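// https://syzkaller.appspot.com/bug?id=3c1f47967b7cbd399d3ba3e65f297a29aa1c5f92
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the bug linked above.  It opens /dev/sg0, write()s a
// 0x90-byte request block to it and then readv()s the reply into four
// scratch buffers.  Everything lives in a fixed anonymous mapping at
// 0x20000000 that main() creates first; the program is Linux-only (raw
// __NR_* syscall numbers, numeric mmap/open flags) and is intended for a
// disposable test kernel, since the write/readv pair is what triggers the
// kernel-side bug.
#define _GNU_SOURCE
// NOTE(review): the header names were missing from the copy reviewed; this
// list is reconstructed from the identifiers the code actually uses
// (open/O_RDWR, uint*_t, snprintf, memcpy/strchr, syscall, __NR_*).
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Opens a device node and returns the open(2) result (fd, or -1 on error,
// widened to uintptr_t).
//
//  a0 == 0xc or 0xb : open "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>"
//                     O_RDWR; major/minor are truncated to 8 bits, as in
//                     the generated original.
//  otherwise        : a0 is a pointer to a NUL-terminated path template.
//                     Every '#' in it is replaced by the next decimal digit
//                     of a1 (least significant digit first) and the result
//                     is opened with flags a2.
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    char buf[1024];

    if (a0 == 0xc || a0 == 0xb) {
        // Both %d operands are at most 255, so this can never truncate.
        snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
                 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    }

    // snprintf truncates to sizeof buf - 1 and always NUL-terminates, which
    // is exactly what the original strncpy + manual terminator achieved.
    snprintf(buf, sizeof buf, "%s", (const char *)a0);

    char *hash;
    while ((hash = strchr(buf, '#')) != NULL) {
        *hash = (char)('0' + a1 % 10);
        a1 /= 10;
    }
    return open(buf, (int)a2, 0);
}

// r[0]: fd of the sg device; stays all-ones (i.e. -1) if the open fails.
uint64_t r[1] = {0xffffffffffffffff};

// Issues the write()/readv() pair on /dev/sg0.  All addresses below are
// inside the scratch mapping set up by main().
void loop(void)
{
    long res;

    // Path template "/dev/sg#" (9 bytes includes the NUL); a1 = 0 turns the
    // '#' into '0'.  Flags 2 is O_RDWR on Linux.
    memcpy((void *)0x20001000, "/dev/sg#", 9);
    res = syz_open_dev(0x20001000, 0, 2);
    // A failed open leaves r[0] at -1; the syscalls below then simply fail
    // with EBADF, which is syzkaller's intended best-effort behaviour.
    if (res != -1)
        r[0] = res;

    // Request block: 0x90 bytes starting at 0x200008c0.  The layout is the
    // driver's, not recoverable from this file; the fields are written
    // byte-for-byte as generated.  The 64-bit store at 0x200008e4 is a
    // pointer into the scratch region, so the record at 0x20000240 is
    // reachable from the request.
    *(uint8_t *)0x200008c0 = 0x40;
    *(uint8_t *)0x200008c1 = 6;
    *(uint8_t *)0x200008c2 = -1;
    *(uint8_t *)0x200008c3 = 2;
    *(uint64_t *)0x200008c8 = 0;
    *(uint64_t *)0x200008d0 = 0;
    *(uint8_t *)0x200008d8 = 7;
    *(uint8_t *)0x200008d9 = 0x20;
    *(uint8_t *)0x200008da = 7;
    *(uint8_t *)0x200008db = 2;
    *(uint8_t *)0x200008e0 = 0;
    *(uint8_t *)0x200008e1 = 0;
    *(uint16_t *)0x200008e2 = 2;
    *(uint64_t *)0x200008e4 = 0x20000240;

    // Record referenced from the request (0x20000240..).
    *(uint8_t *)0x20000240 = 0;
    *(uint8_t *)0x20000241 = 0;
    *(uint8_t *)0x20000242 = 0x1d;
    *(uint8_t *)0x20000243 = 1;
    *(uint32_t *)0x20000248 = 0;
    *(uint8_t *)0x20000258 = 7;
    *(uint8_t *)0x20000259 = 0x65;
    *(uint8_t *)0x2000025a = 0;
    *(uint8_t *)0x2000025b = 1;
    *(uint32_t *)0x20000260 = 3;
    *(uint32_t *)0x20000264 = 0x39;

    // Remainder of the request block.
    *(uint8_t *)0x200008f0 = 0;
    *(uint8_t *)0x200008f1 = 1;
    *(uint8_t *)0x200008f2 = 5;
    *(uint8_t *)0x200008f3 = 1;
    *(uint32_t *)0x200008f8 = 0xffffffdd;
    *(uint8_t *)0x20000908 = 1;
    *(uint8_t *)0x20000909 = 7;
    *(uint8_t *)0x2000090a = 9;
    *(uint8_t *)0x2000090b = 0x9b;
    // 12 opaque payload bytes, copied verbatim from the generator.
    memcpy((void *)0x20000910,
           "\x39\x14\x40\x22\x22\x17\xfe\xa8\xd1\x86\x31\xf4", 12);
    *(uint8_t *)0x20000920 = 4;
    *(uint8_t *)0x20000921 = 1;
    *(uint8_t *)0x20000922 = 7;
    *(uint8_t *)0x20000923 = 3;
    *(uint32_t *)0x20000928 = 0x100;
    *(uint8_t *)0x20000938 = 1;
    *(uint8_t *)0x20000939 = 0x3f;
    *(uint8_t *)0x2000093a = 9;
    *(uint8_t *)0x2000093b = 5;
    *(uint8_t *)0x20000940 = 3;
    *(uint32_t *)0x20000944 = 0xdaeb;
    *(uint32_t *)0x20000948 = 0x3f;

    // Submit the request.  Return values are deliberately not checked: the
    // reproducer only needs the kernel to see the sequence.
    syscall(__NR_write, r[0], 0x200008c0, 0x90);

    // Four (base, len) pairs at 0x200003c0 -- an iovec array on a 64-bit
    // target -- receiving the reply: 0xf, 0xdc, 0xc6 and 0xf8 bytes.
    *(uint64_t *)0x200003c0 = 0x20000340;
    *(uint64_t *)0x200003c8 = 0xf;
    *(uint64_t *)0x200003d0 = 0x20000600;
    *(uint64_t *)0x200003d8 = 0xdc;
    *(uint64_t *)0x200003e0 = 0x20000700;
    *(uint64_t *)0x200003e8 = 0xc6;
    *(uint64_t *)0x200003f0 = 0x200009c0;
    *(uint64_t *)0x200003f8 = 0xf8;
    syscall(__NR_readv, r[0], 0x200003c0, 4);
}

int main(void)
{
    // Back the fixed scratch addresses used by loop() with a 16 MiB anonymous
    // mapping at 0x20000000: prot 3 = PROT_READ|PROT_WRITE and flags 0x32 =
    // MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (x86-64 Linux values).  The
    // generated code ignored the result; if the mapping fails every store in
    // loop() would fault, so exit instead of crashing with SIGSEGV.
    if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
        return 1;
    }
    loop();
    return 0;
}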