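// https://syzkaller.appspot.com/bug?id=4b0e06a6714d9421fac0f2e13ca91140b579fb52
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer: forks a small pool of workers that each re-run one
// fixed syscall sequence (execute_one) in a fresh child until the kernel
// crashes. All scratch data lives in a fixed-address region mapped by main();
// the raw syscall arguments below are the fuzzer's inputs and are preserved
// verbatim, including values the kernel is expected to reject.
//
// _GNU_SOURCE must precede every include (usleep, setpgrp, O_CLOEXEC, __WALL).
#define _GNU_SOURCE

// NOTE(review): the header names were lost when this listing was extracted;
// the list below is reconstructed from the identifiers the code actually uses.
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of the worker process (0..4); set by main() before each fork.
static unsigned long long procid;

// Sleep for the given number of milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is unusable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Format `what` with printf-style arguments and write the result to `file`
// in one write(2). The formatted text is capped at 1023 bytes.
// Returns true on a complete write, false otherwise (errno is preserved from
// the failing write even though the descriptor is closed before returning).
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  size_t len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != (ssize_t)len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Open a device node.
//   a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
//                    read-write (a1, a2 truncated to 8 bits).
//   otherwise:       a0 is a pointer to a path template; every '#' is
//                    replaced by one decimal digit of a1, least significant
//                    digit first in left-to-right order, and the path is
//                    opened with flags a2 (O_CREAT always masked off).
// Returns the descriptor from open(2), or -1 with errno set.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    // Bounded format: the longest result is well under 128 bytes.
    snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    unsigned long nb = a1;
    char buf[1024];
    char* hash;
    // strncpy does not guarantee termination; the explicit NUL below does.
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(nb % 10);
      nb /= 10;
    }
    // Never create files, whatever the fuzzer passed in a2.
    return open(buf, a2 & ~O_CREAT, 0);
  }
}

// Kill the test child `pid` (and its process group) and reap it into *status.
// If the child does not die within ~100 ms it may be blocked inside a FUSE
// request, so every connection under /sys/fs/fuse/connections is aborted
// before blocking in waitpid() until the child is finally reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      // Named abort_path rather than `abort` so it does not shadow abort(3).
      char abort_path[300];
      snprintf(abort_path, sizeof(abort_path),
               "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort_path, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Any single byte written to the abort file is enough; the path buffer
      // is simply reused as the byte source. Failure is best-effort.
      if (write(fd, abort_path, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup: die with the parent, own a process group (so the whole
// group can be killed at once), and make this child the OOM killer's first
// choice. The oom_score_adj write is best-effort.
static void setup_test(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Worker loop (never returns): fork a child that runs execute_one() once,
// poll for its exit every 10 ms, and kill it after a 5 s timeout.
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Syscall results threaded between calls: r[0] = our pid, r[1] = the vcs fd.
// r[1] starts as -1 so the final write() targets an invalid fd if open fails.
uint64_t r[2] = {0x0, 0xffffffffffffffff};

// The reproducer body. Every 0x2000000xxxxx address is inside the 16 MiB
// RWX region mapped by main(); this function must only run after that
// mapping exists or the raw stores below fault. Linkage is internal via the
// earlier `static` declaration.
void execute_one(void)
{
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // ioctl$KVM_CREATE_IRQCHIP: fd = -1 (no VM), cmd = 0xae60.
  syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xae60, 0);

  // prlimit64(pid=0, RLIMIT_RTPRIO, new={soft=8, hard=0x8b}, old=NULL).
  // Presumably raises the rt-priority limit so the sched_setscheduler calls
  // below can succeed for an unprivileged process.
  *(uint64_t*)0x200000000140 = 8;
  *(uint64_t*)0x200000000148 = 0x8b;
  syscall(__NR_prlimit64, /*pid=*/0, /*res=RLIMIT_RTPRIO*/ 0xeul,
          /*new=*/0x200000000140ul, /*old=*/0ul);

  // sched_setscheduler(pid=0, SCHED_FIFO, &{priority=7}).
  *(uint32_t*)0x200000000080 = 7;
  syscall(__NR_sched_setscheduler, /*pid=*/0, /*policy=SCHED_FIFO*/ 1ul,
          /*prio=*/0x200000000080ul);

  // getpid() -> r[0].
  res = syscall(__NR_getpid);
  if (res != -1)
    r[0] = res;

  // sched_setscheduler(pid=r[0], SCHED_RR, &{priority=6}).
  *(uint32_t*)0x200000000200 = 6;
  syscall(__NR_sched_setscheduler, /*pid=*/r[0], /*policy=SCHED_RR*/ 2ul,
          /*prio=*/0x200000000200ul);

  // mmap(addr=0x200000000000, len=0xb36000, prot=0xb635773f06ebbeee,
  //      flags=MAP_POPULATE|MAP_FIXED|MAP_ANONYMOUS|MAP_SHARED, fd=-1, off=0).
  // The prot value carries undefined bits on purpose (fuzzer input); it is
  // kept exactly as generated.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
          /*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE|PROT_EXEC|0xb635773f04ebbee0*/
          0xb635773f06ebbeeeul,
          /*flags=MAP_POPULATE|MAP_FIXED|MAP_ANONYMOUS|MAP_SHARED*/ 0x8031ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  // socketpair(AF_UNIX, SOCK_DGRAM, 0, fds=NULL).
  syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_DGRAM*/ 2ul,
          /*proto=*/0, /*fds=*/0ul);

  // connect(fd=-1, addr=NULL, addrlen=0).
  syscall(__NR_connect, /*fd=*/(intptr_t)-1, /*addr=*/0ul, /*addrlen=*/0ul);

  // sendmmsg(fd=-1, mmsg=0x200000000000 (empty array), vlen=0x651, flags=0).
  syscall(__NR_sendmmsg, /*fd=*/(intptr_t)-1, /*mmsg=*/0x200000000000ul,
          /*vlen=*/0x651ul, /*f=*/0ul);

  // recvmmsg(fd=-1, mmsg=0x2000000000c0 (empty array), vlen=0x10106,
  //          flags=MSG_PEEK, timeout=NULL).
  syscall(__NR_recvmmsg, /*fd=*/(intptr_t)-1, /*mmsg=*/0x2000000000c0ul,
          /*vlen=*/0x10106ul, /*f=MSG_PEEK*/ 2ul, /*timeout=*/0ul);

  // syz_open_dev$vcsn: open "/dev/vcs#" with '#' -> 1 and
  // flags O_SYNC|O_NOATIME|O_WRONLY (0x141001); result -> r[1].
  memcpy((void*)0x200000000700, "/dev/vcs#\000", 10);
  res = syz_open_dev(/*dev=*/0x200000000700, /*id=*/1,
                     /*flags=O_SYNC|O_NOATIME|O_WRONLY*/ 0x141001);
  if (res != -1)
    r[1] = res;

  // write(fd=r[1], buf=0x200000000a80, count=0x273): 627 bytes of fuzzer
  // payload copied into the scratch region and written to the vcs device.
  memcpy(
      (void*)0x200000000a80,
      "\x56\x05\x56\xb3\xe3\x48\x31\x99\xa4\x1b\x59\x15\xd0\xf1\x46\x31\x6e\x34"
      "\xfc\x0c\xf2\x21\x59\xb7\xd6\x1d\xe0\xb1\xba\xe7\xa3\xbb\xe3\x71\x64\x93"
      "\xe4\x38\xca\xc1\x84\x3d\x8c\x66\xaa\xa0\x89\xcb\x35\xf1\x08\x93\x62\x14"
      "\x15\x36\x65\xe3\xca\x39\x2f\xf7\x67\x1b\xc0\xd4\x60\xf5\xde\x57\x1a\xbb"
      "\x49\x5c\xb6\x81\x90\x48\x12\x3f\xd4\x06\x36\xea\x00\x71\x2f\x16\x7d\x14"
      "\x8c\x95\x8c\x2d\x3c\x5e\x93\x1c\x37\xec\x54\x65\x03\x8f\xf3\xb9\x06\x80"
      "\x81\x70\x55\x22\xd1\xb0\x36\xc3\x6d\x00\x97\x36\xe2\xc5\xbe\x87\x0c\xdc"
      "\x4f\xaa\x44\xa0\xa9\xec\x70\x5a\xb9\x2b\xa3\xe0\x99\x43\x17\x6b\xc8\x71"
      "\x85\xf4\x9f\x37\x10\x04\x75\x11\x6f\xab\x99\x5b\x8d\xbb\xfb\x21\x85\xe6"
      "\x5c\xb2\x78\xbb\x67\xe3\x00\xa0\xaf\x80\xbf\x48\x39\x7d\x0c\x52\x0f\xcc"
      "\x23\x9d\xed\x56\x4c\x35\x9b\x12\x10\x15\x8b\xd8\xd8\x58\x31\xa1\x08\x3e"
      "\xb9\x28\x52\x80\xa6\x66\x1e\x61\xa5\xfb\xed\xfb\xef\x6c\x9b\x0e\xdf\x9c"
      "\x4e\xbc\x7f\x6d\x05\xd2\x6a\xeb\x3f\x18\xd8\x6d\x2d\x2e\x20\x48\x33\xe4"
      "\xf9\x78\xb8\x7d\x2d\x5c\x19\x93\x7e\x77\x40\x6b\x4f\x0e\xa2\x22\x2b\x18"
      "\x17\x51\xa6\x32\x61\x4c\x16\xeb\x9a\x5a\x8f\x30\xaa\x0e\x54\xcb\xba\x5f"
      "\xa8\xf8\x56\xa1\x43\x44\xc1\xc0\xe0\x63\xcb\x9f\xad\x61\xe5\x21\xde\x33"
      "\x8f\xcb\x9b\x7d\x8d\x9f\xdf\xad\x43\xc8\xef\x54\xe4\x12\xff\xd8\x84\xa0"
      "\x20\x83\x75\x9c\x79\x1d\x9d\x9a\xc6\xc1\x14\xb0\x4c\x5b\x81\x90\x52\x0e"
      "\x13\xbc\xa9\x68\xda\xa0\x02\x2e\xc2\x18\x03\x43\xb2\xc8\x03\xa4\xe1\x02"
      "\x7c\xc6\xd3\x64\x78\x3f\x64\x39\xec\x8e\x4d\xb6\x1c\xef\x12\x47\x2a\x34"
      "\x3a\x1d\x2d\xf0\x2e\x20\x5c\x7f\x1d\xb4\xde\xfa\xdb\x76\x44\xa8\x66\xad"
      "\xaa\x9c\x54\xee\xde\x9f\x83\x0b\xfe\x81\xfa\x52\x5e\xcc\xae\xb2\xef\x54"
      "\x9f\x7f\x21\x53\x6a\x48\x52\xbd\x6d\x93\x7a\xce\x25\x64\x1f\x33\x07\x56"
      "\xaf\x01\x52\x78\x20\x2e\x8e\x99\x52\x3a\x5a\xc5\x66\x77\x39\xff\xd5\x40"
      "\xa0\x0a\x9e\xbf\x56\x43\x17\xf8\x3d\xdd\xb8\x05\x13\x11\xf8\x42\xce\x8e"
      "\x07\x83\x04\x28\x6c\xc5\x84\x60\xfe\xb5\xff\xe3\x0f\xbb\x99\x74\x97\x65"
      "\xf1\x7c\xf3\x1e\x08\x7b\x5f\xdc\x83\xb5\xec\xfd\x07\xab\x3a\xe4\x59\x17"
      "\x74\x90\xa7\x13\xe9\x57\x06\x30\x4b\x38\x6d\x0c\x2a\x9f\xdb\xfb\x64\x85"
      "\x70\x81\x1a\x64\xa5\x19\xc4\x8a\x27\x7d\x7b\x0b\x8b\xb2\x62\x66\xa2\xf8"
      "\x1a\xd9\x53\xb1\x7a\x96\x09\x8f\xdc\x5b\x90\x72\xf7\x10\x10\xa5\x6e\x71"
      "\x9e\x34\x7e\x45\x2f\xfe\xc0\x42\xa7\x33\x4a\x2e\x0c\xd1\x7b\x63\xca\x81"
      "\xa9\x84\x72\x75\x2f\x0b\xdc\xda\x0c\x70\xe6\xc5\x00\xb1\x6e\x2e\x7b\x6c"
      "\xf0\x12\x59\xca\x6a\x46\x82\x1a\xdd\xfd\x88\x51\x79\xf3\x44\x0e\x44\xb1"
      "\x4c\x94\x9b\xd8\x96\xa9\xc1\xf6\x04\xda\x02\x7f\xbb\x5b\x43\x93\x09\x49"
      "\x74\x21\xfc\x00\xb0\xd4\x24\xd6\x7d\xa9\x81\x59\xf1\x07\x9d",
      627);
  syscall(__NR_write, /*fd=*/r[1], /*buf=*/0x200000000a80ul,
          /*count=*/0x273ul);
}

// Entry point: map the scratch region used by execute_one() — a 16 MiB RWX
// area at 0x200000000000 with a PROT_NONE guard page on each side — then
// start five workers and park the parent indefinitely.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Each worker inherits the mappings above and never returns from loop().
  for (procid = 0; procid < 5; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}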