// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  switch (nr) {
  default:
    return syscall(nr, a0, a1, a2, a3, a4, a5);
  }
}

long r[160];
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    r[0] =
        execute_syscall(__NR_mmap, 0x20000000ul, 0xfed000ul, 0x3ul,
                        0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
    break;
  case 1:
    r[1] = execute_syscall(__NR_socket, 0xaul, 0x5ul, 0x0ul, 0, 0, 0, 0,
                           0, 0);
    break;
  case 2:
    (memcpy((void*)0x20001fd8,
                      "\x64\x75\x6d\x6d\x79\x30\x00\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00",
                      16));
    (*(uint32_t*)0x20001fe8 = (uint32_t)0x0);
    (*(uint8_t*)0x20001fec = (uint8_t)0x0);
    (*(uint8_t*)0x20001fed = (uint8_t)0x0);
    (*(uint8_t*)0x20001fee = (uint8_t)0x0);
    (*(uint8_t*)0x20001fef = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff0 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff1 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff2 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff3 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff4 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff5 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff6 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff7 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff8 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ff9 = (uint8_t)0x0);
    (*(uint8_t*)0x20001ffa = (uint8_t)0x0);
    (*(uint8_t*)0x20001ffb = (uint8_t)0x0);
    (*(uint8_t*)0x20001ffc = (uint8_t)0x0);
    (*(uint8_t*)0x20001ffd = (uint8_t)0x0);
    (*(uint8_t*)0x20001ffe = (uint8_t)0x0);
    (*(uint8_t*)0x20001fff = (uint8_t)0x0);
    r[24] = execute_syscall(__NR_ioctl, r[1], 0x8933ul, 0x20001fd8ul, 0,
                            0, 0, 0, 0, 0);
    if (r[24] != -1)
      (r[25] = *(uint32_t*)0x20001fe8);
    break;
  case 3:
    (*(uint8_t*)0x20005000 = (uint8_t)0x0);
    (*(uint8_t*)0x20005001 = (uint8_t)0x0);
    (*(uint8_t*)0x20005002 = (uint8_t)0x0);
    (*(uint8_t*)0x20005003 = (uint8_t)0x0);
    (*(uint8_t*)0x20005004 = (uint8_t)0x0);
    (*(uint8_t*)0x20005005 = (uint8_t)0x0);
    (*(uint8_t*)0x20005006 = (uint8_t)0x0);
    (*(uint8_t*)0x20005007 = (uint8_t)0x0);
    (*(uint8_t*)0x20005008 = (uint8_t)0x0);
    (*(uint8_t*)0x20005009 = (uint8_t)0x0);
    (*(uint8_t*)0x2000500a = (uint8_t)0x0);
    (*(uint8_t*)0x2000500b = (uint8_t)0x0);
    (*(uint8_t*)0x2000500c = (uint8_t)0x0);
    (*(uint8_t*)0x2000500d = (uint8_t)0x0);
    (*(uint8_t*)0x2000500e = (uint8_t)0x0);
    (*(uint8_t*)0x2000500f = (uint8_t)0x0);
    (*(uint32_t*)0x20005010 = (uint32_t)0x4);
    (*(uint32_t*)0x20005014 = r[25]);
    r[44] = execute_syscall(__NR_ioctl, r[1], 0x8916ul, 0x20005000ul, 0,
                            0, 0, 0, 0, 0);
    break;
  case 4:
    (memcpy((void*)0x20005fd8,
                      "\x69\x70\x36\x74\x6e\x6c\x30\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00",
                      16));
    (*(uint32_t*)0x20005fe8 = (uint32_t)0x0);
    (*(uint8_t*)0x20005fec = (uint8_t)0x0);
    (*(uint8_t*)0x20005fed = (uint8_t)0x0);
    (*(uint8_t*)0x20005fee = (uint8_t)0x0);
