// https://syzkaller.appspot.com/bug?id=702906331957f4cfed2a64192e9bc6bfb668bf58
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

struct csum_inet {
  uint32_t acc;
};

static void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
                             size_t length)
{
  if (length == 0)
    return;
  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];
  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  intptr_t res = 0;
  res = syscall(__NR_socket, 0x10ul, 3ul, 6);
  if (res != -1)
    r[0] = res;
  *(uint64_t*)0x2014f000 = 0;
  *(uint32_t*)0x2014f008 = 0;
  *(uint64_t*)0x2014f010 = 0x200001c0;
  *(uint64_t*)0x200001c0 = 0x20000580;
  memcpy((void*)0x20000580,
         "\xcc\x00\x00\x00\x19\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff"
         "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xfe\x88"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00",
         64);
  *(uint32_t*)0x200005c0 = 0;
  *(uint32_t*)0x200005c4 = 0;
  memcpy((void*)0x200005c8,
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x01\x00\x02\x00\x0c\x00\x0f\x00\x06\x00\x00\x00\x00\x00\x00"
         "\x00\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdc\xa7\xa2\x88"
         "\x31\x05\x87\x55\xd1\x22\x0b\x19\x3a\xda\xa2\x3d\x91\x03\x28\xc0\xf5"
         "\xc8\xf4\x85\x88\x74\x57\xdd\xd3\x39\xa4\x29\x39\xde\x7b\x6f\x20\xa8"
         "\xa0\xab\x91\xb1\x52\x7b\x8a\x48\x7e\xb3\x69\x4f\x61\x2b\x31\x67\x83"
         "\xf1\x6f\x1a\x8f\x03\x7d\x62\x67\x8b\x5f\xdd\x9a\x2d\xb1\xce\xcf\xa4"
         "\xa1\xe7\xdc\x00\x9c\xdf\x2f\x8e\xc9\x52\x1d\x2c\xaa\xdc\x10\xeb\xd7"
         "\xd4\x81\xc2\xc6\xa3\x86\xcb\x6f\x61\xb1\x11\xdb\x62\xd7\x30\xf5\x2d"
         "\x03\xd9\xd7\x80\xe6\x2c\x51\xc5\xfe\x46\xec\x85\x68\xd4\x96\xe3\x7c"
         "\x81\x4f\xa8\xbe\xa6\x09\xc0\x02\x0f\x9f\xcb\x24\x4d\x9f\x91\x43\xfe"
         "\x25\x28\xad\x4b\xde\x0b\x83\x41\x71\xde\xc5\x56\xb3\xd6\x95\x3a\x8c"
         "\x3a\xa1\x25\x80\xfb\x74\x72\xd0\x95\xaf\xbd\xb0\x7d\xc9\xd2\xf7\xab"
         "\x1a\x8d\xa3\x4d\x37\x95\x28\x89\xf4\xc5\xaa\x89\x17\xe8\x6b\xec\x49"
         "\x93\xab\x3a\x20\xbd",
         328);
  *(uint64_t*)0x200001c8 = 0xcc;
  *(uint64_t*)0x2014f018 = 1;
  *(uint64_t*)0x2014f020 = 0;
  *(uint64_t*)0x2014f028 = 0;
  *(uint32_t*)0x2014f030 = 0;
  syscall(__NR_sendmsg, r[0], 0x2014f000ul, 0ul);
  res = syscall(__NR_socket, 2ul, 0xaul, 0);
  if (res != -1)
    r[1] = res;
  *(uint64_t*)0x20000100 = 0;
  *(uint16_t*)0x20000108 = 2;
  *(uint16_t*)0x2000010a = 0;
  *(uint32_t*)0x2000010c = htobe32(0);
  *(uint32_t*)0x20000110 = 3;
  *(uint32_t*)0x20000114 = 0;
  *(uint16_t*)0x20000118 = 6;
  memcpy((void*)0x2000011a, "\x38\x7e\xcd\x35\x77\xf2", 6);
  *(uint16_t*)0x20000128 = 2;
