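// https://syzkaller.appspot.com/bug?id=4462682cd32aee8ff03a43c8b9be3963743bc506
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller report linked above.  It maps a fixed
// scratch region, opens a SCSI generic device node ("/dev/sg#"), issues one
// writev() with two iovecs (49 and 228 bytes) and then one readv() of
// 0x36 bytes on that descriptor.  Payload bytes and scratch addresses are
// reproduced exactly as syzkaller emitted them; only headers, bounds checks
// and comments were added.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * syz_open_dev - syzkaller's device-opening pseudo-syscall.
 *
 * @a0: either the magic value 0xc (char) / 0xb (block), or the address of a
 *      NUL-terminated path template in which every '#' is replaced by a
 *      decimal digit of @a1.
 * @a1: major number (magic form) or the device index expanded into the
 *      '#' placeholders (template form).  Digits are taken least
 *      significant first, so a template with a single '#' gets a1 % 10.
 * @a2: minor number (magic form) or the open(2) flags (template form).
 *
 * Returns the open(2) result widened to uintptr_t; a failed open is
 * therefore (uintptr_t)-1.  The descriptor is owned by the caller.
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		/* "/dev/block/255:255" is 18 chars; 128 is ample, but bound it anyway. */
		char buf[128];
		snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
			 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	}

	char buf[1024];
	/* strncpy does not guarantee termination; the explicit NUL fixes that. */
	strncpy(buf, (const char *)a0, sizeof buf);
	buf[sizeof buf - 1] = 0;

	/* Expand every '#' with the next decimal digit of a1, lowest first. */
	for (char *hash = strchr(buf, '#'); hash; hash = strchr(buf, '#')) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(buf, a2, 0);
}

/* Syscall results, indexed as syzkaller numbered them (r[0], r[2], r[9], r[12]). */
long r[13];

/*
 * loop - run the reproduction sequence once.
 *
 * All scratch data lives inside the fixed mapping at 0x20000000 (0xfff000
 * bytes, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED).  Note
 * that the second writev buffer (0x20049f1c, 228 bytes) overlaps the first
 * (0x20049fcc, 49 bytes); the copy order below is what syzkaller produced
 * and determines the bytes the kernel actually sees.
 */
void loop(void)
{
	memset(r, -1, sizeof r);

	r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
		       0xfffffffffffffffful, 0x0ul);
	/* Without the mapping every fixed-address store below would fault. */
	if (r[0] == -1) {
		perror("mmap");
		return;
	}

	/* Path template "/dev/sg#", NUL-terminated, ending exactly at a page boundary. */
	memcpy((void *)0x20012ff7, "\x2f\x64\x65\x76\x2f\x73\x67\x23\x00", 9);
	r[2] = syz_open_dev(0x20012ff7ul, 0x0ul, 0x2ul); /* "/dev/sg0", O_RDWR */

	/* struct iovec[2] for writev: {0x20049fcc, 49}, {0x20049f1c, 228}. */
	*(uint64_t *)0x20028fe0 = (uint64_t)0x20049fcc;
	*(uint64_t *)0x20028fe8 = (uint64_t)0x31;
	*(uint64_t *)0x20028ff0 = (uint64_t)0x20049f1c;
	*(uint64_t *)0x20028ff8 = (uint64_t)0xe4;

	memcpy((void *)0x20049fcc,
	       "\xcf\x42\x0e\x6d\x0c\xd5\x50\xe6\x16\xdd"
	       "\x86\xa7\xda\x4a\x6b\xb8\x30\x95\x9d\x07"
	       "\x6d\x1e\xf7\xf6\x7d\x67\x2a\x4c\x43\x3b"
	       "\x3b\x50\xf0\x84\xc4\xea\x94\x89\xb7\x1a"
	       "\x9f\x75\x99\xb0\xec\x91\x04\xb8\x8f",
	       49);
	memcpy((void *)0x20049f1c,
	       "\xb2\xf2\xb2\x32\x34\xb5\xff\x50\x3d\xf9\xfa\x1a\x4b\x59\x2e"
	       "\xef\x67\x3d\xf4\xbd\x57\xae\xdc\x4c\x47\x07\x3f\xa4\x7e\x3d"
	       "\xcf\xdc\x03\x5a\x65\x71\x40\xc8\x7f\x3c\xa9\xff\xb5\xec\xa7"
	       "\x41\x51\x8c\xf9\x3b\xa6\x14\xca\x6f\x52\x9f\x47\x84\x9f\x82"
	       "\x30\xad\xbc\xb5\xdd\xb9\x22\xc3\xc8\xb5\xf9\xde\x20\x09\x6c"
	       "\xb2\x3d\x24\x3a\x78\x21\xde\x1e\xa2\x3a\xe6\x92\x3f\x91\xac"
	       "\xa1\xac\x90\xd6\x22\xd9\x2f\x2d\xc2\x8f\x7e\x4d\x37\xa7\x74"
	       "\xfa\x30\x26\xb1\x2f\x60\xf2\x47\x84\x6f\x70\x12\xea\x02\x01"
	       "\x9a\x43\x5d\x79\x59\x5c\x7c\xe1\x3b\xd4\x7c\xdf\x52\xf1\x87"
	       "\x4e\xa1\x18\xdc\xd0\xf8\x9b\x81\x79\xb9\x7a\xfa\xd2\x1c\xe9"
	       "\x35\xc2\x11\xc6\xad\x8b\x0d\xa8\x57\xf8\x60\x70\x75\x0c\xf8"
	       "\xa0\x50\x18\xdd\x6d\xda\xf3\x46\x3e\xc2\x86\x49\x34\x6d\x7b"
	       "\x4d\x43\xd2\x7e\x27\xc0\xaf\x4f\xf2\x55\x9b\x8e\x8e\xa7\x71"
	       "\x29\x17\x55\x05\xc2\xdf\x8d\xec\xa2\xb4\x4a\xda\x0d\x9d\x1d"
	       "\x39\x36\xe3\x88\x31\x2e\xa9\x86\xc6\x8d\xf3\x5f\xc8\xef\x0c"
	       "\xb8\xa6\x36",
	       228);
	r[9] = syscall(__NR_writev, r[2], 0x20028fe0ul, 0x2ul);

	/* struct iovec[1] for readv: {0x20477000, 0x36}. */
	*(uint64_t *)0x20346ff0 = (uint64_t)0x20477000;
	*(uint64_t *)0x20346ff8 = (uint64_t)0x36;
	r[12] = syscall(__NR_readv, r[2], 0x20346ff0ul, 0x1ul);
}

int main(void)
{
	loop();
	return 0;
}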