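// https://syzkaller.appspot.com/bug?id=ee7a490448b51172934397f09a7ef045e634f8d1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Fuzzer reproducer: a fixed sequence of raw syscalls whose pointer arguments
// all refer into a pre-mapped data area at 0x200000000000.  The order,
// addresses and flag values ARE the test case; change them only if you
// re-run the reproducer against the kernel under test afterwards.

#define _GNU_SOURCE

// NOTE(review): the header operands of the ten #include directives were lost
// in the copy this listing was taken from.  The list below is the standard
// syzkaller C-repro preamble and covers every libc name used in this file:
// open/O_* (fcntl.h), snprintf (stdio.h), memset/memcpy (string.h),
// syscall/write (unistd.h), __NR_* (sys/syscall.h), uint*_t/intptr_t (stdint.h).
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Older libc headers may not carry the io_uring_setup number; 425 is its
// value on the architectures that share the generic syscall table.
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

/*
 * Open an entry under procfs for the calling process.
 *
 * a0 selects the directory: 0 -> /proc/self, -1 -> /proc/thread-self, any
 * other value -> /proc/self/task/<a0>.  a1 is a pointer (smuggled through a
 * long, as syzkaller does for all arguments) to the NUL-terminated file name
 * appended to that directory.
 *
 * Returns the descriptor from open(2), trying O_RDWR first and falling back
 * to O_RDONLY; -1 if both fail (errno is from the second open).  The caller
 * owns the descriptor.  The 128-byte path buffer truncates via snprintf
 * rather than overflowing; the fixed names used here are far shorter.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
  char buf[128];
  memset(buf, 0, sizeof(buf));
  if (a0 == 0) {
    snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
  } else if (a0 == -1) {
    snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
  } else {
    snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
  }
  int fd = open(buf, O_RDWR);
  if (fd == -1)
    fd = open(buf, O_RDONLY);
  return fd;
}

// syzkaller "resources": descriptors produced by earlier calls and consumed
// by later ones.  r[0] = the /proc/self/maps fd, r[1] = the /dev/nullb0 fd.
// All-ones means the producing call failed and the consumer will receive
// an invalid fd (-1 after truncation to int).
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Lay out the fuzzer's address space: a prot=0 page below, a 16 MiB RWX
  // data area at 0x200000000000 that every later pointer argument refers
  // into, and a prot=0 page above it.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  // Kept from the generated code: syzkaller emits `reason` for its error
  // reporting and silences it when unused.
  const char* reason;
  (void)reason;
  intptr_t res = 0;

  // Progress marker on stdout; the result is deliberately ignored (the
  // reproducer must continue even if stdout is closed).
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // syz_open_procfs(pid=0, file="maps") -> r[0]
  //   Opens /proc/self/maps; the name is staged in the data area first.
  memcpy((void*)0x200000000040, "maps\000", 5);
  res = syz_open_procfs(/*pid=*/0, /*file=*/0x200000000040);
  if (res != -1)
    r[0] = res;

  // openat$nullb(AT_FDCWD, "/dev/nullb0", O_TRUNC|O_EXCL|O_RDWR, 0) -> r[1]
  //   0xffffffffffffff9c is AT_FDCWD (-100) as an unsigned long.  The path is
  //   staged at the very start of the data area, which the next call remaps.
  memcpy((void*)0x200000000000, "/dev/nullb0\000", 12);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000000ul,
                /*flags=O_TRUNC|O_EXCL|O_RDWR*/ 0x282, /*mode=*/0);
  if (res != -1)
    r[1] = res;

  // mmap(0x200000000000, 0xb36000, PROT_*|PROT_GROWSUP, flags, r[1], 0x3000)
  //   Replaces the first 0xb36000 bytes of the anonymous data area with a
  //   shared, populated mapping of /dev/nullb0 (flags 0x38011 =
  //   MAP_STACK|MAP_POPULATE|MAP_NONBLOCK|MAP_FIXED|MAP_SHARED; MAP_ANONYMOUS
  //   is not set).  If the device is absent, r[1] is still -1 and this call
  //   fails, leaving the anonymous mapping in place -- the later writes then
  //   land in zero-filled memory rather than in device-backed pages.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
          /*prot=PROT_GROWSUP|PROT_WRITE|PROT_READ|PROT_EXEC*/ 0x2000007ul,
          /*flags=MAP_STACK|MAP_POPULATE|MAP_NONBLOCK|MAP_FIXED|0x1*/ 0x38011ul,
          /*fd=*/r[1], /*offset=*/0x3000ul);

  // io_uring_setup(entries=0x2e34, params=0x200000000180)
  //   struct io_uring_params layout at 0x180 (from the syzkaller dump):
  //     0x180 sq_entries   -- not written; kernel-filled output field
  //     0x184 cq_entries   = 0xfffffffc
  //     0x188 flags        = 0
  //     0x18c sq_thread_cpu  = 0
  //     0x190 sq_thread_idle = 0
  //     0x194 features     -- not written; kernel-filled output field
  //     0x198 wq_fd        = -1 (0xffffffff)
  //     0x19c resv[12]     = 0
  //     sq_off/cq_off      -- not written; kernel-filled, all zero in the dump
  //   Fields that are not written keep whatever the mapping held at this
  //   point (zero for the anonymous fallback; device contents otherwise).
  *(uint32_t*)0x200000000184 = 0xfffffffc;
  *(uint32_t*)0x200000000188 = 0;
  *(uint32_t*)0x20000000018c = 0;
  *(uint32_t*)0x200000000190 = 0;
  *(uint32_t*)0x200000000198 = -1;
  memset((void*)0x20000000019c, 0, 12);
  syscall(__NR_io_uring_setup, /*entries=*/0x2e34,
          /*params=*/0x200000000180ul);

  // ioctl(r[0], KVM_SET_USER_MEMORY_REGION=0xc0686611, 0x200000000180)
  //   struct kvm_userspace_memory_region, reusing the 0x180 scratch area:
  //     0x180 slot            = 0x67
  //     0x184 flags           = 0
  //     0x188 guest_phys_addr = 0x3f
  //     0x190 memory_size     = 0x2000
  //     0x198 userspace_addr  = 0x200000ffe000 (last 8 KiB of the data area)
  //   NOTE(review): the syzkaller annotation types the fd as fd_kvmvm, but
  //   r[0] holds the /proc/self/maps descriptor, so the KVM ioctl number is
  //   being issued against a procfs file.  That is a fuzzer artefact, not a
  //   typo to fix: the reported bug was reproduced with exactly this target.
  *(uint32_t*)0x200000000180 = 0x67;
  *(uint32_t*)0x200000000184 = 0;
  *(uint64_t*)0x200000000188 = 0x3f;
  *(uint64_t*)0x200000000190 = 0x2000;
  *(uint64_t*)0x200000000198 = 0x200000ffe000;
  syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0686611,
          /*arg=*/0x200000000180ul);

  // Descriptors are intentionally left open; the process exit reclaims them
  // and the crash, if any, has already happened inside the calls above.
  return 0;
}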