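// https://syzkaller.appspot.com/bug?id=6eac9890f5b21f7971b7ebc3dd6124f16ec5444a
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer layout: main() maps a fixed scratch region at 0x20000000, then
// execute() dispatches the six syscalls in execute_call() onto a small pool
// of worker threads with deliberately short waits so that the calls can
// overlap. Every syscall argument is a raw address inside that scratch region.

#define _GNU_SOURCE

#include <endian.h>
#include <linux/futex.h>
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* One worker slot. `running` doubles as the futex word: 1 while the worker
 * owns a call, 0 while idle. `call` is the execute_call() case to run. */
struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of workers currently executing a call; incremented by the dispatcher,
 * decremented by the worker when its call returns. */
static int running;

/* Worker body: block on the slot's futex until dispatched, run the call, mark
 * the slot idle and wake the dispatcher. Loops forever. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    /* Explicit wake count: at most the dispatcher waits on this word. The
     * generated code passed no count, leaving the kernel's `val` argument to
     * whatever the third argument register happened to hold. */
    syscall(SYS_futex, &th->running, FUTEX_WAKE, 1);
  }
  return 0;
}

/* Dispatch calls 0..num_calls-1, each onto the first idle worker (workers are
 * created lazily). After each dispatch wait at most 20 ms for the worker to
 * finish; if any worker is still busy, sleep 1 ms (10 ms after the last call)
 * before moving on. A call for which no idle slot exists is dropped, as in
 * the generated code. */
static void execute(int num_calls)
{
  running = 0;
  for (int call = 0; call < num_calls; call++) {
    for (size_t thread = 0; thread < sizeof(threads) / sizeof(threads[0]);
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        int rc = pthread_create(&th->th, &attr, thr, th);
        pthread_attr_destroy(&attr);
        if (rc != 0)
          continue; /* slot has no worker; try the next one */
        th->created = 1;
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
        syscall(SYS_futex, &th->running, FUTEX_WAKE, 1);
        /* Bounded wait: the worker may still be inside the syscall when this
         * returns, which is what lets the next call race with it. */
        struct timespec ts = {.tv_sec = 0, .tv_nsec = 20 * 1000 * 1000};
        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
        if (__atomic_load_n(&running, __ATOMIC_RELAXED))
          usleep((call == num_calls - 1) ? 10000 : 1000);
        break;
      }
    }
  }
}

/* r[0]: file descriptor returned by call 0, consumed by calls 1-5.
 * Starts as -1 so the later calls fail cleanly if socket() never ran. */
uint64_t r[1] = {0xffffffffffffffff};

/* Run one numbered syscall of the reproducer. All structures are written
 * field by field into the fixed mapping; offsets match x86-64 struct layouts. */
static void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    /* socket(AF_INET6 (0xa), SOCK_RAW (3), protocol 0x3c) */
    res = syscall(__NR_socket, 0xa, 3, 0x3c);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    /* 0x1c-byte sockaddr at 0x20000300, laid out like sockaddr_in6:
     * family 0xa, port 0, flowinfo 0, address 0:...:1, scope_id 0. */
    *(uint16_t*)0x20000300 = 0xa;
    *(uint16_t*)0x20000302 = htobe16(0);
    *(uint32_t*)0x20000304 = 0;
    *(uint64_t*)0x20000308 = htobe64(0);
    *(uint64_t*)0x20000310 = htobe64(1);
    *(uint32_t*)0x20000318 = 0;
    syscall(__NR_connect, r[0], 0x20000300, 0x1c);
    break;
  case 2:
    /* msghdr at 0x200000c0: no name, iov pointer set but msg_iovlen 0,
     * control buffer at 0x20000140 with length 0; flags 0xc100. */
    *(uint64_t*)0x200000c0 = 0;
    *(uint32_t*)0x200000c8 = 0;
    *(uint64_t*)0x200000d0 = 0x20000200;
    *(uint64_t*)0x200000d8 = 0;
    *(uint64_t*)0x200000e0 = 0x20000140;
    *(uint64_t*)0x200000e8 = 0;
    *(uint32_t*)0x200000f0 = 0;
    syscall(__NR_sendmsg, r[0], 0x200000c0, 0xc100);
    break;
  case 3:
    /* setsockopt at level 0x29 (SOL_IPV6), option 0x4a, 4-byte value 0x398 */
    *(uint32_t*)0x20000400 = 0x398;
    syscall(__NR_setsockopt, r[0], 0x29, 0x4a, 0x20000400, 4);
    break;
  case 4:
    /* msghdr at 0x200004c0: 0x80-byte name buffer at 0x20000040, zero iovecs,
     * 0x28-byte control buffer at 0x20000480. */
    *(uint64_t*)0x200004c0 = 0x20000040;
    *(uint32_t*)0x200004c8 = 0x80;
    *(uint64_t*)0x200004d0 = 0x20000400;
    *(uint64_t*)0x200004d8 = 0;
    *(uint64_t*)0x200004e0 = 0x20000480;
    *(uint64_t*)0x200004e8 = 0x28;
    *(uint32_t*)0x200004f0 = 0;
    syscall(__NR_recvmsg, r[0], 0x200004c0, 0);
    break;
  case 5:
    /* msghdr at 0x20000a40: no name, one iovec at 0x20000100 pointing to the
     * 725-byte (0x2d5) payload copied to 0x20000500, control buffer at
     * 0x20003b40 with length 0. */
    *(uint64_t*)0x20000a40 = 0;
    *(uint32_t*)0x20000a48 = 0;
    *(uint64_t*)0x20000a50 = 0x20000100;
    *(uint64_t*)0x20000100 = 0x20000500;
    memcpy(
        (void*)0x20000500,
        "\xd0\x9a\x0e\x63\xc9\x47\x62\x88\xb6\x71\xaf\xdb\xd5\x3a\x59\x94\xe1"
        "\x37\x38\x1f\x62\x02\x1d\x19\x51\xb6\x27\xb8\xdd\xa5\x7a\x5d\x17\xd7"
        "\x44\x64\x8c\x81\xc5\x70\x3e\xd8\x14\x6a\xb1\xb0\x17\x1f\x89\x09\x1b"
        "\x1d\xd3\x23\x8d\x03\xdb\xb6\x86\xdf\x46\x09\x63\x24\x5d\xed\xf2\x01"
        "\x3e\xe5\x55\xaf\x99\x49\x9e\x44\xad\x42\x0d\xbf\x65\xfd\x46\xfb\xc9"
        "\x9a\x12\x74\x42\x9e\x2d\x57\x83\x75\x18\x15\x82\x8e\xc8\xcb\x35\x53"
        "\x11\x0c\xca\x66\x46\x02\x15\x35\x3d\x19\xf6\xd8\xbb\xd8\xfb\x26\x4e"
        "\xdd\xea\x60\xb1\x8e\x16\xc3\x1a\xa5\xe2\x00\x00\x04\x91\x63\x4a\xc2"
        "\xfd\x10\xe2\xcd\x30\xbc\xd7\xfe\xde\x24\x26\x3a\x7f\xff\x16\xe5\x3e"
        "\xa2\x93\xf3\x55\x1b\x71\x47\xc3\x3a\x44\xea\x43\x7f\xb1\x51\x5c\x3e"
        "\x8d\x4f\x16\x2f\xde\xbf\x8e\xbe\x11\xae\x6f\xcd\x93\x72\xc8\xd8\xf1"
        "\x95\x56\xae\x09\x1f\xe9\x42\x15\xae\x94\x34\xda\x41\x2f\x6f\xa4\xcb"
        "\x65\x61\xe5\xf7\x8f\xf9\x70\x78\x44\xee\x5d\x57\x3f\xb2\x94\x43\x77"
        "\x22\xd9\xa0\x6d\xfa\x61\x74\x8c\x32\xc7\x3d\x75\x99\x33\xa8\xdd\x34"
        "\x4c\x94\x7d\x3e\xfd\xbe\x90\xd0\xeb\x04\x9d\xf5\xfb\xb0\xc1\x9f\x67"
        "\x85\x26\x4b\x61\x9c\x53\x0d\x97\x39\x5d\x44\xb0\x4f\x7e\x2a\x28\x0d"
        "\x65\x8c\x78\x71\xad\x37\x3b\x79\x26\x78\xc4\x92\x27\x99\x96\x51\xef"
        "\x3b\x2e\xe1\xbc\x2b\x8f\x30\x35\xdb\x37\x6e\x8e\x09\xaa\x38\x37\x23"
        "\x3c\x87\x13\x06\x5a\x8a\xd1\x31\xd2\x4f\x6c\x42\xa3\x22\x0d\x0e\x07"
        "\xc3\xd3\xe9\x5d\x59\xa5\xdd\x10\xc0\x97\x16\xb5\xf8\x74\xec\xf5\x3a"
        "\xad\xfa\x50\x50\xff\x40\xf2\xc3\xc4\xa6\x29\xb6\x44\x5e\x58\x36\x10"
        "\x0a\xff\xf5\xa8\x97\x75\x83\x65\x3b\x40\xca\x31\x6f\x8f\x11\x41\x6e"
        "\x5c\x1b\xd5\x49\x96\x36\xdd\xae\x25\xfc\x49\x70\xb3\x72\x09\xcf\x5c"
        "\x0b\xf8\xe4\x32\x16\x0c\x25\x8d\x14\x22\x3b\xaa\x52\x79\x8e\x09\x85"
        "\x86\x45\x77\x3d\xd9\x7e\x68\xa9\x53\x10\x72\x71\x3c\xff\x07\x7b\x2e"
        "\x73\xe0\x3e\xd4\xf1\x45\xe9\x19\x9c\x12\x6a\x7f\x23\x5e\x56\x74\xa3"
        "\xc7\xf5\xc7\x12\x9a\xc7\xc1\xa3\x31\x95\x90\x24\x9b\x6d\x34\xef\x6c"
        "\x3d\x8b\x94\xc6\xfc\x7c\xdc\xbd\xdb\x05\x32\x43\x05\x3f\x7b\xc1\xf2"
        "\x30\xd3\xbc\x7d\xfc\x43\x59\xe3\x39\x92\xd0\xa3\x94\x6b\x91\x4a\x09"
        "\x32\x87\xa7\x6a\xc4\xa2\x49\xb5\xb8\x6c\xc7\x54\x76\x46\x6e\x40\x95"
        "\x53\x35\x5f\xef\xab\x75\xe9\x26\x8a\x87\x51\xff\xc9\x48\x1f\xcf\xf1"
        "\xf4\x9c\x47\x56\x99\x59\x5b\x31\x5e\x21\x47\xee\xbe\x8b\x72\x91\x60"
        "\x0c\x6b\x1c\xf7\xc8\xf2\x4d\x58\x7b\x94\x64\xa6\x7e\x5c\xce\xc1\x78"
        "\x20\xe7\x11\xb9\x8f\x4f\x7d\x50\x53\x64\x20\x68\xa3\xff\xf7\x04\xc3"
        "\xfe\x35\xba\x86\x2b\x53\xe2\x62\x2d\x6e\x8b\x4a\x4c\x81\x5f\xb2\xea"
        "\x90\xef\x63\xe1\x41\x20\x9d\xd2\x92\x54\xe5\xab\x5b\xde\x9c\x68\x57"
        "\xb3\xcb\x18\x45\x86\x04\x9e\x77\x41\xb2\xd8\xb5\xb1\xa1\x9e\x99\xe1"
        "\x83\x4a\x25\x95\x91\x55\x72\x0c\x1c\x0e\xf8\x4d\x9d\x3c\x42\xe1\xba"
        "\x28\x28\x47\xd4\x76\xce\xf0\x22\x8b\x14\x22\xab\xa0\x8e\x5f\x3c\x1c"
        "\xd2\x79\xbb\xd1\xc5\x30\x3c\x2e\x9c\x16\xa0\xda\x4f\x88\xf7\x70\xfc"
        "\xa1\x18\xb0\x9e\x92\xb5\x1a\x33\x97\x0e\x32\xad\xe0\xc7\x4e\xee\x1b"
        "\x31\xa4\x20\xd7\x91\x4c\x9d\x75\xdb\x25\x85\x5a\xe3\x27\x98\xed\xc1"
        "\xb4\x7e\x0f\x0f\x88\x42\x9b\x2b\x60\xae\x63",
        725);
    *(uint64_t*)0x20000108 = 0x2d5;
    *(uint64_t*)0x20000a58 = 1;
    *(uint64_t*)0x20000a60 = 0x20003b40;
    *(uint64_t*)0x20000a68 = 0;
    *(uint32_t*)0x20000a70 = 0;
    syscall(__NR_sendmsg, r[0], 0x20000a40, 0);
    break;
  default:
    /* execute() only passes 0..5 */
    break;
  }
}

/* Single iteration of the reproducer: the six calls above, once. */
void loop(void)
{
  execute(6);
}

int main(void)
{
  /* 16 MiB anonymous RW mapping at the fixed address every call pokes into:
   * prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|
   * MAP_ANONYMOUS. Without it every store in execute_call() would fault, so
   * bail out instead of crashing on an unrelated SIGSEGV. */
  long res = syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  if (res == -1)
    return 1;
  loop();
  return 0;
}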