linux-arts: Add a collection of syzcaller reproducers for Linux kernel

This is an initial commit for the syzcaller reproducers for Linux kernel
from https://github.com/dvyukov/syzkaller-repros

These reproducers are obtained from https://github.com/google/syzkaller

https://github.com/google/syzkaller/blob/64612bfd3c83d7246467cd9731f01a36b6331598/tools/syz-reprolist/reprolist.go

To build run build.sh.
To run run run.sh.

Testing should be done with KASAN, LOCKDEP, DEBUG_OBJECTS, DEBUG_VM,
FAULT_INJECTION, lockup detectors and other debugging configs.
diff --git a/syzkaller-repros/.gitignore b/syzkaller-repros/.gitignore
new file mode 100644
index 0000000..b72f9be
--- /dev/null
+++ b/syzkaller-repros/.gitignore
@@ -0,0 +1,2 @@
+*~
+*.swp
diff --git a/syzkaller-repros/LICENSE b/syzkaller-repros/LICENSE
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/syzkaller-repros/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/syzkaller-repros/README.md b/syzkaller-repros/README.md
new file mode 100644
index 0000000..2da4357
--- /dev/null
+++ b/syzkaller-repros/README.md
@@ -0,0 +1,12 @@
+# syzkaller bug reproducers
+
+Collection of [syzkaller](https://github.com/google/syzkaller) bug reproducers for Linux kernel.
+
+Obtained from [syzbot](https://github.com/google/syzkaller/blob/master/docs/syzbot.md)
+using [syz-reprolist](https://github.com/google/syzkaller/blob/64612bfd3c83d7246467cd9731f01a36b6331598/tools/syz-reprolist/reprolist.go).
+
+To build run [build.sh](build.sh).\
+To run run [run.sh](run.sh).
+
+Testing should be done with KASAN, LOCKDEP, DEBUG_OBJECTS, DEBUG_VM, FAULT_INJECTION, lockup detectors
+and [other debugging configs](https://github.com/google/syzkaller/blob/master/dashboard/config/bits-syzbot.config).
diff --git a/syzkaller-repros/build.sh b/syzkaller-repros/build.sh
new file mode 100755
index 0000000..6d2d805
--- /dev/null
+++ b/syzkaller-repros/build.sh
@@ -0,0 +1,13 @@
+mkdir -p bin
+for f in linux/*.c; do
+	out="bin/`basename "$f" .c`"
+	if test -f "$out"; then
+		continue
+	fi
+	echo $f
+	flags=""
+	if grep "__NR_mmap2" $f; then
+		flags="-m32"
+	fi
+	gcc "$f" -static -pthread $flags -o $out
+done
diff --git a/syzkaller-repros/linux/000780f064cc50726a331cf2e8826321609a2e1d.c b/syzkaller-repros/linux/000780f064cc50726a331cf2e8826321609a2e1d.c
new file mode 100644
index 0000000..eea5c1f
--- /dev/null
+++ b/syzkaller-repros/linux/000780f064cc50726a331cf2e8826321609a2e1d.c
@@ -0,0 +1,33 @@
+// BUG: assuming atomic context at kernel/seccomp.c:LINE
+// https://syzkaller.appspot.com/bug?id=000780f064cc50726a331cf2e8826321609a2e1d
+// status:fixed
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <endian.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifndef __NR_seccomp
+#define __NR_seccomp 317
+#endif
+
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+
+  *(uint16_t*)0x20007ff0 = 1;
+  *(uint64_t*)0x20007ff8 = 0x20004fe8;
+  *(uint16_t*)0x20004fe8 = 6;
+  *(uint8_t*)0x20004fea = 0;
+  *(uint8_t*)0x20004feb = 0;
+  *(uint32_t*)0x20004fec = 0x50000;
+  syscall(__NR_seccomp, 1, 2, 0x20007ff0);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/000ba6613265972f3246094bd3a41f35b0416af8.c b/syzkaller-repros/linux/000ba6613265972f3246094bd3a41f35b0416af8.c
new file mode 100644
index 0000000..cc3a134
--- /dev/null
+++ b/syzkaller-repros/linux/000ba6613265972f3246094bd3a41f35b0416af8.c
@@ -0,0 +1,328 @@
+// general protection fault in netlink_unicast
+// https://syzkaller.appspot.com/bug?id=000ba6613265972f3246094bd3a41f35b0416af8
+// status:invalid
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/if_tun.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <net/if_arp.h>
+#include <pthread.h>
+#include <sched.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+const int kFailStatus = 67;
+const int kRetryStatus = 69;
+
+__attribute__((noreturn)) static void doexit(int status)
+{
+  volatile unsigned i;
+  syscall(__NR_exit_group, status);
+  for (i = 0;; i++) {
+  }
+}
+
+__attribute__((noreturn)) static void fail(const char* msg, ...)
+{
+  int e = errno;
+  fflush(stdout);
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
+}
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* uctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  doexit(sig);
+  for (;;) {
+  }
+}
+
+static void install_segv_handler()
+{
+  struct sigaction sa;
+
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                \
+  {                                                                    \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
+    if (_setjmp(segv_env) == 0) {                                      \
+      __VA_ARGS__;                                                     \
+    }                                                                  \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
+  }
+
+static void use_temporary_dir()
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    fail("failed to mkdtemp");
+  if (chmod(tmpdir, 0777))
+    fail("failed to chmod");
+  if (chdir(tmpdir))
+    fail("failed to chdir");
+}
+
+static void vsnprintf_check(char* str, size_t size, const char* format,
+                            va_list args)
+{
+  int rv;
+
+  rv = vsnprintf(str, size, format, args);
+  if (rv < 0)
+    fail("tun: snprintf failed");
+  if ((size_t)rv >= size)
+    fail("tun: string '%s...' doesn't fit into buffer", str);
+}
+
+static void snprintf_check(char* str, size_t size, const char* format,
+                           ...)
+{
+  va_list args;
+
+  va_start(args, format);
+  vsnprintf_check(str, size, format, args);
+  va_end(args);
+}
+
+#define COMMAND_MAX_LEN 128
+
+static void execute_command(const char* format, ...)
+{
+  va_list args;
+  char command[COMMAND_MAX_LEN];
+  int rv;
+
+  va_start(args, format);
+
+  vsnprintf_check(command, sizeof(command), format, args);
+  rv = system(command);
+  if (rv != 0)
+    fail("tun: command \"%s\" failed with code %d", &command[0], rv);
+
+  va_end(args);
+}
+
+static int tunfd = -1;
+
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define MAX_PIDS 32
+#define ADDR_MAX_LEN 32
+
+#define LOCAL_MAC "aa:aa:aa:aa:aa:%02hx"
+#define REMOTE_MAC "bb:bb:bb:bb:bb:%02hx"
+
+#define LOCAL_IPV4 "172.20.%d.170"
+#define REMOTE_IPV4 "172.20.%d.187"
+
+#define LOCAL_IPV6 "fe80::%02hxaa"
+#define REMOTE_IPV6 "fe80::%02hxbb"
+
+static void initialize_tun(uint64_t pid)
+{
+  if (pid >= MAX_PIDS)
+    fail("tun: no more than %d executors", MAX_PIDS);
+  int id = pid;
+
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1)
+    fail("tun: can't open /dev/net/tun");
+
+  char iface[IFNAMSIZ];
+  snprintf_check(iface, sizeof(iface), "syz%d", id);
+
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, iface, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+    fail("tun: ioctl(TUNSETIFF) failed");
+
+  char local_mac[ADDR_MAX_LEN];
+  snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
+  char remote_mac[ADDR_MAX_LEN];
+  snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);
+
+  char local_ipv4[ADDR_MAX_LEN];
+  snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
+  char remote_ipv4[ADDR_MAX_LEN];
+  snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);
+
+  char local_ipv6[ADDR_MAX_LEN];
+  snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
+  char remote_ipv6[ADDR_MAX_LEN];
+  snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);
+
+  execute_command("sysctl -w net.ipv6.conf.%s.accept_dad=0", iface);
+
+  execute_command("sysctl -w net.ipv6.conf.%s.router_solicitations=0",
+                  iface);
+
+  execute_command("ip link set dev %s address %s", iface, local_mac);
+  execute_command("ip addr add %s/24 dev %s", local_ipv4, iface);
+  execute_command("ip -6 addr add %s/120 dev %s", local_ipv6, iface);
+  execute_command("ip neigh add %s lladdr %s dev %s nud permanent",
+                  remote_ipv4, remote_mac, iface);
+  execute_command("ip -6 neigh add %s lladdr %s dev %s nud permanent",
+                  remote_ipv6, remote_mac, iface);
+  execute_command("ip link set dev %s up", iface);
+}
+
+static void setup_tun(uint64_t pid, bool enable_tun)
+{
+  if (enable_tun)
+    initialize_tun(pid);
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+
+  unshare(CLONE_NEWNS);
+  unshare(CLONE_NEWIPC);
+  unshare(CLONE_IO);
+}
+
+static int do_sandbox_none(int executor_pid, bool enable_tun)
+{
+  int pid = fork();
+  if (pid)
+    return pid;
+
+  sandbox_common();
+  setup_tun(executor_pid, enable_tun);
+
+  loop();
+  doexit(1);
+}
+
+static void test();
+
+void loop()
+{
+  while (1) {
+    test();
+  }
+}
+
+long r[4];
+void* thr(void* arg)
+{
+  switch ((long)arg) {
+  case 0:
+    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xf03000ul, 0x3ul, 0x32ul,
+                   0xfffffffffffffffful, 0x0ul);
+    break;
+  case 1:
+    r[1] = syscall(__NR_socket, 0x10ul, 0x3ul, 0x9ul);
+    break;
+  case 2:
+    NONFAILING(memcpy((void*)0x20f01fe1,
+                      "\x1f\x00\x00\x00\xe9\x03\x00\x00\xff\xff\xf7\x00"
+                      "\x07\x00\x31\x1f\xf6\x00\x00\x00\x00\x00\x00\x00"
+                      "\x00\x00\x00\x00\x00\x00\x06",
+                      31));
+    r[3] = syscall(__NR_write, r[1], 0x20f01fe1ul, 0x1ful);
+    break;
+  }
+  return 0;
+}
+
+void test()
+{
+  long i;
+  pthread_t th[6];
+
+  memset(r, -1, sizeof(r));
+  srand(getpid());
+  for (i = 0; i < 3; i++) {
+    pthread_create(&th[i], 0, thr, (void*)i);
+    usleep(rand() % 10000);
+  }
+  for (i = 0; i < 3; i++) {
+    pthread_create(&th[3 + i], 0, thr, (void*)i);
+    if (rand() % 2)
+      usleep(rand() % 10000);
+  }
+  usleep(rand() % 100000);
+}
+
+int main()
+{
+  int i;
+  for (i = 0; i < 8; i++) {
+    if (fork() == 0) {
+      install_segv_handler();
+      use_temporary_dir();
+      int pid = do_sandbox_none(i, true);
+      int status = 0;
+      while (waitpid(pid, &status, __WALL) != pid) {
+      }
+      return 0;
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/001410d947fa7742a85647e596c45661118c7d24.c b/syzkaller-repros/linux/001410d947fa7742a85647e596c45661118c7d24.c
new file mode 100644
index 0000000..c2263a0
--- /dev/null
+++ b/syzkaller-repros/linux/001410d947fa7742a85647e596c45661118c7d24.c
@@ -0,0 +1,341 @@
+// KASAN: use-after-free Read in p9_poll_workfn
+// https://syzkaller.appspot.com/bug?id=001410d947fa7742a85647e596c45661118c7d24
+// status:fixed
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <endian.h>
+#include <errno.h>
+#include <errno.h>
+#include <linux/futex.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+__attribute__((noreturn)) static void doexit(int status)
+{
+  volatile unsigned i;
+  syscall(__NR_exit_group, status);
+  for (i = 0;; i++) {
+  }
+}
+#include <errno.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+const int kFailStatus = 67;
+const int kRetryStatus = 69;
+
+static void fail(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
+}
+
+static uint64_t current_time_ms()
+{
+  struct timespec ts;
+
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    fail("clock_gettime failed");
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 160 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    fail("sandbox fork failed");
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  loop();
+  doexit(1);
+}
+
+static void execute_one();
+extern unsigned long long procid;
+
+static void loop()
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      fail("clone failed");
+    if (pid == 0) {
+      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+      setpgrp();
+      execute_one();
+      int fd;
+      for (fd = 3; fd < 30; fd++)
+        close(fd);
+      doexit(0);
+    }
+
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      int res = waitpid(-1, &status, __WALL | WNOHANG);
+      if (res == pid) {
+        break;
+      }
+      usleep(1000);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill(-pid, SIGKILL);
+      kill(pid, SIGKILL);
+      while (waitpid(-1, &status, __WALL) != pid) {
+      }
+      break;
+    }
+  }
+}
+
+struct thread_t {
+  int created, running, call;
+  pthread_t th;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+static int collide;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
+      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
+    syscall(SYS_futex, &th->running, FUTEX_WAKE);
+  }
+  return 0;
+}
+
+static void execute(int num_calls)
+{
+  int call, thread;
+  running = 0;
+  for (call = 0; call < num_calls; call++) {
+    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        pthread_attr_t attr;
+        pthread_attr_init(&attr);
+        pthread_attr_setstacksize(&attr, 128 << 10);
+        pthread_create(&th->th, &attr, thr, th);
+      }
+      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
+        th->call = call;
+        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
+        syscall(SYS_futex, &th->running, FUTEX_WAKE);
+        if (collide && call % 2)
+          break;
+        struct timespec ts;
+        ts.tv_sec = 0;
+        ts.tv_nsec = 20 * 1000 * 1000;
+        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
+        if (__atomic_load_n(&running, __ATOMIC_RELAXED))
+          usleep((call == num_calls - 1) ? 10000 : 1000);
+        break;
+      }
+    }
+  }
+}
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    *(uint64_t*)0x20000300 = 0x200000c0;
+    *(uint16_t*)0x200000c0 = 0xa;
+    *(uint16_t*)0x200000c2 = htobe16(0x4e22);
+    *(uint32_t*)0x200000c4 = 0;
+    *(uint8_t*)0x200000c8 = -1;
+    *(uint8_t*)0x200000c9 = 2;
+    *(uint8_t*)0x200000ca = 0;
+    *(uint8_t*)0x200000cb = 0;
+    *(uint8_t*)0x200000cc = 0;
+    *(uint8_t*)0x200000cd = 0;
+    *(uint8_t*)0x200000ce = 0;
+    *(uint8_t*)0x200000cf = 0;
+    *(uint8_t*)0x200000d0 = 0;
+    *(uint8_t*)0x200000d1 = 0;
+    *(uint8_t*)0x200000d2 = 0;
+    *(uint8_t*)0x200000d3 = 0;
+    *(uint8_t*)0x200000d4 = 0;
+    *(uint8_t*)0x200000d5 = 0;
+    *(uint8_t*)0x200000d6 = 0;
+    *(uint8_t*)0x200000d7 = 1;
+    *(uint32_t*)0x200000d8 = 7;
+    *(uint32_t*)0x20000308 = 0x80;
+    *(uint64_t*)0x20000310 = 0x20000940;
+    *(uint64_t*)0x20000318 = 0;
+    *(uint64_t*)0x20000320 = 0x20000a00;
+    *(uint64_t*)0x20000328 = 0;
+    *(uint32_t*)0x20000330 = 0;
+    syscall(__NR_sendmsg, -1, 0x20000300, 0xe803);
+    break;
+  case 1:
+    *(uint16_t*)0x20ccb000 = 2;
+    *(uint16_t*)0x20ccb002 = htobe16(0x4e20);
+    *(uint32_t*)0x20ccb004 = htobe32(0);
+    *(uint8_t*)0x20ccb008 = 0;
+    *(uint8_t*)0x20ccb009 = 0;
+    *(uint8_t*)0x20ccb00a = 0;
+    *(uint8_t*)0x20ccb00b = 0;
+    *(uint8_t*)0x20ccb00c = 0;
+    *(uint8_t*)0x20ccb00d = 0;
+    *(uint8_t*)0x20ccb00e = 0;
+    *(uint8_t*)0x20ccb00f = 0;
+    syscall(__NR_connect, -1, 0x20ccb000, 0x10);
+    break;
+  case 2:
+    res = syscall(__NR_socket, 2, 6, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 3:
+    *(uint16_t*)0x20000140 = 2;
+    *(uint16_t*)0x20000142 = htobe16(0);
+    *(uint8_t*)0x20000144 = 0xac;
+    *(uint8_t*)0x20000145 = 0x14;
+    *(uint8_t*)0x20000146 = 0x14;
+    *(uint8_t*)0x20000147 = 0xaa;
+    *(uint8_t*)0x20000148 = 0;
+    *(uint8_t*)0x20000149 = 0;
+    *(uint8_t*)0x2000014a = 0;
+    *(uint8_t*)0x2000014b = 0;
+    *(uint8_t*)0x2000014c = 0;
+    *(uint8_t*)0x2000014d = 0;
+    *(uint8_t*)0x2000014e = 0;
+    *(uint8_t*)0x2000014f = 0;
+    syscall(__NR_connect, r[0], 0x20000140, 0x10);
+    break;
+  case 4:
+    memcpy((void*)0x20000f80, "./file0", 8);
+    res = syscall(__NR_open, 0x20000f80, 0x40, 0);
+    if (res != -1)
+      r[1] = res;
+    break;
+  case 5:
+    memcpy((void*)0x20000f00, "./file0", 8);
+    memcpy((void*)0x20000f40, "9p", 3);
+    memcpy((void*)0x20000fc0, "trans=fd,", 9);
+    memcpy((void*)0x20000fc9, "rfdno", 5);
+    *(uint8_t*)0x20000fce = 0x3d;
+    sprintf((char*)0x20000fcf, "0x%016llx", (long long)r[1]);
+    *(uint8_t*)0x20000fe1 = 0x2c;
+    memcpy((void*)0x20000fe2, "wfdno", 5);
+    *(uint8_t*)0x20000fe7 = 0x3d;
+    sprintf((char*)0x20000fe8, "0x%016llx", (long long)r[0]);
+    *(uint8_t*)0x20000ffa = 0x2c;
+    *(uint8_t*)0x20000ffb = 0;
+    syscall(__NR_mount, 0, 0x20000f00, 0x20000f40, 0, 0x20000fc0);
+    break;
+  case 6:
+    *(uint16_t*)0x20000080 = 0;
+    memcpy((void*)0x20000082,
+           "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+           108);
+    syscall(__NR_connect, r[0], 0x20000080, 0x6e);
+    break;
+  }
+}
+
+void execute_one()
+{
+  execute(7);
+  collide = 1;
+  execute(7);
+}
+
+int main()
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  for (;;) {
+    do_sandbox_none();
+  }
+}
diff --git a/syzkaller-repros/linux/0036bceb487e54824818b8d6e9e0b7284af77e97.c b/syzkaller-repros/linux/0036bceb487e54824818b8d6e9e0b7284af77e97.c
new file mode 100644
index 0000000..3774c82
--- /dev/null
+++ b/syzkaller-repros/linux/0036bceb487e54824818b8d6e9e0b7284af77e97.c
@@ -0,0 +1,173 @@
+// general protection fault in ucma_accept
+// https://syzkaller.appspot.com/bug?id=0036bceb487e54824818b8d6e9e0b7284af77e97
+// status:dup
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <endian.h>
+#include <linux/futex.h>
+#include <pthread.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+static void test();
+
+void loop()
+{
+  while (1) {
+    test();
+  }
+}
+
+struct thread_t {
+  int created, running, call;
+  pthread_t th;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+static int collide;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
+      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
+    syscall(SYS_futex, &th->running, FUTEX_WAKE);
+  }
+  return 0;
+}
+
+static void execute(int num_calls)
+{
+  int call, thread;
+  running = 0;
+  for (call = 0; call < num_calls; call++) {
+    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        pthread_attr_t attr;
+        pthread_attr_init(&attr);
+        pthread_attr_setstacksize(&attr, 128 << 10);
+        pthread_create(&th->th, &attr, thr, th);
+      }
+      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
+        th->call = call;
+        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
+        syscall(SYS_futex, &th->running, FUTEX_WAKE);
+        if (collide && call % 2)
+          break;
+        struct timespec ts;
+        ts.tv_sec = 0;
+        ts.tv_nsec = 20 * 1000 * 1000;
+        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
+        if (running)
+          usleep((call == num_calls - 1) ? 10000 : 1000);
+        break;
+      }
+    }
+  }
+}
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffff};
+uint64_t procid;
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    memcpy((void*)0x200001c0, "/dev/infiniband/rdma_cm", 24);
+    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x200001c0, 2, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 1:
+    *(uint32_t*)0x20000500 = 0;
+    *(uint16_t*)0x20000504 = 0x18;
+    *(uint16_t*)0x20000506 = 0xfa00;
+    *(uint64_t*)0x20000508 = 1;
+    *(uint64_t*)0x20000510 = 0x200004c0;
+    *(uint16_t*)0x20000518 = 0x13f;
+    *(uint8_t*)0x2000051a = 8;
+    *(uint8_t*)0x2000051b = 0;
+    *(uint8_t*)0x2000051c = 0;
+    *(uint8_t*)0x2000051d = 0;
+    *(uint8_t*)0x2000051e = 0;
+    *(uint8_t*)0x2000051f = 0;
+    res = syscall(__NR_write, r[0], 0x20000500, 0x20);
+    if (res != -1)
+      r[1] = *(uint32_t*)0x200004c0;
+    break;
+  case 2:
+    *(uint32_t*)0x20000780 = 8;
+    *(uint16_t*)0x20000784 = 0x120;
+    *(uint16_t*)0x20000786 = 0xfa00;
+    *(uint64_t*)0x20000788 = 4;
+    *(uint32_t*)0x20000790 = 7;
+    *(uint32_t*)0x20000794 = 5;
+    memcpy((void*)0x20000798,
+           "\xc0\xc3\x75\xca\xc6\x1e\x68\x62\xf1\x97\xeb\x0f\xe1\x45\xd6\x16"
+           "\x30\x54\x42\x3a\xd9\x4f\xb0\xd7\xcc\x84\x98\x74\xd0\x55\x5a\xd3"
+           "\x8b\x01\x57\xbc\xec\xa7\x4a\x01\xca\x68\x21\x48\x73\xb7\xc4\x6a"
+           "\xa2\xd4\x6e\x1b\x5b\xbf\xd2\x8a\x37\xe1\x78\x55\xdb\x62\x3b\xba"
+           "\xf8\xd1\xea\x16\xc5\x00\x32\xb3\xb4\x1b\xf2\x1f\x80\xbb\xe6\x59"
+           "\xc4\x7d\xdf\x19\x9f\x7f\x34\x61\x73\xc6\xc6\x8d\x21\xc5\x6e\x8f"
+           "\xd9\xe6\xaa\x11\x44\x46\xcf\xab\x37\xd5\x66\x2b\x53\x08\xd4\xee"
+           "\xe6\x32\x07\x37\xc7\x6d\x4b\x72\xeb\xab\x0a\x85\x59\xeb\xab\xf1"
+           "\x44\x25\x25\x84\x54\x3e\x9c\xc4\x37\x2b\x55\x1a\xb5\x3a\x19\xde"
+           "\x5a\x30\x53\xd3\x8f\xe4\xce\x92\xbf\x56\x94\x16\xd4\xa0\xa4\xbb"
+           "\x80\x69\xbd\x07\xed\x74\xb1\x7a\x79\x26\xfd\x1f\x13\xf9\x21\xe8"
+           "\x92\x3f\x08\xd2\xab\x35\x0f\x0b\x88\x91\x61\x77\xc5\xb1\xdb\x4a"
+           "\x56\x9f\x67\x67\xc7\xe9\xe6\x18\x28\x41\xe0\xb0\xbe\x54\x47\xc9"
+           "\xe2\xe2\xa5\x74\x7c\x61\x9f\xc5\xc8\xf9\x5a\x89\x26\x9c\x7a\xad"
+           "\x7d\x1b\xbc\x7f\x06\xb0\x1f\xac\x8e\x14\x47\x2f\xd5\x8f\x1e\x4b"
+           "\x4f\xfa\x7c\xc8\xaa\x66\x8b\x3f\xc9\x77\xe1\xc8\xe4\x42\xb7\x79",
+           256);
+    *(uint8_t*)0x20000898 = 0xb3;
+    *(uint8_t*)0x20000899 = 1;
+    *(uint8_t*)0x2000089a = 6;
+    *(uint8_t*)0x2000089b = 6;
+    *(uint8_t*)0x2000089c = 6;
+    *(uint8_t*)0x2000089d = 0x20;
+    *(uint8_t*)0x2000089e = 0x31;
+    *(uint8_t*)0x2000089f = 1;
+    *(uint32_t*)0x200008a0 = r[1];
+    *(uint32_t*)0x200008a4 = 0;
+    syscall(__NR_write, r[0], 0x20000780, 0x128);
+    break;
+  case 3:
+    syscall(__NR_close, r[0]);
+    break;
+  }
+}
+
+void test()
+{
+  execute(4);
+  collide = 1;
+  execute(4);
+}
+
+int main()
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  for (procid = 0; procid < 8; procid++) {
+    if (fork() == 0) {
+      for (;;) {
+        loop();
+      }
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/003df0980fa340f389b427ea9d8c9c7c162e08f0.c b/syzkaller-repros/linux/003df0980fa340f389b427ea9d8c9c7c162e08f0.c
new file mode 100644
index 0000000..0338b27
--- /dev/null
+++ b/syzkaller-repros/linux/003df0980fa340f389b427ea9d8c9c7c162e08f0.c
@@ -0,0 +1,98 @@
+// KASAN: slab-out-of-bounds Write in rmd160_final
+// https://syzkaller.appspot.com/bug?id=003df0980fa340f389b427ea9d8c9c7c162e08f0
+// status:dup
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <endian.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[4] = {0x0, 0x0, 0x0, 0x0};
+void loop()
+{
+  long res = 0;
+  memcpy((void*)0x20000000, "keyring", 8);
+  *(uint8_t*)0x20000080 = 0x73;
+  *(uint8_t*)0x20000081 = 0x79;
+  *(uint8_t*)0x20000082 = 0x7a;
+  *(uint8_t*)0x20000083 = 0;
+  *(uint8_t*)0x20000084 = 0;
+  res = syscall(__NR_add_key, 0x20000000, 0x20000080, 0, 0, -1);
+  if (res != -1)
+    r[0] = res;
+  memcpy((void*)0x200000c0, "keyring", 8);
+  *(uint8_t*)0x20000180 = 0x73;
+  *(uint8_t*)0x20000181 = 0x79;
+  *(uint8_t*)0x20000182 = 0x7a;
+  *(uint8_t*)0x20000183 = 0;
+  *(uint8_t*)0x20000184 = 0;
+  res = syscall(__NR_add_key, 0x200000c0, 0x20000180, 0, 0, r[0]);
+  if (res != -1)
+    r[1] = res;
+  memcpy((void*)0x203bd000, "user", 5);
+  *(uint8_t*)0x20000040 = 0x73;
+  *(uint8_t*)0x20000041 = 0x79;
+  *(uint8_t*)0x20000042 = 0x7a;
+  *(uint8_t*)0x20000043 = 0;
+  *(uint8_t*)0x20000044 = 0;
+  memcpy((void*)0x20facfff, "\x06", 1);
+  res = syscall(__NR_add_key, 0x203bd000, 0x20000040, 0x20facfff, 1, r[1]);
+  if (res != -1)
+    r[2] = res;
+  memcpy((void*)0x20fc0ffb, "user", 5);
+  *(uint8_t*)0x20000200 = 0x73;
+  *(uint8_t*)0x20000201 = 0x79;
+  *(uint8_t*)0x20000202 = 0x7a;
+  *(uint8_t*)0x20000203 = 0x23;
+  *(uint8_t*)0x20000204 = 0;
+  memcpy((void*)0x200001c0, "\xb3", 1);
+  res = syscall(__NR_add_key, 0x20fc0ffb, 0x20000200, 0x200001c0, 1, r[1]);
+  if (res != -1)
+    r[3] = res;
+  memcpy((void*)0x200004c0,
+         "\xdf\x02\x75\x46\x77\x21\x2d\xfc\x3e\x2a\xbc\xb2\x44\x73\xe8\xe1\xcf"
+         "\xef\x09\x74\x22\x58\xcb\xae\x7b\x26\xfd\xc3\xff\xa6\x15\xd9\xda\x49"
+         "\x41\x37\xe1\x75\xe9\xf2\x78\x0a\xc5\xe2\xa0\x9f\x43\xa1\xfc\xeb\xf2"
+         "\x72\xa5\xa1\x35\xde\x92\xbf\x4a\x90\x33\x93\x38\x24\xf6\xe6\xaa\x02"
+         "\x38\x01\x4e\x32\x93\x53\x5d\x1c\x00\x66\xd2\x8e\x0f\x27\x51\x88\xb4"
+         "\xb4\xc1\x87\xe1\x87\x74\xfc\x22\x27\xcb\xb6\x61\x0f\xc6\x69\x7f\x53"
+         "\x37\x72\x61\x64\xc8\xfb\xe1\x18\x1e\x6d\x50\x98\x6c\xd9\x8a\x5c\x44"
+         "\xac\x0e\xc3\x75\xde\xb2\x7e\xaf\xcf\x7d\x06\x43\x8f\x25\x25\x10\x04"
+         "\x00\x00\x00\x03\xe7\xdc\x2f\x8f\xd8\x5a\xdc\xd8\x8c\xa3\x0e\x75\xb1"
+         "\xe1\x43\x26\x2d\x94\xde\xfa\x18\x7e\x48\x2a\x9b\x9a\x9a\x38\x73\x53"
+         "\xdf\x7a\x21\xaf\xfc\xe4\xe9\x14\x9e\x04\x00\x00\x00\x00\x00\x00\x00"
+         "\x65\xaf\xd9\x79\xe9",
+         192);
+  syscall(__NR_keyctl, 2, r[3], 0x200004c0, 0xc0);
+  *(uint32_t*)0x20000100 = r[2];
+  *(uint32_t*)0x20000104 = r[3];
+  *(uint32_t*)0x20000108 = r[3];
+  *(uint64_t*)0x20c61fc8 = 0x20000140;
+  memcpy((void*)0x20000140,
+         "\x72\x6d\x64\x31\x36\x30\x2d\x67\x65\x6e\x65\x72\x69\x63\x00\x00\x00"
+         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+         64);
+  *(uint64_t*)0x20c61fd0 = 0;
+  *(uint32_t*)0x20c61fd8 = 0;
+  *(uint32_t*)0x20c61fdc = 0;
+  *(uint32_t*)0x20c61fe0 = 0;
+  *(uint32_t*)0x20c61fe4 = 0;
+  *(uint32_t*)0x20c61fe8 = 0;
+  *(uint32_t*)0x20c61fec = 0;
+  *(uint32_t*)0x20c61ff0 = 0;
+  *(uint32_t*)0x20c61ff4 = 0;
+  *(uint32_t*)0x20c61ff8 = 0;
+  syscall(__NR_keyctl, 0x17, 0x20000100, 0x20a53ffb, 5, 0x20c61fc8);
+}
+
+int main()
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/0041bf1423916e9ae458b08b760e269a33c14960.c b/syzkaller-repros/linux/0041bf1423916e9ae458b08b760e269a33c14960.c
new file mode 100644
index 0000000..667ee44
--- /dev/null
+++ b/syzkaller-repros/linux/0041bf1423916e9ae458b08b760e269a33c14960.c
@@ -0,0 +1,201 @@
+// BUG: workqueue lockup (4)
+// https://syzkaller.appspot.com/bug?id=0041bf1423916e9ae458b08b760e269a33c14960
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <endian.h>
+#include <pthread.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  if (pthread_create(&th, &attr, fn, arg))
+    exit(1);
+  pthread_attr_destroy(&attr);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void loop(void)
+{
+  int i, call, thread;
+  for (call = 0; call < 4; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    memcpy((void*)0x20000040, "/dev/rtc0", 10);
+    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 1:
+    syscall(__NR_ioctl, r[0], 0x7003);
+    break;
+  case 2:
+    *(uint32_t*)0x20000000 = 0;
+    *(uint32_t*)0x20000004 = 0;
+    *(uint32_t*)0x20000008 = 0;
+    *(uint32_t*)0x2000000c = 0x1f;
+    *(uint32_t*)0x20000010 = 0;
+    *(uint32_t*)0x20000014 = 0xa0;
+    *(uint32_t*)0x20000018 = 0;
+    *(uint32_t*)0x2000001c = 0;
+    *(uint32_t*)0x20000020 = 0;
+    syscall(__NR_ioctl, r[0], 0x4024700a, 0x20000000);
+    break;
+  case 3:
+    memcpy((void*)0x200000c0,
+           "\x2a\xf4\x9e\xe8\x10\xa9\xdb\x8a\xd3\x10\x2f\x61\x86\xaa\x74\x0f"
+           "\xf0\x9a\x70\x78\x21\x19\xad\xe7\xa3\xb6\x79\x3d\x91\xaf\xcd\x26"
+           "\xe6\x3f\xeb\x21\xf7\x60\xbf\xe8\x45\x3a\x86\xc5\xfb\xc7\xcb\x66"
+           "\x39\x41\x6e\x63\x70\xa4\x71\x34\xee\xef\xbe\x23\xbe\x3a\x8d\xf8"
+           "\x0b\xcf\x38\xe3\x1d\xb8\x51\x73\x54\x80\xfa\x50\xb1\x99\xdb\x1e"
+           "\xa6\xf1\x7a\x36\x1e\xbb\x5e\xfd\x4b\xaf\x08\x31\x07\xcf\x22\xc7"
+           "\xb9\xc2\xa0\x9d\xb8\x3f\x6c\xa2\xb1\xdb\x67\x5e\xf4\xe2\xf9\x90"
+           "\x83\x75\x63\xb6\xeb\x49\xb7\xc7\xa7\x50\x3a\x0a\xff\x9f\xda\xc4"
+           "\x8e\x96\xd9\x30\xfe\x55\xb5\x95\x83\x94\xb4\x92\x8b\x14\x3c\xb7"
+           "\x34\xc1\xbf\x7e\x63\x9b\x25\x74\x64\x5d\xd1\xf9\x06\x75\x21\xec"
+           "\x70\xde\x55\xb1\xbc\x07\xe0\xd9\x7c\x0c\x49\xc3\x19\x74\x0d\xa6"
+           "\xb9\xc6\xd7\xe9\x19\x85\x38\x97\x24\x4d\x6e\x2c\x99\x5f\x57\xe1"
+           "\xb4\xa4\xd2\x69\x93\xcd\x58\x6f\x1a\x89\xeb\x9e\x0b\x14\x47\x01"
+           "\x83\x51\xbc\x3c\xe1\x9e\x95\x43\x80\x62\xb3\x0a\x76\x3b\x94\x1e"
+           "\x7b\x8d\xbd\x3f\x9f\x90\xf1\x12\x8b\xf7\xb8\xa9\x3d\x32\x2e\xac"
+           "\xe1\xa9\xb4\xb8\x55\x07\x26\x47\x6a\x08\xa3\xbc\xb6\x7f\x07\x8b",
+           256);
+    syscall(__NR_ioctl, r[0], 0x41009432, 0x200000c0);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/004b0f7b61d4901cbfecfc33de7996e8cbe0a278.c b/syzkaller-repros/linux/004b0f7b61d4901cbfecfc33de7996e8cbe0a278.c
new file mode 100644
index 0000000..8f2907d
--- /dev/null
+++ b/syzkaller-repros/linux/004b0f7b61d4901cbfecfc33de7996e8cbe0a278.c
@@ -0,0 +1,1100 @@
+// WARNING in smc_unhash_sk
+// https://syzkaller.appspot.com/bug?id=004b0f7b61d4901cbfecfc33de7996e8cbe0a278
+// status:fixed
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <arpa/inet.h>
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <errno.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <fcntl.h>
+#include <linux/capability.h>
+#include <linux/futex.h>
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/if_tun.h>
+#include <linux/ip.h>
+#include <linux/net.h>
+#include <linux/tcp.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdarg.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdio.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+__attribute__((noreturn)) static void doexit(int status)
+{
+  volatile unsigned i;
+  syscall(__NR_exit_group, status);
+  for (i = 0;; i++) {
+  }
+}
+#include <errno.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <string.h>
+#include <sys/stat.h>
+
+const int kFailStatus = 67;
+const int kRetryStatus = 69;
+
+static void fail(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
+}
+
+static void exitf(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit(kRetryStatus);
+}
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* uctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  doexit(sig);
+}
+
+static void install_segv_handler()
+{
+  struct sigaction sa;
+
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static uint64_t current_time_ms()
+{
+  struct timespec ts;
+
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    fail("clock_gettime failed");
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir()
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    fail("failed to mkdtemp");
+  if (chmod(tmpdir, 0777))
+    fail("failed to chmod");
+  if (chdir(tmpdir))
+    fail("failed to chdir");
+}
+
+static void vsnprintf_check(char* str, size_t size, const char* format,
+                            va_list args)
+{
+  int rv;
+
+  rv = vsnprintf(str, size, format, args);
+  if (rv < 0)
+    fail("tun: snprintf failed");
+  if ((size_t)rv >= size)
+    fail("tun: string '%s...' doesn't fit into buffer", str);
+}
+
+static void snprintf_check(char* str, size_t size, const char* format, ...)
+{
+  va_list args;
+
+  va_start(args, format);
+  vsnprintf_check(str, size, format, args);
+  va_end(args);
+}
+
+#define COMMAND_MAX_LEN 128
+#define PATH_PREFIX                                                            \
+  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
+#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)
+
+static void execute_command(bool panic, const char* format, ...)
+{
+  va_list args;
+  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
+  int rv;
+
+  va_start(args, format);
+  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
+  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
+  rv = system(command);
+  if (panic && rv != 0)
+    fail("tun: command \"%s\" failed with code %d", &command[0], rv);
+
+  va_end(args);
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define MAX_PIDS 32
+#define ADDR_MAX_LEN 32
+
+#define LOCAL_MAC "aa:aa:aa:aa:%02hx:aa"
+#define REMOTE_MAC "aa:aa:aa:aa:%02hx:bb"
+
+#define LOCAL_IPV4 "172.20.%d.170"
+#define REMOTE_IPV4 "172.20.%d.187"
+
+#define LOCAL_IPV6 "fe80::%02hx:aa"
+#define REMOTE_IPV6 "fe80::%02hx:bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(int id)
+{
+  if (id >= MAX_PIDS)
+    fail("tun: no more than %d executors", MAX_PIDS);
+
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+
+  char iface[IFNAMSIZ];
+  snprintf_check(iface, sizeof(iface), "syz%d", id);
+
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, iface, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      fail("tun: ioctl(TUNSETIFF) failed");
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    fail("tun: ioctl(TUNGETIFF) failed");
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+
+  char local_mac[ADDR_MAX_LEN];
+  snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
+  char remote_mac[ADDR_MAX_LEN];
+  snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);
+
+  char local_ipv4[ADDR_MAX_LEN];
+  snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
+  char remote_ipv4[ADDR_MAX_LEN];
+  snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);
+
+  char local_ipv6[ADDR_MAX_LEN];
+  snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
+  char remote_ipv6[ADDR_MAX_LEN];
+  snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);
+
+  execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", iface);
+
+  execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
+                  iface);
+
+  execute_command(1, "ip link set dev %s address %s", iface, local_mac);
+  execute_command(1, "ip addr add %s/24 dev %s", local_ipv4, iface);
+  execute_command(1, "ip -6 addr add %s/120 dev %s", local_ipv6, iface);
+  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
+                  remote_ipv4, remote_mac, iface);
+  execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
+                  remote_ipv6, remote_mac, iface);
+  execute_command(1, "ip link set dev %s up", iface);
+}
+
+#define DEV_IPV4 "172.20.%d.%d"
+#define DEV_IPV6 "fe80::%02hx:%02hx"
+#define DEV_MAC "aa:aa:aa:aa:%02hx:%02hx"
+
+static void initialize_netdevices(int id)
+{
+  unsigned i;
+  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "veth"};
+  const char* devnames[] = {"lo",       "sit0",    "bridge0", "vcan0",
+                            "tunl0",    "gre0",    "gretap0", "ip_vti0",
+                            "ip6_vti0", "ip6tnl0", "ip6gre0", "ip6gretap0",
+                            "erspan0",  "bond0",   "veth0",   "veth1"};
+
+  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
+    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
+  execute_command(0, "ip link add dev veth1 type veth");
+  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
+    char addr[ADDR_MAX_LEN];
+    snprintf_check(addr, sizeof(addr), DEV_IPV4, id, id + 10);
+    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_IPV6, id, id + 10);
+    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_MAC, id, id + 10);
+    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
+    execute_command(0, "ip link set dev %s up", devnames[i]);
+  }
+}
+
+static void setup_tun(uint64_t pid, bool enable_tun)
+{
+  if (enable_tun) {
+    initialize_tun(pid);
+    initialize_netdevices(pid);
+  }
+}
+
+static int read_tun(char* data, int size)
+{
+  if (tunfd < 0)
+    return -1;
+
+  int rv = read(tunfd, data, size);
+  if (rv < 0) {
+    if (errno == EAGAIN)
+      return -1;
+    if (errno == EBADFD)
+      return -1;
+    fail("tun: read failed with %d", rv);
+  }
+  return rv;
+}
+
+static void flush_tun()
+{
+  char data[SYZ_TUN_MAX_PACKET_SIZE];
+  while (read_tun(&data[0], sizeof(data)) != -1)
+    ;
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+
+#define CLONE_NEWCGROUP 0x02000000
+
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(CLONE_NEWCGROUP)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    close(fd);
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static int real_uid;
+static int real_gid;
+__attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20];
+
+static int namespace_sandbox_proc(void* arg)
+{
+  sandbox_common();
+
+  write_file("/proc/self/setgroups", "deny");
+  if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid))
+    fail("write of /proc/self/uid_map failed");
+  if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
+    fail("write of /proc/self/gid_map failed");
+
+  if (unshare(CLONE_NEWNET))
+    fail("unshare(CLONE_NEWNET)");
+  setup_tun((long)arg >> 1, (long)arg & 1);
+
+  if (mkdir("./syz-tmp", 0777))
+    fail("mkdir(syz-tmp) failed");
+  if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
+    fail("mount(tmpfs) failed");
+  if (mkdir("./syz-tmp/newroot", 0777))
+    fail("mkdir failed");
+  if (mkdir("./syz-tmp/newroot/dev", 0700))
+    fail("mkdir failed");
+  unsigned mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
+  if (mount("/dev", "./syz-tmp/newroot/dev", NULL, mount_flags, NULL))
+    fail("mount(dev) failed");
+  if (mkdir("./syz-tmp/newroot/proc", 0700))
+    fail("mkdir failed");
+  if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL))
+    fail("mount(proc) failed");
+  if (mkdir("./syz-tmp/newroot/selinux", 0700))
+    fail("mkdir failed");
+  const char* selinux_path = "./syz-tmp/newroot/selinux";
+  if (mount("/selinux", selinux_path, NULL, mount_flags, NULL) &&
+      mount("/sys/fs/selinux", selinux_path, NULL, mount_flags, NULL))
+    fail("mount(selinuxfs) failed");
+  if (mkdir("./syz-tmp/pivot", 0777))
+    fail("mkdir failed");
+  if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
+    if (chdir("./syz-tmp"))
+      fail("chdir failed");
+  } else {
+    if (chdir("/"))
+      fail("chdir failed");
+    if (umount2("./pivot", MNT_DETACH))
+      fail("umount failed");
+  }
+  if (chroot("./newroot"))
+    fail("chroot failed");
+  if (chdir("/"))
+    fail("chdir failed");
+
+  struct __user_cap_header_struct cap_hdr = {};
+  struct __user_cap_data_struct cap_data[2] = {};
+  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  cap_hdr.pid = getpid();
+  if (syscall(SYS_capget, &cap_hdr, &cap_data))
+    fail("capget failed");
+  cap_data[0].effective &= ~(1 << CAP_SYS_PTRACE);
+  cap_data[0].permitted &= ~(1 << CAP_SYS_PTRACE);
+  cap_data[0].inheritable &= ~(1 << CAP_SYS_PTRACE);
+  if (syscall(SYS_capset, &cap_hdr, &cap_data))
+    fail("capset failed");
+
+  loop();
+  doexit(1);
+}
+
+static int do_sandbox_namespace(int executor_pid, bool enable_tun)
+{
+  int pid;
+
+  real_uid = getuid();
+  real_gid = getgid();
+  mprotect(sandbox_stack, 4096, PROT_NONE);
+  void* arg = (void*)(long)((executor_pid << 1) | enable_tun);
+  pid =
+      clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64],
+            CLONE_NEWUSER | CLONE_NEWPID, arg);
+  if (pid < 0)
+    fail("sandbox clone failed");
+  return pid;
+}
+
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+  uint64_t pcnt, bcnt;
+};
+
+struct ipt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct ipt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct ipt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct ipt_table_desc {
+  const char* name;
+  struct ipt_getinfo info;
+  struct ipt_replace replace;
+};
+
+static struct ipt_table_desc ipv4_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+#define IPT_BASE_CTL 64
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+
+struct arpt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct arpt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+  const char* name;
+  struct arpt_getinfo info;
+  struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
+                                int family, int level)
+{
+  struct ipt_get_entries entries;
+  socklen_t optlen;
+  int fd, i;
+
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      fail("getsockopt(IPT_SO_GET_INFO)");
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      fail("table size is too large: %u", table->info.size);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      fail("too many counters: %u", table->info.num_entries);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+      fail("getsockopt(IPT_SO_GET_ENTRIES)");
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
+                           int family, int level)
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct ipt_get_entries entries;
+  struct ipt_getinfo info;
+  socklen_t optlen;
+  int fd, i;
+
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
+      fail("getsockopt(IPT_SO_GET_INFO)");
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+        fail("getsockopt(IPT_SO_GET_ENTRIES)");
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
+      fail("setsockopt(IPT_SO_SET_REPLACE)");
+  }
+  close(fd);
+}
+
+static void checkpoint_arptables(void)
+{
+  struct arpt_get_entries entries;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      fail("getsockopt(ARPT_SO_GET_INFO)");
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      fail("table size is too large: %u", table->info.size);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      fail("too many counters: %u", table->info.num_entries);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+      fail("getsockopt(ARPT_SO_GET_ENTRIES)");
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_arptables()
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct arpt_get_entries entries;
+  struct arpt_getinfo info;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+      fail("getsockopt(ARPT_SO_GET_INFO)");
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+        fail("getsockopt(ARPT_SO_GET_ENTRIES)");
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+      fail("setsockopt(ARPT_SO_SET_REPLACE)");
+  }
+  close(fd);
+}
+#include <linux/if.h>
+#include <linux/netfilter_bridge/ebtables.h>
+
+struct ebt_table_desc {
+  const char* name;
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+static struct ebt_table_desc ebt_tables[] = {
+    {.name = "filter"}, {.name = "nat"}, {.name = "broute"},
+};
+
+static void checkpoint_ebtables(void)
+{
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
+                   &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      fail("getsockopt(EBT_SO_GET_INIT_INFO)");
+    }
+    if (table->replace.entries_size > sizeof(table->entrytable))
+      fail("table size is too large: %u", table->replace.entries_size);
+    table->replace.num_counters = 0;
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
+                   &optlen))
+      fail("getsockopt(EBT_SO_GET_INIT_ENTRIES)");
+  }
+  close(fd);
+}
+
+static void reset_ebtables()
+{
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+  socklen_t optlen;
+  unsigned i, j, h;
+  int fd;
+
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1)
+    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    if (table->replace.valid_hooks == 0)
+      continue;
+    memset(&replace, 0, sizeof(replace));
+    strcpy(replace.name, table->name);
+    optlen = sizeof(replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
+      fail("getsockopt(EBT_SO_GET_INFO)");
+    replace.num_counters = 0;
+    for (h = 0; h < NF_BR_NUMHOOKS; h++)
+      table->replace.hook_entry[h] = 0;
+    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
+      memset(&entrytable, 0, sizeof(entrytable));
+      replace.entries = entrytable;
+      optlen = sizeof(replace) + replace.entries_size;
+      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
+        fail("getsockopt(EBT_SO_GET_ENTRIES)");
+      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
+        continue;
+    }
+    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
+      if (table->replace.valid_hooks & (1 << h)) {
+        table->replace.hook_entry[h] =
+            (struct ebt_entries*)table->entrytable + j;
+        j++;
+      }
+    }
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
+      fail("setsockopt(EBT_SO_SET_ENTRIES)");
+  }
+  close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+  checkpoint_ebtables();
+  checkpoint_arptables();
+  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                      AF_INET, SOL_IP);
+  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                      AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+  reset_ebtables();
+  reset_arptables();
+  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                 AF_INET, SOL_IP);
+  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                 AF_INET6, SOL_IPV6);
+}
+
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
+    }
+    exitf("opendir(%s) failed", dir);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    struct stat st;
+    if (lstat(filename, &st))
+      exitf("lstat(%s) failed", filename);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exitf("unlink(%s) failed", filename);
+      if (umount2(filename, MNT_DETACH))
+        exitf("umount(%s) failed", filename);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exitf("umount(%s) failed", dir);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exitf("rmdir(%s) failed", dir);
+  }
+}
+
+static void test();
+
+void loop()
+{
+  int iter;
+  checkpoint_net_namespace();
+  for (iter = 0;; iter++) {
+    char cwdbuf[256];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      fail("failed to mkdir");
+    int pid = fork();
+    if (pid < 0)
+      fail("loop fork failed");
+    if (pid == 0) {
+      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+      setpgrp();
+      if (chdir(cwdbuf))
+        fail("failed to chdir");
+      flush_tun();
+      test();
+      doexit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      int res = waitpid(-1, &status, __WALL | WNOHANG);
+      if (res == pid)
+        break;
+      usleep(1000);
+      if (current_time_ms() - start > 5 * 1000) {
+        kill(-pid, SIGKILL);
+        kill(pid, SIGKILL);
+        while (waitpid(-1, &status, __WALL) != pid) {
+        }
+        break;
+      }
+    }
+    remove_dir(cwdbuf);
+    reset_net_namespace();
+  }
+}
+
+struct thread_t {
+  int created, running, call;
+  pthread_t th;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+static int collide;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
+      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
+    syscall(SYS_futex, &th->running, FUTEX_WAKE);
+  }
+  return 0;
+}
+
+static void execute(int num_calls)
+{
+  int call, thread;
+  running = 0;
+  for (call = 0; call < num_calls; call++) {
+    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        pthread_attr_t attr;
+        pthread_attr_init(&attr);
+        pthread_attr_setstacksize(&attr, 128 << 10);
+        pthread_create(&th->th, &attr, thr, th);
+      }
+      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
+        th->call = call;
+        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
+        syscall(SYS_futex, &th->running, FUTEX_WAKE);
+        if (collide && call % 2)
+          break;
+        struct timespec ts;
+        ts.tv_sec = 0;
+        ts.tv_nsec = 20 * 1000 * 1000;
+        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
+        if (running)
+          usleep((call == num_calls - 1) ? 10000 : 1000);
+        break;
+      }
+    }
+  }
+}
+
+#ifndef __NR_bpf
+#define __NR_bpf 321
+#endif
+
+long r[2];
+void execute_call(int call)
+{
+  switch (call) {
+  case 0:
+    r[0] = syscall(__NR_socket, 0x2b, 1, 0);
+    break;
+  case 1:
+    NONFAILING(*(uint32_t*)0x20000000 = 0);
+    NONFAILING(*(uint32_t*)0x20000004 = 2);
+    NONFAILING(*(uint32_t*)0x20000008 = 0x18);
+    r[1] = syscall(__NR_bpf, 0xe, 0x20000000, 0xc);
+    break;
+  case 2:
+    NONFAILING(*(uint32_t*)0x200010c0 = r[1]);
+    NONFAILING(*(uint64_t*)0x200010c8 = 0x20000040);
+    NONFAILING(*(uint64_t*)0x200010d0 = 0x200000c0);
+    syscall(__NR_bpf, 4, 0x200010c0, 0x18);
+    break;
+  case 3:
+    NONFAILING(*(uint32_t*)0x20000080 = r[0]);
+    NONFAILING(*(uint16_t*)0x20000084 = 0);
+    NONFAILING(*(uint16_t*)0x20000086 = 0);
+    syscall(__NR_poll, 0x20000080, 1, 0);
+    break;
+  case 4:
+    NONFAILING(*(uint16_t*)0x20000000 = 2);
+    NONFAILING(*(uint16_t*)0x20000002 = 0);
+    NONFAILING(*(uint32_t*)0x20000004 = htobe32(0));
+    NONFAILING(*(uint8_t*)0x20000008 = 0);
+    NONFAILING(*(uint8_t*)0x20000009 = 0);
+    NONFAILING(*(uint8_t*)0x2000000a = 0);
+    NONFAILING(*(uint8_t*)0x2000000b = 0);
+    NONFAILING(*(uint8_t*)0x2000000c = 0);
+    NONFAILING(*(uint8_t*)0x2000000d = 0);
+    NONFAILING(*(uint8_t*)0x2000000e = 0);
+    NONFAILING(*(uint8_t*)0x2000000f = 0);
+    syscall(__NR_connect, r[0], 0x20000000, 0x10);
+    break;
+  }
+}
+
+void test()
+{
+  memset(r, -1, sizeof(r));
+  execute(5);
+  collide = 1;
+  execute(5);
+}
+
+int main()
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  install_segv_handler();
+  char* cwd = get_current_dir_name();
+  for (;;) {
+    if (chdir(cwd))
+      fail("failed to chdir");
+    use_temporary_dir();
+    int pid = do_sandbox_namespace(0, true);
+    int status = 0;
+    while (waitpid(pid, &status, __WALL) != pid) {
+    }
+  }
+}
diff --git a/syzkaller-repros/linux/00571b0688c5a07b5115e1a3a52e2512c71a5bb2.c b/syzkaller-repros/linux/00571b0688c5a07b5115e1a3a52e2512c71a5bb2.c
new file mode 100644
index 0000000..a06c1c6
--- /dev/null
+++ b/syzkaller-repros/linux/00571b0688c5a07b5115e1a3a52e2512c71a5bb2.c
@@ -0,0 +1,309 @@
+// kernel BUG at fs/ext4/fsync.c:LINE!
