// https://syzkaller.appspot.com/bug?id=4f84384a2ca04a1b1cc8447a418778cf2ec42d07
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len)                                  \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                      \
  if ((bf_off) == 0 && (bf_len) == 0) {                                        \
    *(type*)(addr) = (type)(val);                                              \
  } else {                                                                     \
    type new_val = *(type*)(addr);                                             \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                     \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);          \
    *(type*)(addr) = new_val;                                                  \
  }

static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
            (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

static void execute_one();
extern unsigned long long procid;

void loop()
{
  while (1) {
    execute_one();
  }
}

#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_set_thread_area
#define __NR_set_thread_area 243
#endif
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

uint64_t r[1] = {0xffffffffffffffff};
unsigned long long procid;
void execute_one()
{
  long res = 0;
  memcpy((void*)0x20000100, "/dev/binder#", 13);
  res = syz_open_dev(0x20000100, 0, 0);
  if (res != -1)
    r[0] = res;
  *(uint64_t*)0x20000040 = 0x44;
  *(uint64_t*)0x20000048 = 0;
  *(uint64_t*)0x20000050 = 0x200003c0;
  *(uint32_t*)0x200003c0 = 0x40406300;
  *(uint32_t*)0x200003c4 = 1;
  *(uint32_t*)0x200003c8 = 0;
  *(uint64_t*)0x200003cc = 0;
  *(uint32_t*)0x200003d4 = 0;
  *(uint32_t*)0x200003d8 = 0;
  *(uint32_t*)0x200003dc = 0;
  *(uint32_t*)0x200003e0 = 0;
  *(uint64_t*)0x200003e4 = 0;
  *(uint64_t*)0x200003ec = 0;
  *(uint64_t*)0x200003f4 = 0x20000280;
  *(uint64_t*)0x200003fc = 0x200002c0;
  *(uint64_t*)0x20000058 = 0;
  *(uint64_t*)0x20000060 = 0;
  *(uint64_t*)0x20000068 = 0x20000080;
  syscall(__NR_ioctl, r[0], 0xc0306201, 0x20000040);
  *(uint32_t*)0x20000000 = 8;
  *(uint32_t*)0x20000004 = 0x20000000;
  *(uint32_t*)0x20000008 = 0;
  STORE_BY_BITMASK(uint32_t, 0x2000000c, 8, 0, 1);
  STORE_BY_BITMASK(uint32_t, 0x2000000c, -1, 1, 2);
  STORE_BY_BITMASK(uint32_t, 0x2000000c, 0xfffffff9, 3, 1);
  STORE_BY_BITMASK(uint32_t, 0x2000000c, 0xc000000, 4, 1);
  STORE_BY_BITMASK(uint32_t, 0x2000000c, 1, 5, 1);
  STORE_BY_BITMASK(uint32_t, 0x2000000c, 4, 6, 1);
  STORE_BY_BITMASK(uint32_t, 0x2000000c, 7, 7, 1);
  syscall(__NR_set_thread_area, 0x20000000);
}

int main()
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  for (procid = 0; procid < 8; procid++) {
    if (fork() == 0) {
      for (;;) {
        loop();
      }
    }
  }
  sleep(1000000);
  return 0;
}