t*)0x2022c03e = (uint8_t)0xc9;
    *(uint8_t*)0x2022c03f = (uint8_t)0x0;
    *(uint8_t*)0x2022c040 = (uint8_t)0xff;
    *(uint8_t*)0x2022c041 = (uint8_t)0x0;
    *(uint8_t*)0x2022c042 = (uint8_t)0xbf;
    *(uint8_t*)0x2022c043 = (uint8_t)0x6;
    *(uint8_t*)0x2022c044 = (uint8_t)0x1;
    STORE_BY_BITMASK(uint8_t, 0x2022c045, 0x2, 0, 1);
    STORE_BY_BITMASK(uint8_t, 0x2022c045, 0x3, 1, 2);
    STORE_BY_BITMASK(uint8_t, 0x2022c045, 0x1f, 3, 5);
    *(uint32_t*)0x2022c046 = (uint32_t)0x66;
    *(uint8_t*)0x2022c04a = (uint8_t)0xff;
    *(uint8_t*)0x2022c04b = (uint8_t)0x101;
    *(uint8_t*)0x2022c04c = (uint8_t)0xfffffffffffffe00;
    STORE_BY_BITMASK(uint8_t, 0x2022c04d, 0x2, 0, 1);
    STORE_BY_BITMASK(uint8_t, 0x2022c04d, 0x401, 1, 2);
    STORE_BY_BITMASK(uint8_t, 0x2022c04d, 0xfffffffffffffff7, 3, 5);
    *(uint32_t*)0x2022c04e = (uint32_t)0x66;
    *(uint8_t*)0x2022c052 = (uint8_t)0x8;
    *(uint8_t*)0x2022c053 = (uint8_t)0x6;
    *(uint8_t*)0x2022c054 = (uint8_t)0x0;
    *(uint8_t*)0x2022c055 = (uint8_t)0x2;
    *(uint32_t*)0x2022c056 = (uint32_t)0x1f000000;
    *(uint8_t*)0x2022c05a = (uint8_t)0xfe;
    *(uint8_t*)0x2022c05b = (uint8_t)0x80;
    *(uint8_t*)0x2022c05c = (uint8_t)0x0;
    *(uint8_t*)0x2022c05d = (uint8_t)0x0;
    *(uint8_t*)0x2022c05e = (uint8_t)0x0;
    *(uint8_t*)0x2022c05f = (uint8_t)0x0;
    *(uint8_t*)0x2022c060 = (uint8_t)0x0;
    *(uint8_t*)0x2022c061 = (uint8_t)0x0;
    *(uint8_t*)0x2022c062 = (uint8_t)0x0;
    *(uint8_t*)0x2022c063 = (uint8_t)0x0;
    *(uint8_t*)0x2022c064 = (uint8_t)0x0;
    *(uint8_t*)0x2022c065 = (uint8_t)0x0;
    *(uint8_t*)0x2022c066 = (uint8_t)0x0;
    *(uint8_t*)0x2022c067 = (uint8_t)0x0;
    *(uint8_t*)0x2022c068 = (uint8_t)0x0;
    *(uint8_t*)0x2022c069 = (uint8_t)0xaa;
    *(uint8_t*)0x2022c06a = (uint8_t)0x0;
    *(uint8_t*)0x2022c06b = (uint8_t)0x0;
    *(uint8_t*)0x2022c06c = (uint8_t)0x0;
    *(uint8_t*)0x2022c06d = (uint8_t)0x0;
    *(uint8_t*)0x2022c06e = (uint8_t)0x0;
    *(uint8_t*)0x2022c06f = (uint8_t)0x0;
    *(uint8_t*)0x2022c070 = (uint8_t)0x0;
    *(uint8_t*)0x2022c071 = (uint8_t)0x0;
    *(uint8_t*)0x2022c072 = (uint8_t)0x0;
    *(uint8_t*)0x2022c073 = (uint8_t)0x0;
    *(uint8_t*)0x2022c074 = (uint8_t)0x0;
    *(uint8_t*)0x2022c075 = (uint8_t)0x0;
    *(uint8_t*)0x2022c076 = (uint8_t)0x0;
    *(uint8_t*)0x2022c077 = (uint8_t)0x0;
    *(uint8_t*)0x2022c078 = (uint8_t)0x0;
    *(uint8_t*)0x2022c079 = (uint8_t)0x0;
    *(uint64_t*)0x2022c07a = (uint64_t)0x0;
    *(uint64_t*)0x2022c082 = (uint64_t)0x100000000000000;
    *(uint8_t*)0x2022c08a = (uint8_t)0xff;
    *(uint8_t*)0x2022c08b = (uint8_t)0xa;
    *(uint8_t*)0x2022c08c = (uint8_t)0x3;
    *(uint8_t*)0x2022c08d = (uint8_t)0x20;
    *(uint32_t*)0x2022c08e = (uint32_t)0x7f000000;
    *(uint8_t*)0x2022c092 = (uint8_t)0xfe;
    *(uint8_t*)0x2022c093 = (uint8_t)0x80;
    *(uint8_t*)0x2022c094 = (uint8_t)0x0;
    *(uint8_t*)0x2022c095 = (uint8_t)0x0;
    *(uint8_t*)0x2022c096 = (uint8_t)0x0;
    *(uint8_t*)0x2022c097 = (uint8_t)0x0;
    *(uint8_t*)0x2022c098 = (uint8_t)0x0;
    *(uint8_t*)0x2022c099 = (uint8_t)0x0;
    *(uint8_t*)0x2022c09a = (uint8_t)0x0;
    *(uint8_t*)0x2022c09b = (uint8_t)0x0;
    *(uint8_t*)0x2022c09c = (uint8_t)0x0;
    *(uint8_t*)0x2022c09d = (uint8_t)0x0;
    *(uint8_t*)0x2022c09e = (uint8_t)0x0;
