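// https://syzkaller.appspot.com/bug?id=86b765f077631bfe5058f698155b2b0da8bcdbc5
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the syzkaller bug linked above. It maps a fixed scratch
// region, opens /dev/pf and issues a handful of ioctls with fuzzer-chosen
// payloads; running it is expected to trigger the fault reported there, so it
// belongs on a throwaway test kernel.
//
// NOTE(review): the header names of the original include block were lost in
// extraction (bare "#include" tokens); the set below is reconstructed from the
// identifiers the program uses and may differ from the generator's list.
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Scratch mapping shared by every syscall argument below. */
enum {
    SCRATCH_BASE = 0x20000000,
    SCRATCH_SIZE = 0x1000000,
    EXEC_TIMEOUT_MS = 5 * 1000, /* how long one child may run before it is killed */
};

/*
 * Kill child `pid` and reap it, storing its wait status in *status.
 * waitpid(-1) may reap other children first; those results are discarded.
 * Unlike the generated version, a waitpid() failure other than EINTR
 * (e.g. ECHILD because the child was already reaped) ends the loop instead
 * of spinning forever.
 */
static void kill_and_wait(int pid, int *status)
{
    kill(pid, SIGKILL);
    for (;;) {
        int reaped = waitpid(-1, status, 0);
        if (reaped == pid) {
            break;
        }
        if (reaped == -1 && errno != EINTR) {
            break;
        }
    }
}

/* Sleep for `ms` milliseconds. */
static void sleep_ms(uint64_t ms)
{
    usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; exits the process if the clock is unavailable. */
static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts)) {
        exit(1);
    }
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Fork a fresh child for every iteration, run execute_one() in it and give it
 * EXEC_TIMEOUT_MS to finish before it is killed. Never returns; the parent
 * only leaves through exit() on fork/clock failure.
 */
static void loop(void)
{
    for (;;) {
        int pid = fork();
        if (pid < 0) {
            exit(1);
        }
        if (pid == 0) {
            execute_one();
            exit(0);
        }

        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            /* Non-blocking poll; any child that is not `pid` is ignored. */
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) {
                break;
            }
            sleep_ms(1);
            if (current_time_ms() - start < EXEC_TIMEOUT_MS) {
                continue;
            }
            kill_and_wait(pid, &status);
            break;
        }
    }
}

/*
 * Resources produced by earlier syscalls and consumed by later ones.
 * r[0] is the /dev/pf descriptor; it keeps the sentinel -1 (as uint64_t) if
 * the openat() below fails, so later uses then pass an invalid fd.
 */
uint64_t r[1] = {0xffffffffffffffff};

/* One execution of the generated syscall program. */
static void execute_one(void)
{
    intptr_t res = 0;

    /* openat(AT_FDCWD, "/dev/pf", O_RDWR): -100 and 2 are passed as raw numbers. */
    memcpy((void *)0x20000000, "/dev/pf\000", 8);
    res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 2ul, 0ul);
    if (res != -1) {
        r[0] = res;
    }

    /* 1024-byte fuzzer payload at 0x20000680 (argument of the first ioctl). */
    memcpy(
        (void *)0x20000680,
        "\x43\x71\x07\x8b\x86\xc4\x5e\x83\x76\x98\x5b\x83\xa4\x0d\x66\x14\x30\x7a"
        "\x15\x33\xd8\xb8\xea\x90\xda\x1c\x94\xaa\xa8\x1f\x72\x14\x1a\xdf\xce\x74"
        "\x8e\x2e\x31\x02\x3a\x28\x46\xa8\x8f\xdd\xc2\x49\xba\xe2\xe9\xc3\x92\xbf"
        "\x1b\x4e\xf6\x4a\x4b\x34\xa2\x34\x2f\xc5\x17\xdf\xef\x27\x27\x07\xc5\xec"
        "\xe8\x98\xfc\x2e\xac\x84\x00\x6e\x18\xa7\xfb\xdc\xaf\x10\x71\x53\xf5\xb7"
        "\x36\x78\x0a\x72\x6c\xbf\x10\x1d\x7c\x7b\xa0\xc6\x5d\x06\x4b\x1d\x84\xab"
        "\x62\x2a\x6f\xc2\xd6\x8d\xcb\xb6\x6a\xc8\xba\x82\x3a\xa5\xc9\x5e\x56\x3f"
        "\x7b\x41\x0e\x2a\x51\x20\x41\xf8\x6b\xf0\x95\x02\xcb\x89\x42\xb9\xdc\x33"
        "\x0d\x26\xc8\x2f\x28\x1a\x9d\xc8\x44\x3d\xf8\xa1\x86\x91\xe6\x6b\x25\xdb"
        "\xec\x87\x63\xa3\xc6\xac\x71\xa5\x85\xb2\x4e\x58\xec\x38\x02\xfb\xf2\xda"
        "\xd0\x65\xe0\xb5\x78\x30\xcc\x8c\xbe\xb4\x6a\x23\x6d\xab\xbb\x97\x9f\x43"
        "\xdf\x3c\xcf\x2c\x7b\x0d\x38\xd1\x29\x58\xba\xcd\x53\x8a\xc8\x4f\xfe\x15"
        "\xa1\xdf\xf7\x93\x01\x27\x7b\xd3\xe6\x15\x8f\xd9\x0b\x4c\x02\x69\x73\x95"
        "\x78\x7f\xbe\x4a\x48\xc5\x21\xdd\xfb\x48\xa3\x24\xa6\xaa\x4c\x07\x62\x6e"
        "\xb6\x2b\x4b\x54\xd1\x4b\x33\x14\x6c\x70\x8f\x03\x57\x93\x68\x5b\xc2\x8a"
        "\xf9\x1c\x0a\xb3\x98\x70\x1e\xfa\x9f\x3c\x1b\x6a\x38\xa4\x64\xb7\xcb\x35"
        "\xc7\x65\xfb\x76\xf0\xa5\x99\xa9\x26\x08\xd6\x54\xea\x0f\x56\x6d\xe6\x07"
        "\x97\x33\x60\x4e\x79\xf3\x30\x94\xdd\x61\xbd\x75\xf5\x27\x69\x78\x93\x83"
        "\x5f\x74\x31\x63\x11\x19\x5d\x68\x4c\x74\x4c\xdd\xa4\xca\x6b\x01\x1b\xea"
        "\xda\x9c\x11\xe3\xdb\xa1\x8e\x0b\x59\xf1\xf2\x23\xa5\x8d\x99\x52\xde\xdd"
        "\x34\x0c\x00\x34\x6d\xe1\xb7\x10\xee\xbd\x67\x30\xaa\x76\x3c\x7b\xec\x2e"
        "\x89\xb9\x51\x8b\xbe\xf0\xd6\xa1\x72\x94\x8f\xa5\xb7\x2c\xaf\x4e\x39\x51"
        "\xf4\xc1\x22\x0e\x0a\x2e\x57\x51\x9e\xc5\x74\x46\x60\x1e\x64\x3b\xc9\x10"
        "\x05\x89\x3b\x69\x32\xd4\x4b\xe0\x46\xc2\x38\xfe\xd4\xd6\x8a\xf6\xc1\x23"
        "\x42\xb3\xec\xa4\x84\x2c\x83\xd1\x36\xb3\x71\x4d\x8b\x13\x82\xb9\xcc\x2d"
        "\xd1\x3a\xb4\x58\x78\xe1\x89\xcd\xd0\xd8\xc7\xb2\x29\x88\x74\x80\xec\x72"
        "\x54\x9b\x62\x4b\x3c\x10\x31\x77\xfe\xdc\xa1\xda\x00\x2b\xe1\x12\xa4\x22"
        "\xc4\xc9\x4d\x0b\xc3\x3b\x3e\xbc\xd7\x7d\x60\xd3\x71\x63\xf2\x86\x54\xdc"
        "\xc8\x8d\x97\x99\x5d\x74\x47\xe9\x58\x5d\x9c\xc3\x47\x05\x14\xe7\xd5\xe1"
        "\xa0\x52\x61\x18\x2f\xd5\xfa\xb4\x40\x85\xe1\x06\x6a\x11\xff\x24\xb4\x71"
        "\xcc\xfc\xd0\x36\xfc\x95\x8b\xe1\x8b\x68\xeb\x2f\x26\x36\x51\x73\x86\xa8"
        "\x41\x4c\x82\xff\xf1\x4c\x13\x89\xff\x89\x4d\xa5\xdd\xf7\x06\xba\x72\x0d"
        "\xbc\x22\x73\x09\xfd\xe8\xe0\x7b\xa6\x03\x0c\x02\xc1\xcc\xe6\x32\xa9\x65"
        "\xfc\xc6\x9d\xfa\x0f\x9e\x1b\x64\xe6\xae\xc3\xc6\x4f\x90\x4e\xac\x55\xf2"
        "\xc5\x7a\x6e\x50\x34\x6d\x66\x80\xaf\xf4\x1f\x8a\x6b\x07\x56\x7e\x46\x83"
        "\xe2\xb9\xfa\xc9\xb6\xa9\x54\xdf\xf5\xd1\xef\xbd\x31\xf6\x5f\xdb\x79\x77"
        "\xa4\x32\xd7\x19\x97\x13\xd4\x79\xd3\xc0\x64\x04\x53\xaa\xf4\xae\x76\xfa"
        "\x82\xdb\x85\x23\x86\x39\xed\xfa\x55\x7e\x59\x63\xb2\x5d\xdf\x5d\x4d\x10"
        "\xc0\xca\x7f\x1d\x30\x36\x45\xe2\xe4\xbc\x33\x3b\x79\x6e\x77\xdf\x49\xf6"
        "\xb6\xd2\x40\xbf\x2e\x8c\x6a\xe2\x32\xce\xef\xbb\x5f\xd3\x78\xfa\xd5\x58"
        "\x47\x97\xe4\x3c\x02\x6e\xda\xb3\x87\x53\x2b\x27\x18\x42\xf4\x37\xb2\xc6"
        "\xa1\x2d\x6b\xc0\x8b\xf7\x4d\x08\x9a\x74\x30\xda\x10\xae\x00\xc9\x5b\x0a"
        "\x2d\x42\xea\x08\x07\x45\xad\x49\xcc\x25\x27\xfc\x59\x4c\x5a\xd4\x07\xb8"
        "\x32\xc6\x81\x4e\x40\xe6\xf2\x4a\xac\x4a\xe4\x4a\x38\x6c\x29\x27\xba\x8c"
        "\x18\xa1\x6e\x5e\x06\xcb\x3b\x9d\x81\xb6\x4b\xe0\xc9\xc1\x43\x3a\x3e\x7b"
        "\x32\xed\x43\xf6\x54\x8b\x03\x50\x20\x53\x31\x89\x7d\x8c\x0e\x1d\xc9\x53"
        "\x9a\x02\x7c\x27\x61\x11\xd8\xfc\x98\x15\xf2\x73\x1f\xc6\x24\x9b\x41\x4f"
        "\x7f\x94\xea\xb8\x6a\x17\x2d\xa4\x93\x2c\x83\x09\x72\xc2\x2d\x0c\x21\xb8"
        "\x7d\xdc\x7a\x69\x36\x2d\xfd\x67\x32\x84\xc0\xa9\x38\xbc\xe3\x59\x43\xe6"
        "\x1d\x73\xec\x65\xb6\x89\xbb\x6d\x11\xca\x38\x7a\x29\xe7\xef\x67\x7e\x46"
        "\x23\xdf\x2c\x09\xc2\xd1\x1d\xa1\xb8\xaa\x4c\xdc\xd9\x87\xf0\x91\x44\xd8"
        "\xce\xaa\x0c\x82\x94\x94\x8f\x8c\x3b\x3e\xf1\x66\x43\xc4\x78\x85\x0d\x06"
        "\xc7\xd3\x62\xcf\x50\xd2\x00\x2b\x04\x59\xfb\x71\x68\x33\x00\xc3\x40\xbb"
        "\xff\xdb\x1c\x19\xbb\x71\x40\xd6\xc4\xde\x34\xc3\x9a\x68\x47\x7a\xa3\xe4"
        "\xc0\x00\x07\xa4\x8f\xa8\xef\xd8\x03\xa7\x5d\x1e\xfd\x79\x74\xb0\x5f\x36"
        "\xeb\xac\xfa\xb9\x2c\x73\xe1\xba\x9a\x8a\x02\xc0\xa4\x20\xe8\x3b\x51\xff"
        "\x65\x09\x18\x3f\xf3\xe0\x06\xeb\x16\xb2\x44\x64\x85\x36\x64\x4b",
        1024);
    memcpy((void *)0x20000a80,
           "\xa6\xea\x73\x04\x23\x87\xdc\x1c\x38\x4a\x8e\x49\x69\xaf\x45\xf1\xdf"
           "\x01\x8a\x69\x79\xf2\x9b\xcb\xf9\x74\x04\x79\x78\xb5\x85\x00",
           32);
    /* Scalar fields following the payload; the struct layout is not visible here. */
    *(uint32_t *)0x20000aa0 = 9;
    *(uint8_t *)0x20000aa4 = 2;
    *(uint64_t *)0x20000aa8 = 0;
    *(uint64_t *)0x20000ab0 = 0xffff;
    *(uint64_t *)0x20000ab8 = 0x8a;
    *(uint64_t *)0x20000ac0 = 0x8001;
    *(uint64_t *)0x20000ac8 = 4;
    *(uint64_t *)0x20000ad0 = 5;
    *(uint64_t *)0x20000ad8 = 0x1007;
    *(uint64_t *)0x20000ae0 = 0x3f;
    *(uint32_t *)0x20000ae8 = 0x67f;
    /*
     * Issued on fd 0xffffff9c (-100 as a 32-bit int), not on r[0], so this
     * call fails on the fd before the payload is examined. NOTE(review): the
     * request word looks like BSD _IOWR encoding with group 'D' (0x44), which
     * is pf(4)'s ioctl group — confirm which DIOC* command it decodes to.
     */
    syscall(SYS_ioctl, 0xffffff9c, 0xc450444aul, 0x20000680ul);

    /* 1024-byte fuzzer payload at 0x20000100 (argument of the second ioctl). */
    memcpy(
        (void *)0x20000100,
        "\x20\xe8\x68\xe2\xcd\x9b\x50\x3f\x30\xb9\x6c\x28\xd9\x1f\x45\x6b\xe8\x72"
        "\x52\x79\xe2\x05\xd4\xb8\x63\x1a\xa1\x04\xb6\x5c\xae\x39\x3a\x90\x20\x0a"
        "\x72\x70\x0f\x22\x54\x82\xab\x7d\x9d\x76\xab\xb9\x94\xc1\x5b\x7e\x9b\x6d"
        "\x12\xa1\x82\xf8\x1d\x89\xc6\xa0\x35\x91\x1b\x4e\xf4\x50\xf4\x1d\xe1\x2d"
        "\x19\xe8\x43\xc3\x3e\xd9\x6f\x1d\xcd\xc4\x7f\x00\x00\x00\x01\x84\xbb\x76"
        "\x1e\xc3\xc6\x4d\x2a\xc5\x0f\xf7\xa5\xe3\x9e\xc5\xcc\xf5\x32\x22\xfd\xf6"
        "\xd3\xbc\xa6\x57\x6c\x5f\x29\xf0\x90\x7c\xa4\xf9\x19\x94\x71\x61\x02\x88"
        "\xad\xfc\x98\xf7\x68\xb8\xc3\x0e\x00\x15\xc4\x01\xd2\x0b\xae\x94\xa4\xfc"
        "\xc8\xcf\xde\xfd\xb5\x00\xbc\x94\x15\x1d\x22\x5c\xd3\x16\x0f\x66\xe8\x23"
        "\x83\xcf\x65\x79\xb1\xd6\xe2\x73\x5a\x65\x77\x44\xf0\xcb\x11\xec\x19\x98"
        "\x93\x6b\x72\xba\x58\xdc\x2b\x6c\x15\xfe\x44\x03\x90\x97\x7d\x70\xcb\xed"
        "\x9a\x4d\x4e\xf2\x5d\x3c\xe6\x9b\x6e\x2a\x45\xac\x6a\x16\xfc\x57\x58\x93"
        "\x66\x6d\x13\x80\xfd\x83\x15\xa6\xb1\x7c\x07\xf0\x46\x34\x8b\xa4\xb7\xc8"
        "\xca\x2c\xe5\x73\xba\xd3\x6a\x3b\xfe\xea\x62\x38\x82\x9b\x33\xf2\x1e\x36"
        "\x2b\x95\x29\xa3\xc0\xca\x75\xbc\x9f\x93\x16\xd8\xd7\x86\x50\x2b\x59\x8d"
        "\x5f\x3d\x90\xcf\x55\x4a\x8e\xcf\x81\x27\x36\xe2\xb0\x1f\x16\xf6\x60\x14"
        "\x4b\x76\x57\x1a\xb0\xdd\x89\x21\x70\x3f\xc4\x11\xb5\x3b\xa4\x1a\x27\x48"
        "\xb8\xec\x5b\x0b\x43\xc0\x82\x94\x59\x9a\xf9\x73\x3a\xbb\x04\xa2\x61\x02"
        "\xa4\x26\x2f\x16\xbe\xff\xd1\x95\x25\x31\xdb\xb5\xbb\xe0\xf3\x95\xd0\x8f"
        "\x79\xc0\xc8\x4e\x9b\x89\x21\x03\x93\xef\xa6\x1f\xab\x6a\x79\x5e\x25\x88"
        "\xf2\xd2\xd1\x1b\xa7\x05\xf7\x35\xb2\x7e\x24\x46\x6e\x48\x0c\xfb\x93\x8b"
        "\xde\x76\xfe\xac\x19\x1a\xc3\xa7\x5a\x1e\x15\x57\xde\x3c\x66\xd1\x54\x91"
        "\x6c\xd0\x1f\xc7\x9e\xf6\x58\xa8\x9b\xde\xb0\x87\x6c\x0a\xa9\x74\x95\x58"
        "\xf4\x46\x08\x69\xb4\xcf\x1e\x56\xe0\x17\x92\xfc\xbc\x71\x7c\x81\x55\xd2"
        "\x62\x84\x86\xe3\x2d\xc9\x75\xbd\x85\xc1\x5b\x83\x01\xc3\x05\x9b\x86\x2b"
        "\xe3\xfe\x0a\x61\x17\x20\x9b\x28\x0f\x98\xe5\xe7\x9f\xf4\xf1\x0c\xaa\x05"
        "\x14\x60\xda\xcc\xf2\xb2\xb6\xb8\x07\x30\xdf\xf8\xbe\x69\x80\x77\x52\xb8"
        "\x10\x92\x52\x0a\x9b\x1c\xb3\x1a\x32\x66\xa9\xb8\xc2\x8e\x7f\x70\x4f\x23"
        "\xb5\x60\xf5\x1b\x60\x41\x49\xc9\xd3\xf5\x27\x38\xc6\x46\x4f\x3e\xe1\x7e"
        "\x60\x58\xe8\xb1\xe1\x51\x29\x1a\x9e\x82\xfe\xa8\xe7\x6a\x19\x8d\xdd\xab"
        "\x25\x3d\x34\x2a\x42\x37\x33\x08\x0f\x3b\xd7\x78\xed\x07\x6f\x34\x8a\x22"
        "\xad\x42\xab\x74\x45\x2e\xee\x89\x3f\xc4\x55\x16\x36\xca\xc3\x8e\x3d\x93"
        "\x1c\x34\xed\x14\xdf\xec\xca\xa5\xcb\x66\x54\x00\xef\x9f\x90\x79\xc8\xfa"
        "\x47\x6a\x23\x0d\x47\x68\x54\xb2\xfc\x9d\x24\xc3\xc0\x31\x21\xcf\xa9\x7a"
        "\x35\x76\x75\xa9\x66\x6f\x7c\x62\xf9\x98\x8e\x6f\x4e\x16\x88\xa3\x94\xd7"
        "\x88\x77\x55\x3e\x32\xc5\xd2\x88\x96\xb7\x7d\x52\x60\x7e\x3f\x09\x7b\xec"
        "\xa9\x66\xae\xdb\x1f\x26\xf5\x8b\x28\xf8\x61\x35\x83\x5a\x1b\x32\xa2\x61"
        "\x3b\x15\x92\x46\x4c\xc6\x7c\x0c\xca\x70\xaf\xce\xe8\x4e\x04\x76\xc1\x0a"
        "\xee\x9e\xb2\xa1\x1f\xdb\x9b\x8e\xb1\xbf\x83\xbe\xa6\x47\x65\xc9\x08\x67"
        "\x25\xa8\xf9\xbe\xa7\xe0\x83\xb7\x2e\x3f\xa8\x1a\x72\xfa\xaf\x1c\x74\x7a"
        "\xaf\x5a\x31\xb4\x0c\x89\x11\x20\x92\xe3\x37\xec\x59\xc4\x6e\x14\x15\x76"
        "\x9f\xce\xc4\xbe\x64\x4c\xab\x2d\xa7\xc8\x9c\x66\x35\x77\x0e\x4c\x26\xaf"
        "\x74\x67\x6e\x32\xc3\x80\x1a\x89\x2d\x87\x28\x08\x31\x47\x32\x97\x0f\xc6"
        "\x6d\x5f\x51\x0d\x5a\xb5\xed\x8d\xba\x68\x8b\x01\xa7\x1b\x0d\xeb\x76\x57"
        "\x2d\xb5\x71\xe8\xa6\x8b\x6a\x6f\x98\xf6\x36\x5d\x76\xca\xc4\x46\x94\x68"
        "\x79\xfc\xc4\x69\x2f\x5f\x68\xce\x3d\xe5\x01\x88\x6c\xb7\xa0\xc9\x5e\xbe"
        "\xb3\x64\x8c\x62\x79\x2d\xf6\x8d\x20\x42\x1c\x3e\x7d\x62\xa7\xce\x1a\x1f"
        "\x4f\x4c\x61\x87\xfd\x97\xea\x9d\x7f\x95\x18\x8f\xea\x4d\xc5\xf8\x3e\x23"
        "\x8f\xa1\xd2\xcd\xba\x4f\x66\xd5\xc7\x91\x42\xcb\xf2\x6e\x51\x90\xb2\x49"
        "\x06\x8c\x2b\x55\x72\x6b\x09\x7a\xba\xf2\xb9\x13\x49\x6c\xf9\x6f\x87\xc8"
        "\x67\xa5\x8c\xc3\x1c\x70\x66\x7a\x7d\xbf\xe4\xa1\xfa\x3d\xd4\xf4\xd7\xd9"
        "\x02\xee\x27\x64\x6a\x51\x3d\x21\xcb\x1b\xbb\x3f\xb7\x60\x06\x19\x80\x4d"
        "\x0d\x57\x1c\x1c\x09\x28\x17\xdc\x3f\x3d\xd5\x18\x0b\x39\xef\xeb\xe1\xf4"
        "\x1d\xe1\xb6\x59\x18\x11\xc6\xa7\xce\x6d\x5f\xcc\x67\x88\xb6\xdb\xf9\xe3"
        "\xed\x4e\xd5\x6d\xb5\xf5\x52\x33\xbe\xf9\xb5\xda\x59\xc2\xde\x1a\x54\xce"
        "\x32\xcc\x58\xeb\xc1\x02\x08\x9e\xf6\xe2\x40\x5a\x82\x2d\x44\x02\x60\x4d"
        "\xc4\x9d\xe3\xa9\x77\x39\x53\xbc\x41\xf2\x35\x00\x00\x00\x00\x00",
        1024);
    memcpy((void *)0x20000500,
           "\x84\x8c\x57\xf1\x7e\xef\x49\xf3\xf2\x93\xc8\x30\x65\xec\x93\x86\x99"
           "\xeb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           32);
    /* Same field layout as above, all zero. */
    *(uint32_t *)0x20000520 = 0;
    *(uint8_t *)0x20000524 = 0;
    *(uint64_t *)0x20000528 = 0;
    *(uint64_t *)0x20000530 = 0;
    *(uint64_t *)0x20000538 = 0;
    *(uint64_t *)0x20000540 = 0;
    *(uint64_t *)0x20000548 = 0;
    *(uint64_t *)0x20000550 = 0;
    *(uint64_t *)0x20000558 = 0;
    *(uint64_t *)0x20000560 = 0;
    *(uint32_t *)0x20000568 = 0;
    /* Also issued on an invalid fd (-1), not on r[0]. */
    syscall(SYS_ioctl, -1, 0xc4504441ul, 0x20000100ul);
    /*
     * The only ioctl that reaches /dev/pf through r[0]. Nothing in this
     * program writes to 0x20000040, so the argument is whatever the fresh
     * mapping holds there (zeros if the mapping is anonymous, as its flags
     * suggest).
     */
    syscall(SYS_ioctl, r[0], 0xcbe04404ul, 0x20000040ul);
    syscall(SYS_dup, -1);
}

/*
 * Map the fixed scratch region every payload address above points into, then
 * run the reproducer loop. If the mapping cannot be established at that
 * address, exit rather than let execute_one() write through unmapped pointers.
 * NOTE(review): 3 is presumably PROT_READ|PROT_WRITE and 0x1012 the target
 * platform's MAP_PRIVATE|MAP_FIXED|MAP_ANON combination — verify against
 * sys/mman.h of the kernel under test.
 */
int main(void)
{
    long map = syscall(SYS_mmap, (unsigned long)SCRATCH_BASE, (unsigned long)SCRATCH_SIZE,
                       3ul, 0x1012ul, -1, 0ul);
    if ((void *)map == MAP_FAILED || map != SCRATCH_BASE) {
        return 1;
    }
    loop();
    return 0;
}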