// https://syzkaller.appspot.com/bug?id=3c2b9b261ff8f9a531b03e71a54c80257af306ce
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#include <linux/capability.h>
#include <linux/rfkill.h>

#ifndef __NR_ioctl
#define __NR_ioctl 29
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_socket
#define __NR_socket 198
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 199
#endif

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
            (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

#define BTPROTO_HCI 1
#define ACL_LINK 1
#define SCAN_PAGE 2

typedef struct {
  uint8_t b[6];
} __attribute__((packed)) bdaddr_t;

#define HCI_COMMAND_PKT 1
#define HCI_EVENT_PKT 4
#define HCI_VENDOR_PKT 0xff

struct hci_command_hdr {
  uint16_t opcode;
  uint8_t plen;
} __attribute__((packed));

struct hci_event_hdr {
  uint8_t evt;
  uint8_t plen;
} __attribute__((packed));

#define HCI_EV_CONN_COMPLETE 0x03
struct hci_ev_conn_complete {
  uint8_t status;
  uint16_t handle;
  bdaddr_t bdaddr;
  uint8_t link_type;
  uint8_t encr_mode;
} __attribute__((packed));

#define HCI_EV_CONN_REQUEST 0x04
struct hci_ev_conn_request {
  bdaddr_t bdaddr;
  uint8_t dev_class[3];
  uint8_t link_type;
} __attribute__((packed));

#define HCI_EV_REMOTE_FEATURES 0x0b
struct hci_ev_remote_features {
  uint8_t status;
  uint16_t handle;
  uint8_t features[8];
} __attribute__((packed));

#define HCI_EV_CMD_COMPLETE 0x0e
struct hci_ev_cmd_complete {
  uint8_t ncmd;
  uint16_t opcode;
} __attribute__((packed));

#define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a

#define HCI_OP_READ_BUFFER_SIZE 0x1005
struct hci_rp_read_buffer_size {
  uint8_t status;
  uint16_t acl_mtu;
  uint8_t sco_mtu;
  uint16_t acl_max_pkt;
  uint16_t sco_max_pkt;
} __attribute__((packed));

#define HCI_OP_READ_BD_ADDR 0x1009
struct hci_rp_read_bd_addr {
  uint8_t status;
  bdaddr_t bdaddr;
} __attribute__((packed));

#define HCI_EV_LE_META 0x3e
struct hci_ev_le_meta {
  uint8_t subevent;
} __attribute__((packed));

#define HCI_EV_LE_CONN_COMPLETE 0x01
struct hci_ev_le_conn_complete {
  uint8_t status;
  uint16_t handle;
  uint8_t role;
  uint8_t bdaddr_type;
  bdaddr_t bdaddr;
  uint16_t interval;
  uint16_t latency;
  uint16_t supervision_timeout;
  uint8_t clk_accurancy;
} __attribute__((packed));

struct hci_dev_req {
  uint16_t dev_id;
  uint32_t dev_opt;
};

struct vhci_vendor_pkt_request {
  uint8_t type;
  uint8_t opcode;
} __attribute__((packed));

struct vhci_pkt {
  uint8_t type;
  union {
    struct {
      uint8_t opcode;
      uint16_t id;
    } __attribute__((packed)) vendor_pkt;
    struct hci_command_hdr command_hdr;
  };
} __attribute__((packed));

#define HCIDEVUP _IOW('H', 201, int)
#define HCISETSCAN _IOW('H', 221, int)

static int vhci_fd = -1;

static void rfkill_unblock_all()
{
  int fd = open("/dev/rfkill", O_WRONLY);
  if (fd < 0)
    exit(1);
  struct rfkill_event event = {0};
  event.idx = 0;
  event.type = RFKILL_TYPE_ALL;
  event.op = RFKILL_OP_CHANGE_ALL;
  event.soft = 0;
  event.hard = 0;
  if (write(fd, &event, sizeof(event)) < 0)
    exit(1);
  close(fd);
}

static void hci_send_event_packet(int fd, uint8_t evt, void* data,
                                  size_t data_len)
{
  struct iovec iv[3];
  struct hci_event_hdr hdr;
  hdr.evt = evt;
  hdr.plen = data_len;
  uint8_t type = HCI_EVENT_PKT;
  iv[0].iov_base = &type;
  iv[0].iov_len = sizeof(type);
  iv[1].iov_base = &hdr;
  iv[1].iov_len = sizeof(hdr);
  iv[2].iov_base = data;
  iv[2].iov_len = data_len;
  if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
    exit(1);
}