+// https://syzkaller.appspot.com/bug?id=00571b0688c5a07b5115e1a3a52e2512c71a5bb2
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+
+unsigned long long procid;
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  if (pthread_create(&th, &attr, fn, arg))
+    exit(1);
+  pthread_attr_destroy(&attr);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+}
+
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void execute_one(void)
+{
+  int i, call, thread;
+  for (call = 0; call < 8; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+
+uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0};
+
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    memcpy((void*)0x20000700, "./bus\x00", 6);
+    res = syscall(__NR_creat, 0x20000700, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 1:
+    *(uint64_t*)0x20000140 = 0x20008088;
+    syscall(__NR_ioctl, r[0], 0x40086602, 0x20000140);
+    break;
+  case 2:
+    memcpy((void*)0x20000040, "./bus\x00", 6);
+    res = syscall(__NR_creat, 0x20000040, 0);
+    if (res != -1)
+      r[1] = res;
+    break;
+  case 3:
+    *(uint32_t*)0x20000000 = 0xfffffee5;
+    *(uint32_t*)0x20000004 = 0;
+    *(uint64_t*)0x20000008 = 0;
+    *(uint32_t*)0x20000010 = 0;
+    *(uint32_t*)0x20000014 = 0;
+    *(uint32_t*)0x20000018 = 0;
+    *(uint32_t*)0x2000001c = 0;
+    syscall(__NR_write, r[1], 0x20000000, 0xfffffeba);
+    break;
+  case 4:
+    syscall(__NR_fcntl, r[1], 4, 0x44000);
+    break;
+  case 5:
+    *(uint64_t*)0x20000180 = 0x10000;
+    syscall(__NR_ioctl, r[1], 0x40086602, 0x20000180);
+    break;
+  case 6:
+    res = syscall(__NR_io_setup, 0x105, 0x20000080);
+    if (res != -1)
+      r[2] = *(uint64_t*)0x20000080;
+    break;
+  case 7:
+    *(uint64_t*)0x20000540 = 0x200000c0;
+    *(uint64_t*)0x200000c0 = 0;
+    *(uint32_t*)0x200000c8 = 0;
+    *(uint32_t*)0x200000cc = 0;
+    *(uint16_t*)0x200000d0 = 1;
+    *(uint16_t*)0x200000d2 = 0;
+    *(uint32_t*)0x200000d4 = r[1];
+    *(uint64_t*)0x200000d8 = 0x20000000;
+    *(uint64_t*)0x200000e0 = 0x10000;
+    *(uint64_t*)0x200000e8 = 0;
+    *(uint64_t*)0x200000f0 = 0;
+    *(uint32_t*)0x200000f8 = 0;
+    *(uint32_t*)0x200000fc = -1;
+    syscall(__NR_io_submit, r[2], 1, 0x20000540);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  for (procid = 0; procid < 6; procid++) {
+    if (fork() == 0) {
+      loop();
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/0084fd109a7a10011e183a357715c91cff2cacb0.c b/syzkaller-repros/linux/0084fd109a7a10011e183a357715c91cff2cacb0.c
new file mode 100644
index 0000000..e921ded
--- /dev/null
+++ b/syzkaller-repros/linux/0084fd109a7a10011e183a357715c91cff2cacb0.c
@@ -0,0 +1,25 @@
+// WARNING in alloc_pages_vma
+// https://syzkaller.appspot.com/bug?id=0084fd109a7a10011e183a357715c91cff2cacb0
+// status:fixed
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <endian.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+
+  *(uint64_t*)0x200001c0 = 0x80000001;
+  syscall(__NR_mbind, 0x20012000, 0xc00000, 0x8002, 0x200001c0, 0xfe, 0);
+  syscall(__NR_get_mempolicy, 0, 0x203e8000, 0x401, 0x208d3000, 3);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00939facb41d022d8694274c584487d484ba7260.c b/syzkaller-repros/linux/00939facb41d022d8694274c584487d484ba7260.c
new file mode 100644
index 0000000..1f1f2c5
--- /dev/null
+++ b/syzkaller-repros/linux/00939facb41d022d8694274c584487d484ba7260.c
@@ -0,0 +1,738 @@
+// KASAN: use-after-free Read in sctp_association_free
+// https://syzkaller.appspot.com/bug?id=00939facb41d022d8694274c584487d484ba7260
+// status:fixed
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <errno.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/capability.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+__attribute__((noreturn)) static void doexit(int status)
+{
+  volatile unsigned i;
+  syscall(__NR_exit_group, status);
+  for (i = 0;; i++) {
+  }
+}
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+const int kFailStatus = 67;
+const int kRetryStatus = 69;
+
+static void fail(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
+}
+
+static void exitf(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit(kRetryStatus);
+}
+
+static uint64_t current_time_ms()
+{
+  struct timespec ts;
+
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    fail("clock_gettime failed");
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir()
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    fail("failed to mkdtemp");
+  if (chmod(tmpdir, 0777))
+    fail("failed to chmod");
+  if (chdir(tmpdir))
+    fail("failed to chdir");
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+
+  unshare(CLONE_NEWNS);
+  unshare(CLONE_NEWIPC);
+  unshare(CLONE_IO);
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    close(fd);
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static int real_uid;
+static int real_gid;
+__attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20];
+
+static int namespace_sandbox_proc(void* arg)
+{
+  sandbox_common();
+
+  write_file("/proc/self/setgroups", "deny");
+  if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid))
+    fail("write of /proc/self/uid_map failed");
+  if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
+    fail("write of /proc/self/gid_map failed");
+
+  if (mkdir("./syz-tmp", 0777))
+    fail("mkdir(syz-tmp) failed");
+  if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
+    fail("mount(tmpfs) failed");
+  if (mkdir("./syz-tmp/newroot", 0777))
+    fail("mkdir failed");
+  if (mkdir("./syz-tmp/newroot/dev", 0700))
+    fail("mkdir failed");
+  if (mount("/dev", "./syz-tmp/newroot/dev", NULL,
+            MS_BIND | MS_REC | MS_PRIVATE, NULL))
+    fail("mount(dev) failed");
+  if (mkdir("./syz-tmp/newroot/proc", 0700))
+    fail("mkdir failed");
+  if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL))
+    fail("mount(proc) failed");
+  if (mkdir("./syz-tmp/pivot", 0777))
+    fail("mkdir failed");
+  if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
+    if (chdir("./syz-tmp"))
+      fail("chdir failed");
+  } else {
+    if (chdir("/"))
+      fail("chdir failed");
+    if (umount2("./pivot", MNT_DETACH))
+      fail("umount failed");
+  }
+  if (chroot("./newroot"))
+    fail("chroot failed");
+  if (chdir("/"))
+    fail("chdir failed");
+
+  struct __user_cap_header_struct cap_hdr = {};
+  struct __user_cap_data_struct cap_data[2] = {};
+  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  cap_hdr.pid = getpid();
+  if (syscall(SYS_capget, &cap_hdr, &cap_data))
+    fail("capget failed");
+  cap_data[0].effective &= ~(1 << CAP_SYS_PTRACE);
+  cap_data[0].permitted &= ~(1 << CAP_SYS_PTRACE);
+  cap_data[0].inheritable &= ~(1 << CAP_SYS_PTRACE);
+  if (syscall(SYS_capset, &cap_hdr, &cap_data))
+    fail("capset failed");
+
+  loop();
+  doexit(1);
+}
+
+static int do_sandbox_namespace(int executor_pid, bool enable_tun)
+{
+
+  real_uid = getuid();
+  real_gid = getgid();
+  mprotect(sandbox_stack, 4096, PROT_NONE);
+  return clone(
+      namespace_sandbox_proc,
+      &sandbox_stack[sizeof(sandbox_stack) - 64],
+      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNET, NULL);
+}
+
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exitf("opendir(%s) failed due to NOFILE, exiting");
+    }
+    exitf("opendir(%s) failed", dir);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    struct stat st;
+    if (lstat(filename, &st))
+      exitf("lstat(%s) failed", filename);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exitf("unlink(%s) failed", filename);
+      if (umount2(filename, MNT_DETACH))
+        exitf("umount(%s) failed", filename);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exitf("umount(%s) failed", dir);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exitf("rmdir(%s) failed", dir);
+  }
+}
+
+static void test();
+
+void loop()
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    char cwdbuf[256];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      fail("failed to mkdir");
+    int pid = fork();
+    if (pid < 0)
+      fail("clone failed");
+    if (pid == 0) {
+      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+      setpgrp();
+      if (chdir(cwdbuf))
+        fail("failed to chdir");
+      test();
+      doexit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      int res = waitpid(-1, &status, __WALL | WNOHANG);
+      if (res == pid)
+        break;
+      usleep(1000);
+      if (current_time_ms() - start > 5 * 1000) {
+        kill(-pid, SIGKILL);
+        kill(pid, SIGKILL);
+        while (waitpid(-1, &status, __WALL) != pid) {
+        }
+        break;
+      }
+    }
+    remove_dir(cwdbuf);
+  }
+}
+
+#ifndef __NR_mmap
+#define __NR_mmap 90
+#endif
+#ifndef __NR_socket
+#define __NR_socket 359
+#endif
+#ifndef __NR_setsockopt
+#define __NR_setsockopt 366
+#endif
+#ifndef __NR_sendmsg
+#define __NR_sendmsg 370
+#endif
+#ifndef __NR_sendto
+#define __NR_sendto 369
+#endif
+#ifndef __NR_ioctl
+#define __NR_ioctl 54
+#endif
+#undef __NR_mmap
+#define __NR_mmap __NR_mmap2
+
+long r[65];
+void* thr(void* arg)
+{
+  switch ((long)arg) {
+  case 0:
+    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
+                   0xfffffffffffffffful, 0x0ul);
+    break;
+  case 1:
+    r[1] = syscall(__NR_socket, 0xaul, 0x5ul, 0x8010000000000084ul);
+    break;
+  case 2:
+    *(uint32_t*)0x20c01ffc = (uint32_t)0xac8;
+    r[3] = syscall(__NR_setsockopt, r[1], 0x1ul, 0x7ul, 0x20c01ffcul,
+                   0x4ul);
+    break;
+  case 3:
+    *(uint32_t*)0x20267000 = (uint32_t)0x205e3000;
+    *(uint32_t*)0x20267004 = (uint32_t)0x10;
+    *(uint32_t*)0x20267008 = (uint32_t)0x20ca6f80;
+    *(uint32_t*)0x2026700c = (uint32_t)0x8;
+    *(uint32_t*)0x20267010 = (uint32_t)0x20000000;
+    *(uint32_t*)0x20267014 = (uint32_t)0x0;
+    *(uint32_t*)0x20267018 = (uint32_t)0x20000000;
+    *(uint16_t*)0x205e3000 = (uint16_t)0x2;
+    *(uint16_t*)0x205e3002 = (uint16_t)0x234e;
+    *(uint8_t*)0x205e3004 = (uint8_t)0xac;
+    *(uint8_t*)0x205e3005 = (uint8_t)0x14;
+    *(uint8_t*)0x205e3006 = (uint8_t)0x0;
+    *(uint8_t*)0x205e3007 = (uint8_t)0xaa;
+    *(uint8_t*)0x205e3008 = (uint8_t)0x0;
+    *(uint8_t*)0x205e3009 = (uint8_t)0x0;
+    *(uint8_t*)0x205e300a = (uint8_t)0x0;
+    *(uint8_t*)0x205e300b = (uint8_t)0x0;
+    *(uint8_t*)0x205e300c = (uint8_t)0x0;
+    *(uint8_t*)0x205e300d = (uint8_t)0x0;
+    *(uint8_t*)0x205e300e = (uint8_t)0x0;
+    *(uint8_t*)0x205e300f = (uint8_t)0x0;
+    *(uint32_t*)0x20ca6f80 = (uint32_t)0x20230000;
+    *(uint32_t*)0x20ca6f84 = (uint32_t)0x1000;
+    *(uint32_t*)0x20ca6f88 = (uint32_t)0x208d5f07;
+    *(uint32_t*)0x20ca6f8c = (uint32_t)0x0;
+    *(uint32_t*)0x20ca6f90 = (uint32_t)0x200adf5c;
+    *(uint32_t*)0x20ca6f94 = (uint32_t)0x0;
+    *(uint32_t*)0x20ca6f98 = (uint32_t)0x2091b000;
+    *(uint32_t*)0x20ca6f9c = (uint32_t)0x0;
+    *(uint32_t*)0x20ca6fa0 = (uint32_t)0x203dcf92;
+    *(uint32_t*)0x20ca6fa4 = (uint32_t)0x0;
+    *(uint32_t*)0x20ca6fa8 = (uint32_t)0x209aa000;
+    *(uint32_t*)0x20ca6fac = (uint32_t)0x0;
+    *(uint32_t*)0x20ca6fb0 = (uint32_t)0x205b0000;
+    *(uint32_t*)0x20ca6fb4 = (uint32_t)0x0;
+    *(uint32_t*)0x20ca6fb8 = (uint32_t)0x20d62000;
+    *(uint32_t*)0x20ca6fbc = (uint32_t)0x0;
+    memcpy(
+        (void*)0x20230000,
+        "\x8a\x7b\x77\x6a\x6d\x88\x97\x91\x9f\x77\xfb\x32\x26\x29\x3c"
+        "\xc6\x51\x99\x6b\x46\x29\xf4\x55\x3e\x9c\xb8\x55\x67\x03\x0b"
+        "\x24\x12\x2d\x35\x1a\xd3\x51\x09\x06\xbf\x08\xf7\xb1\xea\x62"
+        "\xac\xbc\x38\x00\xbb\xbc\xcb\x29\x08\x63\xd9\x95\xd9\x79\xbb"
+        "\xa3\x7e\xe4\x17\x89\xfc\x06\x00\x7d\x95\x77\xae\x51\x6a\x59"
+        "\xf4\xa7\x6a\xe6\xe2\x82\x2c\x8e\x4f\xee\x3d\x2b\xd8\x43\x3f"
+        "\x87\xbd\x75\x8a\x51\x75\xe8\xfd\x33\xf9\x99\xf2\xf9\x7e\xfc"
+        "\x57\xa2\xea\x29\xd1\x60\x8d\xd2\x28\x3f\x61\x20\x07\x11\x04"
+        "\x49\xca\xe4\xcc\xad\xf3\x67\x84\x77\xb3\x38\xd5\x2d\x1c\x0f"
+        "\x51\x6a\x76\xa9\xd1\x7f\x54\x97\x87\x51\x6e\x69\x06\x78\x0d"
+        "\xaa\xcd\x7f\x27\x2d\x9e\xcd\xa2\x36\x54\xcc\x5b\x1b\xb4\x0a"
+        "\xf8\xeb\x8d\x1b\x8c\x5a\xe6\x8f\xc4\xe4\x13\xa9\x76\xad\x3e"
+        "\x15\x88\x2e\x9a\xcc\xe1\xe5\xa0\xf6\x4b\xe1\xde\x46\xf3\x46"
+        "\x18\xde\xde\x13\x8d\x00\x4e\x0b\xd3\xce\x10\x7a\x3d\x32\xeb"
+        "\xc4\x8c\x3d\x43\xcd\x27\xc3\x34\xc3\xb4\x82\xf1\x53\x8c\xe2"
+        "\x7f\xcd\x56\xff\x58\xf3\xe9\xb9\xf4\x24\x90\xdc\x6c\xbc\x61"
+        "\x79\xaf\x5f\xca\xad\x37\xd9\x9f\xf8\x88\xf3\x73\x8b\x68\x66"
+        "\x82\x8d\x18\x83\x93\x8e\x5a\xd8\xde\x85\x56\xa3\xbd\x97\xfb"
+        "\x28\xac\x3c\xe6\xc0\x6b\x19\x80\x99\xfe\xf7\x81\x3d\x30\xeb"
+        "\x49\xca\x57\x95\xb2\x84\xaf\xb3\xdd\xac\xcd\xb1\xe0\x35\x06"
+        "\xa2\x15\x94\x7b\xac\xdb\xf0\x46\xf4\x03\x26\xfe\x40\xa7\x19"
+        "\xd2\xac\x40\x28\x0d\x14\xe0\xb0\x93\x3f\x30\x4e\xce\x95\xef"
+        "\x71\x5f\x5a\x21\xda\xdb\x55\xfb\x27\x99\x6c\x42\x3a\xf5\x65"
+        "\x48\x4d\x47\x7f\x00\xf4\x9f\x2f\xa4\x7e\x10\x50\x51\x13\xb0"
+        "\x3a\xfb\x13\x37\xbe\x33\x2e\x51\x49\xc2\x0f\xc1\x4c\xbd\x9e"
+        "\xbe\x76\x6a\x37\x5f\xfa\xf6\xe1\x9f\xc1\xde\x40\xd7\x82\xa1"
+        "\x35\x87\xf9\x58\x3f\x3b\x33\x31\xb6\x04\x5f\x3a\x75\x78\xbd"
+        "\xf3\x32\x59\xc9\x45\xce\xc1\xe8\x87\x1a\x1f\x19\xd3\x09\xaf"
+        "\xf9\x67\x13\x15\xab\x69\x9d\xc8\x9b\x27\xd0\x66\x0e\xfc\x0a"
+        "\xb5\x0d\x9c\xa5\xbc\x6b\xd2\x35\xdf\x98\xce\xbb\x0f\x62\xba"
+        "\xc5\xe7\xe8\x8a\x21\x09\x83\xe0\x98\x31\xba\xa4\xbf\x27\x6d"
+        "\xa9\xad\xf3\xda\x0f\x4b\x88\x7a\x23\x9d\xf6\xba\x9d\x92\x0b"
+        "\x31\xfe\x05\x92\x8f\x90\xf5\xd3\x0c\x6b\x45\x35\xe4\xeb\x00"
+        "\x44\xc4\xc6\x24\x85\x89\xad\xf7\x7f\xbf\x96\x75\xd4\x66\x89"
+        "\x01\x28\xb9\x7c\x50\xd8\x31\x47\x6d\x9a\x29\x40\x80\xbd\x74"
+        "\x73\x89\x23\x6e\xe2\xd3\x9f\x52\xa3\xb1\x7f\x6c\x5e\x86\x3f"
+        "\x3f\xf0\x35\xbb\x52\xf2\xcb\x50\xe5\xc2\xa2\x01\x5b\x52\x36"
+        "\x7a\x17\x16\xfd\x27\xd5\xf2\x1d\x7b\x73\x19\x6d\x8a\x06\x3f"
+        "\xb5\x67\xf7\x26\x8b\xe0\xb5\x82\x53\x0d\xe1\xe9\xec\xc8\xc6"
+        "\x86\xd0\xc6\x5d\x48\x8f\x2b\xb1\x85\x0d\xb8\xb8\xae\x97\xf7"
+        "\xb3\x76\x91\x2d\xd5\x24\x62\x65\x56\xcc\x65\x95\x21\x04\xd4"
+        "\xd9\x6c\x60\x7a\x73\x71\xbc\xc7\x46\x39\x9a\xea\xa8\x04\xa5"
+        "\x90\xaf\x68\x8f\x62\x16\x42\xe3\x45\x5c\x87\x63\x95\x61\xcb"
+        "\x53\x7d\xa6\xb5\x27\x55\x9a\x0b\xb7\x2f\xe2\x5b\x7e\xaa\x6a"
+        "\xe0\xe6\x7a\xca\x61\x72\x13\xe3\xba\x18\x49\x40\x01\x65\x3a"
+        "\xf2\x0e\x34\xa1\x84\xc4\x23\x39\x76\x2b\xcf\x69\x9c\x4b\xa7"
+        "\x23\xf7\xec\x25\x40\x57\x54\x32\x26\x12\x53\xec\x9d\xb8\x64"
+        "\x42\xf5\xa3\xa8\x07\x1b\xa2\x13\x0d\xbc\x5e\xb0\xf9\x5b\x8e"
+        "\x38\xa2\x1c\xe5\xef\xf9\x8f\x6a\xd4\x67\xac\x45\x25\x21\x29"
+        "\x36\xdb\xa5\x7e\xda\x10\xe9\x60\xb5\xfe\x23\xf4\x1d\x4a\x52"
+        "\x24\xe4\x79\x9b\x04\x7d\xa0\x3a\x5e\x75\xfa\x39\x0a\x13\xd7"
+        "\x1a\x3f\xcd\x9f\xe0\x7a\x2f\x7e\x75\x3b\x12\x0c\x19\x7d\x04"
+        "\x99\x4b\x9d\xaa\x9f\x66\xba\x66\x61\x5f\xe2\x39\x7c\x0f\xe0"
+        "\x77\x08\x55\x51\xcf\x16\xb4\xfa\xb2\x7e\x65\x30\xb2\xce\x77"
+        "\x31\x55\x4f\xba\x2d\x68\xa6\x17\x7e\x08\x93\xb3\xea\x65\x35"
+        "\x1f\x07\xb9\x6b\x6b\xa3\xe0\xa7\xa2\x49\x1c\xd3\x67\x03\x26"
+        "\x7e\x2b\xd0\x92\xd3\xb4\x87\x05\x90\x15\x4c\x01\x44\xbb\x88"
+        "\xe4\x50\xba\xf9\x5b\x2f\xc4\xcb\x1d\x43\x35\x18\x9c\x13\x91"
+        "\x8c\x1d\x4d\x56\x33\x29\x28\xfd\xd1\x9e\x4b\x17\x38\x7e\x16"
+        "\xbb\x02\xcb\x5b\xaa\x91\x65\xbd\x3c\x13\x5c\xf8\xbe\x4a\x9d"
+        "\x85\xb0\x72\x42\x90\x9d\x96\x05\x2b\xd6\x5e\xf2\x37\x77\xa9"
+        "\x89\x64\xf1\x51\xbe\x4e\xce\xfa\x01\xdb\x33\xc4\x43\xc3\x0b"
+        "\x11\xea\x9a\x2e\xb5\x0f\xba\xd2\xd2\x6d\x05\x95\xf3\x9e\x3b"
+        "\x28\xff\xa7\x35\x48\x29\x06\xcc\x11\x6a\xb8\x76\x20\x6f\x99"
+        "\x40\xc9\xb7\x74\x49\x00\xd5\x7a\x52\x67\x6a\xe5\x45\x81\x3e"
+        "\xe6\x7a\x74\x04\x42\x61\x46\xc5\x91\x0c\x4b\x6c\xb7\x55\x91"
+        "\x98\x1d\x6c\x79\x79\x9f\x86\x24\x81\x88\xc3\x14\xa3\xe0\x77"
+        "\xdc\x26\x88\x71\x50\x1d\x3c\xcd\x42\x43\x2a\xfb\xcd\xe5\xdd"
+        "\xa5\x65\x71\x3d\xb8\x82\x4b\xfd\xe5\xb3\x4f\x0a\xdf\x97\x02"
+        "\xa5\x3a\xa8\x81\x4e\xc9\xaa\x95\x88\xcc\x24\x32\xa6\xe5\x42"
+        "\xf9\x15\xd3\x54\x5a\x00\x65\x64\x4e\xa3\xf1\x82\x69\x66\x19"
+        "\x14\x40\x9a\x1b\xc8\x7c\xbe\x78\xc4\xa8\xd4\xc2\xc9\xee\xaa"
+        "\xd5\x6c\x6d\xec\xf2\xe2\xc5\x5f\x66\xac\xa9\x0d\x99\x89\x86"
+        "\xf6\xd1\x7b\x55\xec\xa4\x6c\xaf\x68\xa7\xcb\x28\xd3\xca\xcb"
+        "\xe6\xc3\xbc\xf3\xff\x37\x1b\xd5\xdd\x41\x81\xe1\xed\x7d\x49"
+        "\xb1\x55\xb1\x24\xd1\x77\x6d\xcf\xb8\xe7\x39\xff\x17\xd4\x6b"
+        "\x3f\xc4\x10\xf8\x7b\xd4\x96\x73\x1a\x5e\xb8\x24\x91\x16\x67"
+        "\x1d\x41\xb8\xbc\x5e\x1e\x92\x24\xa9\x7c\xba\x63\xe8\x4f\x15"
+        "\x39\xbe\xb7\xf2\x3b\x78\x81\x45\x04\x8e\x2b\xb7\xb7\x14\x74"
+        "\x8b\x84\x8b\x73\x51\xb9\x18\x44\x1f\x95\x58\x4a\x6b\x5f\x76"
+        "\xc9\xd0\xc4\xca\x98\x31\x25\x68\x86\x4c\x00\xa7\x92\x68\xfa"
+        "\x4a\x6b\xa0\xbd\x21\xab\x09\x22\x96\x67\x46\x85\xdc\x75\x3d"
+        "\x66\xa8\x33\x2a\x71\xbc\x19\xda\xaf\x3e\x0a\xb5\x7e\xac\xc8"
+        "\x8b\xde\xc5\x4a\x10\xd5\xd0\x95\xde\xed\x7a\xb9\x61\xe6\x78"
+        "\x6e\x84\x74\xf4\x9b\x17\xe3\x59\x85\x01\xef\xe2\xfb\xd6\xf8"
+        "\x5e\xf8\xc0\x1d\x27\xed\xab\x43\x2b\x70\x6e\xc6\x07\x4d\x35"
+        "\x43\x11\xac\x0e\x02\xbd\xe5\xdc\x7a\x38\x22\x25\x0a\xa3\x3c"
+        "\x06\xaa\x55\x92\xd7\x60\xe6\x91\xbf\x4e\x3d\x90\xe7\xc6\x46"
+        "\xb4\xa2\xa0\xa9\x0e\x2f\xe2\x93\xa2\x81\x49\x3e\x9c\x80\xed"
+        "\x3d\xcd\xc6\x5a\x66\xbc\x45\xff\x57\x63\xf7\x9e\xb8\xbe\x22"
+        "\x7f\xed\xcd\xca\x8a\xb8\x3e\x16\xc6\x3f\xfb\x6b\x29\x49\x47"
+        "\xf8\xfe\x81\x30\xdb\x8e\x2c\x07\xe4\x39\x4f\x48\x22\xfa\xa6"
+        "\x48\x05\xdd\xf2\xdd\x3a\xf8\x99\x83\xb8\x80\x7c\xa8\x3c\x47"
+        "\x4e\xdd\x2b\xea\xd1\xc0\x05\x48\x80\xc3\x20\x88\xfe\xee\xf9"
+        "\xca\x53\xd0\x6f\x76\xde\x70\xad\x29\xe6\x2e\x47\xc7\x5f\x3c"
+        "\x0f\x1f\xfb\xd0\x2c\x1e\xf2\x7e\x25\x4b\x8f\x14\x1f\x9b\x0a"
+        "\x8a\x98\x31\x0c\x25\xbb\x18\xb9\xa4\x52\xd7\xd8\x43\xb3\xbc"
+        "\x47\x29\xc0\x8c\xc8\x47\xfb\x36\x0a\xd2\x3d\x7b\xc4\x1c\x15"
+        "\x88\xa2\xab\xe1\x6d\xd7\x5b\x25\x4f\x72\xbe\xb9\x76\x29\xa5"
+        "\x64\x07\x46\x61\xa3\x1f\xd3\xdc\xad\xd5\x7d\x40\xf8\xac\x42"
+        "\x18\x88\x9a\x5e\x66\x7e\xc8\xf7\x6d\x8c\x1c\x40\xdc\xa1\xbb"
+        "\xaa\x83\x27\x7d\x16\x3d\xf4\x9a\x3a\xc2\xe7\x9c\x3c\x48\xb4"
+        "\x63\xc1\xac\x32\xc8\x37\xff\xad\x01\x7e\x87\x3a\x11\xaa\xb5"
+        "\xcd\x44\xfe\xf3\xeb\x5e\x59\x50\xed\x53\x78\x73\x9a\x75\x93"
+        "\x18\xb7\xee\xba\x31\x1b\xa7\x43\x86\x9c\x50\xc4\x38\xf8\xa0"
+        "\x5d\x0b\xa7\xeb\xf0\xd7\xd0\xbe\xdb\x5a\x95\x01\xb0\x84\x56"
+        "\x79\xd3\x92\x21\x59\xf6\x3b\xa7\x4c\x4f\x0c\x1b\x21\xd0\x62"
+        "\x1e\x09\xb0\x52\x71\xa7\xd1\x43\xe3\xcd\x70\xa8\x81\x33\x6c"
+        "\xfb\x01\x4c\x7a\xba\xb3\xa7\x2f\x1d\xaf\x54\x7f\xc2\x46\x68"
+        "\x0f\xfd\x97\x02\xdd\x19\x33\x81\xc8\xd4\x88\x32\x02\xf9\xdd"
+        "\xaa\xc6\xca\x7b\xab\xc3\x34\xd6\x4f\xcb\xed\xde\xb8\xe5\xe0"
+        "\xf7\xdf\x39\xd1\x46\x91\x04\xe6\x01\x9f\x64\x48\x40\xdf\x01"
+        "\xc2\x96\xce\x8c\x1c\xbf\x19\x4c\x4a\xdd\x99\x1b\xc8\xf4\xa6"
+        "\x2e\x0b\xe5\x1d\xb9\x84\x57\x22\xef\x6d\xd3\x12\xf0\xfc\xc3"
+        "\x87\x42\xd5\xb2\x6b\xfb\xd8\x0c\x7e\xd5\xad\xa4\x8a\xf3\xae"
+        "\x20\xf4\x3d\x28\x17\x3e\xd5\x7a\x9c\xad\x5b\xdc\x4a\xab\x4a"
+        "\x7d\x04\x4f\x87\xba\x80\x4d\xac\x9c\x6c\x1e\xca\x47\x55\x2d"
+        "\x90\x88\x5d\x89\x98\x5d\xc8\xc0\x61\x8c\x99\x0c\xf3\x0f\x65"
+        "\xa1\x28\xfd\x7c\x70\xe9\x73\xa0\x3d\x7f\xea\xa8\x05\x9e\x85"
+        "\xe1\x30\xe6\x61\x3a\x3c\xf1\xa1\xc2\x80\x0d\x8b\x7b\xff\xe1"
+        "\x5b\xde\x0c\xae\x2c\x0b\xa8\x91\x08\xc4\x77\x99\xb0\xad\xa3"
+        "\x98\xf6\xb5\x75\xd7\x66\xee\x35\xca\xfa\x0d\x0e\xfe\x81\x95"
+        "\x30\xdc\xd9\x9d\x94\x63\xf8\x98\xc4\xdb\x6d\xf8\x59\x69\x9e"
+        "\xe8\x36\xaa\x13\x89\x53\xb4\x7c\xb6\x96\x09\xec\x2f\x66\x96"
+        "\x8f\x71\xd0\x33\x35\x78\x99\xc7\x7b\xaf\x9b\xe8\x66\xf0\x75"
+        "\xa6\xd2\x52\x00\x04\x87\x4b\xcf\x9f\x92\x60\x0b\xbb\x1c\xeb"
+        "\xac\xa4\xdb\xc2\x08\x99\xaf\xfe\xc4\x54\x3d\x20\x6c\x39\x5b"
+        "\x3c\x7f\x8b\x35\x08\x3a\x3f\xe3\xc4\x88\x13\xa0\x35\x6f\xc3"
+        "\xc1\x48\x1b\x3b\xad\x91\xc1\x60\x65\xd5\x80\x5e\xfa\xd0\x71"
+        "\x5b\x67\x2a\x35\x7b\xb9\xbe\x84\x5f\xcb\x40\x68\x5b\xa9\x47"
+        "\x98\x43\xf9\x61\x4f\x8c\xae\x9b\xac\xe7\x16\xd5\x96\xd7\x32"
+        "\x8f\x33\xa2\x99\x35\x2f\x65\xb1\x83\xd8\x53\xcb\xfb\xff\x19"
+        "\xd4\x35\x13\xd0\x64\xd0\x59\xb4\x00\xb6\xfe\x5c\x0f\xa5\x3d"
+        "\x0d\xac\x2e\x9c\x9d\x79\x70\x66\x1c\x01\x64\x6e\x6e\x60\x25"
+        "\xca\x6e\x6b\x06\x02\x3e\x81\x84\xd3\x1d\x1c\x13\x4b\x8e\x77"
+        "\x70\x3b\x5b\xd7\x4f\xbd\xc5\xa8\x7c\xc3\x91\x8d\xaa\x8b\x8a"
+        "\x19\x5b\xf5\xb5\x47\x98\x86\xfb\x81\xa5\xad\x63\x3b\x03\x62"
+        "\xa9\xf0\x5d\xba\x73\x9a\x1d\x82\x65\xb2\x2e\x8a\xc7\x09\xc2"
+        "\x86\xd2\x1e\xd6\xa2\x28\xc4\xb4\xae\x54\x73\x75\x9c\xd3\xbf"
+        "\xff\x20\x62\x51\x6c\xdf\x1a\x3b\x6d\x34\x96\x6d\x1a\xe1\xeb"
+        "\xac\x57\x12\x71\xd4\x85\xe0\xad\xeb\x92\xf6\x2b\x5a\x36\xf0"
+        "\xc6\xf6\xba\x28\x13\x4c\xce\x34\xd7\xdc\xf9\xcc\xd3\xfe\x87"
+        "\x6a\x28\x7e\x2c\xad\x19\xe7\x98\x3a\x45\xf9\x44\xe6\x9b\x95"
+        "\x67\x6e\xfd\xe1\xe4\xfc\xb6\xd2\xcb\x49\xc2\x8b\xf0\xba\x5b"
+        "\xa8\x6f\x63\x20\x3e\x50\x55\x21\x51\x9d\xb9\xf5\x70\xe5\x63"
+        "\xf3\xd5\xab\x01\xb7\x83\xd5\x66\x46\xe6\xcf\xb4\x60\xe4\x5f"
+        "\x11\xc9\x59\xc3\xf8\x9f\x91\x27\x64\x53\x81\xbe\xcb\xbb\x05"
+        "\x47\x20\x7d\x77\x88\xfa\x98\x9a\xc3\x6f\xd7\xd0\x72\x12\xac"
+        "\x3f\x77\xb7\x40\xc4\x2d\xcd\x4a\x8e\xfb\x16\x67\x9a\xbe\x04"
+        "\xb4\x86\x86\x0e\xf5\xe9\x02\x45\x2d\xfc\xb3\x61\xf2\x86\x4c"
+        "\xc4\xd4\xa2\x06\x38\x0d\xae\x0f\x96\x24\x2f\xac\x79\x33\x33"
+        "\x5f\x71\x2b\xeb\x64\x14\x7c\x94\x58\xa9\x38\x62\x93\x68\x54"
+        "\x70\x00\x8a\x12\xaf\x4a\x07\xc5\xd5\x4f\x11\xef\xdd\x35\x5f"
+        "\x96\x6c\x10\x8b\x03\x4f\x7e\x7e\xc8\xaa\xc6\x35\x48\xe9\xb0"
+        "\x9a\xf9\x5d\x2b\x4b\xf1\x79\xcf\xda\x5c\xae\xed\xa1\x85\x6f"
+        "\xba\xd8\x0f\x4d\x7a\x50\x68\x93\x8f\x5b\xab\x7d\xf1\x03\x04"
+        "\x64\xb7\x1d\x62\x1c\xca\x21\x20\x2c\x13\x3c\x68\xd4\xc0\x22"
+        "\x38\x3f\xdd\xc9\x67\xb7\x7f\xfc\x67\x78\xc4\x06\x91\x5f\x2e"
+        "\x7b\x6d\x84\xb8\x4a\x22\xd6\x76\xae\xdd\x29\x5c\x7c\x6a\xcb"
+        "\x97\xb6\xda\x6f\xfb\x58\xae\xf4\x7c\xb5\x95\x12\x18\xeb\x6e"
+        "\x95\x7e\x94\xf5\xa3\x7e\x0d\x09\xf7\xf3\x47\x66\x51\xa2\xd5"
+        "\xef\x5f\x0d\x01\x1e\xaa\x84\x7c\xf3\x6c\x47\xa3\xaf\xb0\xc1"
+        "\xbb\xb4\x69\xb7\x6d\xe5\xb5\x6e\x2d\x2f\xbf\xe6\x00\xb1\x8e"
+        "\x35\xc1\xd1\xec\x2f\x15\x9f\xa0\xba\x80\x79\xd0\x3a\x84\x30"
+        "\x16\x7a\x69\xfe\xf9\xbf\x5a\x87\x11\x62\x5a\x99\xcb\x1a\x85"
+        "\x47\x6a\xa1\x2f\x87\x6d\xec\x2f\xcc\xea\x9a\xc7\xf7\x22\x9f"
+        "\x11\xa4\x0c\x4a\x32\xd4\x2c\x70\xd1\xa9\x0c\x96\x95\xc6\x65"
+        "\x5f\x12\x42\xd4\xf3\xbf\x6a\x32\x68\x8d\x7a\x35\x37\xf3\x45"
+        "\xb6\x0f\x60\x65\x0a\x11\xca\xfa\x55\xc9\x4a\x44\xb5\xf1\x0c"
+        "\xde\x08\xb3\xbd\x6c\xfc\x5c\xc0\x7c\xa6\xc9\xd4\x63\xf7\xe7"
+        "\xf2\x33\x94\xd9\x5b\x33\x5a\x47\x8d\x01\x26\x24\xdc\xbf\x8b"
+        "\x89\x1d\x76\x6b\x02\xe7\xbd\x93\x82\x21\x18\xfe\xda\x2b\xe7"
+        "\xcc\xc1\x04\x66\xf5\x5d\x44\x1f\x26\x8c\xa0\x3f\x2c\x08\xa2"
+        "\xa2\x3b\x6d\x16\xe8\xb5\x8a\x88\xfc\x96\x30\x2c\xd4\x1c\xe4"
+        "\x0d\x05\x69\xd2\x25\x7d\x88\xe7\x38\x8c\x26\x2f\x52\xbd\xed"
+        "\xa8\xde\x3e\x4b\x8a\x6c\x41\xd7\xf2\xda\xd4\xb6\x35\x89\xaf"
+        "\x0e\x22\xbf\x09\x18\x0f\x43\x63\x7d\xcb\x2c\xf5\x75\xaf\x57"
+        "\xfd\x10\x78\xfa\xf1\xdd\xd1\xa4\x49\x0b\xae\xef\x4f\xb3\x94"
+        "\x7e\x9e\x9c\x20\x46\x9e\xb8\x2a\x50\x2c\xe0\x9a\x1b\x0b\x1b"
+        "\x00\xf7\x49\x64\xfc\xe1\xc1\x1d\xcb\xe6\xce\x5f\x4b\x62\xde"
+        "\x1d\xe4\x58\x28\xce\x4b\xa2\x1a\x3d\xc8\xe0\x02\xb4\x9f\x93"
+        "\xec\x44\x84\x60\x1b\x07\xdd\xf5\x0c\x59\xc8\xcd\xcc\x48\x04"
+        "\x11\x61\x2a\xe3\x4d\x67\x85\x63\xe7\xd8\xb3\xbf\x7b\x41\x32"
+        "\x05\x60\x7f\x8b\x51\x3d\xc5\xee\xdc\xea\x10\xb1\xe7\x51\x9a"
+        "\xc2\x6b\x62\x9c\x95\xc7\xa5\xda\x43\x90\x90\x10\xfa\x61\xb8"
+        "\xe6\x64\x1e\x55\x83\x27\x37\xe7\x95\x16\x33\x20\x10\x50\x9b"
+        "\x7d\xd9\x15\x6b\x6f\x44\xc5\x1c\xda\x24\xbd\x4d\x69\xdb\x6b"
+        "\x1a\x44\x8d\x9d\xd4\x6e\xc3\xb3\x1c\xda\x37\x05\xa1\x61\x6e"
+        "\x27\x66\xbe\xc3\xa5\xa7\x85\x9b\xab\x12\x87\x52\x2e\xf4\x6e"
+        "\x6a\xbb\xa2\xf1\xb8\x34\x6f\xb7\x6e\x44\xa2\x78\x0a\x1a\x43"
+        "\x07\x28\x9a\x2d\xb4\x8a\xb2\xb9\x32\xe6\x26\x5e\x99\x4e\x4e"
+        "\xc2\x2d\xd2\x4e\xb4\xa0\x4a\x48\x27\xb6\x73\x61\xab\xad\xc0"
+        "\x2d\xc5\x1c\x70\x98\xd1\x26\x96\x7d\x12\xfa\xe8\xd7\x2e\xf4"
+        "\x27\x0d\xfe\x97\xbb\x74\xab\x20\xd8\x52\x63\xf6\x29\x53\x35"
+        "\xfe\x34\x75\x43\x6b\xa8\xba\xb3\x08\xa0\x8e\xc9\xbc\xa5\xc5"
+        "\x50\x0c\x06\xeb\xb1\xfd\x69\xac\xb6\xe0\xf2\xc4\x5c\x17\x83"
+        "\xde\x0e\x40\xfc\x8f\xa0\x25\xaa\x55\xd5\x8d\x6d\xf6\x01\xba"
+        "\x48\x1f\x58\x68\xcb\x0a\x86\x34\x21\x9e\xe7\x32\x9d\x4d\x5c"
+        "\xb2\xda\xa3\x23\x76\xb7\x56\x4a\xb8\x26\xd3\x87\xeb\xb7\x78"
+        "\x62\x7d\xbc\x48\xc0\xef\x2b\xb3\xbe\xb7\x64\x07\xb2\x77\xc1"
+        "\x49\xfd\x9a\x23\x79\x15\x51\xe3\xe6\x1a\x59\x8b\x56\xc1\xc8"
+        "\x73\x35\x79\x6c\xb2\x22\x61\x40\x9d\xd3\xf0\xfa\x95\x95\x2d"
+        "\xda\xbd\xe1\x66\x1b\x12\x5e\x50\x7b\x0f\x92\xb1\x75\x46\x7e"
+        "\x27\x90\x77\xcc\x64\xd0\xe3\xb8\xe8\x09\xd3\xc4\x2c\xd3\xc0"
+        "\xca\xd0\x15\x4e\x13\x9a\x9b\x86\xbf\x2e\x1a\xd4\xe4\x17\xd5"
+        "\x7a\x3e\xc5\xb3\x10\xa8\x23\x1b\xd9\x65\xe3\xa3\x48\x23\x34"
+        "\x6e\x4c\x09\xee\x5d\xe1\x63\xb7\x4b\x92\xe5\xdd\xe6\xb4\xc2"
+        "\x00\x9e\x7b\x01\x50\x68\x56\x17\x47\xb1\x8b\x62\x03\x0c\xab"
+        "\x72\xa7\xbe\x3d\x60\x8e\x73\x6a\x9a\x13\x1f\x3c\xf7\xf1\x59"
+        "\xee\x17\x99\x07\xe3\xc3\x5b\x93\xa9\xfd\x06\x93\xb2\xd0\x21"
+        "\x27\x54\x8a\x02\x29\x13\x58\x8a\x05\xbb\x6f\xd9\x46\x54\x2f"
+        "\x65\x2f\x1b\x4b\xe9\xbe\x23\x45\x91\x21\x8b\xda\x3a\x21\x8a"
+        "\xac\x74\x4d\xfd\x0f\xa1\x2b\x37\x6a\xbe\x19\xfd\xfe\xd3\xe9"
+        "\xe3\x32\x65\x90\x38\x0e\x8e\x53\x39\xd7\xc2\x9f\x96\x7d\x4c"
+        "\x59\xae\xb4\x0b\xe3\x5c\xe0\x9d\xa5\x8e\x7d\x7b\x53\x15\x55"
+        "\x2f\x8e\xe1\x78\x71\x16\x56\x73\xe8\xc5\x80\xab\x0a\x28\x0a"
+        "\x90\x27\x31\x69\x10\x2d\xd2\x84\xda\x16\x53\xd1\x36\x16\xeb"
+        "\x69\x83\xa4\x58\xf2\x6c\xa0\xbe\xff\xa4\xae\xaf\x95\x36\xac"
+        "\xfb\x83\x70\x39\x4d\x4e\xb8\xf8\xb3\xee\x04\x2c\xb8\x11\xb6"
+        "\xa7\xed\xa8\x0e\x50\x84\x88\xb2\x19\xaa\xa5\x99\xb4\xb1\x17"
+        "\x60\x7b\xfb\x3a\x09\x43\x44\x38\xf7\xb6\x78\x49\x5a\x35\xcc"
+        "\xb3\x0f\x5f\x2a\x45\x17\x60\x51\x14\x67\x18\x04\x10\xb0\xba"
+        "\x38\x2c\x89\x98\x9d\x5d\x52\x25\xfb\xc6\x6a\x0d\x96\xa0\x38"
+        "\xcc\xf0\x88\x39\xb9\x07\xe5\x16\x08\xa2\xa7\x2a\xa2\xa9\x92"
+        "\x24\x0e\x45\x1f\x34\x5a\x88\x20\x4c\xc5\x54\xe0\x59\x8b\xb8"
+        "\x2a\x44\x53\x10\x98\xdc\xb9\x37\xcd\x75\x6c\xca\xd8\xc3\x49"
+        "\x98\x22\xdf\x92\xb8\x0e\xd9\xdd\x67\x89\xd5\x0a\x58\xe4\x59"
+        "\xd2\x16\x16\x3c\x80\x75\x72\xfd\x08\xe9\x30\x7d\x6c\xc9\x47"
+        "\xcf\xab\x58\x2d\xf5\xec\x71\x50\x7a\x17\x4d\xab\x62\xf4\x74"
+        "\xf1\x67\xb7\xb7\x5e\x0f\xba\x54\x79\xc6\x36\x4a\x56\xfb\x91"
+        "\xa9\x65\x2c\x25\x7e\x67\x40\x16\xc9\xc6\x65\x1f\x49\xcc\xb7"
+        "\x30\xb9\x0f\x42\xcc\xb3\xde\xfb\x3b\x60\xa2\xee\x78\x0d\xe7"
+        "\xbd\x33\xbf\xba\x59\x61\xcb\x10\x22\xfc\x0e\x3d\x60\xa4\x11"
+        "\xd0\x27\x4f\x17\x65\x0f\x6c\x98\x23\x55\x0b\xa4\x39\x2b\xcc"
+        "\xe2\x7b\x6d\x87\x51\x84\x9e\x0f\x62\x48\xc8\x45\xbf\x0d\x84"
+        "\x3f\xb7\x7a\x32\x40\x4a\x1e\x43\x78\xa6\xaa\xb1\xa2\x18\x5b"
+        "\x4c\x16\x9e\xbf\xe0\x87\xbc\x2b\x5d\xf8\xf4\x43\x8e\x29\xd7"
+        "\x0e\xe7\x43\x15\xe3\xaa\xc9\x99\xa3\xe0\x1b\xe5\xb4\x2c\xcd"
+        "\xd6\x50\xff\x92\x19\x48\x97\xbb\x1e\xe8\x5c\x6e\x6d\xcf\x94"
+        "\x13\x5b\x9f\x3a\xfb\x16\xa2\xa8\x94\x1c\x99\xd5\x57\x44\xb7"
+        "\xce\x68\x1f\x3f\xdf\x00\x59\xe6\x5b\xed\x48\x75\xdb\xbc\xf0"
+        "\x7c\xba\x91\x58\x47\x49\x01\x2d\x3c\x5f\x83\xbb\xc5\x08\x6b"
+        "\x3f\x7d\x83\x1f\xa3\xda\x4c\x0e\x18\x6a\x86\x67\xd8\xb2\x30"
+        "\xd4\x9a\x4a\xdc\xba\x9a\x8f\xc0\x6d\x30\x04\x32\x46\x4f\x82"
+        "\xc1\xcc\x1d\x5d\x4e\xb2\x53\x83\xde\xee\x2c\x7b\x23\x71\x91"
+        "\x17\x13\x73\xa7\xfa\x2e\x11\xfb\xb3\x38\xb0\x19\x91\x53\x99"
+        "\x45\x2f\x2a\x72\xf3\x7c\x61\x64\x38\x7a\x3f\xd8\xf9\xb1\x63"
+        "\xae\x86\x5a\xce\x4e\x6b\x7a\x5e\xae\x35\x55\xca\x2f\x8d\x61"
+        "\x9d\xac\x1d\x0b\x69\x38\xd0\xf1\x0f\xff\x54\x2a\x54\xd9\x89"
+        "\xe3\xdf\xd7\x6d\xb1\x01\x9b\xba\xcb\x78\x02\x1e\x24\xfd\x81"
+        "\x21\x0a\xee\x50\xe5\x90\xdc\x81\xb5\x56\x13\x4b\x10\x67\xc8"
+        "\x66\x60\x81\xaa\x6d\xa4\x46\xcb\x3e\x88\xe3\x0d\x13\x2f\xea"
+        "\xcb\x4d\x58\xbd\xb5\x8f\x11\xfd\xf9\xec\x0c\x71\xe9\xf3\x7d"
+        "\x2a\xcb\x9d\x3d\xb5\x4d\x1b\x23\x7c\x84\xd3\xb1\xb5\x38\x04"
+        "\xdb\xef\x1e\xeb\xad\x1c\x0b\x39\x35\x71\x37\x40\x54\xd5\xe1"
+        "\x34\xb8\x55\x8a\x3a\x59\x6a\x13\x38\xaa\x11\x14\xf6\x71\x59"
+        "\x9d\xf1\x4e\x81\x5b\x28\x9c\xaa\x6f\xc8\x25\x2e\x15\x2f\xf3"
+        "\x48\xe6\xe7\xe4\x92\xb5\x26\x64\x99\x47\x01\x87\x89\x39\x93"
+        "\x57\xe8\x65\x7e\xfd\x55\xec\xda\x84\xca\x20\xa8\x3c\x00\x6d"
+        "\x8f\xaa\xf4\xa9\x73\xa3\x0e\xef\x37\xaa\x3b\x8d\xe3\x0b\x6d"
+        "\xdf\xb3\x10\xd8\x32\x35\x37\x04\x56\x47\x49\x21\xae\xcb\xa0"
+        "\xd0\x68\xa9\x1e\xf4\x7f\xa8\x6d\xa9\xee\xea\xb3\x48\x64\x83"
+        "\x5b\xb7\x9a\xc6\xdd\xce\x17\x87\xdf\xdc\x1b\x7c\x4c\x7f\xa1"
+        "\x1e\x38\xfb\x24\xa9\x14\xdf\xc7\x1f\x9a\x34\x6d\x40\x96\x30"
+        "\x9a\xf6\x40\x70\xd1\xd4\x05\x18\x8b\xa7\x83\x6c\xd5\xc8\xf8"
+        "\x45\x76\xb7\x8e\xdf\xe5\x86\x78\xaf\xcd\x6f\x46\x12\x0e\x01"
+        "\xfc\x03\xcd\x67\x85\xe0\x55\x01\x5b\xaf\x83\xc7\x0d\x2d\x08"
+        "\xbc\x62\x5f\xed\x38\xbc\xc6\x83\x17\xb2\xf7\x4c\xee\x75\x1c"
+        "\x2d\xe6\xb2\x9f\x77\xb8\x97\xb4\x3b\x35\xae\xab\x42\x84\x9c"
+        "\x8a\x7f\x15\x11\xc3\x76\x1f\x5e\x0b\xfd\x83\x9c\x98\x9d\x61"
+        "\x8d\xf5\x20\x15\xa3\x53\x4f\x5e\xf4\x3d\x22\x77\x53\x4d\x88"
+        "\xb3\xb9\xe2\x49\x15\x69\xf5\xe5\x06\x2b\x66\x48\x38\xb2\xac"
+        "\xf1\x98\xa7\xc9\x68\x2b\xd3\x6a\x4f\xcb\xf4\x8e\xd2\x02\x51"
+        "\x76",
+        4096);
+    r[42] = syscall(__NR_sendmsg, r[1], 0x20267000ul, 0x8000ul);
+    break;
+  case 4:
+    memcpy((void*)0x20925000, "\xe0\x05", 2);
+    *(uint16_t*)0x209e1000 = (uint16_t)0xa;
+    *(uint16_t*)0x209e1002 = (uint16_t)0x204e;
+    *(uint32_t*)0x209e1004 = (uint32_t)0x0;
+    *(uint64_t*)0x209e1008 = (uint64_t)0x0;
+    *(uint64_t*)0x209e1010 = (uint64_t)0x100000000000000;
+    *(uint32_t*)0x209e1018 = (uint32_t)0x0;
+    r[50] = syscall(__NR_sendto, r[1], 0x20925000ul, 0x2ul, 0x0ul,
+                    0x209e1000ul, 0x1cul);
+    break;
+  case 5:
+    *(uint32_t*)0x203f2000 = (uint32_t)0x184cc268;
+    r[52] = syscall(__NR_setsockopt, r[1], 0x1ul, 0x7ul, 0x203f2000ul,
+                    0x4ul);
+    break;
+  case 6:
+    memcpy((void*)0x20f78ffa, "\xd0", 1);
+    *(uint16_t*)0x20acffe4 = (uint16_t)0xa;
+    *(uint16_t*)0x20acffe6 = (uint16_t)0x204e;
+    *(uint32_t*)0x20acffe8 = (uint32_t)0x6;
+    *(uint64_t*)0x20acffec = (uint64_t)0x0;
+    *(uint64_t*)0x20acfff4 = (uint64_t)0x100000000000000;
+    *(uint32_t*)0x20acfffc = (uint32_t)0x0;
+    r[60] = syscall(__NR_sendto, r[1], 0x20f78ffaul, 0x1ul, 0x4040ul,
+                    0x20acffe4ul, 0x1cul);
+    break;
+  case 7:
+    r[61] = syscall(__NR_socket, 0x2ul, 0x806ul, 0x0ul);
+    break;
+  case 8:
+    memcpy((void*)0x20915fe0, "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00"
+                              "\x00\x00\x00\x00\x00\x00",
+           16);
+    *(uint16_t*)0x20915ff0 = (uint16_t)0xfffffffffffffffd;
+    r[64] = syscall(__NR_ioctl, r[61], 0x8914ul, 0x20915fe0ul);
+    break;
+  }
+  return 0;
+}
+
+void test()
+{
+  long i;
+  pthread_t th[18];
+
+  memset(r, -1, sizeof(r));
+  for (i = 0; i < 9; i++) {
+    pthread_create(&th[i], 0, thr, (void*)i);
+    usleep(rand() % 10000);
+  }
+  usleep(rand() % 100000);
+}
+
+int main()
+{
+  use_temporary_dir();
+  int pid = do_sandbox_namespace(0, false);
+  int status = 0;
+  while (waitpid(pid, &status, __WALL) != pid) {
+  }
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00965426fe7ceec1fd2d8756770d4c7c3cacdc4b.c b/syzkaller-repros/linux/00965426fe7ceec1fd2d8756770d4c7c3cacdc4b.c
new file mode 100644
index 0000000..b9145d4
--- /dev/null
+++ b/syzkaller-repros/linux/00965426fe7ceec1fd2d8756770d4c7c3cacdc4b.c
@@ -0,0 +1,157 @@
+// KASAN: use-after-free Read in blkdev_get
+// https://syzkaller.appspot.com/bug?id=00965426fe7ceec1fd2d8756770d4c7c3cacdc4b
+// status:open
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+extern unsigned long long procid;
+
+struct fs_image_segment {
+  void* data;
+  uintptr_t size;
+  uintptr_t offset;
+};
+
+#define IMAGE_MAX_SEGMENTS 4096
+#define IMAGE_MAX_SIZE (129 << 20)
+
+#define SYZ_memfd_create 319
+
+static uintptr_t syz_mount_image(uintptr_t fsarg, uintptr_t dir, uintptr_t size,
+                                 uintptr_t nsegs, uintptr_t segments,
+                                 uintptr_t flags, uintptr_t optsarg)
+{
+  char loopname[64], fs[32], opts[256];
+  int loopfd, err = 0, res = -1;
+  uintptr_t i;
+  struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+
+  if (nsegs > IMAGE_MAX_SEGMENTS)
+    nsegs = IMAGE_MAX_SEGMENTS;
+  for (i = 0; i < nsegs; i++) {
+    if (segs[i].size > IMAGE_MAX_SIZE)
+      segs[i].size = IMAGE_MAX_SIZE;
+    segs[i].offset %= IMAGE_MAX_SIZE;
