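// https://syzkaller.appspot.com/bug?id=90a60ac9052c9528d51de6882cfb71ce76234884
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// NOTE(review): the header names were lost when this file was captured
// (twelve bare "#include" lines). The list below is reconstructed from what
// the code uses: NLMSG_*/GENL_*/CTRL_* macros, sockets, iovec, syscall numbers.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/genetlink.h>
#include <linux/netlink.h>
#include <sys/socket.h>
#include <sys/uio.h>

/*
 * Resolve a generic-netlink family name to its numeric family id.
 *
 * Sends CTRL_CMD_GETFAMILY on a fresh NETLINK_GENERIC socket and scans the
 * reply for CTRL_ATTR_FAMILY_ID.
 *
 * @name  address of a NUL-terminated family name, passed as a long because
 *        syzkaller programs address their scratch memory numerically; at
 *        most GENL_NAMSIZ - 1 bytes of it are used.
 * @return the family id (0..65535) on success, -1 on any failure: socket,
 *         send or receive error, a reply that is truncated, an error reply
 *         (NLMSG_ERROR, e.g. unknown family), a malformed attribute list, or
 *         a reply without CTRL_ATTR_FAMILY_ID.
 */
static long syz_genetlink_get_family_id(volatile long name)
{
  char buf[512] = {0};
  struct nlmsghdr *hdr = (struct nlmsghdr *)buf;
  struct genlmsghdr *genlhdr = (struct genlmsghdr *)NLMSG_DATA(hdr);
  struct nlattr *attr = (struct nlattr *)(genlhdr + 1);

  hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
  hdr->nlmsg_type = GENL_ID_CTRL;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  genlhdr->cmd = CTRL_CMD_GETFAMILY;
  attr->nla_type = CTRL_ATTR_FAMILY_NAME;
  attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
  /* snprintf always NUL-terminates; buf is zeroed, so the payload stays
   * zero-padded to GENL_NAMSIZ. strncpy would leave a name of exactly
   * GENL_NAMSIZ bytes unterminated. */
  snprintf((char *)(attr + 1), GENL_NAMSIZ, "%s", (const char *)(uintptr_t)name);

  struct iovec iov = {hdr, hdr->nlmsg_len};
  struct sockaddr_nl addr = {0};
  addr.nl_family = AF_NETLINK;

  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (fd == -1) {
    return -1;
  }
  struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
  if (sendmsg(fd, &msg, 0) == -1) {
    close(fd);
    return -1;
  }
  ssize_t n = recv(fd, buf, sizeof(buf), 0);
  close(fd);
  if (n <= 0) {
    return -1;
  }
  /* buf still holds the request; a reply shorter than a netlink header (or
   * one whose nlmsg_len exceeds what was received) must not be parsed as
   * if it were complete. NLMSG_OK checks both. */
  if (!NLMSG_OK(hdr, n)) {
    return -1;
  }
  /* The kernel answers an unknown family with NLMSG_ERROR, not GENL_ID_CTRL. */
  if (hdr->nlmsg_type != GENL_ID_CTRL) {
    return -1;
  }

  /* Walk the reply attributes, trusting nla_len only within the bytes that
   * were actually received. A nla_len below the header size is malformed
   * and would otherwise make the loop spin in place. */
  const char *end = buf + hdr->nlmsg_len;
  const char *p = (const char *)(genlhdr + 1);
  while ((size_t)(end - p) >= sizeof(struct nlattr)) {
    const struct nlattr *a = (const struct nlattr *)p;
    size_t avail = (size_t)(end - p);
    if (a->nla_len < sizeof(*a) || a->nla_len > avail) {
      return -1;
    }
    if (a->nla_type == CTRL_ATTR_FAMILY_ID) {
      uint16_t id;
      if (a->nla_len < sizeof(*a) + sizeof(id)) {
        return -1;
      }
      memcpy(&id, a + 1, sizeof(id)); /* no alignment/aliasing assumptions */
      return id;
    }
    p += NLMSG_ALIGN(a->nla_len);
  }
  return -1;
}

/* Resources recorded by main: r[0] = the NETLINK_GENERIC socket,
 * r[1] = the TIPC family id. Either keeps its all-ones initial value when
 * the corresponding call failed; main does not bail out in that case. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  /* Fixed 16 MiB anonymous RW mapping used as scratch memory for syscall
   * arguments (3 = PROT_READ|PROT_WRITE, 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS). */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  intptr_t res = 0;
  /* 0x10, 3, 0x10 = AF_NETLINK, SOCK_RAW, NETLINK_GENERIC */
  res = syscall(__NR_socket, 0x10, 3, 0x10);
  if (res != -1) {
    r[0] = res;
  }
  memcpy((void *)0x20000000, "TIPC\000", 5);
  res = syz_genetlink_get_family_id(0x20000000);
  if (res != -1) {
    r[1] = res;
  }
  /* struct msghdr at 0x200002c0: no name, one iovec at 0x20000780, no control. */
  *(uint64_t *)0x200002c0 = 0;          /* msg_name */
  *(uint32_t *)0x200002c8 = 0;          /* msg_namelen */
  *(uint64_t *)0x200002d0 = 0x20000780; /* msg_iov */
  *(uint64_t *)0x20000780 = 0x20000300; /* iov_base */
  /* Netlink message at 0x20000300: nlmsg_len = 0x68, nlmsg_type = the TIPC
   * family id, then the payload bytes recorded by syzkaller. Only the first
   * 0x68 bytes are sent (iov_len below). */
  memcpy((void *)0x20000300, "h\000\000\000", 4);
  *(uint16_t *)0x20000304 = r[1];
  memcpy((void *)0x20000306,
         "\x03\x00\x00\x00\x00\xc1\x6c\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         "\x00\x09\x41\x00\x00\x00\x4c\x00\x18\x00\x00\x0f\x00\x62\x72\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\xa9\x34\xc5\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\xc2\x6a"
         "\xeb\xc1\xa9\xf6\x9d\xe9\xca\x49\xc2\x8e\x57\x61\xe4\x1a\x7e\x79\x33"
         "\x1c\x16\xca\xde\x66\x37\x33\x1f\x59\x70\x7f\x8c\xbc\x20\x4d\xdd\xc5"
         "\x9a\xb7\x2c\x2c\x2a\x03\x86\x93\x12\x22\x5f\x36\x6c\x7f\x5b\xc3\x01"
         "\x95\x24\x5d\x94\xc6\x3b\x26\x69\xa5\x54\x69\xa7\x74\x62\x6c\xbd\x11"
         "\x3f\x82\x10\xd9\x33\x36\xb5\x2f\x9b\x85\xbf\xf3\x12\xc2\xb3\x0c\x93"
         "\x12\x79\x63\x58\xdf\xf1\xc6\x3b\xd7\x24\x3e\x37\xee\xfc\x18\x9b\x68"
         "\xa0\x1c\xa9\x9e\x60\xaa\xbc\x26\x8f\x92\x61\xe3\x68\xff\xaa\x72\xed"
         "\xbd\x00\x07\x7c\x9d\x8e\xe0\x74",
         229);
  *(uint64_t *)0x20000788 = 0x68; /* iov_len */
  *(uint64_t *)0x200002d8 = 1;    /* msg_iovlen */
  *(uint64_t *)0x200002e0 = 0;    /* msg_control */
  *(uint64_t *)0x200002e8 = 0;    /* msg_controllen */
  *(uint32_t *)0x200002f0 = 0;    /* msg_flags */
  syscall(__NR_sendmsg, r[0], 0x200002c0, 0);
  return 0;
}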