github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/executor/common_linux.h

// Copyright 2016 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

// This file is shared between executor and csource package.

#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#if SYZ_EXECUTOR
const int kExtraCoverSize = 1024 << 10;
struct cover_t;
static void cover_reset(cover_t* cov);
#endif

#if SYZ_EXECUTOR || SYZ_THREADED
#include <linux/futex.h>
#include <pthread.h>

typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

static void event_reset(event_t* ev)
{
	ev->state = 0;
}

static void event_set(event_t* ev)
{
	if (ev->state)
		exitf("event already set");
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

static int event_timedwait(event_t* ev, uint64 timeout)
{
	uint64 start = current_time_ms();
	uint64 now = start;
	for (;;) {
		uint64 remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_REPEAT || SYZ_NET_INJECTION || SYZ_FAULT || SYZ_SANDBOX_NONE || \
    SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID ||               \
    SYZ_FAULT || SYZ_LEAK || SYZ_BINFMT_MISC || SYZ_SYSCTL ||                           \
    ((__NR_syz_usb_connect || __NR_syz_usb_connect_ath9k) && USB_DEBUG) ||              \
    __NR_syz_usbip_server_init
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);

	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		debug("write(%s) failed: %d\n", file, err);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_NET_INJECTION || SYZ_DEVLINK_PCI || SYZ_WIFI || SYZ_802154 || \
    __NR_syz_genetlink_get_family_id || __NR_syz_80211_inject_frame || __NR_syz_80211_join_ibss || SYZ_NIC_VF
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#include <linux/genetlink.h>
#include <linux/if_addr.h>
#include <linux/if_link.h>
#include <linux/in6.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/veth.h>

struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
			 const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

static void netlink_attr(struct nlmsg* nlmsg, int typ,
			 const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_802154
static void netlink_nest(struct nlmsg* nlmsg, int typ)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_type = typ;
	nlmsg->pos += sizeof(*attr);
	nlmsg->nested[nlmsg->nesting++] = attr;
}

static void netlink_done(struct nlmsg* nlmsg)
{
	struct nlattr* attr = nlmsg->nested[--nlmsg->nesting];
	attr->nla_len = nlmsg->pos - (char*)attr;
}

#if SYZ_EXECUTOR || SYZ_NIC_VF
#include <ifaddrs.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>
#include <sys/ioctl.h>

struct vf_intf {
	char pass_thru_intf[IFNAMSIZ];
	int ppid; // used by Child
};

static struct vf_intf vf_intf;

static void find_vf_interface(void)
{
#if SYZ_EXECUTOR
	if (!flag_nic_vf)
		return;
#endif
	struct ifaddrs* addresses = NULL;
	int pid = getpid();
	int ret = 0;

	memset(&vf_intf, 0, sizeof(struct vf_intf));

	debug("Checking for VF pass-thru interface.\n");
	if (getifaddrs(&addresses) == -1) {
		debug("%s: getifaddrs() failed.\n", __func__);
		return;
	}

	int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);

	if (fd < 0) {
		debug("%s: socket() failed.\n", __func__);
		return;
	}
	struct ifreq ifr;
	struct ethtool_drvinfo drvinfo;
	struct ifaddrs* address = addresses;

	while (address) {
		debug("ifa_name: %s\n", address->ifa_name);
		memset(&ifr, 0, sizeof(struct ifreq));
		strcpy(ifr.ifr_name, address->ifa_name);
		memset(&drvinfo, 0, sizeof(struct ethtool_drvinfo));
		drvinfo.cmd = ETHTOOL_GDRVINFO;
		ifr.ifr_data = (caddr_t)&drvinfo;
		ret = ioctl(fd, SIOCETHTOOL, &ifr);