static void hci_send_event_cmd_complete(int fd, uint16_t opcode, void* data,
                                        size_t data_len)
{
  struct iovec iv[4];
  struct hci_event_hdr hdr;
  hdr.evt = HCI_EV_CMD_COMPLETE;
  hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len;
  struct hci_ev_cmd_complete evt_hdr;
  evt_hdr.ncmd = 1;
  evt_hdr.opcode = opcode;
  uint8_t type = HCI_EVENT_PKT;
  iv[0].iov_base = &type;
  iv[0].iov_len = sizeof(type);
  iv[1].iov_base = &hdr;
  iv[1].iov_len = sizeof(hdr);
  iv[2].iov_base = &evt_hdr;
  iv[2].iov_len = sizeof(evt_hdr);
  iv[3].iov_base = data;
  iv[3].iov_len = data_len;
  if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
    exit(1);
}

static bool process_command_pkt(int fd, char* buf, ssize_t buf_size)
{
  struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf;
  if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) ||
      hdr->plen != buf_size - sizeof(struct hci_command_hdr))
    exit(1);
  switch (hdr->opcode) {
  case HCI_OP_WRITE_SCAN_ENABLE: {
    uint8_t status = 0;
    hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status));
    return true;
  }
  case HCI_OP_READ_BD_ADDR: {
    struct hci_rp_read_bd_addr rp = {0};
    rp.status = 0;
    memset(&rp.bdaddr, 0xaa, 6);
    hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
    return false;
  }
  case HCI_OP_READ_BUFFER_SIZE: {
    struct hci_rp_read_buffer_size rp = {0};
    rp.status = 0;
    rp.acl_mtu = 1021;
    rp.sco_mtu = 96;
    rp.acl_max_pkt = 4;
    rp.sco_max_pkt = 6;
    hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
    return false;
  }
  }
  char dummy[0xf9] = {0};
  hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy));
  return false;
}

static void* event_thread(void* arg)
{
  while (1) {
    char buf[1024] = {0};
    ssize_t buf_size = read(vhci_fd, buf, sizeof(buf));
    if (buf_size < 0)
      exit(1);
    if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) {
      if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1))
        break;
    }
  }
  return NULL;
}
#define HCI_HANDLE_1 200
#define HCI_HANDLE_2 201

#define HCI_PRIMARY 0
#define HCI_OP_RESET 0x0c03

static void initialize_vhci()
{
  int hci_sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
  if (hci_sock < 0)
    exit(1);
  vhci_fd = open("/dev/vhci", O_RDWR);
  if (vhci_fd == -1)
    exit(1);
  const int kVhciFd = 202;
  if (dup2(vhci_fd, kVhciFd) < 0)
    exit(1);
  close(vhci_fd);
  vhci_fd = kVhciFd;
  struct vhci_vendor_pkt_request vendor_pkt_req = {HCI_VENDOR_PKT, HCI_PRIMARY};
  if (write(vhci_fd, &vendor_pkt_req, sizeof(vendor_pkt_req)) !=
      sizeof(vendor_pkt_req))
    exit(1);
  struct vhci_pkt vhci_pkt;
  if (read(vhci_fd, &vhci_pkt, sizeof(vhci_pkt)) != sizeof(vhci_pkt))
    exit(1);
  if (vhci_pkt.type == HCI_COMMAND_PKT &&
      vhci_pkt.command_hdr.opcode == HCI_OP_RESET) {
    char response[1] = {0};
    hci_send_event_cmd_complete(vhci_fd, HCI_OP_RESET, response,
                                sizeof(response));
    if (read(vhci_fd, &vhci_pkt, sizeof(vhci_pkt)) != sizeof(vhci_pkt))
      exit(1);
  }
  if (vhci_pkt.type != HCI_VENDOR_PKT)
    exit(1);
  int dev_id = vhci_pkt.vendor_pkt.id;
  pthread_t th;
  if (pthread_create(&th, NULL, event_thread, NULL))
    exit(1);
  int ret = ioctl(hci_sock, HCIDEVUP, dev_id);
  if (ret) {
    if (errno == ERFKILL) {
      rfkill_unblock_all();
      ret = ioctl(hci_sock, HCIDEVUP, dev_id);
    }
    if (ret && errno != EALREADY)
      exit(1);
  }
  struct hci_dev_req dr = {0};
  dr.dev_id = dev_id;
  dr.dev_opt = SCAN_PAGE;
  if (ioctl(hci_sock, HCISETSCAN, &dr))
    exit(1);
  struct hci_ev_conn_request request;
  memset(&request, 0, sizeof(request));
  memset(&request.bdaddr, 0xaa, 6);
  *(uint8_t*)&request.bdaddr.b[5] = 0x10;
  request.link_type = ACL_LINK;
  hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request,
                        sizeof(request));
  struct hci_ev_conn_complete complete;
  memset(&complete, 0, sizeof(complete));
  complete.status = 0;
  complete.handle = HCI_HANDLE_1;
  memset(&complete.bdaddr, 0xaa, 6);
  *(uint8_t*)&complete.bdaddr.b[5] = 0x10;
  complete.link_type = ACL_LINK;
  complete.encr_mode = 0;
  hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete,
                        sizeof(complete));
  struct hci_ev_remote_features features;
  memset(&features, 0, sizeof(features));
  features.status = 0;
  features.handle = HCI_HANDLE_1;
  hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features,
                        sizeof(features));
  struct {
    struct hci_ev_le_meta le_meta;
    struct hci_ev_le_conn_complete le_conn;
  } le_conn;
  memset(&le_conn, 0, sizeof(le_conn));
  le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE;
  memset(&le_conn.le_conn.bdaddr, 0xaa, 6);
  *(uint8_t*)&le_conn.le_conn.bdaddr.b[5] = 0x11;
  le_conn.le_conn.role = 1;
  le_conn.le_conn.handle = HCI_HANDLE_2;
  hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn));
  pthread_join(th, NULL);
  close(hci_sock);
}