+    if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
+      segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
+    if (size < segs[i].offset + segs[i].offset)
+      size = segs[i].offset + segs[i].offset;
+  }
+  if (size > IMAGE_MAX_SIZE)
+    size = IMAGE_MAX_SIZE;
+  int memfd = syscall(SYZ_memfd_create, "syz_mount_image", 0);
+  if (memfd == -1) {
+    err = errno;
+    goto error;
+  }
+  if (ftruncate(memfd, size)) {
+    err = errno;
+    goto error_close_memfd;
+  }
+  for (i = 0; i < nsegs; i++) {
+    if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
+    }
+  }
+  snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+  loopfd = open(loopname, O_RDWR);
+  if (loopfd == -1) {
+    err = errno;
+    goto error_close_memfd;
+  }
+  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
+    if (errno != EBUSY) {
+      err = errno;
+      goto error_close_loop;
+    }
+    ioctl(loopfd, LOOP_CLR_FD, 0);
+    usleep(1000);
+    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
+      err = errno;
+      goto error_close_loop;
+    }
+  }
+  mkdir((char*)dir, 0777);
+  memset(fs, 0, sizeof(fs));
+  strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
+  memset(opts, 0, sizeof(opts));
+  strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
+  if (strcmp(fs, "iso9660") == 0) {
+    flags |= MS_RDONLY;
+  } else if (strncmp(fs, "ext", 3) == 0) {
+    if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
+      strcat(opts, ",errors=continue");
+  } else if (strcmp(fs, "xfs") == 0) {
+    strcat(opts, ",nouuid");
+  }
+  if (mount(loopname, (char*)dir, fs, flags, opts)) {
+    err = errno;
+    goto error_clear_loop;
+  }
+  res = 0;
+error_clear_loop:
+  ioctl(loopfd, LOOP_CLR_FD, 0);
+error_close_loop:
+  close(loopfd);
+error_close_memfd:
+  close(memfd);
+error:
+  errno = err;
+  return res;
+}
+
+static void execute_one();
+extern unsigned long long procid;
+
+void loop()
+{
+  while (1) {
+    execute_one();
+  }
+}
+
+unsigned long long procid;
+void execute_one()
+{
+  memcpy((void*)0x20000000, "reiserfs", 9);
+  memcpy((void*)0x20000100, "./fiue0", 8);
+  *(uint64_t*)0x20000200 = 0x20000240;
+  memcpy((void*)0x20000240,
+         "\x00\x08\x00\x00\xec\x05\x00\x00\x6d\x8a\x2b\x00\x12\x00\x00\x00\x08"
+         "\x08\x00\x00\xb9\x02\x00\x00\x00\x01\x00\x00\x84\x81\x1f\x4c\xe1\x00"
+         "\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x10\xec\x03\x02\xe5\xfb"
+         "\x00\x52\x65\x49\x73\x45\x72\x33\x46\x73",
+         61);
+  *(uint64_t*)0x20000208 = 0x3d;
+  *(uint64_t*)0x20000210 = 0x10000;
+  *(uint8_t*)0x20013900 = 0;
+  syz_mount_image(0x20000000, 0x20000100, 0x400000000000000, 1, 0x20000200, 0,
+                  0x20013900);
+}
+
+int main()
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  for (procid = 0; procid < 8; procid++) {
+    if (fork() == 0) {
+      for (;;) {
+        loop();
+      }
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00aa2c9aba775f0761d3dabd7fb176964685051a.c b/syzkaller-repros/linux/00aa2c9aba775f0761d3dabd7fb176964685051a.c
new file mode 100644
index 0000000..c337eea
--- /dev/null
+++ b/syzkaller-repros/linux/00aa2c9aba775f0761d3dabd7fb176964685051a.c
@@ -0,0 +1,710 @@
+// KASAN: use-after-free Read in vhci_hub_control
+// https://syzkaller.appspot.com/bug?id=00aa2c9aba775f0761d3dabd7fb176964685051a
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
+
+#define BITMASK_LEN_OFF(type, bf_off, bf_len)                                  \
+  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
+
+#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                      \
+  if ((bf_off) == 0 && (bf_len) == 0) {                                        \
+    *(type*)(addr) = (type)(val);                                              \
+  } else {                                                                     \
+    type new_val = *(type*)(addr);                                             \
+    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                     \
+    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);          \
+    *(type*)(addr) = new_val;                                                  \
+  }
+
+struct csum_inet {
+  uint32_t acc;
+};
+
+static void csum_inet_init(struct csum_inet* csum)
+{
+  csum->acc = 0;
+}
+
+static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
+                             size_t length)
+{
+  if (length == 0)
+    return;
+  size_t i;
+  for (i = 0; i < length - 1; i += 2)
+    csum->acc += *(uint16_t*)&data[i];
+  if (length & 1)
+    csum->acc += (uint16_t)data[length - 1];
+  while (csum->acc > 0xffff)
+    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
+}
+
+static uint16_t csum_inet_digest(struct csum_inet* csum)
+{
+  return ~csum->acc;
+}
+
+static long syz_open_dev(long a0, long a1, long a2)
+{
+  if (a0 == 0xc || a0 == 0xb) {
+    char buf[128];
+    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
+            (uint8_t)a2);
+    return open(buf, O_RDWR, 0);
+  } else {
+    char buf[1024];
+    char* hash;
+    strncpy(buf, (char*)a0, sizeof(buf) - 1);
+    buf[sizeof(buf) - 1] = 0;
+    while ((hash = strchr(buf, '#'))) {
+      *hash = '0' + (char)(a1 % 10);
+      a1 /= 10;
+    }
+    return open(buf, a2, 0);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+}
+
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+#ifndef __NR_memfd_create
+#define __NR_memfd_create 319
+#endif
+
+uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0,
+                 0xffffffffffffffff};
+
+void execute_one(void)
+{
+  long res = 0;
+  memcpy((void*)0x200000c0, "/dev/bus/usb/00#/00#", 21);
+  res = syz_open_dev(0x200000c0, 0x80000000007, 1);
+  if (res != -1)
+    r[0] = res;
+  *(uint32_t*)0x20000000 = 0xa3;
+  *(uint32_t*)0x20000004 = 0x6c;
+  *(uint32_t*)0x20000008 = 0;
+  *(uint32_t*)0x2000000c = 0;
+  *(uint32_t*)0x20000010 = 0;
+  *(uint64_t*)0x20000018 = 0;
+  syscall(__NR_ioctl, r[0], 0xc0185500, 0x20000000);
+  *(uint32_t*)0x20d4effc = 1;
+  syscall(__NR_setsockopt, -1, 1, 0x3c, 0x20d4effc, 4);
+  memcpy((void*)0x206d1fd4, "\xdb", 1);
+  *(uint16_t*)0x204daff0 = 2;
+  *(uint16_t*)0x204daff2 = htobe16(0);
+  *(uint32_t*)0x204daff4 = htobe32(0x7f000001);
+  *(uint8_t*)0x204daff8 = 0;
+  *(uint8_t*)0x204daff9 = 0;
+  *(uint8_t*)0x204daffa = 0;
+  *(uint8_t*)0x204daffb = 0;
+  *(uint8_t*)0x204daffc = 0;
+  *(uint8_t*)0x204daffd = 0;
+  *(uint8_t*)0x204daffe = 0;
+  *(uint8_t*)0x204dafff = 0;
+  syscall(__NR_sendto, -1, 0x206d1fd4, 1, 0x4000010, 0x204daff0, 0x10);
+  *(uint16_t*)0x20942000 = 2;
+  *(uint16_t*)0x20942002 = htobe16(0x4e20);
+  *(uint32_t*)0x20942004 = htobe32(0xe0000001);
+  *(uint8_t*)0x20942008 = 0;
+  *(uint8_t*)0x20942009 = 0;
+  *(uint8_t*)0x2094200a = 0;
+  *(uint8_t*)0x2094200b = 0;
+  *(uint8_t*)0x2094200c = 0;
+  *(uint8_t*)0x2094200d = 0;
+  *(uint8_t*)0x2094200e = 0;
+  *(uint8_t*)0x2094200f = 0;
+  syscall(__NR_bind, -1, 0x20942000, 0x10);
+  memcpy((void*)0x200001c0,
+         "\x76\x63\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+         16);
+  syscall(__NR_setsockopt, -1, 1, 0x19, 0x200001c0, 0x10);
+  *(uint64_t*)0x20000080 = 0;
+  *(uint64_t*)0x20000088 = 0x4004400;
+  syscall(__NR_ioctl, -1, 0x127f, 0x20000080);
+  *(uint32_t*)0x2001d000 = 1;
+  *(uint32_t*)0x2001d004 = 0x70;
+  *(uint8_t*)0x2001d008 = 0;
+  *(uint8_t*)0x2001d009 = 0;
+  *(uint8_t*)0x2001d00a = 0;
+  *(uint8_t*)0x2001d00b = 0;
+  *(uint32_t*)0x2001d00c = 0;
+  *(uint64_t*)0x2001d010 = 0x7f;
+  *(uint64_t*)0x2001d018 = 0;
+  *(uint64_t*)0x2001d020 = 0;
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 0, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 1, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 2, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 3, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 4, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 3, 5, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 6, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 7, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 8, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 9, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 10, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 11, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 12, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 13, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 14, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 15, 2);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 17, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 18, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 19, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 20, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 21, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 22, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 23, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 24, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 25, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 26, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 27, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 28, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 29, 35);
+  *(uint32_t*)0x2001d030 = 0;
+  *(uint32_t*)0x2001d034 = 0;
+  *(uint64_t*)0x2001d038 = 0;
+  *(uint64_t*)0x2001d040 = 0;
+  *(uint64_t*)0x2001d048 = 0;
+  *(uint64_t*)0x2001d050 = 0;
+  *(uint32_t*)0x2001d058 = 0;
+  *(uint32_t*)0x2001d05c = 0;
+  *(uint64_t*)0x2001d060 = 0;
+  *(uint32_t*)0x2001d068 = 0;
+  *(uint16_t*)0x2001d06c = 0;
+  *(uint16_t*)0x2001d06e = 0;
+  syscall(__NR_perf_event_open, 0x2001d000, 0, -1, -1, 0);
+  syscall(__NR_mmap, 0x20000000, 0xb36000, 2, 0x8031, -1, 0);
+  memcpy((void*)0x20000040, "cpu.stat", 9);
+  syscall(__NR_openat, -1, 0x20000040, 0, 0);
+  *(uint32_t*)0x2001d000 = 1;
+  *(uint32_t*)0x2001d004 = 0x70;
+  *(uint8_t*)0x2001d008 = 0;
+  *(uint8_t*)0x2001d009 = 0;
+  *(uint8_t*)0x2001d00a = 0;
+  *(uint8_t*)0x2001d00b = 0;
+  *(uint32_t*)0x2001d00c = 0;
+  *(uint64_t*)0x2001d010 = 0x7f;
+  *(uint64_t*)0x2001d018 = 0;
+  *(uint64_t*)0x2001d020 = 0;
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 0, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 1, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 2, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 3, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 4, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0x81, 5, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 6, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 7, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 8, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 9, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 10, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 11, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 12, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 13, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 14, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 15, 2);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 17, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 18, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 19, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 20, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 21, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 22, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 23, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 24, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 25, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 26, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 27, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 28, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 29, 35);
+  *(uint32_t*)0x2001d030 = 0;
+  *(uint32_t*)0x2001d034 = 0;
+  *(uint64_t*)0x2001d038 = 0x20abe000;
+  *(uint64_t*)0x2001d040 = 0;
+  *(uint64_t*)0x2001d048 = 0;
+  *(uint64_t*)0x2001d050 = 0;
+  *(uint32_t*)0x2001d058 = 0;
+  *(uint32_t*)0x2001d05c = 0;
+  *(uint64_t*)0x2001d060 = 0;
+  *(uint32_t*)0x2001d068 = 0;
+  *(uint16_t*)0x2001d06c = 0;
+  *(uint16_t*)0x2001d06e = 0;
+  syscall(__NR_perf_event_open, 0x2001d000, 0, -1, -1, 0);
+  *(uint8_t*)0x2000a000 = -1;
+  *(uint8_t*)0x2000a001 = 0xe0;
+  *(uint8_t*)0x2000a002 = -1;
+  *(uint8_t*)0x2000a003 = -1;
+  *(uint8_t*)0x2000a004 = -1;
+  *(uint8_t*)0x2000a005 = -1;
+  *(uint8_t*)0x2000a006 = -1;
+  *(uint8_t*)0x2000a007 = -1;
+  *(uint8_t*)0x2000a008 = -1;
+  *(uint8_t*)0x2000a009 = -1;
+  *(uint8_t*)0x2000a00a = -1;
+  *(uint8_t*)0x2000a00b = -1;
+  *(uint16_t*)0x2000a00c = htobe16(0x800);
+  STORE_BY_BITMASK(uint8_t, 0x2000a00e, 5, 0, 4);
+  STORE_BY_BITMASK(uint8_t, 0x2000a00e, 4, 4, 4);
+  STORE_BY_BITMASK(uint8_t, 0x2000a00f, 0, 0, 2);
+  STORE_BY_BITMASK(uint8_t, 0x2000a00f, 0, 2, 6);
+  *(uint16_t*)0x2000a010 = htobe16(0xfec3);
+  *(uint16_t*)0x2000a012 = htobe16(0);
+  *(uint16_t*)0x2000a014 = htobe16(0);
+  *(uint8_t*)0x2000a016 = 0;
+  *(uint8_t*)0x2000a017 = 0;
+  *(uint16_t*)0x2000a018 = htobe16(0);
+  *(uint8_t*)0x2000a01a = 0xac;
+  *(uint8_t*)0x2000a01b = 0x14;
+  *(uint8_t*)0x2000a01c = -1;
+  *(uint8_t*)0x2000a01d = 0xbb;
+  *(uint32_t*)0x2000a01e = htobe32(0xe0000001);
+  *(uint16_t*)0x2000a022 = htobe16(0);
+  *(uint16_t*)0x2000a024 = htobe16(0);
+  *(uint16_t*)0x2000a026 = htobe16(8);
+  *(uint16_t*)0x2000a028 = htobe16(0);
+  struct csum_inet csum_1;
+  csum_inet_init(&csum_1);
+  csum_inet_update(&csum_1, (const uint8_t*)0x0, 4);
+  csum_inet_update(&csum_1, (const uint8_t*)0x0, 4);
+  uint16_t csum_1_chunk_2 = 0x1100;
+  csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2);
+  uint16_t csum_1_chunk_3 = 0x800;
+  csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2);
+  csum_inet_update(&csum_1, (const uint8_t*)0x0, 8);
+  *(uint16_t*)0x2000a028 = csum_inet_digest(&csum_1);
+  struct csum_inet csum_2;
+  csum_inet_init(&csum_2);
+  csum_inet_update(&csum_2, (const uint8_t*)0x2000a00e, 20);
+  *(uint16_t*)0x2000a018 = csum_inet_digest(&csum_2);
+  *(uint32_t*)0x2001d000 = 1;
+  *(uint32_t*)0x2001d004 = 0x70;
+  *(uint8_t*)0x2001d008 = 0;
+  *(uint8_t*)0x2001d009 = 0;
+  *(uint8_t*)0x2001d00a = 0;
+  *(uint8_t*)0x2001d00b = 0;
+  *(uint32_t*)0x2001d00c = 0;
+  *(uint64_t*)0x2001d010 = 0x7f;
+  *(uint64_t*)0x2001d018 = 0;
+  *(uint64_t*)0x2001d020 = 0;
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 0, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 1, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 2, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 3, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 4, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0x81, 5, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 6, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 7, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 8, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 9, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 10, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 11, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 12, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 13, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 14, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 15, 2);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 17, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 18, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 19, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 20, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 21, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 22, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 23, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 24, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 25, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 26, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 27, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 28, 1);
+  STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 29, 35);
+  *(uint32_t*)0x2001d030 = 0;
+  *(uint32_t*)0x2001d034 = 0;
+  *(uint64_t*)0x2001d038 = 0x20abe000;
+  *(uint64_t*)0x2001d040 = 0;
+  *(uint64_t*)0x2001d048 = 0;
+  *(uint64_t*)0x2001d050 = 0;
+  *(uint32_t*)0x2001d058 = 0;
+  *(uint32_t*)0x2001d05c = 0;
+  *(uint64_t*)0x2001d060 = 0;
+  *(uint32_t*)0x2001d068 = 0;
+  *(uint16_t*)0x2001d06c = 0;
+  *(uint16_t*)0x2001d06e = 0;
+  syscall(__NR_perf_event_open, 0x2001d000, 0, -1, -1, 0);
+  syscall(__NR_setsockopt, -1, 0x29, 0x36, 0x20000480, 1);
+  *(uint32_t*)0x20000180 = 0;
+  *(uint16_t*)0x20000184 = 0x18;
+  *(uint16_t*)0x20000186 = 0xfa00;
+  *(uint64_t*)0x20000188 = 1;
+  *(uint64_t*)0x20000190 = 0x20000140;
+  *(uint16_t*)0x20000198 = 2;
+  *(uint8_t*)0x2000019a = 0xf;
+  *(uint8_t*)0x2000019b = 0;
+  *(uint8_t*)0x2000019c = 0;
+  *(uint8_t*)0x2000019d = 0;
+  *(uint8_t*)0x2000019e = 0;
+  *(uint8_t*)0x2000019f = 0;
+  syscall(__NR_write, 0xffffff9c, 0x20000180, 0x20);
+  *(uint64_t*)0x200003c0 = 0x20000280;
+  *(uint16_t*)0x20000280 = 0x10;
+  *(uint16_t*)0x20000282 = 0;
+  *(uint32_t*)0x20000284 = 0;
+  *(uint32_t*)0x20000288 = -1;
+  *(uint32_t*)0x200003c8 = 0xc;
+  *(uint64_t*)0x200003d0 = 0x20000340;
+  *(uint64_t*)0x20000340 = 0x20000300;
+  *(uint32_t*)0x20000300 = 0x14;
+  *(uint16_t*)0x20000304 = 0;
+  *(uint16_t*)0x20000306 = 4;
+  *(uint32_t*)0x20000308 = 0;
+  *(uint32_t*)0x2000030c = 0x25dfdbfb;
+  *(uint8_t*)0x20000310 = 5;
+  *(uint8_t*)0x20000311 = 0;
+  *(uint16_t*)0x20000312 = 0;
+  *(uint64_t*)0x20000348 = 0x14;
+  *(uint64_t*)0x200003d8 = 1;
+  *(uint64_t*)0x200003e0 = 0;
+  *(uint64_t*)0x200003e8 = 0;
+  *(uint32_t*)0x200003f0 = 0;
+  syscall(__NR_sendmsg, -1, 0x200003c0, 0x40000);
+  *(uint16_t*)0x20000000 = 2;
+  *(uint16_t*)0x20000002 = htobe16(0x4e20);
+  *(uint8_t*)0x20000004 = 0xac;
+  *(uint8_t*)0x20000005 = 0x14;
+  *(uint8_t*)0x20000006 = 0x14;
+  *(uint8_t*)0x20000007 = 0x18;
+  *(uint8_t*)0x20000008 = 0;
+  *(uint8_t*)0x20000009 = 0;
+  *(uint8_t*)0x2000000a = 0;
+  *(uint8_t*)0x2000000b = 0;
+  *(uint8_t*)0x2000000c = 0;
+  *(uint8_t*)0x2000000d = 0;
+  *(uint8_t*)0x2000000e = 0;
+  *(uint8_t*)0x2000000f = 0;
+  syscall(__NR_connect, -1, 0x20000000, 0x10);
+  *(uint32_t*)0x20000880 = 0;
+  syscall(__NR_ioctl, -1, 0x800442d4, 0x20000880);
+  *(uint64_t*)0x20000dc0 = 0x200004c0;
+  *(uint16_t*)0x200004c0 = 0x18;
+  *(uint32_t*)0x200004c2 = 0;
+  *(uint16_t*)0x200004c6 = 3;
+  *(uint8_t*)0x200004c8 = 0xaa;
+  *(uint8_t*)0x200004c9 = 0xaa;
+  *(uint8_t*)0x200004ca = 0xaa;
+  *(uint8_t*)0x200004cb = 0xaa;
+  *(uint8_t*)0x200004cc = 0xaa;
+  *(uint8_t*)0x200004cd = 0xaa;
+  memcpy((void*)0x200004ce,
+         "\x79\x61\x6d\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+         16);
+  *(uint32_t*)0x20000dc8 = 0x80;
+  *(uint64_t*)0x20000dd0 = 0x200007c0;
+  *(uint64_t*)0x200007c0 = 0x20000700;
+  *(uint64_t*)0x200007c8 = 0;
+  *(uint64_t*)0x20000dd8 = 1;
+  *(uint64_t*)0x20000de0 = 0x20000e00;
+  *(uint64_t*)0x20000de8 = 0;
+  *(uint32_t*)0x20000df0 = 0x840;
+  syscall(__NR_sendmsg, -1, 0x20000dc0, 0x80);
+  *(uint32_t*)0x20000840 = 0;
+  syscall(__NR_setsockopt, -1, 0x84, 4, 0x20000840, 4);
+  memcpy((void*)0x20000600, "/dev/rtc0", 10);
+  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000600, 0x100000542, 0);
+  *(uint32_t*)0x20000040 = 1;
+  *(uint32_t*)0x20000044 = 0x70;
+  *(uint8_t*)0x20000048 = 0;
+  *(uint8_t*)0x20000049 = 0;
+  *(uint8_t*)0x2000004a = 0;
+  *(uint8_t*)0x2000004b = 0;
+  *(uint32_t*)0x2000004c = 0;
+  *(uint64_t*)0x20000050 = 0x50d;
+  *(uint64_t*)0x20000058 = 0;
+  *(uint64_t*)0x20000060 = 0;
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 0, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 1, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 2, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 3, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 4, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0xffff, 5, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 6, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 7, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 8, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 9, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 10, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 11, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 12, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 13, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 14, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 15, 2);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 17, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 18, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 19, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 20, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 21, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 22, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 23, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 24, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 25, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 26, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 27, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 28, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 29, 35);
+  *(uint32_t*)0x20000070 = 0;
+  *(uint32_t*)0x20000074 = 0;
+  *(uint64_t*)0x20000078 = 0x20000000;
+  *(uint64_t*)0x20000080 = 0;
+  *(uint64_t*)0x20000088 = 0;
+  *(uint64_t*)0x20000090 = 0;
+  *(uint32_t*)0x20000098 = 0;
+  *(uint32_t*)0x2000009c = 0;
+  *(uint64_t*)0x200000a0 = 0;
+  *(uint32_t*)0x200000a8 = 0;
+  *(uint16_t*)0x200000ac = 0;
+  *(uint16_t*)0x200000ae = 0;
+  syscall(__NR_perf_event_open, 0x20000040, 0, -1, -1, 0);
+  memcpy((void*)0x20000300, "/dev/loop#", 11);
+  res = syz_open_dev(0x20000300, 0x252, 0x82);
+  if (res != -1)
+    r[1] = res;
+  *(uint32_t*)0x20000880 = 0;
+  syscall(__NR_ioctl, -1, 0x800442d4, 0x20000880);
+  memcpy((void*)0x200005c0, "cpuset.mems", 12);
+  syscall(__NR_openat, -1, 0x200005c0, 2, 0);
+  syscall(__NR_ioctl, r[1], 0x4c00, -1);
+  memcpy((void*)0x20000540, "user", 5);
+  *(uint8_t*)0x20000580 = 0x73;
+  *(uint8_t*)0x20000581 = 0x79;
+  *(uint8_t*)0x20000582 = 0x7a;
+  *(uint8_t*)0x20000583 = 0x23;
+  *(uint8_t*)0x20000584 = 0;
+  res =
+      syscall(__NR_add_key, 0x20000540, 0x20000580, 0x20000640, 0, 0xfffffffd);
+  if (res != -1)
+    r[2] = res;
+  syscall(__NR_keyctl, 0xd, r[2], 0xe0, 0);
+  syscall(__NR_write, -1, 0x200008c0, 0);
+  *(uint32_t*)0x20000800 = 0;
+  *(uint32_t*)0x20000804 = 0x400;
+  *(uint32_t*)0x20000808 = 3;
+  *(uint32_t*)0x2000080c = 4;
+  syscall(__NR_setsockopt, -1, 0x84, 0, 0x20000800, 0x10);
+  memcpy((void*)0x20000600, "/dev/rtc0", 10);
+  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000600, 0x100000542, 0);
+  syscall(__NR_write, -1, 0x20000100, 0);
+  syscall(__NR_mmap, 0x20000000, 0x7000, 0x80000000007, 0x11, -1, 0);
+  memcpy((void*)0x20000a80, "./file0", 8);
+  memcpy((void*)0x20000a40, "ramfs", 6);
+  syscall(__NR_mount, 0x20000ac0, 0x20000a80, 0x20000a40, 0, 0x20000b80);
+  memcpy((void*)0x20000280, "cpuacct.usage_user", 19);
+  res = syscall(__NR_openat, 0xffffff9c, 0x20000280, 0, 0);
+  if (res != -1)
+    r[3] = res;
+  memcpy((void*)0x200008c0,
+         "\x29\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"
+         "\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x40\x00\x00\x00\x00\x00\x00"
+         "\x00\x00\x00\x00\x00\x00\x00\x69\x12\x7f\xbc\xda\xb5\x6d\x0f\x1f\x4c"
+         "\xb2\x06\x00\x00\x00\x00\x00\x00\x21\xb0\xc9\xe0\x6e",
+         64);
+  syscall(__NR_write, r[3], 0x200008c0, 0x40);
+  memcpy((void*)0x200001c0, "./file0", 8);
+  syscall(__NR_mkdir, 0x200001c0, 0);
+  *(uint32_t*)0x20000040 = 1;
+  *(uint32_t*)0x20000044 = 0x70;
+  *(uint8_t*)0x20000048 = 0;
+  *(uint8_t*)0x20000049 = 0;
+  *(uint8_t*)0x2000004a = 0;
+  *(uint8_t*)0x2000004b = 0;
+  *(uint32_t*)0x2000004c = 0;
+  *(uint64_t*)0x20000050 = 0x50d;
+  *(uint64_t*)0x20000058 = 0;
+  *(uint64_t*)0x20000060 = 0;
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 0, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 1, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 2, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 3, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 4, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0xffff, 5, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 6, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 7, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 8, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 9, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 10, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 11, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 12, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 13, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 14, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 15, 2);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 17, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 18, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 19, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 20, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 21, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 22, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 23, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 24, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 25, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 26, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 27, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 28, 1);
+  STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 29, 35);
+  *(uint32_t*)0x20000070 = 0;
+  *(uint32_t*)0x20000074 = 0;
+  *(uint64_t*)0x20000078 = 0x20000000;
+  *(uint64_t*)0x20000080 = 0;
+  *(uint64_t*)0x20000088 = 0;
+  *(uint64_t*)0x20000090 = 0;
+  *(uint32_t*)0x20000098 = 0;
+  *(uint32_t*)0x2000009c = 0;
+  *(uint64_t*)0x200000a0 = 0;
+  *(uint32_t*)0x200000a8 = 0;
+  *(uint16_t*)0x200000ac = 0;
+  *(uint16_t*)0x200000ae = 0;
+  syscall(__NR_perf_event_open, 0x20000040, 0, -1, -1, 0);
+  *(uint32_t*)0x200002c0 = 0;
+  *(uint16_t*)0x200002c4 = -1;
+  *(uint16_t*)0x200002c6 = 0x20;
+  syscall(__NR_setsockopt, r[3], 0x84, 0x79, 0x200002c0, 8);
+  memcpy((void*)0x20000380,
+         "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x76\x8e"
+         "\x05\xf7\xc1\x55\xad\x7d\xc6\x94\x7c\x57\x3e\x5a\x69\x24\x4e\x76\x38"
+         "\x2c\x0a\xa6\x3d\x57\x5e\xa3\x59\x7f\x8b\x17\x28\x27\x7e\xf7\x6b\x30"
+         "\x54\x4d\x7b\xa9\x2d\xcf\x97\x8f\x1f\x81\xdc\x1b\x7f\x8f\x7b\x34\x51"
+         "\xda\xda\x02\xec\xb4\xf1\xdd\xcc\x8b\x52\x41\xda\x89\x45\x66\x6e\x00"
+         "\x73\xc2\x5a\x62\x01\x00\x4d\xbe\xa3\x7a\xab\xd3\xeb\x98\x88\xc4\xc6"
+         "\x29\x41\x9f\x50\x93\x7a\x68\x48\xe0\xd2\x81\xe4\xee\x56\x8c\x4d\xe9"
+         "\xa0\x36\xc2\x6f\x19\x22\xf6\x49\x71\xd4\xdf\x97\xfb\xab\x04\xe8\xce"
+         "\x49\x38\xb3\x1d\xcf\x25\x9b\x4b\xc6\x09\x01\xe1\x86\x61\xfa\xb8\xfb"
+         "\x29\x88\xcd\x2b\xc2\x60\xc2\xf5\x72\x35\x3e\x6b\xb0\xa0\x02\xfc\x16"
+         "\x4d\x4f\x18\x9b\x06\x80\x62\xd1\x01\x00\x00\x00\x00\x00\x00\x00\x40"
+         "\x0c\x0c\x4c\xa5\x7b\x54\x6b\x94\x30\x17\x2e\xa5\x36\x2e\xe0\x14\x1b"
+         "\x3d\xf0\x6a\xd2\x35\xe8\x15\xd8\x9e\xea\xd3\xd9\x47\x34\x09\xc0\x9c"
+         "\x2e\x27\xa9\x52\x33\x7a\x24\xf2\x01\x88\xc0\x13\x12\x3c\xc0\x31\x6a"
+         "\x33\xd8\xb4\x43\x45\x37\x73\xe4\xa0\x9e\xdd\x80\x31\x12\x4d\xee\x13"
+         "\xce\x9c\x75\x28\x8f\x2e\xc8\x33\xc7\xe6\x6a\xf5\xb1\x9a\x00\x00\x00"
+         "\x00\x00\x00\x00",
+         276);
+  syscall(__NR_memfd_create, 0x20000380, 0);
+  syscall(__NR_keyctl, 0xd, 0, 0xe0, 0);
+  *(uint64_t*)0x20000000 = 0x39043;
+  syscall(__NR_sendfile, -1, -1, 0x20000000, 0x2000005);
+  *(uint64_t*)0x20000080 = 0;
+  *(uint64_t*)0x20000088 = 0x4004400;
+  syscall(__NR_ioctl, -1, 0x127f, 0x20000080);
+  syscall(__NR_shmat, 0, 0x206b5000, 0x5000);
+  memcpy((void*)0x20000040, "cpu.stat", 9);
+  syscall(__NR_openat, -1, 0x20000040, 0, 0);
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00b395ed1c95e10c5623e185b2e3d5912cd72f63.c b/syzkaller-repros/linux/00b395ed1c95e10c5623e185b2e3d5912cd72f63.c
new file mode 100644
index 0000000..022e958
--- /dev/null
+++ b/syzkaller-repros/linux/00b395ed1c95e10c5623e185b2e3d5912cd72f63.c
@@ -0,0 +1,259 @@
+// memory leak in device_add
+// https://syzkaller.appspot.com/bug?id=00b395ed1c95e10c5623e185b2e3d5912cd72f63
+// status:invalid
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static int inject_fault(int nth)
+{
+  int fd;
+  fd = open("/proc/thread-self/fail-nth", O_RDWR);
+  if (fd == -1)
+    exit(1);
+  char buf[16];
+  sprintf(buf, "%d", nth + 1);
+  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
+    exit(1);
+  return fd;
+}
+
+static void setup_fault()
+{
+  static struct {
+    const char* file;
+    const char* val;
+    bool fatal;
+  } files[] = {
+      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
+      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
+      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
+      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
+      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
+    if (!write_file(files[i].file, files[i].val)) {
+      if (files[i].fatal)
+        exit(1);
+    }
+  }
+}
+
+#define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"
+
+static void setup_leak()
+{
+  if (!write_file(KMEMLEAK_FILE, "scan"))
+    exit(1);
+  sleep(5);
+  if (!write_file(KMEMLEAK_FILE, "scan"))
+    exit(1);
+  if (!write_file(KMEMLEAK_FILE, "clear"))
+    exit(1);
+}
+
+static void check_leaks(void)
+{
+  int fd = open(KMEMLEAK_FILE, O_RDWR);
+  if (fd == -1)
+    exit(1);
+  uint64_t start = current_time_ms();
+  if (write(fd, "scan", 4) != 4)
+    exit(1);
+  sleep(1);
+  while (current_time_ms() - start < 4 * 1000)
+    sleep(1);
+  if (write(fd, "scan", 4) != 4)
+    exit(1);
+  static char buf[128 << 10];
+  ssize_t n = read(fd, buf, sizeof(buf) - 1);
+  if (n < 0)
+    exit(1);
+  int nleaks = 0;
+  if (n != 0) {
+    sleep(1);
+    if (write(fd, "scan", 4) != 4)
+      exit(1);
+    if (lseek(fd, 0, SEEK_SET) < 0)
+      exit(1);
+    n = read(fd, buf, sizeof(buf) - 1);
+    if (n < 0)
+      exit(1);
+    buf[n] = 0;
+    char* pos = buf;
+    char* end = buf + n;
+    while (pos < end) {
+      char* next = strstr(pos + 1, "unreferenced object");
+      if (!next)
+        next = end;
+      char prev = *next;
+      *next = 0;
+      fprintf(stderr, "BUG: memory leak\n%s\n", pos);
+      *next = prev;
+      pos = next;
+      nleaks++;
+    }
+  }
+  if (write(fd, "clear", 5) != 5)
+    exit(1);
+  close(fd);
+  if (nleaks)
+    exit(1);
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  setup_leak();
+  setup_fault();
+  install_segv_handler();
+  use_temporary_dir();
+  intptr_t res = 0;
+  res = syscall(__NR_socket, 0x10, 3, 0);
+  if (res != -1)
+    r[0] = res;
+  syscall(__NR_socketpair, 1, 2, 0, 0);
+  syscall(__NR_ioctl, -1, 0x8912, 0x400200);
+  NONFAILING(*(uint64_t*)0x20000580 = 0);
+  NONFAILING(*(uint32_t*)0x20000588 = 0xc8);
+  NONFAILING(*(uint64_t*)0x20000590 = 0x20000000);
+  NONFAILING(*(uint64_t*)0x20000000 = 0x20000140);
+  NONFAILING(*(uint32_t*)0x20000140 = 0x50);
+  NONFAILING(*(uint16_t*)0x20000144 = 0x10);
+  NONFAILING(*(uint16_t*)0x20000146 = 0x705);
+  NONFAILING(*(uint32_t*)0x20000148 = 0);
+  NONFAILING(*(uint32_t*)0x2000014c = 0);
+  NONFAILING(*(uint8_t*)0x20000150 = 0);
+  NONFAILING(*(uint8_t*)0x20000151 = 0);
+  NONFAILING(*(uint16_t*)0x20000152 = 0);
+  NONFAILING(*(uint32_t*)0x20000154 = 0);
+  NONFAILING(*(uint32_t*)0x20000158 = 0);
+  NONFAILING(*(uint32_t*)0x2000015c = 0);
+  NONFAILING(*(uint16_t*)0x20000160 = 8);
+  NONFAILING(*(uint16_t*)0x20000162 = 0xd);
+  NONFAILING(*(uint8_t*)0x20000164 = 0);
+  NONFAILING(*(uint16_t*)0x20000168 = 0x28);
+  NONFAILING(*(uint16_t*)0x2000016a = 0x12);
+  NONFAILING(*(uint16_t*)0x2000016c = 0xc);
+  NONFAILING(*(uint16_t*)0x2000016e = 1);
+  NONFAILING(memcpy((void*)0x20000170, "veth\000", 5));
+  NONFAILING(*(uint16_t*)0x20000178 = 0x18);
+  NONFAILING(*(uint16_t*)0x2000017a = 2);
+  NONFAILING(*(uint16_t*)0x2000017c = 0x14);
+  NONFAILING(*(uint16_t*)0x2000017e = 1);
+  NONFAILING(*(uint8_t*)0x20000180 = 0);
+  NONFAILING(*(uint8_t*)0x20000181 = 0);
+  NONFAILING(*(uint16_t*)0x20000182 = 0);
+  NONFAILING(*(uint32_t*)0x20000184 = 0);
+  NONFAILING(*(uint32_t*)0x20000188 = 0);
+  NONFAILING(*(uint32_t*)0x2000018c = 0);
+  NONFAILING(*(uint64_t*)0x20000008 = 0x50);
+  NONFAILING(*(uint64_t*)0x20000598 = 1);
+  NONFAILING(*(uint64_t*)0x200005a0 = 0);
+  NONFAILING(*(uint64_t*)0x200005a8 = 0);
+  NONFAILING(*(uint32_t*)0x200005b0 = 0);
+  inject_fault(92);
+  syscall(__NR_sendmsg, r[0], 0x20000580, 0);
+  check_leaks();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00b4820daa16ea0528aeef6e4d85ab4c96a8a68a.c b/syzkaller-repros/linux/00b4820daa16ea0528aeef6e4d85ab4c96a8a68a.c
new file mode 100644
index 0000000..11747cb
--- /dev/null
+++ b/syzkaller-repros/linux/00b4820daa16ea0528aeef6e4d85ab4c96a8a68a.c
@@ -0,0 +1,1120 @@
+// WARNING in enter_vmx_operation
+// https://syzkaller.appspot.com/bug?id=00b4820daa16ea0528aeef6e4d85ab4c96a8a68a
+// status:fixed
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if_arp.h>
+#include <pthread.h>
+#include <sched.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/if_tun.h>
+#include <linux/ip.h>
+#include <linux/kvm.h>
+#include <linux/tcp.h>
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  if (pthread_create(&th, &attr, fn, arg))
+    exit(1);
+  pthread_attr_destroy(&attr);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+static void vsnprintf_check(char* str, size_t size, const char* format,
+                            va_list args)
+{
+  int rv;
+  rv = vsnprintf(str, size, format, args);
+  if (rv < 0)
+    exit(1);
+  if ((size_t)rv >= size)
+    exit(1);
+}
+
+#define COMMAND_MAX_LEN 128
+#define PATH_PREFIX                                                            \
+  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
+#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)
+
+static void execute_command(bool panic, const char* format, ...)
