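// https://syzkaller.appspot.com/bug?id=c91a7b4502f991f66e5525c1111bee2128fc33ec
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-fuzzer reproducer: it maps fixed scratch regions, opens a VT
// character device and /dev/vcs, and issues one ioctl and one write.  It is
// meant to be built and run inside the disposable test VM that the dashboard
// entry above refers to; the exact header names were lost when this page was
// extracted (each `#include` was left empty) and have been restored to the
// standard set that the code below actually uses.
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * syz_open_dev - syzkaller pseudo-syscall for opening a device node.
 *
 * Two calling conventions share one entry point:
 *  - a0 == 0xc or 0xb: open "/dev/char/MAJ:MIN" or "/dev/block/MAJ:MIN" with
 *    O_RDWR, where MAJ = (uint8_t)a1 and MIN = (uint8_t)a2.
 *  - otherwise: a0 is a C-string path template; every '#' is replaced, left to
 *    right, by successive decimal digits of a1 (least significant first), and
 *    the result is opened with flags a2.
 *
 * Returns the file descriptor, or -1 on failure (errno from open()).
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        // "/dev/char/255:255" is 17 bytes; 128 leaves ample room.
        char buf[128];
        sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
                (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char *hash;
        // strncpy does not guarantee termination; the explicit NUL covers
        // templates of sizeof(buf) - 1 bytes or longer.
        strncpy(buf, (char *)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

// Result slots for the two opens below; -1 (all bits set) means "not opened".
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
    // Fixed scratch mappings used by the hard-coded addresses below.  The
    // flag value 0x32 is MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on x86;
    // prot 7 is PROT_READ | PROT_WRITE | PROT_EXEC, the outer two pages are
    // mapped with no access as guards.
    syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

    intptr_t res = -1;

    // /dev/char/4:21 -- a VT (tty) character device.
    res = syz_open_dev(0xc, 4, 0x15);
    if (res != -1)
        r[0] = res;

    // Six u16 fields at 0x20000240: layout matches struct vt_consize and
    // 0x560a is VT_RESIZEX on Linux (confirm against <linux/vt.h>).
    *(uint16_t *)0x20000240 = 0;
    *(uint16_t *)0x20000242 = 0;
    *(uint16_t *)0x20000244 = 0;
    *(uint16_t *)0x20000246 = 0x20;
    *(uint16_t *)0x20000248 = 1;
    *(uint16_t *)0x2000024a = 7;
    syscall(__NR_ioctl, r[0], 0x560a, 0x20000240ul);

    // openat(AT_FDCWD, "/dev/vcs", flags 0x2601) -- a write-mode open of the
    // virtual console memory device.
    memcpy((void *)0x20002240, "/dev/vcs\000", 9);
    res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20002240ul, 0x2601ul,
                  0ul);
    if (res != -1)
        r[1] = res;

    // 0x121 (289) bytes staged at 0x200000c0: a 40-byte header followed by a
    // 248-byte payload and one trailing zero byte.  The header's meaning is
    // not recoverable from this file; the payload is fuzzer-generated.
    *(uint32_t *)0x200000c0 = 0x121;
    *(uint32_t *)0x200000c4 = 6;
    *(uint64_t *)0x200000c8 = 0;
    *(uint64_t *)0x200000d0 = 0;
    *(uint64_t *)0x200000d8 = 0;
    *(uint32_t *)0x200000e0 = 0xfffffec2;
    *(uint32_t *)0x200000e4 = 0;
    memcpy((void *)0x200000e8,
           "\325\302\204\201~\006@\231.T*\r\\(\326\257\243|W@:\003\031\310:"
           "\177\276\272\236\336\262\016\001s\255Z\350\177M\362W\325q\341\300\216"
           "\276\005_\273A\360\330\233\301\343\206\321\241$W\333\305>t\2777\365x-"
           "-\326\302\024\243\324\206s\302\306b`"
           "p\202\324\000\000\000\000\000\000\000\000\000\000\000\000\000\000e62"
           "\223L(\227\337\344\312\371o\250\205r\177Y\321\215\r%"
           "\204\246T\037\337\265\t\251\352\211\315<"
           "\341\221\260\263\202\204z\307\315\212\366\364,\214\256\340Y\340{"
           "\253J\214\036Hi!\341\271\341i\212H\251\275\363\330\277\207Q\017)"
           "\270\276/"
           "!\315,=,d\177\200i.$"
           "\257b\213\356\244M\376\301\a\274Q\312\370\004\021Fy\357u0hW\275\201"
           "\262\361}Rd\251\342\335\221\bL\203\337\325\260`"
           "\241\031f\334R\373\324\261\024-\034W\252\226M\001~|5[\227",
           248);
    *(uint8_t *)0x200001e0 = 0;

    // The write to /dev/vcs is the step that triggers the reported bug.
    syscall(__NR_write, r[1], 0x200000c0ul, 0x121ul);
    return 0;
}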