static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  }
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

static void loop();

static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  initialize_vhci();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  setup_binderfs();
  loop();
  exit(1);
}

static int inject_fault(int nth)
{
  int fd;
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exit(1);
  char buf[16];
  sprintf(buf, "%d", nth);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exit(1);
  return fd;
}

static void setup_fault()
{
  static struct {
    const char* file;
    const char* val;
    bool fatal;
  } files[] = {
      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
  };
  unsigned i;
  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].file, files[i].val)) {
      if (files[i].fatal)
        exit(1);
    }
  }
}

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

void loop(void)
{
  intptr_t res = 0;
  res = -1;
  res = syz_open_dev(0xc, 4, 1);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x20000080 = 2;
  *(uint32_t*)0x20000084 = 0;
  *(uint32_t*)0x20000088 = 0;
  *(uint32_t*)0x2000008c = 0;
  *(uint32_t*)0x20000090 = 0;
  *(uint64_t*)0x20000098 = 0;
  syscall(__NR_ioctl, r[0], 0x4b72, 0x20000080ul);
  syscall(__NR_socketpair, 1ul, 1ul, 0, 0ul);
  *(uint32_t*)0x20002800 = 1;
  memcpy((void*)0x20002804,
         "vlan0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
         "\000\000\000",
         24);
  *(uint32_t*)0x2000281c = 0;
  *(uint16_t*)0x20002834 = 0x40;
  syscall(__NR_ioctl, -1, 0x8982, 0x20002800ul);
  res = -1;
  res = syz_open_dev(0xc, 4, 1);
  if (res != -1)
    r[1] = res;
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0x1d;
  *(uint32_t*)0x2000000c = 1;
  *(uint32_t*)0x20000010 = 0x100;
  *(uint64_t*)0x20000018 = 0x20000880;
  memcpy(
      (void*)0x20000880,
      "\xe5\x89\x15\x55\x33\xe2\x3d\xca\x2f\x88\x76\xad\xe9\x80\xda\xcd\xa9\xad"
      "\x76\xce\x9d\xca\xbb\xfc\x3c\xbb\x9b\x98\x7a\x3e\x99\x1d\xa7\xf5\x19\x88"
      "\xdb\x36\x2e\x4e\xc4\xc3\x61\x52\xbd\x9d\xec\x4e\xa7\xa7\xe8\xe4\x0b\x51"
      "\x8f\xe4\x6e\x1c\xb5\x53\xd2\x55\x8f\x75\x13\x97\x98\xa5\x98\x1d\xa6\x68"
