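// https://syzkaller.appspot.com/bug?id=ee7a490448b51172934397f09a7ef045e634f8d1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for a syzkaller-reported Linux kernel bug (see the link above).
// Like every syzkaller repro it issues syscalls with deliberately odd
// arguments, checks almost no return values, and exists to crash or corrupt
// the kernel it runs on. Run it only inside a disposable VM with a kernel
// built for the report (it expects /dev/nullb0, i.e. null_blk, to exist);
// never on a host or container you care about.
//
// NOTE(review): the header names after each `#include` were lost when this
// page was extracted. The list below is reconstructed from the libc symbols
// the code actually uses (snprintf, memset/memcpy, open/O_*, syscall, write,
// uint64_t/intptr_t) and matches the set syzkaller normally emits.

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* bpf(2) syscall number on x86_64, for libc headers that predate it. */
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/*
 * Open an entry below /proc for the calling process.
 *
 * a0 picks the directory: 0 -> /proc/self, -1 -> /proc/thread-self, any
 * other value -> /proc/self/task/<a0>. a1 is a pointer (carried in an
 * integer, syzkaller style) to the NUL-terminated entry name.
 *
 * The entry is tried O_RDWR first and then O_RDONLY, because most procfs
 * files are read-only. Returns the descriptor, or -1 with errno set by the
 * last open() that failed.
 *
 * Added over the generated version: a NULL name, or a path that would not
 * fit in the buffer, returns -1 instead of opening a truncated - i.e. a
 * different - path.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
  const char *name = (const char *)a1;
  char path[128];
  int written;

  if (name == NULL)
    return -1;

  if (a0 == 0)
    written = snprintf(path, sizeof(path), "/proc/self/%s", name);
  else if (a0 == -1)
    written = snprintf(path, sizeof(path), "/proc/thread-self/%s", name);
  else
    written = snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, name);

  if (written < 0 || (size_t)written >= sizeof(path))
    return -1; /* encoding error or truncation: refuse rather than mis-open */

  int fd = open(path, O_RDWR);
  if (fd == -1)
    fd = open(path, O_RDONLY);
  return fd;
}

/*
 * Descriptors harvested from earlier calls and fed to later ones:
 *   r[0] - /dev/nullb0 (block device)
 *   r[1] - /proc/self/maps
 * -1 means the producing call failed; consumers then just get EBADF.
 */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  /*
   * Syzkaller scratch area: 16 MiB of RWX anonymous memory at 0x200000000000
   * where syscall arguments are staged, with an inaccessible guard page on
   * either side. Every pointer argument below refers into this region.
   */
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  intptr_t res = 0;

  /* Marker the syzkaller harness greps for; the `if` only silences
   * warn_unused_result, the result is intentionally ignored. */
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  /*
   * openat(AT_FDCWD, "/dev/nullb0",
   *        O_TRUNC|O_NOFOLLOW|O_NOCTTY|O_CREAT|O_CLOEXEC|O_RDWR, 0)
   * -> r[0]. Fails (r[0] stays -1) when null_blk is not loaded.
   */
  memcpy((void *)0x200000000000, "/dev/nullb0\000", 12);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000000ul,
                /*flags=O_TRUNC|O_NOFOLLOW|O_NOCTTY|O_CREAT|O_CLOEXEC|0x2*/ 0xa0342,
                /*mode=*/0);
  if (res != -1)
    r[0] = res;

  /*
   * mmap the block device MAP_FIXED|MAP_POPULATE over the first 0xb36000
   * bytes of the scratch area (prot also carries PROT_GROWSUP|PROT_GROWSDOWN,
   * flags MAP_STACK|MAP_NONBLOCK|MAP_SHARED). If this succeeds, every
   * argument staged below is written into the file-backed mapping instead
   * of anonymous memory; if it fails (e.g. r[0] == -1) the anonymous scratch
   * simply remains. The result is not checked, as in all syzkaller repros.
   */
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
          /*prot=PROT_GROWSUP|PROT_GROWSDOWN|PROT_WRITE|PROT_READ|PROT_EXEC*/ 0x3000007ul,
          /*flags=MAP_STACK|MAP_POPULATE|MAP_NONBLOCK|MAP_FIXED|0x1*/ 0x38011ul,
          /*fd=*/r[0], /*offset=*/0ul);

  /*
   * bpf(BPF_PROG_TEST_RUN, &attr, 0x50). attr.test layout at 0x...80:
   *   +0x00 prog_fd       = -1   (no program was ever loaded, so the kernel
   *                               is expected to reject this with EBADF;
   *                               presumably left in by the minimizer)
   *   +0x04 retval        = 0x2a0
   *   +0x08 data_size_in  = 0xe1 (225 bytes of fuzzer-generated input below)
   *   +0x0c data_size_out = 0
   *   +0x10 data_in       = 0x200000000100
   *   +0x18 data_out      = NULL
   *   +0x20 repeat        = 8
   *   +0x24 duration      = 0x60000000
   *   +0x28 ctx_size_in / +0x2c ctx_size_out = 0
   *   +0x30 ctx_in / +0x38 ctx_out = NULL
   *   +0x40 flags = 0, +0x44 cpu = 0, +0x48 batch_size = 0
   */
  *(uint32_t *)0x200000000080 = -1;
  *(uint32_t *)0x200000000084 = 0x2a0;
  *(uint32_t *)0x200000000088 = 0xe1;
  *(uint32_t *)0x20000000008c = 0;
  *(uint64_t *)0x200000000090 = 0x200000000100;
  memcpy((void *)0x200000000100,
         "\xb9\xff\x03\x07\x68\x44\x26\x8c\xb8\x9e\x14\xf0\x05\xdd\x1b\xe0\xff\xff"
         "\x00\xfe\x3a\x21\x63\x2f\x77\xfb\xac\x14\x14\x1d\xe0\x07\x03\x17\x62\x07"
         "\x9f\x4b\x4d\x2f\x87\xe5\xfe\xca\x6a\xab\x84\x50\x13\xf2\x32\x5f\x1a\x39"
         "\x01\x05\x0b\x03\x8d\xa1\x88\x0b\x25\x18\x1a\xa5\x9d\x94\x3b\xe3\xf4\xae"
         "\xd5\x0e\xa5\xa6\xb8\x68\x67\x31\xcb\x89\xef\x77\x12\x3c\x89\x9b\x69\x9e"
         "\xea\xa8\xea\xa0\x07\x34\x61\x11\x96\x63\x90\x64\x00\xf3\x0c\x06\x00\x00"
         "\x00\x00\x00\x00\x59\xb6\xd3\x29\x6e\x8c\xa3\x1b\xce\x1d\x83\x92\x07\x8b"
         "\x72\xf2\x49\x96\xae\x17\xdf\xfc\x2e\x43\xc8\x17\x4b\x54\xb6\x20\x63\x68"
         "\x94\xaa\xac\xf2\x8f\xf6\x26\x16\x36\x3c\x70\xa4\x40\xae\xc4\x01\x4c\xaf"
         "\x28\xc0\xad\xc0\x43\x08\x46\x17\xd7\xec\xf4\x1e\x9d\x13\x45\x89\xd4\x6e"
         "\x5d\xfc\x4c\xa5\x78\x0d\x38\xca\xe8\x70\xb9\xa1\xdf\x48\xb2\x38\x19\x0d"
         "\xa4\x50\x29\x6b\x0a\xc0\x14\x96\xac\xe2\x3e\xef\xc9\xd4\x24\x6d\xd1\x4a"
         "\xfb\xf7\x9a\x22\x83\xa0\xbb\x7e\x1d",
         225);
  *(uint64_t *)0x200000000098 = 0;
  *(uint32_t *)0x2000000000a0 = 8;
  *(uint32_t *)0x2000000000a4 = 0x60000000;
  *(uint32_t *)0x2000000000a8 = 0;
  *(uint32_t *)0x2000000000ac = 0;
  *(uint64_t *)0x2000000000b0 = 0;
  *(uint64_t *)0x2000000000b8 = 0;
  *(uint32_t *)0x2000000000c0 = 0;
  *(uint32_t *)0x2000000000c4 = 0;
  *(uint32_t *)0x2000000000c8 = 0;
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x200000000080ul, /*size=*/0x50ul);

  /* open("/proc/self/maps") -> r[1] (pid 0 selects /proc/self). */
  memcpy((void *)0x200000000240, "maps\000", 5);
  res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000240);
  if (res != -1)
    r[1] = res;

  /*
   * ioctl(r[1], KVM_SET_USER_MEMORY_REGION (0xc0686611), &region) with
   *   slot = 0x68, flags = 0, guest_phys_addr = 0x17, memory_size = 0x2000,
   *   userspace_addr = 0x200000ffd000 (inside the RWX scratch area).
   * The generated annotation calls the fd "fd_kvmvm", but r[1] is the
   * /proc/self/maps descriptor opened just above - this program never
   * creates a KVM VM - so this is a KVM ioctl number issued on a procfs
   * file, which is how syzkaller ended up with it.
   */
  *(uint32_t *)0x200000000180 = 0x68;
  *(uint32_t *)0x200000000184 = 0;
  *(uint64_t *)0x200000000188 = 0x17;
  *(uint64_t *)0x200000000190 = 0x2000;
  *(uint64_t *)0x200000000198 = 0x200000ffd000;
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xc0686611, /*arg=*/0x200000000180ul);

  return 0;
}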