// https://syzkaller.appspot.com/bug?id=c2f42158ba4ec6e59c9d10d4755bcd933387da7a
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/sched.h>

#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#ifndef __NR_exit
#define __NR_exit 93
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif

#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

static long handle_clone_ret(long ret)
{
  if (ret != 0) {
    return ret;
  }
  usleep(USLEEP_FORKED_CHILD);
  syscall(__NR_exit, 0);
  while (1) {
  }
}

#define MAX_CLONE_ARGS_BYTES 256
static long syz_clone3(volatile long a0, volatile long a1)
{
  unsigned long copy_size = a1;
  if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
    return -1;
  char clone_args[MAX_CLONE_ARGS_BYTES];
  memcpy(&clone_args, (void*)a0, copy_size);
  uint64_t* flags = (uint64_t*)&clone_args;
  *flags &= ~CLONE_VM;
  return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  //  syz_clone3 arguments: [
  //    args: ptr[in, clone_args] {
  //      clone_args {
  //        flags: clone3_flags = 0x142b63480 (8 bytes)
  //        pidfd: ptr[out, fd_pidfd] {
  //          fd_pidfd (resource)
  //        }
  //        child_tid: nil
  //        parent_tid: nil
  //        exit_signal: align64[signalno] {
  //          v: int32 = 0x3e (4 bytes)
  //          pad = 0x0 (4 bytes)
  //        }
  //        stack: nil
  //        stack_size: bytesize = 0x0 (8 bytes)
  //        tls: nil
  //        set_tid: nil
  //        set_tid_size: len = 0x0 (8 bytes)
  //        cgroup: align64[fd_cgroup] {
  //          v: fd_cgroup (resource)
  //          pad = 0x0 (4 bytes)
  //        }
  //      }
  //    }
  //    size: bytesize = 0x58 (8 bytes)
  //  ]
  //  returns pid
  *(uint64_t*)0x20000000 = 0x142b63480;
  *(uint64_t*)0x20000008 = 0x20000080;
  *(uint64_t*)0x20000010 = 0;
  *(uint64_t*)0x20000018 = 0;
  *(uint32_t*)0x20000020 = 0x3e;
  *(uint64_t*)0x20000028 = 0;
  *(uint64_t*)0x20000030 = 0;
  *(uint64_t*)0x20000038 = 0;
  *(uint64_t*)0x20000040 = 0;
  *(uint64_t*)0x20000048 = 0;
  *(uint32_t*)0x20000050 = -1;
  syz_clone3(/*args=*/0x20000000, /*size=*/0x58);
  return 0;
}