      "\xc8\xa2\xc5\xb3\xe1\x2d\x33\x23\x2f\xa2\x71\xd3\x31\x31\x8c\x05\x7f\xb8"
      "\x96\x27\x88\xee\xc7\xd4\x3d\x21\x68\x4b\x49\xc7\x02\x79\xfa\x03\x5c\x37"
      "\xa5\xea\xa9\x50\xf8\xc1\xbd\x0d\x72\x82\x02\xcf\x39\xcb\x75\xfb\x73\xf5"
      "\xf5\xcb\xad\x2e\xba\x51\xe0\x90\x01\x4c\xa3\x7f\x58\xbf\x93\xa6\xcf\xe1"
      "\xaf\xbb\x1b\x60\x10\xd9\x7a\x11\x66\x12\x0f\xa2\x65\x8d\x5a\x06\x52\x9c"
      "\x39\xe6\xc7\x68\x86\x79\x21\xe3\x7f\x75\x39\xf9\x56\x33\xc8\x7a\xc8\xcd"
      "\x81\x1d\x06\xf8\x1a\x36\x5c\x8e\xee\x87\xf5\x71\xe3\xf9\x02\xca\x7d\x45"
      "\x31\xee\x80\x9b\x81\x2a\x16\x44\xd1\x2f\xe9\x29\xa0\x56\x26\x4a\x97\x43"
      "\x37\x5a\x02\x78\x93\x3b\xc1\x81\x62\x06\xef\x12\xec\xb3\xa9\xae\xd0\xbb"
      "\x77\x72\x1c\x01\xad\x84\xd6\x86\xe9\xb5\x2d\xdd\xa9\x0f\xb4\x6c\x7b\xe0"
      "\xef\xdc\x15\x2b\xfc\x38\x9f\xac\x08\xa3\x42\xa2\x4c\x3a\x4e\x45\x86\x5b"
      "\xf0\xa6\x00\x40\x58\x79\xfd\x79\x6e\x9f\xaf\xdb\xd0\xdf\x75\x62\x6c\xa0"
      "\x0a\x33\x87\xb7\x8c\x5f\x07\x17\xec\x82\x49\x8d\x24\xd2\x4e\xcf\xc2\xa6"
      "\x79\x4f\xf5\xb5\x49\x03\x05\xce\x02\x93\x2b\x52\x19\xb7\x33\x3c\xc5\xb8"
      "\x9a\x6d\x0a\x7c\x3d\xe3\x77\x9d\x1f\x3f\xed\x70\x30\x07\xb5\x38\x3e\x22"
      "\xdf\x79\xf4\xae\x61\x88\xd3\x56\xf7\xb7\x15\x85\x9f\x9a\xab\x43\x4c\xbc"
      "\xe3\x34\x9b\x00\x00\x91\x55\xe6\x35\xb9\xfb\xd5\xde\x7c\xd6\x08\x7f\x42"
      "\x14\x47\xcb\x09\x16\x92\x87\x56\x09\x9f\x2f\x2e\x2f\x2e\x6a\x7e\x32\x81"
      "\x71\x22\x27\xd2\x30\x84\x7e\x0d\x5a\x52\x8d\x5e\xaa\x25\x6b\x29\x2e\x1e"
      "\xd0\xdd\x49\x5c\x18\xfe\x58\x36\x06\xb0\xd3\xb2\xaa\x19\xfe\xe6\x79\x1c"
      "\xd6\xf2\x9c\xff\x50\x92\xac\x1a\xef\x9e\xfd\x86\x80\x61\xae\xfc\xc3\x0a"
      "\x0d\x24\x1e\xb8\x3c\xab\xfd\x0c\x31\xed\x70\xe3\x84\xd7\x90\x5d\xcd\xd9"
      "\xe5\xb5\xae\xa0\xaf\x8d\xc0\x04\x54\x86\x6d\x84\x1d\x87\x99\x36\xab\x66"
      "\x4f\xbd\xc1\x94\x9e\x51\x5d\x45\x92\x0c\x2a\xf5\x2a\x8c\x29\xeb\x34\x4a"
      "\x2e\x07\x12\xec\x33\x22\xe7\x37\x29\xbb\x73\xe2\x62\xab\x18\xd5\x00\x56"
      "\xf2\x68\x17\x4a\x2f\x37\x96\xed\x58\xbc\xfe\xb0\x60\x5d\xbc\x84\x49\x72"
      "\xf9\x05\xa1\xdd\x14\x3a\x2b\xcc\x23\x16\xc2\xc8\xcb\x7a\xcb\x76\x5d\xf7"
      "\xff\x74\xe3\x33\xf0\xaf\xc8\x97\xe1\x23\x6d\x25\x57\xd7\xbe\x7d\x48\x3b"