+{
+  va_list args;
+  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
+  int rv;
+  va_start(args, format);
+  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
+  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
+  va_end(args);
+  rv = system(command);
+  if (rv) {
+    if (panic)
+      exit(1);
+  }
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define TUN_IFACE "syz_tun"
+
+#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
+#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
+
+#define LOCAL_IPV4 "172.20.20.170"
+#define REMOTE_IPV4 "172.20.20.187"
+
+#define LOCAL_IPV6 "fe80::aa"
+#define REMOTE_IPV6 "fe80::bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(void)
+{
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+  const int kTunFd = 240;
+  if (dup2(tunfd, kTunFd) < 0)
+    exit(1);
+  close(tunfd);
+  tunfd = kTunFd;
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      exit(1);
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    exit(1);
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+  execute_command(0, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE);
+  execute_command(0, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
+                  TUN_IFACE);
+  execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC);
+  execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE);
+  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
+                  REMOTE_IPV4, REMOTE_MAC, TUN_IFACE);
+  execute_command(0, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE);
+  execute_command(0, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
+                  REMOTE_IPV6, REMOTE_MAC, TUN_IFACE);
+  execute_command(1, "ip link set dev %s up", TUN_IFACE);
+}
+
+#define DEV_IPV4 "172.20.20.%d"
+#define DEV_IPV6 "fe80::%02hx"
+#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"
+
+static void snprintf_check(char* str, size_t size, const char* format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  vsnprintf_check(str, size, format, args);
+  va_end(args);
+}
+static void initialize_netdevices(void)
+{
+  unsigned i;
+  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
+  const char* devnames[] = {"lo",
+                            "sit0",
+                            "bridge0",
+                            "vcan0",
+                            "tunl0",
+                            "gre0",
+                            "gretap0",
+                            "ip_vti0",
+                            "ip6_vti0",
+                            "ip6tnl0",
+                            "ip6gre0",
+                            "ip6gretap0",
+                            "erspan0",
+                            "bond0",
+                            "veth0",
+                            "veth1",
+                            "team0",
+                            "veth0_to_bridge",
+                            "veth1_to_bridge",
+                            "veth0_to_bond",
+                            "veth1_to_bond",
+                            "veth0_to_team",
+                            "veth1_to_team"};
+  const char* devmasters[] = {"bridge", "bond", "team"};
+  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
+    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
+  execute_command(0, "ip link add type veth");
+  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
+    execute_command(
+        0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
+        devmasters[i], devmasters[i]);
+    execute_command(
+        0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
+        devmasters[i], devmasters[i]);
+    execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
+                    devmasters[i]);
+    execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
+                    devmasters[i]);
+    execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
+    execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
+  }
+  execute_command(0, "ip link set bridge_slave_0 up");
+  execute_command(0, "ip link set bridge_slave_1 up");
+  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
+    char addr[32];
+    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
+    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
+    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
+    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
+    execute_command(0, "ip link set dev %s up", devnames[i]);
+  }
+}
+
+static long syz_kvm_setup_cpu(long a0, long a1, long a2, long a3, long a4,
+                              long a5, long a6, long a7)
+{
+  return 0;
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 160 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_tun();
+  initialize_netdevices();
+  loop();
+  exit(1);
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void loop(void)
+{
+  int i, call, thread;
+  int collide = 0;
+again:
+  for (call = 0; call < 7; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      if (collide && (call % 2) == 0)
+        break;
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+  if (!collide) {
+    collide = 1;
+    goto again;
+  }
+}
+
+uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    NONFAILING(memcpy((void*)0x20000200, "/dev/kvm", 9));
+    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000200, 0, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 1:
+    res = syscall(__NR_ioctl, r[0], 0xae01, 0);
+    if (res != -1)
+      r[1] = res;
+    break;
+  case 2:
+    res = syscall(__NR_ioctl, r[1], 0xae41, 0);
+    if (res != -1)
+      r[2] = res;
+    break;
+  case 3:
+    NONFAILING(*(uint8_t*)0x200000c0 = 0);
+    NONFAILING(*(uint8_t*)0x200000c1 = 0);
+    NONFAILING(*(uint8_t*)0x200000c2 = 0);
+    NONFAILING(*(uint8_t*)0x200000c3 = 0);
+    NONFAILING(*(uint32_t*)0x200000c4 = 0);
+    NONFAILING(*(uint8_t*)0x200000c8 = 0);
+    NONFAILING(*(uint8_t*)0x200000c9 = 0);
+    NONFAILING(*(uint8_t*)0x200000ca = 0);
+    NONFAILING(*(uint8_t*)0x200000cb = 0);
+    NONFAILING(*(uint8_t*)0x200000cc = 0);
+    NONFAILING(*(uint8_t*)0x200000cd = 0);
+    NONFAILING(*(uint8_t*)0x200000ce = 0);
+    NONFAILING(*(uint8_t*)0x200000cf = 0);
+    NONFAILING(*(uint32_t*)0x200000d0 = 0);
+    NONFAILING(*(uint32_t*)0x200000d4 = 9);
+    NONFAILING(*(uint8_t*)0x200000d8 = 0);
+    NONFAILING(*(uint8_t*)0x200000d9 = 0x4d);
+    NONFAILING(*(uint8_t*)0x200000da = 0);
+    NONFAILING(*(uint8_t*)0x200000db = 0);
+    syscall(__NR_ioctl, r[2], 0x4040aea0, 0x200000c0);
+    break;
+  case 4:
+    NONFAILING(*(uint64_t*)0x20000100 = 0x40);
+    NONFAILING(*(uint64_t*)0x20000108 = 0x20000500);
+    NONFAILING(
+        memcpy((void*)0x20000500,
+               "\x0f\x08\x66\xb8\xed\x00\x8e\xc0\x66\xba\x40\x00\xb0\x00\xee"
+               "\xd2\xa8\x07\x00\x00\x00\x41\x0f\x01\xca\xb9\x8e\x0b\x00\x00"
+               "\xb8\x62\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\xb9\x0b\x08"
+               "\x00\x00\x0f\x32\x0f\xc7\x2a\x8f\x2a\x60\x12\x8f\x00\x00\x00"
+               "\x00\x00\x30\x00\x00\x0f\xc7\xaa\x00\x10\x00\x00",
+               72));
+    NONFAILING(*(uint64_t*)0x20000110 = 0x48);
+    syz_kvm_setup_cpu(-1, r[2], 0x20000000, 0x20000100, 1, -1, 0x20000000, 0);
+    break;
+  case 5:
+    syscall(__NR_ioctl, r[2], 0xae80, 0);
+    break;
+  case 6:
+    NONFAILING(*(uint16_t*)0x20000580 = 3);
+    NONFAILING(*(uint16_t*)0x20000582 = 0);
+    NONFAILING(*(uint32_t*)0x20000584 = 0x2080);
+    NONFAILING(*(uint64_t*)0x20000588 = 0x1000);
+    NONFAILING(*(uint64_t*)0x20000590 = 0x100000);
+    NONFAILING(*(uint16_t*)0x20000598 = 2);
+    NONFAILING(*(uint8_t*)0x200005a0 = 0);
+    NONFAILING(*(uint8_t*)0x200005a1 = 0);
+    NONFAILING(*(uint8_t*)0x200005a2 = 0);
+    NONFAILING(*(uint8_t*)0x200005a3 = 0);
+    NONFAILING(*(uint8_t*)0x200005a4 = 0);
+    NONFAILING(*(uint8_t*)0x200005a5 = 0);
+    NONFAILING(*(uint8_t*)0x200005a6 = 0);
+    NONFAILING(*(uint8_t*)0x200005a7 = 0);
+    NONFAILING(*(uint8_t*)0x200005a8 = 0);
+    NONFAILING(*(uint8_t*)0x200005a9 = 0);
+    NONFAILING(*(uint8_t*)0x200005aa = 0);
+    NONFAILING(*(uint8_t*)0x200005ab = 0);
+    NONFAILING(*(uint8_t*)0x200005ac = 0);
+    NONFAILING(*(uint8_t*)0x200005ad = 0);
+    NONFAILING(*(uint8_t*)0x200005ae = 0);
+    NONFAILING(*(uint8_t*)0x200005af = 0);
+    NONFAILING(*(uint8_t*)0x200005b0 = 0);
+    NONFAILING(*(uint8_t*)0x200005b1 = 0);
+    NONFAILING(*(uint8_t*)0x200005b2 = 0);
+    NONFAILING(*(uint8_t*)0x200005b3 = 0);
+    NONFAILING(*(uint8_t*)0x200005b4 = 0);
+    NONFAILING(*(uint8_t*)0x200005b5 = 0);
+    NONFAILING(*(uint8_t*)0x200005b6 = 0);
+    NONFAILING(*(uint8_t*)0x200005b7 = 0);
+    NONFAILING(*(uint8_t*)0x200005b8 = 0);
+    NONFAILING(*(uint8_t*)0x200005b9 = 0);
+    NONFAILING(*(uint8_t*)0x200005ba = 0);
+    NONFAILING(*(uint8_t*)0x200005bb = 0);
+    NONFAILING(*(uint8_t*)0x200005bc = 0);
+    NONFAILING(*(uint8_t*)0x200005bd = 0);
+    NONFAILING(*(uint8_t*)0x200005be = 0);
+    NONFAILING(*(uint8_t*)0x200005bf = 0);
+    NONFAILING(*(uint8_t*)0x200005c0 = 0);
+    NONFAILING(*(uint8_t*)0x200005c1 = 0);
+    NONFAILING(*(uint8_t*)0x200005c2 = 0);
+    NONFAILING(*(uint8_t*)0x200005c3 = 0);
+    NONFAILING(*(uint8_t*)0x200005c4 = 0);
+    NONFAILING(*(uint8_t*)0x200005c5 = 0);
+    NONFAILING(*(uint8_t*)0x200005c6 = 0);
+    NONFAILING(*(uint8_t*)0x200005c7 = 0);
+    NONFAILING(*(uint8_t*)0x200005c8 = 0);
+    NONFAILING(*(uint8_t*)0x200005c9 = 0);
+    NONFAILING(*(uint8_t*)0x200005ca = 0);
+    NONFAILING(*(uint8_t*)0x200005cb = 0);
+    NONFAILING(*(uint8_t*)0x200005cc = 0);
+    NONFAILING(*(uint8_t*)0x200005cd = 0);
+    NONFAILING(*(uint8_t*)0x200005ce = 0);
+    NONFAILING(*(uint8_t*)0x200005cf = 0);
+    NONFAILING(*(uint8_t*)0x200005d0 = 0);
+    NONFAILING(*(uint8_t*)0x200005d1 = 0);
+    NONFAILING(*(uint8_t*)0x200005d2 = 0);
+    NONFAILING(*(uint8_t*)0x200005d3 = 0);
+    NONFAILING(*(uint8_t*)0x200005d4 = 0);
+    NONFAILING(*(uint8_t*)0x200005d5 = 0);
+    NONFAILING(*(uint8_t*)0x200005d6 = 0);
+    NONFAILING(*(uint8_t*)0x200005d7 = 0);
+    NONFAILING(*(uint8_t*)0x200005d8 = 0);
+    NONFAILING(*(uint8_t*)0x200005d9 = 0);
+    NONFAILING(*(uint8_t*)0x200005da = 0);
+    NONFAILING(*(uint8_t*)0x200005db = 0);
+    NONFAILING(*(uint8_t*)0x200005dc = 0);
+    NONFAILING(*(uint8_t*)0x200005dd = 0);
+    NONFAILING(*(uint8_t*)0x200005de = 0);
+    NONFAILING(*(uint8_t*)0x200005df = 0);
+    NONFAILING(*(uint8_t*)0x200005e0 = 0);
+    NONFAILING(*(uint8_t*)0x200005e1 = 0);
+    NONFAILING(*(uint8_t*)0x200005e2 = 0);
+    NONFAILING(*(uint8_t*)0x200005e3 = 0);
+    NONFAILING(*(uint8_t*)0x200005e4 = 0);
+    NONFAILING(*(uint8_t*)0x200005e5 = 0);
+    NONFAILING(*(uint8_t*)0x200005e6 = 0);
+    NONFAILING(*(uint8_t*)0x200005e7 = 0);
+    NONFAILING(*(uint8_t*)0x200005e8 = 0);
+    NONFAILING(*(uint8_t*)0x200005e9 = 0);
+    NONFAILING(*(uint8_t*)0x200005ea = 0);
+    NONFAILING(*(uint8_t*)0x200005eb = 0);
+    NONFAILING(*(uint8_t*)0x200005ec = 0);
+    NONFAILING(*(uint8_t*)0x200005ed = 0);
+    NONFAILING(*(uint8_t*)0x200005ee = 0);
+    NONFAILING(*(uint8_t*)0x200005ef = 0);
+    NONFAILING(*(uint8_t*)0x200005f0 = 0);
+    NONFAILING(*(uint8_t*)0x200005f1 = 0);
+    NONFAILING(*(uint8_t*)0x200005f2 = 0);
+    NONFAILING(*(uint8_t*)0x200005f3 = 0);
+    NONFAILING(*(uint8_t*)0x200005f4 = 0);
+    NONFAILING(*(uint8_t*)0x200005f5 = 0);
+    NONFAILING(*(uint8_t*)0x200005f6 = 0);
+    NONFAILING(*(uint8_t*)0x200005f7 = 0);
+    NONFAILING(*(uint8_t*)0x200005f8 = 0);
+    NONFAILING(*(uint8_t*)0x200005f9 = 0);
+    NONFAILING(*(uint8_t*)0x200005fa = 0);
+    NONFAILING(*(uint8_t*)0x200005fb = 0);
+    NONFAILING(*(uint8_t*)0x200005fc = 0);
+    NONFAILING(*(uint8_t*)0x200005fd = 0);
+    NONFAILING(*(uint8_t*)0x200005fe = 0);
+    NONFAILING(*(uint8_t*)0x200005ff = 0);
+    NONFAILING(memcpy(
+        (void*)0x20000600,
+        "\x1c\xf4\x4f\xa3\xfc\x42\x54\xad\x02\x24\xb7\xc2\xbf\x8b\x0b\x7c\x87"
+        "\x70\x98\x43\x8b\xcb\x93\x91\xa7\x02\xc6\xc5\x21\xc4\x1a\x34\x64\xba"
+        "\x1c\xbe\x64\x4e\x28\xd2\x33\x59\x8d\x97\xa3\x42\x46\x95\xde\x04\x13"
+        "\x36\xa5\xcf\x30\x26\xdf\xe2\x91\xd7\x5a\x12\x75\x64\x72\x54\x6b\x13"
+        "\xb0\xab\x37\x70\x18\x27\x64\x50\x4f\xbc\xe8\xb0\xf6\xca\xd2\x7e\x2d"
+        "\xcc\xe0\xc6\x82\x6d\x03\xd8\xd7\x7f\xe9\x50\x26\x1b\xf5\x21\x35\x1d"
+        "\xd4\x99\x0a\x91\x4c\x74\x49\xf5\x73\x79\x8d\x27\x2b\x2f\x72\x29\x7f"
+        "\x59\x32\xa8\xc3\xfc\x18\xa6\xf6\x0c\x8e\x1a\x23\xc8\xc3\xe4\x09\x87"
+        "\x6d\xc5\xcf\x0d\xab\x7f\x38\xe2\x80\x7a\xcc\x2c\x81\x1f\x6e\xba\xa1"
+        "\x55\x29\x5f\xf9\x51\xf4\xc9\x97\x0d\xe1\xa9\x61\x7a\x69\x95\x30\x5c"
+        "\x13\x13\x36\xf2\xd3\x06\x30\x35\x17\x42\xd6\x71\x55\xd3\x48\x0c\x79"
+        "\x4a\x25\x64\xba\x6b\xe6\xc7\xc8\x6c\xd0\x7e\x9f\x4b\xce\xb9\xb5\xc8"
+        "\xc8\x97\x7f\x8f\x5e\xec\xb5\xf8\xc0\x4a\x25\x48\x09\x9a\xbf\x9e\x8a"
+        "\xec\xca\x2a\x6a\xd9\x08\x13\xe4\x2b\xc8\x70\xe7\xdd\x16\x85\xf1\x30"
+        "\x9a\x2e\xbf\x8e\x5d\x1f\xa8\x31\x6d\x46\xb0\x19\xb5\xff\xb0\x6d\xd1"
+        "\x7e\x19\x7b\xfe\xc3\x02\x8d\xc1\x1e\x7c\xbe\x55\xec\xb2\x24\x56\x93"
+        "\xae\x37\x9d\x9a\x0c\xdc\x16\x30\x20\x6b\xc7\x67\x4f\xa9\x95\x69\x20"
+        "\xbe\x38\xc6\x55\x81\x3e\x9e\xa8\x39\x0e\xa5\xb7\x10\x46\xdb\xa1\xa5"
+        "\xb0\x45\xfe\xaa\xc5\x0d\x0d\x65\x3c\xd7\x5b\xf7\x93\x5d\x47\x1c\xae"
+        "\x2a\x20\xe1\xdb\xbe\x4b\xc2\x08\x4a\x61\xee\x69\x0d\xe5\x2e\xbe\x79"
+        "\xed\xbe\x8e\xb0\x43\xb3\xa4\x1d\x2f\x7b\xed\xe4\xbf\x7d\xfc\x1d\x90"
+        "\x8e\x1c\x32\xa0\x2f\xac\x41\xc2\x56\x3f\x85\x65\x1c\xe8\x0d\x46\x9a"
+        "\x71\x6f\x2f\x87\x89\xd4\xe0\x47\x89\xb3\x42\x36\xee\x2a\x91\xa0\xfc"
+        "\x00\xb8\xa4\x37\xab\x15\xad\x4f\xd4\x1a\x36\x54\x3f\x73\x09\x5a\xfb"
+        "\x44\xe3\xf5\x74\x6e\xb6\x79\x2d\xc5\x35\x19\x52\x85\xf1\xbe\x98\x90"
+        "\x73\xdd\x47\x8a\xb4\xe7\x77\x2c\x9d\xd4\x59\xd8\x2a\x7b\xb9\x58\x49"
+        "\xdc\x04\xa9\x66\x22\x3d\x3d\xfe\xc1\x7b\xb9\x31\xd8\xa1\x56\xe4\x2a"
+        "\x66\x69\xe0\x9b\xca\x9f\x3f\x37\xd7\xa3\xe6\xc5\x48\x1b\x1f\xfb\x85"
+        "\xed\x64\x89\x3e\xda\xf5\x90\x2c\xc3\x20\x9d\x70\x9c\x48\xf8\x01\xc5"
+        "\x62\x74\xe5\x94\xa4\xe3\xde\xe4\x65\xd4\xff\xde\xd4\x1b\xb6\xdb\xbd"
+        "\xcb\x04\x89\xa1\xed\x70\xc7\x28\xe6\x5a\xb9\x45\x40\x38\x5f\x7a\xaa"
+        "\x2c\xb2\x5a\xd2\x87\x49\x42\xde\xc1\x8b\x5f\xa1\x51\xe1\x5c\x6f\x5c"
+        "\x36\xbb\x87\x74\x19\x99\xd0\x62\x37\x0f\x26\x24\x3c\xf6\xbe\x4c\x5d"
+        "\xaa\x7f\xb4\x7b\xc2\xbb\xe0\xc0\xb0\x74\xbd\xb5\x92\xa4\x88\x5f\xed"
+        "\xff\x92\x9d\x9b\x8b\xbf\x07\x55\x87\xe4\xbb\x12\x85\x46\x50\x41\xbb"
+        "\xae\xce\x29\x69\x4b\x1c\x98\x13\x64\x2f\xc0\x5b\x86\x02\x34\xd2\xba"
+        "\xbb\x42\x6c\x91\xd4\xfa\x75\x64\xa8\x3a\xf7\x74\x55\x57\xc0\x87\xe8"
+        "\x23\x20\xc4\x34\x67\xf5\xcd\x05\xdc\x8b\xa3\x40\x81\xda\x4c\x5b\x6f"
+        "\x6d\xa5\xc9\xbc\x1f\x2c\x17\x26\xdd\x68\xb8\x56\x6d\x94\xfa\xc2\xc7"
+        "\xdb\xe3\x4a\x7b\x92\xbd\x8a\x12\xc1\x29\x85\x49\x04\xeb\xab\x79\x73"
+        "\x23\xa9\x34\x44\x30\x57\x67\x70\xf7\x98\xb4\x46\x1f\x66\xb7\x40\x06"
+        "\x94\x4c\xb5\xc7\x74\x04\x0d\x92\x21\xbe\x0a\x77\xad\xc4\x85\x4b\xa5"
+        "\xbd\x26\xf9\x1c\xdf\xb0\x64\x68\x2e\x33\xa4\x39\x8b\x0b\x4a\x19\xe1"
+        "\x42\x0c\x60\xed\x29\xe4\xc3\x08\xfb\xbc\xac\x6d\x32\x0d\xea\x2d\xa7"
+        "\x05\x26\x46\x0a\xb8\xa6\x21\x12\x4b\x32\xda\x3e\xc5\xc6\xa8\xf2\x52"
+        "\xba\x2c\x0b\xf2\x75\x4d\x44\x59\x4e\xfb\x05\x5b\xf2\xe8\x51\xa9\xaf"
+        "\xc4\xfb\x3a\xa0\xe4\xc4\xe1\x1d\xfb\x2f\x66\x32\x8f\x66\x9c\x1a\xe6"
+        "\x91\xf4\x7b\xc6\xa3\x05\xe9\x8d\xad\x7b\x40\x27\x6a\xe9\x60\xec\xcd"
+        "\x48\xec\xb4\x48\xbe\x3f\xe1\xd9\xfc\xf7\xad\xb0\x10\x06\x21\x29\x25"
+        "\x65\xbe\x64\xe0\x43\x33\xa2\xbe\xd7\x36\x66\xee\x4f\xc1\x64\x17\xbc"
+        "\x0c\xa7\xc4\x0a\xe2\x3b\xd9\xbd\x54\x38\x51\x8c\x91\x9f\xc1\x4e\x04"
+        "\xbd\x3c\x90\x48\xe6\x09\x71\x85\xc6\x88\x85\x54\x09\xbd\x9f\xcf\xde"
+        "\x97\xd2\x72\x8d\xfd\x9b\x61\xc4\x0d\x3e\xa4\x17\x33\x8d\x1d\x15\x09"
+        "\x26\xc2\xc8\xfe\x42\x0d\xac\xdd\x4c\xb8\x2c\x49\xf1\xc7\xd8\xf6\x20"
+        "\x7c\x7a\x0a\x05\x93\x7b\x24\xab\x84\x25\x84\x66\x80\x8d\x76\xd5\x81"
+        "\x12\x9e\xec\x94\xdd\x80\x27\x97\xf7\xf0\xe7\xfe\x37\xc3\x7a\x5b\xbc"
+        "\x26\xc7\xc7\x63\xbf\x1d\x3c\x26\xed\xf4\xb5\x44\xd5\x3c\x98\x58\x70"
+        "\xb2\xd5\x0e\x0c\x06\xf9\x6a\x2a\x7b\x2e\x05\xa5\xe8\x1c\xf3\x0d\xd4"
+        "\x7a\x9d\x6e\x83\xd0\x22\xe6\x53\x93\xc0\xd4\xa1\x3a\x43\xaf\x81\xc5"
+        "\xf6\xf0\x5c\x34\x07\x5f\x39\x02\x7b\x04\x17\xa7\xb2\x16\x03\x5f\x9c"
+        "\x5e\x7e\x53\x0c\x3f\xd2\xf9\xa7\x03\x0a\xcb\x6a\xb2\xa3\x0e\x33\xa6"
+        "\x3a\x31\x58\xa9\xc7\xce\x25\x6f\xd4\x07\x54\x4e\x38\xf6\x91\xb8\xcb"
+        "\xec\x01\xfa\xfc\x1b\x9e\xf5\xba\xbe\x52\x13\x90\x99\xf9\x47\x37\xe4"
+        "\x86\xd1\x2b\x53\x69\x8a\xca\x31\xa9\xcc\x77\xc6\x15\xce\x72\x9f\xc6"
+        "\xc3\xd9\x18\x77\x68\x5c\xaf\x7e\x22\xf5\xf8\x73\x13\x85\xeb\xb5\xcd"
+        "\x09\x44\xa2\xca\xb5\x42\x12\x76\xd9\x8e\x12\x23\xb9\x54\x4a\x05\x05"
+        "\x2c\xd4\xd0\xaa\x64\x9b\x81\x19\xf5\xb4\xb3\xfc\xb8\x44\xf9\x94\xd5"
+        "\x4e\xff\x1a\x52\xd3\x45\xaa\xc3\x66\x22\xf7\xe1\x8b\xc5\x45\x13\xe8"
+        "\x77\x67\x35\xaa\x9c\x23\xc0\x9d\xbb\xcc\x8a\x01\xc2\xb3\x42\x98\xd8"
+        "\xc4\x07\x83\x79\x73\x00\xc2\x3e\x82\xd5\x18\x1a\x49\x83\x65\x74\x81"
+        "\xe0\x84\xd0\x92\xe9\x4f\x8d\xaa\xf1\xd4\x66\x3f\x15\x4f\xb7\xdf\x20"
+        "\x9d\xab\xb1\x50\xc4\x9e\xdc\xad\x99\x2c\xc2\xa2\xba\x79\x30\x0c\x30"
+        "\xb6\x9c\x2b\x6f\x9e\xb7\x92\x91\x7d\xad\x7c\x9d\x68\xf6\x00\xcc\xbf"
+        "\x65\x80\xdb\xeb\x97\xaa\x3a\xeb\x05\xc7\x89\x74\x12\x8d\xe5\xb0\x2d"
+        "\x01\x92\xc4\x4b\xeb\x89\x79\x53\xe7\x8d\x82\x9b\x7d\x1e\x8d\x2b\x14"
+        "\x82\x80\x02\x1e\x5e\x8c\xa9\x3e\xee\x27\x7d\x8a\xca\x5c\x4a\x47\x8f"
+        "\xf3\xc5\xef\x4b\xa4\xf3\x19\x18\x0d\xba\x4a\xd1\xfe\xff\x58\xd5\xa7"
+        "\xab\x48\xc4\x79\x67\xd1\x45\xd2\x33\x5a\x52\xfa\x0b\x5e\xef\xae\x98"
+        "\x7b\x51\x6a\x28\x30\xc0\xd8\x80\xc5\x09\x6b\xf5\xd2\xa6\x59\x34\x61"
+        "\xc9\x49\xd9\x27\x10\x16\xf7\xfd\x3f\x94\xfa\x1e\xcb\x3b\x15\x7c\x57"
+        "\x6d\xe5\xeb\x64\xaa\x42\x9b\x75\x44\xca\xe7\x4b\x2d\x3f\x91\xde\x2a"
+        "\x1a\x4e\x9d\xf0\xc5\xba\x9e\x04\x5f\x2a\x37\xc2\xe7\xb5\x8f\xeb\xe9"
+        "\xc9\x0e\xf1\xcc\xd9\xcb\xcd\x11\x80\x91\xcf\x99\x8d\xad\xbf\xc0\x37"
+        "\xdb\x37\x8d\xc7\xcd\x14\x6d\x14\xac\xc7\x0f\xc5\x2a\x77\x79\x8d\xd2"
+        "\x27\x59\x40\x32\xa2\x4a\xd4\xd0\xa4\xdc\xf5\xaf\x67\x80\x17\x22\xdc"
+        "\x0b\x67\xc5\x5a\xaf\xd9\xef\x11\xff\xe6\xec\xd4\x27\xf1\x47\x70\x56"
+        "\xbd\xb9\x41\x25\xcb\x3b\xdb\x1e\x49\xb2\x22\x6a\xfd\x51\xdf\x00\xc5"
+        "\x2a\x0f\x30\x77\xd9\x49\xf2\xe5\x6b\x38\xfb\xa0\x39\x8c\xec\xbd\x09"
+        "\xcc\x18\x60\x39\xae\x43\xcf\xc5\x1f\x9b\xc3\x86\xc4\x2a\xbe\xff\x0f"
+        "\xcc\x11\x5d\x27\xa4\xc4\xf3\x2b\xb3\xde\xbe\xaa\xf1\x8d\x98\xeb\x44"
+        "\xa8\x25\x3d\x48\x70\x70\xf0\xfa\xe1\x5d\x63\x03\xad\x1b\x0a\x21\x08"
+        "\x95\xaa\x17\xfa\x0e\x46\x8b\xe0\x01\x68\x83\x39\xb1\x92\x23\xae\x07"
+        "\xad\x30\xeb\xdd\x3f\x5a\x38\xee\x55\xa5\x12\xba\x83\xd4\x0d\x64\xdb"
+        "\xa1\x15\x72\x3f\xa8\x6d\x76\x2e\xee\x27\x68\x27\x74\xa9\xcc\x73\x7e"
+        "\xbb\x62\xa4\xfe\xe8\x04\x62\x12\xc4\x75\x8a\x30\xeb\xc2\x02\x8e\x3b"
+        "\xc1\x02\x4c\x55\x2b\x27\xbe\xaa\x13\x42\xf3\x96\x7c\x4a\x8e\x22\xbc"
+        "\x29\x67\x8c\xee\x6e\x75\xad\x4e\x18\x52\xfd\x8d\x85\x5f\x97\x3a\xa5"
+        "\xf9\x3f\xbd\x72\xf8\x19\x08\xd6\xfa\xf0\xe3\x02\xaf\xe9\xb0\x8b\x07"
+        "\x88\xbe\xc8\xb0\x1e\xed\x5b\x67\x0a\xc7\xc9\xb4\x20\x5e\xd8\x13\x2a"
+        "\xc1\xa6\x69\x37\x94\x44\xdb\x82\xe3\x1f\x67\xd6\x88\x03\x8f\xf1\xf5"
+        "\x2f\xd7\xd7\x63\x27\x9a\xbd\xe7\x56\x90\x91\xc2\xb9\xab\x22\xe1\xd7"
+        "\x1f\x1d\xde\x9f\xe9\xc1\xfd\xa8\x66\x4a\xec\xf1\x01\xfb\xc1\xf2\xd5"
+        "\xf1\x3f\xd3\x36\xda\x7e\x37\x94\x62\x43\x47\xf8\xb9\xfd\x6c\x31\xd4"
+        "\x0b\xd4\xd3\x97\x9a\xd0\x2b\x7d\xaa\xb0\x4c\xe3\x18\xa1\xc2\x96\x59"
+        "\x2d\x8c\xb5\x1c\x05\x38\x45\x91\x78\x61\x34\x9b\x4b\xcc\xad\x37\x72"
+        "\x10\x8f\x4f\xe0\xfd\xbc\xde\x3d\xaf\x18\x52\x3f\x8a\x75\x5d\x2a\xd4"
+        "\x93\x35\xcf\x2e\x1d\xd7\xb0\x05\x49\x99\x3d\x83\xa1\x59\xcd\x5b\xe5"
+        "\xa7\x71\x58\xb1\x26\xd0\xe8\x45\x59\x32\x75\xb3\xf0\x4d\xbe\x93\x4c"
+        "\xbf\x3f\xc1\x69\x8b\xbc\xf8\xa1\xe4\x56\x72\xd2\x1f\x04\xaf\xf9\xfc"
+        "\x85\xdb\x00\x77\x07\x32\xe1\x88\xbb\xd4\xd7\x95\x28\x06\x6d\x18\x5e"
+        "\x08\x34\xb5\x8b\x8b\x6b\x9f\xdf\x31\x51\xa1\x9f\xb3\x6c\xc5\x20\xec"
+        "\xc8\x6a\x40\x3a\x7c\xa9\xb2\x88\x07\x5d\x8a\x83\x8a\x42\x3a\xd9\xc7"
+        "\xaf\x42\x80\x99\xa8\xb8\x46\xac\x4d\x71\x27\xa4\x38\xcd\x23\x11\xa2"
+        "\x76\x3f\x12\xf1\xcd\x4b\x13\x14\x35\xea\x9e\x7b\x7e\x00\x54\xd8\xbb"
+        "\xc8\x60\x3f\x8e\xb9\x8a\xe3\x2e\x0d\x63\xfb\x2a\x7d\x69\x38\x00\x23"
+        "\x40\xb9\xa3\xa8\xcb\x8f\x62\xa7\xbd\xf9\x9b\xbe\x43\x6d\xef\xf4\x9b"
+        "\x38\xca\x4c\x1b\x2d\x0e\xe5\xea\x27\xe7\x6e\xbc\xdd\x07\x49\x13\xa7"
+        "\x91\xbd\x22\x3d\xc9\x20\x84\xe5\x5e\xf5\x36\xd6\xba\x10\xec\x8e\xcc"
+        "\xa0\xbf\x50\x53\xc8\xa9\x18\xc5\x42\x22\x03\x7f\xd4\xf1\x8b\x34\xfe"
+        "\xe9\x78\xe9\x80\x5f\xa9\x95\x56\xf5\x24\x3d\x1e\x0b\x71\xe2\xf4\x38"
+        "\xa3\x02\x5d\x5a\xf8\xfb\xe8\xac\x11\x90\x83\x10\xa6\xb2\x92\x08\xe7"
+        "\x4c\xff\xa0\x4f\xc7\xe9\x90\x06\x2e\xf6\x88\xa9\xfd\x43\xb6\x83\xf6"
+        "\x10\x6f\x53\x19\xe1\x40\x42\xad\x57\x29\x99\x02\xae\xb0\x89\x44\x34"
+        "\x2f\x99\x56\xc3\xea\x21\x71\x22\xd2\x45\xef\x7f\x80\x08\xae\xf8\x41"
+        "\x90\x8e\x05\xe1\x05\x4e\x42\xbd\xcb\xa3\x55\x81\x9e\x30\x61\xd7\x9d"
+        "\xc1\x79\x07\xb4\x55\xc5\xdc\xd3\x16\x53\xbf\x1b\x3e\x4e\x44\xb6\x89"
+        "\xce\xf8\x2f\x97\xe9\xee\x6e\x4d\xfb\x3b\x73\xaa\x34\x5e\x83\xbf\x2e"
+        "\x32\x53\x4b\x42\xa3\xff\xe2\x64\x1b\x2a\x0b\x92\x30\xba\x2e\x17\x19"
+        "\x21\xe8\x31\xd5\x3e\xbb\x73\xca\x80\x5b\xd6\x03\x45\x4d\x40\x63\xb9"
+        "\x0f\xed\x6d\x01\x18\x36\x72\x88\xbd\x01\x5d\x1d\x37\xe0\xa4\x52\xc1"
+        "\xc0\x2b\x73\x03\x03\x44\xbb\xce\xf1\x0f\xf2\x37\xeb\x80\xb6\x8d\x2b"
+        "\x4b\xfe\x64\xb7\xeb\xbe\x26\xdf\xf2\x4c\x1b\x57\xe8\xaa\xfa\xdd\x63"
+        "\x10\xe6\x19\x65\x6e\x2b\x9b\x6b\x49\xbe\x21\x13\xb6\x1d\xc4\xbc\x0c"
+        "\xc0\x9a\x94\x1c\x2d\xad\x23\x33\xce\x0e\x80\x3e\x5e\x79\xd8\x9c\xac"
+        "\xba\xfb\x26\x5a\x1a\x91\x5e\x38\x24\x1a\x35\x2e\x41\x7a\x5a\xc2\xc9"
+        "\x43\xc4\xfa\xcd\x9f\xc6\x7f\x1e\x5a\x85\x15\x33\x4e\xe2\x48\x45\x1b"
+        "\xd3\x61\xe9\xb3\xea\x8a\xbe\xa1\x57\x34\x72\x5b\x2f\xc4\x91\x31\xf1"
+        "\xa9\x49\xa8\x07\x9a\xb4\xdb\x92\x01\xef\xe9\x5d\x9b\x3c\x17\xed\x5d"
+        "\x74\x48\x04\xb6\x5c\x28\x39\xfb\xab\xc3\x5a\x6d\x0e\x82\x83\x21\xdf"
+        "\x05\x5b\x17\x01\x74\x36\x05\x8a\xc3\x94\xdc\x49\xac\x0d\xbe\xca\xfd"
+        "\x7a\xd5\x20\x7e\x42\x39\xea\x8d\x89\x79\xdb\xc8\x91\x2d\x80\x42\xd4"
+        "\x59\xa0\xb6\xb6\xcc\xa8\x05\x67\x49\x73\x7e\x94\xae\x73\x1d\x72\xd4"
+        "\x60\x7f\xfd\x79\x30\x26\x72\x10\xa6\xc8\x97\x59\x51\xa5\xb7\x35\xe6"
+        "\xff\x1b\x99\xa4\x75\x19\xb3\xd3\xb1\xda\xbd\x58\x52\x70\x7c\x97\xa2"
+        "\xd6\x19\x89\x16\x2b\xb0\x8d\x92\xce\x30\x54\xd3\x88\x21\x4e\xb7\x6a"
+        "\xec\xf0\x76\x29\xd5\xf0\xcc\x9b\x8f\x2b\x19\xbc\x25\x6c\x95\x30\xde"
+        "\x2c\x5f\x0a\xa4\x55\xa4\xe3\x6e\x3a\xb6\x2f\xde\xff\x56\xc1\xf1\x09"
+        "\xd4\xfe\x87\x6b\x15\x76\x42\xb1\x21\x2c\x25\xe2\x07\x2b\x2b\x93\x86"
+        "\x1c\x57\x92\x66\xd7\x96\xcf\xd4\x39\x6d\xd0\xc4\x8a\xf5\x2f\xb6\x89"
+        "\x57\xd4\xae\xc9\x07\xcc\x29\xa1\x33\x22\xe7\x3c\x07\xbe\xb9\x66\x55"
+        "\x37\x9d\x2a\x33\xbe\x16\xbc\xdb\xa2\x5c\x1b\x59\x6e\xfa\x1e\x03\x8e"
+        "\x58\xa6\x6c\xb7\xc6\x3b\x85\xc3\x8c\x49\x79\xb1\x6c\x18\x2f\x64\x72"
+        "\x2a\xb9\x4b\x11\x9b\x58\x47\x9b\xa9\xa0\x48\x19\xed\xed\xe6\xce\xfb"
+        "\x11\x2d\x2e\x06\xfc\xd0\x8a\x96\xa2\xee\x7e\xb5\xfe\x5b\x8d\x6a\xb5"
+        "\x07\x8c\x0d\x46\xd8\x60\xa7\x0d\xec\x36\xf8\x59\x56\x86\x6c\x04\x80"
+        "\x89\x9b\xb1\x0c\x26\xb1\x55\x11\xfb\xa6\x89\x15\xed\xaf\x6b\x18\xc3"
+        "\xf9\x63\x81\x32\x0f\xc6\x4a\x91\x40\x1c\x82\xc2\x14\x90\xce\xd0\x09"
+        "\xbd\xea\xa6\xe4\xac\x55\x51\x02\xab\x00\xf6\x74\xa4\x1d\xc7\x37\x54"
+        "\x14\xa2\x2d\x55\xa2\xc9\x29\x20\xc1\x30\x0d\xcc\x88\xea\xfc\x7b\x1f"
+        "\x07\x71\x3d\x6b\xea\x65\x98\x33\xdb\x5f\xd2\xfe\xe9\xe1\x76\x5d\x9d"
+        "\xf1\x18\xd7\x55\xb9\x81\x32\x2c\xc3\x30\x07\xf1\x94\x02\x28\x03\x0d"
+        "\x2f\xc8\xc4\x8c\x7d\x94\x0b\x0a\xe9\xd3\xe2\xa3\x8b\x1d\x9b\x2d\x19"
+        "\xcd\x9b\xad\x05\xe0\xc8\x4f\x17\xcd\xbe\x76\x5e\x11\x53\xa1\x04\x95"
+        "\x08\xb7\x62\xa2\x96\x21\x09\x72\x6c\x50\x44\x3f\x04\xf0\x5d\x00\xd2"
+        "\x42\x8f\x21\x13\xc2\xad\x99\x15\x22\x79\xd0\x8a\xd3\x77\x63\x30\xce"
+        "\xbf\xc9\x5c\x6b\xcb\x65\xe9\x60\x81\xd8\x75\xa9\xfc\x32\x32\xbc\x6a"
+        "\x9a\xf2\x6c\x1b\x43\xb1\x4e\xa7\x5b\x58\xe9\x46\xa5\x6d\x5f\xd5\xee"
+        "\x4d\x7e\x86\x5e\x04\xe1\x93\x6d\x6e\x86\x26\xdc\xc2\x52\x32\x94\xd3"
+        "\x9e\xc6\x24\x95\xd0\xbd\x6c\xfd\xb8\x6d\x5d\x54\xda\x87\x81\x03\xfc"
+        "\xa8\x34\x60\xfc\x15\x7d\x0f\xe9\x0f\x7b\x8b\x2a\x6f\xf9\x81\xe8\x85"
+        "\x46\x65\xc4\x31\x60\x0e\x8e\xe8\x88\x46\xf9\xc1\x9c\x1b\x80\x39\xa3"
+        "\x46\x09\xb9\x0b\x91\x3b\xe5\xa3\xf3\x44\xeb\xa5\xe8\x4e\x98\x1f\x02"
+        "\x4d\xb7\x05\xd9\x66\x82\x22\x7a\x55\xd1\x4d\x73\x6c\x5d\x38\xd5\x6a"
+        "\xbe\x99\x7c\xa8\xd4\x96\xb3\xed\x3f\xc2\xed\x54\xe8\xec\x21\x7e\x93"
+        "\x7c\x4d\x9d\xd8\x19\xfd\x37\x37\xa3\x45\x51\xec\xd1\xe4\x02\xfd\xef"
+        "\x55\x0d\xfb\x01\x00\xc7\xaf\x45\x41\x99\x2a\xd0\x79\xbe\x01\xf5\xa0"
+        "\xd7\xdb\xa6\x61\xcf\x94\x49\xc4\x5a\x44\x72\xdb\x4b\x34\xb8\xde\xcf"
+        "\xb5\x34\x2f\x0d\x00\xfb\x28\xba\x7e\x06\x46\xb6\x03\x0a\x1b\x15\x5d"
+        "\x40\x40\xab\x54\xce\x77\x21\xa0\xbd\x84\xf3\x5d\x5d\x2d\xec\x46\x79"
+        "\xae\xbc\x8b\x14\x7c\x53\x7a\x5b\xe3\xe8\xe8\xe7\x15\x1e\x7a\x73\x2c"
+        "\x83\xd0\x22\xef\x43\x16\x81\x22\x37\x70\x31\x3b\x76\xc4\xee\x8d\x06"
+        "\xbe\x8b\x64\xeb\x97\xe5\x21\x0e\xcc\x17\x08\x53\xd5\x5c\x3d\xd6\x11"
+        "\x0f\x7d\x60\xa7\xd2\x72\x90\x4d\xfe\x1d\x49\xf3\x1b\xa3\xf4\xcb\xea"
+        "\x65\x8f\x2f\xa8\x8b\x2a\xc4\x9b\x99\x99\x19\xad\xf8\x19\xe5\x99\x6b"
+        "\x69\x6d\x9a\x5d\x02\xa0\x81\xf6\xf3\xe7\x23\xe6\xab\xae\x35\x4b\x0b"
+        "\xc8\xd2\xd6\x94\x1f\xfd\xba\x16\xa8\xc9\xe2\xe1\x61\x0d\x24\xb5\xa6"
+        "\x9c\x02\x41\x67\x8e\x7c\x67\xfd\xe3\xa6\x4a\x87\x19\x43\x87\x38\xff"
+        "\xdf\xcb\xcd\x45\x55\x0b\xed\x51\xbc\x23\xa9\x5e\xcf\xa1\x9a\xaa\xba"
+        "\x5b\x94\x52\xae\x7a\xae\x9c\x0f\x68\x3c\xa0\x49\x85\x9a\x8b\x3f\xd2"
+        "\x3b\x48\x2f\x1f\x96\x52\x4b\xb1\x48\xcc\x2d\xa2\x5c\x75\xf9\x67\x56"
+        "\xf4\x24\x5b\x8a\x0e\x11\x56\x8e\xbd\x0f\x49\xd2\x76\x6c\x96\x0e\x23"
+        "\xa1\xab\x1e\xf6\xa8\x89\xdc\x9c\xf4\xac\xb2\xed\xc9\xdc\x40\x33\x04"
+        "\x67\x21\x6d\xe7\x7d\x51\x57\x5d\x54\x29\x14\x7c\x99\x35\xda\x9c\x8b"
+        "\x25\x07\x37\xda\x0d\xf7\x70\xcd\xd8\x46\x3d\x9a\xca\xa5\x37\x70\xb7"
+        "\x26\x69\x60\x6d\x84\xdb\x43\xaa\x8b\xb9\xff\x13\x65\xce\x6b\x57\x30"
+        "\xde\x46\xf0\x66\x74\x4f\x52\x63\x3c\x59\x46\x85\xd9\x2e\xf5\xcf\x2d"
+        "\xad\xb5\xfc\xe6\x20\x4a\x07\x15\x24\x5f\x73\x3e\x6a\x3f\x88\x7a\x0a"
+        "\x9a\xca\x96\x4d\xbf\x79\x88\xad\x2c\x68\x44\x22\x21\x71\x09\x43\xb6"
+        "\xda\x5e\x95\x2e\x65\x49\xd0\xa1\xa1\x9f\x21\xde\xfc\xd3\x06\x97\x61"
+        "\x0b\x6e\x01\x9b\xf8\xd0\x69\xc8\x8b\xf6\x9a\xec\xef\x88\x3b\xf8\x5b"
+        "\x19\x03\x83\xbc\xd7\xd3\x2a\x54\x6e\x57\x18\xf2\xa6\x75\x0b\xa1\x16"
+        "\x70\xb2\x32\x57\x6c\x95\xa6\xb6\x49\xda\x85\x4c\x7b\x54\x79\x3f\xf8"
+        "\x57\xea\xaa\x9c\xbf\x77\xc2\x0c\x6a\x43\x7c\x38\xd4\x97\xc9\xe5\x3d"
+        "\xe1\x72\x39\x3b\xcb\x7c\xe8\xaf\xa4\xee\xb7\x7c\xfc\x95\xc6\x2f\x7a"
+        "\x77\xc7\x92\x0b\x1b\xd7\x03\x76\x96\xea\x40\x9d\xf2\xba\xfb\x88\x55"
+        "\x4f\x4b\x32\x3f\x9a\x21\x7d\xbb\xab\xca\xb4\xb2\xe9\xc1\x3a\x2b\xc8"
+        "\x65\x83\x0d\xe3\xd1\x08\xd2\xf3\xa9\x3e\x49\xec\x18\x7f\x25\xa1\xa0"
+        "\x5f\x86\x4f\x12\x3b\x94\x2e\xc5\xeb\x8d\xcc\xb5\x3a\x80\xe1\x19\x9a"
+        "\x86\x8a\x9c\xc3\xb9\xcb\xc4\xc4\xbb\x8d\xff\x7f\x3a\x32\xb2\x82\x71"
+        "\x21\xd9\xf4\x77\x9d\xfb\x4b\x59\xb9\xf9\xc4\xd1\x17\x17\x43\x10\x89"
+        "\xb5\x5d\xa1\x04\xb2\xd6\xc8\x14\x8f\x8d\xb7\xee\x68\x72\xc9\x6d\x57"
+        "\xf7\x8d\x8c\x31\x00\x9e\x1f\xcb\x21\x3e\x4e\xe7\x5c\xb5\xd5\x56\x9f"
+        "\xc2\xf7\x79\x57\x2a\x92\x26\x52\x49\xdc\x3e\x43\xf4\x9f\x6e\x96\x7a"
+        "\x06\xc3\x84\x14\x54\x05\x2f\x8b\xb8\x48\x7d\xa1\x62\x61\x1d\x5d\x11"
+        "\x2e\xfc\xfe\x52\xb2\x59\xa6\x2e\xcf\x8d\xe5\x9a\x8d\xb8\x5e\x1a\x14"
+        "\xb5\x85\xc9\xe5\x83\xe0\xb7\x7f\xe6\x05\x6a\xc6\x6f\xbf\xaa\x2b\x3b"
+        "\x71\x9a\x25\xba\x2d\x08\x0e\xa1\x18\x5d\xe4\x1e\xb1\x32\xda\xf7\x38"
+        "\xfc\x92\xc1\xff\x6f\x75\xe9\x7c\x13\x87\xb0\x97\x5c\xf8\xb5\x20\x12"
+        "\x6b\xe8\x38\xa8\xba\x09\x6b\xde\xb0\x5e\x0e\x67\x9e\x63\xc6\x71\x71"
+        "\x67\xa5\x0d\xd2\xd5\xe5\x29\xe1\xc8\x89\x87\x23\xe6\x6a\x30\x24\x32"
+        "\x1a\xf9\xbe\x86\xf3\x3f\xbd\xae\x25\xcb\x35\x4b\x65\xc4\x90\x8f\xa8"
+        "\x53\x09\x62\xda\x08\x7c\x03\xdf\xc8\xcf\x7f\x5b\x4f\xeb\x02\xa1\xb9"
+        "\x44\xcc\x81\xf0\x89\x1b\x8f\xec\x37\x31\x77\x48\xcc\xe4\x4d\x6b\xf6"
+        "\xab\x4c\xd8\x0b\x35\xe4\xf3\xfd\x67\x85\x37\x87\x10\xcf\xd3\x8f\x93"
+        "\x49\x23\x99\x04\xff\x59\x15\x4a\x5e\x47\xcd\xd1\xbb\x83\x62\xd2\x19"
+        "\xc3\x6d\x8b\x3c\x43\xca\x9d\xa7\xce\xb3\x61\x1b\xc6\x3b\x72\xce\x1f"
+        "\x9a\x0b\xec\x5f\x14\xfb\xa8\x3f\x81\x25\x9c\xdb\x8f\x14\x90\xc0\x15"
+        "\xe1\xd4\x2a\x80\xde\xb3\x8b\xe8\xa8\x62\x71\x53\x4f\x7e\x22\xbc\xd4"
+        "\xf0\x1a\x54\xce\x80\x3f\x0f\xbf\x88\x24\x79\xca\x69\xfb\xd7\x49\xa4"
+        "\x71\x76\x91\x5c\x5b\x92\xa0\xfa\x31\xef\xb8\x35\xc8\xcc\xc1\x8a\xe2"
+        "\xed\x72\xa6\x8a\x0c\xb1\x6c\x0b\xfd\x3a\xe5\x16\x79\xd4\xa8\xc5\x8f"
+        "\x63\x07\xe9\x06\x3e\xca\x65\x91\xad\xdc\xd5\x97\x73\x25\xbc\x90\x4b"
+        "\x86\x79\xb0\x49\x1a\xa1\x47\x79\xe0\xa1\xd7\xef\xb9\x7c\xc8\x28\xb6"
+        "\xb2\x84\x40\xee\x67\xb3\x97\x0a\xee\x1c\xca\x67\x71\xba\x8d\xe3\x86"
+        "\x5b\x3c\x89\xd9\x47\xdb\xe8\x67\xb2\xb6\xf6\x6f\x72\x0c\x65\x62\x69"
+        "\x41\xd0\x6d\x99\xc9\x6f\xd1\x19\x69\x04\x81\xe3\x3d\xe9\xee\xec\xfb"
+        "\x05\x45\x4d\x2d\xdd\x0b\x32\x64\x24\x30\x6d\x4c\xbc\x18\xf7\xe8\xfb"
+        "\x3e\xf9\xc0\xab\xb4\x8e\xc9\x7e\x33\x42\x0f\x78\xb3\x3a\x96\x9f\x60"
+        "\x31\x07\xd9\xeb\x34\x06\x54\x63\x83\x00\x17\xb4\x29\x3e\x1d\x88\x37"
+        "\x72\x94\xfc\x7c\xfa\xec\x61\xef\x93\x2d\xb5\xb1\xff\xd8\x62\xdf\xab"
+        "\x6b\x4c\x9a\x2f\xee\x3f\xf6\x07\x04\x59\xd0\x23\x21\x06\xb5\xa1",
+        4096));
+    NONFAILING(memcpy(
+        (void*)0x20001600,
+        "\x28\x37\x06\xf8\x7d\x87\x69\x09\xdf\x2a\x80\x49\x48\x56\x9f\x27\x6d"
+        "\xff\x95\x9e\x5d\xe8\xc1\xbe\xa6\xc6\x3c\x3b\x16\x63\xa2\xfc\xa9\x0f"
+        "\x99\x15\x0d\xaa\x68\xc6\x69\x8a\x7b\x0c\xda\xd9\x1a\xe5\x75\x9f\xb5"
+        "\xde\x10\x5c\x7f\xbe\x4a\xf2\x3b\xa7\xea\xeb\x43\xef\x4e\xe6\x9f\xbd"
+        "\xcf\x4a\x56\x1f\x64\xb7\x12\x75\xff\x42\xea\x26\x6d\xc6\x3c\xb9\xb5"
+        "\x86\x35\x17\xc3\xa0\xd5\x7d\xc7\xa7\x3d\x0e\x07\x60\xda\xc6\x2e\x82"
+        "\xd3\x0b\x44\x8d\xb2\xc1\x46\x82\x32\x75\x59\x6a\x9e\x13\xbb\xde\xac"
+        "\xcb\xfa\x26\x59\xe4\x3b\x19\x4f\x37\x52\xf5\x7d\x01\xdd\x7c\xbc\xe2"
+        "\x10\xf8\x36\xe5\x55\xfa\x6b\x0b\x7a\xdc\x95\x6e\xb9\xe0\x95\xdf\x01"
+        "\x6a\x59\x67\x2d\x76\x75\x20\x11\xd1\x0a\x25\xf8\xd6\x4a\xe6\x49\xf9"
+        "\x4f\x54\x9f\x33\x35\x41\xd8\x14\x2f\xbd\x54\xd7\x0f\xa9\x1a\x04\x14"
+        "\xe7\x66\x8a\xc2\x2a\xe3\x97\xfe\x28\xa5\x48\x4e\xda\xf6\x57\x70\x27"
+        "\x76\xd3\x32\x65\x25\x26\x76\xe8\x62\x21\xe3\x9b\x72\x3e\x59\x6a\x9c"
+        "\xe6\x89\x4a\x42\x6d\xf2\xc6\x4a\x71\x88\x1b\xcf\x4c\xf0\x5e\x1d\x9c"
+        "\x75\xc5\x05\x82\x10\x48\x5a\xc3\x51\xe7\xcc\xf8\x96\xe8\xd2\xeb\x29"
+        "\xfb\xbf\xfb\x23\x8b\x5c\xcb\x95\xe8\x79\x76\x2b\x68\x90\xaa\xe9\x3e"
+        "\x20\xf1\x07\x86\x54\xcc\x73\x6c\xaa\x98\x6f\x4d\xca\x39\xdf\xbb\xb6"
+        "\x59\x36\xc6\x15\xa6\xb4\xa5\x0c\x11\xbd\xe8\x87\xee\x6f\xd8\xe1\x9c"
+        "\x0d\x00\x9b\x45\x31\x78\x96\x3d\x1a\x0f\x55\xfd\x72\x1e\xe5\xcf\xb4"
+        "\x00\x3d\x57\x2a\x51\x7a\xcd\x54\x0d\xc0\xae\x59\xce\x2c\x92\xb1\x3d"
+        "\x65\x9e\xfe\xb8\x3a\x2a\xf3\x85\x43\x1f\xdd\xf6\x12\xcc\xda\x37\x62"
+        "\xf4\x07\x5b\xb4\x9e\x2f\xe9\x0e\x87\xbc\x1e\xe2\x31\xe0\xb8\x7a\xb9"
+        "\x6b\x7c\x6d\xb6\xe0\x01\x3f\x68\x3f\x06\x65\x74\xbf\x6d\x93\xfa\xed"
+        "\x6c\x54\x1e\x9f\x23\x4e\x36\xf0\x99\xdc\xc4\x6b\x0e\x5e\x38\x0f\x5c"
+        "\xdc\x42\xe7\xef\x1a\x1d\xc6\x2d\x95\x5d\xc9\x07\x14\x44\xec\x47\x4c"
+        "\x0d\x67\x93\x4c\x44\xef\x49\xc8\xd7\x61\x6d\x2c\xe2\xdc\x89\xb0\xae"
+        "\x8a\xfd\x30\x75\xca\xa9\x66\x95\xa5\x7a\x43\xcd\x88\x59\xc3\xbb\x4c"
+        "\x8d\xc7\x07\x62\xb1\xe4\x60\x5f\x26\xde\x57\xcd\x8e\xc8\x5e\x0b\x08"
+        "\x32\x64\xf0\xfd\xcc\x97\xe1\x04\xcc\xe9\x7c\x1f\x25\x4c\x86\x35\x52"
+        "\x04\x98\x40\x40\xb2\xe0\xff\x2b\xac\xdb\xc9\xec\x3d\xe6\xb9\xcd\xee"
+        "\xb5\xde\xc9\x87\x65\x4d\x32\x49\xb0\x4d\xed\x12\x45\xc4\xc5\xde\x1d"
+        "\x8d\x1f\xf0\x68\x70\x47\x75\xc3\x7e\xe4\xb7\x70\xec\x14\x45\x38\xb3"
+        "\xbc\x54\x33\x16\xfe\x08\x07\x09\x0b\x0b\xca\x76\x26\xb6\x6e\xe6\x0f"
+        "\x19\xdd\x37\xdd\xca\xd0\xf3\xc3\x94\x49\x30\x7c\x84\x6b\x69\xc5\x43"
+        "\x8c\xa0\x2e\x51\xf6\x31\x50\xf8\x1c\xc6\x7a\xa1\x97\xa2\x0d\x25\xc6"
+        "\xbc\x05\x96\x28\x4d\x72\x80\x83\xf6\x79\xfc\xf0\x81\x06\x33\x8a\x2e"
+        "\xc4\xcf\xa7\xdd\xe2\xbb\x74\x3c\xdb\xe3\x46\x4a\xf5\xa8\x6a\x38\x1f"
+        "\x23\xb3\xae\x21\xf1\xd9\x46\x4d\xb1\x84\x66\x2e\x7c\x47\xee\x63\xe2"
+        "\x80\xd4\x06\xe9\xc2\xba\xda\x5a\x4e\xb5\xa6\x1b\x52\xd0\xca\x13\xb9"
+        "\x38\x5e\x8f\xc6\x8a\x0f\x91\x26\x3e\x80\x7b\x82\x3b\x59\xb4\x58\x73"
+        "\x14\xee\xb7\xe7\x31\x04\x44\x33\xf3\xd2\x16\x7f\x8e\x4a\x5b\xaf\xe7"
+        "\x21\x8b\x2e\x3b\x8a\x52\xf7\xaa\xa2\x9d\x8f\xf0\x00\xed\x21\x16\x62"
+        "\x70\xd0\x80\x63\xea\x24\x14\x05\xa8\x60\x58\xf0\x99\x82\x7f\x1d\xa0"
+        "\x87\xa6\x17\x3f\xb5\xa6\x61\x61\x3d\xa3\x9b\x3a\xde\x86\xfe\x43\x61"
+        "\x02\x9d\x6f\x6a\xd9\x62\x05\x9a\xe4\x61\xc9\x7e\x8a\x7e\xb4\xb4\xab"
+        "\xc8\x24\xa9\x12\x4b\xd7\xd9\xd5\x76\x92\x25\xc3\x3c\x91\x85\xec\x03"
+        "\x30\x8e\xf3\xf8\x45\xb9\x25\x42\xf2\xca\x52\x01\xf9\xac\x4f\x88\x08"
+        "\x01\x24\x1d\x18\x0e\xb9\x96\x4f\xb9\xd5\x55\xdf\xe6\xbf\x46\xaa\x5e"
+        "\xd9\x33\x3c\x96\x38\xe2\xa3\x7a\x48\x65\x75\x66\x5c\xb0\x00\xb0\x53"
+        "\x02\xe0\x27\xa9\x66\xe6\x9f\x3f\xb3\xf2\x66\xcd\xf2\x49\x70\xec\xd5"
+        "\x8b\xe7\x64\x80\x38\xc3\x29\xe7\xe1\xee\xb1\xa4\x9d\x56\x9d\x31\xb0"
+        "\x22\x87\x9a\x7f\xa1\xc3\x9e\xe8\x13\xa0\x63\x3a\x11\x73\x0d\xb9\xdf"
+        "\xfb\x38\x3b\x51\x75\x51\x08\x3f\x75\xbb\x9f\xfc\xa4\x2c\x6e\x80\xde"
+        "\xd4\xc9\xbf\xc0\xdf\xd9\x61\x34\xbc\x89\x65\x02\x3b\x7d\xe3\x33\x95"
+        "\x5b\x16\x11\x20\xf9\x18\xb8\x4d\x79\x34\x84\x5b\x1b\x8f\x27\xf4\x64"
+        "\x33\x05\xb3\x9c\x87\x39\x68\x60\x53\xd0\x31\xb9\xe7\xd9\x57\x6d\x93"
+        "\x9e\x07\x74\xfb\x07\x0e\xfa\x56\x00\xce\x09\x78\x74\x96\xa5\x0f\x4e"
+        "\x17\x0b\x99\xb6\xf8\xa8\x35\x28\x8a\x5b\x18\x48\x5b\x7d\x5a\xd7\xf7"
+        "\x64\xb0\x39\xbf\x6a\x4f\x98\xd4\x73\x3c\x5b\x46\x5c\xed\xa1\x1f\x40"
+        "\xee\xbe\x96\xb0\x1b\x79\x12\x6f\xbf\x76\xb2\xf8\x16\x20\x6e\xed\x5e"
+        "\x7f\xc8\xca\x05\xc8\xa2\x6a\x1a\xdf\xd0\xa9\x15\x8b\xf1\x12\x01\xf8"
+        "\x9a\x12\xed\x80\x73\xb9\x04\xbb\xb2\xff\x43\xd3\x4d\x39\xc2\xfa\xb7"
+        "\xad\x96\x24\x98\x73\x89\x87\xad\x9b\xb6\x85\x9f\x8e\xc1\xb3\xb1\x39"
