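// https://syzkaller.appspot.com/bug?id=c3b2047d09b799449f1053396db04feda6fb9a7f
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. It creates a family-0x21 (AF_RXRPC on Linux)
// datagram socket, connect()s it with a 36-byte sockaddr, and issues one
// sendmmsg() carrying a 0x18-byte control message, all from inside a fresh
// set of namespaces with a few capabilities dropped.
//
// Operational caveats for anyone running this:
//   * It is meant to crash or wedge the kernel. Run it as root inside a
//     disposable VM, never on a shared or production host.
//   * Every mount()/unshare() failure is ignored on purpose. Without
//     CAP_SYS_ADMIN nothing is isolated and the /proc/sys/kernel/* writes
//     below (if permitted) land in the host's IPC namespace.
//   * main() maps a fixed 16 MiB region at 0x20000000 with MAP_FIXED; all
//     syscall arguments are built by hand in that region.
//
// The include list below was reconstructed from what the code actually
// uses; the original extraction had lost the header names.

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <linux/capability.h>

// Format `what` printf-style and write the result to `file` with a single
// write(2). Returns false, with errno preserved from the failing call, if
// the file cannot be opened or the write is short. Output longer than 1023
// bytes is silently truncated by vsnprintf; every caller here writes short
// fixed sysctl values, so that is acceptable.
__attribute__((format(printf, 2, 3)))
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0; // vsnprintf already terminates; kept as a guard
  size_t len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  ssize_t n = write(fd, buf, len);
  if (n < 0 || (size_t)n != len) {
    int err = errno; // close() may clobber errno
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Highest fd number (exclusive) that close_fds() sweeps.
#define MAX_FDS 30

// Best effort: mount fusectl so leaked FUSE connections can be aborted.
// Failure (not root, no fusectl, already mounted) is deliberately ignored.
static void setup_common(void)
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    // ignored on purpose
  }
}

static void loop(void);

// Confine the child: die with the parent, detach into its own session,
// cap resource usage, and move into fresh mount/IPC/cgroup/UTS/SysV-sem
// namespaces. Then raise the SysV IPC limits the reproducer may need.
// Every unshare() result is ignored: when it fails the code simply runs
// in the caller's namespace, which is the security caveat noted at the top.
static void sandbox_common(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();

  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB max file size
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256; // fd limit
  setrlimit(RLIMIT_NOFILE, &rlim);

  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  if (unshare(0x02000000)) { // CLONE_NEWCGROUP; spelled numerically for old libcs
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }

  // These sysctls are per-IPC-namespace on current kernels, so after a
  // successful unshare(CLONE_NEWIPC) they do not touch the host. If that
  // unshare failed, the host's values are modified instead. Write failures
  // (e.g. read-only /proc/sys) are ignored, as in the original.
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  // Pass the value through "%s" so the table contents are never treated
  // as a format string (the values contain no '%', so output is unchanged).
  for (size_t i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, "%s", sysctls[i].value);
}

// Wait for the sandbox child `pid` to exit and return its exit status.
// Any other child reaped meanwhile is ignored. A negative pid means fork()
// failed, so there is nothing to wait for and the process exits.
int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  for (;;) {
    int w = waitpid(-1, &status, __WALL);
    if (w == pid)
      break;
    // No children left (ECHILD) or another hard error: the original spun
    // forever here. Retry only on EINTR.
    if (w == -1 && errno != EINTR)
      exit(1);
  }
  return WEXITSTATUS(status);
}

// Drop CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets so the reproducer cannot ptrace or reprioritise other
// tasks. Both capabilities are below 32, so only the first of the two
// _LINUX_CAPABILITY_VERSION_3 words is touched. Exits on capget/capset
// failure rather than continuing with more privilege than intended.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// Sandbox "none": enter a new PID namespace, fork so the child becomes
// PID 1 there, and have the parent wait for it. The child sets up the
// environment, drops capabilities, moves into an empty network namespace
// (so the socket below sees no real interfaces), runs loop() once and
// exits with status 1. Returns the child's exit status in the parent.
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  loop();
  exit(1);
}

// Close every descriptor from 3 up to MAX_FDS-1, including the socket
// created in loop(). Errors (EBADF for unused slots) are expected and ignored.
static void close_fds(void)
{
  for (int fd = 3; fd < MAX_FDS; fd++)
    close(fd);
}

// Result slot for the socket fd; -1 (all ones) until socket() succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// One run of the reproducer. All syscall arguments live in the 16 MiB
// region main() maps at 0x20000000 and are written field by field in the
// kernel's ABI layout.
static void loop(void)
{
  intptr_t res = 0;

  // socket(family, SOCK_DGRAM, 2). Only the low 32 bits of the family
  // argument reach the kernel, so 0x2000000000000021 is family 33, which
  // is AF_RXRPC on Linux.
  res = syscall(__NR_socket, 0x2000000000000021ul, 2ul, 2);
  if (res != -1)
    r[0] = res;

  // 36-byte sockaddr at 0x20000040, laid out like struct sockaddr_rxrpc:
  //   srx_family = 0x21, srx_service = 0, transport_type = 2 (SOCK_DGRAM),
  //   transport_len = 0x10, transport.sin = { AF_INET, port 0, 0.0.0.0 }.
  *(uint16_t*)0x20000040 = 0x21;
  *(uint16_t*)0x20000042 = 0;
  *(uint16_t*)0x20000044 = 2;
  *(uint16_t*)0x20000046 = 0x10;
  *(uint16_t*)0x20000048 = 2;
  *(uint16_t*)0x2000004a = htobe16(0);
  *(uint32_t*)0x2000004c = htobe32(0);
  syscall(__NR_connect, r[0], 0x20000040ul, 0x24ul);

  // struct mmsghdr at 0x20005c00: msg_name = NULL, msg_namelen = 0,
  // msg_iov = NULL, msg_iovlen = 0, msg_control = 0x20000880,
  // msg_controllen = 0x18, msg_flags = 0, msg_len = 0.
  *(uint64_t*)0x20005c00 = 0;
  *(uint32_t*)0x20005c08 = 0;
  *(uint64_t*)0x20005c10 = 0;
  *(uint64_t*)0x20005c18 = 0;
  *(uint64_t*)0x20005c20 = 0x20000880;

  // Control buffer. Only the first 0x18 bytes are covered by msg_controllen:
  // cmsg_len = 0x18, cmsg_level = 0x110 (272, SOL_RXRPC on Linux),
  // cmsg_type = 1 (RXRPC_USER_CALL_ID), then an 8-byte call id. The other
  // 578 bytes lie past msg_controllen, so the kernel never copies them in;
  // they are kept only because the generated reproducer includes them.
  memcpy(
      (void*)0x20000880,
      "\x18\x00\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x01\x00\x00\x00\x77\x00"
      "\x00\xf2\x00\x00\x00\x00\xa6\xe2\x17\xb9\x1c\x3b\x0d\x87\x37\x22\xb4\x1a"
      "\xfb\x8e\xd5\x8f\x21\x09\xe4\x48\xe6\xcc\x4b\xd0\xf1\x1a\x26\xf4\x23\x3e"
      "\x3b\xa1\xff\x40\xe0\x62\xa4\x3f\x80\xb1\xba\xe2\x72\x83\x16\xe6\x3e\x58"
      "\xaf\xdf\x28\x47\x32\xbd\x1e\x19\x70\x88\x1d\xdd\x3c\x9f\x31\x0f\x82\x7c"
      "\x19\x5f\x3c\x5d\x57\xc6\x7a\x08\x46\x65\x17\xba\x13\x00\x00\x00\x00\x85"
      "\x80\x03\xff\xff\xff\xff\xff\xff\xff\xff\x3e\x26\xb5\xca\x26\xbb\x43\x4d"
      "\xbd\x0e\x48\x85\xc2\x14\xe5\x77\xbb\x08\x18\x76\xe6\x3e\x7c\x28\x34\x57"
      "\x39\x25\xdb\x8b\x54\xb3\x3d\xa7\xb9\xc7\xae\xfc\xa1\xf9\xc4\x9c\x64\x00"
      "\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x61\xe2\x44\x8f\x23\xa7\xe4"
      "\x97\x36\xa3\x35\x44\x0c\x5b\x76\x81\xc5\x8d\xc6\x47\x49\x4f\x0d\xbc\x81"
      "\x1b\xec\xd7\xc4\x87\xd2\x83\xb2\xd0\x57\x45\x10\x10\x3a\xf9\x81\xad\xeb"
      "\xcd\x75\x35\xc0\xb3\xa3\xdf\x61\x0d\x99\x75\xd1\xd9\x57\xc3\xb4\x10\xc2"
      "\xab\x65\x97\x7d\xa5\x98\xff\xa0\x69\xc0\x1b\x3d\x38\x6c\x15\xd3\x4a\x59"
      "\x18\xd6\x90\x91\x92\xec\x97\x03\x2c\x32\x00\x44\xfa\x93\x4b\xf9\x44\xd6"
      "\xd5\xce\x62\x1d\x91\xc1\x7f\x1c\x43\x77\xa5\x4c\x7f\xeb\xb4\x6f\x83\xa7"
      "\x84\x28\x16\x02\x3b\x60\x41\x73\x88\x19\x6a\x22\x09\x1c\x9f\x82\xe8\xe0"
      "\x29\x1f\x40\x82\xd9\x2d\x0a\xe7\x6b\x94\xa1\x86\x47\xbb\x44\xcb\xe9\x36"
      "\x6a\x08\xfb\x3f\x00\x00\x64\x43\x07\xc5\x10\x85\xf7\x21\x5f\xd4\x46\x35"
      "\xe5\x96\x7f\x21\xe8\xf5\x9b\xd0\x21\xf3\x09\xd9\x10\xcb\x5d\x37\xcb\x16"
      "\x45\x02\x44\xef\x26\x1a\x37\x25\x5a\x06\xc9\x7f\x19\xfa\x0e\x68\x83\x65"
      "\x43\x17\x47\x45\x68\x40\x37\xcc\x7b\xba\x99\xaa\x1c\xbe\xfc\xdd\x62\xf7"
      "\x99\xa5\xfb\x35\xab\xc5\xaf\x3a\xb4\x3a\x5f\xc4\x0e\xb3\x52\xe6\xff\x07"
      "\x8f\xad\x68\x18\x28\x45\xf1\xf6\xb7\xff\x6c\x20\x0c\x10\x3b\x64\x60\x84"
      "\x04\xb4\x1f\xce\x73\x18\x6e\x55\x19\x3d\x3d\x96\xfa\xab\x58\x80\x48\x34"
      "\x9b\x35\xe4\x31\x91\x4b\xfd\xe3\xc0\x7f\x14\x19\xda\xc1\x19\x95\xad\xed"
      "\x30\xb4\x4e\xad\x71\x42\xa7\xb3\x97\xa9\x13\xf6\xba\xc2\xea\xc4\x1c\x32"
      "\xd1\x08\x63\xc3\xe6\xdd\x9e\x88\xd4\x48\x42\x95\x1e\x15\xd6\xd6\x31\x99"
      "\x5f\x07\x14\x34\x16\xb7\x37\x46\xd0\x83\x3f\xf3\xa7\x66\xa4\xb0\x94\xbc"
      "\x6d\x5c\x69\xbd\x6b\x19\xe0\x04\x3b\xa9\x7c\xab\x85\x06\xb2\x98\xa9\x6b"
      "\x47\x07\x00\x00\x00\xb7\x72\x70\xf8\x4d\x17\xc3\xd8\x9c\x98\xae\xc4\x79"
      "\x77\x36\x96\xf1\x6e\x5b\x9c\xd5\xbe\x45\x27\x42\xba\x37\xca\x72\x22\x00"
      "\xd5\x25\x6a\x04\xcd\x2f\xf6\x00\x8b\xd2\x6f\x1f\xe8\x5d\x60\xce\x47\x6b"
      "\xff\xc9\x36\xca\x19\xe9\xd0\x03",
      602);
  *(uint64_t*)0x20005c28 = 0x18;
  *(uint32_t*)0x20005c30 = 0;
  *(uint32_t*)0x20005c38 = 0;

  // sendmmsg(fd, &mmsg, 1, flags); 0x4048000 decodes on Linux to
  // MSG_ZEROCOPY | MSG_BATCH | MSG_MORE. The return value is irrelevant:
  // the crash, if any, happens inside this call.
  syscall(__NR_sendmmsg, r[0], 0x20005c00ul, 1ul, 0x4048000ul);
  close_fds();
}

// Map the fixed scratch region the reproducer writes into, then run the
// sandboxed loop. prot 3 = PROT_READ|PROT_WRITE; flags 0x32 =
// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. MAP_FIXED silently replaces anything
// already mapped at 0x20000000; if the mapping itself fails, every store in
// loop() would fault, so bail out instead of reporting a bogus crash.
int main(void)
{
  if (syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0) == -1)
    exit(1);
  do_sandbox_none();
  return 0;
}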