// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_poll
#define __NR_poll 7
#endif
#ifndef __NR_recvfrom
#define __NR_recvfrom 45
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

__attribute__((noreturn)) void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

__attribute__((noreturn)) void fail(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(e == ENOMEM ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

static int flag_debug;

void debug(const char* msg, ...)
{
  if (!flag_debug)
    return;
  va_list args;
  va_start(args, msg);
  vfprintf(stdout, msg, args);
  va_end(args);
  fflush(stdout);
}

__thread int skip_segv;
__thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    debug("SIGSEGV on %p, skipping\n", addr);
    _longjmp(segv_env, 1);
  }
  debug("SIGSEGV on %p, exiting\n", addr);
  doexit(sig);
  for (;;) {
  }
}

static void install_segv_handler()
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...)                                                \
  {                                                                    \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
    if (_setjmp(segv_env) == 0) {                                      \
      __VA_ARGS__;                                                     \
    }                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
  }

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len)                          \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)              \
  if ((bf_off) == 0 && (bf_len) == 0) {                                \
    *(type*)(addr) = (type)(val);                                      \
  } else {                                                             \
    type new_val = *(type*)(addr);                                     \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);  \
    *(type*)(addr) = new_val;                                          \
  }

static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  switch (nr) {
  default:
    return syscall(nr, a0, a1, a2, a3, a4, a5);
  }
}

static void setup_main_process()
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  install_segv_handler();

  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

static void loop();

static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();

  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);

  unshare(CLONE_NEWNS);
  unshare(CLONE_NEWIPC);
  unshare(CLONE_IO);
}

static int do_sandbox_none(int executor_pid, bool enable_tun)
{
  int pid = fork();
  if (pid)
    return pid;

  sandbox_common();