  *(uint16_t*)0x2000012a = htobe16(0x4e24);
  *(uint32_t*)0x2000012c = htobe32(0);
  *(uint16_t*)0x20000138 = 0;
  *(uint16_t*)0x2000013a = 0;
  *(uint64_t*)0x20000140 = 0;
  *(uint64_t*)0x20000148 = 0;
  *(uint16_t*)0x20000150 = 0;
  *(uint64_t*)0x20000158 = 0x20000080;
  memcpy((void*)0x20000080, "bridge_slave_0\000\000", 16);
  *(uint64_t*)0x20000160 = 0xff;
  *(uint64_t*)0x20000168 = 0xecb;
  *(uint16_t*)0x20000170 = 1;
  syscall(__NR_ioctl, r[1], 0x890b, 0x20000100ul);
  memcpy((void*)0x20000080, "/dev/net/tun\000", 13);
  res =
      syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000080ul, 0x88002ul, 0ul);
  if (res != -1)
    r[2] = res;
  memcpy((void*)0x20000300, "syzkaller1\000\000\000\000\000\000", 16);
  *(uint16_t*)0x20000310 = 0x5001;
  syscall(__NR_ioctl, r[2], 0x400454ca, 0x20000300ul);
  res = syscall(__NR_socket, 0x10ul, 3ul, 0);
  if (res != -1)
    r[3] = res;
  memcpy((void*)0x20000140, "syzkaller1\000\000\000\000\000\000", 16);
  *(uint16_t*)0x20000150 = 7;
  *(uint16_t*)0x20000152 = htobe16(0);
  *(uint32_t*)0x20000154 = htobe32(0);
  syscall(__NR_ioctl, r[3], 0x8914, 0x20000140ul);
  *(uint8_t*)0x20000240 = 0;
  *(uint8_t*)0x20000241 = 0;
  *(uint16_t*)0x20000242 = 0;
  *(uint16_t*)0x20000244 = 0;
  *(uint16_t*)0x20000246 = 0;
  *(uint16_t*)0x20000248 = 0;
  STORE_BY_BITMASK(uint8_t, , 0x2000024a, 8, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x2000024a, 4, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x2000024b, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, , 0x2000024b, 0, 2, 6);
  *(uint16_t*)0x2000024c = htobe16(0x2c);
  *(uint16_t*)0x2000024e = htobe16(0);
  *(uint16_t*)0x20000250 = htobe16(0);
  *(uint8_t*)0x20000252 = 0;
  *(uint8_t*)0x20000253 = 0x2f;
  *(uint16_t*)0x20000254 = htobe16(0);
  *(uint8_t*)0x20000256 = 0xac;
  *(uint8_t*)0x20000257 = 0x14;
  *(uint8_t*)0x20000258 = 0x14;
  *(uint8_t*)0x20000259 = 0;
  *(uint8_t*)0x2000025a = 0xac;
  *(uint8_t*)0x2000025b = 0x14;
  *(uint8_t*)0x2000025c = 8;
  *(uint8_t*)0x2000025d = 0xbb;
  *(uint8_t*)0x2000025e = 0xd;
  *(uint8_t*)0x2000025f = 0;
  *(uint16_t*)0x20000260 = htobe16(0);
  *(uint16_t*)0x20000262 = htobe16(0);
  *(uint16_t*)0x20000264 = htobe16(0);
  *(uint32_t*)0x20000266 = htobe32(0);
  *(uint32_t*)0x2000026a = htobe32(0);
  *(uint32_t*)0x2000026e = htobe32(0);
  struct csum_inet csum_1;
  csum_inet_init(&csum_1);
  csum_inet_update(&csum_1, (const uint8_t*)0x2000025e, 20);
  *(uint16_t*)0x20000260 = csum_inet_digest(&csum_1);
  struct csum_inet csum_2;
  csum_inet_init(&csum_2);
  csum_inet_update(&csum_2, (const uint8_t*)0x2000024a, 20);
  *(uint16_t*)0x20000254 = csum_inet_digest(&csum_2);
  syscall(__NR_write, r[2], 0x20000240ul, 0x100cul);
  return 0;
}