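// https://syzkaller.appspot.com/bug?id=f93280f18e5fabaec8bdc954cfc3ace45965971a
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-crash reproducer, not an application. It is the syscall program
// syzkaller found to trigger the bug referenced above, so everything that
// looks wrong for ordinary code (stores through fixed addresses, unchecked
// return values, racing the same calls from several threads) is deliberate
// fuzzer output and is kept as-is. Run it only inside a disposable VM whose
// kernel you intend to crash, never on a host you care about.
//
// The five calls (see execute_call) are, in order:
//   0: mmap 0xfff000 bytes (just under 16 MiB) at 0x20000000 with
//      MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (0x32); every fixed address used
//      below lies inside this mapping.
//   1: socket(AF_NETLINK=16, SOCK_DGRAM=2, NETLINK_XFRM=6)
//   2: sendmsg() of a 32-byte netlink message on that socket
//   3: socket(AF_INET6=10, SOCK_DGRAM=2, 0)
//   4: setsockopt(IPPROTO_IPV6=41, 35, <232-byte buffer>) on that socket;
//      35 is IPV6_XFRM_POLICY in the kernels I know — confirm against the
//      target kernel's <linux/in6.h>.
//
// Privilege note (hedged): both the NETLINK_XFRM request path and the
// IPV6_XFRM_POLICY setsockopt path are, as far as I know, gated on
// CAP_NET_ADMIN in the socket's user namespace, so this normally needs root
// or a user namespace with its own network namespace. Verify on the target.
//
// The #include lines below were restored from the names the program uses;
// the original header names were lost in extraction.
#define _GNU_SOURCE
#include <endian.h>
#include <linux/futex.h>
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// One worker thread. `running` doubles as the futex word the main thread
// and the worker hand off on; `call` is the index passed to execute_call.
struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;  // number of workers currently executing a call
static int collide;  // second pass: don't wait for odd-numbered calls, so
                     // calls N and N+1 race each other

// Worker body: sleep on the futex until the main thread hands us a call,
// execute it, then signal completion and go back to waiting. Never returns.
static void* thr(void* arg) {
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}

// Dispatch calls 0..num_calls-1, each to the first idle worker (creating
// workers lazily with a 128 KiB stack). After handing off a call the main
// thread waits up to 20 ms for it to finish and then pauses briefly if
// any worker is still busy; in collide mode odd-numbered calls are not
// waited for at all, so consecutive calls overlap.
static void execute(int num_calls) {
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
        continue;  // busy; try the next worker
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
      syscall(SYS_futex, &th->running, FUTEX_WAKE);
      if (collide && call % 2)
        break;
      struct timespec ts;
      ts.tv_sec = 0;
      ts.tv_nsec = 20 * 1000 * 1000;
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
      // `running` is written by workers with __atomic_fetch_sub; read it
      // atomically too so this is a plain relaxed load rather than a race.
      if (__atomic_load_n(&running, __ATOMIC_RELAXED))
        usleep((call == num_calls - 1) ? 10000 : 1000);
      break;
    }
  }
}

// Results of calls 1 and 3 (the two socket fds), shared across threads.
// loop() presets both to -1 before each run.
long r[2];

// The syscall program itself. All addresses are inside the mapping made by
// call 0; nothing checks that mmap succeeded, so if the fixed mapping is
// refused every later store is a wild write and the process SIGSEGVs before
// reaching the kernel path under test — a harness limitation, not the bug.
// Some stores (e.g. the 0x20d9efdf netlink header) are deliberately
// unaligned; that is fine on x86 but may fault on strict-alignment arches.
static void execute_call(int call) {
  switch (call) {
  case 0:
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
    break;
  case 1:
    r[0] = syscall(__NR_socket, 0x10, 2, 6);
    break;
  case 2:
    // struct msghdr at 0x20616fc8: msg_name=0x20000000 (namelen 0),
    // msg_iov=0x20664000 with msg_iovlen=1, msg_control=0x2061e000
    // (controllen 0), msg_flags=0.
    *(uint64_t*)0x20616fc8 = 0x20000000;
    *(uint32_t*)0x20616fd0 = 0;
    *(uint64_t*)0x20616fd8 = 0x20664000;
    *(uint64_t*)0x20616fe0 = 1;
    *(uint64_t*)0x20616fe8 = 0x2061e000;
    *(uint64_t*)0x20616ff0 = 0;
    *(uint32_t*)0x20616ff8 = 0;
    // iov[0] = { base 0x20d9efdf, len 0x20 }: a 32-byte netlink message
    // placed at an odd address.
    *(uint64_t*)0x20664000 = 0x20d9efdf;
    *(uint64_t*)0x20664008 = 0x20;
    // nlmsghdr: nlmsg_len=0x20, nlmsg_type=0x24, nlmsg_flags=1
    // (NLM_F_REQUEST), nlmsg_seq=0, nlmsg_pid=0x25dfdbfb, followed by 15
    // payload bytes; the 32nd byte is whatever the anonymous mapping holds.
    // 0x24 = XFRM_MSG_BASE(0x10)+20, which I read as XFRM_MSG_NEWSPDINFO —
    // confirm against <linux/xfrm.h> on the target kernel.
    *(uint32_t*)0x20d9efdf = 0x20;
    *(uint16_t*)0x20d9efe3 = 0x24;
    *(uint16_t*)0x20d9efe5 = 1;
    *(uint32_t*)0x20d9efe7 = 0;
    *(uint32_t*)0x20d9efeb = 0x25dfdbfb;
    memcpy((void*)0x20d9efef,
           "\x23\x00\xfb\x06\x0b\x00\x03\x00\x00\x00\x00\x00\xff\xff\xff", 15);
    syscall(__NR_sendmsg, r[0], 0x20616fc8, 0);
    break;
  case 3:
    r[1] = syscall(__NR_socket, 0xa, 2, 0);
    break;
  case 4:
    // 232 (0xe8) bytes at 0x20d51f18. The offsets below are consistent with
    // struct xfrm_userpolicy_info (168 bytes on 64-bit) followed by one
    // struct xfrm_user_tmpl (64 bytes) — confirm against the target UAPI.
    //
    // sel.daddr: first 4 bytes 172.20.0.187 (only these matter for AF_INET)
    *(uint8_t*)0x20d51f18 = 0xac;
    *(uint8_t*)0x20d51f19 = 0x14;
    *(uint8_t*)0x20d51f1a = 0;
    *(uint8_t*)0x20d51f1b = 0xbb;
    // sel.saddr: fe80::bb, although only the first 4 bytes (254.128.0.0)
    // are meaningful once family is AF_INET below
    *(uint8_t*)0x20d51f28 = 0xfe;
    *(uint8_t*)0x20d51f29 = 0x80;
    *(uint8_t*)0x20d51f2a = 0;
    *(uint8_t*)0x20d51f2b = 0;
    *(uint8_t*)0x20d51f2c = 0;
    *(uint8_t*)0x20d51f2d = 0;
    *(uint8_t*)0x20d51f2e = 0;
    *(uint8_t*)0x20d51f2f = 0;
    *(uint8_t*)0x20d51f30 = 0;
    *(uint8_t*)0x20d51f31 = 0;
    *(uint8_t*)0x20d51f32 = 0;
    *(uint8_t*)0x20d51f33 = 0;
    *(uint8_t*)0x20d51f34 = 0;
    *(uint8_t*)0x20d51f35 = 0;
    *(uint8_t*)0x20d51f36 = 0;
    *(uint8_t*)0x20d51f37 = 0xbb;
    // sel.dport / dport_mask / sport / sport_mask: port 20000 both ways,
    // masks 0
    *(uint16_t*)0x20d51f38 = htobe16(0x4e20);
    *(uint16_t*)0x20d51f3a = 0;
    *(uint16_t*)0x20d51f3c = htobe16(0x4e20);
    *(uint16_t*)0x20d51f3e = 0;
    // sel.family = 2 (AF_INET) on an AF_INET6 socket; prefixlen_d,
    // prefixlen_s, proto = 0
    *(uint16_t*)0x20d51f40 = 2;
    *(uint8_t*)0x20d51f42 = 0;
    *(uint8_t*)0x20d51f43 = 0;
    *(uint8_t*)0x20d51f44 = 0;
    // sel.ifindex, sel.user = 0
    *(uint32_t*)0x20d51f48 = 0;
    *(uint32_t*)0x20d51f4c = 0;
    // lft (8 x u64) and curlft (4 x u64): all zero
    *(uint64_t*)0x20d51f50 = 0;
    *(uint64_t*)0x20d51f58 = 0;
    *(uint64_t*)0x20d51f60 = 0;
    *(uint64_t*)0x20d51f68 = 0;
    *(uint64_t*)0x20d51f70 = 0;
    *(uint64_t*)0x20d51f78 = 0;
    *(uint64_t*)0x20d51f80 = 0;
    *(uint64_t*)0x20d51f88 = 0;
    *(uint64_t*)0x20d51f90 = 0;
    *(uint64_t*)0x20d51f98 = 0;
    *(uint64_t*)0x20d51fa0 = 0;
    *(uint64_t*)0x20d51fa8 = 0;
    // priority = 0, index = 0x6e6bb0, dir/action/flags/share = 0
    *(uint32_t*)0x20d51fb0 = 0;
    *(uint32_t*)0x20d51fb4 = 0x6e6bb0;
    *(uint8_t*)0x20d51fb8 = 0;
    *(uint8_t*)0x20d51fb9 = 0;
    *(uint8_t*)0x20d51fba = 0;
    *(uint8_t*)0x20d51fbb = 0;
    // template: id.daddr 172.20.0.170, id.spi 0x4d2 (big-endian),
    // id.proto 0, family 0, saddr zero, reqid 0x34ff, mode/share/optional 0,
    // aalgos/ealgos/calgos 0
    *(uint8_t*)0x20d51fc0 = 0xac;
    *(uint8_t*)0x20d51fc1 = 0x14;
    *(uint8_t*)0x20d51fc2 = 0;
    *(uint8_t*)0x20d51fc3 = 0xaa;
    *(uint32_t*)0x20d51fd0 = htobe32(0x4d2);
    *(uint8_t*)0x20d51fd4 = 0;
    *(uint16_t*)0x20d51fd8 = 0;
    *(uint8_t*)0x20d51fdc = 0;
    *(uint8_t*)0x20d51fdd = 0;
    *(uint8_t*)0x20d51fde = 0;
    *(uint8_t*)0x20d51fdf = 0;
    *(uint8_t*)0x20d51fe0 = 0;
    *(uint8_t*)0x20d51fe1 = 0;
    *(uint8_t*)0x20d51fe2 = 0;
    *(uint8_t*)0x20d51fe3 = 0;
    *(uint8_t*)0x20d51fe4 = 0;
    *(uint8_t*)0x20d51fe5 = 0;
    *(uint8_t*)0x20d51fe6 = 0;
    *(uint8_t*)0x20d51fe7 = 0;
    *(uint8_t*)0x20d51fe8 = 0;
    *(uint8_t*)0x20d51fe9 = 0;
    *(uint8_t*)0x20d51fea = 0;
    *(uint8_t*)0x20d51feb = 0;
    *(uint32_t*)0x20d51fec = 0x34ff;
    *(uint8_t*)0x20d51ff0 = 0;
    *(uint8_t*)0x20d51ff1 = 0;
    *(uint8_t*)0x20d51ff2 = 0;
    *(uint32_t*)0x20d51ff4 = 0;
    *(uint32_t*)0x20d51ff8 = 0;
    *(uint32_t*)0x20d51ffc = 0;
    syscall(__NR_setsockopt, r[1], 0x29, 0x23, 0x20d51f18, 0xe8);
    break;
  default:
    // Only 0..4 are generated; anything else is a harness bug, ignore it.
    break;
  }
}

// Run the program twice: once sequentially, once with consecutive calls
// allowed to race (collide mode). Socket fds start out as -1.
void loop() {
  memset(r, -1, sizeof(r));
  execute(5);
  collide = 1;
  execute(5);
}

int main() {
  loop();
  return 0;
}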