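// https://syzkaller.appspot.com/bug?id=826185a3ca17eb363147ce23a041ca1389b89ce3
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It maps a fixed scratch region, opens a video
// device node through the syz_open_dev helper and issues two ioctls on it.
// The addresses, ioctl numbers and payload bytes below are the ones
// syzkaller recorded; they are the test case and are reproduced verbatim.
//
// The header names had been lost from the ten #include directives of the
// page; they are restored here to the headers the code below needs
// (open/O_RDWR, uint*_t, snprintf, str*/mem*, __NR_*, syscall) plus the
// headers syzkaller normally emits alongside them.

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * syzkaller helper: open a device node.
 *
 *   a0 == 0xc or 0xb: a0 selects /dev/char or /dev/block, the low byte of
 *       a1 and of a2 give the major:minor pair, and the node is opened
 *       O_RDWR.
 *   otherwise: a0 is a pointer to a NUL-terminated path template; every
 *       '#' in it is replaced, left to right, by successive decimal digits
 *       of a1 (least significant digit first), and a2 is the open() flags.
 *
 * Returns the descriptor from open(), or -1 on failure (errno from open()).
 * The template is copied into a 1023-byte local buffer, so longer paths
 * are silently truncated before the open.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    /* Bounded write: the longest possible result is "/dev/block/255:255". */
    snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
             a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char *hash;
    /* strncpy does not guarantee termination; terminate explicitly. */
    strncpy(buf, (char *)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

/* Resource table: r[0] receives the descriptor from syz_open_dev. It keeps
 * its initial value (-1 as uint64_t) when the open fails, in which case the
 * ioctls below are issued on an invalid descriptor and simply fail. */
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  /* Fixed-address scratch mappings that syzkaller programs operate on.
   * flags 0x32 looks like MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS and prot 7
   * like PROT_READ|PROT_WRITE|PROT_EXEC — confirm against <sys/mman.h>.
   * Every raw pointer dereference below targets the 0x20000000 region. */
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  intptr_t res = 0;
  /* Path template; the '#' is replaced by a digit of the second argument
   * (0x80000000 % 10 on an LP64 target), flags 2 presumably O_RDWR. */
  memcpy((void*)0x20000040, "/dev/video#\000", 12);
  res = -1;
  res = syz_open_dev(0x20000040, 0x80000000, 2);
  if (res != -1)
    r[0] = res;
  /* 20-byte argument at 0x20000000: four u32 fields (5, 2, 1, 0), one u8
   * and three zero bytes. */
  *(uint32_t*)0x20000000 = 5;
  *(uint32_t*)0x20000004 = 2;
  *(uint32_t*)0x20000008 = 1;
  *(uint32_t*)0x2000000c = 0;
  *(uint8_t*)0x20000010 = 0;
  memset((void*)0x20000011, 0, 3);
  /* 0xc0145608 decodes as _IOWR('V', 8, 20); that matches the shape of
   * VIDIOC_REQBUFS — confirm against <linux/videodev2.h>. */
  syscall(__NR_ioctl, r[0], 0xc0145608, 0x20000000ul);
  /* 256-byte argument at 0x200001c0: u32 fields (0, 7, 2), 4 bytes of
   * padding, a u32 of 2, a 200-byte opaque blob, a u32 of 0 and 28 zero
   * bytes. The blob is fuzzer-generated data, kept byte-for-byte. */
  *(uint32_t*)0x200001c0 = 0;
  *(uint32_t*)0x200001c4 = 7;
  *(uint32_t*)0x200001c8 = 2;
  *(uint32_t*)0x200001d0 = 2;
  memcpy((void*)0x200001d8,
         "\x95\x2d\x4c\x6b\xa3\xc7\x91\xa3\xf6\xf3\x6b\x8c\x9b\xa2\xc9\xd1\xa4"
         "\x88\x52\x02\xe3\xd1\x41\xc1\xf2\x76\x39\x6d\x33\xa4\x8b\xbd\x04\x4f"
         "\x3b\x92\x93\x0f\x20\xc2\x03\x8d\x27\xf0\x06\x0b\x7c\x60\x62\x1f\x0a"
         "\xeb\x79\x9a\xe7\xf1\xa0\x6c\xd1\x8e\x16\x9d\xd8\xd3\x1e\x8d\xbe\x86"
         "\x15\x8e\x6c\x81\xfb\xf7\x1d\x4f\x14\x13\xfd\xe2\xe7\x7d\x72\xd0\x39"
         "\x1a\x97\x0a\x74\x9c\xa6\x06\xff\xc1\x9d\xf9\xaa\xdd\x9c\x10\xa9\x85"
         "\xa2\xba\xa7\x90\x47\xb0\xa0\x30\x85\xd1\xdd\xa3\x1e\x1c\x7a\x80\xf4"
         "\xaf\x37\x21\x51\x93\x56\xcb\x08\x7e\xcf\xa8\xb4\x91\x12\xe2\x04\x98"
         "\x7f\x87\x09\x84\x7a\x6d\xf8\xc0\x46\x84\x13\xb2\xf5\x38\x20\x34\x7e"
         "\x2b\x56\x3a\xe5\x32\xb1\x1e\x12\x35\x7c\x80\x48\x5c\x01\x4a\xea\x80"
         "\xd6\xdb\x0a\x02\x6a\x90\xbf\x0a\xe4\x82\x85\x3f\x47\x5a\xc6\x76\x04"
         "\xb2\x16\x2c\x80\xab\x75\x2e\xda\x0f\x1d\xc5\xae\xc4",
         200);
  *(uint32_t*)0x200002a0 = 0;
  memset((void*)0x200002a4, 0, 28);
  /* 0xc100565c decodes as _IOWR('V', 92, 256); that matches the shape of
   * VIDIOC_CREATE_BUFS — confirm against <linux/videodev2.h>. */
  syscall(__NR_ioctl, r[0], 0xc100565c, 0x200001c0ul);
  return 0;
}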