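// https://syzkaller.appspot.com/bug?id=df4ee354bdda08ea538d1dd1844282d3fbdf310b
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Structure of this reproducer:
//   main()        maps a fixed scratch region at 0x20000000 and calls loop()
//   loop()        forks one child per iteration and reaps it, killing it
//                 after 5 s if it has not exited
//   execute_one() (runs in the child) fills two bpf(2) attribute blocks in
//                 the scratch region and issues bpf(cmd=5) then bpf(cmd=0xa)
//
// NOTE(review): the header names were lost when this page was extracted
// (every #include arrived with no argument).  The list below is the usual
// syzkaller Linux-reproducer set and covers every symbol used here
// (opendir, va_list, bool, uint64_t, clock_gettime, prctl, waitpid,
// syscall, errno, open, kill, usleep); confirm it against the upstream file.
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Fallback for toolchain headers that predate bpf(2).  321 is the x86-64
// number; on any other architecture the value from <sys/syscall.h> must win.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Sleep for `ms` milliseconds.  usleep() takes a 32-bit microsecond count, so
// the product is narrowed; the only caller here passes 1.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds.  A failing clock_gettime() is treated as
// fatal because the 5 s watchdog in loop() depends on it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// printf-style write of a formatted string into `file` (no trailing newline).
// Returns false on any failure, with errno preserved from the failing
// open()/write() call.  Output beyond 1023 bytes is truncated by vsnprintf().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  size_t len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != (ssize_t)len) {
    int err = errno;  // close() may clobber errno; report the write error
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// SIGKILL the test child and its whole process group, then reap it.  The
// reap is polled for ~100 ms first.  If the child is still present, every
// FUSE connection under /sys/fs/fuse/connections is aborted via sysfs
// (the syzkaller rationale, as I understand it, is that a task stuck in a
// FUSE request cannot be reaped until its connection is torn down — confirm),
// and then the call blocks until the child is reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  // Fallback: abort all FUSE connections.  Best-effort throughout — a
  // missing directory or an unwritable abort file is simply skipped.
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Writes one arbitrary byte (the first byte of the path); the
      // reproducer relies on any write to this file triggering the abort.
      // The empty if-body is what keeps -Wunused-result quiet for write().
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup: die with the parent, become a process-group leader (so
// kill(-pid) in kill_and_wait() reaches any grandchildren), and volunteer
// first for the OOM killer.  The oom_score_adj write is best-effort, which is
// why its return value is deliberately ignored.
static void setup_test(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Fork-and-run execute_one() forever.  Each child is polled every 1 ms and
// given 5 s of wall time; after that it is killed and reaped via
// kill_and_wait().  A fork() failure is fatal for the whole reproducer.
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slot for the one syscall whose return value a later call consumes:
// r[0] receives the bpf(cmd=5) return and is fed back as the first field of
// the cmd=0xa attr.  It starts at -1 so a failed load is passed on as an
// invalid fd rather than as stale data.
uint64_t r[1] = {0xffffffffffffffff};

// The actual test body, executed once per child.  Every store below targets
// the fixed region mapped in main(); nothing is validated because the bytes
// are the reproducer payload and must reach the kernel unchanged.
//
// NOTE(review): field names in the comments follow the uapi struct bpf_attr
// layout as I read it for each command (cmd 5 = BPF_PROG_LOAD, cmd 0xa =
// BPF_PROG_TEST_RUN in the uapi enum) — confirm against linux/bpf.h.  Only
// 0x14 bytes of the first attr and 0x23 bytes of the second are passed as
// the size argument, so the fields stored beyond those offsets are presumably
// not read by the kernel at all.  prog_type 4 is, per that enum, a TC-level
// program type that unprivileged processes cannot load, so this reproducer
// presumably needs bpf-related capabilities — confirm on the target kernel.
static void execute_one(void)
{
  intptr_t res = 0;

  // --- attr for bpf(cmd=5) at 0x20000200 ---
  *(uint32_t*)0x20000200 = 4;            // prog_type
  *(uint32_t*)0x20000204 = 0xe;          // insn_cnt: 14 insns = 112 bytes used
  *(uint64_t*)0x20000208 = 0x20000380;   // insns -> blob below
  // 869 bytes are copied although only the first 112 are referenced by
  // insn_cnt; the tail is kept verbatim because it is part of the payload.
  memcpy(
      (void*)0x20000380,
      "\xb7\x02\x00\x00\x91\x0c\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07\x03"
      "\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xfe\x00\x00\x00\x00\x79\xa4\xf0\xff"
      "\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05\x00\x00\x00"
      "\x00\x00\x65\x04\x04\x00\x01\x00\x01\x01\x04\x04\x00\x00\x0d\x00\x00\x00"
      "\xb7\x03\x00\x00\x01\x00\x00\x00\x6a\x0a\x00\xfe\x00\x00\x00\x00\x85\x00"
      "\x00\x00\x32\x00\x00\x00\xb7\x00\x00\x00\x01\x00\x00\x00\x95\x00\x00\x00"
      "\x00\x00\x00\x00\x75\xcd\xc4\xb5\x7b\x0c\x65\x75\x2a\x3a\xd5\x00\x00\x00"
      "\x7d\xdd\x00\x00\xcb\x45\x00\x63\x91\x00\x00\x20\x00\x00\x00\x00\x00\x00"
      "\x00\xff\x7f\x00\x00\xb5\x2f\x17\xce\xe1\x9d\x00\x01\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\xcb\x04\xfc\xbb\x0b\x9b\xaf\xe3\xba\x43\x13\x51\xa5\x8a"
      "\x88\x5b\xa9\x91\x8d\x37\xb0\x56\xb9\xbb\xd1\x1b\x6b\x9f\x5f\xf7\xdb\x6d"
      "\x57\x46\x20\x26\x00\x00\x00\x00\x00\x00\x80\x62\xd7\x7e\x84\xce\xf4\xa2"
      "\xab\x93\x8f\x65\xaa\xc3\x3c\x4d\x62\x0d\xe2\xc9\xb7\xdc\x10\xd7\xd3\x13"
      "\xf9\xf5\x76\x06\xb8\x3b\x99\x4f\xb4\x84\x51\x0b\xef\x2e\x48\x72\xf5\xc2"
      "\xfe\x6f\xaa\xf7\x5e\x5c\xc4\x05\x1a\xf7\x12\xf4\x1d\xef\xf6\xdf\x6a\x93"
      "\x6b\x4e\xc3\x82\x7c\x73\x9b\xb3\x9a\xad\x16\xcc\x75\xfe\x36\x92\x58\x67"
      "\x3b\x5d\xf1\x1c\xc2\xaf\xb5\x36\x11\xcc\x32\xa7\x90\xbc\x0b\x80\xe8\x0e"
      "\xae\x8f\x5e\x64\xbe\x2c\x9d\x2d\x29\xdb\x3d\x36\xdd\x01\x5c\x7b\xd3\xf1"
      "\x5a\xa6\xaa\xdb\xea\xb2\xa0\x16\x85\x10\x8e\x61\xaa\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x8b\x79\x8b\x4f\x74\x58\xd1\x86\x92\xe0"
      "\x15\x05\x67\x2e\x93\xa1\x4b\x8d\xd8\xdd\xd6\x3c\xc6\x7c\x4c\x6a\x06\xe8"
      "\x28\xe5\x21\x6f\x60\x1b\x19\xdb\x1a\xf1\xb5\xd3\x56\xd0\xf0\x62\x13\x7d"
      "\x86\x6d\x11\xbe\x4b\xa3\xf0\x15\x1f\xdb\xbd\x4e\x97\xd6\x2e\xcc\x64\x5e"
      "\x14\x3a\x60\xf1\xc6\xed\xc7\x66\x09\x07\x39\x09\x82\x61\x51\xe2\xb4\x2b"
      "\xf0\xed\x0c\x8c\xef\x3b\xa2\xa7\x30\xa0\x0c\x87\xc4\x93\xdb\x84\x5b\x10"
      "\xe9\x46\x8b\xda\x6f\x82\x88\x1e\xb8\xcd\xcf\xa7\x2b\x08\xee\xcc\x95\x2a"
      "\x3f\xd2\xc4\x6f\x3c\x1c\xde\x71\xa1\x9d\x1a\x29\x82\x49\x2a\x21\x0e\x00"
      "\xd2\xbf\xea\x3b\x8d\x18\x8d\xf2\xef\xf8\xd5\x6a\xaa\xe7\xd3\x2a\x2e\x18"
      "\x37\x22\x53\x73\x95\x01\x9f\x02\xec\x4b\x85\xf6\xaa\xd7\xfa\xca\x08\x8d"
      "\xe9\xb2\x67\x97\xa8\x44\x6b\x16\xc2\x8d\x85\xf2\x25\x99\x2d\xbd\xd5\xbb"
      "\x01\xba\x51\x50\x89\x51\xc7\xa3\xd6\xca\x09\x16\xc3\xa1\x29\x12\x71\x56"
      "\x49\xc2\xb1\xc7\x19\x2a\x42\x51\xb5\x9d\x37\x8d\x06\x16\xa4\x8c\x79\x57"
      "\xe1\x22\x66\x5c\x8b\x7e\x89\xed\xdf\xc3\x78\x3f\x6c\x91\x29\xa7\xc5\xf8"
      "\xee\x5f\x50\x57\x9e\x2f\x63\x8f\x7e\xb1\x2f\x63\xbe\x72\xa3\xd8\x17\xb3"
      "\x24\xd6\xe4\x17\xb1\xc2\xcb\xfd\xca\xda\x0a\x16\xe3\x17\x90\xe2\x6c\xf1"
      "\x95\x88\xa7\xe0\x49\x6e\xe2\x78\x22\x24\xcf\x30\xf8\x10\xda\x86\xcf\x1a"
      "\x32\x04\xf4\xc9\x40\x4f\x5d\x73\x21\xa4\xfe\xfc\x4d\x1c\x91\x39\xca\x4b"
      "\x65\xb9\x99\x09\x95\x00\x00\x00\x6b\x42\x07\x7c\xa6\x0f\xde\xcb\x27\x17"
      "\xe2\x1f\x8f\x18\x7b\x18\x66\x10\x8b\x6e\x8c\x71\xe2\x60\x32\x17\x60\x66"
      "\x59\x97\x83\x37\x06\xe1\xfa\x89\x91\x7e\x13\x1f\x40\x34\xa8\x38\x3e\x99"
      "\xc3\x56\x8f\xd0\x42\x01\xb3\x7c\xd9\x2c\xa6\xeb\xf9\x4a\x2d\x83\x10\xf7"
      "\x03\x27\x75\xcf\xd7\x56\x52\xf8\x7b\x03\x9d\x54\x30\xb3\xc6\x64\x3e\x91"
      "\x46\xd2\x47\x8c\xe3\x13\xdd\x7c\xee\x65\xef\xfa\xe2\x5b\x39\x7a\x6a\xb9"
      "\x5e\xfb\x96\xcf\xe1\x87\xd9\xae\x7f\x86\x5b\xe4\x19\x43\xad\xaf\x49\x13"
      "\xdb\x6f\x38\x59\xba\x43\x5a\x3a\x18\xc0\x8a\x7f\xef\xf1\x96\x0a\x71\x76"
      "\xed\x5c\x09\x7e\x9f\x21\x24\x41\x14\x70\x0e\x3f\x54\x3e\xc4\x50\x50\xc7"
      "\x2f\x48\x95\x8d\xd0\xc9\xb4\x17\x72\x62\x76\xb9\xb3\x75\x86\xcf\x98\x16"
      "\xc4\xa4\x99\x4d\xca\x4b\x27\xab\x67\xd6\x61\x3a\x2a\xdf\xc2\x30\x33\xaa"
      "\xd1\xca\x1c\x09\xfd",
      869);
  *(uint64_t*)0x20000210 = 0x20000340;   // license -> "GPL"
  memcpy((void*)0x20000340, "GPL\000", 4);
  // Everything from here to the syscall lies past the 0x14-byte size that is
  // passed to bpf(); kept verbatim (log, name, btf, func/line info, relos).
  *(uint32_t*)0x20000218 = 0;
  *(uint32_t*)0x2000021c = 0;
  *(uint64_t*)0x20000220 = 0;
  *(uint32_t*)0x20000228 = 0;
  *(uint32_t*)0x2000022c = 0;
  memset((void*)0x20000230, 0, 16);
  *(uint32_t*)0x20000240 = 0;
  *(uint32_t*)0x20000244 = 0;
  *(uint32_t*)0x20000248 = -1;
  *(uint32_t*)0x2000024c = 8;
  *(uint64_t*)0x20000250 = 0x20000000;
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000258 = 8;
  *(uint32_t*)0x2000025c = 0x10;
  *(uint64_t*)0x20000260 = 0x20000100;
  *(uint32_t*)0x20000100 = 0;
  *(uint32_t*)0x20000104 = 0;
  *(uint32_t*)0x20000108 = 0;
  *(uint32_t*)0x2000010c = 0;
  *(uint32_t*)0x20000268 = 0x10;
  *(uint32_t*)0x2000026c = 0;
  *(uint32_t*)0x20000270 = -1;
  *(uint32_t*)0x20000274 = 0;
  *(uint64_t*)0x20000278 = 0;
  *(uint64_t*)0x20000280 = 0;
  *(uint32_t*)0x20000288 = 0x10;
  *(uint32_t*)0x2000028c = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x14ul);
  if (res != -1)
    r[0] = res;   // program fd on success; r[0] stays -1 otherwise

  // --- attr for bpf(cmd=0xa) at 0x20000240 (overwrites the tail of the
  // first attr, which is fine because that call has already returned) ---
  *(uint32_t*)0x20000240 = r[0];         // prog_fd (narrowed to 32 bits)
  *(uint32_t*)0x20000244 = 0x1f2f;       // retval
  *(uint32_t*)0x20000248 = 0xf;          // data_size_in (blob below is 14 bytes;
                                         // byte 15 is whatever the page holds)
  *(uint32_t*)0x2000024c = 0x3253;       // data_size_out
  *(uint64_t*)0x20000250 = 0x200007c0;   // data_in
  memcpy((void*)0x200007c0, "\x9f\x44\x94\x87\x21\x91\x95\x80\x68\x40\x10\xa4\x08\x00", 14);
  *(uint64_t*)0x20000258 = 0;            // data_out
  *(uint32_t*)0x20000260 = 0x177;        // repeat (only 3 of its 4 bytes fall
                                         // inside the 0x23-byte size argument)
  *(uint32_t*)0x20000264 = 0;
  // Fields below lie past the 0x23-byte size argument; kept verbatim.
  *(uint32_t*)0x20000268 = 0xb1;         // ctx_size_in = 177
  *(uint32_t*)0x2000026c = 0;
  *(uint64_t*)0x20000270 = 0x20000700;   // ctx_in -> blob below
  memcpy(
      (void*)0x20000700,
      "\x38\x9c\xef\xf6\x9d\x08\xb0\xaf\x1c\xc7\x1b\x62\x62\xd5\x06\x60\xbb\xaf"
      "\x31\xa7\xf8\xcd\x6a\x6f\x91\x1b\xeb\x65\xd5\xfe\x6b\x54\xbf\x21\xa6\x64"
      "\x89\x12\x1f\x24\xfe\xfd\x19\x80\x59\x28\x8c\x9b\x73\x5e\x18\x98\xe7\x7a"
      "\x74\x69\x48\x9a\x24\x92\x92\xc0\x2a\x72\xbc\x19\x3a\x30\x08\xeb\xdb\xf4"
      "\xe9\xdd\x4e\xe8\xfc\xce\xef\x55\x40\x2c\x91\x3c\x8d\xd0\xeb\xec\xe1\x33"
      "\x0a\xaa\x93\xec\xe8\x35\xc5\x04\x4a\x24\x6a\x59\x67\xe3\xac\xd7\xc9\x50"
      "\xb3\xb1\x9f\x35\x18\x30\xe5\x45\xeb\x9b\xc3\xa9\xc6\xdd\x22\xce\x97\xf1"
      "\xf8\x57\xcf\xe8\xb6\x8a\x23\x70\xb6\x9e\xa3\x36\x00\x6b\x58\x93\x68\xf9"
      "\x2d\xeb\x68\xf3\xdf\xc6\xf2\xbf\xee\x09\xf8\x34\x2d\xa4\x37\xfc\xe5\xdc"
      "\xdf\x65\x8e\x45\x3e\x31\x32\xbb\x42\x06\x75\x75\x31\x8c\x39",
      177);
  *(uint64_t*)0x20000278 = 0x20000000;   // ctx_out
  *(uint32_t*)0x20000280 = 0;
  *(uint32_t*)0x20000284 = 0;
  *(uint32_t*)0x20000288 = 0;
  // Return value intentionally unchecked: the point is the kernel-side
  // effect, not the result.
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000240ul, /*size=*/0x23ul);
}

// Entry point.  On Linux, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS and
// prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC.  The middle mapping is the 16 MiB
// scratch region that every 0x2000xxxx store in execute_one() targets; the two
// PROT_NONE pages on either side act as guard pages.  Results are not checked:
// if a fixed mapping failed, the child's first store would simply fault.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  loop();
  return 0;
}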