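// https://syzkaller.appspot.com/bug?id=28bc35dd6f026b2878e30804670f6f0c39932f16
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Single-threaded reproducer: opens /dev/loop5, creates a memfd and makes
// it sparse with one pwritev() at 512 KiB, attaches the memfd as the loop
// device's backing file (LOOP_SET_FD), pushes a loop_info64 whose lo_offset
// is 2 bytes (LOOP_SET_STATUS64), then sendfile()s from the memfd into the
// loop device. As in every syzkaller reproducer the results of the fuzzed
// syscalls are deliberately not checked.
//
// NOTE(review): the header names were lost in extraction; the includes
// below are the standard headers the identifiers in this file require.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Open a device node the way syzkaller's syz_open_dev pseudo-syscall does.
 *
 * a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 *   (major and minor truncated to 8 bits) with O_RDWR.
 * otherwise: a0 is a NUL-terminated path template; each '#' in it, left to
 *   right, is replaced by the next decimal digit of a1 starting with the
 *   least significant one, and the result is opened with flags a2.
 *
 * Returns the descriptor from open(), or open()'s -1 widened to uintptr_t
 * (i.e. (uintptr_t)-1) when the open fails.
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        /* bounded write; the longest result, "/dev/block/255:255", fits */
        snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
                 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    }

    char buf[1024];
    /* truncating copy that is always NUL-terminated (strncpy is not) */
    snprintf(buf, sizeof buf, "%s", (const char *)a0);
    char *hash;
    while ((hash = strchr(buf, '#')) != NULL) {
        *hash = '0' + (char)(a1 % 10);
        a1 /= 10;
    }
    return open(buf, (int)a2, 0);
}

#ifndef __NR_memfd_create
/* fallback for headers predating memfd_create(); 319 is the x86_64 number */
#define __NR_memfd_create 319
#endif

/* descriptors created by loop(): r[0] = loop device, r[1] = memfd */
long r[2];

/* Runs the reproducer once. All absolute addresses below lie inside the
 * fixed scratch mapping at 0x20000000 that syzkaller reproducers use. */
void loop(void)
{
    memset(r, -1, sizeof(r));

    /* PROT_READ|PROT_WRITE (0x3), MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32).
     * Every store below targets this mapping, so fail loudly rather than
     * SIGSEGV if it cannot be established. */
    if (syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                0xfffffffffffffffful, 0x0ul) == -1) {
        perror("mmap");
        exit(1);
    }

    /* "/dev/loop#" with a1 = 5 -> "/dev/loop5", flags 0x2 = O_RDWR */
    memcpy((void*)0x20977ff5, "/dev/loop#", 11);
    r[0] = syz_open_dev(0x20977ff5ul, 0x5ul, 0x2ul);

    /* memfd_create("\xff\xf8", 0): the future backing file of the loop dev */
    memcpy((void*)0x20000000, "\xff\xf8", 2);
    r[1] = syscall(__NR_memfd_create, 0x20000000ul, 0x0ul);

    /* pwritev(memfd, {iov_base = 0x20607f0d, iov_len = 1}, 1, 0x80000):
     * a single byte at 512 KiB, leaving the memfd sparse */
    *(uint64_t*)0x2060bfa0 = (uint64_t)0x20607f0d;
    *(uint64_t*)0x2060bfa8 = (uint64_t)0x1;
    memcpy((void*)0x20607f0d, "\x98", 1);
    syscall(__NR_pwritev, r[1], 0x2060bfa0ul, 0x1ul, 0x80000ul);

    /* LOOP_SET_FD (0x4c00): attach the memfd as the loop device's backing file */
    syscall(__NR_ioctl, r[0], 0x4c00ul, r[1]);

    /* struct loop_info64 at 0x20e5b000, field offsets as in the uapi
     * header; consumed by LOOP_SET_STATUS64 (0x4c04) below */
    *(uint64_t*)0x20e5b000 = (uint64_t)0x0;     /* lo_device */
    *(uint64_t*)0x20e5b008 = (uint64_t)0x0;     /* lo_inode */
    *(uint64_t*)0x20e5b010 = (uint64_t)0x0;     /* lo_rdevice */
    *(uint64_t*)0x20e5b018 = (uint64_t)0x2;     /* lo_offset: 2, not sector aligned */
    *(uint64_t*)0x20e5b020 = (uint64_t)0x9ee7;  /* lo_sizelimit */
    *(uint32_t*)0x20e5b028 = (uint32_t)0x0;     /* lo_number */
    *(uint32_t*)0x20e5b02c = (uint32_t)0x7;     /* lo_encrypt_type */
    *(uint32_t*)0x20e5b030 = (uint32_t)0x13;    /* lo_encrypt_key_size */
    *(uint32_t*)0x20e5b034 = (uint32_t)0x0;     /* lo_flags */
    /* lo_file_name[64]: fuzzer-chosen bytes, not a NUL-terminated name */
    memcpy((void*)0x20e5b038,
           "\xa4\xa3\x0a\x66\xcc\x54\x26\x36\x9a\xe9\x79\xca\x7a\xe6\x20"
           "\xa7\xcd\xc8\x5e\xb7\xd4\xc5\x22\x47\x87\x73\x40\xc2\x2e\x1a"
           "\x09\x9f\x4f\x7f\x9a\xea\x20\xe1\x6b\x5c\x6f\xd3\x04\xd0\xa2"
           "\x19\x51\xa4\x41\xb2\x8c\x27\xe2\x0e\xe4\xb1\xac\x12\x15\xa6"
           "\x50\x4e\x4e\xb1",
           64);
    /* lo_crypt_name[64] */
    memcpy((void*)0x20e5b078,
           "\x61\x71\x5a\xab\x84\x9f\x52\x46\xb0\x9b\x90\xd4\x06\xbd\xce"
           "\x0f\xf0\x58\xda\x4e\xf8\xa2\x25\xdf\x29\x12\x9c\x1e\x4a\x78"
           "\x98\x82\x5f\xfa\xc2\x8d\xba\x61\x59\xeb\x09\x80\x62\x1b\xe2"
           "\xc1\x55\x8f\x57\xa2\xc0\xdd\xd8\x71\x2b\x93\x4d\x03\xd7\x3c"
           "\x36\x1f\x35\x7d",
           64);
    /* lo_encrypt_key[32] */
    memcpy((void*)0x20e5b0b8,
           "\x70\x91\xd5\xc1\x96\x0b\xcf\x0a\x9f\xf3"
           "\xb9\x7e\xcc\x15\x42\xbe\xfd\x16\x91\xba"
           "\x82\x86\x57\xde\x3c\x9a\x8d\x46\xdf\xaf"
           "\x07\x5a",
           32);
    *(uint64_t*)0x20e5b0d8 = (uint64_t)0xc16;   /* lo_init[0] */
    *(uint64_t*)0x20e5b0e0 = (uint64_t)0x7;     /* lo_init[1] */
    syscall(__NR_ioctl, r[0], 0x4c04ul, 0x20e5b000ul);

    /* sendfile(out_fd = loop dev, in_fd = memfd, offset = &0, count 0x3df1) */
    *(uint64_t*)0x203f4000 = (uint64_t)0x0;
    syscall(__NR_sendfile, r[0], r[1], 0x203f4000ul, 0x3df1ul);
}

int main(void)
{
    loop();
    return 0;
}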