+        "\xed\x61\x84\x44\xf7\x66\x87\x24\x17\x18\xe1\x5d\x11\x4b\xb0\x43\x77"
+        "\xf5\xba\x37\x08\x7f\xb5\x02\xc9\xc6\xcf\x9a\xc8\x6b\xf5\xf1\x41\x63"
+        "\x33\x01\x0c\xd4\x84\x30\xd3\xdc\x25\x6c\xc0\x55\x82\xd0\x12\xf8\x51"
+        "\x23\xbe\x30\x14\xce\x26\xd5\x6f\xac\xa7\xcc\xcf\x31\xbc\x47\x06\xa1"
+        "\xf8\x97\x4b\x18\x64\x58\x33\x8a\xfd\x58\xd8\x16\xf7\x65\xa6\x24\xb7"
+        "\xe7\x02\x41\x47\x5d\x3f\xc8\x2f\xf6\xe4\xa1\xaf\x16\x81\x63\x4c\x4b"
+        "\xaf\xc7\x8c\x54\x09\x10\x56\xe5\x9f\x25\x4e\xa9\x8e\xdc\xab\x34\x2a"
+        "\xc6\xac\x0f\x2d\xe6\x74\xb9\x4f\xef\x86\x59\x4a\x17\x20\x26\x50\x42"
+        "\xd6\xb4\x89\xa9\x16\x83\x2a\xea\x66\x86\x5b\x5f\x7e\xb6\x81\x34\x50"
+        "\x4e\x13\x43\x4f\xde\x4d\x59\xf0\xfe\x6a\x07\x29\x9b\x28\x44\xc7\x00"
+        "\x28\x5e\x58\x4b\x3a\x5e\xd7\xb1\x70\x79\xbe\xfa\xc9\x30\x83\x43\x9a"
+        "\xb2\x3f\x0a\x88\x75\x10\x6a\xeb\xa4\x3d\x4f\x15\x7e\xbb\x7d\x67\xa9"
+        "\x4f\x80\xe5\xd5\x30\x97\xfc\x4d\xc9\x74\xce\x26\x0c\x05\xd8\x56\x1f"
+        "\x63\xc3\xfc\xbe\xd8\xde\x22\xf8\x65\x3a\x80\x91\x37\x16\x1f\x4e\x8b"
+        "\x4a\x91\xbc\x90\x1e\x02\xa9\x05\xa8\xd3\x16\xa6\x44\x1e\xba\x25\xe4"
+        "\xdb\xc1\x9c\xcc\xf8\xcc\x79\x20\x30\x1a\xd3\x26\x26\x35\xd8\xf3\x67"
+        "\xe0\x4e\xc3\xc2\xe7\x93\xa0\x65\xab\x16\x5c\x42\x60\xae\xba\x1a\x1d"
+        "\xda\xfb\x55\x1c\x6a\x48\x33\x8c\x48\x7b\x84\x46\x90\x8f\x9f\x04\x8c"
+        "\x3a\x0c\xd6\x82\x67\xa9\xf3\x0f\x6e\xab\x58\xc3\x85\x11\xc3\x0b\x3d"
+        "\x0b\x48\x00\x22\xde\x21\x27\xcf\x1b\xfb\x2f\xd5\xd1\x56\xda\x60\x14"
+        "\x5b\x8e\xe7\x04\xee\xba\x38\x1a\x49\x43\x03\x36\xef\x2a\xa2\x3c\x5c"
+        "\x9a\x8b\x7c\x8a\xac\xd2\xa6\x25\xe0\xf6\x94\xf4\xb1\xf7\xa9\x0c\xb2"
+        "\x31\x4e\x07\x3f\x47\x6f\xdd\x48\x2f\x10\x12\x24\x35\x76\x41\x2c\x6d"
+        "\xed\xef\x94\xf0\x1c\x98\x18\x57\xa6\x8d\xb7\x0a\x6d\x9f\xba\xa5\xf1"
+        "\x05\x75\x9d\x9c\x49\x7a\xbd\x3b\x5d\x73\x3f\x3a\x5b\xb6\xf2\xd3\xaa"
+        "\xa1\x57\x52\xb9\x0b\x7e\x4a\xfe\x1d\x6d\xeb\xe6\xfd\x65\xe8\x05\xa7"
+        "\xda\x8a\x92\x15\xd4\xa0\x60\x13\x2f\x53\xac\x54\x56\xe0\x41\xa4\x3c"
+        "\xb2\x6b\x8c\x83\xbc\xf9\x6c\x86\x7a\xcc\x32\xb3\x49\x84\x6e\x1a\xee"
+        "\xe3\xb8\xe1\x38\xa5\x62\x50\xe3\x27\x20\xe1\x61\xc4\x13\x7a\xd3\x5d"
+        "\x2d\x5e\x1a\xfc\x8d\xe2\x56\x96\x8e\x0b\x4a\xcf\xa9\x42\xb0\xd6\x46"
+        "\x34\x80\xba\x46\xeb\x36\x4b\x05\x82\x02\xab\x0e\x0a\xf5\x58\x7a\x8f"
+        "\x34\x74\x95\x0f\x09\x54\x13\xd6\x0e\xd1\x39\x13\x15\xe5\xcb\x89\x0e"
+        "\xe0\xf2\xbe\x82\x38\x9a\x8b\xb7\x85\x1a\x03\xba\xc1\x29\x79\xc0\xe3"
+        "\xc0\x44\x15\x34\xed\x14\x5d\xbf\x7d\x5b\x7c\x7c\xe0\xa2\x7d\x20\x77"
+        "\x45\x3f\xc7\x89\x82\xaa\x7d\x41\x49\x31\xa5\x0f\x71\x1c\x35\x5c\x7f"
+        "\xc7\x92\xf6\x9b\xd9\x64\xc0\xb6\x90\xcf\xad\x69\xc2\x33\xdb\x1f\x57"
+        "\x7b\xe2\xb3\xfe\x1d\xd0\x18\x49\x65\xf9\x87\x7a\x2c\xaa\x62\xab\xbc"
+        "\x11\x9c\x54\x43\x5a\x47\x9a\x11\x1b\xd1\x38\xf7\x27\xb3\x03\x7d\x90"
+        "\xe3\x05\x2b\x2d\xac\x08\xc4\x60\x19\x42\x09\x63\x47\xf3\xa6\x55\xfa"
+        "\x93\xc3\x5f\x40\x98\xe9\x68\x4a\x14\xee\x93\x58\x02\x05\xea\xd3\x0a"
+        "\x4a\x39\xff\x9a\xf5\x22\x90\xb4\xa0\x03\x97\xf7\x21\x5d\xf8\x39\x30"
+        "\xea\x6a\x86\x48\x9d\xac\x2d\x60\x7f\x80\xba\x36\x95\xc5\xf1\x3c\x0e"
+        "\xb7\x31\x6f\x32\x3b\x23\x49\xef\xf0\xda\x87\xd7\x1a\x02\xef\x6f\x8b"
+        "\xb1\x6c\xba\x7c\x09\x16\x44\x83\xa6\xa0\x1c\x74\x8a\xfd\x0d\x18\x31"
+        "\x71\x0d\xa2\x47\xbe\x01\xc2\xce\x9a\xa8\x55\x31\xb0\xd7\x56\xc9\xb2"
+        "\xab\x87\x4e\x19\x67\x94\x0b\xf2\xbe\xd3\xd3\x4b\xf7\x07\x9b\xfb\x11"
+        "\xa4\x0b\x31\x2b\xbf\xaa\x31\x15\x35\x05\x46\x46\xc1\x49\x00\xe0\xef"
+        "\xa0\x9f\x5f\x39\x4d\x58\x69\x92\x92\x8c\x38\xe3\x63\x95\xca\xa1\xba"
+        "\xa6\xdc\x3f\x87\xf6\x07\xc0\x97\xbc\x5e\x70\x22\x1d\x85\x25\x38\x98"
+        "\xc1\xe2\x3c\x7b\x6e\x6e\xa5\x95\xd6\x9d\xa9\x08\xc7\x72\x5e\x0d\x3e"
+        "\x7a\xef\x44\x6f\x5c\x99\x51\xc2\x5f\x04\x56\x89\xeb\x32\xb8\x02\x55"
+        "\x4b\x40\xb3\x26\xb6\xac\x8a\xe6\xec\x69\xc2\x14\x49\x11\xf6\x9d\x06"
+        "\xeb\x1b\x47\x5e\x14\x79\x12\x78\xf8\x20\x14\xa5\x55\x27\xff\x7e\x15"
+        "\x04\x45\x28\x9d\xbe\xde\x8d\x2a\xa1\xba\xd5\xc5\x32\x34\x8a\x86\xe5"
+        "\x3a\xd6\x14\x99\xd8\x04\xcc\x4a\x72\xdd\x4d\x47\x6f\x90\xf4\xc9\x34"
+        "\x1b\xbb\x92\x7a\x3b\xc7\xbe\x3a\xa0\xee\x4e\xa8\xb4\x90\xec\xef\xc2"
+        "\xc4\x82\x53\x49\xde\xf8\x59\x80\xdf\x42\x40\xf4\x91\xac\xda\x83\xe6"
+        "\x02\x91\x90\x66\x3f\x31\xa1\xde\x57\x29\x8d\x6d\x68\xe3\xcc\x31\x84"
+        "\x7e\x95\x7a\x9f\x43\x4d\x48\x7e\x65\x31\x07\xf4\xc5\x0a\x97\xe0\x8c"
+        "\x24\xc9\xc3\x61\x09\xc1\x20\xb1\x23\x61\x46\x0d\x7a\xff\x9a\xaa\x62"
+        "\xab\x2f\x48\x00\xbb\xfd\x3b\x1d\x85\x8c\x7b\x00\xd3\x07\x2a\x0f\xd5"
+        "\x30\xf5\x85\x6b\x86\x53\x7a\x09\x57\xa6\xd8\x7a\x25\x81\x99\xb0\xd0"
+        "\xb1\x05\x1f\x60\x7e\x6c\xff\x88\xf5\x77\xaa\x83\xf8\x2c\xd6\x84\x9d"
+        "\xe9\x0c\x25\xda\x05\x80\x0c\xb2\x16\x01\xa6\x26\xc6\x1b\x77\x02\x46"
+        "\x1c\xf6\xc0\x66\xa8\xd7\x69\x85\xab\x36\x31\xce\x50\x7b\x9f\x22\xc5"
+        "\x7a\x18\x78\xcb\x86\xb9\x3d\x4e\xd8\x86\x74\xf0\x3c\x47\x2d\xa5\xf9"
+        "\x75\xc6\xf4\xc6\x72\x08\xa8\x5b\xb7\xb8\x7e\xe6\xbe\x60\xc8\xc8\x0b"
+        "\xa9\x5e\x17\xc2\xf7\xef\xc0\xa0\xcc\xb8\xf3\xd1\xf4\x3b\xcf\x79\xd6"
+        "\xa1\x76\xd2\xcd\x79\x18\x34\xd4\xa1\x71\xe1\xf8\x65\x99\x3d\x33\x6c"
+        "\x2a\x62\x04\xa6\xf8\x3b\x5b\x6e\xcd\x1e\xda\x4d\x0a\x72\xfb\x13\x08"
+        "\x8f\xb7\x17\x5e\xca\x7d\x14\x3d\x66\xa7\x39\xcd\x0e\x02\x87\x90\xa2"
+        "\x98\xdb\x72\x23\x49\xe8\x30\x81\x6d\x7b\x0e\xa6\x23\x96\x44\xeb\x0c"
+        "\x92\xdc\xcb\xb9\x43\x66\x73\x85\x2b\x41\xed\xfc\x05\x2e\x01\x1d\xdd"
+        "\x2e\x9d\xa3\xab\x38\x77\x29\xc9\x91\x5b\xa7\x1d\x50\x6d\x0e\xf9\xdd"
+        "\x8c\x43\xf6\x93\xe1\x4d\xb0\x90\x72\x0c\x86\x01\x88\x88\x69\xd7\x79"
+        "\x75\x8c\x13\xd7\x4f\x9d\x1a\x22\xb6\x0d\x35\x51\x58\xb3\xff\x35\x9f"
+        "\x84\x3c\xe4\xe9\x04\x53\xf4\x5d\x7b\x7d\xc6\xab\xeb\x3e\x8e\x73\xac"
+        "\x81\x5d\x56\x05\xec\x40\x89\x0f\xcf\x49\xe3\xe7\x32\x57\xf1\xcc\xec"
+        "\xf4\xfb\xf5\x0f\x3b\x06\x44\x19\x8a\xe5\xe7\x35\x34\x65\xe6\x52\x8e"
+        "\xb3\x2d\x90\xcb\x7b\x21\xf4\x97\xaf\x24\x19\xd7\x98\xd4\xbe\xbe\xc0"
+        "\x48\xdf\xc5\x5b\x0e\xfd\x09\x1a\x5d\x01\x00\xe4\x79\xd8\xca\xb8\x8a"
+        "\x5a\x86\x0b\x37\x9f\x5a\x04\x34\x55\x73\x82\x85\x94\x48\x79\x58\x65"
+        "\xa4\xa7\xdb\x2a\xcc\xb9\x4e\x69\xa5\xb7\x98\x6e\x87\x5d\xc0\x01\x15"
+        "\x64\x13\xf0\xa9\x4e\x30\xd2\x23\x35\x96\x59\xad\x77\xd1\x7a\x57\x6f"
+        "\xdd\x61\x0d\x8f\x2c\xea\x3b\x51\x59\xc7\xa9\x7a\xb9\x47\xd6\xb9\xa2"
+        "\xda\xcf\xf7\xdb\x44\xa2\x43\x22\xe1\x2b\x2c\x19\xc8\xfa\xb6\x6b\x6f"
+        "\xa2\xe1\x7a\x77\x62\x21\x07\x00\x6f\x1f\xa9\x8e\x18\x4f\xb5\xae\x46"
+        "\x4e\x23\xc2\x5e\x8c\x0c\xfc\x79\x92\x64\x19\x14\x91\x3f\xde\xa3\x00"
+        "\x86\xa5\x54\xc4\xd9\x58\x0b\xc8\xad\x2a\xc0\x03\x01\x4b\x57\x9f\xdc"
+        "\xbb\xbc\xc8\x44\x65\x0d\x3c\x5c\xfd\x1c\xe1\x8c\x58\x26\x82\xa8\xd2"
+        "\xe1\x58\x8d\x68\x71\x2f\x94\x20\x21\x66\xd5\xba\x1d\x43\x1a\xe4\x13"
+        "\x40\x34\xc6\xb3\xc6\x9e\x45\xce\xb3\xa3\xfd\xf7\x15\xda\x07\x48\x13"
+        "\x98\xdd\xbd\xc3\x2b\x44\x47\x86\x0a\x55\x01\xac\xae\x7c\xce\xf4\xb2"
+        "\xde\x23\x3c\xae\x2f\x79\xae\xf2\xf3\x9b\x7a\x68\x66\xc8\xd1\x90\x10"
+        "\x39\x3d\x79\x5b\x40\x42\xfb\x09\x24\x22\xc6\x73\x59\xfe\x29\x48\x5b"
+        "\x4f\xd3\xdf\xb3\x2d\xc2\x2f\x6f\x96\x4a\xcf\x7c\x83\xc7\x1d\xbe\x7a"
+        "\xbe\x83\xfc\x4b\xe8\x8a\xfd\xdc\x21\x87\x11\xd5\x14\x6f\x5e\x36\x3f"
+        "\xdd\xd4\x90\x63\xde\x78\xd4\x2a\xb6\xef\x24\x52\x36\x9a\x68\xda\xd7"
+        "\xd1\xa3\x2f\xd1\xa1\x76\x3d\x46\x95\x7b\x3b\x36\x57\x93\x82\x9a\x07"
+        "\x96\x70\xc5\x07\xaa\xf5\x56\x99\x3f\xad\x99\xa0\xca\x6e\x92\xe1\xff"
+        "\x47\x47\xe6\xb8\xc6\x5d\xb8\x8c\xcd\xf9\xea\x6f\xf4\xd2\xc0\xa1\x40"
+        "\x5c\x17\x1d\xcf\x61\xb9\x92\x80\x6a\x0f\xd0\x25\x8e\x8e\xef\x7d\xde"
+        "\x77\x4a\x3c\x31\x2f\xe0\x08\xc5\x60\x37\xe7\xb5\x38\x77\x66\x78\xa6"
+        "\x35\x0e\xc3\x8e\x16\x80\xde\xf1\xb5\x62\xdd\xef\xb5\x07\x11\xac\x1c"
+        "\x18\xba\x7a\xf6\x35\xbb\x50\x71\x61\xea\x5e\x2d\x2d\x64\x4f\xfd\x97"
+        "\x17\x16\x2b\x95\x63\x40\x5a\x47\xce\xf8\x2f\xea\x1c\x10\x3e\xe0\x73"
+        "\x50\xf6\x95\xf4\x0f\xaa\xfc\xa3\x22\xa8\xf6\x77\x53\xf9\xb5\x3e\x2d"
+        "\xfb\x71\xb5\x34\x2f\xd4\x44\x69\x64\xf7\x8e\x0a\x8a\xf1\xa6\xc1\x8c"
+        "\x79\x0b\x63\xe8\x05\x19\x41\x4d\xb4\x0b\x73\xde\xdb\x4b\x1f\x79\x2c"
+        "\x2a\x08\xec\xce\x09\xd6\x97\xfe\x5f\x02\x95\x57\xf4\xa9\xbe\x65\x72"
+        "\x5d\xea\xcd\xeb\x67\xc6\x44\x83\x91\x8d\xf9\x3f\xe8\xe6\x11\x00\x97"
+        "\xf8\x69\xf6\x96\xc1\x62\x13\x87\x22\x96\x7f\x6f\x00\xc0\xab\x06\xc2"
+        "\xcd\xb3\xe0\x78\xc9\xae\x35\xe8\x1a\xaf\xfa\xbe\x57\x72\xc5\x64\x22"
+        "\x80\x67\xe4\x5f\xac\xc2\x5f\x07\x81\xa7\xbc\x10\x47\x31\x8f\x77\x15"
+        "\xdd\x15\xbd\xba\xb6\x88\xac\x72\xab\x7c\xcd\xc9\xe9\x85\x24\x4e\x16"
+        "\x29\x8a\x07\x75\x2c\xc4\xcd\xef\x6e\xfd\x6b\x5a\xe8\xaa\x34\xed\xef"
+        "\xfc\x50\x61\x44\xba\xc7\x42\x32\x65\x98\xb1\x74\xc9\x7b\xdd\xf8\x41"
+        "\x9a\x60\x4c\x73\x43\xe4\x3e\x27\xc9\xe3\x68\x35\xca\x36\x6a\x19\x49"
+        "\x97\xc5\xb4\xe2\xe9\xc8\x4e\x8f\x23\x20\x39\xfd\x19\x4b\x68\x10\xc6"
+        "\xd6\x08\x32\xf9\x25\x6f\x2d\x55\xc3\x2f\xb9\x4d\xcd\x17\x15\xa1\xd8"
+        "\x06\x54\x0c\xd3\xbd\xdf\x35\x0a\xb9\x37\xa4\x00\x07\xfd\x5b\x2b\x42"
+        "\x3a\x5a\x39\x0c\xc1\x90\x59\x23\x42\x85\x64\x9e\x8c\xfd\x8a\xb6\x42"
+        "\x95\x58\xf6\x05\x13\xb9\x39\x15\xf2\xd8\x57\x3d\xc6\x77\xbb\x13\xcb"
+        "\x3a\xf8\xeb\x48\x99\x48\xe9\xd5\xa8\x43\x9a\x8e\x91\x2f\x46\x6a\x9b"
+        "\xe4\x85\xd4\x10\x12\xc6\x1d\x42\x98\x0b\xaa\x4f\x9a\x97\x14\x64\xdf"
+        "\x3a\x67\x65\xe9\xea\xeb\x63\xef\x24\xe1\xaa\x68\x39\x4c\x37\x26\xd6"
+        "\xa1\xf2\x0a\xef\x52\x3d\x81\x61\xc6\xac\x72\x0d\x80\x1d\xad\xc5\xc7"
+        "\x36\x3e\x37\xaa\x39\xbe\x59\x29\x62\x2a\xdf\x93\x07\xde\x7d\x6f\x32"
+        "\x07\x15\x39\xeb\xcd\xca\x5b\xe4\x65\xe8\xa4\xad\x9d\x7a\xaf\x73\x93"
+        "\x9b\x2e\x59\xd7\xfb\x27\x2a\xc6\xcf\x53\x38\xcc\x49\x84\xab\xea\xb7"
+        "\x58\xd9\x1f\xe1\xdc\x7d\xfc\x06\x70\xd5\xc5\x29\x19\xbd\x64\xd7\x7b"
+        "\xd8\x58\xfa\x9e\xc0\xfc\x40\x50\xb6\x8b\xbc\xe6\x18\x6b\xa7\x7f\xd6"
+        "\x7a\xfa\x2d\x82\xcb\xcb\x9d\x57\xa1\xc3\xce\xf0\x52\x9e\x0c\x41\xd7"
+        "\xb9\x6e\x8b\x02\x62\x68\x37\x75\xc1\x31\xbd\x3f\x07\x6d\x65\x3b\xbb"
+        "\xc0\xd5\x0c\x49\x5d\x25\xfe\xa6\x23\xa5\xba\x40\x93\x89\x11\x70\xba"
+        "\xbc\x2d\xa2\x71\xa6\xbe\x0f\xf8\xc4\x55\x10\xb8\x94\x14\xfe\xce\x67"
+        "\x36\xbf\xe1\xda\xcd\xa8\x4f\x2a\xdc\x79\xd9\xe4\x5c\x1f\x1a\x2b\x8d"
+        "\xfb\xcd\xda\xa3\x1c\x92\xb5\xe8\xb1\x31\x02\x42\x16\xd7\x3a\xbc\xe5"
+        "\x23\x9d\x1e\x56\x3c\xfa\x6f\x72\x8c\x59\x50\xfd\x73\xd5\x3a\x4a\x2a"
+        "\x4b\x18\xea\xa0\xaa\x77\x38\x9f\xdd\xba\xef\xb7\xa7\x4b\xa9\x3d\xa0"
+        "\x56\x35\xf6\x35\xfb\x70\xf4\x4a\xa6\xe8\x09\x42\x66\xb0\xc2\xa9\xc8"
+        "\x1f\x95\xaf\x34\xe2\x19\xd5\x80\xff\x63\xc2\x1e\xb8\x30\xe2\x2b\x36"
+        "\x81\x9d\x95\x2c\x98\x49\xb4\xd4\x5b\x7c\xea\xa0\x08\xf2\xd2\xe1\xf4"
+        "\x9c\x7a\xa8\x9c\xa1\xc8\xc9\xe3\x1b\x09\xeb\x6b\x0c\x13\x42\x65\x75"
+        "\x4b\x48\x62\xee\xf6\x41\xa8\x36\x30\x85\x62\xd1\xd7\xa5\x66\x7d\x7d"
+        "\x6a\x32\x2c\xb9\xda\x90\x7f\x1e\x6f\x8d\xb8\xaa\x29\x34\x52\x97\x52"
+        "\x7e\x9c\x5c\xb0\x6f\xd6\xbd\xe5\xec\x81\xd6\x5d\x22\x82\xb3\xfb\x99"
+        "\xdd\xec\xe0\x1c\x34\x40\x6b\x41\x10\x62\x91\x7f\xb3\xcb\x4c\x1f\x48"
+        "\x85\xaf\xe3\x47\x32\xc6\x8a\xf4\xc9\x67\x27\xf0\x70\xb9\x83\x6b\xee"
+        "\x99\x19\x76\x0c\xaa\x1e\x79\x7e\xa7\x51\xa8\xd3\x1d\x1d\x2b\x1f\xf2"
+        "\x44\x6d\x47\xb8\xc6\x2a\xef\xe7\x2b\x47\xf3\xd1\x69\x1e\x91\x87\x9d"
+        "\x7f\x89\x1c\x10\x6f\x12\x18\xf7\xa2\xf8\x43\x00\xb5\xe5\x75\x42\x89"
+        "\x2f\x78\xf2\x46\x72\x7e\x1c\x19\xa5\xba\x72\x1a\x7e\xbd\x6c\x8e\x6f"
+        "\x71\x39\xf4\xa4\x87\x84\xc7\x80\x1e\x1c\x4a\x4c\xda\xdc\x8b\x1c\xa5"
+        "\xae\x72\x2d\x41\x76\x76\xf8\x88\xbd\xf5\x69\x17\xd4\x7b\x07\x34\x70"
+        "\x99\x79\x6e\xad\xd0\x63\xc4\x05\xb7\xf3\x5b\xc8\xbe\xfb\x58\x7d\xfb"
+        "\x80\x8b\x3f\xaf\x6d\x9f\x71\xfb\x47\x02\x13\x4c\x7d\xc0\xea\xcf\x6a"
+        "\x58\x79\xb8\xf1\xb9\x46\xb8\x61\x7d\x8a\x19\x04\xb3\x10\x26\xe7\x3e"
+        "\xf0\xbb\xb3\x87\x05\xef\x86\x7b\x4b\x17\x8f\xb5\xda\x01\xde\x1a\x7b"
+        "\x3d\x86\x50\x50\xe0\x3c\x56\x5a\x13\x61\x73\x86\x4f\x92\xe7\x53\x78"
+        "\x3b\x68\x8a\xfb\xf9\xa1\x90\x42\xce\x44\xe9\x42\x0b\x3e\x0b\x50\x67"
+        "\x68\xcd\x22\x50\x9b\x84\xf9\xb9\x6b\xa6\xb4\x8f\x4c\x1b\x3e\x41\xea"
+        "\x8f\xff\xfe\x22\x5d\xe1\xe3\x3d\x02\x99\x46\x9d\x93\x60\xba\x5d\x35"
+        "\x58\x37\x15\x43\x47\x14\xd3\x73\x20\x8e\xd1\xc3\x86\xc9\x05\x37\xed"
+        "\x12\xe0\x94\x48\x30\xd7\x73\x27\x6f\x78\xdb\xbb\x8c\x9e\x13\x5b\x66"
+        "\x15\xc3\xdf\x45\x60\xe3\xeb\xc3\x03\x52\x3c\x60\x2c\xf6\x3c\x0c\xfc"
+        "\x70\x40\x73\xb7\x8d\x8b\x54\x08\xa4\x90\x1f\x6e\xa9\xc2\x18\x2f\x47"
+        "\x99\xbf\xda\xd3\x9c\x2c\xf8\x30\x63\x49\x77\x19\x7a\xb0\x12\xf8\x0e"
+        "\x55\xcc\xcf\x93\x09\x41\x6f\x6f\xb8\xb1\xfb\x49\xd4\xed\x48\x6f\xf0"
+        "\xd8\xa8\xaf\xb6\xd5\x45\xc4\xcf\xee\x84\x57\x06\x0d\xaf\xe9\xd5\x79"
+        "\xca\xac\x18\x50\xe6\x31\xb6\x8c\x12\xcf\x65\x24\xd3\x01\x1e\x79\xda"
+        "\x2e\xa9\x71\x32\x02\xe1\x1c\x59\x1a\xb5\xc2\xc3\xfe\x7d\xdc\x33\x4a"
+        "\xa3\xcf\xb5\x1b\x29\x47\x84\xce\x1b\x62\x2e\xa0\x47\x4a\x9b\x8d\xeb"
+        "\xfd\x0e\x61\x6a\x22\xbc\x89\xcf\x39\xb7\x46\xff\x28\x51\x2f\x7d\x24"
+        "\x39\x5f\x2d\x3f\xe1\x55\xec\xf9\x50\x86\x61\xb9\x01\xf2\xeb\x7e\xc4"
+        "\xf2\x76\x26\x2e\x0a\xcf\xf4\xfe\xa6\xbd\x9f\x14\xdd\x84\x88\x1c\x4e"
+        "\xe9\x2f\xb3\x31\xe3\x03\xe4\xf6\xf3\x90\xee\xb2\x62\xa1\xee\x3f\x33"
+        "\x81\x3e\x4e\x22\xb4\x5d\xa3\xb1\xe9\x4d\xd2\xea\x10\xea\xb1\x6b",
+        4096));
+    syscall(__NR_ioctl, r[2], 0x4080aebf, 0x20000580);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  install_segv_handler();
+  use_temporary_dir();
+  do_sandbox_none();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00b4f754d718dc7bf0a33828706f6428ff43016a.c b/syzkaller-repros/linux/00b4f754d718dc7bf0a33828706f6428ff43016a.c
new file mode 100644
index 0000000..89eea58
--- /dev/null
+++ b/syzkaller-repros/linux/00b4f754d718dc7bf0a33828706f6428ff43016a.c
@@ -0,0 +1,219 @@
+// WARNING in __get_user_pages
+// https://syzkaller.appspot.com/bug?id=00b4f754d718dc7bf0a33828706f6428ff43016a
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <endian.h>
+#include <pthread.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  if (pthread_create(&th, &attr, fn, arg))
+    exit(1);
+  pthread_attr_destroy(&attr);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void loop(void)
+{
+  int i, call, thread;
+  for (call = 0; call < 6; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+}
+
+uint64_t r[1] = {0x0};
+
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    *(uint64_t*)0x20000240 = 0;
+    *(uint64_t*)0x20000248 = 0;
+    *(uint64_t*)0x20000250 = 0;
+    *(uint64_t*)0x20000258 = 0;
+    *(uint64_t*)0x20000260 = 0x20000000001;
+    *(uint64_t*)0x20000268 = 0;
+    *(uint64_t*)0x20000270 = 0;
+    *(uint64_t*)0x20000278 = 0;
+    *(uint64_t*)0x20000100 = 0;
+    *(uint64_t*)0x20000108 = 0;
+    *(uint64_t*)0x20000110 = 0;
+    *(uint64_t*)0x20000118 = 0;
+    *(uint64_t*)0x20000120 = 0;
+    *(uint64_t*)0x20000128 = 0;
+    *(uint64_t*)0x20000130 = 0;
+    *(uint64_t*)0x20000138 = 0;
+    *(uint64_t*)0x20000180 = 0x1f;
+    *(uint64_t*)0x20000188 = 0;
+    *(uint64_t*)0x20000190 = 0;
+    *(uint64_t*)0x20000198 = 0;
+    *(uint64_t*)0x200001a0 = 0;
+    *(uint64_t*)0x200001a8 = 0;
+    *(uint64_t*)0x200001b0 = 0;
+    *(uint64_t*)0x200001b8 = 0;
+    *(uint64_t*)0x20000200 = 0;
+    *(uint64_t*)0x20000208 = 0;
+    syscall(__NR_select, 0x40, 0x20000240, 0x20000100, 0x20000180, 0x20000200);
+    break;
+  case 1:
+    syscall(__NR_mmap, 0x20000000, 0xb36000, 0, 0x80000008031, -1, 0);
+    break;
+  case 2:
+    syscall(__NR_clone, 0x2102001fff, 0, 0x9999999999999999, 0x20000000, -1);
+    break;
+  case 3:
+    res = syscall(__NR_getpid);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 4:
+    syscall(__NR_ptrace, 0x10, r[0]);
+    break;
+  case 5:
+    syscall(__NR_ptrace, 4, r[0], 0x200000c0, 0);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  use_temporary_dir();
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00c139b1a9e34248d66ad96841873572811714ad.c b/syzkaller-repros/linux/00c139b1a9e34248d66ad96841873572811714ad.c
new file mode 100644
index 0000000..e09723d
--- /dev/null
+++ b/syzkaller-repros/linux/00c139b1a9e34248d66ad96841873572811714ad.c
@@ -0,0 +1,1538 @@
+// memory leak in tls_init
+// https://syzkaller.appspot.com/bug?id=00c139b1a9e34248d66ad96841873572811714ad
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <sched.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/capability.h>
+#include <linux/futex.h>
+#include <linux/if_addr.h>
+#include <linux/if_ether.h>
+#include <linux/if_link.h>
+#include <linux/if_tun.h>
+#include <linux/in6.h>
+#include <linux/ip.h>
+#include <linux/neighbour.h>
+#include <linux/net.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/tcp.h>
+#include <linux/veth.h>
+
+unsigned long long procid;
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (pthread_create(&th, &attr, fn, arg) == 0) {
+      pthread_attr_destroy(&attr);
+      return;
+    }
+    if (errno == EAGAIN) {
+      usleep(50);
+      continue;
+    }
+    break;
+  }
+  exit(1);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static struct {
+  char* pos;
+  int nesting;
+  struct nlattr* nested[8];
+  char buf[1024];
+} nlmsg;
+
+static void netlink_init(int typ, int flags, const void* data, int size)
+{
+  memset(&nlmsg, 0, sizeof(nlmsg));
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_type = typ;
+  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+  memcpy(hdr + 1, data, size);
+  nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
+}
+
+static void netlink_attr(int typ, const void* data, int size)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_len = sizeof(*attr) + size;
+  attr->nla_type = typ;
+  memcpy(attr + 1, data, size);
+  nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
+}
+
+static void netlink_nest(int typ)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_type = typ;
+  nlmsg.pos += sizeof(*attr);
+  nlmsg.nested[nlmsg.nesting++] = attr;
+}
+
+static void netlink_done(void)
+{
+  struct nlattr* attr = nlmsg.nested[--nlmsg.nesting];
+  attr->nla_len = nlmsg.pos - (char*)attr;
+}
+
+static int netlink_send(int sock)
+{
+  if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
+    exit(1);
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
+  struct sockaddr_nl addr;
+  memset(&addr, 0, sizeof(addr));
+  addr.nl_family = AF_NETLINK;
+  unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
+                      (struct sockaddr*)&addr, sizeof(addr));
+  if (n != hdr->nlmsg_len)
+    exit(1);
+  n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
+  if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
+    exit(1);
+  if (hdr->nlmsg_type != NLMSG_ERROR)
+    exit(1);
+  return -((struct nlmsgerr*)(hdr + 1))->error;
+}
+
+static void netlink_add_device_impl(const char* type, const char* name)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
+  if (name)
+    netlink_attr(IFLA_IFNAME, name, strlen(name));
+  netlink_nest(IFLA_LINKINFO);
+  netlink_attr(IFLA_INFO_KIND, type, strlen(type));
+}
+
+static void netlink_add_device(int sock, const char* type, const char* name)
+{
+  netlink_add_device_impl(type, name);
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_add_veth(int sock, const char* name, const char* peer)
+{
+  netlink_add_device_impl("veth", name);
+  netlink_nest(IFLA_INFO_DATA);
+  netlink_nest(VETH_INFO_PEER);
+  nlmsg.pos += sizeof(struct ifinfomsg);
+  netlink_attr(IFLA_IFNAME, peer, strlen(peer));
+  netlink_done();
+  netlink_done();
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_add_hsr(int sock, const char* name, const char* slave1,
+                            const char* slave2)
+{
+  netlink_add_device_impl("hsr", name);
+  netlink_nest(IFLA_INFO_DATA);
+  int ifindex1 = if_nametoindex(slave1);
+  netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
+  int ifindex2 = if_nametoindex(slave2);
+  netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
+  netlink_done();
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_device_change(int sock, const char* name, bool up,
+                                  const char* master, const void* mac,
+                                  int macsize)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  if (up)
+    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
+  netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
+  netlink_attr(IFLA_IFNAME, name, strlen(name));
+  if (master) {
+    int ifindex = if_nametoindex(master);
+    netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
+  }
+  if (macsize)
+    netlink_attr(IFLA_ADDRESS, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int netlink_add_addr(int sock, const char* dev, const void* addr,
+                            int addrsize)
+{
+  struct ifaddrmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
+  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
+  hdr.ifa_index = if_nametoindex(dev);
+  netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
+  netlink_attr(IFA_LOCAL, addr, addrsize);
+  netlink_attr(IFA_ADDRESS, addr, addrsize);
+  return netlink_send(sock);
+}
+
+static void netlink_add_addr4(int sock, const char* dev, const char* addr)
+{
+  struct in_addr in_addr;
+  inet_pton(AF_INET, addr, &in_addr);
+  int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
+  (void)err;
+}
+
+static void netlink_add_addr6(int sock, const char* dev, const char* addr)
+{
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, addr, &in6_addr);
+  int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
+  (void)err;
+}
+
+static void netlink_add_neigh(int sock, const char* name, const void* addr,
+                              int addrsize, const void* mac, int macsize)
+{
+  struct ndmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ndm_ifindex = if_nametoindex(name);
+  hdr.ndm_state = NUD_PERMANENT;
+  netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
+  netlink_attr(NDA_DST, addr, addrsize);
+  netlink_attr(NDA_LLADDR, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define TUN_IFACE "syz_tun"
+
+#define LOCAL_MAC 0xaaaaaaaaaaaa
+#define REMOTE_MAC 0xaaaaaaaaaabb
+
+#define LOCAL_IPV4 "172.20.20.170"
+#define REMOTE_IPV4 "172.20.20.187"
+
+#define LOCAL_IPV6 "fe80::aa"
+#define REMOTE_IPV6 "fe80::bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(void)
+{
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+  const int kTunFd = 240;
+  if (dup2(tunfd, kTunFd) < 0)
+    exit(1);
+  close(tunfd);
+  tunfd = kTunFd;
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      exit(1);
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    exit(1);
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+  char sysctl[64];
+  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
+  write_file(sysctl, "0");
+  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
+  write_file(sysctl, "0");
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  netlink_add_addr4(sock, TUN_IFACE, LOCAL_IPV4);
+  netlink_add_addr6(sock, TUN_IFACE, LOCAL_IPV6);
+  uint64_t macaddr = REMOTE_MAC;
+  struct in_addr in_addr;
+  inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
+  netlink_add_neigh(sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr,
+                    ETH_ALEN);
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
+  netlink_add_neigh(sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr,
+                    ETH_ALEN);
+  macaddr = LOCAL_MAC;
+  netlink_device_change(sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN);
+  close(sock);
+}
+
+#define DEV_IPV4 "172.20.20.%d"
+#define DEV_IPV6 "fe80::%02x"
+#define DEV_MAC 0x00aaaaaaaaaa
+static void initialize_netdevices(void)
+{
+  char netdevsim[16];
+  sprintf(netdevsim, "netdevsim%d", (int)procid);
+  struct {
+    const char* type;
+    const char* dev;
+  } devtypes[] = {
+      {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
+      {"vcan", "vcan0"},           {"bond", "bond0"},
+      {"team", "team0"},           {"dummy", "dummy0"},
+      {"nlmon", "nlmon0"},         {"caif", "caif0"},
+      {"batadv", "batadv0"},       {"vxcan", "vxcan1"},
+      {"netdevsim", netdevsim},    {"veth", 0},
+  };
+  const char* devmasters[] = {"bridge", "bond", "team"};
+  struct {
+    const char* name;
+    int macsize;
+    bool noipv6;
+  } devices[] = {
+      {"lo", ETH_ALEN},
+      {"sit0", 0},
+      {"bridge0", ETH_ALEN},
+      {"vcan0", 0, true},
+      {"tunl0", 0},
+      {"gre0", 0},
+      {"gretap0", ETH_ALEN},
+      {"ip_vti0", 0},
+      {"ip6_vti0", 0},
+      {"ip6tnl0", 0},
+      {"ip6gre0", 0},
+      {"ip6gretap0", ETH_ALEN},
+      {"erspan0", ETH_ALEN},
+      {"bond0", ETH_ALEN},
+      {"veth0", ETH_ALEN},
+      {"veth1", ETH_ALEN},
+      {"team0", ETH_ALEN},
+      {"veth0_to_bridge", ETH_ALEN},
+      {"veth1_to_bridge", ETH_ALEN},
+      {"veth0_to_bond", ETH_ALEN},
+      {"veth1_to_bond", ETH_ALEN},
+      {"veth0_to_team", ETH_ALEN},
+      {"veth1_to_team", ETH_ALEN},
+      {"veth0_to_hsr", ETH_ALEN},
+      {"veth1_to_hsr", ETH_ALEN},
+      {"hsr0", 0},
+      {"dummy0", ETH_ALEN},
+      {"nlmon0", 0},
+      {"vxcan1", 0, true},
+      {"caif0", ETH_ALEN},
+      {"batadv0", ETH_ALEN},
+      {netdevsim, ETH_ALEN},
+  };
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  unsigned i;
+  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
+    netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
+  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
+    char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
+    sprintf(slave0, "%s_slave_0", devmasters[i]);
+    sprintf(veth0, "veth0_to_%s", devmasters[i]);
+    netlink_add_veth(sock, slave0, veth0);
+    sprintf(slave1, "%s_slave_1", devmasters[i]);
+    sprintf(veth1, "veth1_to_%s", devmasters[i]);
+    netlink_add_veth(sock, slave1, veth1);
+    sprintf(master, "%s0", devmasters[i]);
+    netlink_device_change(sock, slave0, false, master, 0, 0);
+    netlink_device_change(sock, slave1, false, master, 0, 0);
+  }
+  netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
+  netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
+  netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
+  netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
+  netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
+  netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
+  netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
+  for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
+    char addr[32];
+    sprintf(addr, DEV_IPV4, i + 10);
+    netlink_add_addr4(sock, devices[i].name, addr);
+    if (!devices[i].noipv6) {
+      sprintf(addr, DEV_IPV6, i + 10);
+      netlink_add_addr6(sock, devices[i].name, addr);
+    }
+    uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
+    netlink_device_change(sock, devices[i].name, true, 0, &macaddr,
+                          devices[i].macsize);
+  }
+  close(sock);
+}
+static void initialize_netdevices_init(void)
+{
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  struct {
+    const char* type;
+    int macsize;
+    bool noipv6;
+    bool noup;
+  } devtypes[] = {
+      {"nr", 7, true},
+      {"rose", 5, true, true},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
+    char dev[32], addr[32];
+    sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
+    sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
+    netlink_add_addr4(sock, dev, addr);
+    if (!devtypes[i].noipv6) {
+      sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
+      netlink_add_addr6(sock, dev, addr);
+    }
+    int macsize = devtypes[i].macsize;
+    uint64_t macaddr = 0xbbbbbb +
+                       ((unsigned long long)i << (8 * (macsize - 2))) +
+                       (procid << (8 * (macsize - 1)));
+    netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize);
+  }
+  close(sock);
+}
+
+static int read_tun(char* data, int size)
+{
+  if (tunfd < 0)
+    return -1;
+  int rv = read(tunfd, data, size);
+  if (rv < 0) {
+    if (errno == EAGAIN)
+      return -1;
+    if (errno == EBADFD)
+      return -1;
+    exit(1);
+  }
+  return rv;
+}
+
+static void flush_tun()
+{
+  char data[SYZ_TUN_MAX_PACKET_SIZE];
+  while (read_tun(&data[0], sizeof(data)) != -1) {
+  }
+}
+
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+  uint64_t pcnt, bcnt;
+};
+
+struct ipt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct ipt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct ipt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct ipt_table_desc {
+  const char* name;
+  struct ipt_getinfo info;
+  struct ipt_replace replace;
+};
+
+static struct ipt_table_desc ipv4_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+#define IPT_BASE_CTL 64
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+
+struct arpt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct arpt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+  const char* name;
+  struct arpt_getinfo info;
+  struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
+                                int family, int level)
+{
+  struct ipt_get_entries entries;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
+                           int family, int level)
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct ipt_get_entries entries;
+  struct ipt_getinfo info;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_arptables(void)
+{
+  struct arpt_get_entries entries;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_arptables()
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct arpt_get_entries entries;
+  struct arpt_getinfo info;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    } else {
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+#define NF_BR_NUMHOOKS 6
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN 32
+#define EBT_BASE_CTL 128
+#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
+#define EBT_SO_GET_INFO (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1)
+#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1)
+
+struct ebt_replace {
+  char name[EBT_TABLE_MAXNAMELEN];
+  unsigned int valid_hooks;
+  unsigned int nentries;
+  unsigned int entries_size;
+  struct ebt_entries* hook_entry[NF_BR_NUMHOOKS];
+  unsigned int num_counters;
+  struct ebt_counter* counters;
+  char* entries;
+};
+
+struct ebt_entries {
+  unsigned int distinguisher;
+  char name[EBT_CHAIN_MAXNAMELEN];
+  unsigned int counter_offset;
+  int policy;
+  unsigned int nentries;
+  char data[0] __attribute__((aligned(__alignof__(struct ebt_replace))));
+};
+
+struct ebt_table_desc {
+  const char* name;
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+static struct ebt_table_desc ebt_tables[] = {
+    {.name = "filter"},
+    {.name = "nat"},
+    {.name = "broute"},
+};
+
+static void checkpoint_ebtables(void)
+{
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
+                   &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->replace.entries_size > sizeof(table->entrytable))
+      exit(1);
+    table->replace.num_counters = 0;
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
+                   &optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void reset_ebtables()
+{
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+  socklen_t optlen;
+  unsigned i, j, h;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    if (table->replace.valid_hooks == 0)
+      continue;
+    memset(&replace, 0, sizeof(replace));
+    strcpy(replace.name, table->name);
+    optlen = sizeof(replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
+      exit(1);
+    replace.num_counters = 0;
+    table->replace.entries = 0;
+    for (h = 0; h < NF_BR_NUMHOOKS; h++)
+      table->replace.hook_entry[h] = 0;
+    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
+      memset(&entrytable, 0, sizeof(entrytable));
+      replace.entries = entrytable;
+      optlen = sizeof(replace) + replace.entries_size;
+      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
+        exit(1);
+      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
+        continue;
+    }
+    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
+      if (table->replace.valid_hooks & (1 << h)) {
+        table->replace.hook_entry[h] =
+            (struct ebt_entries*)table->entrytable + j;
+        j++;
+      }
+    }
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+  checkpoint_ebtables();
+  checkpoint_arptables();
+  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                      AF_INET, SOL_IP);
+  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                      AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+  reset_ebtables();
+  reset_arptables();
+  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                 AF_INET, SOL_IP);
+  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                 AF_INET6, SOL_IPV6);
+}
+
+static void setup_cgroups()
+{
+  if (mkdir("/syzcgroup", 0777)) {
+  }
+  if (mkdir("/syzcgroup/unified", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
+  }
+  if (chmod("/syzcgroup/unified", 0777)) {
+  }
+  write_file("/syzcgroup/unified/cgroup.subtree_control",
+             "+cpu +memory +io +pids +rdma");
+  if (mkdir("/syzcgroup/cpu", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/cpu", "cgroup", 0,
+            "cpuset,cpuacct,perf_event,hugetlb")) {
+  }
+  write_file("/syzcgroup/cpu/cgroup.clone_children", "1");
+  if (chmod("/syzcgroup/cpu", 0777)) {
+  }
+  if (mkdir("/syzcgroup/net", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/net", "cgroup", 0,
+            "net_cls,net_prio,devices,freezer")) {
+  }
+  if (chmod("/syzcgroup/net", 0777)) {
+  }
+}
+
+static void setup_cgroups_loop()
+{
+  int pid = getpid();
+  char file[128];
+  char cgroupdir[64];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(file, sizeof(file), "%s/pids.max", cgroupdir);
+  write_file(file, "32");
+  snprintf(file, sizeof(file), "%s/memory.low", cgroupdir);
+  write_file(file, "%d", 298 << 20);
+  snprintf(file, sizeof(file), "%s/memory.high", cgroupdir);
+  write_file(file, "%d", 299 << 20);
+  snprintf(file, sizeof(file), "%s/memory.max", cgroupdir);
+  write_file(file, "%d", 300 << 20);
+  snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
+  write_file(file, "%d", pid);
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
+  write_file(file, "%d", pid);
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
+  write_file(file, "%d", pid);
+}
+
+static void setup_cgroups_test()
+{
+  char cgroupdir[64];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup")) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup.cpu")) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup.net")) {
+  }
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+  setup_cgroups();
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+  typedef struct {
+    const char* name;
+    const char* value;
+  } sysctl_t;
+  static const sysctl_t sysctls[] = {
+      {"/proc/sys/kernel/shmmax", "16777216"},
+      {"/proc/sys/kernel/shmall", "536870912"},
+      {"/proc/sys/kernel/shmmni", "1024"},
+      {"/proc/sys/kernel/msgmax", "8192"},
+      {"/proc/sys/kernel/msgmni", "1024"},
+      {"/proc/sys/kernel/msgmnb", "1024"},
