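// https://syzkaller.appspot.com/bug?id=566325c29e627765e4f5d223163e5c15191f0f46
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reviewed copy of the reproducer (the listing had been collapsed onto one
// line and the header names of its five #include lines were lost):
//  * the includes are restored to the headers the code actually needs
//    (htobe16/htobe32, uint*_t, memcpy/memset, __NR_*, syscall);
//  * csum_inet_update no longer reads 16-bit words through a cast of a
//    uint8_t pointer (unaligned access / strict-aliasing violation);
//  * STORE_BY_BITMASK is a single do { } while (0) statement, so it is safe
//    under an unbraced if/else;
//  * main() checks the mmap that backs every fixed-address store; without
//    the mapping the first store in loop() would simply fault.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// <endian.h> exposes htobe16/htobe32 as macros only when the feature macros
// are visible before the first libc header is included. Provide standard-C
// fallbacks so the file still builds when that is not the case.
#ifndef htobe16
static inline uint16_t fallback_htobe16(uint16_t v) {
  uint8_t b[2] = {(uint8_t)(v >> 8), (uint8_t)v};
  uint16_t out;
  memcpy(&out, b, sizeof out);
  return out;
}
#define htobe16(v) fallback_htobe16(v)
#endif
#ifndef htobe32
static inline uint32_t fallback_htobe32(uint32_t v) {
  uint8_t b[4] = {(uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8),
                  (uint8_t)v};
  uint32_t out;
  memcpy(&out, b, sizeof out);
  return out;
}
#define htobe32(v) fallback_htobe32(v)
#endif

// Mask covering the low bf_len bits of `type`.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// Mask covering bf_len bits starting at bit offset bf_off.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Store `val` into bits [bf_off, bf_off + bf_len) of the `type` object at
// `addr`, leaving the other bits untouched. bf_off == bf_len == 0 means
// "the whole object", not a zero-width field.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                \
  do {                                                                   \
    if ((bf_off) == 0 && (bf_len) == 0) {                                \
      *(type*)(addr) = (type)(val);                                      \
    } else {                                                             \
      type new_val = *(type*)(addr);                                     \
      new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
      new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);  \
      *(type*)(addr) = new_val;                                          \
    }                                                                    \
  } while (0)

// Running one's-complement (RFC 1071 style) checksum accumulator.
struct csum_inet {
  uint32_t acc;
};

// Reset the accumulator.
static void csum_inet_init(struct csum_inet* csum) {
  csum->acc = 0;
}

// Fold `length` bytes at `data` into the accumulator as host-order 16-bit
// words. An odd trailing byte is added as the low-order byte of a final
// word, which is the RFC 1071 zero-pad rule on a little-endian host.
// The sum is folded back to 16 bits after every call.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
                             size_t length) {
  if (length == 0)
    return;
  size_t i;
  for (i = 0; i < length - 1; i += 2) {
    uint16_t word;
    // memcpy rather than *(uint16_t*)&data[i]: data may be unaligned and the
    // cast would violate strict aliasing.
    memcpy(&word, &data[i], sizeof word);
    csum->acc += word;
  }
  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Return the one's complement of the folded sum, i.e. the checksum field
// value (0xffff for no data).
static uint16_t csum_inet_digest(struct csum_inet* csum) {
  return ~csum->acc;
}

// Resources produced by the syscall sequence: r[0] the socket, r[1] its dup2.
// -1 (all ones) until the corresponding call succeeds.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// Issue the reproducer's syscall sequence once. Every pointer the kernel is
// handed refers to the fixed region mapped by main() at 0x20000000.
void loop(void) {
  long res = 0;

  // r[0]: socket(0xa /* AF_INET6 */, 2 /* SOCK_DGRAM */, 0);
  // r[1]: dup2(r[0], r[0]), i.e. the same descriptor.
  res = syscall(__NR_socket, 0xa, 2, 0);
  if (res != -1)
    r[0] = res;
  res = syscall(__NR_dup2, r[0], r[0]);
  if (res != -1)
    r[1] = res;

  // connect(r[0]) to a 28-byte (0x1c) sockaddr_in6 at 0x2000cfe4:
  // family 0xa, port 0x4e20, flowinfo 0, address ::, scope_id 0.
  *(uint16_t*)0x2000cfe4 = 0xa;
  *(uint16_t*)0x2000cfe6 = htobe16(0x4e20);
  *(uint32_t*)0x2000cfe8 = 0;
  memset((void*)0x2000cfec, 0, 16);
  *(uint32_t*)0x2000cffc = 0;
  syscall(__NR_connect, r[0], 0x2000cfe4, 0x1c);

  // sendmsg(r[0], msghdr at 0x20000080, flags 0x8000). Offsets follow the
  // x86-64 struct msghdr layout; the single iovec at 0x20000040 has length 0.
  *(uint64_t*)0x20000080 = 0;           // msg_name
  *(uint32_t*)0x20000088 = 0;           // msg_namelen
  *(uint64_t*)0x20000090 = 0x20000040;  // msg_iov
  *(uint64_t*)0x20000040 = 0x20001000;  //   iov[0].iov_base
  *(uint64_t*)0x20000048 = 0;           //   iov[0].iov_len
  *(uint64_t*)0x20000098 = 1;           // msg_iovlen
  *(uint64_t*)0x200000a0 = 0x20002000;  // msg_control
  *(uint64_t*)0x200000a8 = 0;           // msg_controllen
  *(uint32_t*)0x200000b0 = 0;           // msg_flags
  syscall(__NR_sendmsg, r[0], 0x20000080, 0x8000);

  // sendto(r[1]): 67 (0x43) opaque payload bytes to a sockaddr_in6 at
  // 0x20000380 with family 0xa, port 0, address fe80::bb, scope_id 0.
  memcpy((void*)0x20000480,
         "\x43\xcb\x33\xb1\x05\xc5\x95\xaa\xf1\xa4\xee\x14\x8a\x0c\x87\x8e\x1f"
         "\xf4\x94\x7f\xcc\x99\xf7\x72\x4c\x87\x2e\x5e\xc4\x0a\x7f\xe5\xfd\x78"
         "\x50\x25\x18\x2b\xce\xc3\x01\xf3\x9b\x66\xbc\x43\xdd\x6c\x81\x04\x6d"
         "\xff\x38\x93\x54\xde\xe9\x36\x2f\x67\x00\x30\x85\xfe\x50\x60\x3b",
         67);
  *(uint16_t*)0x20000380 = 0xa;
  *(uint16_t*)0x20000382 = htobe16(0);
  *(uint32_t*)0x20000384 = 0;
  static const uint8_t addr_fe80_bb[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0,
                                           0,    0,    0, 0, 0, 0, 0, 0xbb};
  memcpy((void*)0x20000388, addr_fe80_bb, sizeof addr_fe80_bb);
  *(uint32_t*)0x20000398 = 0;
  syscall(__NR_sendto, r[1], 0x20000480, 0x43, 0, 0x20000380, 0x1c);

  // Frame at 0x20000180: Ethernet header (dst ff:ff:ff:ff:ff:ff,
  // src aa:aa:aa:aa:aa:bb, type 0x0800), a 20-byte IPv4 header (version 4,
  // IHL 5, total length 0x1c, ttl 0, protocol 2, src 0.0.0.0, dst 224.0.0.1)
  // and 8 bytes starting with type 0x11. Nothing in this file passes the
  // frame to a syscall; only its two checksum fields are filled in below.
  memset((void*)0x20000180, 0xff, 6);  // the original stored -1 per byte
  *(uint8_t*)0x20000186 = 0xaa;
  *(uint8_t*)0x20000187 = 0xaa;
  *(uint8_t*)0x20000188 = 0xaa;
  *(uint8_t*)0x20000189 = 0xaa;
  *(uint8_t*)0x2000018a = 0xaa;
  *(uint8_t*)0x2000018b = 0xbb;
  *(uint16_t*)0x2000018c = htobe16(0x800);
  STORE_BY_BITMASK(uint8_t, 0x2000018e, 5, 0, 4);  // IHL
  STORE_BY_BITMASK(uint8_t, 0x2000018e, 4, 4, 4);  // version
  STORE_BY_BITMASK(uint8_t, 0x2000018f, 0, 0, 2);  // ECN
  STORE_BY_BITMASK(uint8_t, 0x2000018f, 0, 2, 6);  // DSCP
  *(uint16_t*)0x20000190 = htobe16(0x1c);          // total length
  *(uint16_t*)0x20000192 = htobe16(0);             // identification
  *(uint16_t*)0x20000194 = htobe16(0);             // flags / fragment offset
  *(uint8_t*)0x20000196 = 0;                       // ttl
  *(uint8_t*)0x20000197 = 2;                       // protocol
  *(uint16_t*)0x20000198 = 0;                      // header checksum (set below)
  *(uint32_t*)0x2000019a = htobe32(0);             // src
  *(uint32_t*)0x2000019e = htobe32(0xe0000001);    // dst
  *(uint8_t*)0x200001a2 = 0x11;
  *(uint8_t*)0x200001a3 = 0;
  *(uint16_t*)0x200001a4 = 0;                      // checksum (set below)
  *(uint32_t*)0x200001a6 = htobe32(0);

  // Six words at 0x203b5000, written here and not read by anything in this
  // file.
  *(uint32_t*)0x203b5000 = 0;
  *(uint32_t*)0x203b5004 = 0;
  *(uint32_t*)0x203b5008 = 0;
  *(uint32_t*)0x203b500c = 0;
  *(uint32_t*)0x203b5010 = 0;
  *(uint32_t*)0x203b5014 = 0xfffffffd;

  // Checksum over the 8 bytes at 0x200001a2, stored in their third/fourth
  // byte; then over the 20-byte IPv4 header, stored in its checksum field.
  struct csum_inet csum_1;
  csum_inet_init(&csum_1);
  csum_inet_update(&csum_1, (const uint8_t*)0x200001a2, 8);
  *(uint16_t*)0x200001a4 = csum_inet_digest(&csum_1);
  struct csum_inet csum_2;
  csum_inet_init(&csum_2);
  csum_inet_update(&csum_2, (const uint8_t*)0x2000018e, 20);
  *(uint16_t*)0x20000198 = csum_inet_digest(&csum_2);
}

// Map the 16 MiB read/write (prot 3) anonymous fixed region (flags 0x32)
// at 0x20000000 that every absolute address in loop() points into, then run
// the sequence once. Returns 1 if the mapping cannot be created.
int main(void) {
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1)
    return 1;
  loop();
  return 0;
}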