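// https://syzkaller.appspot.com/bug?id=6dcd14a729df98f989c7b76d254226ae67084efd
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer: maps a fixed region, builds a device path and a request
// payload inside it, opens /dev/sg0 and write(2)s the payload to it.

#define _GNU_SOURCE

// NOTE(review): the header names were lost when this listing was extracted
// (nine bare "#include" directives survived). The list below is reconstructed
// from the identifiers this file actually uses, not copied from the original.
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Open a device node in the two forms syzkaller's syz_open_dev() supports.
 *
 * a0 == 0xc or 0xb: a0 selects "char" or "block", a1/a2 are the major/minor
 *   numbers (truncated to uint8_t); the node "/dev/<char|block>/<a1>:<a2>"
 *   is opened O_RDWR.
 * otherwise: a0 is a pointer to a NUL-terminated path template in which
 *   every '#' is replaced, left to right, by successive decimal digits of a1
 *   (least significant first); a2 is passed to open() as the flags.
 *
 * Returns the open() result (an fd, or -1 with errno set) widened to
 * uintptr_t, as the generator expects.
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		/* Two uint8_t values cannot overflow 128 bytes, but bound the
		 * write anyway instead of relying on sprintf(). */
		snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
			 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	}

	char buf[1024];
	/* strncpy reads at most sizeof buf source bytes; the explicit
	 * terminator covers the case where it did not NUL-terminate. */
	strncpy(buf, (const char *)a0, sizeof buf);
	buf[sizeof buf - 1] = 0;
	char *hash;
	while ((hash = strchr(buf, '#'))) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(buf, a2, 0);
}

#ifndef __NR_write
#define __NR_write 4
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
/* The generated file unconditionally re-points mmap at mmap2, so the 192
 * fallback above is dead. __NR_mmap2 exists only on 32-bit Linux ABIs
 * (i386, arm, ...), so this file is not meant to build for x86_64. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Syscall results the generator wanted to reuse; r[0] is the device fd. */
long r[1];

/*
 * One iteration of the reproducer. All return values are deliberately
 * ignored, as in the generated original: the point is the kernel-side
 * effect of the write(2), not the userspace result.
 */
void loop(void)
{
	memset(r, -1, sizeof r);
	/* Anonymous RW mapping at a fixed address, 0x20000000..0x20fff000.
	 * prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|
	 * MAP_ANONYMOUS (Linux values). Every address touched below lies inside
	 * this range, and bytes never assigned stay zero (fresh mapping). */
	syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
	/* Path template: a1 == 0 makes syz_open_dev() turn '#' into '0', i.e.
	 * "/dev/sg0"; a0 is an address, so the template branch is taken; a2 == 2
	 * is O_RDWR on Linux. */
	memcpy((void*)0x20000000, "/dev/sg#", 9);
	r[0] = syz_open_dev(0x20000000, 0, 2);
	/* Request payload at 0x20e6f000, stored field by field exactly as
	 * generated. The layout is presumably the sg driver's request header
	 * for its write(2) interface; not verified here. */
	*(uint8_t*)0x20e6f000 = 0;
	*(uint8_t*)0x20e6f001 = 0;
	*(uint8_t*)0x20e6f002 = 0;
	*(uint8_t*)0x20e6f003 = 0;
	*(uint32_t*)0x20e6f004 = 0;
	*(uint32_t*)0x20e6f008 = 0;
	*(uint8_t*)0x20e6f00c = 0;
	*(uint8_t*)0x20e6f00d = 0;
	*(uint8_t*)0x20e6f00e = 0;
	*(uint8_t*)0x20e6f00f = 1;
	*(uint32_t*)0x20e6f010 = 0x10000;
	*(uint32_t*)0x20e6f014 = 8;
	*(uint8_t*)0x20e6f01c = 0xd;
	*(uint8_t*)0x20e6f01d = 3;
	*(uint8_t*)0x20e6f01e = 7;
	*(uint8_t*)0x20e6f01f = 9;
	*(uint32_t*)0x20e6f020 = 0x80000001;
	*(uint8_t*)0x20e6f028 = 2;
	*(uint8_t*)0x20e6f029 = 0;
	*(uint8_t*)0x20e6f02a = 1;
	*(uint8_t*)0x20e6f02b = 7;
	*(uint32_t*)0x20e6f02c = 0;
	*(uint32_t*)0x20e6f030 = 0x2009a000;
	*(uint8_t*)0x20e6f038 = 8;
	*(uint8_t*)0x20e6f039 = 2;
	*(uint8_t*)0x20e6f03a = 0x12;
	*(uint8_t*)0x20e6f03b = 0x7f;
	*(uint32_t*)0x20e6f03c = 0xff;
	*(uint8_t*)0x20e6f044 = 0;
	*(uint8_t*)0x20e6f045 = 0x3d;
	*(uint8_t*)0x20e6f046 = 8;
	*(uint8_t*)0x20e6f047 = 0xb5;
	*(uint8_t*)0x20e6f048 = 1;
	*(uint32_t*)0x20e6f04c = 0xfffffff9;
	*(uint32_t*)0x20e6f050 = 0;
	*(uint8_t*)0x20e6f054 = 0x47;
	*(uint8_t*)0x20e6f055 = 0;
	*(uint8_t*)0x20e6f056 = 0;
	*(uint8_t*)0x20e6f057 = 0xf8;
	*(uint32_t*)0x20e6f058 = 0x77359400;
	*(uint32_t*)0x20e6f05c = 0;
	*(uint8_t*)0x20e6f060 = 0;
	*(uint8_t*)0x20e6f061 = 3;
	*(uint8_t*)0x20e6f062 = 0x7f;
	*(uint8_t*)0x20e6f063 = 9;
	*(uint32_t*)0x20e6f064 = 0;
	*(uint32_t*)0x20e6f068 = 0x200c1f17;
	*(uint8_t*)0x20e6f070 = 0x5b;
	*(uint8_t*)0x20e6f071 = 7;
	*(uint8_t*)0x20e6f072 = 0xf9;
	*(uint8_t*)0x20e6f073 = -1; /* stored as 0xff (well-defined conversion) */
	*(uint32_t*)0x20e6f074 = 0x77359400;
	*(uint32_t*)0x20e6f078 = 0;
	*(uint8_t*)0x20e6f07c = -1; /* stored as 0xff */
	*(uint8_t*)0x20e6f07d = 0;
	*(uint8_t*)0x20e6f07e = 0x75;
	*(uint8_t*)0x20e6f07f = 0xce;
	*(uint8_t*)0x20e6f080 = 9;
	*(uint8_t*)0x20e6f081 = 3;
	*(uint8_t*)0x20e6f082 = 0x6e;
	*(uint8_t*)0x20e6f083 = 0x6e;
	/* 0xf0 bytes starting at 0x20e6f000 (0x20e6f000..0x20e6f0ef, still
	 * inside the mapping) go to the device, followed by a zero-length read. */
	syscall(__NR_write, r[0], 0x20e6f000, 0xf0);
	syscall(__NR_read, r[0], 0x2097a000, 0);
}

int main(void)
{
	loop();
	return 0;
}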