+      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
+    write_file(sysctls[i].name, sysctls[i].value);
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static void drop_caps(void)
+{
+  struct __user_cap_header_struct cap_hdr = {};
+  struct __user_cap_data_struct cap_data[2] = {};
+  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  cap_hdr.pid = getpid();
+  if (syscall(SYS_capget, &cap_hdr, &cap_data))
+    exit(1);
+  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
+  cap_data[0].effective &= ~drop;
+  cap_data[0].permitted &= ~drop;
+  cap_data[0].inheritable &= ~drop;
+  if (syscall(SYS_capset, &cap_hdr, &cap_data))
+    exit(1);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  drop_caps();
+  initialize_netdevices_init();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_tun();
+  initialize_netdevices();
+  loop();
+  exit(1);
+}
+
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  while (umount2(dir, MNT_DETACH) == 0) {
+  }
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exit(1);
+    }
+    exit(1);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    while (umount2(filename, MNT_DETACH) == 0) {
+    }
+    struct stat st;
+    if (lstat(filename, &st))
+      exit(1);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EPERM) {
+        int fd = open(filename, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exit(1);
+      if (umount2(filename, MNT_DETACH))
+        exit(1);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EPERM) {
+        int fd = open(dir, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exit(1);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exit(1);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+static void setup_loop()
+{
+  setup_cgroups_loop();
+  checkpoint_net_namespace();
+}
+
+static void reset_loop()
+{
+  reset_net_namespace();
+}
+
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setup_cgroups_test();
+  write_file("/proc/self/oom_score_adj", "1000");
+  flush_tun();
+}
+
+static void close_fds()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+static void setup_binfmt_misc()
+{
+  if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
+  }
+  write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
+  write_file("/proc/sys/fs/binfmt_misc/register",
+             ":syz1:M:1:\x02::./file0:POC");
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void execute_one(void)
+{
+  int i, call, thread;
+  for (call = 0; call < 5; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+  close_fds();
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  setup_loop();
+  int iter;
+  for (iter = 0;; iter++) {
+    char cwdbuf[32];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      exit(1);
+    reset_loop();
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      if (chdir(cwdbuf))
+        exit(1);
+      setup_test();
+      execute_one();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+    remove_dir(cwdbuf);
+  }
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+void execute_call(int call)
+{
+  intptr_t res;
+  switch (call) {
+  case 0:
+    res = syscall(__NR_socket, 0xa, 1, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 1:
+    NONFAILING(*(uint32_t*)0x200000c0 = 1);
+    syscall(__NR_setsockopt, r[0], 6, 0x13, 0x200000c0, 0x151);
+    break;
+  case 2:
+    NONFAILING(*(uint16_t*)0x20000140 = 0xa);
+    NONFAILING(*(uint16_t*)0x20000142 = htobe16(0));
+    NONFAILING(*(uint32_t*)0x20000144 = htobe32(0));
+    NONFAILING(*(uint8_t*)0x20000148 = 0);
+    NONFAILING(*(uint8_t*)0x20000149 = 0);
+    NONFAILING(*(uint8_t*)0x2000014a = 0);
+    NONFAILING(*(uint8_t*)0x2000014b = 0);
+    NONFAILING(*(uint8_t*)0x2000014c = 0);
+    NONFAILING(*(uint8_t*)0x2000014d = 0);
+    NONFAILING(*(uint8_t*)0x2000014e = 0);
+    NONFAILING(*(uint8_t*)0x2000014f = 0);
+    NONFAILING(*(uint8_t*)0x20000150 = 0);
+    NONFAILING(*(uint8_t*)0x20000151 = 0);
+    NONFAILING(*(uint8_t*)0x20000152 = -1);
+    NONFAILING(*(uint8_t*)0x20000153 = -1);
+    NONFAILING(*(uint8_t*)0x20000154 = 0xac);
+    NONFAILING(*(uint8_t*)0x20000155 = 0x14);
+    NONFAILING(*(uint8_t*)0x20000156 = 0x14);
+    NONFAILING(*(uint8_t*)0x20000157 = 0x17);
+    NONFAILING(*(uint32_t*)0x20000158 = 0);
+    syscall(__NR_connect, r[0], 0x20000140, 0x1c);
+    break;
+  case 3:
+    NONFAILING(*(uint32_t*)0x20000240 = 2);
+    syscall(__NR_setsockopt, r[0], 0x29, 1, 0x20000240, 4);
+    break;
+  case 4:
+    NONFAILING(memcpy((void*)0x20000080, "tls\000", 4));
+    syscall(__NR_setsockopt, r[0], 6, 0x1f, 0x20000080, 0x152);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  setup_binfmt_misc();
+  install_segv_handler();
+  for (procid = 0; procid < 8; procid++) {
+    if (fork() == 0) {
+      use_temporary_dir();
+      do_sandbox_none();
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00c4945b38d0e2583cc05d46b2ef8bc8715f826c.c b/syzkaller-repros/linux/00c4945b38d0e2583cc05d46b2ef8bc8715f826c.c
new file mode 100644
index 0000000..ecc4efc
--- /dev/null
+++ b/syzkaller-repros/linux/00c4945b38d0e2583cc05d46b2ef8bc8715f826c.c
@@ -0,0 +1,83 @@
+// WARNING in __debug_object_init (2)
+// https://syzkaller.appspot.com/bug?id=00c4945b38d0e2583cc05d46b2ef8bc8715f826c
+// status:invalid
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <endian.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifndef __NR_bpf
+#define __NR_bpf 321
+#endif
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  long res = 0;
+  *(uint32_t*)0x20000200 = 0xc;
+  *(uint32_t*)0x20000204 = 0xe;
+  *(uint64_t*)0x20000208 = 0x20000380;
+  memcpy((void*)0x20000380,
+         "\xb7\x02\x00\x00\x03\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07"
+         "\x03\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x79\xa4"
+         "\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05"
+         "\x00\x00\x00\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00"
+         "\x01\x00\x7d\x60\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00"
+         "\x00\x00\x00\x85\x00\x00\x00\x0d\x00\x00\x00\xb7\x00\x00\x00\x00\x00"
+         "\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
+         112);
+  *(uint64_t*)0x20000210 = 0x20000340;
+  memcpy((void*)0x20000340, "syzkaller", 10);
+  *(uint32_t*)0x20000218 = 0;
+  *(uint32_t*)0x2000021c = 0;
+  *(uint64_t*)0x20000220 = 0;
+  *(uint32_t*)0x20000228 = 0;
+  *(uint32_t*)0x2000022c = 0;
+  *(uint8_t*)0x20000230 = 0;
+  *(uint8_t*)0x20000231 = 0;
+  *(uint8_t*)0x20000232 = 0;
+  *(uint8_t*)0x20000233 = 0;
+  *(uint8_t*)0x20000234 = 0;
+  *(uint8_t*)0x20000235 = 0;
+  *(uint8_t*)0x20000236 = 0;
+  *(uint8_t*)0x20000237 = 0;
+  *(uint8_t*)0x20000238 = 0;
+  *(uint8_t*)0x20000239 = 0;
+  *(uint8_t*)0x2000023a = 0;
+  *(uint8_t*)0x2000023b = 0;
+  *(uint8_t*)0x2000023c = 0;
+  *(uint8_t*)0x2000023d = 0;
+  *(uint8_t*)0x2000023e = 0;
+  *(uint8_t*)0x2000023f = 0;
+  *(uint32_t*)0x20000240 = 0;
+  *(uint32_t*)0x20000244 = 0;
+  res = syscall(__NR_bpf, 5, 0x20000200, 0x48);
+  if (res != -1)
+    r[0] = res;
+  *(uint32_t*)0x20000100 = r[0];
+  *(uint32_t*)0x20000104 = 0x2a0;
+  *(uint32_t*)0x20000108 = 0x34;
+  *(uint32_t*)0x2000010c = 0x29;
+  *(uint64_t*)0x20000110 = 0x20000280;
+  memcpy((void*)0x20000280, "\xb9\x07\x03\xe6\x68\x0d\x69\x8c\xb8\x9e\x40\xf0"
+                            "\x2c\xea\xd5\xdc\x57\xee\x41\xde\xa4\x3e\x63\xa3"
+                            "\x77\xfb\x8a\x97\x7c\x3f\x1d\x17\x88\xe8\xad\x30"
+                            "\xd8\x46\x48\xa2\x7f\x11\xc7\x2b\xe0\x00\x0e\x01"
+                            "\xe1\x97\x7d\x48",
+         52);
+  *(uint64_t*)0x20000118 = 0x200000c0;
+  *(uint32_t*)0x20000120 = 0x100;
+  *(uint32_t*)0x20000124 = 0;
+  syscall(__NR_bpf, 0xa, 0x20000100, 0x28);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00e7f2f74d18727ae04d47f616dcf919a0314f6b.c b/syzkaller-repros/linux/00e7f2f74d18727ae04d47f616dcf919a0314f6b.c
new file mode 100644
index 0000000..f632673
--- /dev/null
+++ b/syzkaller-repros/linux/00e7f2f74d18727ae04d47f616dcf919a0314f6b.c
@@ -0,0 +1,454 @@
+// possible deadlock in do_ip_setsockopt
+// https://syzkaller.appspot.com/bug?id=00e7f2f74d18727ae04d47f616dcf919a0314f6b
+// status:dup
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <endian.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+long r[2];
+void loop()
+{
+  memset(r, -1, sizeof(r));
+  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
+  r[0] = syscall(__NR_socket, 2, 0x80003, 0x87);
+  memcpy((void*)0x203c1000, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00\x00\x00\x00",
+         32);
+  *(uint32_t*)0x203c1020 = 0xe;
+  *(uint32_t*)0x203c1024 = 4;
+  *(uint32_t*)0x203c1028 = 0x280;
+  *(uint32_t*)0x203c102c = -1;
+  *(uint32_t*)0x203c1030 = 0;
+  *(uint32_t*)0x203c1034 = 0;
+  *(uint32_t*)0x203c1038 = 0;
+  *(uint32_t*)0x203c103c = -1;
+  *(uint32_t*)0x203c1040 = -1;
+  *(uint32_t*)0x203c1044 = 0;
+  *(uint32_t*)0x203c1048 = 0;
+  *(uint32_t*)0x203c104c = 0;
+  *(uint32_t*)0x203c1050 = -1;
+  *(uint32_t*)0x203c1054 = 4;
+  *(uint64_t*)0x203c1058 = 0x20008fc0;
+  *(uint8_t*)0x203c1060 = 0;
+  *(uint8_t*)0x203c1061 = 0;
+  *(uint8_t*)0x203c1062 = 0;
+  *(uint8_t*)0x203c1063 = 0;
+  *(uint8_t*)0x203c1064 = 0;
+  *(uint8_t*)0x203c1065 = 0;
+  *(uint8_t*)0x203c1066 = 0;
+  *(uint8_t*)0x203c1067 = 0;
+  *(uint8_t*)0x203c1068 = 0;
+  *(uint8_t*)0x203c1069 = 0;
+  *(uint8_t*)0x203c106a = 0;
+  *(uint8_t*)0x203c106b = 0;
+  *(uint8_t*)0x203c106c = 0;
+  *(uint8_t*)0x203c106d = 0;
+  *(uint8_t*)0x203c106e = 0;
+  *(uint8_t*)0x203c106f = 0;
+  *(uint8_t*)0x203c1070 = 0;
+  *(uint8_t*)0x203c1071 = 0;
+  *(uint8_t*)0x203c1072 = 0;
+  *(uint8_t*)0x203c1073 = 0;
+  *(uint8_t*)0x203c1074 = 0;
+  *(uint8_t*)0x203c1075 = 0;
+  *(uint8_t*)0x203c1076 = 0;
+  *(uint8_t*)0x203c1077 = 0;
+  *(uint8_t*)0x203c1078 = 0;
+  *(uint8_t*)0x203c1079 = 0;
+  *(uint8_t*)0x203c107a = 0;
+  *(uint8_t*)0x203c107b = 0;
+  *(uint8_t*)0x203c107c = 0;
+  *(uint8_t*)0x203c107d = 0;
+  *(uint8_t*)0x203c107e = 0;
+  *(uint8_t*)0x203c107f = 0;
+  *(uint8_t*)0x203c1080 = 0;
+  *(uint8_t*)0x203c1081 = 0;
+  *(uint8_t*)0x203c1082 = 0;
+  *(uint8_t*)0x203c1083 = 0;
+  *(uint8_t*)0x203c1084 = 0;
+  *(uint8_t*)0x203c1085 = 0;
+  *(uint8_t*)0x203c1086 = 0;
+  *(uint8_t*)0x203c1087 = 0;
+  *(uint8_t*)0x203c1088 = 0;
+  *(uint8_t*)0x203c1089 = 0;
+  *(uint8_t*)0x203c108a = 0;
+  *(uint8_t*)0x203c108b = 0;
+  *(uint8_t*)0x203c108c = 0;
+  *(uint8_t*)0x203c108d = 0;
+  *(uint8_t*)0x203c108e = 0;
+  *(uint8_t*)0x203c108f = 0;
+  *(uint8_t*)0x203c1090 = 0;
+  *(uint8_t*)0x203c1091 = 0;
+  *(uint8_t*)0x203c1092 = 0;
+  *(uint8_t*)0x203c1093 = 0;
+  *(uint8_t*)0x203c1094 = 0;
+  *(uint8_t*)0x203c1095 = 0;
+  *(uint8_t*)0x203c1096 = 0;
+  *(uint8_t*)0x203c1097 = 0;
+  *(uint8_t*)0x203c1098 = 0;
+  *(uint8_t*)0x203c1099 = 0;
+  *(uint8_t*)0x203c109a = 0;
+  *(uint8_t*)0x203c109b = 0;
+  *(uint8_t*)0x203c109c = 0;
+  *(uint8_t*)0x203c109d = 0;
+  *(uint8_t*)0x203c109e = 0;
+  *(uint8_t*)0x203c109f = 0;
+  *(uint8_t*)0x203c10a0 = 0;
+  *(uint8_t*)0x203c10a1 = 0;
+  *(uint8_t*)0x203c10a2 = 0;
+  *(uint8_t*)0x203c10a3 = 0;
+  *(uint8_t*)0x203c10a4 = 0;
+  *(uint8_t*)0x203c10a5 = 0;
+  *(uint8_t*)0x203c10a6 = 0;
+  *(uint8_t*)0x203c10a7 = 0;
+  *(uint8_t*)0x203c10a8 = 0;
+  *(uint8_t*)0x203c10a9 = 0;
+  *(uint8_t*)0x203c10aa = 0;
+  *(uint8_t*)0x203c10ab = 0;
+  *(uint8_t*)0x203c10ac = 0;
+  *(uint8_t*)0x203c10ad = 0;
+  *(uint8_t*)0x203c10ae = 0;
+  *(uint8_t*)0x203c10af = 0;
+  *(uint8_t*)0x203c10b0 = 0;
+  *(uint8_t*)0x203c10b1 = 0;
+  *(uint8_t*)0x203c10b2 = 0;
+  *(uint8_t*)0x203c10b3 = 0;
+  *(uint32_t*)0x203c10b4 = 0;
+  *(uint16_t*)0x203c10b8 = 0x70;
+  *(uint16_t*)0x203c10ba = 0x98;
+  *(uint32_t*)0x203c10bc = 0;
+  *(uint64_t*)0x203c10c0 = 0;
+  *(uint64_t*)0x203c10c8 = 0;
+  *(uint16_t*)0x203c10d0 = 0x28;
+  memcpy((void*)0x203c10d2, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00",
+         29);
+  *(uint8_t*)0x203c10ef = 0;
+  *(uint32_t*)0x203c10f0 = 0xfffffffe;
+  *(uint8_t*)0x203c10f8 = 0;
+  *(uint8_t*)0x203c10f9 = 0;
+  *(uint8_t*)0x203c10fa = 0;
+  *(uint8_t*)0x203c10fb = 0;
+  *(uint8_t*)0x203c10fc = 0;
+  *(uint8_t*)0x203c10fd = 0;
+  *(uint8_t*)0x203c10fe = 0;
+  *(uint8_t*)0x203c10ff = 0;
+  *(uint8_t*)0x203c1100 = 0;
+  *(uint8_t*)0x203c1101 = 0;
+  *(uint8_t*)0x203c1102 = 0;
+  *(uint8_t*)0x203c1103 = 0;
+  *(uint8_t*)0x203c1104 = 0;
+  *(uint8_t*)0x203c1105 = 0;
+  *(uint8_t*)0x203c1106 = 0;
+  *(uint8_t*)0x203c1107 = 0;
+  *(uint8_t*)0x203c1108 = 0;
+  *(uint8_t*)0x203c1109 = 0;
+  *(uint8_t*)0x203c110a = 0;
+  *(uint8_t*)0x203c110b = 0;
+  *(uint8_t*)0x203c110c = 0;
+  *(uint8_t*)0x203c110d = 0;
+  *(uint8_t*)0x203c110e = 0;
+  *(uint8_t*)0x203c110f = 0;
+  *(uint8_t*)0x203c1110 = 0;
+  *(uint8_t*)0x203c1111 = 0;
+  *(uint8_t*)0x203c1112 = 0;
+  *(uint8_t*)0x203c1113 = 0;
+  *(uint8_t*)0x203c1114 = 0;
+  *(uint8_t*)0x203c1115 = 0;
+  *(uint8_t*)0x203c1116 = 0;
+  *(uint8_t*)0x203c1117 = 0;
+  *(uint8_t*)0x203c1118 = 0;
+  *(uint8_t*)0x203c1119 = 0;
+  *(uint8_t*)0x203c111a = 0;
+  *(uint8_t*)0x203c111b = 0;
+  *(uint8_t*)0x203c111c = 0;
+  *(uint8_t*)0x203c111d = 0;
+  *(uint8_t*)0x203c111e = 0;
+  *(uint8_t*)0x203c111f = 0;
+  *(uint8_t*)0x203c1120 = 0;
+  *(uint8_t*)0x203c1121 = 0;
+  *(uint8_t*)0x203c1122 = 0;
+  *(uint8_t*)0x203c1123 = 0;
+  *(uint8_t*)0x203c1124 = 0;
+  *(uint8_t*)0x203c1125 = 0;
+  *(uint8_t*)0x203c1126 = 0;
+  *(uint8_t*)0x203c1127 = 0;
+  *(uint8_t*)0x203c1128 = 0;
+  *(uint8_t*)0x203c1129 = 0;
+  *(uint8_t*)0x203c112a = 0;
+  *(uint8_t*)0x203c112b = 0;
+  *(uint8_t*)0x203c112c = 0;
+  *(uint8_t*)0x203c112d = 0;
+  *(uint8_t*)0x203c112e = 0;
+  *(uint8_t*)0x203c112f = 0;
+  *(uint8_t*)0x203c1130 = 0;
+  *(uint8_t*)0x203c1131 = 0;
+  *(uint8_t*)0x203c1132 = 0;
+  *(uint8_t*)0x203c1133 = 0;
+  *(uint8_t*)0x203c1134 = 0;
+  *(uint8_t*)0x203c1135 = 0;
+  *(uint8_t*)0x203c1136 = 0;
+  *(uint8_t*)0x203c1137 = 0;
+  *(uint8_t*)0x203c1138 = 0;
+  *(uint8_t*)0x203c1139 = 0;
+  *(uint8_t*)0x203c113a = 0;
+  *(uint8_t*)0x203c113b = 0;
+  *(uint8_t*)0x203c113c = 0;
+  *(uint8_t*)0x203c113d = 0;
+  *(uint8_t*)0x203c113e = 0;
+  *(uint8_t*)0x203c113f = 0;
+  *(uint8_t*)0x203c1140 = 0;
+  *(uint8_t*)0x203c1141 = 0;
+  *(uint8_t*)0x203c1142 = 0;
+  *(uint8_t*)0x203c1143 = 0;
+  *(uint8_t*)0x203c1144 = 0;
+  *(uint8_t*)0x203c1145 = 0;
+  *(uint8_t*)0x203c1146 = 0;
+  *(uint8_t*)0x203c1147 = 0;
+  *(uint8_t*)0x203c1148 = 0;
+  *(uint8_t*)0x203c1149 = 0;
+  *(uint8_t*)0x203c114a = 0;
+  *(uint8_t*)0x203c114b = 0;
+  *(uint32_t*)0x203c114c = 0;
+  *(uint16_t*)0x203c1150 = 0x70;
+  *(uint16_t*)0x203c1152 = 0xb8;
+  *(uint32_t*)0x203c1154 = 0;
+  *(uint64_t*)0x203c1158 = 0;
+  *(uint64_t*)0x203c1160 = 0;
+  *(uint16_t*)0x203c1168 = 0x48;
+  memcpy((void*)0x203c116a, "\x54\x45\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00",
+         29);
+  *(uint8_t*)0x203c1187 = 1;
+  *(uint64_t*)0x203c1188 = htobe64(0);
+  *(uint64_t*)0x203c1190 = htobe64(1);
+  memcpy((void*)0x203c1198,
+         "\x62\x63\x73\x66\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+         16);
+  *(uint64_t*)0x203c11a8 = 0;
+  *(uint8_t*)0x203c11b0 = 0;
+  *(uint8_t*)0x203c11b1 = 0;
+  *(uint8_t*)0x203c11b2 = 0;
+  *(uint8_t*)0x203c11b3 = 0;
+  *(uint8_t*)0x203c11b4 = 0;
+  *(uint8_t*)0x203c11b5 = 0;
+  *(uint8_t*)0x203c11b6 = 0;
+  *(uint8_t*)0x203c11b7 = 0;
+  *(uint8_t*)0x203c11b8 = 0;
+  *(uint8_t*)0x203c11b9 = 0;
+  *(uint8_t*)0x203c11ba = 0;
+  *(uint8_t*)0x203c11bb = 0;
+  *(uint8_t*)0x203c11bc = 0;
+  *(uint8_t*)0x203c11bd = 0;
+  *(uint8_t*)0x203c11be = 0;
+  *(uint8_t*)0x203c11bf = 0;
+  *(uint8_t*)0x203c11c0 = 0;
+  *(uint8_t*)0x203c11c1 = 0;
+  *(uint8_t*)0x203c11c2 = 0;
+  *(uint8_t*)0x203c11c3 = 0;
+  *(uint8_t*)0x203c11c4 = 0;
+  *(uint8_t*)0x203c11c5 = 0;
+  *(uint8_t*)0x203c11c6 = 0;
+  *(uint8_t*)0x203c11c7 = 0;
+  *(uint8_t*)0x203c11c8 = 0;
+  *(uint8_t*)0x203c11c9 = 0;
+  *(uint8_t*)0x203c11ca = 0;
+  *(uint8_t*)0x203c11cb = 0;
+  *(uint8_t*)0x203c11cc = 0;
+  *(uint8_t*)0x203c11cd = 0;
+  *(uint8_t*)0x203c11ce = 0;
+  *(uint8_t*)0x203c11cf = 0;
+  *(uint8_t*)0x203c11d0 = 0;
+  *(uint8_t*)0x203c11d1 = 0;
+  *(uint8_t*)0x203c11d2 = 0;
+  *(uint8_t*)0x203c11d3 = 0;
+  *(uint8_t*)0x203c11d4 = 0;
+  *(uint8_t*)0x203c11d5 = 0;
+  *(uint8_t*)0x203c11d6 = 0;
+  *(uint8_t*)0x203c11d7 = 0;
+  *(uint8_t*)0x203c11d8 = 0;
+  *(uint8_t*)0x203c11d9 = 0;
+  *(uint8_t*)0x203c11da = 0;
+  *(uint8_t*)0x203c11db = 0;
+  *(uint8_t*)0x203c11dc = 0;
+  *(uint8_t*)0x203c11dd = 0;
+  *(uint8_t*)0x203c11de = 0;
+  *(uint8_t*)0x203c11df = 0;
+  *(uint8_t*)0x203c11e0 = 0;
+  *(uint8_t*)0x203c11e1 = 0;
+  *(uint8_t*)0x203c11e2 = 0;
+  *(uint8_t*)0x203c11e3 = 0;
+  *(uint8_t*)0x203c11e4 = 0;
+  *(uint8_t*)0x203c11e5 = 0;
+  *(uint8_t*)0x203c11e6 = 0;
+  *(uint8_t*)0x203c11e7 = 0;
+  *(uint8_t*)0x203c11e8 = 0;
+  *(uint8_t*)0x203c11e9 = 0;
+  *(uint8_t*)0x203c11ea = 0;
+  *(uint8_t*)0x203c11eb = 0;
+  *(uint8_t*)0x203c11ec = 0;
+  *(uint8_t*)0x203c11ed = 0;
+  *(uint8_t*)0x203c11ee = 0;
+  *(uint8_t*)0x203c11ef = 0;
+  *(uint8_t*)0x203c11f0 = 0;
+  *(uint8_t*)0x203c11f1 = 0;
+  *(uint8_t*)0x203c11f2 = 0;
+  *(uint8_t*)0x203c11f3 = 0;
+  *(uint8_t*)0x203c11f4 = 0;
+  *(uint8_t*)0x203c11f5 = 0;
+  *(uint8_t*)0x203c11f6 = 0;
+  *(uint8_t*)0x203c11f7 = 0;
+  *(uint8_t*)0x203c11f8 = 0;
+  *(uint8_t*)0x203c11f9 = 0;
+  *(uint8_t*)0x203c11fa = 0;
+  *(uint8_t*)0x203c11fb = 0;
+  *(uint8_t*)0x203c11fc = 0;
+  *(uint8_t*)0x203c11fd = 0;
+  *(uint8_t*)0x203c11fe = 0;
+  *(uint8_t*)0x203c11ff = 0;
+  *(uint8_t*)0x203c1200 = 0;
+  *(uint8_t*)0x203c1201 = 0;
+  *(uint8_t*)0x203c1202 = 0;
+  *(uint8_t*)0x203c1203 = 0;
+  *(uint32_t*)0x203c1204 = 0;
+  *(uint16_t*)0x203c1208 = 0x70;
+  *(uint16_t*)0x203c120a = 0x98;
+  *(uint32_t*)0x203c120c = 0;
+  *(uint64_t*)0x203c1210 = 0;
+  *(uint64_t*)0x203c1218 = 0;
+  *(uint16_t*)0x203c1220 = 0x28;
+  memcpy((void*)0x203c1222, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00",
+         29);
+  *(uint8_t*)0x203c123f = 0;
+  *(uint32_t*)0x203c1240 = 0;
+  *(uint8_t*)0x203c1248 = 0;
+  *(uint8_t*)0x203c1249 = 0;
+  *(uint8_t*)0x203c124a = 0;
+  *(uint8_t*)0x203c124b = 0;
+  *(uint8_t*)0x203c124c = 0;
+  *(uint8_t*)0x203c124d = 0;
+  *(uint8_t*)0x203c124e = 0;
+  *(uint8_t*)0x203c124f = 0;
+  *(uint8_t*)0x203c1250 = 0;
+  *(uint8_t*)0x203c1251 = 0;
+  *(uint8_t*)0x203c1252 = 0;
+  *(uint8_t*)0x203c1253 = 0;
+  *(uint8_t*)0x203c1254 = 0;
+  *(uint8_t*)0x203c1255 = 0;
+  *(uint8_t*)0x203c1256 = 0;
+  *(uint8_t*)0x203c1257 = 0;
+  *(uint8_t*)0x203c1258 = 0;
+  *(uint8_t*)0x203c1259 = 0;
+  *(uint8_t*)0x203c125a = 0;
+  *(uint8_t*)0x203c125b = 0;
+  *(uint8_t*)0x203c125c = 0;
+  *(uint8_t*)0x203c125d = 0;
+  *(uint8_t*)0x203c125e = 0;
+  *(uint8_t*)0x203c125f = 0;
+  *(uint8_t*)0x203c1260 = 0;
+  *(uint8_t*)0x203c1261 = 0;
+  *(uint8_t*)0x203c1262 = 0;
+  *(uint8_t*)0x203c1263 = 0;
+  *(uint8_t*)0x203c1264 = 0;
+  *(uint8_t*)0x203c1265 = 0;
+  *(uint8_t*)0x203c1266 = 0;
+  *(uint8_t*)0x203c1267 = 0;
+  *(uint8_t*)0x203c1268 = 0;
+  *(uint8_t*)0x203c1269 = 0;
+  *(uint8_t*)0x203c126a = 0;
+  *(uint8_t*)0x203c126b = 0;
+  *(uint8_t*)0x203c126c = 0;
+  *(uint8_t*)0x203c126d = 0;
+  *(uint8_t*)0x203c126e = 0;
+  *(uint8_t*)0x203c126f = 0;
+  *(uint8_t*)0x203c1270 = 0;
+  *(uint8_t*)0x203c1271 = 0;
+  *(uint8_t*)0x203c1272 = 0;
+  *(uint8_t*)0x203c1273 = 0;
+  *(uint8_t*)0x203c1274 = 0;
+  *(uint8_t*)0x203c1275 = 0;
+  *(uint8_t*)0x203c1276 = 0;
+  *(uint8_t*)0x203c1277 = 0;
+  *(uint8_t*)0x203c1278 = 0;
+  *(uint8_t*)0x203c1279 = 0;
+  *(uint8_t*)0x203c127a = 0;
+  *(uint8_t*)0x203c127b = 0;
+  *(uint8_t*)0x203c127c = 0;
+  *(uint8_t*)0x203c127d = 0;
+  *(uint8_t*)0x203c127e = 0;
+  *(uint8_t*)0x203c127f = 0;
+  *(uint8_t*)0x203c1280 = 0;
+  *(uint8_t*)0x203c1281 = 0;
+  *(uint8_t*)0x203c1282 = 0;
+  *(uint8_t*)0x203c1283 = 0;
+  *(uint8_t*)0x203c1284 = 0;
+  *(uint8_t*)0x203c1285 = 0;
+  *(uint8_t*)0x203c1286 = 0;
+  *(uint8_t*)0x203c1287 = 0;
+  *(uint8_t*)0x203c1288 = 0;
+  *(uint8_t*)0x203c1289 = 0;
+  *(uint8_t*)0x203c128a = 0;
+  *(uint8_t*)0x203c128b = 0;
+  *(uint8_t*)0x203c128c = 0;
+  *(uint8_t*)0x203c128d = 0;
+  *(uint8_t*)0x203c128e = 0;
+  *(uint8_t*)0x203c128f = 0;
+  *(uint8_t*)0x203c1290 = 0;
+  *(uint8_t*)0x203c1291 = 0;
+  *(uint8_t*)0x203c1292 = 0;
+  *(uint8_t*)0x203c1293 = 0;
+  *(uint8_t*)0x203c1294 = 0;
+  *(uint8_t*)0x203c1295 = 0;
+  *(uint8_t*)0x203c1296 = 0;
+  *(uint8_t*)0x203c1297 = 0;
+  *(uint8_t*)0x203c1298 = 0;
+  *(uint8_t*)0x203c1299 = 0;
+  *(uint8_t*)0x203c129a = 0;
+  *(uint8_t*)0x203c129b = 0;
+  *(uint32_t*)0x203c129c = 0;
+  *(uint16_t*)0x203c12a0 = 0x70;
+  *(uint16_t*)0x203c12a2 = 0x98;
+  *(uint32_t*)0x203c12a4 = 0;
+  *(uint64_t*)0x203c12a8 = 0;
+  *(uint64_t*)0x203c12b0 = 0;
+  *(uint16_t*)0x203c12b8 = 0x28;
+  memcpy((void*)0x203c12ba, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                            "\x00\x00\x00\x00\x00",
+         29);
+  *(uint8_t*)0x203c12d7 = 0;
+  *(uint32_t*)0x203c12d8 = 0;
+  *(uint64_t*)0x20008fc0 = 0;
+  *(uint64_t*)0x20008fc8 = 0;
+  *(uint64_t*)0x20008fd0 = 0;
+  *(uint64_t*)0x20008fd8 = 0;
+  *(uint64_t*)0x20008fe0 = 0;
+  *(uint64_t*)0x20008fe8 = 0;
+  *(uint64_t*)0x20008ff0 = 0;
+  *(uint64_t*)0x20008ff8 = 0;
+  syscall(__NR_setsockopt, r[0], 0, 0x40, 0x203c1000, 0x2e0);
+  r[1] = syscall(__NR_socket, 2, 2, 0);
+  *(uint32_t*)0x20e48000 = htobe32(0xe0000001);
+  *(uint8_t*)0x20e48004 = 0xac;
+  *(uint8_t*)0x20e48005 = 0x14;
+  *(uint8_t*)0x20e48006 = 0;
+  *(uint8_t*)0x20e48007 = 0xaa;
+  *(uint32_t*)0x20e48008 = htobe32(-1);
+  syscall(__NR_setsockopt, r[1], 0, 0x27, 0x20e48000, 0xc);
+}
+
+int main()
+{
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/00f119b8bb35a3acbcfafb9d36a2752b364e8d66.c b/syzkaller-repros/linux/00f119b8bb35a3acbcfafb9d36a2752b364e8d66.c
new file mode 100644
index 0000000..949002d
--- /dev/null
+++ b/syzkaller-repros/linux/00f119b8bb35a3acbcfafb9d36a2752b364e8d66.c
@@ -0,0 +1,587 @@
+// possible deadlock in path_openat
+// https://syzkaller.appspot.com/bug?id=00f119b8bb35a3acbcfafb9d36a2752b364e8d66
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (pthread_create(&th, &attr, fn, arg) == 0) {
+      pthread_attr_destroy(&attr);
+      return;
+    }
+    if (errno == EAGAIN) {
+      usleep(50);
+      continue;
+    }
+    break;
+  }
+  exit(1);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static long syz_open_procfs(volatile long a0, volatile long a1)
+{
+  char buf[128];
+  memset(buf, 0, sizeof(buf));
+  if (a0 == 0) {
+    snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
+  } else if (a0 == -1) {
+    snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
+  } else {
+    snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
+  }
+  int fd = open(buf, O_RDWR);
+  if (fd == -1)
+    fd = open(buf, O_RDONLY);
+  return fd;
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+  typedef struct {
+    const char* name;
+    const char* value;
+  } sysctl_t;
+  static const sysctl_t sysctls[] = {
+      {"/proc/sys/kernel/shmmax", "16777216"},
+      {"/proc/sys/kernel/shmall", "536870912"},
+      {"/proc/sys/kernel/shmmni", "1024"},
+      {"/proc/sys/kernel/msgmax", "8192"},
+      {"/proc/sys/kernel/msgmni", "1024"},
+      {"/proc/sys/kernel/msgmnb", "1024"},
+      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
+    write_file(sysctls[i].name, sysctls[i].value);
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  loop();
+  exit(1);
+}
+
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  while (umount2(dir, MNT_DETACH) == 0) {
+  }
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exit(1);
+    }
+    exit(1);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    while (umount2(filename, MNT_DETACH) == 0) {
+    }
+    struct stat st;
+    if (lstat(filename, &st))
+      exit(1);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EPERM) {
+        int fd = open(filename, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exit(1);
+      if (umount2(filename, MNT_DETACH))
+        exit(1);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EPERM) {
+        int fd = open(dir, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exit(1);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exit(1);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  write_file("/proc/self/oom_score_adj", "1000");
+}
+
+#define SYZ_HAVE_CLOSE_FDS 1
+static void close_fds()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void execute_one(void)
+{
+  int i, call, thread;
+  int collide = 0;
+again:
+  for (call = 0; call < 19; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      if (collide && (call % 2) == 0)
+        break;
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+  close_fds();
+  if (!collide) {
+    collide = 1;
+    goto again;
+  }
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    char cwdbuf[32];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      exit(1);
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      if (chdir(cwdbuf))
+        exit(1);
+      setup_test();
+      execute_one();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+    remove_dir(cwdbuf);
+  }
+}
+
+#ifndef __NR_memfd_create
+#define __NR_memfd_create 319
+#endif
+
+uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
+                 0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    syscall(__NR_mknod, 0, 0x100c, 0);
+    break;
+  case 1:
+    memcpy((void*)0x20000600, "./bus\000", 6);
+    res = syscall(__NR_open, 0x20000600, 0x800, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 2:
+    memcpy((void*)0x20000000, "^posix_acl_accessppp1\\\000", 23);
+    res = syscall(__NR_memfd_create, 0x20000000, 0);
+    if (res != -1)
+      r[1] = res;
+    break;
+  case 3:
+    syscall(__NR_splice, r[0], 0, r[1], 0, 0x20, 0);
+    break;
+  case 4:
+    memcpy((void*)0x200001c0, "io\000", 3);
+    res = syz_open_procfs(0, 0x200001c0);
+    if (res != -1)
+      r[2] = res;
+    break;
+  case 5:
+    syscall(__NR_sendfile, r[2], r[2], 0, 1);
+    break;
+  case 6:
+    memcpy((void*)0x20000180, "./file0\000", 8);
+    syscall(__NR_mkdir, 0x20000180, 0);
+    break;
+  case 7:
+    memcpy((void*)0x20027000, "./file0\000", 8);
+    memcpy((void*)0x20018ffa, "tmpfs\000", 6);
+    syscall(__NR_mount, 0, 0x20027000, 0x20018ffa, 0, 0);
+    break;
+  case 8:
+    syscall(__NR_fchdir, -1);
+    break;
+  case 9:
+    memcpy((void*)0x20000200, "./file1\000", 8);
+    syscall(__NR_mkdir, 0x20000200, 0);
+    break;
+  case 10:
+    syscall(__NR_mkdir, 0, 0);
+    break;
+  case 11:
+    memcpy((void*)0x20000080, "./file0\000", 8);
+    memcpy((void*)0x20000100, "overlay\000", 8);
+    memcpy((void*)0x20000140,
+           "upperdir=./file0,lowerdir=.:file0,workdir=./file1", 49);
+    syscall(__NR_mount, 0x400000, 0x20000080, 0x20000100, 0, 0x20000140);
+    break;
+  case 12:
+    memcpy((void*)0x20000000, "./file0/file0\000", 14);
+    syscall(__NR_rmdir, 0x20000000);
+    break;
+  case 13:
+    memcpy((void*)0x20000280, "./file0\000", 8);
+    syscall(__NR_chdir, 0x20000280);
+    break;
+  case 14:
+    memcpy((void*)0x20000000, "./file0\000", 8);
+    syscall(__NR_execve, 0x20000000, 0, 0);
+    break;
+  case 15:
+    memcpy((void*)0x20000100, "net/udplite\000", 12);
+    res = syz_open_procfs(-1, 0x20000100);
+    if (res != -1)
+      r[3] = res;
+    break;
+  case 16:
+    memcpy((void*)0x20000200, "./bus\000", 6);
+    syscall(__NR_mknod, 0x20000200, 0x100c, 0);
+    break;
+  case 17:
+    memcpy((void*)0x20000600, "./bus\000", 6);
+    res = syscall(__NR_open, 0x20000600, 2, 0);
+    if (res != -1)
+      r[4] = res;
+    break;
+  case 18:
+    syscall(__NR_splice, r[3], 0, r[4], 0, 0x7ff, 0);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  use_temporary_dir();
+  do_sandbox_none();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/012edf00e41142489846a98eafd64783ab8ed000.c b/syzkaller-repros/linux/012edf00e41142489846a98eafd64783ab8ed000.c
new file mode 100644
index 0000000..de1e920
--- /dev/null
+++ b/syzkaller-repros/linux/012edf00e41142489846a98eafd64783ab8ed000.c
@@ -0,0 +1,385 @@
+// KASAN: slab-out-of-bounds Read in find_first_bit
+// https://syzkaller.appspot.com/bug?id=012edf00e41142489846a98eafd64783ab8ed000
+// status:invalid
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <errno.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <signal.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdio.h>
+#include <sys/mount.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+__attribute__((noreturn)) static void doexit(int status)
+{
+  volatile unsigned i;
+  syscall(__NR_exit_group, status);
+  for (i = 0;; i++) {
+  }
+}
+#include <errno.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+const int kFailStatus = 67;
+const int kRetryStatus = 69;
+
+static void fail(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
+}
+
+static void exitf(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit(kRetryStatus);
+}
+
+static uint64_t current_time_ms()
+{
+  struct timespec ts;
+
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    fail("clock_gettime failed");
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir()
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    fail("failed to mkdtemp");
+  if (chmod(tmpdir, 0777))
+    fail("failed to chmod");
+  if (chdir(tmpdir))
+    fail("failed to chdir");
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static void setup_cgroups()
+{
+  if (mkdir("/syzcgroup", 0777)) {
+  }
+  if (mkdir("/syzcgroup/unified", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
+  }
+  if (chmod("/syzcgroup/unified", 0777)) {
+  }
+  if (!write_file("/syzcgroup/unified/cgroup.subtree_control",
+                  "+cpu +memory +io +pids +rdma")) {
+  }
+  if (mkdir("/syzcgroup/cpu", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/cpu", "cgroup", 0,
+            "cpuset,cpuacct,perf_event,hugetlb")) {
+  }
+  if (!write_file("/syzcgroup/cpu/cgroup.clone_children", "1")) {
+  }
+  if (chmod("/syzcgroup/cpu", 0777)) {
+  }
+  if (mkdir("/syzcgroup/net", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/net", "cgroup", 0,
+            "net_cls,net_prio,devices,freezer")) {
+  }
+  if (chmod("/syzcgroup/net", 0777)) {
+  }
+}
+
+static void setup_binfmt_misc()
+{
+  if (!write_file("/proc/sys/fs/binfmt_misc/register",
+                  ":syz0:M:0:syz0::./file0:")) {
+  }
+  if (!write_file("/proc/sys/fs/binfmt_misc/register",
+                  ":syz1:M:1:yz1::./file0:POC")) {
+  }
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 160 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    fail("sandbox fork failed");
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+
+  setup_cgroups();
+  setup_binfmt_misc();
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  loop();
+  doexit(1);
+}
+
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  while (umount2(dir, MNT_DETACH) == 0) {
+  }
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
+    }
+    exitf("opendir(%s) failed", dir);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    struct stat st;
+    if (lstat(filename, &st))
+      exitf("lstat(%s) failed", filename);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exitf("unlink(%s) failed", filename);
+      if (umount2(filename, MNT_DETACH))
+        exitf("umount(%s) failed", filename);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exitf("umount(%s) failed", dir);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exitf("rmdir(%s) failed", dir);
+  }
+}
+
+static void execute_one();
+extern unsigned long long procid;
+
+static void loop()
+{
+  char cgroupdir[64];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  char cgroupdir_cpu[64];
+  snprintf(cgroupdir_cpu, sizeof(cgroupdir_cpu), "/syzcgroup/cpu/syz%llu",
+           procid);
+  char cgroupdir_net[64];
+  snprintf(cgroupdir_net, sizeof(cgroupdir_net), "/syzcgroup/net/syz%llu",
+           procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  if (mkdir(cgroupdir_cpu, 0777)) {
+  }
+  if (mkdir(cgroupdir_net, 0777)) {
+  }
+  int pid = getpid();
+  char procs_file[128];
+  snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir);
+  if (!write_file(procs_file, "%d", pid)) {
+  }
+  snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_cpu);
+  if (!write_file(procs_file, "%d", pid)) {
+  }
+  snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_net);
+  if (!write_file(procs_file, "%d", pid)) {
+  }
+  int iter;
+  for (iter = 0;; iter++) {
+    char cwdbuf[32];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      fail("failed to mkdir");
+    int pid = fork();
+    if (pid < 0)
+      fail("clone failed");
+    if (pid == 0) {
+      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+      setpgrp();
+      if (chdir(cwdbuf))
+        fail("failed to chdir");
+      if (symlink(cgroupdir, "./cgroup")) {
+      }
+      if (symlink(cgroupdir_cpu, "./cgroup.cpu")) {
+      }
+      if (symlink(cgroupdir_net, "./cgroup.net")) {
+      }
+      execute_one();
+      doexit(0);
+    }
+
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      int res = waitpid(-1, &status, __WALL | WNOHANG);
+      if (res == pid) {
+        break;
+      }
+      usleep(1000);
+      if (current_time_ms() - start < 3 * 1000)
+        continue;
+      kill(-pid, SIGKILL);
+      kill(pid, SIGKILL);
+      while (waitpid(-1, &status, __WALL) != pid) {
+      }
+      break;
+    }
+    remove_dir(cwdbuf);
+  }
+}
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+unsigned long long procid;
+void execute_one()
+{
+  long res = 0;
+  memcpy((void*)0x20000180, "./cgroup", 9);
+  res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000180, 0x200002, 0);
+  if (res != -1)
+    r[0] = res;
+  memcpy((void*)0x20000040, "memory.high", 12);
+  res = syscall(__NR_openat, r[0], 0x20000040, 2, 0);
+  if (res != -1)
+    r[1] = res;
+  syscall(__NR_write, r[1], 0x20000740, 0x6b);
+}
+
+int main()
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  char* cwd = get_current_dir_name();
+  for (;;) {
+    if (chdir(cwd))
+      fail("failed to chdir");
+    use_temporary_dir();
+    do_sandbox_none();
+  }
+}
diff --git a/syzkaller-repros/linux/012fc28616476a6eba042bfeb6cf261b55750d4a.c b/syzkaller-repros/linux/012fc28616476a6eba042bfeb6cf261b55750d4a.c
new file mode 100644
index 0000000..8c4b79a
--- /dev/null
+++ b/syzkaller-repros/linux/012fc28616476a6eba042bfeb6cf261b55750d4a.c
@@ -0,0 +1,285 @@
+// kernel BUG at drivers/android/binder_alloc.c:LINE!
+// https://syzkaller.appspot.com/bug?id=012fc28616476a6eba042bfeb6cf261b55750d4a
+// status:fixed
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <fcntl.h>
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/if_tun.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <net/if_arp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+__attribute__((noreturn)) static void doexit(int status)
+{
+  volatile unsigned i;
+  syscall(__NR_exit_group, status);
+  for (i = 0;; i++) {
+  }
+}
+
+#include <stdint.h>
+#include <string.h>
+
+const int kFailStatus = 67;
+const int kRetryStatus = 69;
+
+static void fail(const char* msg, ...)
+{
+  int e = errno;
+  va_list args;
+  va_start(args, msg);
+  vfprintf(stderr, msg, args);
+  va_end(args);
+  fprintf(stderr, " (errno %d)\n", e);
+  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
+}
+
+static void vsnprintf_check(char* str, size_t size, const char* format,
+                            va_list args)
+{
+  int rv;
+
+  rv = vsnprintf(str, size, format, args);
+  if (rv < 0)
+    fail("tun: snprintf failed");
+  if ((size_t)rv >= size)
+    fail("tun: string '%s...' doesn't fit into buffer", str);
+}
+
+static void snprintf_check(char* str, size_t size, const char* format,
+                           ...)
+{
+  va_list args;
+
+  va_start(args, format);
+  vsnprintf_check(str, size, format, args);
+  va_end(args);
+}
+
+#define COMMAND_MAX_LEN 128
+#define PATH_PREFIX                                                    \
+  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
+#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)
+
+static void execute_command(const char* format, ...)
