// https://syzkaller.appspot.com/bug?id=26f9acc61df47dcc8a5677eea2cae46b700c70c6
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}
#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

const int kFailStatus = 67;
const int kRetryStatus = 69;

static void fail(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

static void exitf(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

static void use_temporary_dir()
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);

  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    close(fd);
    return false;
  }
  close(fd);
  return true;
}

static int inject_fault(int nth)
{
  int fd;
  char buf[16];

  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exitf("failed to open /proc/thread-self/fail-nth");
  sprintf(buf, "%d", nth + 1);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exitf("failed to write /proc/thread-self/fail-nth");
  return fd;
}

long r[1];
void loop()
{
  memset(r, -1, sizeof(r));
  syscall(__NR_mmap, 0x20000000, 0x3000, 3, 0x32, -1, 0);
  *(uint16_t*)0x20002000 = 0x1a;
  *(uint16_t*)0x20002002 = htobe16(0);
  *(uint8_t*)0x20002004 = 0;
  *(uint8_t*)0x20002005 = 0;
  *(uint8_t*)0x20002006 = 0;
  *(uint8_t*)0x20002007 = 0;
  *(uint8_t*)0x20002008 = 0;
  *(uint8_t*)0x20002009 = 0;
  *(uint8_t*)0x2000200a = 0;
  *(uint8_t*)0x2000200b = 0;
  *(uint8_t*)0x2000200c = 0;
  *(uint8_t*)0x2000200d = 0;
  *(uint8_t*)0x2000200e = 0;
  *(uint8_t*)0x2000200f = 0;
  syscall(__NR_sendto, -1, 0x20001000, 0, 0, 0x20002000, 0x10);
  memcpy((void*)0x20000ff7, "/dev/ppp", 9);
  r[0] = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000ff7, 0, 0);
  write_file("/sys/kernel/debug/failslab/ignore-gfp-wait", "N");
  write_file("/sys/kernel/debug/fail_futex/ignore-private", "N");
  inject_fault(4);
  syscall(__NR_ioctl, r[0], 0xc004743e, 0x20001000);
}

int main()
{
  use_temporary_dir();
  loop();
  return 0;
}