    *(uint8_t*)0x2022c09f = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a0 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a1 = (uint8_t)0xbb;
    *(uint8_t*)0x2022c0a2 = (uint8_t)0xfe;
    *(uint8_t*)0x2022c0a3 = (uint8_t)0x80;
    *(uint8_t*)0x2022c0a4 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a5 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a6 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a7 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a8 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0a9 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0aa = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ab = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ac = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ad = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ae = (uint8_t)0x0;
    *(uint8_t*)0x2022c0af = (uint8_t)0x0;
    *(uint8_t*)0x2022c0b0 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0b1 = (uint8_t)0xbb;
    *(uint64_t*)0x2022c0b2 = (uint64_t)0x0;
    *(uint64_t*)0x2022c0ba = (uint64_t)0x100000000000000;
    *(uint8_t*)0x2022c0c2 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c3 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c4 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c5 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c6 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c7 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c8 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0c9 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ca = (uint8_t)0x0;
    *(uint8_t*)0x2022c0cb = (uint8_t)0x0;
    *(uint8_t*)0x2022c0cc = (uint8_t)0x0;
    *(uint8_t*)0x2022c0cd = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ce = (uint8_t)0x0;
    *(uint8_t*)0x2022c0cf = (uint8_t)0x0;
    *(uint8_t*)0x2022c0d0 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0d1 = (uint8_t)0x0;
    *(uint64_t*)0x2022c0d2 = (uint64_t)0x0;
    *(uint64_t*)0x2022c0da = (uint64_t)0x100000000000000;
    *(uint8_t*)0x2022c0e2 = (uint8_t)0x7f;
    *(uint8_t*)0x2022c0e3 = (uint8_t)0xa;
    *(uint8_t*)0x2022c0e4 = (uint8_t)0x2;
    *(uint8_t*)0x2022c0e5 = (uint8_t)0x7;
    *(uint32_t*)0x2022c0e6 = (uint32_t)0x100000;
    *(uint8_t*)0x2022c0ea = (uint8_t)0xfe;
    *(uint8_t*)0x2022c0eb = (uint8_t)0x80;
    *(uint8_t*)0x2022c0ec = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ed = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ee = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ef = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f0 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f1 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f2 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f3 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f4 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f5 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f6 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f7 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f8 = (uint8_t)0x0;
    *(uint8_t*)0x2022c0f9 = (uint8_t)0xaa;
    *(uint8_t*)0x2022c0fa = (uint8_t)0xfe;
    *(uint8_t*)0x2022c0fb = (uint8_t)0x80;
    *(uint8_t*)0x2022c0fc = (uint8_t)0x0;
    *(uint8_t*)0x2022c0fd = (uint8_t)0x0;
    *(uint8_t*)0x2022c0fe = (uint8_t)0x0;
