// https://syzkaller.appspot.com/bug?id=0c8e5c99b3db338c8956fcb7231eb1f7e2d707f9
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len)                                  \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                      \
  if ((bf_off) == 0 && (bf_len) == 0) {                                        \
    *(type*)(addr) = (type)(val);                                              \
  } else {                                                                     \
    type new_val = *(type*)(addr);                                             \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                     \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);          \
    *(type*)(addr) = new_val;                                                  \
  }

struct csum_inet {
  uint32_t acc;
};

static void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
                             size_t length)
{
  if (length == 0)
    return;

  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];

  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];

  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

uint64_t r[1] = {0xffffffffffffffff};
void loop()
{
  long res = 0;
  *(uint8_t*)0x20000240 = 0xaa;
  *(uint8_t*)0x20000241 = 0xaa;
  *(uint8_t*)0x20000242 = 0xaa;
  *(uint8_t*)0x20000243 = 0xaa;
  *(uint8_t*)0x20000244 = 0xaa;
  *(uint8_t*)0x20000245 = 0xaa;
  *(uint8_t*)0x20000246 = 0xaa;
  *(uint8_t*)0x20000247 = 0xaa;
  *(uint8_t*)0x20000248 = 0xaa;
  *(uint8_t*)0x20000249 = 0xaa;
  *(uint8_t*)0x2000024a = 0xaa;
  *(uint8_t*)0x2000024b = 0xbb;
  *(uint16_t*)0x2000024c = htobe16(0x800);
  STORE_BY_BITMASK(uint8_t, 0x2000024e, 5, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x2000024e, 4, 4, 4);
  STORE_BY_BITMASK(uint8_t, 0x2000024f, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, 0x2000024f, 0, 2, 6);
  *(uint16_t*)0x20000250 = htobe16(0x58);
  *(uint16_t*)0x20000252 = htobe16(0);
  *(uint16_t*)0x20000254 = htobe16(0);
  *(uint8_t*)0x20000256 = 0;
  *(uint8_t*)0x20000257 = 0;
  *(uint16_t*)0x20000258 = 0;
  *(uint32_t*)0x2000025a = htobe32(0);
  *(uint8_t*)0x2000025e = 0xac;
  *(uint8_t*)0x2000025f = 0x14;
  *(uint8_t*)0x20000260 = 0x14;
  *(uint8_t*)0x20000261 = 0xaa;
  STORE_BY_BITMASK(uint16_t, 0x20000262, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 1, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 0, 4, 4);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 0, 8, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 0, 9, 4);
  STORE_BY_BITMASK(uint16_t, 0x20000262, 1, 13, 3);
  *(uint16_t*)0x20000264 = htobe16(0x880b);
  *(uint16_t*)0x20000266 = htobe16(0);
  *(uint16_t*)0x20000268 = htobe16(0);
  STORE_BY_BITMASK(uint16_t, 0x2000026a, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026a, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026a, 0, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026a, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026a, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, 0x2000026a, 0, 13, 3);
  *(uint16_t*)0x2000026c = htobe16(0x800);
