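// https://syzkaller.appspot.com/bug?id=ed27fa17fde97218578a0f64a9cc69ccadfc8fb8
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-crash reproducer for the AF_ALG (user-space crypto API) socket
// family.  Eight threads race on one shared result table: one creates an
// AF_ALG "aead" socket bound to "seqiv(rfc4106(gcm(aes)))", one sets a
// 20-byte key, one accept()s the operation socket, and the rest push
// ALG_SET_OP / ALG_SET_AEAD_ASSOCLEN control messages, a 1-byte payload
// and a recvmsg() through it.  Thread ordering is deliberately left
// unsynchronized -- the race is part of the reproducer -- so the data
// races on r[] must not be "fixed"; only the launcher was tidied below.
//
// SAFETY: this program exists to crash a kernel.  Run it only in a
// disposable VM.  It loops forever and never exits on its own, and its
// MAP_FIXED mapping at 0x20000000 silently replaces anything already
// mapped there in the process.
//
// The header names were lost when this listing was extracted; the six
// includes below are exactly what the code uses (pthread_*, uintN_t,
// rand, memcpy/memset, __NR_*, syscall/usleep).
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static void test(void);

/* Syscall results, indexed the way syzkaller numbered them.  The table is
 * memset to -1 before each round, so a descriptor a thread has not produced
 * yet reads as -1 and its consumer fails with EBADF instead of reusing a
 * stale fd from the previous round. */
long r[48];

/* Runs race rounds forever; never returns. */
void loop(void)
{
    for (;;)
        test();
}

/* Thread body: `arg` selects one of the eight syzkaller program steps.
 * Every fixed address below lies inside the mapping made by step 0.  The
 * numeric constants are kept verbatim because the reproducer depends on
 * them; their decoded meaning is given in comments. */
void *thr(void *arg)
{
    switch ((long)arg) {
    case 0:
        /* mmap(0x20000000, 0xfff000, PROT_READ|PROT_WRITE (3),
         *      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0) */
        r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;

    case 1:
        /* socket(AF_ALG (38), SOCK_SEQPACKET (5), 0) */
        r[1] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);
        break;

    case 2:
        /* struct sockaddr_alg at 0x20f3b000 (88 bytes = 0x58):
         *   salg_family = AF_ALG, salg_type = "aead",
         *   salg_feat = salg_mask = 0,
         *   salg_name = "seqiv(rfc4106(gcm(aes)))".
         * r[1] may still be -1 if thread 1 has not run yet; bind() then
         * just fails with EBADF. */
        *(uint16_t *)0x20f3b000 = (uint16_t)0x26;
        memcpy((void *)0x20f3b002,
               "\x61\x65\x61\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
        *(uint32_t *)0x20f3b010 = (uint32_t)0x0;
        *(uint32_t *)0x20f3b014 = (uint32_t)0x0;
        memcpy((void *)0x20f3b018,
               "\x73\x65\x71\x69\x76\x28\x72\x66\x63\x34\x31\x30\x36\x28"
               "\x67\x63\x6d\x28\x61\x65\x73\x29\x29\x29\x00\x00\x00\x00"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               "\x00\x00\x00\x00\x00\x00\x00\x00", 64);
        r[7] = syscall(__NR_bind, r[1], 0x20f3b000ul, 0x58ul);
        break;

    case 3:
        /* setsockopt(r[1], SOL_ALG (0x117), ALG_SET_KEY (1), key, 20).
         * 20 bytes is the rfc4106 key size for AES-128: a 16-byte key
         * followed by a 4-byte salt.  The literal is kept in its original
         * pieces so that e.g. "\xce" "\x10" is not re-read as "\xce10". */
        memcpy((void *)0x20890fec,
               "\x79\x73\x39\x76\xd8\xc3\x0a\x4a\xea\xd9"
               "\x60\xf2\xbd\x08\xcf\xe6\x27\x85\xce"
               "\x10", 20);
        r[9] = syscall(__NR_setsockopt, r[1], 0x117ul, 0x1ul, 0x20890fecul,
                       0x14ul);
        break;

    case 4:
        /* accept(r[1], NULL, NULL): yields the AF_ALG operation socket. */
        r[10] = syscall(__NR_accept, r[1], 0x0ul, 0x0ul);
        break;

    case 5:
        /* sendmmsg(r[10], vec, 1, MSG_MORE (0x8000)) with one msghdr at
         * 0x204a6fc8: no name, an iov pointer but msg_iovlen = 0, and a
         * single 24-byte control message
         * { SOL_ALG, ALG_SET_OP (3), ALG_OP_ENCRYPT (1) }.  The trailing
         * mmsghdr.msg_len slot (0x204a7000) is left for the kernel to fill. */
        *(uint64_t *)0x204a6fc8 = (uint64_t)0x0;         /* msg_name */
        *(uint32_t *)0x204a6fd0 = (uint32_t)0x0;         /* msg_namelen */
        *(uint64_t *)0x204a6fd8 = (uint64_t)0x20bbe000;  /* msg_iov */
        *(uint64_t *)0x204a6fe0 = (uint64_t)0x0;         /* msg_iovlen */
        *(uint64_t *)0x204a6fe8 = (uint64_t)0x203aa000;  /* msg_control */
        *(uint64_t *)0x204a6ff0 = (uint64_t)0x18;        /* msg_controllen */
        *(uint32_t *)0x204a6ff8 = (uint32_t)0x0;         /* msg_flags */
        *(uint64_t *)0x203aa000 = (uint64_t)0x18;        /* cmsg_len */
        *(uint32_t *)0x203aa008 = (uint32_t)0x117;       /* cmsg_level */
        *(uint32_t *)0x203aa00c = (uint32_t)0x3;         /* cmsg_type */
        *(uint32_t *)0x203aa010 = (uint32_t)0x1;         /* ALG_OP_ENCRYPT */
        r[22] = syscall(__NR_sendmmsg, r[10], 0x204a6fc8ul, 0x1ul, 0x8000ul);
        break;

    case 6:
        /* recvmsg(r[10], &msg, 0): msg_name = 0x20276000 (8 bytes), one
         * iov { 0x20537fac, 16 }, msg_control = 0x20bdafd2 with
         * msg_controllen = 0. */
        *(uint64_t *)0x20539fc8 = (uint64_t)0x20276000;  /* msg_name */
        *(uint32_t *)0x20539fd0 = (uint32_t)0x8;         /* msg_namelen */
        *(uint64_t *)0x20539fd8 = (uint64_t)0x20a3bff0;  /* msg_iov */
        *(uint64_t *)0x20539fe0 = (uint64_t)0x1;         /* msg_iovlen */
        *(uint64_t *)0x20539fe8 = (uint64_t)0x20bdafd2;  /* msg_control */
        *(uint64_t *)0x20539ff0 = (uint64_t)0x0;         /* msg_controllen */
        *(uint32_t *)0x20539ff8 = (uint32_t)0x0;         /* msg_flags */
        *(uint64_t *)0x20a3bff0 = (uint64_t)0x20537fac;  /* iov_base */
        *(uint64_t *)0x20a3bff8 = (uint64_t)0x10;        /* iov_len */
        r[32] = syscall(__NR_recvmsg, r[10], 0x20539fc8ul, 0x0ul);
        break;

    case 7:
        /* sendmsg(r[10], &msg, MSG_MORE (0x8000)): one iov carrying the
         * single byte "d" plus a control message
         * { SOL_ALG, ALG_SET_AEAD_ASSOCLEN (4), 3 }.  An assoclen of 3
         * with only one byte of data is presumably the interesting input.
         * msg_flags is 0x84 as generated; sendmsg() takes its flags from
         * the separate argument, so the field is expected to be inert. */
        *(uint64_t *)0x203fffc8 = (uint64_t)0x0;         /* msg_name */
        *(uint32_t *)0x203fffd0 = (uint32_t)0x0;         /* msg_namelen */
        *(uint64_t *)0x203fffd8 = (uint64_t)0x20b11000;  /* msg_iov */
        *(uint64_t *)0x203fffe0 = (uint64_t)0x1;         /* msg_iovlen */
        *(uint64_t *)0x203fffe8 = (uint64_t)0x20f81000;  /* msg_control */
        *(uint64_t *)0x203ffff0 = (uint64_t)0x18;        /* msg_controllen */
        *(uint32_t *)0x203ffff8 = (uint32_t)0x84;        /* msg_flags */
        *(uint64_t *)0x20b11000 = (uint64_t)0x20fd2000;  /* iov_base */
        *(uint64_t *)0x20b11008 = (uint64_t)0x1;         /* iov_len */
        memcpy((void *)0x20fd2000, "\x64", 1);           /* "d" */
        *(uint64_t *)0x20f81000 = (uint64_t)0x18;        /* cmsg_len */
        *(uint32_t *)0x20f81008 = (uint32_t)0x117;       /* cmsg_level */
        *(uint32_t *)0x20f8100c = (uint32_t)0x4;         /* cmsg_type */
        *(uint32_t *)0x20f81010 = (uint32_t)0x3;         /* assoclen */
        r[47] = syscall(__NR_sendmsg, r[10], 0x203fffc8ul, 0x8000ul);
        break;

    default:
        break;
    }
    return 0;
}

/* One round: reset the result table, start the eight steps a few ms apart
 * so their interleaving varies, then let them run briefly.
 *
 * Threads are created detached.  The original never joined or detached
 * them, so every round leaked a joinable thread for the life of the
 * process; detaching changes nothing about what the threads do or when.
 * A failed pthread_create() is still ignored, as before -- the next round
 * simply retries.  rand() is left unseeded (seed 1), so the delay sequence
 * is the same on every run, which keeps the reproducer deterministic. */
static void test(void)
{
    pthread_attr_t attr;
    pthread_attr_t *attrp = NULL;
    pthread_t th;
    long i;

    memset(r, -1, sizeof(r));

    int have_attr = pthread_attr_init(&attr) == 0;
    if (have_attr &&
        pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED) == 0)
        attrp = &attr;

    for (i = 0; i < 8; i++) {
        pthread_create(&th, attrp, thr, (void *)i);
        usleep(rand() % 10000);
    }

    if (have_attr)
        pthread_attr_destroy(&attr);

    usleep(rand() % 100000);
}

int main(void)
{
    loop();
    return 0; /* not reached: loop() never returns */
}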