    (*(uint8_t*)0x20005fef = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff0 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff1 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff2 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff3 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff4 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff5 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff6 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff7 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff8 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ff9 = (uint8_t)0x0);
    (*(uint8_t*)0x20005ffa = (uint8_t)0x0);
    (*(uint8_t*)0x20005ffb = (uint8_t)0x0);
    (*(uint8_t*)0x20005ffc = (uint8_t)0x0);
    (*(uint8_t*)0x20005ffd = (uint8_t)0x0);
    (*(uint8_t*)0x20005ffe = (uint8_t)0x0);
    (*(uint8_t*)0x20005fff = (uint8_t)0x0);
    r[67] = execute_syscall(__NR_ioctl, r[1], 0x8933ul, 0x20005fd8ul, 0,
                            0, 0, 0, 0, 0);
    if (r[67] != -1)
      (r[68] = *(uint32_t*)0x20005fe8);
    break;
  case 5:
    (*(uint8_t*)0x20004fe8 = (uint8_t)0x0);
    (*(uint8_t*)0x20004fe9 = (uint8_t)0x0);
    (*(uint8_t*)0x20004fea = (uint8_t)0x0);
    (*(uint8_t*)0x20004feb = (uint8_t)0x0);
    (*(uint8_t*)0x20004fec = (uint8_t)0x0);
    (*(uint8_t*)0x20004fed = (uint8_t)0x0);
    (*(uint8_t*)0x20004fee = (uint8_t)0x0);
    (*(uint8_t*)0x20004fef = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff0 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff1 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff2 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff3 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff4 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff5 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff6 = (uint8_t)0x0);
    (*(uint8_t*)0x20004ff7 = (uint8_t)0x0);
    (*(uint32_t*)0x20004ff8 = (uint32_t)0x81);
    (*(uint32_t*)0x20004ffc = r[68]);
    r[87] = execute_syscall(__NR_ioctl, r[1], 0x8916ul, 0x20004fe8ul, 0,
                            0, 0, 0, 0, 0);
    break;
  case 6:
    (*(uint8_t*)0x20001000 = (uint8_t)0xfd);
    (*(uint8_t*)0x20001001 = (uint8_t)0x0);
    (*(uint8_t*)0x20001002 = (uint8_t)0x0);
    (*(uint8_t*)0x20001003 = (uint8_t)0x0);
    (*(uint8_t*)0x20001004 = (uint8_t)0x0);
    (*(uint8_t*)0x20001005 = (uint8_t)0x0);
    (*(uint8_t*)0x20001006 = (uint8_t)0x0);
    (*(uint8_t*)0x20001007 = (uint8_t)0x0);
    (*(uint8_t*)0x20001008 = (uint8_t)0x0);
    (*(uint8_t*)0x20001009 = (uint8_t)0x0);
    (*(uint8_t*)0x2000100a = (uint8_t)0x0);
    (*(uint8_t*)0x2000100b = (uint8_t)0x0);
    (*(uint8_t*)0x2000100c = (uint8_t)0x0);
    (*(uint8_t*)0x2000100d = (uint8_t)0x0);
    (*(uint8_t*)0x2000100e = (uint8_t)0x0);
    (*(uint8_t*)0x2000100f = (uint8_t)0xbb);
    (*(uint32_t*)0x20001010 = (uint32_t)0x1);
    (*(uint32_t*)0x20001014 = r[68]);
    r[106] = execute_syscall(__NR_ioctl, r[1], 0x8916ul, 0x20001000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 7:
    (memcpy((void*)0x20000000,
                      "\x69\x70\x36\x74\x6e\x6c\x30\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00",
                      16));
    (*(uint16_t*)0x20000010 = (uint16_t)0x4001);
    r[109] = execute_syscall(__NR_ioctl, r[1], 0x8914ul, 0x20000000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 8:
    r[110] = execute_syscall(__NR_socket, 0xaul, 0x3ul, 0x7ul, 0, 0, 0,
                             0, 0, 0);
    break;
  case 9:
    (*(uint8_t*)0x20feafe8 = (uint8_t)0xfd);
