// https://syzkaller.appspot.com/bug?id=e2d0f382ccf497c1b6cec826cb791cad23062db6
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pthread.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

#include <stdint.h>
#include <string.h>

// Fallback syscall numbers, used only when <sys/syscall.h> has not already
// defined the corresponding __NR_* macro. The literal values (userfaultfd 374,
// ioctl 54, clone 120, close 6, mmap2 192) match the 32-bit x86 (i386)
// syscall table, so they are wrong for any other ABI.
#ifndef __NR_userfaultfd
#define __NR_userfaultfd 374
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_clone
#define __NR_clone 120
#endif
#ifndef __NR_close
#define __NR_close 6
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
// __NR_mmap is unconditionally redirected to __NR_mmap2, which also discards
// the 192 fallback defined just above. x86-64 headers do not define
// __NR_mmap2, so this file only builds for a 32-bit target
// (presumably -m32 on an x86-64 host; confirm against the linked report).
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// r[0] holds the userfaultfd descriptor produced by step 1. loop() fills it
// with 0xff bytes (i.e. -1) before any thread starts, so a step that runs
// before step 1 has finished passes -1 as the descriptor.
long r[1];

// Thread body: runs exactly one step of the reproducer, selected by the
// integer smuggled through `arg` (0..5; any other value does nothing).
// No return value of any syscall is checked, and every step runs in its own
// thread, so the steps are not guaranteed to execute in numeric order.
// The file does not name the kernel bug; the syzkaller URL in the header
// comment is the only reference to it.
//
// Taken together the steps set up a userfaultfd with fork events enabled
// on a registered range and then issue a clone() and a close() of the
// descriptor from separate threads, which presumably lets those two
// operations overlap inside the kernel; confirm against the linked report.
// Always returns 0 (NULL).
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    // Scratch area: fixed mapping at 0x20000000, length 0xfff000,
    // prot 0x3 (PROT_READ|PROT_WRITE), flags 0x32
    // (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), all-ones fd, offset 0.
    // Every hard-coded pointer used by the later steps lies inside
    // 0x20000000..0x20fff000, so they fault if this step has not run yet.
    syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
            0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    // userfaultfd(flags = 0); the descriptor (or -1 on failure) is
    // published to the other threads through r[0] without synchronisation.
    r[0] = syscall(__NR_userfaultfd, 0x0ul);
    break;
  case 2:
    // Three 64-bit fields laid out as struct uffdio_api at 0x20842fe8:
    // api = 0xaa (UFFD_API), features = 0x2 (UFFD_FEATURE_EVENT_FORK in
    // linux/userfaultfd.h), ioctls = 0.
    *(uint64_t*)0x20842fe8 = (uint64_t)0xaa;
    *(uint64_t*)0x20842ff0 = (uint64_t)0x2;
    *(uint64_t*)0x20842ff8 = (uint64_t)0x0;
    // 0xc018aa3f decodes as _IOWR(0xAA, 0x3F, 24 bytes) = UFFDIO_API.
    syscall(__NR_ioctl, r[0], 0xc018aa3ful, 0x20842fe8ul);
    break;
  case 3:
    // Fields laid out as struct uffdio_register at 0x20e90000:
    // range.start = 0x205b7000, range.len = 0x400000,
    // mode = 0x1 (UFFDIO_REGISTER_MODE_MISSING), ioctls = 0.
    // The start field is 64 bits wide but only its low 32 bits are stored
    // here; the high half keeps whatever the memory already holds (zero
    // when the anonymous mapping from step 0 is untouched).
    *(uint32_t*)0x20e90000 = (uint32_t)0x205b7000;
    *(uint64_t*)0x20e90008 = (uint64_t)0x400000;
    *(uint64_t*)0x20e90010 = (uint64_t)0x1;
    *(uint64_t*)0x20e90018 = (uint64_t)0x0;
    // 0xc020aa00 decodes as _IOWR(0xAA, 0x00, 32 bytes) = UFFDIO_REGISTER.
    // The registered range 0x205b7000..0x209b7000 sits inside the scratch
    // mapping and covers the uffdio_api struct written by step 2.
    syscall(__NR_ioctl, r[0], 0xc020aa00ul, 0x20842fe8ul == 0 ? 0 : 0x20e90000ul);
    break;
  case 4:
    // Raw clone with flags 0x600 (CLONE_FS|CLONE_FILES). CLONE_VM is not
    // set, so the child gets a copy of the address space, i.e. the fork
    // path that UFFD_FEATURE_EVENT_FORK hooks into. The remaining
    // arguments are addresses inside the scratch mapping; their meaning
    // depends on the architecture's clone argument order (not shown here).
    syscall(__NR_clone, 0x600ul, 0x20687000ul, 0x20b4c000ul,
            0x20552ffcul, 0x207a4f71ul);
    break;
  case 5:
    // Drops the userfaultfd descriptor while the other steps may still be
    // using it from their own threads.
    syscall(__NR_close, r[0]);
    break;
  }
  return 0;
}

// Runs one pass of the reproducer: resets the shared descriptor slot, then
// starts the six steps of thr() in order, each in its own thread, with a
// pseudo-random pause of under 10 ms after every start and a final pause of
// under 100 ms before returning.
//
// Things a reader triaging this should know:
//  - The threads are never joined; they are left running when loop()
//    returns and end with the process.
//  - pthread_create() results are ignored, so a step that failed to start
//    is silently skipped.
//  - No srand() call is visible in this file, so rand() yields the same
//    delay sequence on every run; the interleaving still varies with
//    scheduling.
//  - The handle array has 12 slots but only the first 6 are used.
void loop()
{
  pthread_t workers[12];
  long step = 0;

  // Filling with 0xff bytes leaves r[0] == -1 ("no descriptor yet").
  memset(r, -1, sizeof(r));

  while (step < 6) {
    pthread_create(&workers[step], 0, thr, (void*)step);
    usleep(rand() % 10000);
    step++;
  }

  // Grace period for the started steps before main() exits.
  usleep(rand() % 100000);
}

// Entry point: performs a single reproducer pass and exits successfully.
// The exit status carries no information about whether the kernel issue
// was hit; that has to be read from the kernel log of the test machine.
int main()
{
  loop();
  return EXIT_SUCCESS;
}