  loop();
  doexit(1);
}

long r[67];
void loop()
{
  memset(r, -1, sizeof(r));
  r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xcfe000ul, 0x3ul,
                         0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
  r[1] = execute_syscall(__NR_socket, 0x2ul, 0x2ul, 0x0ul, 0, 0, 0, 0,
                         0, 0);
  NONFAILING(*(uint32_t*)0x2035f000 = (uint32_t)0x8);
  r[3] = execute_syscall(__NR_setsockopt, r[1], 0x0ul, 0x17ul,
                         0x2035f000ul, 0x4ul, 0, 0, 0, 0);
  NONFAILING(*(uint16_t*)0x20a98000 = (uint16_t)0x2);
  NONFAILING(*(uint16_t*)0x20a98002 = (uint16_t)0x204e);
  NONFAILING(*(uint32_t*)0x20a98004 = (uint32_t)0x100007f);
  NONFAILING(*(uint8_t*)0x20a98008 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a98009 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a9800a = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a9800b = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a9800c = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a9800d = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a9800e = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20a9800f = (uint8_t)0x0);
  r[15] = execute_syscall(__NR_bind, r[1], 0x20a98000ul, 0x10ul, 0, 0,
                          0, 0, 0, 0);
  r[16] = execute_syscall(__NR_socket, 0x2ul, 0x2ul, 0x0ul, 0, 0, 0, 0,
                          0, 0);
  NONFAILING(*(uint32_t*)0x20cfcffc = (uint32_t)0x200);
  r[18] =
      execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x20000000000002aul,
                      0x20cfcffcul, 0x4ul, 0, 0, 0, 0);
  NONFAILING(*(uint16_t*)0x20189000 = (uint16_t)0x2);
  NONFAILING(*(uint16_t*)0x20189002 = (uint16_t)0x204e);
  NONFAILING(*(uint32_t*)0x20189004 = (uint32_t)0x100007f);
  NONFAILING(*(uint8_t*)0x20189008 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20189009 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x2018900a = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x2018900b = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x2018900c = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x2018900d = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x2018900e = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x2018900f = (uint8_t)0x0);
  r[30] = execute_syscall(__NR_sendto, r[16], 0x2043bfa2ul, 0x0ul,
                          0x8080ul, 0x20189000ul, 0x10ul, 0, 0, 0);
  r[31] = execute_syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x6ul,
                          0x1ful, 0x20cfcf78ul, 0x0ul, 0, 0, 0, 0);
  NONFAILING(memcpy(
      (void*)0x20153000,
      "\x05\xad\x44\xed\x72\x17\x03\x24\xf3\x17\xae\x88\xf5\x8b\xad\x1e"
      "\x94\xe1\xa0\xa2\xf3\xad\xc3\xee\x93\x89\xff\x35\x4c\x5d\x7b\xa3"
      "\x1f\x54\x78\x08\x5e\x31\x73\x09\x3a\x7d\x21\x54\x4a\x40\xf5\xc0"
      "\xc6\x58\x69\xf9\x43\xa4\x79\x3d\x5e\x31\x20\x91\x88\xf0\xb8\x54"
      "\x6a\x54\xd5\x0a\x3c\x7d\xdc\xf5\x89\xa3\x5f\x60\x23\x98\x2f\x0b"
      "\xc4\xe1\x83\xa8\x13\x43\xb1\xac\x16\xd7\xaf\x08\x29\x29\xa8\xa0"
      "\x02\x8f\x2d\xc1\xa6\xdf\xa6\x76\x53\x1a\xfe\xb7\xd4\x22\xb2\x7a"
      "\x98\x14\x55\x9f\xe5\x38\xa7\x4e\x91\xa5\x85\xc3\xb5\x86\x19\xdd"
      "\x40\xa4\x46\x62\xb0\xa1\x2b\x0a\x08\x46\x26\x83\x3c\x1b\x8c\xe8"
      "\xe0\xde\x6d\x81\xab\x2d\x61\xe9\x20\xa8\xed\xdb\xa6\x7d\xf3\xbf"
      "\x2c\xb9\x76\x2f\x6d\xa2\x6c\x7c\x8f\xe2\x01\xfe\xff\xff\x13\xd1"
      "\x1c\x94\x6b\x01\x3e\x3d\x0c\xe6\x72\x82\x3b\x9b\x8d\xc7\x0e\x61"
      "\xdb\xc6\xa8\x6f\x1c\x92\x22\x03\xdc\x4a\x37\xbd\x8d\xa0\x4f\x67"
      "\xcb\x39\xca\x8f\x8b\x1e\x52\xeb\x30\xdc\x3c\x02\xef\x97\xde\x56"
      "\x50\x2a\xc0\xe2\xe0\x81\xbc\x86\x1c\x19\xd5\x81\x21\x21\xe6\x1f"