      "\xb1\x9a\x7c\x9e\x25\x11\x16\xaa\xa3\x68\x09\xa7\xc9\x6c\xaa\x14\x2f\x66"
      "\x2f\x16\x94\x70\x42\xeb\xd2\xf9\x45\x5d\xe8\x1a\x7c\xec\x0f\x02\x6b\x5c"
      "\x4a\x08\xad\x24\xa1\x65\x8c\x54\x3d\x64\x67\xb0\x9f\xba\x84\xc9\x42\x4a"
      "\xdd\x69\x63\xd8\x4d\x24\x18\x4a\xc0\xa4\xaa\xf9\x1b\x4d\x92\x7b\x69\x25"
      "\xb0\x27\x2a\xf9\x53\x1c\x99\xfa\x00\xa4\x0b\x5d\x72\x84\xbe\xa4\x42\x01"
      "\x16\xd7\x19\x8e\xc9\x90\x9a\xd3\x4a\x32\xef\x87\x86\xb0\x8e\x4c\x97\x3f"
      "\x5b\x5f\xaa\xd5\x5d\x01\xf2\x40\x87\x46\xfe\xdb\xee\xf4\x1b\xf6\x62\xc5"
      "\xe8\xf2\x16\xda\x4f\xd3\xa4\x3b\x3b\xfc\x13\xb0\x5c\x0b\xf9\x02\x63\x7d"
      "\x35\x8f\x7f\x08\x98\x14\xad\x07\x58\x2b\xc7\x83\xcd\x00\xe4\xd0\x7a\x10"
      "\xb5\x8c\x6c\x8c\x84\x90\x50\x6b\xa9\x21\x15\x2e\x00\x7e\xeb\x30\x96\x3b"
      "\x9c\x39\xc1\x55\x0f\x5d\xce\x85\x18\xc5\xcb\x0c\x2d\x0e\x75\xa0\xc6\x22"
      "\x41\x67\x13\xa9\xcf\xe0\x6d\x50\x29\xe0\x51\x60\x18\x01\xd0\xea\xa1\x8a"
      "\x27\x41\x58\xbd\xe5\x5c\x7c\x1e\xb8\x31\x6e\x83\xd2\x42\x81\x8f\x47\xe5"
      "\x24\xa0\x98\x43\x9c\xe4\x15\x6e\x3d\xa3\x60\x5f\xd7\x43\x36\xd1\x69\xde"
      "\x63\x11\x4f\x23\x45\x9f\xab\x62\xcb\xc9\x45\x66\xf9\xf4\x0e\x0d\x05\x9c"
      "\x26\x58\xef\x1e\x16\x5c\x8d\x02\x27\x42\xa7\xdc\x08\xb5\xaf\x6d\xaf\x4c"
      "\x60\x6a\xb4\x75\x9d\xef\x61\xe9\xeb\x12\x52\xbf\x5b\x62\x88\x1b\x9c\xeb"
      "\xd2\x4a\xd2\xac\x74\x4e\x2f\xd5\xec\x43\xe1\x9d\x6b\x7e\x9d\x22\x04\x11"
      "\xed\x15\x98\xad\x2c\x0a\x52\x9d\x19\xce\x94\xc3\xa9\x78\xfb\xaf\x79\xe4"
      "\x94\x20\x58\xec\xed\xe3\x94\xc1\x27\x15\x37\xe3\x1c\xa9\x7c\xb1\x72\x2e"
      "\xd4\x4a\xd2\x05\x46\x7f\x3e\xc6\x13\xec\x31\xea\x0f\xc2\xaa\xbe\x8e\xc9"
      "\xfe\x83\xd3\x03\xe1\x0f\x89\x32\x2f\x88\xb7\xac\x1e\xac\x12\xaf\x2d\x4f"
      "\x7b\x44\xbb\x3e\x28\xf8\x27\x15\x0f\x94\xeb\xd3\x3e\x2f\xaf\x37\xc7\x42"
      "\x18\x86\x8a\xad\x38\xa5\xf5\xd3\x15\x55\xf9\x1e\x10\xdf\xf9\xeb\x2e\xb6"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
      1024);
  inject_fault(7);
  syscall(__NR_ioctl, r[1], 0x4b72, 0x20000000ul);
  syscall(__NR_socket, 0x10ul, 3ul, 0);
}
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  setup_fault();
  do_sandbox_none();
  return 0;
}