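// https://syzkaller.appspot.com/bug?id=bff61d87129afb198021fa0a2d4d09706a14ada8
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It deliberately feeds a 5-entry sendmmsg() vector of
// hand-built, partly malformed headers/cmsgs to a raw-protocol (0x84) socket
// and races that against listen()/accept() from other threads. Run it only in
// a disposable VM: a successful reproduction is expected to crash or wedge the
// kernel. Every constant below is a recorded fuzzer input; do not "tidy" the
// values, the overlapping writes, or the thread timing, they are the test case.

#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Syscall results, indexed by syzkaller's program-slot number (hence the sparse
// indices 0, 1, 276, 277, 279). loop() pre-fills it with -1, so if the socket()
// thread has not run yet the later threads simply operate on fd -1 (EBADF).
// Shared between threads without any synchronization: this is a racy program
// by design.
long r[280];

// Thread body. `arg` selects which step of the recorded program this thread
// executes; each step is one syscall plus the raw memory writes that build its
// arguments. All absolute addresses fall inside the region mapped by step 0
// (0x20000000 .. 0x20fff000), which must therefore have happened first;
// the only ordering is loop()'s random usleep(), so a late step 0 makes the
// other steps fault on unmapped memory instead of reproducing the bug.
void* thr(void* arg)
{
    switch ((long)arg) {
    case 0:
        // 0x32 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, rw, 0xfff000 bytes at
        // 0x20000000: the scratch area every raw address below points into.
        r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 1:
        // socket(AF_INET, type, 0x84). The type argument is an int in the
        // kernel, so 0x800000000001 is truncated to 1 (SOCK_STREAM); the high
        // bits are fuzzer noise. Protocol 0x84 == 132 (IPPROTO_SCTP on Linux,
        // consistent with the cmsg level 0x84 used below).
        r[1] = syscall(__NR_socket, 0x2ul, 0x800000000001ul, 0x84ul);
        break;
    case 2:
        // --- mmsghdr vector at 0x20f44000 (5 entries, see sendmmsg below) ---
        // Field order per entry: msg_name, msg_namelen, msg_iov, msg_iovlen,
        // msg_control, msg_controllen, msg_flags.
        // NOTE(review): successive entries are written 0x38 bytes apart, i.e.
        // sizeof(struct msghdr), whereas the kernel steps through the vector in
        // sizeof(struct mmsghdr) == 0x40 units on x86-64. Entries 2..5 as the
        // kernel sees them are therefore not the ones laid out here. That
        // mismatch is part of the recorded input; keep it.
        *(uint64_t*)0x20f44000 = (uint64_t)0x20ffcfe4;
        *(uint32_t*)0x20f44008 = (uint32_t)0x1c;
        *(uint64_t*)0x20f44010 = (uint64_t)0x200fbfb0;
        *(uint64_t*)0x20f44018 = (uint64_t)0x5;
        *(uint64_t*)0x20f44020 = (uint64_t)0x20000000;
        *(uint64_t*)0x20f44028 = (uint64_t)0x0;
        *(uint32_t*)0x20f44030 = (uint32_t)0x80;
        *(uint64_t*)0x20f44038 = (uint64_t)0x20ffc000;
        *(uint32_t*)0x20f44040 = (uint32_t)0x1c;
        *(uint64_t*)0x20f44048 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x20f44050 = (uint64_t)0x8;
        *(uint64_t*)0x20f44058 = (uint64_t)0x20ffce80;
        *(uint64_t*)0x20f44060 = (uint64_t)0x8;
        *(uint32_t*)0x20f44068 = (uint32_t)0x20000000;
        *(uint64_t*)0x20f44070 = (uint64_t)0x2055dff0;
        *(uint32_t*)0x20f44078 = (uint32_t)0x10;
        *(uint64_t*)0x20f44080 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x20f44088 = (uint64_t)0x2;
        *(uint64_t*)0x20f44090 = (uint64_t)0x20763000;
        *(uint64_t*)0x20f44098 = (uint64_t)0x3;
        *(uint32_t*)0x20f440a0 = (uint32_t)0x804;
        *(uint64_t*)0x20f440a8 = (uint64_t)0x20ffcfe4;
        *(uint32_t*)0x20f440b0 = (uint32_t)0x1c;
        *(uint64_t*)0x20f440b8 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x20f440c0 = (uint64_t)0xa;
        *(uint64_t*)0x20f440c8 = (uint64_t)0x20000000;
        *(uint64_t*)0x20f440d0 = (uint64_t)0x0;
        *(uint32_t*)0x20f440d8 = (uint32_t)0x800;
        *(uint64_t*)0x20f440e0 = (uint64_t)0x20ffcff0;
        *(uint32_t*)0x20f440e8 = (uint32_t)0x10;
        *(uint64_t*)0x20f440f0 = (uint64_t)0x20ffcfa0;
        *(uint64_t*)0x20f440f8 = (uint64_t)0x6;
        *(uint64_t*)0x20f44100 = (uint64_t)0x20ffcfd0;
        *(uint64_t*)0x20f44108 = (uint64_t)0x1;
        *(uint32_t*)0x20f44110 = (uint32_t)0x4015;

        // --- msg_name of entry 1: 28-byte sockaddr, family 0xa (AF_INET6) ---
        // This address is rewritten later in this step; the last write wins.
        *(uint16_t*)0x20ffcfe4 = (uint16_t)0xa;
        *(uint16_t*)0x20ffcfe6 = (uint16_t)0x224e;
        *(uint32_t*)0x20ffcfe8 = (uint32_t)0x4;
        *(uint8_t*)0x20ffcfec = (uint8_t)0x0;
        *(uint8_t*)0x20ffcfed = (uint8_t)0x0;
        *(uint8_t*)0x20ffcfee = (uint8_t)0x0;
        *(uint8_t*)0x20ffcfef = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff0 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff1 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff2 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff3 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff4 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff5 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff6 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff7 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff8 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff9 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffa = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffb = (uint8_t)0x0;
        *(uint32_t*)0x20ffcffc = (uint32_t)0x800;

        // --- msg_iov of entry 1: 5 iovecs (base, len) at 0x200fbfb0 ---
        // Only the last iovec carries data (48 bytes at 0x203b0000); the
        // others have length 0.
        *(uint64_t*)0x200fbfb0 = (uint64_t)0x20163000;
        *(uint64_t*)0x200fbfb8 = (uint64_t)0x0;
        *(uint64_t*)0x200fbfc0 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x200fbfc8 = (uint64_t)0x0;
        *(uint64_t*)0x200fbfd0 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x200fbfd8 = (uint64_t)0x0;
        *(uint64_t*)0x200fbfe0 = (uint64_t)0x20ffcfd1;
        *(uint64_t*)0x200fbfe8 = (uint64_t)0x0;
        *(uint64_t*)0x200fbff0 = (uint64_t)0x203b0000;
        *(uint64_t*)0x200fbff8 = (uint64_t)0x30;
        // Opaque 48-byte payload as recorded by the fuzzer.
        memcpy((void*)0x203b0000,
               "\x0c\x57\x81\x0e\xd8\x68\x73\x98\x5c\xff"
               "\xc4\x0e\x1e\x84\xdb\x64\x8a\xab\x1e\xeb"
               "\x85\x3d\x92\xa5\xa6\x98\xd2\xbf\x69\xf2"
               "\x3e\xee\xd6\xd5\x0a\xed\xdc\xf7\x93\xc9"
               "\xef\x5c\x5e\x10\xf1\xb6\xc0\x42",
               48);

        // --- 0x20ffc000: referenced as msg_name AND msg_iov by several
        // entries. It is written as a sockaddr first, then repeatedly
        // overwritten as iovec arrays below; the final contents are what the
        // kernel reads. ---
        *(uint16_t*)0x20ffc000 = (uint16_t)0xa;
        *(uint16_t*)0x20ffc002 = (uint16_t)0x224e;
        *(uint32_t*)0x20ffc004 = (uint32_t)0xe2;
        *(uint8_t*)0x20ffc008 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc009 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc00a = (uint8_t)0x0;
        *(uint8_t*)0x20ffc00b = (uint8_t)0x0;
        *(uint8_t*)0x20ffc00c = (uint8_t)0x0;
        *(uint8_t*)0x20ffc00d = (uint8_t)0x0;
        *(uint8_t*)0x20ffc00e = (uint8_t)0x0;
        *(uint8_t*)0x20ffc00f = (uint8_t)0x0;
        *(uint8_t*)0x20ffc010 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc011 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc012 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc013 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc014 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc015 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc016 = (uint8_t)0x0;
        *(uint8_t*)0x20ffc017 = (uint8_t)0x0;
        *(uint32_t*)0x20ffc018 = (uint32_t)0x3;
        // Overwrite #1: 8 zero-length iovecs.
        *(uint64_t*)0x20ffc000 = (uint64_t)0x20c95f56;
        *(uint64_t*)0x20ffc008 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc010 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x20ffc018 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc020 = (uint64_t)0x20ffcf88;
        *(uint64_t*)0x20ffc028 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc030 = (uint64_t)0x20004f33;
        *(uint64_t*)0x20ffc038 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc040 = (uint64_t)0x20ffcf5e;
        *(uint64_t*)0x20ffc048 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc050 = (uint64_t)0x20e84fc1;
        *(uint64_t*)0x20ffc058 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc060 = (uint64_t)0x20e5f000;
        *(uint64_t*)0x20ffc068 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc070 = (uint64_t)0x20cfcf11;
        *(uint64_t*)0x20ffc078 = (uint64_t)0x0;

        // --- msg_control of entry 2 at 0x20ffce80 (msg_controllen is only 8,
        // so the kernel sees far less than is written). Each record is
        // cmsg_len (u64), cmsg_level 0x84, cmsg_type, then payload. ---
        *(uint64_t*)0x20ffce80 = (uint64_t)0x20;
        *(uint32_t*)0x20ffce88 = (uint32_t)0x84;
        *(uint32_t*)0x20ffce8c = (uint32_t)0x2;
        *(uint16_t*)0x20ffce90 = (uint16_t)0x6;
        *(uint16_t*)0x20ffce92 = (uint16_t)0x2;
        *(uint32_t*)0x20ffce94 = (uint32_t)0x5;
        *(uint32_t*)0x20ffce98 = (uint32_t)0x80000001;
        *(uint32_t*)0x20ffce9c = (uint32_t)0x0;
        *(uint64_t*)0x20ffceb0 = (uint64_t)0x30;
        *(uint32_t*)0x20ffceb8 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcebc = (uint32_t)0x1;
        *(uint16_t*)0x20ffcec0 = (uint16_t)0x7;
        *(uint16_t*)0x20ffcec2 = (uint16_t)0x100;
        *(uint16_t*)0x20ffcec4 = (uint16_t)0x2;
        *(uint32_t*)0x20ffcec8 = (uint32_t)0x9;
        *(uint32_t*)0x20ffcecc = (uint32_t)0xff;
        // Recorded as a 64-bit literal; the store truncates it to 0xfffffeff.
        *(uint32_t*)0x20ffced0 = (uint32_t)0xfffffffffffffeff;
        *(uint32_t*)0x20ffced4 = (uint32_t)0x6;
        *(uint32_t*)0x20ffced8 = (uint32_t)0x0;
        *(uint32_t*)0x20ffcedc = (uint32_t)0x0;
        *(uint64_t*)0x20ffcee0 = (uint64_t)0x18;
        *(uint32_t*)0x20ffcee8 = (uint32_t)0x84;
        *(uint32_t*)0x20ffceec = (uint32_t)0x0;
        *(uint16_t*)0x20ffcef0 = (uint16_t)0x1ff;
        *(uint16_t*)0x20ffcef2 = (uint16_t)0x5eac;
        *(uint16_t*)0x20ffcef4 = (uint16_t)0x1;
        *(uint16_t*)0x20ffcef6 = (uint16_t)0x1ff;
        *(uint64_t*)0x20ffcf10 = (uint64_t)0x18;
        *(uint32_t*)0x20ffcf18 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcf1c = (uint32_t)0x0;
        // Truncates to 0 in the 16-bit store.
        *(uint16_t*)0x20ffcf20 = (uint16_t)0x100000000;
        *(uint16_t*)0x20ffcf22 = (uint16_t)0x1ff;
        *(uint16_t*)0x20ffcf24 = (uint16_t)0x8f0;
        *(uint16_t*)0x20ffcf26 = (uint16_t)0x6;
        *(uint64_t*)0x20ffcf40 = (uint64_t)0x30;
        *(uint32_t*)0x20ffcf48 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcf4c = (uint32_t)0x1;
        *(uint16_t*)0x20ffcf50 = (uint16_t)0x6;
        *(uint16_t*)0x20ffcf52 = (uint16_t)0xa6;
        *(uint16_t*)0x20ffcf54 = (uint16_t)0x4;
        *(uint32_t*)0x20ffcf58 = (uint32_t)0x7ff;
        *(uint32_t*)0x20ffcf5c = (uint32_t)0xc1;
        *(uint32_t*)0x20ffcf60 = (uint32_t)0x7;
        *(uint32_t*)0x20ffcf64 = (uint32_t)0x927;
        *(uint32_t*)0x20ffcf68 = (uint32_t)0x81;
        *(uint32_t*)0x20ffcf6c = (uint32_t)0x0;
        *(uint64_t*)0x20ffcf70 = (uint64_t)0x20;
        *(uint32_t*)0x20ffcf78 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcf7c = (uint32_t)0x2;
        *(uint16_t*)0x20ffcf80 = (uint16_t)0x8;
        *(uint16_t*)0x20ffcf82 = (uint16_t)0xa;
        *(uint32_t*)0x20ffcf84 = (uint32_t)0x1;
        *(uint32_t*)0x20ffcf88 = (uint32_t)0x1;
        *(uint32_t*)0x20ffcf8c = (uint32_t)0x0;
        // These cmsgs at 0x20ffcfa0.. / 0x20ffcfd0.. are overwritten again
        // further down (iovec array, then another cmsg).
        *(uint64_t*)0x20ffcfa0 = (uint64_t)0x20;
        *(uint32_t*)0x20ffcfa8 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcfac = (uint32_t)0x2;
        *(uint16_t*)0x20ffcfb0 = (uint16_t)0x2;
        *(uint16_t*)0x20ffcfb2 = (uint16_t)0x820a;
        *(uint32_t*)0x20ffcfb4 = (uint32_t)0x1;
        *(uint32_t*)0x20ffcfb8 = (uint32_t)0x3;
        *(uint32_t*)0x20ffcfbc = (uint32_t)0x0;
        *(uint64_t*)0x20ffcfd0 = (uint64_t)0x18;
        *(uint32_t*)0x20ffcfd8 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcfdc = (uint32_t)0x0;
        *(uint16_t*)0x20ffcfe0 = (uint16_t)0x40;
        *(uint16_t*)0x20ffcfe2 = (uint16_t)0x0;
        *(uint16_t*)0x20ffcfe4 = (uint16_t)0x6;
        *(uint16_t*)0x20ffcfe6 = (uint16_t)0x7;

        // --- msg_name of entry 3 at 0x2055dff0: 16-byte sockaddr, family 2
        // (AF_INET), port bytes 4e 20 (20000 in network order), address
        // bytes ac 14 00 aa (172.20.0.170). ---
        *(uint16_t*)0x2055dff0 = (uint16_t)0x2;
        *(uint16_t*)0x2055dff2 = (uint16_t)0x204e;
        *(uint8_t*)0x2055dff4 = (uint8_t)0xac;
        *(uint8_t*)0x2055dff5 = (uint8_t)0x14;
        *(uint8_t*)0x2055dff6 = (uint8_t)0x0;
        *(uint8_t*)0x2055dff7 = (uint8_t)0xaa;
        *(uint8_t*)0x2055dff8 = (uint8_t)0x0;
        *(uint8_t*)0x2055dff9 = (uint8_t)0x0;
        *(uint8_t*)0x2055dffa = (uint8_t)0x0;
        *(uint8_t*)0x2055dffb = (uint8_t)0x0;
        *(uint8_t*)0x2055dffc = (uint8_t)0x0;
        *(uint8_t*)0x2055dffd = (uint8_t)0x0;
        *(uint8_t*)0x2055dffe = (uint8_t)0x0;
        *(uint8_t*)0x2055dfff = (uint8_t)0x0;

        // Overwrite #2 of 0x20ffc000: 2 zero-length iovecs.
        *(uint64_t*)0x20ffc000 = (uint64_t)0x20a0ffa9;
        *(uint64_t*)0x20ffc008 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc010 = (uint64_t)0x2016d000;
        *(uint64_t*)0x20ffc018 = (uint64_t)0x0;

        // --- msg_control of entry 3 at 0x20763000 (msg_controllen 3) ---
        *(uint64_t*)0x20763000 = (uint64_t)0x30;
        *(uint32_t*)0x20763008 = (uint32_t)0x84;
        *(uint32_t*)0x2076300c = (uint32_t)0x1;
        // Truncates to 1 in the 16-bit store.
        *(uint16_t*)0x20763010 = (uint16_t)0x80000001;
        *(uint16_t*)0x20763012 = (uint16_t)0x2;
        *(uint16_t*)0x20763014 = (uint16_t)0x8006;
        *(uint32_t*)0x20763018 = (uint32_t)0x101;
        *(uint32_t*)0x2076301c = (uint32_t)0x6;
        *(uint32_t*)0x20763020 = (uint32_t)0x5c;
        *(uint32_t*)0x20763024 = (uint32_t)0xa24;
        *(uint32_t*)0x20763028 = (uint32_t)0x3;
        *(uint32_t*)0x2076302c = (uint32_t)0x0;
        *(uint64_t*)0x20763030 = (uint64_t)0x20;
        *(uint32_t*)0x20763038 = (uint32_t)0x84;
        *(uint32_t*)0x2076303c = (uint32_t)0x2;
        *(uint16_t*)0x20763040 = (uint16_t)0x3;
        *(uint16_t*)0x20763042 = (uint16_t)0x8;
        *(uint32_t*)0x20763044 = (uint32_t)0x8;
        *(uint32_t*)0x20763048 = (uint32_t)0x5;
        *(uint32_t*)0x2076304c = (uint32_t)0x0;
        *(uint64_t*)0x20763060 = (uint64_t)0x20;
        *(uint32_t*)0x20763068 = (uint32_t)0x84;
        *(uint32_t*)0x2076306c = (uint32_t)0x2;
        *(uint16_t*)0x20763070 = (uint16_t)0x1;
        *(uint16_t*)0x20763072 = (uint16_t)0x800a;
        *(uint32_t*)0x20763074 = (uint32_t)0x6;
        *(uint32_t*)0x20763078 = (uint32_t)0x401;
        *(uint32_t*)0x2076307c = (uint32_t)0x0;

        // --- msg_name of entry 4 (0x20ffcfe4) rewritten: family 0xa again ---
        *(uint16_t*)0x20ffcfe4 = (uint16_t)0xa;
        *(uint16_t*)0x20ffcfe6 = (uint16_t)0x214e;
        *(uint32_t*)0x20ffcfe8 = (uint32_t)0x2;
        *(uint64_t*)0x20ffcfec = (uint64_t)0x0;
        *(uint64_t*)0x20ffcff4 = (uint64_t)0x100000000000000;
        *(uint32_t*)0x20ffcffc = (uint32_t)0x8;

        // Overwrite #3 of 0x20ffc000: 10 zero-length iovecs (entry 4 has
        // msg_iovlen 0xa). This is the content that survives.
        *(uint64_t*)0x20ffc000 = (uint64_t)0x20557000;
        *(uint64_t*)0x20ffc008 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc010 = (uint64_t)0x2034d000;
        *(uint64_t*)0x20ffc018 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc020 = (uint64_t)0x20ba9000;
        *(uint64_t*)0x20ffc028 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc030 = (uint64_t)0x20ffc000;
        *(uint64_t*)0x20ffc038 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc040 = (uint64_t)0x20ffcfcf;
        *(uint64_t*)0x20ffc048 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc050 = (uint64_t)0x202c4000;
        *(uint64_t*)0x20ffc058 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc060 = (uint64_t)0x20ffcfbc;
        *(uint64_t*)0x20ffc068 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc070 = (uint64_t)0x20ffcf42;
        *(uint64_t*)0x20ffc078 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc080 = (uint64_t)0x20c86000;
        *(uint64_t*)0x20ffc088 = (uint64_t)0x0;
        *(uint64_t*)0x20ffc090 = (uint64_t)0x205ad000;
        *(uint64_t*)0x20ffc098 = (uint64_t)0x0;

        // --- msg_name of entry 5 at 0x20ffcff0: family 2, 16 bytes.
        // Partly overwritten right after by the iovec array below. ---
        *(uint16_t*)0x20ffcff0 = (uint16_t)0x2;
        *(uint16_t*)0x20ffcff2 = (uint16_t)0x204e;
        *(uint32_t*)0x20ffcff4 = (uint32_t)0x20000e0;
        *(uint8_t*)0x20ffcff8 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcff9 = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffa = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffb = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffc = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffd = (uint8_t)0x0;
        *(uint8_t*)0x20ffcffe = (uint8_t)0x0;
        *(uint8_t*)0x20ffcfff = (uint8_t)0x0;

        // --- msg_iov of entry 5 at 0x20ffcfa0: 6 zero-length iovecs.
        // Note this clobbers the cmsg and sockaddr bytes written above at
        // 0x20ffcfa0..0x20ffcfff. ---
        *(uint64_t*)0x20ffcfa0 = (uint64_t)0x2020df35;
        *(uint64_t*)0x20ffcfa8 = (uint64_t)0x0;
        *(uint64_t*)0x20ffcfb0 = (uint64_t)0x20ffcf9b;
        *(uint64_t*)0x20ffcfb8 = (uint64_t)0x0;
        *(uint64_t*)0x20ffcfc0 = (uint64_t)0x206b4000;
        *(uint64_t*)0x20ffcfc8 = (uint64_t)0x0;
        *(uint64_t*)0x20ffcfd0 = (uint64_t)0x20dfff5f;
        *(uint64_t*)0x20ffcfd8 = (uint64_t)0x0;
        *(uint64_t*)0x20ffcfe0 = (uint64_t)0x20ffcf34;
        *(uint64_t*)0x20ffcfe8 = (uint64_t)0x0;
        *(uint64_t*)0x20ffcff0 = (uint64_t)0x20774f1b;
        *(uint64_t*)0x20ffcff8 = (uint64_t)0x0;

        // --- msg_control of entry 5 at 0x20ffcfd0 (msg_controllen 1),
        // overlapping iovecs 3..4 just written. ---
        *(uint64_t*)0x20ffcfd0 = (uint64_t)0x20;
        *(uint32_t*)0x20ffcfd8 = (uint32_t)0x84;
        *(uint32_t*)0x20ffcfdc = (uint32_t)0x2;
        *(uint16_t*)0x20ffcfe0 = (uint16_t)0x4;
        *(uint16_t*)0x20ffcfe2 = (uint16_t)0x8;
        *(uint32_t*)0x20ffcfe4 = (uint32_t)0x2;
        *(uint32_t*)0x20ffcfe8 = (uint32_t)0x9;
        *(uint32_t*)0x20ffcfec = (uint32_t)0x0;

        // sendmmsg(fd, vec, vlen=5, flags=0x10) on the socket from step 1.
        r[276] = syscall(__NR_sendmmsg, r[1], 0x20f44000ul, 0x5ul, 0x10ul);
        break;
    case 3:
        // listen(fd, 9) racing the sendmmsg above.
        r[277] = syscall(__NR_listen, r[1], 0x9ul);
        break;
    case 4:
        // accept(fd, 0x20ffc000, &len) with *len = 0x10. The address buffer
        // aliases the iovec/sockaddr scratch area step 2 is still writing.
        *(uint32_t*)0x20ffd000 = (uint32_t)0x10;
        r[279] = syscall(__NR_accept, r[1], 0x20ffc000ul, 0x20ffd000ul);
        break;
    }
    return 0;
}

// Launches steps 0..4 each on its own thread, staggered by a random delay of
// up to 10 ms, then lingers for up to 100 ms. Threads are intentionally never
// joined: process exit tears them down mid-syscall, which is the race window
// the reproducer relies on. pthread_create() failures are not checked; a
// failed step leaves its r[] slot at -1 and later steps run against fd -1.
void loop(void)
{
    long i;
    pthread_t th[10];
    memset(r, -1, sizeof(r));
    for (i = 0; i < 5; i++) {
        pthread_create(&th[i], 0, thr, (void*)i);
        usleep(rand() % 10000);
    }
    usleep(rand() % 100000);
}

int main(void)
{
    loop();
    return 0;
}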