		if (ret < 0) {
			debug("%s: ioctl() failed.\n", __func__);
		} else if (strlen(drvinfo.bus_info)) {
			debug("bus_info: %s, strlen(drvinfo.bus_info)=%zu\n",
			      drvinfo.bus_info, strlen(drvinfo.bus_info));
			if (strcmp(drvinfo.bus_info, "0000:00:11.0") == 0) {
				if (strlen(address->ifa_name) < IFNAMSIZ) {
					strncpy(vf_intf.pass_thru_intf,
						address->ifa_name, IFNAMSIZ);
					vf_intf.ppid = pid;
				} else {
					debug("%s: %d strlen(%s) >= IFNAMSIZ.\n",
					      __func__, pid, address->ifa_name);
				}
				break;
			}
		}
		address = address->ifa_next;
	}
	freeifaddrs(addresses);
	if (!vf_intf.ppid) {
		memset(&vf_intf, 0, sizeof(struct vf_intf));
		debug("%s: %d could not find VF pass-thru interface.\n", __func__, pid);
		return;
	}
	debug("%s: %d found VF pass-thru interface %s\n",
	      __func__, pid, vf_intf.pass_thru_intf);
}
#endif // SYZ_NIC_VF

#endif

static int netlink_send_ext(struct nlmsg* nlmsg, int sock,
			    uint16 reply_type, int* reply_len, bool dofail)
{
#if SYZ_EXECUTOR
	if (in_execute_one && dofail) {
		// We can expect different sorts of breakages during fuzzing,
		// we should not kill the whole process because of them.
		failmsg("invalid netlink_send_ext arguments", "dofail is true during syscall execution");
	}
#endif
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		fail("nlmsg overflow/bad nesting");
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			failmsg("netlink_send_ext: short netlink write", "wrote=%zd, want=%d", n, hdr->nlmsg_len);
		debug("netlink_send_ext: short netlink write: %zd/%d errno=%d\n", n, hdr->nlmsg_len, errno);
		return -1;
	}
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			fail("netlink_send_ext: netlink read failed");
		debug("netlink_send_ext: netlink read failed: errno=%d\n", errno);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			failmsg("netlink_send_ext: short netlink read", "read=%zd", n);
		debug("netlink_send_ext: short netlink read: %zd\n", n);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			failmsg("netlink_send_ext: short netlink read", "read=%zd", n);
		debug("netlink_send_ext: short netlink read: %zd\n", n);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			failmsg("netlink_send_ext: bad netlink ack type", "type=%d", hdr->nlmsg_type);
		debug("netlink_send_ext: short netlink ack: %d\n", hdr->nlmsg_type);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_NET_INJECTION || SYZ_DEVLINK_PCI || SYZ_WIFI || SYZ_802154
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}
#endif

static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		debug("netlink: failed to get family id for %.*s: %s\n", GENL_NAMSIZ, family_name, strerror(errno));
		return -1;
	}
	uint16 id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16*)(attr + 1);
			break;
		}
	}
	if (!id) {
		debug("netlink: failed to parse family id for %.*s\n", GENL_NAMSIZ, family_name);
		errno = EINVAL;
		return -1;
	}
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); // recv ack

	return id;
}

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_DEVLINK_PCI
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset,
			    unsigned int total_len)
{
	struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);

	if (offset == total_len || offset + hdr->nlmsg_len > total_len)
		return -1;
	return hdr->nlmsg_len;
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_802154

// Force few TX and RX queues per interface to avoid creating 2 sysfs entries
// per CPU per interface which takes a long time on machines with many cores.
static unsigned int queue_count = 2;

static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type,
				    const char* name, bool up)
{
	struct ifinfomsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	if (up)
		hdr.ifi_flags = hdr.ifi_change = IFF_UP;
	netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
	if (name)
		netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name));

	netlink_attr(nlmsg, IFLA_NUM_TX_QUEUES, &queue_count, sizeof(queue_count));
	netlink_attr(nlmsg, IFLA_NUM_RX_QUEUES, &queue_count, sizeof(queue_count));

	netlink_nest(nlmsg, IFLA_LINKINFO);
	netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type));
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES
static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type,
			       const char* name)
{
	netlink_add_device_impl(nlmsg, type, name, false);
	netlink_done(nlmsg);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: adding device %s type %s: %s\n", name, type, strerror(errno));
	}
}