+{
+  va_list args;
+  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
+  int rv;
+
+  va_start(args, format);
+  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
+  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format,
+                  args);
+  rv = system(command);
+  if (rv != 0)
+    fail("tun: command \"%s\" failed with code %d", &command[0], rv);
+
+  va_end(args);
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define MAX_PIDS 32
+#define ADDR_MAX_LEN 32
+
+#define LOCAL_MAC "aa:aa:aa:aa:aa:%02hx"
+#define REMOTE_MAC "bb:bb:bb:bb:bb:%02hx"
+
+#define LOCAL_IPV4 "172.20.%d.170"
+#define REMOTE_IPV4 "172.20.%d.187"
+
+#define LOCAL_IPV6 "fe80::%02hxaa"
+#define REMOTE_IPV6 "fe80::%02hxbb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(uint64_t pid)
+{
+  if (pid >= MAX_PIDS)
+    fail("tun: no more than %d executors", MAX_PIDS);
+  int id = pid;
+
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf(
+        "tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as "
+           "intended\n");
+    return;
+  }
+
+  char iface[IFNAMSIZ];
+  snprintf_check(iface, sizeof(iface), "syz%d", id);
+
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, iface, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      fail("tun: ioctl(TUNSETIFF) failed");
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    fail("tun: ioctl(TUNGETIFF) failed");
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+
+  char local_mac[ADDR_MAX_LEN];
+  snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
+  char remote_mac[ADDR_MAX_LEN];
+  snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);
+
+  char local_ipv4[ADDR_MAX_LEN];
+  snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
+  char remote_ipv4[ADDR_MAX_LEN];
+  snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);
+
+  char local_ipv6[ADDR_MAX_LEN];
+  snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
+  char remote_ipv6[ADDR_MAX_LEN];
+  snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);
+
+  execute_command("sysctl -w net.ipv6.conf.%s.accept_dad=0", iface);
+
+  execute_command("sysctl -w net.ipv6.conf.%s.router_solicitations=0",
+                  iface);
+
+  execute_command("ip link set dev %s address %s", iface, local_mac);
+  execute_command("ip addr add %s/24 dev %s", local_ipv4, iface);
+  execute_command("ip -6 addr add %s/120 dev %s", local_ipv6, iface);
+  execute_command("ip neigh add %s lladdr %s dev %s nud permanent",
+                  remote_ipv4, remote_mac, iface);
+  execute_command("ip -6 neigh add %s lladdr %s dev %s nud permanent",
+                  remote_ipv6, remote_mac, iface);
+  execute_command("ip link set dev %s up", iface);
+}
+
+static void setup_tun(uint64_t pid, bool enable_tun)
+{
+  if (enable_tun)
+    initialize_tun(pid);
+}
+
+static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
+{
+  if (a0 == 0xc || a0 == 0xb) {
+    char buf[128];
+    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
+            (uint8_t)a1, (uint8_t)a2);
+    return open(buf, O_RDWR, 0);
+  } else {
+    char buf[1024];
+    char* hash;
+    strncpy(buf, (char*)a0, sizeof(buf));
+    buf[sizeof(buf) - 1] = 0;
+    while ((hash = strchr(buf, '#'))) {
+      *hash = '0' + (char)(a1 % 10);
+      a1 /= 10;
+    }
+    return open(buf, a2, 0);
+  }
+}
+
+long r[48];
+void loop()
+{
+  memset(r, -1, sizeof(r));
+  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
+                 0xfffffffffffffffful, 0x0ul);
+  memcpy((void*)0x20005000,
+         "\x2f\x64\x65\x76\x2f\x62\x69\x6e\x64\x65\x72\x23\x00", 13);
+  r[2] = syz_open_dev(0x20005000ul, 0x0ul, 0x0ul);
+  memcpy((void*)0x201acff3,
+         "\x2f\x64\x65\x76\x2f\x62\x69\x6e\x64\x65\x72\x23\x00", 13);
+  r[4] = syz_open_dev(0x201acff3ul, 0x0ul, 0x0ul);
+  r[5] = syscall(__NR_mmap, 0x20000000ul, 0x2000ul, 0x0ul, 0x20011ul,
+                 r[4], 0x0ul);
+  r[6] = syscall(__NR_ioctl, r[4], 0x40046207ul, 0x0ul);
+  *(uint64_t*)0x20008fd0 = (uint64_t)0x4;
+  *(uint64_t*)0x20008fd8 = (uint64_t)0x0;
+  *(uint64_t*)0x20008fe0 = (uint64_t)0x20003fe8;
+  *(uint64_t*)0x20008fe8 = (uint64_t)0x0;
+  *(uint64_t*)0x20008ff0 = (uint64_t)0x0;
+  *(uint64_t*)0x20008ff8 = (uint64_t)0x20009000;
+  *(uint32_t*)0x20003fe8 = (uint32_t)0x630b;
+  r[14] = syscall(__NR_ioctl, r[4], 0xc0306201ul, 0x20008fd0ul);
+  *(uint64_t*)0x20007000 = (uint64_t)0x4;
+  *(uint64_t*)0x20007008 = (uint64_t)0x0;
+  *(uint64_t*)0x20007010 = (uint64_t)0x20005fd4;
+  *(uint64_t*)0x20007018 = (uint64_t)0x0;
+  *(uint64_t*)0x20007020 = (uint64_t)0x0;
+  *(uint64_t*)0x20007028 = (uint64_t)0x20002000;
+  *(uint32_t*)0x20005fd4 = (uint32_t)0x40486311;
+  *(uint64_t*)0x20005fd8 = (uint64_t)0x0;
+  *(uint64_t*)0x20005fe0 = (uint64_t)0x0;
+  r[24] = syscall(__NR_ioctl, r[2], 0xc0306201ul, 0x20007000ul);
+  *(uint64_t*)0x2000dfd0 = (uint64_t)0x54;
+  *(uint64_t*)0x2000dfd8 = (uint64_t)0x0;
+  *(uint64_t*)0x2000dfe0 = (uint64_t)0x2000dfac;
+  *(uint64_t*)0x2000dfe8 = (uint64_t)0xca;
+  *(uint64_t*)0x2000dff0 = (uint64_t)0x0;
+  *(uint64_t*)0x2000dff8 = (uint64_t)0x2000df36;
+  *(uint32_t*)0x2000dfac = (uint32_t)0x400c630e;
+  *(uint32_t*)0x2000dfb0 = (uint32_t)0x3;
+  *(uint64_t*)0x2000dfb4 = (uint64_t)0x4;
+  *(uint32_t*)0x2000dfbc = (uint32_t)0x40106308;
+  *(uint64_t*)0x2000dfc0 = (uint64_t)0x0;
+  *(uint64_t*)0x2000dfc8 = (uint64_t)0x3;
+  *(uint32_t*)0x2000dfd0 = (uint32_t)0x400c630e;
+  *(uint32_t*)0x2000dfd4 = (uint32_t)0x4;
+  *(uint64_t*)0x2000dfd8 = (uint64_t)0x0;
+  *(uint32_t*)0x2000dfe0 = (uint32_t)0x40046306;
+  *(uint32_t*)0x2000dfe4 = (uint32_t)0x1;
+  *(uint32_t*)0x2000dfe8 = (uint32_t)0x40086303;
+  *(uint64_t*)0x2000dfec = (uint64_t)0x0;
+  *(uint32_t*)0x2000dff4 = (uint32_t)0x40086310;
+  *(uint64_t*)0x2000dff8 = (uint64_t)0x4;
+  memcpy((void*)0x2000df36,
+         "\x12\x25\xbd\x0c\xe6\xff\xb6\xfa\x93\xcf\x99\x08\x03\xad\x59"
+         "\x00\x79\x04\xcf\x4b\x9e\x3e\x9f\x75\x1e\xc4\x7a\xc3\xd7\x8c"
+         "\x46\x3c\x71\xd1\xcc\x33\x2c\xbe\x58\xac\x10\xd8\xf7\xd8\x04"
+         "\xb3\xa7\x1f\xe6\xa4\x26\x46\x11\x42\x56\xe3\x8e\x1a\x44\x7e"
+         "\x77\xee\x7b\x5b\x5f\x1c\x97\xe0\x0b\x8c\x88\x25\xdc\x1c\x49"
+         "\xe0\xdd\xb3\x8c\x1c\x4d\xeb\xf8\x0f\xe1\x3a\x47\xbe\xb3\x01"
+         "\xfb\xc4\x8a\x73\xff\x16\x59\xef\x42\x50\xe4\xf3\x1c\xfd\x1b"
+         "\x0c\x21\xe1\xa8\x7d\xaa\xc3\x17\xe8\x2f\x47\x2d\x45\x05\xfc"
+         "\x50\x46\x58\x00\x4b\x79\x93\xde\x11\x23\x3f\x60\xa9\x0e\x1c"
+         "\xe0\x34\xb8\xa8\xca\x17\x68\x54\xe9\x3f\xc8\xab\x9d\x3a\x17"
+         "\x6b\x31\x76\xce\xaa\x62\x64\x44\x01\x69\xda\x3e\x1c\x39\x1b"
+         "\x95\x92\xda\x7d\xa3\x5c\x2d\xa5\x5d\xe5\xe7\x68\x15\x0f\x51"
+         "\x35\x72\xbd\x99\x10\x3a\x2c\x99\xaf\xc2\x07\xd1\x22\xe6\x29"
+         "\x11\xa1\xc8\x90\xd1\x4a\xa9",
+         202);
+  r[47] = syscall(__NR_ioctl, r[4], 0xc0306201ul, 0x2000dfd0ul);
+}
+
+int main()
+{
+  setup_tun(0, true);
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/0141bd6b37153edec9c4ffa0f0e990c7228897f9.c b/syzkaller-repros/linux/0141bd6b37153edec9c4ffa0f0e990c7228897f9.c
new file mode 100644
index 0000000..77f5a33
--- /dev/null
+++ b/syzkaller-repros/linux/0141bd6b37153edec9c4ffa0f0e990c7228897f9.c
@@ -0,0 +1,712 @@
+// KASAN: slab-out-of-bounds Read in hidraw_ioctl
+// https://syzkaller.appspot.com/bug?id=0141bd6b37153edec9c4ffa0f0e990c7228897f9
+// status:open
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/usb/ch9.h>
+
+unsigned long long procid;
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+#define USB_DEBUG 0
+
+#define USB_MAX_EP_NUM 32
+
+struct usb_device_index {
+  struct usb_device_descriptor* dev;
+  struct usb_config_descriptor* config;
+  unsigned config_length;
+  struct usb_interface_descriptor* iface;
+  struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM];
+  unsigned eps_num;
+};
+
+static bool parse_usb_descriptor(char* buffer, size_t length,
+                                 struct usb_device_index* index)
+{
+  if (length <
+      sizeof(*index->dev) + sizeof(*index->config) + sizeof(*index->iface))
+    return false;
+  index->dev = (struct usb_device_descriptor*)buffer;
+  index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
+  index->config_length = length - sizeof(*index->dev);
+  index->iface =
+      (struct usb_interface_descriptor*)(buffer + sizeof(*index->dev) +
+                                         sizeof(*index->config));
+  index->eps_num = 0;
+  size_t offset = 0;
+  while (true) {
+    if (offset + 1 >= length)
+      break;
+    uint8_t desc_length = buffer[offset];
+    uint8_t desc_type = buffer[offset + 1];
+    if (desc_length <= 2)
+      break;
+    if (offset + desc_length > length)
+      break;
+    if (desc_type == USB_DT_ENDPOINT) {
+      index->eps[index->eps_num] =
+          (struct usb_endpoint_descriptor*)(buffer + offset);
+      index->eps_num++;
+    }
+    if (index->eps_num == USB_MAX_EP_NUM)
+      break;
+    offset += desc_length;
+  }
+  return true;
+}
+
+enum usb_fuzzer_event_type {
+  USB_FUZZER_EVENT_INVALID,
+  USB_FUZZER_EVENT_CONNECT,
+  USB_FUZZER_EVENT_DISCONNECT,
+  USB_FUZZER_EVENT_SUSPEND,
+  USB_FUZZER_EVENT_RESUME,
+  USB_FUZZER_EVENT_CONTROL,
+};
+
+struct usb_fuzzer_event {
+  uint32_t type;
+  uint32_t length;
+  char data[0];
+};
+
+struct usb_fuzzer_init {
+  uint64_t speed;
+  const char* driver_name;
+  const char* device_name;
+};
+
+struct usb_fuzzer_ep_io {
+  uint16_t ep;
+  uint16_t flags;
+  uint32_t length;
+  char data[0];
+};
+
+#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
+#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
+#define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event)
+#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
+#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io)
+#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
+#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io)
+#define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io)
+#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9)
+#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t)
+
+int usb_fuzzer_open()
+{
+  return open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
+}
+
+int usb_fuzzer_init(int fd, uint32_t speed, const char* driver,
+                    const char* device)
+{
+  struct usb_fuzzer_init arg;
+  arg.speed = speed;
+  arg.driver_name = driver;
+  arg.device_name = device;
+  return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
+}
+
+int usb_fuzzer_run(int fd)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
+}
+
+int usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event* event)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event);
+}
+
+int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
+}
+
+int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io* io)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io);
+}
+
+int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
+}
+
+int usb_fuzzer_ep_read(int fd, struct usb_fuzzer_ep_io* io)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP_READ, io);
+}
+
+int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
+}
+
+int usb_fuzzer_configure(int fd)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
+}
+
+int usb_fuzzer_vbus_draw(int fd, uint32_t power)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
+}
+
+#define USB_MAX_PACKET_SIZE 1024
+
+struct usb_fuzzer_control_event {
+  struct usb_fuzzer_event inner;
+  struct usb_ctrlrequest ctrl;
+  char data[USB_MAX_PACKET_SIZE];
+};
+
+struct usb_fuzzer_ep_io_data {
+  struct usb_fuzzer_ep_io inner;
+  char data[USB_MAX_PACKET_SIZE];
+};
+
+struct vusb_connect_string_descriptor {
+  uint32_t len;
+  char* str;
+} __attribute__((packed));
+
+struct vusb_connect_descriptors {
+  uint32_t qual_len;
+  char* qual;
+  uint32_t bos_len;
+  char* bos;
+  uint32_t strs_len;
+  struct vusb_connect_string_descriptor strs[0];
+} __attribute__((packed));
+
+static const char* default_string = "syzkaller";
+
+static bool lookup_connect_response(struct vusb_connect_descriptors* descs,
+                                    struct usb_device_index* index,
+                                    struct usb_ctrlrequest* ctrl,
+                                    char** response_data,
+                                    uint32_t* response_length)
+{
+  uint8_t str_idx;
+  switch (ctrl->bRequestType & USB_TYPE_MASK) {
+  case USB_TYPE_STANDARD:
+    switch (ctrl->bRequest) {
+    case USB_REQ_GET_DESCRIPTOR:
+      switch (ctrl->wValue >> 8) {
+      case USB_DT_DEVICE:
+        *response_data = (char*)index->dev;
+        *response_length = sizeof(*index->dev);
+        return true;
+      case USB_DT_CONFIG:
+        *response_data = (char*)index->config;
+        *response_length = index->config_length;
+        return true;
+      case USB_DT_STRING:
+        str_idx = (uint8_t)ctrl->wValue;
+        if (str_idx >= descs->strs_len) {
+          *response_data = (char*)default_string;
+          *response_length = strlen(default_string);
+        } else {
+          *response_data = descs->strs[str_idx].str;
+          *response_length = descs->strs[str_idx].len;
+        }
+        return true;
+      case USB_DT_BOS:
+        *response_data = descs->bos;
+        *response_length = descs->bos_len;
+        return true;
+      case USB_DT_DEVICE_QUALIFIER:
+        *response_data = descs->qual;
+        *response_length = descs->qual_len;
+        return true;
+      default:
+        exit(1);
+        return false;
+      }
+      break;
+    default:
+      exit(1);
+      return false;
+    }
+    break;
+  default:
+    exit(1);
+    return false;
+  }
+  return false;
+}
+
+static volatile long syz_usb_connect(volatile long a0, volatile long a1,
+                                     volatile long a2, volatile long a3)
+{
+  uint64_t speed = a0;
+  uint64_t dev_len = a1;
+  char* dev = (char*)a2;
+  struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3;
+  if (!dev) {
+    return -1;
+  }
+  struct usb_device_index index;
+  memset(&index, 0, sizeof(index));
+  int rv = 0;
+  rv = parse_usb_descriptor(dev, dev_len, &index);
+  if (!rv) {
+    return rv;
+  }
+  int fd = usb_fuzzer_open();
+  if (fd < 0) {
+    return fd;
+  }
+  char device[32];
+  sprintf(&device[0], "dummy_udc.%llu", procid);
+  rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
+  if (rv < 0) {
+    return rv;
+  }
+  rv = usb_fuzzer_run(fd);
+  if (rv < 0) {
+    return rv;
+  }
+  bool done = false;
+  while (!done) {
+    struct usb_fuzzer_control_event event;
+    event.inner.type = 0;
+    event.inner.length = sizeof(event.ctrl);
+    rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
+    if (rv < 0) {
+      return rv;
+    }
+    if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
+      continue;
+    bool response_found = false;
+    char* response_data = NULL;
+    uint32_t response_length = 0;
+    if (event.ctrl.bRequestType & USB_DIR_IN) {
+      response_found = lookup_connect_response(
+          descs, &index, &event.ctrl, &response_data, &response_length);
+      if (!response_found) {
+        return -1;
+      }
+    } else {
+      if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD ||
+          event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) {
+        exit(1);
+        return -1;
+      }
+      done = true;
+    }
+    if (done) {
+      rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower);
+      if (rv < 0) {
+        return rv;
+      }
+      rv = usb_fuzzer_configure(fd);
+      if (rv < 0) {
+        return rv;
+      }
+      unsigned ep;
+      for (ep = 0; ep < index.eps_num; ep++) {
+        rv = usb_fuzzer_ep_enable(fd, index.eps[ep]);
+        if (rv < 0) {
+        } else {
+        }
+      }
+    }
+    struct usb_fuzzer_ep_io_data response;
+    response.inner.ep = 0;
+    response.inner.flags = 0;
+    if (response_length > sizeof(response.data))
+      response_length = 0;
+    if (event.ctrl.wLength < response_length)
+      response_length = event.ctrl.wLength;
+    response.inner.length = response_length;
+    if (response_data)
+      memcpy(&response.data[0], response_data, response_length);
+    else
+      memset(&response.data[0], 0, response_length);
+    if (event.ctrl.bRequestType & USB_DIR_IN)
+      rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+    else
+      rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
+    if (rv < 0) {
+      return rv;
+    }
+  }
+  sleep_ms(200);
+  return fd;
+}
+
+struct vusb_descriptor {
+  uint8_t req_type;
+  uint8_t desc_type;
+  uint32_t len;
+  char data[0];
+} __attribute__((packed));
+
+struct vusb_descriptors {
+  uint32_t len;
+  struct vusb_descriptor* generic;
+  struct vusb_descriptor* descs[0];
+} __attribute__((packed));
+
+struct vusb_response {
+  uint8_t type;
+  uint8_t req;
+  uint32_t len;
+  char data[0];
+} __attribute__((packed));
+
+struct vusb_responses {
+  uint32_t len;
+  struct vusb_response* generic;
+  struct vusb_response* resps[0];
+} __attribute__((packed));
+
+static bool lookup_control_response(struct vusb_descriptors* descs,
+                                    struct vusb_responses* resps,
+                                    struct usb_ctrlrequest* ctrl,
+                                    char** response_data,
+                                    uint32_t* response_length)
+{
+  int descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) /
+                  sizeof(descs->descs[0]);
+  int resps_num = (resps->len - offsetof(struct vusb_responses, resps)) /
+                  sizeof(resps->resps[0]);
+  uint8_t req = ctrl->bRequest;
+  uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
+  uint8_t desc_type = ctrl->wValue >> 8;
+  if (req == USB_REQ_GET_DESCRIPTOR) {
+    int i;
+    for (i = 0; i < descs_num; i++) {
+      struct vusb_descriptor* desc = descs->descs[i];
+      if (!desc)
+        continue;
+      if (desc->req_type == req_type && desc->desc_type == desc_type) {
+        *response_length = desc->len;
+        if (*response_length != 0)
+          *response_data = &desc->data[0];
+        else
+          *response_data = NULL;
+        return true;
+      }
+    }
+    if (descs->generic) {
+      *response_data = &descs->generic->data[0];
+      *response_length = descs->generic->len;
+      return true;
+    }
+  } else {
+    int i;
+    for (i = 0; i < resps_num; i++) {
+      struct vusb_response* resp = resps->resps[i];
+      if (!resp)
+        continue;
+      if (resp->type == req_type && resp->req == req) {
+        *response_length = resp->len;
+        if (*response_length != 0)
+          *response_data = &resp->data[0];
+        else
+          *response_data = NULL;
+        return true;
+      }
+    }
+    if (resps->generic) {
+      *response_data = &resps->generic->data[0];
+      *response_length = resps->generic->len;
+      return true;
+    }
+  }
+  return false;
+}
+
+static volatile long syz_usb_control_io(volatile long a0, volatile long a1,
+                                        volatile long a2)
+{
+  int fd = a0;
+  struct vusb_descriptors* descs = (struct vusb_descriptors*)a1;
+  struct vusb_responses* resps = (struct vusb_responses*)a2;
+  struct usb_fuzzer_control_event event;
+  event.inner.type = 0;
+  event.inner.length = USB_MAX_PACKET_SIZE;
+  int rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
+  if (rv < 0) {
+    return rv;
+  }
+  if (event.inner.type != USB_FUZZER_EVENT_CONTROL) {
+    return -1;
+  }
+  bool response_found = false;
+  char* response_data = NULL;
+  uint32_t response_length = 0;
+  if (event.ctrl.bRequestType & USB_DIR_IN) {
+    response_found = lookup_control_response(descs, resps, &event.ctrl,
+                                             &response_data, &response_length);
+    if (!response_found) {
+      return -1;
+    }
+  } else {
+    response_length = event.ctrl.wLength;
+  }
+  struct usb_fuzzer_ep_io_data response;
+  response.inner.ep = 0;
+  response.inner.flags = 0;
+  if (response_length > sizeof(response.data))
+    response_length = 0;
+  if (event.ctrl.wLength < response_length)
+    response_length = event.ctrl.wLength;
+  response.inner.length = response_length;
+  if (response_data)
+    memcpy(&response.data[0], response_data, response_length);
+  else
+    memset(&response.data[0], 0, response_length);
+  if (event.ctrl.bRequestType & USB_DIR_IN) {
+    rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+  } else {
+    rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
+  }
+  if (rv < 0) {
+    return rv;
+  }
+  sleep_ms(200);
+  return 0;
+}
+
+static volatile long syz_usb_disconnect(volatile long a0)
+{
+  int fd = a0;
+  int rv = close(fd);
+  sleep_ms(200);
+  return rv;
+}
+
+static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
+{
+  if (a0 == 0xc || a0 == 0xb) {
+    char buf[128];
+    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
+            (uint8_t)a2);
+    return open(buf, O_RDWR, 0);
+  } else {
+    char buf[1024];
+    char* hash;
+    strncpy(buf, (char*)a0, sizeof(buf) - 1);
+    buf[sizeof(buf) - 1] = 0;
+    while ((hash = strchr(buf, '#'))) {
+      *hash = '0' + (char)(a1 % 10);
+      a1 /= 10;
+    }
+    return open(buf, a2, 0);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  write_file("/proc/self/oom_score_adj", "1000");
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_one(void)
+{
+  intptr_t res = 0;
+  memcpy(
+      (void*)0x20000400,
+      "\x12\x01\x00\x00\x00\x00\x00\x20\x6d\x04\x1c\xc7\x40\x00\x00\x00\x00\x01"
+      "\x09\x02\x24\x00\x01\x00\x00\xa0\x00\x09\x04\x00\x00\x09\x03\x01\x01\x00"
+      "\x09\x21\x00\x00\x00\x01\x22\x15\x00\x09\x05\x81\x03\x00\x00\x00\x00\x00"
+      "\xee\xb4\x88\x8f\xff\xfc\x1f\xe0\x2d\xa3\x65\xa9\xc4\xce\xfe\x8b\x90\x61"
+      "\x70\x1c\x3c\xcd\x35\x2d\x15\x83\x2b\xe2\x59\x85\x90\x20\x08\x5b\x4a\x55"
+      "\x25\xda\xaa\xfd\xc4\x9f\x59\x66\xf9\x00\x63\x4c\x11\xc5\x62\x10\x23\x5d"
+      "\xca\x74\xb0\x5a\xbe\xdf\x3b\x46\xe5\xd9\x29\x2b\x05\x00\xe1\x8c\x4a\x00"
+      "\x00\x00\x00\x9c\xc7\x04\xcc\x79\x15\x55\x97\x94\x80\x5a\x7a\xb1\x3d\x44"
+      "\x84\x90\xdb\xac\xf2\x68\xac\x24\x72\x3a\xcf\x3c\xa4\x84\x0a\xf0\x39\xb7"
+      "\xf9\xb8\x36\xbd\xe4\x66\xbe\x4d\x32\x35\x99\x80\x1b\x61\xa4\xa4\xfd\x48"
+      "\x44\xf9\xeb\xc1\xd2\xc0\x99\xd1\x74\x7d\x8a\x91\xb7\x62\xf8\x21\x02\x49"
+      "\x1b\x72\x36\x20\xa3\xb8\x27\x0a\x84\x5f\xf9\xf1\xc3\xb2\x59\x2b\x1c\x7b"
+      "\xf2\x32\x64\xe0\x73\x61\x9b\x76\x05\xc4\x6f\xe4\x0f\xa7\xc3\xf5\x04\xd8"
+      "\xc8\xea\x34\xf3\xb2\x2e\x92\x00\x55\xf2\x4e\x2e\xb6\x78\xb7\x27\xfb\x1a"
+      "\xc5\xfd\x57\x81\x44\xe9\x37\xfd\x37\xa0\xd3\xc6\x04\x6a\xbd\xe8\x52\x6b"
+      "\x5f\xca\xf1\x40\xe7\xf4\x81\x2a\x08\x24\xfa\x5f\x4d\x83\x94\x8b\xa6\x68"
+      "\xf5\x6a\xe3\xe8\x62\x0d\x99\xb9\xc1\xf7\x85\x82\x65\x28\x78\x50\x84\x94"
+      "\xe0\xc4\x14\xf9\x8f\x00\x11\xe4\x80\x59\xb8\x75\x82\x9a\x88\x8f\xe1\x7b"
+      "\x21\xdf\xa2\x20\x06\xeb\xc7\x72\x17\x4d\x01\x54\x90\xa6\x44\x73\xe4\xc9"
+      "\x35\x70\x45\x01\x30\x1c\xf5\x2e\xd2\x74\x04\xac\x30\xd1\x8c\xbb\xee\xe2"
+      "\x4d\x2b\x8f\x6e\x05\x9c\x28\x8d\x50\xcc\x67\xf3\x86\x7c\xe5\x40\x31\xe1"
+      "\x90\x5d\xc7\xc5\xea\xa2\x6b\xe3\xf4\x42\xf0\x3b\x58\xa2\x86\xa0\xfd\xf0"
+      "\xf9\xf5\x56\xb7\x2c\xe8\x9f\x13\xbc\xd8\xe8\x93\xda\x40\x0a\xd1\x31\x8d"
+      "\x76\xa8\x62\xa7\x6f\xb7\xa1\x49\xaf\x39\x37\x9d\x9f\x4e\xdf\x33\xe0\x83"
+      "\xb8\x26\x9d\xa2\x4c\xc9\xf0\x90\xff\xe7\xeb\x07\x8a\x60\x50\x1f\x47\x43"
+      "\x95\x46\x5e\x68\x7f\x67\xcf\xef\x7b\xc9\x04\x42\xc4\x2d\x43\xd1\x08\x41"
+      "\x3a\x24\xdc\x94\x25\xf0\xb3\x26\xc2\xf3\x75\x9c\xb7\x96\xfa\x6a\x86\x75"
+      "\x57\x55\x08\x49\xb6\xc9\xc5\xa3\x4b\x7a\x64\x98\xeb\xd5\x0e\x4e\x0c\xe1"
+      "\xda\x1d\x05\x8d\xeb\x3d\x42\x44\x73\x32\xcb\xbd\xe6\xec\xc1\x23\xcc\x2e"
+      "\x4d\x4d\x3e\x50\x2b\xdd\xa0\xdb\xc9\x54\x78\xa0\x2c\xef\xc6\xdf\x24\x2c"
+      "\xca\x03\x8f\xc4\x38\x36\x94\xde\x69\x8b\xec\xde\xeb\xdc\xe5\x9a\x82\xff"
+      "\x59\x44\x83\x31\x9b\x51\xea\xed\xd1\x51\xc3\xf8\x9f\x28\x21\x22\x45\xf0"
+      "\xc8\xa4\x1d\x0d\x95\x7b\x4c\x11\xb9\x04\xab\x8a\x11\x46\x43\x88\x31\x63"
+      "\xb1\x68\x27\x5d\xc3\x8b\x0d\x9d\x64\xfc\xc9\xd1\x62\x3f\xcb\xf0\x7e\x5a"
+      "\x33\x6a\x0f\x00\x00\x00\x00\x00\x00\x0a\x37\x25\x33\x11\x27\x6f\xf7\x04"
+      "\x39\xc7\x6d\xef\xb6\x22\x9b\xb9\x59\xb0\x07\xf3\x41\xce\x76\x6c\x42\x91"
+      "\x20\x98\x57\x70\x75\x9f\x34\xda\x7c\x1c\x5f\x0b\xbc\x9c\xac\xbf\x7f\xe7"
+      "\x09\x00\x00\x00\xc5\x5a\x93\xdc\xf8\x42\x86\x4e\x00\x00\x00",
+      681);
+  res = syz_usb_connect(0, 0x36, 0x20000400, 0);
+  if (res != -1)
+    r[0] = res;
+  syz_usb_control_io(r[0], 0, 0);
+  *(uint32_t*)0x20000340 = 0x34;
+  *(uint64_t*)0x20000344 = 0;
+  *(uint64_t*)0x2000034c = 0;
+  *(uint64_t*)0x20000354 = 0;
+  *(uint64_t*)0x2000035c = 0x20000380;
+  memcpy((void*)0x20000380,
+         "\x00\x22\x15\x00\x00\x00\x8e\x03\xdd\x03\x4f\x4e\x37\x85\x15\xe0\x81",
+         17);
+  *(uint32_t*)0x20001bc0 = 0xcc;
+  *(uint64_t*)0x20001bc4 = 0;
+  *(uint64_t*)0x20001bcc = 0;
+  *(uint64_t*)0x20001bd4 = 0;
+  *(uint64_t*)0x20001bdc = 0;
+  *(uint64_t*)0x20001be4 = 0;
+  syz_usb_control_io(r[0], 0x20000340, 0x20001bc0);
+  memcpy((void*)0x200002c0, "/dev/hidraw#\000", 13);
+  res = syz_open_dev(0x200002c0, 0, 1);
+  if (res != -1)
+    r[1] = res;
+  syz_usb_disconnect(r[0]);
+  syscall(__NR_ioctl, r[1], 0x80404805, 0);
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  loop();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/0151c6d6d26830854a402ac8e60d197f5cb1a475.c b/syzkaller-repros/linux/0151c6d6d26830854a402ac8e60d197f5cb1a475.c
new file mode 100644
index 0000000..bc51123
--- /dev/null
+++ b/syzkaller-repros/linux/0151c6d6d26830854a402ac8e60d197f5cb1a475.c
@@ -0,0 +1,1251 @@
+// INFO: rcu detected stall in kvm_arch_vcpu_ioctl_run
+// https://syzkaller.appspot.com/bug?id=0151c6d6d26830854a402ac8e60d197f5cb1a475
+// status:dup
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <sched.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/if_tun.h>
+#include <linux/ip.h>
+#include <linux/kvm.h>
+#include <linux/net.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/tcp.h>
+
+unsigned long long procid;
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
+
+#define BITMASK_LEN_OFF(type, bf_off, bf_len)                                  \
+  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
+
+#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                      \
+  if ((bf_off) == 0 && (bf_len) == 0) {                                        \
+    *(type*)(addr) = (type)(val);                                              \
+  } else {                                                                     \
+    type new_val = *(type*)(addr);                                             \
+    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                     \
+    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);          \
+    *(type*)(addr) = new_val;                                                  \
+  }
+
+static void vsnprintf_check(char* str, size_t size, const char* format,
+                            va_list args)
+{
+  int rv;
+  rv = vsnprintf(str, size, format, args);
+  if (rv < 0)
+    exit(1);
+  if ((size_t)rv >= size)
+    exit(1);
+}
+
+#define COMMAND_MAX_LEN 128
+#define PATH_PREFIX                                                            \
+  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
+#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)
+
+static void execute_command(bool panic, const char* format, ...)
+{
+  va_list args;
+  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
+  int rv;
+  va_start(args, format);
+  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
+  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
+  va_end(args);
+  rv = system(command);
+  if (rv) {
+    if (panic)
+      exit(1);
+  }
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define TUN_IFACE "syz_tun"
+
+#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
+#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
+
+#define LOCAL_IPV4 "172.20.20.170"
+#define REMOTE_IPV4 "172.20.20.187"
+
+#define LOCAL_IPV6 "fe80::aa"
+#define REMOTE_IPV6 "fe80::bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(void)
+{
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+  const int kTunFd = 240;
+  if (dup2(tunfd, kTunFd) < 0)
+    exit(1);
+  close(tunfd);
+  tunfd = kTunFd;
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      exit(1);
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    exit(1);
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+  execute_command(0, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE);
+  execute_command(0, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
+                  TUN_IFACE);
+  execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC);
+  execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE);
+  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
+                  REMOTE_IPV4, REMOTE_MAC, TUN_IFACE);
+  execute_command(0, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE);
+  execute_command(0, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
+                  REMOTE_IPV6, REMOTE_MAC, TUN_IFACE);
+  execute_command(1, "ip link set dev %s up", TUN_IFACE);
+}
+
+#define DEV_IPV4 "172.20.20.%d"
+#define DEV_IPV6 "fe80::%02hx"
+#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"
+
+static void snprintf_check(char* str, size_t size, const char* format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  vsnprintf_check(str, size, format, args);
+  va_end(args);
+}
+static void initialize_netdevices(void)
+{
+  unsigned i;
+  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
+  const char* devnames[] = {"lo",
+                            "sit0",
+                            "bridge0",
+                            "vcan0",
+                            "tunl0",
+                            "gre0",
+                            "gretap0",
+                            "ip_vti0",
+                            "ip6_vti0",
+                            "ip6tnl0",
+                            "ip6gre0",
+                            "ip6gretap0",
+                            "erspan0",
+                            "bond0",
+                            "veth0",
+                            "veth1",
+                            "team0",
+                            "veth0_to_bridge",
+                            "veth1_to_bridge",
+                            "veth0_to_bond",
+                            "veth1_to_bond",
+                            "veth0_to_team",
+                            "veth1_to_team"};
+  const char* devmasters[] = {"bridge", "bond", "team"};
+  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
+    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
+  execute_command(0, "ip link add type veth");
+  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
+    execute_command(
+        0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
+        devmasters[i], devmasters[i]);
+    execute_command(
+        0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
+        devmasters[i], devmasters[i]);
+    execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
+                    devmasters[i]);
+    execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
+                    devmasters[i]);
+    execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
+    execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
+  }
+  execute_command(0, "ip link set bridge_slave_0 up");
+  execute_command(0, "ip link set bridge_slave_1 up");
+  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
+    char addr[32];
+    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
+    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
+    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
+    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
+    execute_command(0, "ip link set dev %s up", devnames[i]);
+  }
+}
+
+static int read_tun(char* data, int size)
+{
+  if (tunfd < 0)
+    return -1;
+  int rv = read(tunfd, data, size);
+  if (rv < 0) {
+    if (errno == EAGAIN)
+      return -1;
+    if (errno == EBADFD)
+      return -1;
+    exit(1);
+  }
+  return rv;
+}
+
+static void flush_tun()
+{
+  char data[SYZ_TUN_MAX_PACKET_SIZE];
+  while (read_tun(&data[0], sizeof(data)) != -1) {
+  }
+}
+
+static long syz_kvm_setup_cpu(long a0, long a1, long a2, long a3, long a4,
+                              long a5, long a6, long a7)
+{
+  return 0;
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+  uint64_t pcnt, bcnt;
+};
+
+struct ipt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct ipt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct ipt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct ipt_table_desc {
+  const char* name;
+  struct ipt_getinfo info;
+  struct ipt_replace replace;
+};
+
+static struct ipt_table_desc ipv4_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+#define IPT_BASE_CTL 64
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+
+struct arpt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct arpt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+  const char* name;
+  struct arpt_getinfo info;
+  struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
+                                int family, int level)
+{
+  struct ipt_get_entries entries;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
+                           int family, int level)
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct ipt_get_entries entries;
+  struct ipt_getinfo info;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_arptables(void)
+{
+  struct arpt_get_entries entries;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_arptables()
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct arpt_get_entries entries;
+  struct arpt_getinfo info;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    } else {
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+struct ebt_table_desc {
+  const char* name;
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+static struct ebt_table_desc ebt_tables[] = {
+    {.name = "filter"},
+    {.name = "nat"},
+    {.name = "broute"},
+};
+
+static void checkpoint_ebtables(void)
+{
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
+                   &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->replace.entries_size > sizeof(table->entrytable))
+      exit(1);
+    table->replace.num_counters = 0;
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
+                   &optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void reset_ebtables()
+{
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+  socklen_t optlen;
+  unsigned i, j, h;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    if (table->replace.valid_hooks == 0)
+      continue;
+    memset(&replace, 0, sizeof(replace));
+    strcpy(replace.name, table->name);
+    optlen = sizeof(replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
+      exit(1);
+    replace.num_counters = 0;
+    table->replace.entries = 0;
+    for (h = 0; h < NF_BR_NUMHOOKS; h++)
+      table->replace.hook_entry[h] = 0;
+    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
+      memset(&entrytable, 0, sizeof(entrytable));
+      replace.entries = entrytable;
+      optlen = sizeof(replace) + replace.entries_size;
+      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
+        exit(1);
+      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
+        continue;
+    }
+    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
+      if (table->replace.valid_hooks & (1 << h)) {
+        table->replace.hook_entry[h] =
+            (struct ebt_entries*)table->entrytable + j;
+        j++;
+      }
+    }
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+  checkpoint_ebtables();
+  checkpoint_arptables();
+  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                      AF_INET, SOL_IP);
+  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                      AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+  reset_ebtables();
+  reset_arptables();
+  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                 AF_INET, SOL_IP);
+  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                 AF_INET6, SOL_IPV6);
+}
+
+static void setup_cgroups()
+{
+  if (mkdir("/syzcgroup", 0777)) {
+  }
+  if (mkdir("/syzcgroup/unified", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
+  }
+  if (chmod("/syzcgroup/unified", 0777)) {
+  }
+  if (!write_file("/syzcgroup/unified/cgroup.subtree_control",
+                  "+cpu +memory +io +pids +rdma")) {
+  }
+  if (mkdir("/syzcgroup/cpu", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/cpu", "cgroup", 0,
+            "cpuset,cpuacct,perf_event,hugetlb")) {
+  }
+  if (!write_file("/syzcgroup/cpu/cgroup.clone_children", "1")) {
+  }
+  if (chmod("/syzcgroup/cpu", 0777)) {
+  }
+  if (mkdir("/syzcgroup/net", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/net", "cgroup", 0,
+            "net_cls,net_prio,devices,freezer")) {
+  }
+  if (chmod("/syzcgroup/net", 0777)) {
+  }
+}
+static void setup_binfmt_misc()
+{
+  if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
+  }
+  if (!write_file("/proc/sys/fs/binfmt_misc/register",
+                  ":syz0:M:0:\x01::./file0:")) {
+  }
+  if (!write_file("/proc/sys/fs/binfmt_misc/register",
+                  ":syz1:M:1:\x02::./file0:POC")) {
+  }
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+  setup_cgroups();
+  setup_binfmt_misc();
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 160 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_tun();
+  initialize_netdevices();
+  loop();
+  exit(1);
+}
+
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  while (umount2(dir, MNT_DETACH) == 0) {
+  }
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exit(1);
+    }
+    exit(1);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    while (umount2(filename, MNT_DETACH) == 0) {
+    }
+    struct stat st;
+    if (lstat(filename, &st))
+      exit(1);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EPERM) {
+        int fd = open(filename, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exit(1);
+      if (umount2(filename, MNT_DETACH))
+        exit(1);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EPERM) {
+        int fd = open(dir, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exit(1);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exit(1);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_LOOP 1
+static void setup_loop()
+{
+  int pid = getpid();
+  char cgroupdir[64];
+  char procs_file[128];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir);
+  if (!write_file(procs_file, "%d", pid)) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir);
+  if (!write_file(procs_file, "%d", pid)) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir);
+  if (!write_file(procs_file, "%d", pid)) {
+  }
+  checkpoint_net_namespace();
+}
+
+#define SYZ_HAVE_RESET_LOOP 1
+static void reset_loop()
+{
+  reset_net_namespace();
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  char cgroupdir[64];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup")) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup.cpu")) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup.net")) {
+  }
+  flush_tun();
+}
+
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  setup_loop();
+  int iter;
+  for (iter = 0;; iter++) {
+    char cwdbuf[32];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      exit(1);
+    reset_loop();
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      if (chdir(cwdbuf))
+        exit(1);
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+    remove_dir(cwdbuf);
+  }
+}
+#ifndef __NR_sched_setattr
+#define __NR_sched_setattr 314
+#endif
+
+uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
+
+void execute_one(void)
+{
+  long res = 0;
+  NONFAILING(*(uint32_t*)0x20000040 = 0);
+  NONFAILING(*(uint32_t*)0x20000044 = 1);
+  NONFAILING(*(uint64_t*)0x20000048 = 0);
+  NONFAILING(*(uint32_t*)0x20000050 = 0);
+  NONFAILING(*(uint32_t*)0x20000054 = 8);
+  NONFAILING(*(uint64_t*)0x20000058 = 0);
+  NONFAILING(*(uint64_t*)0x20000060 = 0);
+  NONFAILING(*(uint64_t*)0x20000068 = 0);
+  syscall(__NR_sched_setattr, 0, 0x20000040, 0);
+  NONFAILING(*(uint32_t*)0x20000040 = 1);
+  NONFAILING(*(uint32_t*)0x20000044 = 0x70);
+  NONFAILING(*(uint8_t*)0x20000048 = 0);
+  NONFAILING(*(uint8_t*)0x20000049 = 0);
+  NONFAILING(*(uint8_t*)0x2000004a = 0);
+  NONFAILING(*(uint8_t*)0x2000004b = 0);
+  NONFAILING(*(uint32_t*)0x2000004c = 0);
+  NONFAILING(*(uint64_t*)0x20000050 = 0x50d);
+  NONFAILING(*(uint64_t*)0x20000058 = 0);
+  NONFAILING(*(uint64_t*)0x20000060 = 0);
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 0, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 1, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 2, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 3, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 4, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 5, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 6, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 7, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 8, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 9, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 10, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 11, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 12, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 13, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 14, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 15, 2));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 17, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 18, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 19, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 20, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 21, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 22, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 23, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 24, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 25, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 26, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 27, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 28, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000068, 0, 29, 35));
+  NONFAILING(*(uint32_t*)0x20000070 = 0);
+  NONFAILING(*(uint32_t*)0x20000074 = 0);
+  NONFAILING(*(uint64_t*)0x20000078 = 0x20000000);
+  NONFAILING(*(uint64_t*)0x20000080 = 0);
+  NONFAILING(*(uint64_t*)0x20000088 = 0);
+  NONFAILING(*(uint64_t*)0x20000090 = 0);
+  NONFAILING(*(uint32_t*)0x20000098 = 0);
+  NONFAILING(*(uint32_t*)0x2000009c = 0);
+  NONFAILING(*(uint64_t*)0x200000a0 = 0);
+  NONFAILING(*(uint32_t*)0x200000a8 = 0);
+  NONFAILING(*(uint16_t*)0x200000ac = 0);
+  NONFAILING(*(uint16_t*)0x200000ae = 0);
+  syscall(__NR_perf_event_open, 0x20000040, 0, 0, -1, 0);
+  NONFAILING(*(uint32_t*)0x20000100 = 0);
+  NONFAILING(*(uint32_t*)0x20000104 = 0x70);
+  NONFAILING(*(uint8_t*)0x20000108 = 0);
+  NONFAILING(*(uint8_t*)0x20000109 = 0);
+  NONFAILING(*(uint8_t*)0x2000010a = 0);
+  NONFAILING(*(uint8_t*)0x2000010b = 0);
+  NONFAILING(*(uint32_t*)0x2000010c = 0);
+  NONFAILING(*(uint64_t*)0x20000110 = 0);
+  NONFAILING(*(uint64_t*)0x20000118 = 0);
+  NONFAILING(*(uint64_t*)0x20000120 = 0);
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 0, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 1, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 4, 2, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 3, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 4, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 5, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 6, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 7, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 4, 8, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 9, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 10, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 11, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 12, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 13, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 14, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 15, 2));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 17, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 18, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 19, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 20, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 21, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 22, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 23, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 24, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 25, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 26, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 27, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 28, 1));
+  NONFAILING(STORE_BY_BITMASK(uint64_t, 0x20000128, 0, 29, 35));
+  NONFAILING(*(uint32_t*)0x20000130 = 0);
+  NONFAILING(*(uint32_t*)0x20000134 = 0);
+  NONFAILING(*(uint64_t*)0x20000138 = 0);
+  NONFAILING(*(uint64_t*)0x20000140 = 0);
+  NONFAILING(*(uint64_t*)0x20000148 = 0);
+  NONFAILING(*(uint64_t*)0x20000150 = 0);
+  NONFAILING(*(uint32_t*)0x20000158 = 0);
+  NONFAILING(*(uint32_t*)0x2000015c = 0);
+  NONFAILING(*(uint64_t*)0x20000160 = 0);
+  NONFAILING(*(uint32_t*)0x20000168 = 0);
+  NONFAILING(*(uint16_t*)0x2000016c = 0);
+  NONFAILING(*(uint16_t*)0x2000016e = 0);
+  syscall(__NR_perf_event_open, 0x20000100, 0, 0x10, 0xffffff9c, 0);
+  NONFAILING(memcpy((void*)0x20000200, "/dev/kvm", 9));
+  res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000200, 0, 0);
+  if (res != -1)
+    r[0] = res;
+  res = syscall(__NR_ioctl, r[0], 0xae01, 0);
+  if (res != -1)
+    r[1] = res;
+  res = syscall(__NR_ioctl, r[1], 0xae41, 0);
+  if (res != -1)
+    r[2] = res;
+  NONFAILING(*(uint32_t*)0x20bf7000 = 0);
+  NONFAILING(*(uint32_t*)0x20bf7004 = 3);
+  NONFAILING(*(uint64_t*)0x20bf7008 = 0);
+  NONFAILING(*(uint64_t*)0x20bf7010 = 0x2000);
+  NONFAILING(*(uint64_t*)0x20bf7018 = 0x20000000);
+  syscall(__NR_ioctl, r[1], 0x4020ae46, 0x20bf7000);
+  NONFAILING(*(uint64_t*)0x20000140 = 8);
+  NONFAILING(*(uint64_t*)0x20000148 = 0x20000180);
+  NONFAILING(memcpy(
+      (void*)0x20000180,
+      "\x0f\x20\xc0\x66\x35\x00\x00\x00\x20\x0f\x22\xc0\x0f\x07\xba\x40\x00\x66"
+      "\xb8\x02\x00\x00\x00\x66\xef\xba\xf8\x0c\x66\xb8\x48\x09\x03\x87\x66\xef"
+      "\xba\xfc\x0c\x66\xed\x66\x0f\x38\x03\x7f\x29\x0f\x01\x7e\x00\x66\xb9\x22"
+      "\x09\x00\x00\x66\xb8\x6e\xe7\x57\x10\x66\xba\x76\x62\xe6\x1d\x0f\x30\x66"
+      "\xb8\x04\x00\x00\x00\x0f\x23\xd0\x0f\x21\xf8\x66\x35\x20\x00\x00\x0c\x0f"
+      "\x23\xf8\x66\xb9\x65\x0b\x00\x00\x66\xb8\x00\x00\x00\x00\x66\xba\x00\x80"
+      "\x00\x00\x0f\x30\xf2\x3e\x0f\x35",
+      116));
+  NONFAILING(*(uint64_t*)0x20000150 = 0x74);
+  syz_kvm_setup_cpu(-1, r[2], 0x20000000, 0x20000140, 1, 0, 0x20000040,
+                    0x10000000000000e9);
+  syscall(__NR_ioctl, r[2], 0xae80, 0);
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  install_segv_handler();
+  for (procid = 0; procid < 8; procid++) {
+    if (fork() == 0) {
+      use_temporary_dir();
+      do_sandbox_none();
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/01859161eb0429722fcb2d9e5e82f8f23c207c9b.c b/syzkaller-repros/linux/01859161eb0429722fcb2d9e5e82f8f23c207c9b.c
new file mode 100644
index 0000000..15b1b6c
--- /dev/null
+++ b/syzkaller-repros/linux/01859161eb0429722fcb2d9e5e82f8f23c207c9b.c
@@ -0,0 +1,561 @@
+// general protection fault in debugfs_create_files
+// https://syzkaller.appspot.com/bug?id=01859161eb0429722fcb2d9e5e82f8f23c207c9b
+// status:fixed
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/if_addr.h>
+#include <linux/if_ether.h>
+#include <linux/if_link.h>
+#include <linux/if_tun.h>
+#include <linux/in6.h>
+#include <linux/ip.h>
+#include <linux/neighbour.h>
+#include <linux/net.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/tcp.h>
+#include <linux/veth.h>
+
+unsigned long long procid;
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static struct {
+  char* pos;
+  int nesting;
+  struct nlattr* nested[8];
+  char buf[1024];
+} nlmsg;
+
+static void netlink_init(int typ, int flags, const void* data, int size)
+{
+  memset(&nlmsg, 0, sizeof(nlmsg));
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_type = typ;
+  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+  memcpy(hdr + 1, data, size);
+  nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
+}
+
+static void netlink_attr(int typ, const void* data, int size)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_len = sizeof(*attr) + size;
+  attr->nla_type = typ;
+  memcpy(attr + 1, data, size);
+  nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
+}
+
+static void netlink_nest(int typ)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_type = typ;
+  nlmsg.pos += sizeof(*attr);
+  nlmsg.nested[nlmsg.nesting++] = attr;
+}
+
+static void netlink_done(void)
+{
+  struct nlattr* attr = nlmsg.nested[--nlmsg.nesting];
+  attr->nla_len = nlmsg.pos - (char*)attr;
+}
+
+static int netlink_send(int sock)
+{
+  if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
+    exit(1);
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
+  struct sockaddr_nl addr;
+  memset(&addr, 0, sizeof(addr));
+  addr.nl_family = AF_NETLINK;
+  unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
+                      (struct sockaddr*)&addr, sizeof(addr));
+  if (n != hdr->nlmsg_len)
+    exit(1);
+  n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
+  if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
+    exit(1);
+  if (hdr->nlmsg_type != NLMSG_ERROR)
+    exit(1);
+  return -((struct nlmsgerr*)(hdr + 1))->error;
+}
+
+static void netlink_add_device_impl(const char* type, const char* name)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
+  if (name)
+    netlink_attr(IFLA_IFNAME, name, strlen(name));
+  netlink_nest(IFLA_LINKINFO);
+  netlink_attr(IFLA_INFO_KIND, type, strlen(type));
+}
+
+static void netlink_add_device(int sock, const char* type, const char* name)
+{
+  netlink_add_device_impl(type, name);
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_add_veth(int sock, const char* name, const char* peer)
+{
+  netlink_add_device_impl("veth", name);
+  netlink_nest(IFLA_INFO_DATA);
+  netlink_nest(VETH_INFO_PEER);
+  nlmsg.pos += sizeof(struct ifinfomsg);
+  netlink_attr(IFLA_IFNAME, peer, strlen(peer));
+  netlink_done();
+  netlink_done();
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_add_hsr(int sock, const char* name, const char* slave1,
+                            const char* slave2)
+{
+  netlink_add_device_impl("hsr", name);
+  netlink_nest(IFLA_INFO_DATA);
+  int ifindex1 = if_nametoindex(slave1);
+  netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
+  int ifindex2 = if_nametoindex(slave2);
+  netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
+  netlink_done();
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_device_change(int sock, const char* name, bool up,
+                                  const char* master, const void* mac,
+                                  int macsize)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  if (up)
+    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
+  netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
+  netlink_attr(IFLA_IFNAME, name, strlen(name));
+  if (master) {
+    int ifindex = if_nametoindex(master);
+    netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
+  }
+  if (macsize)
+    netlink_attr(IFLA_ADDRESS, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int netlink_add_addr(int sock, const char* dev, const void* addr,
+                            int addrsize)
+{
+  struct ifaddrmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
+  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
+  hdr.ifa_index = if_nametoindex(dev);
+  netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
+  netlink_attr(IFA_LOCAL, addr, addrsize);
+  netlink_attr(IFA_ADDRESS, addr, addrsize);
+  return netlink_send(sock);
+}
+
+static void netlink_add_addr4(int sock, const char* dev, const char* addr)
+{
+  struct in_addr in_addr;
+  inet_pton(AF_INET, addr, &in_addr);
+  int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
+  (void)err;
+}
+
+static void netlink_add_addr6(int sock, const char* dev, const char* addr)
+{
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, addr, &in6_addr);
+  int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
+  (void)err;
+}
+
+#define DEV_IPV4 "172.20.20.%d"
+#define DEV_IPV6 "fe80::%02hx"
+#define DEV_MAC 0x00aaaaaaaaaa
+static void initialize_netdevices(void)
+{
+  char netdevsim[16];
+  sprintf(netdevsim, "netdevsim%d", (int)procid);
+  struct {
+    const char* type;
+    const char* dev;
+  } devtypes[] = {
+      {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
+      {"vcan", "vcan0"},           {"bond", "bond0"},
+      {"team", "team0"},           {"dummy", "dummy0"},
+      {"nlmon", "nlmon0"},         {"caif", "caif0"},
+      {"batadv", "batadv0"},       {"vxcan", "vxcan1"},
+      {"netdevsim", netdevsim},    {"veth", 0},
+  };
+  const char* devmasters[] = {"bridge", "bond", "team"};
+  struct {
+    const char* name;
+    int macsize;
+    bool noipv6;
+  } devices[] = {
+      {"lo", ETH_ALEN},
+      {"sit0", 0},
+      {"bridge0", ETH_ALEN},
+      {"vcan0", 0, true},
+      {"tunl0", 0},
+      {"gre0", 0},
+      {"gretap0", ETH_ALEN},
+      {"ip_vti0", 0},
+      {"ip6_vti0", 0},
+      {"ip6tnl0", 0},
+      {"ip6gre0", 0},
+      {"ip6gretap0", ETH_ALEN},
+      {"erspan0", ETH_ALEN},
+      {"bond0", ETH_ALEN},
+      {"veth0", ETH_ALEN},
+      {"veth1", ETH_ALEN},
+      {"team0", ETH_ALEN},
+      {"veth0_to_bridge", ETH_ALEN},
+      {"veth1_to_bridge", ETH_ALEN},
+      {"veth0_to_bond", ETH_ALEN},
+      {"veth1_to_bond", ETH_ALEN},
+      {"veth0_to_team", ETH_ALEN},
+      {"veth1_to_team", ETH_ALEN},
+      {"veth0_to_hsr", ETH_ALEN},
+      {"veth1_to_hsr", ETH_ALEN},
+      {"hsr0", 0},
+      {"dummy0", ETH_ALEN},
+      {"nlmon0", 0},
+      {"vxcan1", 0, true},
+      {"caif0", ETH_ALEN},
+      {"batadv0", ETH_ALEN},
+      {netdevsim, ETH_ALEN},
+  };
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  unsigned i;
+  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
+    netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
+  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
+    char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
+    sprintf(slave0, "%s_slave_0", devmasters[i]);
+    sprintf(veth0, "veth0_to_%s", devmasters[i]);
+    netlink_add_veth(sock, slave0, veth0);
+    sprintf(slave1, "%s_slave_1", devmasters[i]);
+    sprintf(veth1, "veth1_to_%s", devmasters[i]);
+    netlink_add_veth(sock, slave1, veth1);
+    sprintf(master, "%s0", devmasters[i]);
+    netlink_device_change(sock, slave0, false, master, 0, 0);
+    netlink_device_change(sock, slave1, false, master, 0, 0);
+  }
+  netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
+  netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
+  netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
+  netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
+  netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
+  netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
+  netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
+  for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
+    char addr[32];
+    sprintf(addr, DEV_IPV4, i + 10);
+    netlink_add_addr4(sock, devices[i].name, addr);
+    if (!devices[i].noipv6) {
+      sprintf(addr, DEV_IPV6, i + 10);
+      netlink_add_addr6(sock, devices[i].name, addr);
+    }
+    uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
+    netlink_device_change(sock, devices[i].name, true, 0, &macaddr,
+                          devices[i].macsize);
+  }
+  close(sock);
+}
+static void initialize_netdevices_init(void)
+{
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  struct {
+    const char* type;
+    int macsize;
+    bool noipv6;
+    bool noup;
+  } devtypes[] = {
+      {"nr", 7, true}, {"rose", 5, true, true},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
+    char dev[32], addr[32];
+    sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
+    sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
+    netlink_add_addr4(sock, dev, addr);
+    if (!devtypes[i].noipv6) {
+      sprintf(addr, "fe88::%02hx:%02hx", i, (int)procid + 1);
+      netlink_add_addr6(sock, dev, addr);
+    }
+    int macsize = devtypes[i].macsize;
+    uint64_t macaddr = 0xbbbbbb +
+                       ((unsigned long long)i << (8 * (macsize - 2))) +
+                       (procid << (8 * (macsize - 1)));
+    netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize);
+  }
+  close(sock);
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+  typedef struct {
+    const char* name;
+    const char* value;
+  } sysctl_t;
+  static const sysctl_t sysctls[] = {
+      {"/proc/sys/kernel/shmmax", "16777216"},
+      {"/proc/sys/kernel/shmall", "536870912"},
+      {"/proc/sys/kernel/shmmni", "1024"},
+      {"/proc/sys/kernel/msgmax", "8192"},
+      {"/proc/sys/kernel/msgmni", "1024"},
+      {"/proc/sys/kernel/msgmnb", "1024"},
+      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
+    write_file(sysctls[i].name, sysctls[i].value);
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  initialize_netdevices_init();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_netdevices();
+  loop();
+  exit(1);
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+}
+
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+void execute_one(void)
+{
+  long res = 0;
+  memcpy((void*)0x200002c0, "/dev/loop-control\x00", 18);
+  res = syscall(__NR_openat, 0xffffffffffffff9c, 0x200002c0, 0, 0);
+  if (res != -1)
+    r[0] = res;
+  syscall(__NR_ioctl, r[0], 0x4c81, 0);
+  syscall(__NR_ioctl, r[0], 0x4c80, 0);
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  for (procid = 0; procid < 6; procid++) {
+    if (fork() == 0) {
+      do_sandbox_none();
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/019d7516d9b862b6e8dab44b9b60b5823a8b279e.c b/syzkaller-repros/linux/019d7516d9b862b6e8dab44b9b60b5823a8b279e.c
new file mode 100644
index 0000000..079bf9f
--- /dev/null
+++ b/syzkaller-repros/linux/019d7516d9b862b6e8dab44b9b60b5823a8b279e.c
@@ -0,0 +1,673 @@
+// KMSAN: uninit-value in read_eprom_word
+// https://syzkaller.appspot.com/bug?id=019d7516d9b862b6e8dab44b9b60b5823a8b279e
+// status:fixed
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <sched.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <linux/if_addr.h>
+#include <linux/if_ether.h>
+#include <linux/if_link.h>
+#include <linux/if_tun.h>
+#include <linux/in6.h>
+#include <linux/ip.h>
+#include <linux/neighbour.h>
+#include <linux/net.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/tcp.h>
+#include <linux/usb/ch9.h>
+#include <linux/veth.h>
+
+unsigned long long procid;
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static struct {
+  char* pos;
+  int nesting;
+  struct nlattr* nested[8];
+  char buf[1024];
+} nlmsg;
+
+static void netlink_init(int typ, int flags, const void* data, int size)
+{
+  memset(&nlmsg, 0, sizeof(nlmsg));
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_type = typ;
+  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+  memcpy(hdr + 1, data, size);
+  nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
+}
+
+static void netlink_attr(int typ, const void* data, int size)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_len = sizeof(*attr) + size;
+  attr->nla_type = typ;
+  memcpy(attr + 1, data, size);
+  nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
+}
+
+static int netlink_send(int sock)
+{
+  if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
+    exit(1);
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
+  struct sockaddr_nl addr;
+  memset(&addr, 0, sizeof(addr));
+  addr.nl_family = AF_NETLINK;
+  unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
+                      (struct sockaddr*)&addr, sizeof(addr));
+  if (n != hdr->nlmsg_len)
+    exit(1);
+  n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
+  if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
+    exit(1);
+  if (hdr->nlmsg_type != NLMSG_ERROR)
+    exit(1);
+  return -((struct nlmsgerr*)(hdr + 1))->error;
+}
+
+static void netlink_device_change(int sock, const char* name, bool up,
+                                  const char* master, const void* mac,
+                                  int macsize)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  if (up)
+    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
+  netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
+  netlink_attr(IFLA_IFNAME, name, strlen(name));
+  if (master) {
+    int ifindex = if_nametoindex(master);
+    netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
+  }
+  if (macsize)
+    netlink_attr(IFLA_ADDRESS, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int netlink_add_addr(int sock, const char* dev, const void* addr,
+                            int addrsize)
+{
+  struct ifaddrmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
+  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
+  hdr.ifa_index = if_nametoindex(dev);
+  netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
+  netlink_attr(IFA_LOCAL, addr, addrsize);
+  netlink_attr(IFA_ADDRESS, addr, addrsize);
+  return netlink_send(sock);
+}
+
+static void netlink_add_addr4(int sock, const char* dev, const char* addr)
+{
+  struct in_addr in_addr;
+  inet_pton(AF_INET, addr, &in_addr);
+  int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
+  (void)err;
+}
+
+static void netlink_add_addr6(int sock, const char* dev, const char* addr)
+{
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, addr, &in6_addr);
+  int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
+  (void)err;
+}
+
+static void netlink_add_neigh(int sock, const char* name, const void* addr,
+                              int addrsize, const void* mac, int macsize)
+{
+  struct ndmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ndm_ifindex = if_nametoindex(name);
+  hdr.ndm_state = NUD_PERMANENT;
+  netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
+  netlink_attr(NDA_DST, addr, addrsize);