    (*(uint8_t*)0x20feafe9 = (uint8_t)0x0);
    (*(uint8_t*)0x20feafea = (uint8_t)0x0);
    (*(uint8_t*)0x20feafeb = (uint8_t)0x0);
    (*(uint8_t*)0x20feafec = (uint8_t)0x0);
    (*(uint8_t*)0x20feafed = (uint8_t)0x0);
    (*(uint8_t*)0x20feafee = (uint8_t)0x0);
    (*(uint8_t*)0x20feafef = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff0 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff1 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff2 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff3 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff4 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff5 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff6 = (uint8_t)0x0);
    (*(uint8_t*)0x20feaff7 = (uint8_t)0xaa);
    (*(uint32_t*)0x20feaff8 = (uint32_t)0xff0000000000000);
    (*(uint32_t*)0x20feaffc = (uint32_t)0x0);
    r[129] = execute_syscall(__NR_ioctl, 0xfffffffffffffffful, 0x8916ul,
                             0x20feafe8ul, 0, 0, 0, 0, 0, 0);
    break;
  case 10:
    r[130] = execute_syscall(__NR_socket, 0xaul, 0x5ul, 0x0ul, 0, 0, 0,
                             0, 0, 0);
    break;
  case 11:
    (memcpy((void*)0x209b9000,
                      "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00",
                      16));
    (*(uint16_t*)0x209b9010 = (uint16_t)0x3003);
    r[133] = execute_syscall(__NR_ioctl, r[130], 0x8914ul, 0x209b9000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 12:
    (memcpy((void*)0x20000000,
                      "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00",
                      16));
    (*(uint16_t*)0x20000010 = (uint16_t)0x2);
    (*(uint16_t*)0x20000012 = (uint16_t)0x234e);
    (*(uint32_t*)0x20000014 = (uint32_t)0x100007f);
    (*(uint8_t*)0x20000018 = (uint8_t)0x0);
    (*(uint8_t*)0x20000019 = (uint8_t)0x0);
    (*(uint8_t*)0x2000001a = (uint8_t)0x0);
    (*(uint8_t*)0x2000001b = (uint8_t)0x0);
    (*(uint8_t*)0x2000001c = (uint8_t)0x0);
    (*(uint8_t*)0x2000001d = (uint8_t)0x0);
    (*(uint8_t*)0x2000001e = (uint8_t)0x0);
    (*(uint8_t*)0x2000001f = (uint8_t)0x0);
    r[146] = execute_syscall(__NR_ioctl, r[110], 0x8914ul, 0x20000000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 13:
    (memcpy((void*)0x20000000,
                      "\x69\x70\x36\x74\x6e\x6c\x30\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00",
                      16));
    (*(uint16_t*)0x20000010 = (uint16_t)0x2);
    (*(uint16_t*)0x20000012 = (uint16_t)0x204e);
    (*(uint32_t*)0x20000014 = (uint32_t)0x0);
    (*(uint8_t*)0x20000018 = (uint8_t)0x0);
    (*(uint8_t*)0x20000019 = (uint8_t)0x0);
    (*(uint8_t*)0x2000001a = (uint8_t)0x0);
    (*(uint8_t*)0x2000001b = (uint8_t)0x0);
    (*(uint8_t*)0x2000001c = (uint8_t)0x0);
    (*(uint8_t*)0x2000001d = (uint8_t)0x0);
    (*(uint8_t*)0x2000001e = (uint8_t)0x0);
    (*(uint8_t*)0x2000001f = (uint8_t)0x0);
    r[159] = execute_syscall(__NR_ioctl, r[1], 0x8914ul, 0x20000000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  }
  return 0;
}

void test()
{
  unshare(CLONE_NEWNET);

  long i;
  pthread_t th[28];

  memset(r, -1, sizeof(r));
  srand(getpid());
  for (i = 0; i < 14; i++) {
    pthread_create(&th[i], 0, thr, (void*)i);
  }
  for (i = 0; i < 14; i++) {
    pthread_create(&th[14 + i], 0, thr, (void*)i);
  }
}

int main()
{
  while (1) test();
  return 0;
}