// https://syzkaller.appspot.com/bug?id=4894a6d412735394296e80976329c1a6848acc14
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

static int inject_fault(int nth)
{
  int fd;
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exit(1);
  char buf[16];
  sprintf(buf, "%d", nth);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exit(1);
  return fd;
}

static void setup_fault()
{
  static struct {
    const char* file;
    const char* val;
    bool fatal;
  } files[] = {
      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
  };
  unsigned i;
  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].file, files[i].val)) {
      if (files[i].fatal)
        exit(1);
    }
  }
}

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  setup_fault();
  intptr_t res = 0;
  memcpy((void*)0x20000300, "./bus\000", 6);
  syscall(__NR_mkdir, /*path=*/0x20000300ul, /*mode=*/0ul);
  memcpy((void*)0x20000000, "./file0\000", 8);
  syscall(__NR_open, /*file=*/0x20000000ul, /*flags=*/0x141042ul, /*mode=*/0ul);
  memcpy((void*)0x200002c0, "./file1\000", 8);
  syscall(__NR_mkdir, /*path=*/0x200002c0ul, /*mode=*/0ul);
  memcpy((void*)0x20000040, "./bus\000", 6);
  memcpy((void*)0x20000080, "overlay\000", 8);
  memcpy((void*)0x20000280, "upperdir=./bus,workdir=./file1,lowerdir=.", 41);
  syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x20000040ul, /*type=*/0x20000080ul,
          /*flags=*/0ul, /*opts=*/0x20000280ul);
  memcpy((void*)0x200001c0, "./bus\000", 6);
  syscall(__NR_chdir, /*dir=*/0x200001c0ul);
  memcpy((void*)0x200001c0, "./file0\000", 8);
  res = syscall(__NR_open, /*file=*/0x200001c0ul, /*flags=*/0ul, /*mode=*/0ul);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x20000000, "./file0\000", 8);
  res = syscall(__NR_open, /*file=*/0x20000000ul, /*flags=*/0x141042ul,
                /*mode=*/0ul);
  if (res != -1)
    r[1] = res;
  inject_fault(4);
  syscall(__NR_sendfile, /*fdout=*/r[1], /*fdin=*/r[0], /*off=*/0ul,
          /*count=*/0x7ffff000ul);
  return 0;
}