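// https://syzkaller.appspot.com/bug?id=e2dc9aea0465d1eea101bb24cb463e2a7efe7d17
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller-reported kernel bug linked above.  The harness
// part (doexit/fail/exitf/current_time_ms/use_temporary_dir/remove_dir/loop)
// is syzkaller's generic executor scaffolding; test() holds the generated
// syscall sequence.  Changes from the generated text: the header names, which
// were lost when the page was extracted, are restored from the identifiers the
// code uses; a format string that had no argument for its "%s" is fixed;
// sprintf() is replaced by a bounded snprintf(); prototypes carry (void).
// The syscall sequence and every buffer byte are kept exactly as generated.

#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Terminate the whole thread group with `status`.  exit_group() never returns;
// the endless loop only keeps the compiler from warning about a noreturn
// function that falls off the end.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

// Exit codes the syzkaller manager interprets: kFailStatus marks a hard
// failure of the reproducer itself, kRetryStatus asks for another attempt.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Print a printf-style message plus errno to stderr and exit.  Transient
// resource errors (ENOMEM/EAGAIN) map to kRetryStatus, everything else to
// kFailStatus.  errno is captured first because vfprintf may clobber it.
static void fail(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Like fail(), but always exits with kRetryStatus.
static void exitf(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

// Monotonic clock in milliseconds; used only to bound how long loop() waits
// for a child.  Exits via fail() if clock_gettime() fails.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Create a fresh ./syzkaller.XXXXXX directory, make it world-writable and
// chdir into it, so everything the reproducer creates is confined there.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

// Recursively delete `dir`.  Entries that are busy are lazily unmounted
// (umount2 MNT_DETACH) before retrying, because a child may have left mounts
// behind; read-only filesystems are skipped.  Each unlink/rmdir is attempted
// up to ~100 times, and the whole directory walk is restarted up to 100 times
// if rmdir reports ENOTEMPTY.  Any other failure exits via exitf().
static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EMFILE) {
      // Fix: the generated code passed no argument for this "%s", which is
      // undefined behaviour in vfprintf().
      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
    }
    exitf("opendir(%s) failed", dir);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    if (lstat(filename, &st))
      exitf("lstat(%s) failed", filename);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exitf("unlink(%s) failed", filename);
      if (umount2(filename, MNT_DETACH))
        exitf("umount(%s) failed", filename);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exitf("umount(%s) failed", dir);
        continue;
      }
      if (errno == ENOTEMPTY) {
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exitf("rmdir(%s) failed", dir);
  }
}

static void test(void);

// Run test() forever, once per iteration, each time in a forked child that
// works inside its own ./<iter> directory and its own process group.  The
// child is killed (whole group, then pid) if it has not exited after 5 s;
// the iteration directory is removed afterwards.  PR_SET_PDEATHSIG makes the
// child die with the parent.
void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[256];
    // Bounded write; "./%d" cannot overflow 256 bytes, but snprintf makes
    // that explicit.
    snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      fail("failed to mkdir");
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      if (chdir(cwdbuf))
        fail("failed to chdir");
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    remove_dir(cwdbuf);
  }
}

// Results of the generated syscalls, indexed by syzkaller's call number.
// Initialised to -1 so an index that is never assigned reads as "failed".
long r[70];

// The generated syscall sequence.  Reading guide (Linux constants as they
// appear on this page): 0x26 = AF_ALG, 0x5 = SOCK_SEQPACKET, 0x117 = SOL_ALG;
// the sockaddr is 0x58 bytes (salg_type "skcipher", salg_name "salsa20").
// All user memory lives in the fixed mapping created by the first call.
static void test(void)
{
  memset(r, -1, sizeof(r));
  // mmap(0x20000000, 0xfff000, PROT_READ|PROT_WRITE (0x3),
  //      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0)
  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  r[1] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);
  r[2] = syscall(__NR_close, r[1]);
  // NOTE(review): r[1] was closed just above.  socket() normally returns the
  // lowest free descriptor, so r[3] probably reuses r[1]'s number; the later
  // bind()/accept() on r[1] therefore very likely act on this socket.  Kept
  // as generated.
  r[3] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);
  // struct sockaddr_alg at 0x20219fa8: family, type, feat, mask, name.
  *(uint16_t*)0x20219fa8 = (uint16_t)0x26;
  memcpy((void*)0x20219faa,
         "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
  *(uint32_t*)0x20219fb8 = (uint32_t)0x0;
  *(uint32_t*)0x20219fbc = (uint32_t)0x0;
  memcpy((void*)0x20219fc0,
         "\x73\x61\x6c\x73\x61\x32\x30\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00",
         64);
  r[9] = syscall(__NR_bind, r[1], 0x20219fa8ul, 0x58ul);
  // 16-byte key for setsockopt(SOL_ALG, ALG_SET_KEY (0x1)).
  memcpy((void*)0x20001f3a,
         "\xad\x56\xb6\xc5\x82\x0f\xae\xb9\x95\x29"
         "\x89\x92\xea\x54\xc7\xbe",
         16);
  r[11] = syscall(__NR_setsockopt, r[3], 0x117ul, 0x1ul, 0x20001f3aul, 0x10ul);
  r[12] = syscall(__NR_accept, r[1], 0x0ul, 0x0ul);
  // struct msghdr at 0x202fefc8: no name, one iovec, 0x78 bytes of control
  // data (five 0x18-byte cmsg records), msg_flags 0x1.
  *(uint64_t*)0x202fefc8 = (uint64_t)0x0;
  *(uint32_t*)0x202fefd0 = (uint32_t)0x0;
  *(uint64_t*)0x202fefd8 = (uint64_t)0x20985000;
  *(uint64_t*)0x202fefe0 = (uint64_t)0x1;
  *(uint64_t*)0x202fefe8 = (uint64_t)0x20632f70;
  *(uint64_t*)0x202feff0 = (uint64_t)0x78;
  *(uint32_t*)0x202feff8 = (uint32_t)0x1;
  // iovec: 0x39d (925) bytes at 0x20a59000.
  *(uint64_t*)0x20985000 = (uint64_t)0x20a59000;
  *(uint64_t*)0x20985008 = (uint64_t)0x39d;
  memcpy(
      (void*)0x20a59000,
      "\x8b\x65\xca\xa2\x48\x81\xe0\x85\x8f\xea\xdb\xf4\x2d\xe0\x93\x60"
      "\x03\xe4\x50\x49\x3b\xa9\xc5\xe9\x7a\x51\xc1\xa2\x51\x11\x6c\x91"
      "\x2a\x6f\x5d\xb5\xcc\x0c\xa0\xc8\xa3\xe4\xe4\x99\x13\xe2\xd9\xec"
      "\x9b\xad\x61\xb4\x57\x84\xf9\xea\x09\xfb\x67\x4b\x40\xbd\x74\xf7"
      "\x28\xbc\x15\xae\xf9\x07\x02\x11\x02\x5f\x29\x32\x30\xd7\x83\x76"
      "\x89\x2d\xad\x76\x4a\x3a\x4f\x02\x76\x38\xf8\x59\x71\xed\x42\xd7"
      "\x6b\x49\x92\x13\xc9\x31\xff\x83\x1b\x6e\x88\x37\x60\xdb\xec\xf9"
      "\x0a\xdc\x29\x39\x75\xc3\xaf\x79\xd5\xa2\x18\xad\xfe\xa8\xb9\x20"
      "\x48\x07\x74\x27\x5b\x85\xfd\x84\x80\x07\xe5\x6e\x78\x10\x20\x6e"
      "\x3c\x53\x2b\x02\xdf\xd5\xa3\x22\xbf\x4e\xcb\x30\x65\x14\x2a\xca"
      "\x3a\x94\xb3\xc0\xf4\x03\x59\x75\x83\x84\x7e\x63\x34\x79\xe7\x9f"
      "\xa0\x63\xd8\xc2\x00\x9f\xc9\xf3\xf1\x70\x28\xd4\xc5\x8e\x2c\x40"
      "\xa2\xc2\x51\x39\x32\xfe\xa8\x58\x8a\x4b\x7e\x1d\xd7\x23\x1f\x27"
      "\x9e\xe8\xe5\xcf\x45\x43\x29\xad\x53\x31\xca\x4f\xc4\xa8\xa7\x38"
      "\x19\xb0\xff\xfc\xae\xbb\x66\xd9\x08\x3c\xc4\xac\xca\x47\x45\x5b"
      "\x80\xa7\xcf\xff\x97\xae\x01\xb1\xf3\x9e\xaa\xa1\x53\x25\xa0\xdc"
      "\x77\x65\x2e\x26\x0e\xa2\x3f\x79\xcc\x25\x86\x1f\xb0\x0d\xe3\xe9"
      "\x28\x59\x44\x11\xb1\x64\x1a\x6a\xf6\x02\x0a\x6d\x77\xaa\x02\x29"
      "\xcd\xa6\x0e\x97\xb0\x5f\x7e\xa7\x61\xd0\x24\x11\x29\xa9\xb1\x96"
      "\xd5\x6d\x47\xa2\xb1\x1e\x5d\xa5\xab\x07\xf5\x0b\xc7\xb4\x74\x80"
      "\x64\xc6\x91\x19\xb6\x28\x42\x05\xf7\x07\xa1\xe6\x21\x01\x84\x68"
      "\x32\x87\x31\xec\x6a\x01\x7c\xfa\x96\x5c\x10\x7d\x0a\xeb\x3c\xd7"
      "\x0b\x94\x41\x40\x51\x7c\x84\xb0\x93\x99\x5d\xef\x87\xa6\xf4\x60"
      "\xc0\xe2\x5d\x4b\xbe\x00\xc8\x60\x12\xcd\x1d\x62\xf9\xbd\x41\x7f"
      "\x55\x8a\x7e\xa1\xf4\x06\x1f\xde\x9f\x5a\x18\x4c\x62\xba\x7b\x92"
      "\xf7\x85\xf0\xd9\x39\xa7\x04\x95\x45\x7c\xdb\xa2\x88\xe2\x17\x97"
      "\xce\xd8\x71\x95\x07\x93\x68\x8f\x80\x13\x51\x0d\xd9\x26\x7d\xa7"
      "\x93\x51\xba\xc5\xcd\x12\x95\x97\x02\x78\x84\x97\xa3\x5f\xde\x8d"
      "\x5f\x88\x8d\xae\x98\x8c\x0b\x06\xfd\x87\xc8\xec\xc7\xca\xb2\x34"
      "\x5b\x17\xcd\x55\x8c\x3f\xcb\x87\xc9\x60\x21\xe8\x63\x15\x6b\xc9"
      "\xcb\x42\x63\x4a\xcf\x6b\xf8\xd6\xc4\x65\xc6\xe0\x70\x09\xde\xfe"
      "\x8d\xb9\xd8\x40\x2c\x30\x98\x4f\xf7\x1a\x0a\xa4\x89\x71\x6f\xa3"
      "\xe7\x75\x4d\xe5\xbe\xee\x6e\x1e\x6a\xca\x60\x0c\x04\xf3\xc6\xad"
      "\xd7\x9a\x1f\xb2\xd9\x87\xb5\x96\xa5\x29\xcf\x4a\x0e\x7a\x74\x60"
      "\x07\x78\xb6\xf1\xe1\xc1\xa4\x09\xf9\x8b\x5b\xbf\xd8\xa7\x3f\x55"
      "\xe4\x48\xd3\x0f\xa6\x25\x09\xef\x17\xee\x43\x70\xdd\x33\x98\x02"
      "\x26\x7a\x16\xf6\x00\x96\xb7\x8e\x36\x95\x4a\xe0\x21\x34\x35\x51"
      "\x8b\x20\x2e\x1a\x80\x02\x8a\x72\xc0\x2e\xb8\xd9\x41\xaf\x73\x10"
      "\xcd\xfd\x2a\x79\x6d\x4a\x87\x0b\xe4\x71\x51\x3d\x5e\x9e\x4c\x40"
      "\xbc\x5c\xde\x7c\xe9\x17\x66\xff\x01\x54\x3c\xae\x00\xf4\x37\x1e"
      "\xcf\x1d\x97\x2a\x57\x5f\xc9\x6c\x44\xf7\x66\x30\x45\xd2\xa9\xdd"
      "\x2d\xb6\x3e\xd6\x25\xee\xf1\x28\xda\x06\xa6\x58\x0a\xd6\xb2\xa3"
      "\x4f\x0c\x33\xe9\xe0\x3b\xb8\x07\xf5\x6e\xae\x0b\x79\x0c\x58\xa1"
      "\xc4\x7c\x4f\xbb\xd0\x57\x95\xde\xc7\x79\x6d\xc2\xfb\x1b\xfd\xe8"
      "\xf1\x25\x65\x83\xf7\xcd\x95\xb1\x05\x8b\xb0\xe5\x72\x8f\x58\xe8"
      "\x69\x88\xc2\x02\x72\x47\x05\xe0\xa8\x16\x35\xc6\x95\x81\xea\xfa"
      "\x3b\xd0\x3e\x29\xda\x8a\xc4\x4b\x8f\xaf\xcf\x9a\xf8\x84\x84\xa8"
      "\x1c\xf6\x45\x42\x1f\x73\x8d\xb8\x24\x90\x95\x2c\xf4\x9b\xd3\x18"
      "\x93\x41\x79\xcc\x44\x86\xa6\x1b\xd4\x75\x7e\x3f\x1d\x71\x10\x0f"
      "\x06\xc0\x38\x4e\x85\x87\xe2\x60\x8f\x93\x9e\x26\x9b\x30\x34\x69"
      "\x6f\x29\xd3\x51\xb0\x81\xe0\x3f\xe2\x23\x46\xa7\x6d\x2d\xa1\x12"
      "\x48\xec\x48\xfc\x35\x0b\x6e\xf7\x3a\xc4\xdb\x20\x68\x80\xe0\x59"
      "\x06\xe3\x44\x81\xca\x0c\xfe\x11\x2c\xdc\x9a\x0e\xb8\x23\x8f\x18"
      "\xa9\xf5\x79\xad\xa4\x01\x47\xaa\x2c\xe1\x36\x9e\x06\xc1\x11\xac"
      "\xb6\xb9\x47\x3d\xbc\xbf\x7b\x56\x97\x46\x4d\x69\xe7\x25\x98\x9b"
      "\x6a\x11\x0f\xdc\xde\x87\xb5\x7e\x0d\xef\xde\xc8\xe8\x61\xc7\x1a"
      "\xe6\xca\xf3\x8e\xdb\x67\xbf\xc8\xcf\x26\x65\x65\x58\xb2\x8b\x0d"
      "\x8c\x16\xc0\x48\x49\xb5\x05\x74\x73\x3a\x03\x2e\xe5",
      925);
  // Five cmsg records (cmsg_len 0x18, cmsg_level 0x117 = SOL_ALG):
  // three of cmsg_type 0x3 and two of cmsg_type 0x4, each carrying one
  // 32-bit value.
  *(uint64_t*)0x20632f70 = (uint64_t)0x18;
  *(uint32_t*)0x20632f78 = (uint32_t)0x117;
  *(uint32_t*)0x20632f7c = (uint32_t)0x3;
  *(uint32_t*)0x20632f80 = (uint32_t)0x1;
  *(uint64_t*)0x20632f88 = (uint64_t)0x18;
  *(uint32_t*)0x20632f90 = (uint32_t)0x117;
  *(uint32_t*)0x20632f94 = (uint32_t)0x3;
  *(uint32_t*)0x20632f98 = (uint32_t)0x0;
  *(uint64_t*)0x20632fa0 = (uint64_t)0x18;
  *(uint32_t*)0x20632fa8 = (uint32_t)0x117;
  *(uint32_t*)0x20632fac = (uint32_t)0x3;
  *(uint32_t*)0x20632fb0 = (uint32_t)0x0;
  *(uint64_t*)0x20632fb8 = (uint64_t)0x18;
  *(uint32_t*)0x20632fc0 = (uint32_t)0x117;
  *(uint32_t*)0x20632fc4 = (uint32_t)0x4;
  // (uint32_t)0x100000000 truncates to 0 -- kept exactly as generated.
  *(uint32_t*)0x20632fc8 = (uint32_t)0x100000000;
  *(uint64_t*)0x20632fd0 = (uint64_t)0x18;
  *(uint32_t*)0x20632fd8 = (uint32_t)0x117;
  *(uint32_t*)0x20632fdc = (uint32_t)0x4;
  *(uint32_t*)0x20632fe0 = (uint32_t)0x3;
  r[43] = syscall(__NR_sendmsg, r[12], 0x202fefc8ul, 0x1ul);
  // struct msghdr at 0x20b2f000 for recvmsg: 0x10-byte name buffer, nine
  // iovecs at 0x204f3f73 (unaligned), empty control buffer, msg_flags 0x36d.
  *(uint64_t*)0x20b2f000 = (uint64_t)0x208e8000;
  *(uint32_t*)0x20b2f008 = (uint32_t)0x10;
  *(uint64_t*)0x20b2f010 = (uint64_t)0x204f3f73;
  *(uint64_t*)0x20b2f018 = (uint64_t)0x9;
  *(uint64_t*)0x20b2f020 = (uint64_t)0x20590000;
  *(uint64_t*)0x20b2f028 = (uint64_t)0x0;
  *(uint32_t*)0x20b2f030 = (uint32_t)0x36d;
  // Nine (iov_base, iov_len) pairs; all lengths are 0 except the last (0xc6).
  *(uint64_t*)0x204f3f73 = (uint64_t)0x20366000;
  *(uint64_t*)0x204f3f7b = (uint64_t)0x0;
  *(uint64_t*)0x204f3f83 = (uint64_t)0x20b66000;
  *(uint64_t*)0x204f3f8b = (uint64_t)0x0;
  *(uint64_t*)0x204f3f93 = (uint64_t)0x20284f81;
  *(uint64_t*)0x204f3f9b = (uint64_t)0x0;
  *(uint64_t*)0x204f3fa3 = (uint64_t)0x20978000;
  *(uint64_t*)0x204f3fab = (uint64_t)0x0;
  *(uint64_t*)0x204f3fb3 = (uint64_t)0x203d3f81;
  *(uint64_t*)0x204f3fbb = (uint64_t)0x0;
  *(uint64_t*)0x204f3fc3 = (uint64_t)0x20ca3000;
  *(uint64_t*)0x204f3fcb = (uint64_t)0x0;
  *(uint64_t*)0x204f3fd3 = (uint64_t)0x203aaf16;
  *(uint64_t*)0x204f3fdb = (uint64_t)0x0;
  *(uint64_t*)0x204f3fe3 = (uint64_t)0x2089bff9;
  *(uint64_t*)0x204f3feb = (uint64_t)0x0;
  *(uint64_t*)0x204f3ff3 = (uint64_t)0x203bc000;
  *(uint64_t*)0x204f3ffb = (uint64_t)0xc6;
  r[69] = syscall(__NR_recvmsg, r[12], 0x20b2f000ul, 0x42ul);
}

// Entry point: confine all artifacts to a temporary directory, then run the
// reproducer loop.  loop() never returns normally.
int main(void)
{
  use_temporary_dir();
  loop();
  return 0;
}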