    *(uint8_t*)0x2022c0ff = (uint8_t)0x0;
    *(uint8_t*)0x2022c100 = (uint8_t)0x0;
    *(uint8_t*)0x2022c101 = (uint8_t)0x0;
    *(uint8_t*)0x2022c102 = (uint8_t)0x0;
    *(uint8_t*)0x2022c103 = (uint8_t)0x0;
    *(uint8_t*)0x2022c104 = (uint8_t)0x0;
    *(uint8_t*)0x2022c105 = (uint8_t)0x0;
    *(uint8_t*)0x2022c106 = (uint8_t)0x0;
    *(uint8_t*)0x2022c107 = (uint8_t)0x0;
    *(uint8_t*)0x2022c108 = (uint8_t)0x0;
    *(uint8_t*)0x2022c109 = (uint8_t)0xaa;
    *(uint64_t*)0x2022c10a = (uint64_t)0x0;
    *(uint64_t*)0x2022c112 = (uint64_t)0x100000000000000;
    *(uint64_t*)0x2022c11a = (uint64_t)0x0;
    *(uint64_t*)0x2022c122 = (uint64_t)0x100000000000000;
    *(uint8_t*)0x2022c12a = (uint8_t)0xfe;
    *(uint8_t*)0x2022c12b = (uint8_t)0x80;
    *(uint8_t*)0x2022c12c = (uint8_t)0x0;
    *(uint8_t*)0x2022c12d = (uint8_t)0x0;
    *(uint8_t*)0x2022c12e = (uint8_t)0x0;
    *(uint8_t*)0x2022c12f = (uint8_t)0x0;
    *(uint8_t*)0x2022c130 = (uint8_t)0x0;
    *(uint8_t*)0x2022c131 = (uint8_t)0x0;
    *(uint8_t*)0x2022c132 = (uint8_t)0x0;
    *(uint8_t*)0x2022c133 = (uint8_t)0x0;
    *(uint8_t*)0x2022c134 = (uint8_t)0x0;
    *(uint8_t*)0x2022c135 = (uint8_t)0x0;
    *(uint8_t*)0x2022c136 = (uint8_t)0x0;
    *(uint8_t*)0x2022c137 = (uint8_t)0x0;
    *(uint8_t*)0x2022c138 = (uint8_t)0x0;
    *(uint8_t*)0x2022c139 = (uint8_t)0xbb;
    *(uint16_t*)0x2022c13a = (uint16_t)0x224e;
    *(uint16_t*)0x2022c13c = (uint16_t)0x224e;
    *(uint8_t*)0x2022c13e = (uint8_t)0x4;
    STORE_BY_BITMASK(uint8_t, 0x2022c13f, 0x1, 0, 4);
    STORE_BY_BITMASK(uint8_t, 0x2022c13f, 0x401, 4, 4);
    *(uint16_t*)0x2022c140 = (uint16_t)0x0;
    STORE_BY_BITMASK(uint8_t, 0x2022c142, 0x0, 0, 1);
    STORE_BY_BITMASK(uint8_t, 0x2022c142, 0x8, 1, 4);
    STORE_BY_BITMASK(uint8_t, 0x2022c142, 0x1002, 5, 3);
    memcpy((void*)0x2022c143, "\xa2\xfd\x76", 3);
    *(uint8_t*)0x2022c146 = (uint8_t)0x0;
    memcpy((void*)0x2022c147, "\x3c\xe0\xca", 3);
    struct csum_inet csum_243;
    csum_inet_init(&csum_243);
    csum_inet_update(&csum_243, (const uint8_t*)0x2022c016, 16);
    csum_inet_update(&csum_243, (const uint8_t*)0x2022c026, 16);
    uint32_t csum_243_chunk_2 = 0x10000000;
    csum_inet_update(&csum_243, (const uint8_t*)&csum_243_chunk_2, 4);
    uint32_t csum_243_chunk_3 = 0x21000000;
    csum_inet_update(&csum_243, (const uint8_t*)&csum_243_chunk_3, 4);
    csum_inet_update(&csum_243, (const uint8_t*)0x2022c13a, 16);
    *(uint16_t*)0x2022c140 = csum_inet_digest(&csum_243);
    break;
  case 4:
    memcpy((void*)0x2002aff7, "\x2f\x64\x65\x76\x2f\x6b\x76\x6d\x00",
           9);
    r[246] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x2002aff7ul,
                     0x0ul, 0x0ul);
    break;
  case 5:
    r[247] = syscall(__NR_ioctl, r[246], 0xae01ul, 0x0ul);
    break;
  }
  return 0;
}

void test()
{
  long i;
  pthread_t th[12];

  memset(r, -1, sizeof(r));
  srand(getpid());
  for (i = 0; i < 6; i++) {
    pthread_create(&th[i], 0, thr, (void*)i);
    usleep(rand() % 10000);
  }
  for (i = 0; i < 6; i++) {
    pthread_create(&th[6 + i], 0, thr, (void*)i);
    if (rand() % 2)
      usleep(rand() % 10000);
  }
  usleep(rand() % 100000);
}

int main()
{
  int i;
  for (i = 0; i < 8; i++) {
    if (fork() == 0) {
      loop();
      return 0;
    }
  }
  sleep(1000000);
  return 0;
}