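// https://syzkaller.appspot.com/bug?id=b8afb3d95297388287141f3721edb7a94b0280c5
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It is meant to be run as root inside a disposable
// VM: it maps a fixed user address with MAP_FIXED, ignores most error
// returns on purpose (best-effort sandboxing), and drives filesystem ioctls
// with fuzzer-chosen arguments against files in the current directory.
// Do not run it on a machine you care about.
//
// NOTE(review): the header names after `#include` were lost when this file
// was captured; the list below is reconstructed from what the code uses.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* CLONE_NEWCGROUP is missing from older libc headers; the generated code
 * passed the raw value 0x02000000, which is kept here as the fallback. */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

/* Raw ioctl request numbers exactly as the reproducer issues them, decoded
 * with the Linux _IOC() layout (dir:2 | size:14 | type:8 | nr:8):
 *   0x40305828 -> _IOW ('X', 40, 48 bytes) = FS_IOC_RESVSP   (struct space_resv)
 *   0xc028660f -> _IOWR('f', 15, 40 bytes) = EXT4_IOC_MOVE_EXT (struct move_extent)
 * The field offsets written in loop() match those two structures. They are
 * kept numeric so the repro does not depend on kernel uapi headers. */
#define REPRO_IOC_FS_RESVSP 0x40305828UL
#define REPRO_IOC_EXT4_MOVE_EXT 0xc028660fUL

/* Fuzzer-provided openat() flag word, reproduced verbatim (not a clean
 * combination of named O_* flags). */
#define REPRO_OPEN_FLAGS 0x275a

/* 0xffffff9c is AT_FDCWD (-100) as the kernel's 32-bit int sees it. */
#define REPRO_AT_FDCWD 0xffffff9c

/* 16 MiB scratch region that main() maps at a fixed address; every syscall
 * argument buffer used by loop() lives inside it. */
#define REPRO_SCRATCH_BASE 0x20000000UL
#define REPRO_SCRATCH_SIZE 0x1000000UL

/* Best-effort host preparation. Mounting fusectl needs CAP_SYS_ADMIN; a
 * failure (already mounted, not root, no FUSE) is deliberately ignored. */
static void setup_common(void)
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
		/* ignored on purpose */
	}
}

static void loop(void);

/* Apply one hard+soft resource limit; the result is intentionally unchecked,
 * matching the generated code. */
static void set_rlimit(int resource, rlim_t value)
{
	struct rlimit rlim = { .rlim_cur = value, .rlim_max = value };
	setrlimit(resource, &rlim);
}

/* Best-effort isolation of the child that runs loop(): die with the parent,
 * cap resource usage so a runaway repro cannot exhaust the VM, and detach
 * from the host's namespaces. Every unshare() needs CAP_SYS_ADMIN and is
 * allowed to fail silently (the repro then runs in the shared namespace).
 *
 * NOTE(review): setsid() is expected to fail with EPERM here, because the
 * preceding setpgrp() just made this process a group leader; both calls are
 * kept as generated and neither result is checked. */
static void sandbox_common(void)
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();

	set_rlimit(RLIMIT_AS, (rlim_t)160 << 20);
	set_rlimit(RLIMIT_MEMLOCK, (rlim_t)8 << 20);
	set_rlimit(RLIMIT_FSIZE, (rlim_t)136 << 20);
	set_rlimit(RLIMIT_STACK, (rlim_t)1 << 20);
	set_rlimit(RLIMIT_CORE, 0);
	set_rlimit(RLIMIT_NOFILE, 256);

	static const int ns_flags[] = {
		CLONE_NEWNS,
		CLONE_NEWIPC,
		CLONE_NEWCGROUP,
		CLONE_NEWUTS,
		CLONE_SYSVSEM,
	};
	for (size_t i = 0; i < sizeof(ns_flags) / sizeof(ns_flags[0]); i++) {
		if (unshare(ns_flags[i])) {
			/* ignored on purpose */
		}
	}
}

/* Reap the sandbox child and return its exit status.
 *
 * pid < 0 means fork() failed, which is fatal. Other children (e.g. from
 * the PID namespace) are reaped and ignored until ours shows up. Unlike the
 * generated code, a waitpid() failure other than EINTR (typically ECHILD,
 * i.e. nothing left to wait for) exits instead of spinning forever. */
int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	for (;;) {
		int reaped = waitpid(-1, &status, __WALL);
		if (reaped == pid)
			break;
		if (reaped == -1 && errno != EINTR)
			exit(1);
	}
	return WEXITSTATUS(status);
}

/* "none" sandbox: fork into a fresh PID namespace (best effort), set up the
 * child, drop it into its own network namespace and run the repro there.
 * The parent only waits and relays the child's exit status. */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
		/* ignored on purpose */
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);

	setup_common();
	sandbox_common();
	if (unshare(CLONE_NEWNET)) {
		/* ignored on purpose */
	}
	loop();
	exit(1);
}

/* File descriptors produced by the two openat() calls; -1 until assigned.
 * If an open fails the later syscalls are issued on fd -1 and get EBADF,
 * which is harmless for the repro. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/* The syscall sequence that triggers the bug. All argument buffers are
 * raw stores into the fixed scratch mapping, at the offsets the fuzzer
 * chose; they are kept byte-for-byte. */
static void loop(void)
{
	long res = 0;

	/* 1. openat(AT_FDCWD, "stat\t<binary garbage>", 0x275a): a 75-byte path
	 *    (4 trailing NULs) relative to the current directory. */
	memcpy((void*)0x20000180,
	       "\x73\x74\x61\x74\x09\xc0\xc2\xfe\xbc\xf9\xdf\x2d\xea\xc8\xc1\x77\xff"
	       "\x17\x12\x48\xe9\x11\x93\x51\x30\x49\xf8\x31\x55\x0d\x6f\x7d\xe6\x6c"
	       "\xf6\x37\xbd\xbf\x13\x11\x92\x0c\x8a\x26\xed\xa4\xdc\xc3\x78\x3f\x9d"
	       "\xb5\x11\x6b\x34\xd3\x1b\x05\x12\xa5\x60\x8a\xaf\xf0\x1e\x79\x52\x34"
	       "\x0c\xd6\xfd\x00\x00\x00\x00",
	       75);
	res = syscall(__NR_openat, REPRO_AT_FDCWD, 0x20000180, REPRO_OPEN_FLAGS, 0);
	if (res != -1)
		r[0] = res;

	/* 2. pwrite64(r[0], "\xf7", 1, 0): make the first file non-empty. */
	memcpy((void*)0x200005c0, "\xf7", 1);
	syscall(__NR_pwrite64, r[0], 0x200005c0, 1, 0);

	/* 3. openat(AT_FDCWD, "memory.stat", 0x275a): the donor file. */
	memcpy((void*)0x20000240, "memory.stat", 12);
	res = syscall(__NR_openat, REPRO_AT_FDCWD, 0x20000240, REPRO_OPEN_FLAGS, 0);
	if (res != -1)
		r[1] = res;

	/* 4. write(r[1], "0x0000000000000000", 18): 18 bytes into the donor. */
	sprintf((char*)0x20000100, "0x%016llx", (long long)0);
	syscall(__NR_write, r[1], 0x20000100, 0x12);

	/* 5. FS_IOC_RESVSP on the donor, struct space_resv at 0x20000080. */
	*(uint16_t*)0x20000080 = 0;          /* l_type   */
	*(uint16_t*)0x20000082 = 0;          /* l_whence */
	*(uint64_t*)0x20000088 = 0;          /* l_start  */
	*(uint64_t*)0x20000090 = 0x405c92ec; /* l_len    */
	*(uint32_t*)0x20000098 = 0;          /* l_sysid  */
	*(uint32_t*)0x2000009c = 0;          /* l_pid    */
	*(uint32_t*)0x200000a0 = 0;          /* l_pad[0] */
	*(uint32_t*)0x200000a4 = 0;          /* l_pad[1] */
	*(uint32_t*)0x200000a8 = 0;          /* l_pad[2] */
	*(uint32_t*)0x200000ac = 0;          /* l_pad[3] */
	syscall(__NR_ioctl, r[1], REPRO_IOC_FS_RESVSP, 0x20000080);

	/* 6. FS_IOC_RESVSP on the first file, struct space_resv at 0x20000140. */
	*(uint16_t*)0x20000140 = 0;          /* l_type   */
	*(uint16_t*)0x20000142 = 0;          /* l_whence */
	*(uint64_t*)0x20000148 = 0x56cd4216; /* l_start  */
	*(uint64_t*)0x20000150 = 0x10001;    /* l_len    */
	*(uint32_t*)0x20000158 = 0;          /* l_sysid  */
	*(uint32_t*)0x2000015c = 0;          /* l_pid    */
	*(uint32_t*)0x20000160 = 0;          /* l_pad[0] */
	*(uint32_t*)0x20000164 = 0;          /* l_pad[1] */
	*(uint32_t*)0x20000168 = 0;          /* l_pad[2] */
	*(uint32_t*)0x2000016c = 0;          /* l_pad[3] */
	syscall(__NR_ioctl, r[0], REPRO_IOC_FS_RESVSP, 0x20000140);

	/* 7. EXT4_IOC_MOVE_EXT(r[0], donor = r[1]), struct move_extent at
	 *    0x20000300; orig_len is a fuzzer-chosen, oversized value. */
	*(uint32_t*)0x20000300 = 0;          /* reserved    */
	*(uint32_t*)0x20000304 = r[1];       /* donor_fd    */
	*(uint64_t*)0x20000308 = 0;          /* orig_start  */
	*(uint64_t*)0x20000310 = 0xfffa931c; /* orig_len    */
	*(uint64_t*)0x20000318 = 0;          /* donor_start */
	*(uint64_t*)0x20000320 = 0;          /* moved_len   */
	syscall(__NR_ioctl, r[0], REPRO_IOC_EXT4_MOVE_EXT, 0x20000300);
}

/* Map the scratch region, then run the sandboxed repro.
 * prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
 * MAP_FIXED silently replaces anything already mapped there, which is
 * acceptable only in a throwaway process. Unlike the generated code, a
 * failed mapping exits instead of faulting on the first memcpy. */
int main(void)
{
	long mapped = syscall(__NR_mmap, REPRO_SCRATCH_BASE, REPRO_SCRATCH_SIZE,
	                      3, 0x32, -1, 0);
	if (mapped == -1)
		exit(1);
	do_sandbox_none();
	return 0;
}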