// https://syzkaller.appspot.com/bug?id=f0950f973db470e1c7c8d8693fbc545950666ab1
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static __thread int skip_segv;
static __thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...)                                                        \
  {                                                                            \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    }                                                                          \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
  }

static long syz_open_procfs(volatile long a0, volatile long a1)
{
  char buf[128];
  memset(buf, 0, sizeof(buf));
  if (a0 == 0) {
    NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1));
  } else if (a0 == -1) {
    NONFAILING(snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1));
  } else {
    NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0,
                        (char*)a1));
  }
  int fd = open(buf, O_RDWR);
  if (fd == -1)
    fd = open(buf, O_RDONLY);
  return fd;
}

#ifndef __NR_lseek
#define __NR_lseek 19
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  install_segv_handler();
  intptr_t res = 0;
  NONFAILING(memcpy((void*)0x20000240,
                    "\000\000\000\000\000egy\305\216\313\034\370\217\312\017.?"
                    "\255\256\017\265\2732\311a\234\307\000\353\355X#"
                    "\3434\200O]\207\335\2114\332l;w\370\370\003?v\350$"
                    "\374\360\003\000\000\000WT2\231?$"
                    "\267FW\031\240\333X\t\020\217\254\275",
                    77));
  res = syz_open_procfs(0, 0x20000240);
  if (res != -1)
    r[0] = res;
  NONFAILING(
      memcpy((void*)0x200003c0,
             "mem\000\001y7SwaS."
             "\006ur\211\311B\253\343\372rent\000\252\032\375\256\v\277\330d"
             "\273\2579Q\336\373\037Y\215o\321\026\316(\202\361\277{"
             "5Z\023\025\024\327\270\316\3620\036\300\302\355<?"
             "\307\266s\312\377\226\232}+Q\322\331{"
             "\312\206Vw\336\263\206\221\375\265p\333$ "
             "j\373\370\355w\364\0261a.\307\n\340X?\304\364BW\001\037-"
             "\314\001\320W\310\3609\fV\033|A)\270\332#NP\034\235\223#"
             "V\237\"v\031n{\226\252\2750\216f\235\2708CP(}w\214\273\334%\ax "
             "\020\321\n(\250=\3654\251\313\351\227T\317\317\207t",
             184));
  syscall(__NR_openat, (intptr_t)r[0], 0x200003c0, 0, 0);
  NONFAILING(memcpy((void*)0x20000040, "fd/4\000", 5));
  res = syz_open_procfs(0, 0x20000040);
  if (res != -1)
    r[1] = res;
  syscall(__NR_lseek, (intptr_t)r[1], 0x20400000, 0);
  syscall(__NR_mmap, 0x20000000, 0xb36000, 4, 0x8031, -1, -1);
  NONFAILING(*(uint32_t*)0x20000080 = 0xf);
  NONFAILING(*(uint8_t*)0x20000084 = 0x1f);
  NONFAILING(*(uint16_t*)0x20000085 = 0);
  NONFAILING(*(uint64_t*)0x20000087 = 0);
  syscall(__NR_write, (intptr_t)r[1], 0x20000080, 0x2000008f);
  return 0;
}