      "\xe4\x24\x25\x3d\x35\x78\xcc\x7f\x75\xcd\x42\x65\xe4\x51\xa9\x01"
      "\x0e\x9b\x16\x83\x14\x4b\xda\x51\x8a\x96\xe5\xcc\x6b\x77\x5e\xbc"
      "\xa6\x93\x91\x9a\xbc\xd6\x1a\x81\xc7\xee\x28\x97\x80\x09\x84\xd7"
      "\xd8\x6b\x6b\xd4\x29\x8b\x43\x3e\x8c\x56\x98\x2b\xd0\xe1\x77\xf3"
      "\x6f\x5d\x8f\x0d\x8a\x8b\xbb\x6a\x58\x06\x03\x26\xa8\xc4\xa4\x32"
      "\x9b\xb0\x84\x52\x15\xe1\x5e\xd7\x6d\xf1\x1c\x0e\x88\x92\x7c\x22"
      "\x8e\x7b\x5f\x7a\x36\xce\xc3\x0c\xda\xec\x92\x80\x95\xbd\xb9\x03"
      "\xa1\x97\xc8\x0b\xe6\x6f\xf5\x81\xaf\x95\x06\xfb\x43\xca\xab\x7f"
      "\x02\x14\xd6\x73\x99\x96\xec\xe2\x82\xbd\x9a\x54\xf1\xcf\x9a\xc2"
      "\x66\xfd\x34\xf1\xec\x3f\xdb\x36\xac\x0e\xf5\xb6\x0d\x0f\xa8\x62"
      "\x36\xb9\x48\xf5\xb5\xd2\xd5\x16\xfc\x79\x44\xa1\x13\x42\x66\x90"
      "\x37\x5f\xfe\xf7\x46\x55\xf6\x0a\xc4\xcf\x7e\xe4\x2e\xb2\x5a\x25"
      "\x1a\x78\x18\xb5\x68\xd3\x1f\x04\x11\x80\x82\xc7\x52\xd6\xed\x8d"
      "\x34\x9c\xf6\x3b\x28\x76\x4c\xae\x7b\x53\xd4\x0e\x6f\xa5\x96\x50"
      "\x5d\x0e\x54\xdc\x38\x19\x7f\x1f\xfa\x80\xad\xf8\x01\x00\x00\x00"
      "\xce\xde\x3f\xb6\x0f\xe7\x1a\x68\x65\x32\x87\xee\x76\x77\x10\x15"
      "\x32\x88\x3b\xbb\xbb\xb4\x5b\x28\x14\x9a\x34\x7f\x07\x28\xf4\xfa"
      "\xf0\x83\xf4\x63\x67\xbc\x82\x92\xdf\xb6\x4e\x67\x29\x72\xff\x96"
      "\x4b\x9d\xb7\x7e\xd0",
      533));
  NONFAILING(*(uint16_t*)0x20445ff0 = (uint16_t)0x2);
  NONFAILING(*(uint16_t*)0x20445ff2 = (uint16_t)0x204e);
  NONFAILING(*(uint32_t*)0x20445ff4 = (uint32_t)0x100007f);
  NONFAILING(*(uint8_t*)0x20445ff8 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445ff9 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445ffa = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445ffb = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445ffc = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445ffd = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445ffe = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20445fff = (uint8_t)0x0);
  r[44] = execute_syscall(__NR_sendto, r[16], 0x20153000ul, 0x215ul,
                          0x0ul, 0x20445ff0ul, 0x10ul, 0, 0, 0);
  NONFAILING(*(uint32_t*)0x20591ff0 = (uint32_t)0xffffffffffffffff);
  NONFAILING(*(uint16_t*)0x20591ff4 = (uint16_t)0x2000);
  NONFAILING(*(uint16_t*)0x20591ff6 = (uint16_t)0x0);
  NONFAILING(*(uint32_t*)0x20591ff8 = r[16]);
  NONFAILING(*(uint16_t*)0x20591ffc = (uint16_t)0x600a);
  NONFAILING(*(uint16_t*)0x20591ffe = (uint16_t)0x0);
  NONFAILING(*(uint32_t*)0x20592000 = r[1]);
  NONFAILING(*(uint16_t*)0x20592004 = (uint16_t)0x8000);
  NONFAILING(*(uint16_t*)0x20592006 = (uint16_t)0x0);
  r[54] = execute_syscall(__NR_poll, 0x20591ff0ul, 0x3ul, 0x5ul, 0, 0,
                          0, 0, 0, 0);
  NONFAILING(*(uint16_t*)0x20cf2ff0 = (uint16_t)0x2);
  NONFAILING(*(uint16_t*)0x20cf2ff2 = (uint16_t)0x204e);
  NONFAILING(*(uint32_t*)0x20cf2ff4 = (uint32_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ff8 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ff9 = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ffa = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ffb = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ffc = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ffd = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2ffe = (uint8_t)0x0);
  NONFAILING(*(uint8_t*)0x20cf2fff = (uint8_t)0x0);
  r[66] = execute_syscall(__NR_recvfrom, r[1], 0x20cf2ffcul, 0x0ul,
                          0x100000042ul, 0x20cf2ff0ul, 0x10ul, 0, 0, 0);
}
int main()
{
  setup_main_process();
  int pid = do_sandbox_none(0, false);
  int status = 0;
  while (waitpid(pid, &status, __WALL) != pid) {
  }
  return 0;
}