  STORE_BY_BITMASK(uint16_t, 0x2000026e, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026e, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026e, 0, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026e, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000026e, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, 0x2000026e, 0, 13, 3);
  *(uint16_t*)0x20000270 = htobe16(0x86dd);
  *(uint16_t*)0x20000272 = 8;
  *(uint16_t*)0x20000274 = htobe16(0x88be);
  *(uint32_t*)0x20000276 = htobe32(0);
  STORE_BY_BITMASK(uint8_t, 0x2000027a, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x2000027a, 1, 4, 4);
  *(uint8_t*)0x2000027b = 0;
  STORE_BY_BITMASK(uint8_t, 0x2000027c, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, 0x2000027c, 0, 2, 1);
  STORE_BY_BITMASK(uint8_t, 0x2000027c, 0, 3, 2);
  STORE_BY_BITMASK(uint8_t, 0x2000027c, 0, 5, 3);
  *(uint8_t*)0x2000027d = 0;
  *(uint32_t*)0x2000027e = 1;
  *(uint32_t*)0x20000282 = htobe32(0);
  *(uint16_t*)0x20000286 = 8;
  *(uint16_t*)0x20000288 = htobe16(0x22eb);
  *(uint32_t*)0x2000028a = htobe32(0);
  STORE_BY_BITMASK(uint8_t, 0x2000028e, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x2000028e, 2, 4, 4);
  *(uint8_t*)0x2000028f = 0;
  STORE_BY_BITMASK(uint8_t, 0x20000290, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, 0x20000290, 0, 2, 1);
  STORE_BY_BITMASK(uint8_t, 0x20000290, 0, 3, 2);
  STORE_BY_BITMASK(uint8_t, 0x20000290, 0, 5, 3);
  *(uint8_t*)0x20000291 = 0;
  *(uint32_t*)0x20000292 = 2;
  *(uint32_t*)0x20000296 = htobe32(0);
  *(uint16_t*)0x2000029a = htobe16(0);
  STORE_BY_BITMASK(uint8_t, 0x2000029c, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, 0x2000029c, 0, 2, 5);
  STORE_BY_BITMASK(uint8_t, 0x2000029c, 0, 7, 1);
  STORE_BY_BITMASK(uint8_t, 0x2000029d, 0, 0, 1);
  STORE_BY_BITMASK(uint8_t, 0x2000029d, 0, 1, 2);
  STORE_BY_BITMASK(uint8_t, 0x2000029d, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, 0x2000029d, 0, 4, 1);
  *(uint16_t*)0x2000029e = 8;
  *(uint16_t*)0x200002a0 = htobe16(0x6558);
  *(uint32_t*)0x200002a2 = htobe32(0);
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint32_t*)0x20000010 = 0;
  *(uint32_t*)0x20000014 = 0;
  struct csum_inet csum_1;
  csum_inet_init(&csum_1);
  csum_inet_update(&csum_1, (const uint8_t*)0x2000024e, 20);
  *(uint16_t*)0x20000258 = csum_inet_digest(&csum_1);
  res = syscall(__NR_socket, 0x11, 2, 0x81);
  if (res != -1)
    r[0] = res;
  *(uint16_t*)0x20000000 = 0x11;
  memcpy((void*)0x20000002,
         "\x00\x00\x01\x00\x00\x00\x00\x00\x08\x00\x44\x94\x4e\xeb\xa7\x1a\x49"
         "\x76\xe2\x52\x92\x2c\xb1\x8f\x6e\x2e\x2a\xba\x00\x00\x00\x01\x2e\x0b"
         "\x38\x36\x00\x54\x04\xb0\xe0\x30\x1a\x4c\xe8\x75\xf2\xe3\xff\x5f\x16"
         "\x3e\xe3\x40\xb7\x67\x95\x00\x80\x00\x00\x00\x00\x00\x00\x01\x01\x01"
         "\x3c\x58\x11\x03\x9e\x15\x77\x50\x27\xec\xce\x66\xfd\x79\x2b\xbf\x0e"
         "\x5b\xf5\xff\x1b\x08\x16\xf3\xf6\xdb\x1c\x00\x01\x00\x00\x00\x00\x00"
         "\x00\x00\x49\x74\x00\x00\x00\x00\x00\x00\x00\x06\xad\x8e\x5e\xcc\x32"
         "\x6d\x3a\x09\xff\xc2\xc6\x54",
         126);
  syscall(__NR_bind, r[0], 0x20000000, 0x80);
  *(uint64_t*)0x200010c0 = 0x20000080;
  memcpy((void*)0x20000080, "\x09\x00\x00\x00", 4);
  *(uint64_t*)0x200010c8 = 4;
  syscall(__NR_writev, r[0], 0x200010c0, 1);
}

int main()
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  loop();
  return 0;
}