// https://syzkaller.appspot.com/bug?id=8029c7296c5e7960eaaecc7a5cf05316ccd7aa4a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-crash reproducer.  main() maps a fixed scratch region, forks six
// worker processes, and each worker keeps re-running execute_one() in a
// fresh child under a 5 s watchdog.  execute_one() is the syzkaller program
// itself: it creates a node with mknod, opens it twice, issues one ioctl and
// two pwritev calls, then two fcntl calls on fd -1 and a ktrace request.
// Every data address it touches lies inside the region mapped in main(), so
// execute_one() is only meaningful after that mmap has succeeded.
//
// NOTE(review): the original #include list was lost when this page was
// extracted; the headers below are the ones the visible code needs.  Confirm
// against the original reproducer before building.
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Fallback syscall numbers for toolchains whose <sys/syscall.h> lacks them;
// the values appear to be OpenBSD's table.
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_ioctl
#define SYS_ioctl 54
#endif
#ifndef SYS_ktrace
#define SYS_ktrace 45
#endif
#ifndef SYS_mknod
#define SYS_mknod 450
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_pwritev
#define SYS_pwritev 290
#endif

// Worker index assigned in main() before each fork; nothing in this file
// reads it afterwards.
static unsigned long long procid;

// SIGKILL the child `pid` and reap children until its status arrives.
// waitpid(-1, ...) also consumes any other terminated child on the way.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for `ms` milliseconds (via usleep).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; the whole process exits on failure.
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now))
    exit(1);
  return (uint64_t)now.tv_sec * 1000 + (uint64_t)now.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Worker loop: fork a child that runs execute_one() once, poll for it every
// millisecond, and kill it if it has not exited within 5 seconds.  Never
// returns.
static void loop(void)
{
  for (;;) {
    int child = fork();
    if (child < 0)
      exit(1);
    if (child == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t started = current_time_ms();
    while (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) != child) {
      sleep_ms(1);
      if (current_time_ms() - started >= 5000) {
        kill_and_wait(child, &status);
        break;
      }
    }
  }
}

// Results of earlier calls reused as arguments later: r[0] and r[1] are the
// two open() fds, r[2] the fcntl() result.  -1 marks "not obtained".
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0};

// The generated syscall program.  All addresses are inside the 16 MiB region
// mapped at 0x20000000 by main().
static void execute_one(void)
{
  intptr_t res = 0;

  // mknod("./file0", 0x2876, 0x40000800): the mode's file-type bits (0x2000)
  // select a character-special node.
  memcpy((void*)0x20000080, "./file0\000", 8);
  syscall(SYS_mknod, /*file=*/0x20000080ul, /*mode=*/0x2876ul, /*dev=*/0x40000800ul);

  // r[0] = open("./file0", 0, 0)
  memcpy((void*)0x200000c0, "./file0\000", 8);
  res = syscall(SYS_open, /*file=*/0x200000c0ul, /*flags=*/0ul, /*mode=*/0ul);
  if (res != -1)
    r[0] = res;

  // ioctl(r[0], 0x80047401, &arg) with a 4-byte in-argument of 5.
  *(uint32_t*)0x20000040 = 5;
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x80047401ul, /*arg=*/0x20000040ul);

  // r[1] = open("./file0", 0x40000400001803c1, 0)
  memcpy((void*)0x20000000, "./file0\000", 8);
  res = syscall(SYS_open, /*file=*/0x20000000ul, /*flags=*/0x40000400001803c1ul, /*mode=*/0ul);
  if (res != -1)
    r[1] = res;

  // First pwritev(r[1], iov, 3, 0): a three-entry iovec at 0x20000440 whose
  // lengths are all zero (entry 1 also has a NULL base).
  *(uint64_t*)0x20000440 = 0x20000180;
  *(uint64_t*)0x20000448 = 0;
  *(uint64_t*)0x20000450 = 0;
  *(uint64_t*)0x20000458 = 0;
  *(uint64_t*)0x20000460 = 0x20000300;
  *(uint64_t*)0x20000468 = 0;
  syscall(SYS_pwritev, /*fd=*/r[1], /*vec=*/0x20000440ul, /*vlen=*/3ul, /*off=*/0ul);