+  netlink_attr(NDA_LLADDR, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define TUN_IFACE "syz_tun"
+
+#define LOCAL_MAC 0xaaaaaaaaaaaa
+#define REMOTE_MAC 0xaaaaaaaaaabb
+
+#define LOCAL_IPV4 "172.20.20.170"
+#define REMOTE_IPV4 "172.20.20.187"
+
+#define LOCAL_IPV6 "fe80::aa"
+#define REMOTE_IPV6 "fe80::bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(void)
+{
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+  const int kTunFd = 240;
+  if (dup2(tunfd, kTunFd) < 0)
+    exit(1);
+  close(tunfd);
+  tunfd = kTunFd;
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      exit(1);
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    exit(1);
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+  char sysctl[64];
+  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
+  write_file(sysctl, "0");
+  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
+  write_file(sysctl, "0");
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  netlink_add_addr4(sock, TUN_IFACE, LOCAL_IPV4);
+  netlink_add_addr6(sock, TUN_IFACE, LOCAL_IPV6);
+  uint64_t macaddr = REMOTE_MAC;
+  struct in_addr in_addr;
+  inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
+  netlink_add_neigh(sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr,
+                    ETH_ALEN);
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
+  netlink_add_neigh(sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr,
+                    ETH_ALEN);
+  macaddr = LOCAL_MAC;
+  netlink_device_change(sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN);
+  close(sock);
+}
+
+#define USB_MAX_EP_NUM 32
+
+struct usb_device_index {
+  struct usb_device_descriptor* dev;
+  struct usb_config_descriptor* config;
+  unsigned config_length;
+  struct usb_interface_descriptor* iface;
+  struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM];
+  unsigned eps_num;
+};
+
+static bool parse_usb_descriptor(char* buffer, size_t length,
+                                 struct usb_device_index* index)
+{
+  if (length <
+      sizeof(*index->dev) + sizeof(*index->config) + sizeof(*index->iface))
+    return false;
+  index->dev = (struct usb_device_descriptor*)buffer;
+  index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
+  index->config_length = length - sizeof(*index->dev);
+  index->iface =
+      (struct usb_interface_descriptor*)(buffer + sizeof(*index->dev) +
+                                         sizeof(*index->config));
+  index->eps_num = 0;
+  size_t offset = 0;
+  while (true) {
+    if (offset == length)
+      break;
+    if (offset + 1 < length)
+      break;
+    uint8_t length = buffer[offset];
+    uint8_t type = buffer[offset + 1];
+    if (type == USB_DT_ENDPOINT) {
+      index->eps[index->eps_num] =
+          (struct usb_endpoint_descriptor*)(buffer + offset);
+      index->eps_num++;
+    }
+    if (index->eps_num == USB_MAX_EP_NUM)
+      break;
+    offset += length;
+  }
+  return true;
+}
+
+enum usb_fuzzer_event_type {
+  USB_FUZZER_EVENT_INVALID,
+  USB_FUZZER_EVENT_CONNECT,
+  USB_FUZZER_EVENT_DISCONNECT,
+  USB_FUZZER_EVENT_SUSPEND,
+  USB_FUZZER_EVENT_RESUME,
+  USB_FUZZER_EVENT_CONTROL,
+};
+
+struct usb_fuzzer_event {
+  uint32_t type;
+  uint32_t length;
+  char data[0];
+};
+
+struct usb_fuzzer_init {
+  uint64_t speed;
+  const char* driver_name;
+  const char* device_name;
+};
+
+struct usb_fuzzer_ep_io {
+  uint16_t ep;
+  uint16_t flags;
+  uint32_t length;
+  char data[0];
+};
+
+#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
+#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
+#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 2, struct usb_fuzzer_event)
+#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
+#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 4, struct usb_endpoint_descriptor)
+#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 6, struct usb_fuzzer_ep_io)
+#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 8)
+#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 9, uint32_t)
+
+int usb_fuzzer_open()
+{
+  return open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
+}
+
+int usb_fuzzer_init(int fd, uint32_t speed, const char* driver,
+                    const char* device)
+{
+  struct usb_fuzzer_init arg;
+  arg.speed = speed;
+  arg.driver_name = driver;
+  arg.device_name = device;
+  return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
+}
+
+int usb_fuzzer_run(int fd)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
+}
+
+int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_event* event)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, event);
+}
+
+int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
+}
+
+int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
+}
+
+int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
+}
+
+int usb_fuzzer_configure(int fd)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
+}
+
+int usb_fuzzer_vbus_draw(int fd, uint32_t power)
+{
+  return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
+}
+
+#define USB_MAX_PACKET_SIZE 1024
+
+struct usb_fuzzer_control_event {
+  struct usb_fuzzer_event inner;
+  struct usb_ctrlrequest ctrl;
+};
+
+struct usb_fuzzer_ep_io_data {
+  struct usb_fuzzer_ep_io inner;
+  char data[USB_MAX_PACKET_SIZE];
+};
+
+struct vusb_connect_string_descriptor {
+  uint32_t len;
+  char* str;
+} __attribute__((packed));
+
+struct vusb_connect_descriptors {
+  uint32_t qual_len;
+  char* qual;
+  uint32_t bos_len;
+  char* bos;
+  uint32_t strs_len;
+  struct vusb_connect_string_descriptor strs[0];
+} __attribute__((packed));
+
+static bool lookup_connect_response(struct vusb_connect_descriptors* descs,
+                                    struct usb_device_index* index,
+                                    struct usb_ctrlrequest* ctrl,
+                                    char** response_data,
+                                    uint32_t* response_length, bool* done)
+{
+  uint8_t str_idx;
+  switch (ctrl->bRequestType & USB_TYPE_MASK) {
+  case USB_TYPE_STANDARD:
+    switch (ctrl->bRequest) {
+    case USB_REQ_GET_DESCRIPTOR:
+      switch (ctrl->wValue >> 8) {
+      case USB_DT_DEVICE:
+        *response_data = (char*)index->dev;
+        *response_length = sizeof(*index->dev);
+        return true;
+      case USB_DT_CONFIG:
+        *response_data = (char*)index->config;
+        *response_length = index->config_length;
+        return true;
+      case USB_DT_STRING:
+        str_idx = (uint8_t)ctrl->wValue;
+        if (str_idx >= descs->strs_len)
+          return false;
+        *response_data = descs->strs[str_idx].str;
+        *response_length = descs->strs[str_idx].len;
+        return true;
+      case USB_DT_BOS:
+        *response_data = descs->bos;
+        *response_length = descs->bos_len;
+        return true;
+      case USB_DT_DEVICE_QUALIFIER:
+        *response_data = descs->qual;
+        *response_length = descs->qual_len;
+        return true;
+      default:
+        exit(1);
+        return false;
+      }
+      break;
+    case USB_REQ_SET_CONFIGURATION:
+      *response_length = 0;
+      *response_data = NULL;
+      *done = true;
+      return true;
+    default:
+      exit(1);
+      return false;
+    }
+    break;
+  default:
+    exit(1);
+    return false;
+  }
+  return false;
+}
+
+static volatile long syz_usb_connect(volatile long a0, volatile long a1,
+                                     volatile long a2, volatile long a3)
+{
+  int64_t speed = a0;
+  int64_t dev_len = a1;
+  char* dev = (char*)a2;
+  struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3;
+  if (!dev)
+    return -1;
+  struct usb_device_index index;
+  memset(&index, 0, sizeof(index));
+  int rv = false;
+  rv = parse_usb_descriptor(dev, dev_len, &index);
+  if (!rv)
+    return -1;
+  int fd = usb_fuzzer_open();
+  if (fd < 0)
+    return -1;
+  char device[32];
+  sprintf(&device[0], "dummy_udc.%llu", procid);
+  rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
+  if (rv < 0)
+    return -1;
+  rv = usb_fuzzer_run(fd);
+  if (rv < 0)
+    return -1;
+  bool done = false;
+  while (!done) {
+    struct usb_fuzzer_control_event event;
+    event.inner.type = 0;
+    event.inner.length = sizeof(event.ctrl);
+    rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_event*)&event);
+    if (rv < 0)
+      return -1;
+    if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
+      continue;
+    bool response_found = false;
+    char* response_data = NULL;
+    uint32_t response_length = 0;
+    response_found = lookup_connect_response(
+        descs, &index, &event.ctrl, &response_data, &response_length, &done);
+    if (!response_found)
+      return -1;
+    if (done) {
+      int rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower);
+      if (rv < 0)
+        return -1;
+      rv = usb_fuzzer_configure(fd);
+      if (rv < 0)
+        return -1;
+      unsigned ep;
+      for (ep = 0; ep < index.eps_num; ep++) {
+        rv = usb_fuzzer_ep_enable(fd, index.eps[ep]);
+        if (rv < 0)
+          exit(1);
+      }
+    }
+    struct usb_fuzzer_ep_io_data response;
+    response.inner.ep = 0;
+    response.inner.flags = 0;
+    if (response_length > sizeof(response.data))
+      response_length = 0;
+    response.inner.length = response_length;
+    if (response_data)
+      memcpy(&response.data[0], response_data, response_length);
+    if (event.ctrl.wLength < response.inner.length)
+      response.inner.length = event.ctrl.wLength;
+    usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+  }
+  sleep_ms(200);
+  return fd;
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+  typedef struct {
+    const char* name;
+    const char* value;
+  } sysctl_t;
+  static const sysctl_t sysctls[] = {
+      {"/proc/sys/kernel/shmmax", "16777216"},
+      {"/proc/sys/kernel/shmall", "536870912"},
+      {"/proc/sys/kernel/shmmni", "1024"},
+      {"/proc/sys/kernel/msgmax", "8192"},
+      {"/proc/sys/kernel/msgmni", "1024"},
+      {"/proc/sys/kernel/msgmnb", "1024"},
+      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
+    write_file(sysctls[i].name, sysctls[i].value);
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_tun();
+  loop();
+  exit(1);
+}
+
+static void close_fds()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+void loop(void)
+{
+  *(uint8_t*)0x20000040 = 0x12;
+  *(uint8_t*)0x20000041 = 1;
+  *(uint16_t*)0x20000042 = 0;
+  *(uint8_t*)0x20000044 = 0x4f;
+  *(uint8_t*)0x20000045 = 0xdf;
+  *(uint8_t*)0x20000046 = 0x4d;
+  *(uint8_t*)0x20000047 = 8;
+  *(uint16_t*)0x20000048 = 0x50d;
+  *(uint16_t*)0x2000004a = 0x122;
+  *(uint16_t*)0x2000004c = 0xc169;
+  *(uint8_t*)0x2000004e = 0;
+  *(uint8_t*)0x2000004f = 0;
+  *(uint8_t*)0x20000050 = 0;
+  *(uint8_t*)0x20000051 = 1;
+  *(uint8_t*)0x20000052 = 9;
+  *(uint8_t*)0x20000053 = 2;
+  *(uint16_t*)0x20000054 = 0x12;
+  *(uint8_t*)0x20000056 = 1;
+  *(uint8_t*)0x20000057 = 0;
+  *(uint8_t*)0x20000058 = 0;
+  *(uint8_t*)0x20000059 = 0;
+  *(uint8_t*)0x2000005a = 0;
+  *(uint8_t*)0x2000005b = 9;
+  *(uint8_t*)0x2000005c = 4;
+  *(uint8_t*)0x2000005d = 0x96;
+  *(uint8_t*)0x2000005e = 0;
+  *(uint8_t*)0x2000005f = 0;
+  *(uint8_t*)0x20000060 = 0xdc;
+  *(uint8_t*)0x20000061 = 0x6b;
+  *(uint8_t*)0x20000062 = 0x5a;
+  *(uint8_t*)0x20000063 = 0;
+  syz_usb_connect(0, 0x24, 0x20000040, 0);
+  close_fds();
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  do_sandbox_none();
+  return 0;
+}
diff --git a/syzkaller-repros/linux/01a1672c0e73257a656ba72e7b3695154c2ccceb.c b/syzkaller-repros/linux/01a1672c0e73257a656ba72e7b3695154c2ccceb.c
new file mode 100644
index 0000000..a68c524
--- /dev/null
+++ b/syzkaller-repros/linux/01a1672c0e73257a656ba72e7b3695154c2ccceb.c
@@ -0,0 +1,1695 @@
+// KASAN: stack-out-of-bounds Read in check_stack_object
+// https://syzkaller.appspot.com/bug?id=01a1672c0e73257a656ba72e7b3695154c2ccceb
+// status:dup
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <sched.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+#include <linux/if_addr.h>
+#include <linux/if_ether.h>
+#include <linux/if_link.h>
+#include <linux/if_tun.h>
+#include <linux/in6.h>
+#include <linux/ip.h>
+#include <linux/neighbour.h>
+#include <linux/net.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/tcp.h>
+#include <linux/veth.h>
+
+unsigned long long procid;
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  if (pthread_create(&th, &attr, fn, arg))
+    exit(1);
+  pthread_attr_destroy(&attr);
+}
+
+#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
+#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
+  *(type*)(addr) =                                                             \
+      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
+            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
+
+struct csum_inet {
+  uint32_t acc;
+};
+
+static void csum_inet_init(struct csum_inet* csum)
+{
+  csum->acc = 0;
+}
+
+static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
+                             size_t length)
+{
+  if (length == 0)
+    return;
+  size_t i;
+  for (i = 0; i < length - 1; i += 2)
+    csum->acc += *(uint16_t*)&data[i];
+  if (length & 1)
+    csum->acc += (uint16_t)data[length - 1];
+  while (csum->acc > 0xffff)
+    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
+}
+
+static uint16_t csum_inet_digest(struct csum_inet* csum)
+{
+  return ~csum->acc;
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static struct {
+  char* pos;
+  int nesting;
+  struct nlattr* nested[8];
+  char buf[1024];
+} nlmsg;
+
+static void netlink_init(int typ, int flags, const void* data, int size)
+{
+  memset(&nlmsg, 0, sizeof(nlmsg));
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_type = typ;
+  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+  memcpy(hdr + 1, data, size);
+  nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
+}
+
+static void netlink_attr(int typ, const void* data, int size)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_len = sizeof(*attr) + size;
+  attr->nla_type = typ;
+  memcpy(attr + 1, data, size);
+  nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
+}
+
+static void netlink_nest(int typ)
+{
+  struct nlattr* attr = (struct nlattr*)nlmsg.pos;
+  attr->nla_type = typ;
+  nlmsg.pos += sizeof(*attr);
+  nlmsg.nested[nlmsg.nesting++] = attr;
+}
+
+static void netlink_done(void)
+{
+  struct nlattr* attr = nlmsg.nested[--nlmsg.nesting];
+  attr->nla_len = nlmsg.pos - (char*)attr;
+}
+
+static int netlink_send(int sock)
+{
+  if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
+    exit(1);
+  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
+  hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
+  struct sockaddr_nl addr;
+  memset(&addr, 0, sizeof(addr));
+  addr.nl_family = AF_NETLINK;
+  unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
+                      (struct sockaddr*)&addr, sizeof(addr));
+  if (n != hdr->nlmsg_len)
+    exit(1);
+  n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
+  if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
+    exit(1);
+  if (hdr->nlmsg_type != NLMSG_ERROR)
+    exit(1);
+  return -((struct nlmsgerr*)(hdr + 1))->error;
+}
+
+static void netlink_add_device_impl(const char* type, const char* name)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
+  if (name)
+    netlink_attr(IFLA_IFNAME, name, strlen(name));
+  netlink_nest(IFLA_LINKINFO);
+  netlink_attr(IFLA_INFO_KIND, type, strlen(type));
+}
+
+static void netlink_add_device(int sock, const char* type, const char* name)
+{
+  netlink_add_device_impl(type, name);
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_add_veth(int sock, const char* name, const char* peer)
+{
+  netlink_add_device_impl("veth", name);
+  netlink_nest(IFLA_INFO_DATA);
+  netlink_nest(VETH_INFO_PEER);
+  nlmsg.pos += sizeof(struct ifinfomsg);
+  netlink_attr(IFLA_IFNAME, peer, strlen(peer));
+  netlink_done();
+  netlink_done();
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_add_hsr(int sock, const char* name, const char* slave1,
+                            const char* slave2)
+{
+  netlink_add_device_impl("hsr", name);
+  netlink_nest(IFLA_INFO_DATA);
+  int ifindex1 = if_nametoindex(slave1);
+  netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
+  int ifindex2 = if_nametoindex(slave2);
+  netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
+  netlink_done();
+  netlink_done();
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static void netlink_device_change(int sock, const char* name, bool up,
+                                  const char* master, const void* mac,
+                                  int macsize)
+{
+  struct ifinfomsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  if (up)
+    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
+  netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
+  netlink_attr(IFLA_IFNAME, name, strlen(name));
+  if (master) {
+    int ifindex = if_nametoindex(master);
+    netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
+  }
+  if (macsize)
+    netlink_attr(IFLA_ADDRESS, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int netlink_add_addr(int sock, const char* dev, const void* addr,
+                            int addrsize)
+{
+  struct ifaddrmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
+  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
+  hdr.ifa_index = if_nametoindex(dev);
+  netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
+  netlink_attr(IFA_LOCAL, addr, addrsize);
+  netlink_attr(IFA_ADDRESS, addr, addrsize);
+  return netlink_send(sock);
+}
+
+static void netlink_add_addr4(int sock, const char* dev, const char* addr)
+{
+  struct in_addr in_addr;
+  inet_pton(AF_INET, addr, &in_addr);
+  int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
+  (void)err;
+}
+
+static void netlink_add_addr6(int sock, const char* dev, const char* addr)
+{
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, addr, &in6_addr);
+  int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
+  (void)err;
+}
+
+static void netlink_add_neigh(int sock, const char* name, const void* addr,
+                              int addrsize, const void* mac, int macsize)
+{
+  struct ndmsg hdr;
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
+  hdr.ndm_ifindex = if_nametoindex(name);
+  hdr.ndm_state = NUD_PERMANENT;
+  netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
+  netlink_attr(NDA_DST, addr, addrsize);
+  netlink_attr(NDA_LLADDR, mac, macsize);
+  int err = netlink_send(sock);
+  (void)err;
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define TUN_IFACE "syz_tun"
+
+#define LOCAL_MAC 0xaaaaaaaaaaaa
+#define REMOTE_MAC 0xaaaaaaaaaabb
+
+#define LOCAL_IPV4 "172.20.20.170"
+#define REMOTE_IPV4 "172.20.20.187"
+
+#define LOCAL_IPV6 "fe80::aa"
+#define REMOTE_IPV6 "fe80::bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(void)
+{
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+  const int kTunFd = 240;
+  if (dup2(tunfd, kTunFd) < 0)
+    exit(1);
+  close(tunfd);
+  tunfd = kTunFd;
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      exit(1);
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    exit(1);
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+  char sysctl[64];
+  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
+  write_file(sysctl, "0");
+  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
+  write_file(sysctl, "0");
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  netlink_add_addr4(sock, TUN_IFACE, LOCAL_IPV4);
+  netlink_add_addr6(sock, TUN_IFACE, LOCAL_IPV6);
+  uint64_t macaddr = REMOTE_MAC;
+  struct in_addr in_addr;
+  inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
+  netlink_add_neigh(sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr,
+                    ETH_ALEN);
+  struct in6_addr in6_addr;
+  inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
+  netlink_add_neigh(sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr,
+                    ETH_ALEN);
+  macaddr = LOCAL_MAC;
+  netlink_device_change(sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN);
+  close(sock);
+}
+
+#define DEV_IPV4 "172.20.20.%d"
+#define DEV_IPV6 "fe80::%02hx"
+#define DEV_MAC 0x00aaaaaaaaaa
+static void initialize_netdevices(void)
+{
+  char netdevsim[16];
+  sprintf(netdevsim, "netdevsim%d", (int)procid);
+  struct {
+    const char* type;
+    const char* dev;
+  } devtypes[] = {
+      {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
+      {"vcan", "vcan0"},           {"bond", "bond0"},
+      {"team", "team0"},           {"dummy", "dummy0"},
+      {"nlmon", "nlmon0"},         {"caif", "caif0"},
+      {"batadv", "batadv0"},       {"vxcan", "vxcan1"},
+      {"netdevsim", netdevsim},    {"veth", 0},
+  };
+  const char* devmasters[] = {"bridge", "bond", "team"};
+  struct {
+    const char* name;
+    int macsize;
+    bool noipv6;
+  } devices[] = {
+      {"lo", ETH_ALEN},
+      {"sit0", 0},
+      {"bridge0", ETH_ALEN},
+      {"vcan0", 0, true},
+      {"tunl0", 0},
+      {"gre0", 0},
+      {"gretap0", ETH_ALEN},
+      {"ip_vti0", 0},
+      {"ip6_vti0", 0},
+      {"ip6tnl0", 0},
+      {"ip6gre0", 0},
+      {"ip6gretap0", ETH_ALEN},
+      {"erspan0", ETH_ALEN},
+      {"bond0", ETH_ALEN},
+      {"veth0", ETH_ALEN},
+      {"veth1", ETH_ALEN},
+      {"team0", ETH_ALEN},
+      {"veth0_to_bridge", ETH_ALEN},
+      {"veth1_to_bridge", ETH_ALEN},
+      {"veth0_to_bond", ETH_ALEN},
+      {"veth1_to_bond", ETH_ALEN},
+      {"veth0_to_team", ETH_ALEN},
+      {"veth1_to_team", ETH_ALEN},
+      {"veth0_to_hsr", ETH_ALEN},
+      {"veth1_to_hsr", ETH_ALEN},
+      {"hsr0", 0},
+      {"dummy0", ETH_ALEN},
+      {"nlmon0", 0},
+      {"vxcan1", 0, true},
+      {"caif0", ETH_ALEN},
+      {"batadv0", ETH_ALEN},
+      {netdevsim, ETH_ALEN},
+  };
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  unsigned i;
+  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
+    netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
+  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
+    char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
+    sprintf(slave0, "%s_slave_0", devmasters[i]);
+    sprintf(veth0, "veth0_to_%s", devmasters[i]);
+    netlink_add_veth(sock, slave0, veth0);
+    sprintf(slave1, "%s_slave_1", devmasters[i]);
+    sprintf(veth1, "veth1_to_%s", devmasters[i]);
+    netlink_add_veth(sock, slave1, veth1);
+    sprintf(master, "%s0", devmasters[i]);
+    netlink_device_change(sock, slave0, false, master, 0, 0);
+    netlink_device_change(sock, slave1, false, master, 0, 0);
+  }
+  netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
+  netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
+  netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
+  netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
+  netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
+  netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
+  netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
+  for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
+    char addr[32];
+    sprintf(addr, DEV_IPV4, i + 10);
+    netlink_add_addr4(sock, devices[i].name, addr);
+    if (!devices[i].noipv6) {
+      sprintf(addr, DEV_IPV6, i + 10);
+      netlink_add_addr6(sock, devices[i].name, addr);
+    }
+    uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
+    netlink_device_change(sock, devices[i].name, true, 0, &macaddr,
+                          devices[i].macsize);
+  }
+  close(sock);
+}
+static void initialize_netdevices_init(void)
+{
+  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (sock == -1)
+    exit(1);
+  struct {
+    const char* type;
+    int macsize;
+    bool noipv6;
+    bool noup;
+  } devtypes[] = {
+      {"nr", 7, true},
+      {"rose", 5, true, true},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
+    char dev[32], addr[32];
+    sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
+    sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
+    netlink_add_addr4(sock, dev, addr);
+    if (!devtypes[i].noipv6) {
+      sprintf(addr, "fe88::%02hx:%02hx", i, (int)procid + 1);
+      netlink_add_addr6(sock, dev, addr);
+    }
+    int macsize = devtypes[i].macsize;
+    uint64_t macaddr = 0xbbbbbb +
+                       ((unsigned long long)i << (8 * (macsize - 2))) +
+                       (procid << (8 * (macsize - 1)));
+    netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize);
+  }
+  close(sock);
+}
+
+static int read_tun(char* data, int size)
+{
+  if (tunfd < 0)
+    return -1;
+  int rv = read(tunfd, data, size);
+  if (rv < 0) {
+    if (errno == EAGAIN)
+      return -1;
+    if (errno == EBADFD)
+      return -1;
+    exit(1);
+  }
+  return rv;
+}
+
+#define MAX_FRAGS 4
+struct vnet_fragmentation {
+  uint32_t full;
+  uint32_t count;
+  uint32_t frags[MAX_FRAGS];
+};
+
+static long syz_emit_ethernet(long a0, long a1, long a2)
+{
+  if (tunfd < 0)
+    return (uintptr_t)-1;
+  uint32_t length = a0;
+  char* data = (char*)a1;
+  struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2;
+  struct iovec vecs[MAX_FRAGS + 1];
+  uint32_t nfrags = 0;
+  if (!tun_frags_enabled || frags == NULL) {
+    vecs[nfrags].iov_base = data;
+    vecs[nfrags].iov_len = length;
+    nfrags++;
+  } else {
+    bool full = true;
+    uint32_t i, count = 0;
+    NONFAILING(full = frags->full);
+    NONFAILING(count = frags->count);
+    if (count > MAX_FRAGS)
+      count = MAX_FRAGS;
+    for (i = 0; i < count && length != 0; i++) {
+      uint32_t size = 0;
+      NONFAILING(size = frags->frags[i]);
+      if (size > length)
+        size = length;
+      vecs[nfrags].iov_base = data;
+      vecs[nfrags].iov_len = size;
+      nfrags++;
+      data += size;
+      length -= size;
+    }
+    if (length != 0 && (full || nfrags == 0)) {
+      vecs[nfrags].iov_base = data;
+      vecs[nfrags].iov_len = length;
+      nfrags++;
+    }
+  }
+  return writev(tunfd, vecs, nfrags);
+}
+
+static void flush_tun()
+{
+  char data[SYZ_TUN_MAX_PACKET_SIZE];
+  while (read_tun(&data[0], sizeof(data)) != -1) {
+  }
+}
+
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+  uint64_t pcnt, bcnt;
+};
+
+struct ipt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct ipt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct ipt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct ipt_table_desc {
+  const char* name;
+  struct ipt_getinfo info;
+  struct ipt_replace replace;
+};
+
+static struct ipt_table_desc ipv4_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+#define IPT_BASE_CTL 64
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+
+struct arpt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct arpt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+  const char* name;
+  struct arpt_getinfo info;
+  struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
+                                int family, int level)
+{
+  struct ipt_get_entries entries;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
+                           int family, int level)
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct ipt_get_entries entries;
+  struct ipt_getinfo info;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_arptables(void)
+{
+  struct arpt_get_entries entries;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_arptables()
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct arpt_get_entries entries;
+  struct arpt_getinfo info;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    } else {
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+#define NF_BR_NUMHOOKS 6
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN 32
+#define EBT_BASE_CTL 128
+#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
+#define EBT_SO_GET_INFO (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1)
+#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1)
+
+struct ebt_replace {
+  char name[EBT_TABLE_MAXNAMELEN];
+  unsigned int valid_hooks;
+  unsigned int nentries;
+  unsigned int entries_size;
+  struct ebt_entries* hook_entry[NF_BR_NUMHOOKS];
+  unsigned int num_counters;
+  struct ebt_counter* counters;
+  char* entries;
+};
+
+struct ebt_entries {
+  unsigned int distinguisher;
+  char name[EBT_CHAIN_MAXNAMELEN];
+  unsigned int counter_offset;
+  int policy;
+  unsigned int nentries;
+  char data[0] __attribute__((aligned(__alignof__(struct ebt_replace))));
+};
+
+struct ebt_table_desc {
+  const char* name;
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+static struct ebt_table_desc ebt_tables[] = {
+    {.name = "filter"},
+    {.name = "nat"},
+    {.name = "broute"},
+};
+
+static void checkpoint_ebtables(void)
+{
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
+                   &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->replace.entries_size > sizeof(table->entrytable))
+      exit(1);
+    table->replace.num_counters = 0;
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
+                   &optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void reset_ebtables()
+{
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+  socklen_t optlen;
+  unsigned i, j, h;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    if (table->replace.valid_hooks == 0)
+      continue;
+    memset(&replace, 0, sizeof(replace));
+    strcpy(replace.name, table->name);
+    optlen = sizeof(replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
+      exit(1);
+    replace.num_counters = 0;
+    table->replace.entries = 0;
+    for (h = 0; h < NF_BR_NUMHOOKS; h++)
+      table->replace.hook_entry[h] = 0;
+    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
+      memset(&entrytable, 0, sizeof(entrytable));
+      replace.entries = entrytable;
+      optlen = sizeof(replace) + replace.entries_size;
+      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
+        exit(1);
+      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
+        continue;
+    }
+    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
+      if (table->replace.valid_hooks & (1 << h)) {
+        table->replace.hook_entry[h] =
+            (struct ebt_entries*)table->entrytable + j;
+        j++;
+      }
+    }
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+  checkpoint_ebtables();
+  checkpoint_arptables();
+  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                      AF_INET, SOL_IP);
+  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                      AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+  reset_ebtables();
+  reset_arptables();
+  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                 AF_INET, SOL_IP);
+  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                 AF_INET6, SOL_IPV6);
+}
+
+static void setup_cgroups()
+{
+  if (mkdir("/syzcgroup", 0777)) {
+  }
+  if (mkdir("/syzcgroup/unified", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
+  }
+  if (chmod("/syzcgroup/unified", 0777)) {
+  }
+  write_file("/syzcgroup/unified/cgroup.subtree_control",
+             "+cpu +memory +io +pids +rdma");
+  if (mkdir("/syzcgroup/cpu", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/cpu", "cgroup", 0,
+            "cpuset,cpuacct,perf_event,hugetlb")) {
+  }
+  write_file("/syzcgroup/cpu/cgroup.clone_children", "1");
+  if (chmod("/syzcgroup/cpu", 0777)) {
+  }
+  if (mkdir("/syzcgroup/net", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/net", "cgroup", 0,
+            "net_cls,net_prio,devices,freezer")) {
+  }
+  if (chmod("/syzcgroup/net", 0777)) {
+  }
+}
+static void setup_binfmt_misc()
+{
+  if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
+  }
+  write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
+  write_file("/proc/sys/fs/binfmt_misc/register",
+             ":syz1:M:1:\x02::./file0:POC");
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+  setup_cgroups();
+  setup_binfmt_misc();
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 200 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+  typedef struct {
+    const char* name;
+    const char* value;
+  } sysctl_t;
+  static const sysctl_t sysctls[] = {
+      {"/proc/sys/kernel/shmmax", "16777216"},
+      {"/proc/sys/kernel/shmall", "536870912"},
+      {"/proc/sys/kernel/shmmni", "1024"},
+      {"/proc/sys/kernel/msgmax", "8192"},
+      {"/proc/sys/kernel/msgmni", "1024"},
+      {"/proc/sys/kernel/msgmnb", "1024"},
+      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+  };
+  unsigned i;
+  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
+    write_file(sysctls[i].name, sysctls[i].value);
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  initialize_netdevices_init();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_tun();
+  initialize_netdevices();
+  loop();
+  exit(1);
+}
+
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  while (umount2(dir, MNT_DETACH) == 0) {
+  }
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exit(1);
+    }
+    exit(1);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];
+    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
+    while (umount2(filename, MNT_DETACH) == 0) {
+    }
+    struct stat st;
+    if (lstat(filename, &st))
+      exit(1);
+    if (S_ISDIR(st.st_mode)) {
+      remove_dir(filename);
+      continue;
+    }
+    int i;
+    for (i = 0;; i++) {
+      if (unlink(filename) == 0)
+        break;
+      if (errno == EPERM) {
+        int fd = open(filename, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno != EBUSY || i > 100)
+        exit(1);
+      if (umount2(filename, MNT_DETACH))
+        exit(1);
+    }
+  }
+  closedir(dp);
+  int i;
+  for (i = 0;; i++) {
+    if (rmdir(dir) == 0)
+      break;
+    if (i < 100) {
+      if (errno == EPERM) {
+        int fd = open(dir, O_RDONLY);
+        if (fd != -1) {
+          long flags = 0;
+          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
+            close(fd);
+          continue;
+        }
+      }
+      if (errno == EROFS) {
+        break;
+      }
+      if (errno == EBUSY) {
+        if (umount2(dir, MNT_DETACH))
+          exit(1);
+        continue;
+      }
+      if (errno == ENOTEMPTY) {
+        if (iter < 100) {
+          iter++;
+          goto retry;
+        }
+      }
+    }
+    exit(1);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_LOOP 1
+static void setup_loop()
+{
+  int pid = getpid();
+  char cgroupdir[64];
+  char file[128];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(file, sizeof(file), "%s/pids.max", cgroupdir);
+  write_file(file, "32");
+  snprintf(file, sizeof(file), "%s/memory.low", cgroupdir);
+  write_file(file, "%d", 298 << 20);
+  snprintf(file, sizeof(file), "%s/memory.high", cgroupdir);
+  write_file(file, "%d", 299 << 20);
+  snprintf(file, sizeof(file), "%s/memory.max", cgroupdir);
+  write_file(file, "%d", 300 << 20);
+  snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
+  write_file(file, "%d", pid);
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
+  write_file(file, "%d", pid);
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
+  if (mkdir(cgroupdir, 0777)) {
+  }
+  snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
+  write_file(file, "%d", pid);
+  checkpoint_net_namespace();
+}
+
+#define SYZ_HAVE_RESET_LOOP 1
+static void reset_loop()
+{
+  reset_net_namespace();
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  char cgroupdir[64];
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup")) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup.cpu")) {
+  }
+  snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
+  if (symlink(cgroupdir, "./cgroup.net")) {
+  }
+  write_file("/proc/self/oom_score_adj", "1000");
+  flush_tun();
+}
+
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+struct thread_t {
+  int created, call;
+  event_t ready, done;
+};
+
+static struct thread_t threads[16];
+static void execute_call(int call);
+static int running;
+
+static void* thr(void* arg)
+{
+  struct thread_t* th = (struct thread_t*)arg;
+  for (;;) {
+    event_wait(&th->ready);
+    event_reset(&th->ready);
+    execute_call(th->call);
+    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
+    event_set(&th->done);
+  }
+  return 0;
+}
+
+static void execute_one(void)
+{
+  int i, call, thread;
+  int collide = 0;
+again:
+  for (call = 0; call < 8; call++) {
+    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
+         thread++) {
+      struct thread_t* th = &threads[thread];
+      if (!th->created) {
+        th->created = 1;
+        event_init(&th->ready);
+        event_init(&th->done);
+        event_set(&th->done);
+        thread_start(thr, th);
+      }
+      if (!event_isset(&th->done))
+        continue;
+      event_reset(&th->done);
+      th->call = call;
+      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
+      event_set(&th->ready);
+      if (collide && (call % 2) == 0)
+        break;
+      event_timedwait(&th->done, 45);
+      break;
+    }
+  }
+  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
+    sleep_ms(1);
+  if (!collide) {
+    collide = 1;
+    goto again;
+  }
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  setup_loop();
+  int iter;
+  for (iter = 0;; iter++) {
+    char cwdbuf[32];
+    sprintf(cwdbuf, "./%d", iter);
+    if (mkdir(cwdbuf, 0777))
+      exit(1);
+    reset_loop();
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      if (chdir(cwdbuf))
+        exit(1);
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+    remove_dir(cwdbuf);
+  }
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+void execute_call(int call)
+{
+  long res;
+  switch (call) {
+  case 0:
+    NONFAILING(*(uint32_t*)0x2001d000 = 1);
+    NONFAILING(*(uint32_t*)0x2001d004 = 0x70);
+    NONFAILING(*(uint8_t*)0x2001d008 = 0);
+    NONFAILING(*(uint8_t*)0x2001d009 = 0);
+    NONFAILING(*(uint8_t*)0x2001d00a = 0);
+    NONFAILING(*(uint8_t*)0x2001d00b = 0);
+    NONFAILING(*(uint32_t*)0x2001d00c = 0);
+    NONFAILING(*(uint64_t*)0x2001d010 = 0x7f);
+    NONFAILING(*(uint64_t*)0x2001d018 = 0);
+    NONFAILING(*(uint64_t*)0x2001d020 = 0);
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1));
+    NONFAILING(STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 35));
+    NONFAILING(*(uint32_t*)0x2001d030 = 0);
+    NONFAILING(*(uint32_t*)0x2001d034 = 0);
+    NONFAILING(*(uint64_t*)0x2001d038 = 0);
+    NONFAILING(*(uint64_t*)0x2001d040 = 0);
+    NONFAILING(*(uint64_t*)0x2001d048 = 0);
+    NONFAILING(*(uint64_t*)0x2001d050 = 0);
+    NONFAILING(*(uint32_t*)0x2001d058 = 0);
+    NONFAILING(*(uint32_t*)0x2001d05c = 0);
+    NONFAILING(*(uint64_t*)0x2001d060 = 0);
+    NONFAILING(*(uint32_t*)0x2001d068 = 0);
+    NONFAILING(*(uint16_t*)0x2001d06c = 0);
+    NONFAILING(*(uint16_t*)0x2001d06e = 0);
+    syscall(__NR_perf_event_open, 0x2001d000, 0, -1, -1, 0);
+    break;
+  case 1:
+    syscall(__NR_connect, -1, 0, 0);
+    break;
+  case 2:
+    res = syscall(__NR_socket, 0xa, 2, 0);
+    if (res != -1)
+      r[0] = res;
+    break;
+  case 3:
+    syscall(__NR_setsockopt, r[0], 0x29, 0x36, 0, 0);
+    break;
+  case 4:
+    NONFAILING(*(uint16_t*)0x20002740 = 0xa);
+    NONFAILING(*(uint16_t*)0x20002742 = htobe16(0));
+    NONFAILING(*(uint32_t*)0x20002744 = htobe32(0));
+    NONFAILING(*(uint8_t*)0x20002748 = 0xfe);
+    NONFAILING(*(uint8_t*)0x20002749 = 0x80);
+    NONFAILING(*(uint8_t*)0x2000274a = 0);
+    NONFAILING(*(uint8_t*)0x2000274b = 0);
+    NONFAILING(*(uint8_t*)0x2000274c = 0);
+    NONFAILING(*(uint8_t*)0x2000274d = 0);
+    NONFAILING(*(uint8_t*)0x2000274e = 0);
+    NONFAILING(*(uint8_t*)0x2000274f = 0);
+    NONFAILING(*(uint8_t*)0x20002750 = 0);
+    NONFAILING(*(uint8_t*)0x20002751 = 0);
+    NONFAILING(*(uint8_t*)0x20002752 = 0);
+    NONFAILING(*(uint8_t*)0x20002753 = 0);
+    NONFAILING(*(uint8_t*)0x20002754 = 0);
+    NONFAILING(*(uint8_t*)0x20002755 = 0);
+    NONFAILING(*(uint8_t*)0x20002756 = 0);
+    NONFAILING(*(uint8_t*)0x20002757 = 0);
+    NONFAILING(*(uint32_t*)0x20002758 = 4);
+    syscall(__NR_connect, r[0], 0x20002740, 0x79);
+    break;
+  case 5:
+    syscall(__NR_sendmmsg, r[0], 0x20007e00, 0x136a88c8311572c, 0);
+    break;
+  case 6:
+    syscall(__NR_msgget, 0, 0);
+    break;
+  case 7:
+    NONFAILING(*(uint8_t*)0x2000a000 = -1);
+    NONFAILING(*(uint8_t*)0x2000a001 = 0xe0);
+    NONFAILING(*(uint8_t*)0x2000a002 = -1);
+    NONFAILING(*(uint8_t*)0x2000a003 = -1);
+    NONFAILING(*(uint8_t*)0x2000a004 = -1);
+    NONFAILING(*(uint8_t*)0x2000a005 = -1);
+    NONFAILING(*(uint8_t*)0x2000a006 = -1);
+    NONFAILING(*(uint8_t*)0x2000a007 = -1);
+    NONFAILING(*(uint8_t*)0x2000a008 = -1);
+    NONFAILING(*(uint8_t*)0x2000a009 = -1);
+    NONFAILING(*(uint8_t*)0x2000a00a = -1);
+    NONFAILING(*(uint8_t*)0x2000a00b = -1);
+    NONFAILING(*(uint16_t*)0x2000a00c = htobe16(0x800));
+    NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000a00e, 5, 0, 4));
+    NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000a00e, 4, 4, 4));
+    NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000a00f, 0, 0, 2));
+    NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000a00f, 0, 2, 6));
+    NONFAILING(*(uint16_t*)0x2000a010 = htobe16(0xfec3));
+    NONFAILING(*(uint16_t*)0x2000a012 = htobe16(0));
+    NONFAILING(*(uint16_t*)0x2000a014 = htobe16(0));
+    NONFAILING(*(uint8_t*)0x2000a016 = 0);
+    NONFAILING(*(uint8_t*)0x2000a017 = 0x29);
+    NONFAILING(*(uint16_t*)0x2000a018 = htobe16(0));
+    NONFAILING(*(uint8_t*)0x2000a01a = 0xac);
+    NONFAILING(*(uint8_t*)0x2000a01b = 0x14);
+    NONFAILING(*(uint8_t*)0x2000a01c = -1);
+    NONFAILING(*(uint8_t*)0x2000a01d = 0xbb);
+    NONFAILING(*(uint32_t*)0x2000a01e = htobe32(0xe0000001));
+    NONFAILING(*(uint16_t*)0x2000a022 = htobe16(0));
+    NONFAILING(*(uint16_t*)0x2000a024 = htobe16(0));
+    NONFAILING(*(uint16_t*)0x2000a026 = htobe16(8));
+    NONFAILING(*(uint16_t*)0x2000a028 = htobe16(0));
+    struct csum_inet csum_1;
+    csum_inet_init(&csum_1);
+    NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x0, 4));
+    NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x0, 4));
+    uint16_t csum_1_chunk_2 = 0x1100;
+    csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2);
+    uint16_t csum_1_chunk_3 = 0x800;
+    csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2);
+    NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x0, 8));
+    NONFAILING(*(uint16_t*)0x2000a028 = csum_inet_digest(&csum_1));
+    struct csum_inet csum_2;
+    csum_inet_init(&csum_2);
+    NONFAILING(csum_inet_update(&csum_2, (const uint8_t*)0x2000a00e, 20));
+    NONFAILING(*(uint16_t*)0x2000a018 = csum_inet_digest(&csum_2));
+    syz_emit_ethernet(0xfed1, 0x2000a000, 0);
+    break;
+  }
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  install_segv_handler();
+  for (procid = 0; procid < 6; procid++) {
+    if (fork() == 0) {
+      use_temporary_dir();
+      do_sandbox_none();
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
diff --git a/syzkaller-repros/linux/01b33168320de6a151ec997be395d50b9dbdbbf4.c b/syzkaller-repros/linux/01b33168320de6a151ec997be395d50b9dbdbbf4.c
new file mode 100644
index 0000000..0c6c592
--- /dev/null
+++ b/syzkaller-repros/linux/01b33168320de6a151ec997be395d50b9dbdbbf4.c
@@ -0,0 +1,1259 @@
+// KASAN: use-after-free Read in sock_i_ino
+// https://syzkaller.appspot.com/bug?id=01b33168320de6a151ec997be395d50b9dbdbbf4
+// status:fixed
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <arpa/inet.h>
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if_arp.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <sched.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <linux/futex.h>
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/if_tun.h>
+#include <linux/ip.h>
+#include <linux/net.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/tcp.h>
+
+unsigned long long procid;
+
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
+      (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+
+#define NONFAILING(...)                                                        \
+  {                                                                            \
+    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+    if (_setjmp(segv_env) == 0) {                                              \
+      __VA_ARGS__;                                                             \
+    }                                                                          \
+    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
+  }
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static void use_temporary_dir(void)
+{
+  char tmpdir_template[] = "./syzkaller.XXXXXX";
+  char* tmpdir = mkdtemp(tmpdir_template);
+  if (!tmpdir)
+    exit(1);
+  if (chmod(tmpdir, 0777))
+    exit(1);
+  if (chdir(tmpdir))
+    exit(1);
+}
+
+static void thread_start(void* (*fn)(void*), void* arg)
+{
+  pthread_t th;
+  pthread_attr_t attr;
+  pthread_attr_init(&attr);
+  pthread_attr_setstacksize(&attr, 128 << 10);
+  if (pthread_create(&th, &attr, fn, arg))
+    exit(1);
+  pthread_attr_destroy(&attr);
+}
+
+typedef struct {
+  int state;
+} event_t;
+
+static void event_init(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_reset(event_t* ev)
+{
+  ev->state = 0;
+}
+
+static void event_set(event_t* ev)
+{
+  if (ev->state)
+    exit(1);
+  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
+  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
+}
+
+static void event_wait(event_t* ev)
+{
+  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
+}
+
+static int event_isset(event_t* ev)
+{
+  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
+}
+
+static int event_timedwait(event_t* ev, uint64_t timeout)
+{
+  uint64_t start = current_time_ms();
+  uint64_t now = start;
+  for (;;) {
+    uint64_t remain = timeout - (now - start);
+    struct timespec ts;
+    ts.tv_sec = remain / 1000;
+    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
+    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
+    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
+      return 1;
+    now = current_time_ms();
+    if (now - start > timeout)
+      return 0;
+  }
+}
+
+static void vsnprintf_check(char* str, size_t size, const char* format,
+                            va_list args)
+{
+  int rv;
+  rv = vsnprintf(str, size, format, args);
+  if (rv < 0)
+    exit(1);
+  if ((size_t)rv >= size)
+    exit(1);
+}
+
+#define COMMAND_MAX_LEN 128
+#define PATH_PREFIX                                                            \
+  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
+#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)
+
+static void execute_command(bool panic, const char* format, ...)
+{
+  va_list args;
+  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
+  int rv;
+  va_start(args, format);
+  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
+  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
+  va_end(args);
+  rv = system(command);
+  if (rv) {
+    if (panic)
+      exit(1);
+  }
+}
+
+static int tunfd = -1;
+static int tun_frags_enabled;
+#define SYZ_TUN_MAX_PACKET_SIZE 1000
+
+#define TUN_IFACE "syz_tun"
+
+#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
+#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
+
+#define LOCAL_IPV4 "172.20.20.170"
+#define REMOTE_IPV4 "172.20.20.187"
+
+#define LOCAL_IPV6 "fe80::aa"
+#define REMOTE_IPV6 "fe80::bb"
+
+#define IFF_NAPI 0x0010
+#define IFF_NAPI_FRAGS 0x0020
+
+static void initialize_tun(void)
+{
+  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
+  if (tunfd == -1) {
+    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
+    printf("otherwise fuzzing or reproducing might not work as intended\n");
+    return;
+  }
+  const int kTunFd = 240;
+  if (dup2(tunfd, kTunFd) < 0)
+    exit(1);
+  close(tunfd);
+  tunfd = kTunFd;
+  struct ifreq ifr;
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
+  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
+    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
+      exit(1);
+  }
+  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
+    exit(1);
+  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
+  execute_command(0, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE);
+  execute_command(0, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
+                  TUN_IFACE);
+  execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC);
+  execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE);
+  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
+                  REMOTE_IPV4, REMOTE_MAC, TUN_IFACE);
+  execute_command(0, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE);
+  execute_command(0, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
+                  REMOTE_IPV6, REMOTE_MAC, TUN_IFACE);
+  execute_command(1, "ip link set dev %s up", TUN_IFACE);
+}
+
+#define DEV_IPV4 "172.20.20.%d"
+#define DEV_IPV6 "fe80::%02hx"
+#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"
+
+static void snprintf_check(char* str, size_t size, const char* format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  vsnprintf_check(str, size, format, args);
+  va_end(args);
+}
+static void initialize_netdevices(void)
+{
+  unsigned i;
+  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
+  const char* devnames[] = {"lo",
+                            "sit0",
+                            "bridge0",
+                            "vcan0",
+                            "tunl0",
+                            "gre0",
+                            "gretap0",
+                            "ip_vti0",
+                            "ip6_vti0",
+                            "ip6tnl0",
+                            "ip6gre0",
+                            "ip6gretap0",
+                            "erspan0",
+                            "bond0",
+                            "veth0",
+                            "veth1",
+                            "team0",
+                            "veth0_to_bridge",
+                            "veth1_to_bridge",
+                            "veth0_to_bond",
+                            "veth1_to_bond",
+                            "veth0_to_team",
+                            "veth1_to_team"};
+  const char* devmasters[] = {"bridge", "bond", "team"};
+  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
+    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
+  execute_command(0, "ip link add type veth");
+  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
+    execute_command(
+        0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
+        devmasters[i], devmasters[i]);
+    execute_command(
+        0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
+        devmasters[i], devmasters[i]);
+    execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
+                    devmasters[i]);
+    execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
+                    devmasters[i]);
+    execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
+    execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
+  }
+  execute_command(0, "ip link set bridge_slave_0 up");
+  execute_command(0, "ip link set bridge_slave_1 up");
+  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
+    char addr[32];
+    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
+    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
+    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
+    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
+    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
+    execute_command(0, "ip link set dev %s up", devnames[i]);
+  }
+}
+
+static int read_tun(char* data, int size)
+{
+  if (tunfd < 0)
+    return -1;
+  int rv = read(tunfd, data, size);
+  if (rv < 0) {
+    if (errno == EAGAIN)
+      return -1;
+    if (errno == EBADFD)
+      return -1;
+    exit(1);
+  }
+  return rv;
+}
+
+static void flush_tun()
+{
+  char data[SYZ_TUN_MAX_PACKET_SIZE];
+  while (read_tun(&data[0], sizeof(data)) != -1) {
+  }
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+#define XT_TABLE_SIZE 1536
+#define XT_MAX_ENTRIES 10
+
+struct xt_counters {
+  uint64_t pcnt, bcnt;
+};
+
+struct ipt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct ipt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct ipt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[5];
+  unsigned int underflow[5];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct ipt_table_desc {
+  const char* name;
+  struct ipt_getinfo info;
+  struct ipt_replace replace;
+};
+
+static struct ipt_table_desc ipv4_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+static struct ipt_table_desc ipv6_tables[] = {
+    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
+    {.name = "raw"},    {.name = "security"},
+};
+
+#define IPT_BASE_CTL 64
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+
+struct arpt_getinfo {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_entries;
+  unsigned int size;
+};
+
+struct arpt_get_entries {
+  char name[32];
+  unsigned int size;
+  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
+};
+
+struct arpt_replace {
+  char name[32];
+  unsigned int valid_hooks;
+  unsigned int num_entries;
+  unsigned int size;
+  unsigned int hook_entry[3];
+  unsigned int underflow[3];
+  unsigned int num_counters;
+  struct xt_counters* counters;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+struct arpt_table_desc {
+  const char* name;
+  struct arpt_getinfo info;
+  struct arpt_replace replace;
+};
+
+static struct arpt_table_desc arpt_tables[] = {
+    {.name = "filter"},
+};
+
+#define ARPT_BASE_CTL 96
+#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
+#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
+
+static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
+                                int family, int level)
+{
+  struct ipt_get_entries entries;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
+                           int family, int level)
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct ipt_get_entries entries;
+  struct ipt_getinfo info;
+  socklen_t optlen;
+  int fd, i;
+  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < num_tables; i++) {
+    struct ipt_table_desc* table = &tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_arptables(void)
+{
+  struct arpt_get_entries entries;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    strcpy(table->info.name, table->name);
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->info.size > sizeof(table->replace.entrytable))
+      exit(1);
+    if (table->info.num_entries > XT_MAX_ENTRIES)
+      exit(1);
+    memset(&entries, 0, sizeof(entries));
+    strcpy(entries.name, table->name);
+    entries.size = table->info.size;
+    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+      exit(1);
+    table->replace.valid_hooks = table->info.valid_hooks;
+    table->replace.num_entries = table->info.num_entries;
+    table->replace.size = table->info.size;
+    memcpy(table->replace.hook_entry, table->info.hook_entry,
+           sizeof(table->replace.hook_entry));
+    memcpy(table->replace.underflow, table->info.underflow,
+           sizeof(table->replace.underflow));
+    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
+  }
+  close(fd);
+}
+
+static void reset_arptables()
+{
+  struct xt_counters counters[XT_MAX_ENTRIES];
+  struct arpt_get_entries entries;
+  struct arpt_getinfo info;
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
+    struct arpt_table_desc* table = &arpt_tables[i];
+    if (table->info.valid_hooks == 0)
+      continue;
+    memset(&info, 0, sizeof(info));
+    strcpy(info.name, table->name);
+    optlen = sizeof(info);
+    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
+      exit(1);
+    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
+      memset(&entries, 0, sizeof(entries));
+      strcpy(entries.name, table->name);
+      entries.size = table->info.size;
+      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
+      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
+        exit(1);
+      if (memcmp(table->replace.entrytable, entries.entrytable,
+                 table->info.size) == 0)
+        continue;
+    } else {
+    }
+    table->replace.num_counters = info.num_entries;
+    table->replace.counters = counters;
+    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
+             table->replace.size;
+    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+struct ebt_table_desc {
+  const char* name;
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+};
+
+static struct ebt_table_desc ebt_tables[] = {
+    {.name = "filter"},
+    {.name = "nat"},
+    {.name = "broute"},
+};
+
+static void checkpoint_ebtables(void)
+{
+  socklen_t optlen;
+  unsigned i;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    strcpy(table->replace.name, table->name);
+    optlen = sizeof(table->replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
+                   &optlen)) {
+      switch (errno) {
+      case EPERM:
+      case ENOENT:
+      case ENOPROTOOPT:
+        continue;
+      }
+      exit(1);
+    }
+    if (table->replace.entries_size > sizeof(table->entrytable))
+      exit(1);
+    table->replace.num_counters = 0;
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
+                   &optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void reset_ebtables()
+{
+  struct ebt_replace replace;
+  char entrytable[XT_TABLE_SIZE];
+  socklen_t optlen;
+  unsigned i, j, h;
+  int fd;
+  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    switch (errno) {
+    case EAFNOSUPPORT:
+    case ENOPROTOOPT:
+      return;
+    }
+    exit(1);
+  }
+  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
+    struct ebt_table_desc* table = &ebt_tables[i];
+    if (table->replace.valid_hooks == 0)
+      continue;
+    memset(&replace, 0, sizeof(replace));
+    strcpy(replace.name, table->name);
+    optlen = sizeof(replace);
+    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
+      exit(1);
+    replace.num_counters = 0;
+    table->replace.entries = 0;
+    for (h = 0; h < NF_BR_NUMHOOKS; h++)
+      table->replace.hook_entry[h] = 0;
+    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
+      memset(&entrytable, 0, sizeof(entrytable));
+      replace.entries = entrytable;
+      optlen = sizeof(replace) + replace.entries_size;
+      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
+        exit(1);
+      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
+        continue;
+    }
+    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
+      if (table->replace.valid_hooks & (1 << h)) {
+        table->replace.hook_entry[h] =
+            (struct ebt_entries*)table->entrytable + j;
+        j++;
+      }
+    }
+    table->replace.entries = table->entrytable;
+    optlen = sizeof(table->replace) + table->replace.entries_size;
+    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
+      exit(1);
+  }
+  close(fd);
+}
+
+static void checkpoint_net_namespace(void)
+{
+  checkpoint_ebtables();
+  checkpoint_arptables();
+  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                      AF_INET, SOL_IP);
+  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                      AF_INET6, SOL_IPV6);
+}
+
+static void reset_net_namespace(void)
+{
+  reset_ebtables();
+  reset_arptables();
+  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
+                 AF_INET, SOL_IP);
+  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
+                 AF_INET6, SOL_IPV6);
+}
+
+static void setup_cgroups()
+{
+  if (mkdir("/syzcgroup", 0777)) {
+  }
+  if (mkdir("/syzcgroup/unified", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
+  }
+  if (chmod("/syzcgroup/unified", 0777)) {
+  }
+  if (!write_file("/syzcgroup/unified/cgroup.subtree_control",
+                  "+cpu +memory +io +pids +rdma")) {
+  }
+  if (mkdir("/syzcgroup/cpu", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/cpu", "cgroup", 0,
+            "cpuset,cpuacct,perf_event,hugetlb")) {
+  }
+  if (!write_file("/syzcgroup/cpu/cgroup.clone_children", "1")) {
+  }
+  if (chmod("/syzcgroup/cpu", 0777)) {
+  }
+  if (mkdir("/syzcgroup/net", 0777)) {
+  }
+  if (mount("none", "/syzcgroup/net", "cgroup", 0,
+            "net_cls,net_prio,devices,freezer")) {
+  }
+  if (chmod("/syzcgroup/net", 0777)) {
+  }
+  if (!write_file("/proc/self/oom_score_adj", "-1000")) {
+  }
+}
+static void setup_binfmt_misc()
+{
+  if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
+  }
+  if (!write_file("/proc/sys/fs/binfmt_misc/register",
+                  ":syz0:M:0:\x01::./file0:")) {
+  }
+  if (!write_file("/proc/sys/fs/binfmt_misc/register",
+                  ":syz1:M:1:\x02::./file0:POC")) {
+  }
+}
+
+static void setup_common()
+{
+  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
+  }
+  setup_cgroups();
+  setup_binfmt_misc();
+}
+
+static void loop();
+
+static void sandbox_common()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  setsid();
+  struct rlimit rlim;
+  rlim.rlim_cur = rlim.rlim_max = 160 << 20;
+  setrlimit(RLIMIT_AS, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+  setrlimit(RLIMIT_MEMLOCK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
+  setrlimit(RLIMIT_FSIZE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
+  setrlimit(RLIMIT_STACK, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 0;
+  setrlimit(RLIMIT_CORE, &rlim);
+  rlim.rlim_cur = rlim.rlim_max = 256;
+  setrlimit(RLIMIT_NOFILE, &rlim);
+  if (unshare(CLONE_NEWNS)) {
+  }
+  if (unshare(CLONE_NEWIPC)) {
+  }
+  if (unshare(0x02000000)) {
+  }
+  if (unshare(CLONE_NEWUTS)) {
+  }
+  if (unshare(CLONE_SYSVSEM)) {
+  }
+}
+
+int wait_for_loop(int pid)
+{
+  if (pid < 0)
+    exit(1);
+  int status = 0;
+  while (waitpid(-1, &status, __WALL) != pid) {
+  }
+  return WEXITSTATUS(status);
+}
+
+static int do_sandbox_none(void)
+{
+  if (unshare(CLONE_NEWPID)) {
+  }
+  int pid = fork();
+  if (pid != 0)
+    return wait_for_loop(pid);
+  setup_common();
+  sandbox_common();
+  if (unshare(CLONE_NEWNET)) {
+  }
+  initialize_tun();
+  initialize_netdevices();
+  loop();
+  exit(1);
+}
+
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+static void remove_dir(const char* dir)
+{
+  DIR* dp;
+  struct dirent* ep;
+  int iter = 0;
+retry:
+  while (umount2(dir, MNT_DETACH) == 0) {
+  }
+  dp = opendir(dir);
+  if (dp == NULL) {
+    if (errno == EMFILE) {
+      exit(1);
+    }
+    exit(1);
+  }
+  while ((ep = readdir(dp))) {
+    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
+      continue;
+    char filename[FILENAME_MAX];