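// https://syzkaller.appspot.com/bug?id=d6b35f18b0ac8eef35920dc40fabc8aa36288069
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-bug reproducer.  Run it only inside a disposable VM, as a throwaway
// unprivileged user, from an empty scratch directory: it never terminates, it
// starts up to 16 worker threads that replay the syscall sequence (the second
// pass of every iteration runs with `collide` set so calls overlap), and the
// sequence creates, renames and mknod()s files in the current directory and
// pokes at tty/pty ioctls, timerfd, inotify, SysV shared memory and sockets.
//
// The header names had been lost from the copy this file was taken from
// ("#include" with nothing after it); the list below is reconstructed from
// the APIs the code actually uses.  The raw ioctl/flag numbers are x86-64
// Linux ABI values, so the reproducer is not portable to other architectures.

#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/futex.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Open the slave side of the pty whose master is fd a0, with open flags a1.
   Returns the new fd, or (uintptr_t)-1 if a0 is not a pty master. */
static uintptr_t syz_open_pts(uintptr_t a0, uintptr_t a1)
{
  int ptyno = 0;
  if (ioctl((int)a0, TIOCGPTN, &ptyno))
    return -1;
  char path[128];
  /* bounded formatting; an int never needs more than 11 chars anyway */
  snprintf(path, sizeof path, "/dev/pts/%d", ptyno);
  return open(path, (int)a1, 0);
}

static void execute_one(void);
/* Declared by the syzkaller template; not referenced in this file. */
extern unsigned long long procid;

/* Replay the program forever. */
void loop(void)
{
  for (;;)
    execute_one();
}

struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of workers currently executing a call (relaxed counter, only used
   as a hint for how long the dispatcher should wait). */
static int running;
/* Set for the second pass of each iteration: every odd call is then fired
   without waiting for it to finish, so consecutive calls race each other. */
static int collide;

/* Worker thread: sleep on its own `running` flag until the dispatcher hands
   it a call index, run that call, then clear the flag and wake the dispatcher. */
static void *thr(void *arg)
{
  struct thread_t *th = arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    /* FUTEX_WAKE needs an explicit waiter count; the original left the
       argument off, so the kernel read whatever happened to be in that
       register.  One dispatcher waits on this word. */
    syscall(SYS_futex, &th->running, FUTEX_WAKE, 1);
  }
  return 0;
}

/* Dispatch calls 0..num_calls-1, one per idle worker.  Each call is normally
   awaited for up to 20 ms; with `collide` set the odd-numbered calls are not
   awaited, so they overlap the call that follows. */
static void execute(int num_calls)
{
  running = 0;
  for (int call = 0; call < num_calls; call++) {
    for (size_t i = 0; i < sizeof(threads) / sizeof(threads[0]); i++) {
      struct thread_t *th = &threads[i];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        /* A silently missing worker would make the reproducer look like it
           runs while skipping calls; fail loudly instead. */
        if (pthread_create(&th->th, &attr, thr, th) != 0) {
          perror("pthread_create");
          exit(1);
        }
        pthread_attr_destroy(&attr);
      }
      if (__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
        continue; /* still busy with an earlier call; try the next worker */
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
      syscall(SYS_futex, &th->running, FUTEX_WAKE, 1);
      if (collide && call % 2)
        break;
      struct timespec ts = { .tv_sec = 0, .tv_nsec = 20 * 1000 * 1000 };
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
      if (__atomic_load_n(&running, __ATOMIC_RELAXED))
        usleep(call == num_calls - 1 ? 10000 : 1000);
      break;
    }
  }
}

/* Results of earlier calls, consumed as arguments by later ones:
   r[0] timerfd; r[1] fd of ./file0 (once case 2 succeeds, this fd number is a
   dup of the timerfd); r[2] dup3() result; r[3] ./file0 opened O_NOFOLLOW;
   r[4] dup2() result; r[5] a 32-bit value read back out of the recvmmsg()
   buffer and then used as a socket fd; r[6] shmat() address; r[7] shmid.
   fds start out as -1 (invalid), the address/id slots as 0. */
uint64_t r[8] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0x0, 0x0};

/* Run one syscall of the program.  All pointer arguments are absolute
   addresses inside the 16 MiB region main() maps at 0x20000000; structures
   are built field by field at fixed offsets.  Return values are only
   recorded on success so a failed call leaves the previous r[] entry intact. */
static void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    /* clockid 7, flags 0x80800 = O_CLOEXEC|O_NONBLOCK */
    res = syscall(__NR_timerfd_create, 7, 0x80800);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    /* open("./file0", O_DIRECT|O_CLOEXEC, 0xd7) -- no O_CREAT, so this only
       succeeds once case 25/26 (or case 23) have created ./file0 */
    memcpy((void*)0x20000000, "./file0", 8);
    res = syscall(__NR_open, 0x20000000, 0x84000, 0xd7);
    if (res != -1)
      r[1] = res;
    break;
  case 2:
    /* dup3(timerfd, file fd, O_CLOEXEC): fd r[1] now names the timerfd, so
       the tty ioctls below in cases 4 and 6 are issued against a timerfd */
    res = syscall(__NR_dup3, r[0], r[1], 0x80000);
    if (res != -1)
      r[2] = res;
    break;
  case 3:
    /* openat(AT_FDCWD, "./file0", O_NOFOLLOW, 0x84) */
    memcpy((void*)0x20000040, "./file0", 8);
    res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x20000, 0x84);
    if (res != -1)
      r[3] = res;
    break;
  case 4:
    /* ioctl 0x5420 (TIOCPKT on x86-64) with *arg = 6 */
    *(uint32_t*)0x20000080 = 6;
    syscall(__NR_ioctl, r[1], 0x5420, 0x20000080);
    break;
  case 5:
    res = syscall(__NR_dup2, r[1], r[1]);
    if (res != -1)
      r[4] = res;
    break;
  case 6:
    /* ioctl 0x5407 (TCSETAW on x86-64) with a hand-built struct termio:
       c_iflag, c_oflag, c_cflag, c_lflag (u16 each), c_line, c_cc[8] */
    *(uint16_t*)0x200000c0 = 0xf6c;
    *(uint16_t*)0x200000c2 = 8;
    *(uint16_t*)0x200000c4 = 0xff;
    *(uint16_t*)0x200000c6 = 0;
    *(uint8_t*)0x200000c8 = 0x3c;
    *(uint8_t*)0x200000c9 = 6;
    *(uint8_t*)0x200000ca = 0;
    *(uint8_t*)0x200000cb = 0xe1;
    *(uint32_t*)0x200000cc = 0x80;
    *(uint8_t*)0x200000d0 = -1;
    syscall(__NR_ioctl, r[1], 0x5407, 0x200000c0);
    break;
  case 7:
    /* r[3] is a plain file fd, not an inotify fd; the fuzzer expects EINVAL */
    memcpy((void*)0x20000100, "./file1", 8);
    syscall(__NR_inotify_add_watch, r[3], 0x20000100, 0x2000000);
    break;
  case 8:
    /* setsockopt(r[2], level 0, optname 0x61, buf, 0x68): a 32-byte name
       field holding "filter", a u32 of 4, then eight zero u64s */
    memcpy((void*)0x20000140,
           "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00",
           32);
    *(uint32_t*)0x20000160 = 4;
    *(uint64_t*)0x20000168 = 0;
    *(uint64_t*)0x20000170 = 0;
    *(uint64_t*)0x20000178 = 0;
    *(uint64_t*)0x20000180 = 0;
    *(uint64_t*)0x20000188 = 0;
    *(uint64_t*)0x20000190 = 0;
    *(uint64_t*)0x20000198 = 0;
    *(uint64_t*)0x200001a0 = 0;
    syscall(__NR_setsockopt, r[2], 0, 0x61, 0x20000140, 0x68);
    break;
  case 9:
    /* fcntl(timerfd, F_SETSIG, 31) */
    syscall(__NR_fcntl, r[0], 0xa, 0x1f);
    break;
  case 10: {
    /* recvmmsg(r[4], msgvec, vlen=10, flags=0x10041, timeout={0,0}).
       msgvec is ten 64-byte struct mmsghdr entries starting at 0x20004100:
       msg_name +0x00, msg_namelen +0x08, msg_iov +0x10, msg_iovlen +0x18,
       msg_control +0x20, msg_controllen +0x28, msg_flags +0x30, msg_len +0x38.
       The iovec arrays and their buffers live lower in the mapping. */

    /* entry 0 @0x20004100: 4 iovecs @0x20000480 */
    *(uint64_t*)0x20004100 = 0;
    *(uint32_t*)0x20004108 = 0;
    *(uint64_t*)0x20004110 = 0x20000480;
    *(uint64_t*)0x20000480 = 0x200001c0;
    *(uint64_t*)0x20000488 = 0xbc;
    *(uint64_t*)0x20000490 = 0x20000280;
    *(uint64_t*)0x20000498 = 0xe8;
    *(uint64_t*)0x200004a0 = 0x20000380;
    *(uint64_t*)0x200004a8 = 0x49;
    *(uint64_t*)0x200004b0 = 0x20000400;
    *(uint64_t*)0x200004b8 = 0x5d;
    *(uint64_t*)0x20004118 = 4;
    *(uint64_t*)0x20004120 = 0x200004c0;
    *(uint64_t*)0x20004128 = 0x52;
    *(uint32_t*)0x20004130 = 0xfffffffd;
    *(uint32_t*)0x20004138 = 0xa23;

    /* entry 1 @0x20004140: 7 iovecs @0x20000a40 */
    *(uint64_t*)0x20004140 = 0x20000540;
    *(uint32_t*)0x20004148 = 0x80;
    *(uint64_t*)0x20004150 = 0x20000a40;
    *(uint64_t*)0x20000a40 = 0x200005c0;
    *(uint64_t*)0x20000a48 = 0x6e;
    *(uint64_t*)0x20000a50 = 0x20000640;
    *(uint64_t*)0x20000a58 = 0x7e;
    *(uint64_t*)0x20000a60 = 0x200006c0;
    *(uint64_t*)0x20000a68 = 0xe2;
    *(uint64_t*)0x20000a70 = 0x200007c0;
    *(uint64_t*)0x20000a78 = 0x80;
    *(uint64_t*)0x20000a80 = 0x20000840;
    *(uint64_t*)0x20000a88 = 0x7e;
    *(uint64_t*)0x20000a90 = 0x200008c0;
    *(uint64_t*)0x20000a98 = 0xc2;
    *(uint64_t*)0x20000aa0 = 0x200009c0;
    *(uint64_t*)0x20000aa8 = 0x77;
    *(uint64_t*)0x20004158 = 7;
    *(uint64_t*)0x20004160 = 0x20000ac0;
    *(uint64_t*)0x20004168 = 0xe7;
    *(uint32_t*)0x20004170 = 0x3f;
    *(uint32_t*)0x20004178 = 5;

    /* entry 2 @0x20004180: 6 iovecs @0x20001f80 */
    *(uint64_t*)0x20004180 = 0;
    *(uint32_t*)0x20004188 = 0;
    *(uint64_t*)0x20004190 = 0x20001f80;
    *(uint64_t*)0x20001f80 = 0x20000bc0;
    *(uint64_t*)0x20001f88 = 0x14;
    *(uint64_t*)0x20001f90 = 0x20000c00;
    *(uint64_t*)0x20001f98 = 0xee;
    *(uint64_t*)0x20001fa0 = 0x20000d00;
    *(uint64_t*)0x20001fa8 = 0xad;
    *(uint64_t*)0x20001fb0 = 0x20000dc0;
    *(uint64_t*)0x20001fb8 = 0xa8;
    *(uint64_t*)0x20001fc0 = 0x20000e80;
    *(uint64_t*)0x20001fc8 = 0x1000;
    *(uint64_t*)0x20001fd0 = 0x20001e80;
    *(uint64_t*)0x20001fd8 = 0xde;
    *(uint64_t*)0x20004198 = 6;
    *(uint64_t*)0x200041a0 = 0;
    *(uint64_t*)0x200041a8 = 0;
    *(uint32_t*)0x200041b0 = 2;
    *(uint32_t*)0x200041b8 = 0xa27;

    /* entry 3 @0x200041c0: 1 iovec @0x20002080 */
    *(uint64_t*)0x200041c0 = 0;
    *(uint32_t*)0x200041c8 = 0;
    *(uint64_t*)0x200041d0 = 0x20002080;
    *(uint64_t*)0x20002080 = 0x20002000;
    *(uint64_t*)0x20002088 = 0x4b;
    *(uint64_t*)0x200041d8 = 1;
    *(uint64_t*)0x200041e0 = 0x200020c0;
    *(uint64_t*)0x200041e8 = 0x15;
    *(uint32_t*)0x200041f0 = 0x400;
    *(uint32_t*)0x200041f8 = 0xfffffe00;

    /* entry 4 @0x20004200: 4 iovecs @0x20002440 */
    *(uint64_t*)0x20004200 = 0x20002100;
    *(uint32_t*)0x20004208 = 0x80;
    *(uint64_t*)0x20004210 = 0x20002440;
    *(uint64_t*)0x20002440 = 0x20002180;
    *(uint64_t*)0x20002448 = 0xf8;
    *(uint64_t*)0x20002450 = 0x20002280;
    *(uint64_t*)0x20002458 = 0xb7;
    *(uint64_t*)0x20002460 = 0x20002340;
    *(uint64_t*)0x20002468 = 0x97;
    *(uint64_t*)0x20002470 = 0x20002400;
    *(uint64_t*)0x20002478 = 0;
    *(uint64_t*)0x20004218 = 4;
    *(uint64_t*)0x20004220 = 0;
    *(uint64_t*)0x20004228 = 0;
    *(uint32_t*)0x20004230 = 7;
    *(uint32_t*)0x20004238 = 3;

    /* entry 5 @0x20004240: 1 iovec @0x20002600; its msg_name buffer at
       0x20002480 is where r[5] is read back from below */
    *(uint64_t*)0x20004240 = 0x20002480;
    *(uint32_t*)0x20004248 = 0x80;
    *(uint64_t*)0x20004250 = 0x20002600;
    *(uint64_t*)0x20002600 = 0x20002500;
    *(uint64_t*)0x20002608 = 0xe9;
    *(uint64_t*)0x20004258 = 1;
    *(uint64_t*)0x20004260 = 0;
    *(uint64_t*)0x20004268 = 0;
    *(uint32_t*)0x20004270 = 1;
    *(uint32_t*)0x20004278 = 8;

    /* entry 6 @0x20004280: 3 iovecs @0x20002900 */
    *(uint64_t*)0x20004280 = 0x20002640;
    *(uint32_t*)0x20004288 = 0x80;
    *(uint64_t*)0x20004290 = 0x20002900;
    *(uint64_t*)0x20002900 = 0x200026c0;
    *(uint64_t*)0x20002908 = 0x88;
    *(uint64_t*)0x20002910 = 0x20002780;
    *(uint64_t*)0x20002918 = 0xe5;
    *(uint64_t*)0x20002920 = 0x20002880;
    *(uint64_t*)0x20002928 = 0x42;
    *(uint64_t*)0x20004298 = 3;
    *(uint64_t*)0x200042a0 = 0x20002940;
    *(uint64_t*)0x200042a8 = 0x22;
    *(uint32_t*)0x200042b0 = 0xf0000000;
    *(uint32_t*)0x200042b8 = 0xcc;

    /* entry 7 @0x200042c0: 1 iovec @0x20002a40 */
    *(uint64_t*)0x200042c0 = 0x20002980;
    *(uint32_t*)0x200042c8 = 0x80;
    *(uint64_t*)0x200042d0 = 0x20002a40;
    *(uint64_t*)0x20002a40 = 0x20002a00;
    *(uint64_t*)0x20002a48 = 0xf;
    *(uint64_t*)0x200042d8 = 1;
    *(uint64_t*)0x200042e0 = 0x20002a80;
    *(uint64_t*)0x200042e8 = 0x9a;
    *(uint32_t*)0x200042f0 = 0;
    *(uint32_t*)0x200042f8 = 6;

    /* entry 8 @0x20004300: 1 iovec @0x20002c80 */
    *(uint64_t*)0x20004300 = 0x20002b40;
    *(uint32_t*)0x20004308 = 0x80;
    *(uint64_t*)0x20004310 = 0x20002c80;
    *(uint64_t*)0x20002c80 = 0x20002bc0;
    *(uint64_t*)0x20002c88 = 0x98;
    *(uint64_t*)0x20004318 = 1;
    *(uint64_t*)0x20004320 = 0x20002cc0;
    *(uint64_t*)0x20004328 = 0x2c;
    *(uint32_t*)0x20004330 = 0x800;
    *(uint32_t*)0x20004338 = 9;

    /* entry 9 @0x20004340: 5 iovecs @0x20004080 */
    *(uint64_t*)0x20004340 = 0x20002d00;
    *(uint32_t*)0x20004348 = 0x80;
    *(uint64_t*)0x20004350 = 0x20004080;
    *(uint64_t*)0x20004080 = 0x20002d80;
    *(uint64_t*)0x20004088 = 0xc7;
    *(uint64_t*)0x20004090 = 0x20002e80;
    *(uint64_t*)0x20004098 = 0xab;
    *(uint64_t*)0x200040a0 = 0x20002f40;
    *(uint64_t*)0x200040a8 = 0x71;
    *(uint64_t*)0x200040b0 = 0x20002fc0;
    *(uint64_t*)0x200040b8 = 0x1000;
    *(uint64_t*)0x200040c0 = 0x20003fc0;
    *(uint64_t*)0x200040c8 = 0x97;
    *(uint64_t*)0x20004358 = 5;
    *(uint64_t*)0x20004360 = 0;
    *(uint64_t*)0x20004368 = 0;
    *(uint32_t*)0x20004370 = 0x3f;
    *(uint32_t*)0x20004378 = 0x81;

    /* struct timespec timeout = {0, 0} */
    *(uint64_t*)0x20004380 = 0;
    *(uint64_t*)0x20004388 = 0;

    res = syscall(__NR_recvmmsg, r[4], 0x20004100, 0xa, 0x10041, 0x20004380);
    if (res != -1) {
      /* 0x2000248a is only 2-byte aligned: copy instead of a u32 load so the
         read is well-defined rather than relying on x86 tolerating it */
      uint32_t v;
      memcpy(&v, (const void*)0x2000248a, sizeof v);
      r[5] = v;
    }
    break;
  }
  case 11:
    /* fcntl(r[3], F_SETFD, FD_CLOEXEC) */
    syscall(__NR_fcntl, r[3], 2, 1);
    break;
  case 12:
    /* ioctl 0x40082404 = _IOW('$', 4, u64) with *arg = 0, on a regular-file fd */
    *(uint64_t*)0x200043c0 = 0;
    syscall(__NR_ioctl, r[3], 0x40082404, 0x200043c0);
    break;
  case 13:
    /* shmat(-1, 0x20fef000, 0x1000): invalid id, expected to fail */
    res = syscall(__NR_shmat, -1, 0x20fef000, 0x1000);
    if (res != -1)
      r[6] = res;
    break;
  case 14:
    syscall(__NR_shmdt, r[6]);
    break;
  case 15:
    /* shmget(key 0x798dd815, 16 KiB, IPC_CREAT) */
    res = syscall(__NR_shmget, 0x798dd815, 0x4000, 0x200, 0x20fef000);
    if (res != -1)
      r[7] = res;
    break;
  case 16:
    /* shmat(r[7], 0x20ff2000, 0x4000) -- attaches inside the fixed mapping */
    syscall(__NR_shmat, r[7], 0x20ff2000, 0x4000);
    break;
  case 17:
    /* ioctl 0x540e (TIOCSCTTY on x86-64) */
    syscall(__NR_ioctl, r[4], 0x540e, 0);
    break;
  case 18:
    /* fcntl(r[4], F_SETFL, O_APPEND) */
    syscall(__NR_fcntl, r[4], 4, 0x400);
    break;
  case 19:
    /* setsockopt(r[5], level 0x11, optname 0x64, &7, 4); r[5] is whatever
       recvmmsg left in the msg_name buffer, not a validated fd */
    *(uint32_t*)0x20004400 = 7;
    syscall(__NR_setsockopt, r[5], 0x11, 0x64, 0x20004400, 4);
    break;
  case 20:
    /* open the pts slave of r[2] O_RDWR (fails unless r[2] is a pty master) */
    syz_open_pts(r[2], 2);
    break;
  case 21:
    memcpy((void*)0x20004440, "./file1", 8);
    syscall(__NR_inotify_add_watch, r[3], 0x20004440, 0x1000104);
    break;
  case 22:
    /* openat(AT_FDCWD, "/dev/full", 0x200340, 0); the fd is never kept */
    memcpy((void*)0x20004480, "/dev/full", 10);
    syscall(__NR_openat, 0xffffffffffffff9c, 0x20004480, 0x200340, 0);
    break;
  case 23:
    /* mknod("./file0", S_IFSOCK|0004, dev 6) -- creates a node in the cwd */
    memcpy((void*)0x200044c0, "./file0", 8);
    syscall(__NR_mknod, 0x200044c0, 0xc004, 6);
    break;
  case 24:
    /* getsockopt(r[2], level 0, optname 0x480, buf, &len) with len = 0x40 */
    *(uint32_t*)0x20004540 = 0x40;
    syscall(__NR_getsockopt, r[2], 0, 0x480, 0x20004500, 0x20004540);
    break;
  case 25:
    /* rename("./file1", "./file0") -- replaces whatever ./file0 was */
    memcpy((void*)0x20004580, "./file1", 8);
    memcpy((void*)0x200045c0, "./file0", 8);
    syscall(__NR_rename, 0x20004580, 0x200045c0);
    break;
  case 26:
    /* creat("./file1", mode 1) */
    memcpy((void*)0x20004600, "./file1", 8);
    syscall(__NR_creat, 0x20004600, 1);
    break;
  default:
    break;
  }
}

/* One iteration: a sequential pass over all 27 calls, then a colliding pass. */
static void execute_one(void)
{
  execute(27);
  collide = 1;
  execute(27);
}

int main(void)
{
  /* 16 MiB read/write anonymous mapping at the fixed address 0x20000000
     (prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|
     MAP_ANONYMOUS).  Every buffer used by execute_call() lives here, so a
     failed mapping must not be allowed to turn into a silent SIGSEGV later. */
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
    perror("mmap");
    return 1;
  }
  for (;;)
    loop();
}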