  // Second pwritev: the same iovec now points at three fuzzer-chosen
  // payloads of 166, 135 and 100 bytes.
  *(uint64_t*)0x20000440 = 0x20000180;
  memcpy((void*)0x20000180,
         "\x32\xaa\x2f\x67\xb0\x2a\x2e\x76\x16\xae\xd4\x98\x7b\x87\x11\x53\xd4"
         "\xee\x5a\xf1\xd8\xc8\x0c\x4c\x7d\x43\xa2\xcf\x69\x2a\xfb\xc6\xda\xb4"
         "\x9d\x2c\xe2\x73\x22\x27\x22\x6f\x93\x44\xb0\x96\x0c\xa9\xae\xf1\xdc"
         "\x56\x86\xac\xc9\xd9\x0c\xcf\xaf\x2c\x90\xa7\x6d\xbd\x3e\xcb\x9b\xa1"
         "\xbd\xcc\x3b\x2a\x71\x5b\xca\xf6\x0f\xf7\x6e\x86\x12\x06\xc0\xa8\x56"
         "\xb6\xda\xb8\xda\x07\x39\x48\xc1\xe5\x57\x24\x79\x38\xcb\xdb\x5b\xf8"
         "\xb1\x92\x71\x1b\x9e\xa4\xd7\x4e\xc3\x0c\x57\x07\x7e\x9d\x79\xe1\x95"
         "\x94\x10\xd2\x93\x0b\x1b\x72\xa4\xb6\x74\xac\x05\x63\x81\xdf\xfb\x1c"
         "\x16\x0c\x5f\xf9\x56\x4f\x33\xa2\xed\x18\x54\x12\x3c\x69\xab\xa5\xac"
         "\x87\x54\x85\x86\xd9\x11\x25\x26\x58\x69\x16\x31\x8a",
         166);
  *(uint64_t*)0x20000448 = 0xa6;
  *(uint64_t*)0x20000450 = 0x20000240;
  memcpy((void*)0x20000240,
         "\xfa\xe8\xa4\x81\xee\xe1\x38\x4c\xec\x30\x11\x93\x44\x53\x39\x4b\x72"
         "\xd6\xf3\x0a\x22\x3c\x22\x47\x3f\x3e\x6f\x96\x1c\x00\xe2\x52\x31\x32"
         "\x15\xc0\x55\x40\x30\x15\x4c\xa0\x93\x6c\x00\x47\x94\xb0\xba\x04\x10"
         "\xa0\xcc\x00\x45\xda\xf0\x63\x95\x1e\xa2\x32\x76\x44\xc7\xb8\xb1\xb8"
         "\x9c\xc1\x03\xdf\x94\xdb\x58\x0b\xeb\x75\xeb\xa0\xab\x37\x70\xa1\x65"
         "\xdf\x89\x39\xb2\xe7\xcf\xad\xfb\x9a\xec\x6f\xa6\x44\x88\x16\xfc\x1c"
         "\x01\xc6\xf8\x3e\x66\xaf\x26\xab\x1b\x62\x69\x7e\x2c\x14\xfd\x90\x2e"
         "\x70\xd6\x8f\xad\xcb\x85\x25\x20\xd8\x31\x92\xbf\x03\xd1\x5d\xc7",
         135);
  *(uint64_t*)0x20000458 = 0x87;
  *(uint64_t*)0x20000460 = 0x20000300;
  memcpy((void*)0x20000300,
         "\x09\x2e\x90\xbf\xe5\xf9\xad\xc9\x98\x7f\x91\x24\xbe\xb4\xa9\x62\xe9"
         "\x4f\x0c\x51\x05\x26\xb2\x06\xe1\xf6\xb9\x4c\x0e\x29\xb1\xa8\x98\xb3"
         "\xe7\x96\x76\xde\x87\xb1\x64\x67\xb1\x94\xf1\x69\x43\xf1\xe3\x95\xdb"
         "\x64\x8b\xf0\x3f\xee\x6f\x76\x3f\x0e\x15\x20\xa5\x7e\x6e\x9f\xb4\xb1"
         "\x8b\x4b\x4f\x09\x55\xc5\x4c\xff\x84\x31\x84\x0b\x9e\x39\x10\x0e\x2d"
         "\x9f\x8c\xf9\x5b\x3b\x9c\x9c\x8a\x42\xaa\x57\xb3\xe9\x11\x2b",
         100);
  *(uint64_t*)0x20000468 = 0x64;
  syscall(SYS_pwritev, /*fd=*/r[1], /*vec=*/0x20000440ul, /*vlen=*/3ul, /*off=*/0ul);

  // fcntl(-1, 3, 0): fd -1 is always invalid, so this fails and r[2] keeps
  // its initial value of 0.
  res = syscall(SYS_fcntl, /*fd=*/-1, /*cmd=*/3ul, 0);
  if (res != -1)
    r[2] = res;

  // A 28-byte record the generator labels `lock`, then fcntl(-1, 0, &lock).
  *(uint16_t*)0x200000c0 = 0;
  *(uint16_t*)0x200000c2 = 0;
  *(uint64_t*)0x200000c8 = 0x1ff;
  *(uint64_t*)0x200000d0 = 0;
  *(uint32_t*)0x200000d8 = r[2];
  syscall(SYS_fcntl, /*fd=*/-1, /*cmd=*/0ul, /*lock=*/0x200000c0ul);

  // ktrace("./file0", ops 2, trpoints 0x10, pid r[2]).
  memcpy((void*)0x20000100, "./file0\000", 8);
  syscall(SYS_ktrace, /*tracefile=*/0x20000100ul, /*ops=*/2ul, /*trpoints=*/0x10ul, /*pid=*/r[2]);
}

int main(void)
{
  // Scratch region for every fixed address above: 16 MiB at 0x20000000,
  // prot 3 (read|write).  flags 0x1012 looks like MAP_PRIVATE|MAP_FIXED|
  // MAP_ANON under BSD values -- confirm for the target.  The result is not
  // checked; if it fails, execute_one() writes to unmapped memory.
  syscall(SYS_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/3ul, /*flags=*/0x1012ul, /*fd=*/-1, /*pad=*/0ul, /*offset=*/0ul);

  // Six workers; each child runs loop() forever.  The parent only sleeps.
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0)
      loop();
  }
  sleep(1000000);
  return 0;
}