static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name,
			     const char* peer)
{
	netlink_add_device_impl(nlmsg, "veth", name, false);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	netlink_nest(nlmsg, VETH_INFO_PEER);
	nlmsg->pos += sizeof(struct ifinfomsg);
	netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer));
	netlink_attr(nlmsg, IFLA_NUM_TX_QUEUES, &queue_count, sizeof(queue_count));
	netlink_attr(nlmsg, IFLA_NUM_RX_QUEUES, &queue_count, sizeof(queue_count));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: adding device %s type veth peer %s: %s\n", name, peer, strerror(errno));
	}
}

static void netlink_add_xfrm(struct nlmsg* nlmsg, int sock, const char* name)
{
	netlink_add_device_impl(nlmsg, "xfrm", name, true);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	int if_id = 1;
	// This is IFLA_XFRM_IF_ID attr which is not present in older kernel headers.
	netlink_attr(nlmsg, 2, &if_id, sizeof(if_id));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: adding device %s type xfrm if_id %d: %s\n", name, if_id, strerror(errno));
	}
}

static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name,
			    const char* slave1, const char* slave2)
{
	netlink_add_device_impl(nlmsg, "hsr", name, false);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	int ifindex1 = if_nametoindex(slave1);
	netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
	int ifindex2 = if_nametoindex(slave2);
	netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: adding device %s type hsr slave1 %s slave2 %s: %s\n", name, slave1, slave2, strerror(errno));
	}
}

static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type, const char* name, const char* link)
{
	netlink_add_device_impl(nlmsg, type, name, false);
	netlink_done(nlmsg);
	int ifindex = if_nametoindex(link);
	netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: adding device %s type %s link %s: %s\n", name, type, link, strerror(errno));
	}
}

static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16 id, uint16 proto)
{
	netlink_add_device_impl(nlmsg, "vlan", name, false);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id));
	netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int ifindex = if_nametoindex(link);
	netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: add %s type vlan link %s id %d: %s\n", name, link, id, strerror(errno));
	}
}

static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link)
{
	netlink_add_device_impl(nlmsg, "macvlan", name, false);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	uint32 mode = MACVLAN_MODE_BRIDGE;
	netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int ifindex = if_nametoindex(link);
	netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: add %s type macvlan link %s mode %d: %s\n", name, link, mode, strerror(errno));
	}
}

static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name, uint32 vni, struct in_addr* addr4, struct in6_addr* addr6)
{
	netlink_add_device_impl(nlmsg, "geneve", name, false);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni));
	if (addr4)
		netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4));
	if (addr6)
		netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: add %s type geneve vni %u: %s\n", name, vni, strerror(errno));
	}
}

#define IFLA_IPVLAN_FLAGS 2
#define IPVLAN_MODE_L3S 2
#undef IPVLAN_F_VEPA
#define IPVLAN_F_VEPA 2

static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16 mode, uint16 flags)
{
	netlink_add_device_impl(nlmsg, "ipvlan", name, false);
	netlink_nest(nlmsg, IFLA_INFO_DATA);
	netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode));
	netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags));
	netlink_done(nlmsg);
	netlink_done(nlmsg);
	int ifindex = if_nametoindex(link);
	netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: add %s type ipvlan link %s mode %d: %s\n", name, link, mode, strerror(errno));
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_NET_INJECTION || SYZ_DEVLINK_PCI || SYZ_802154
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up,
				  const char* master, const void* mac, int macsize,
				  const char* new_name)
{
	struct ifinfomsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	if (up)
		hdr.ifi_flags = hdr.ifi_change = IFF_UP;
	hdr.ifi_index = if_nametoindex(name);
	netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
	if (new_name)
		netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
	if (master) {
		int ifindex = if_nametoindex(master);
		netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
	}
	if (macsize)
		netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: device %s up master %s: %s\n", name, master ? master : "NULL", strerror(errno));
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_NET_INJECTION
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev,
			    const void* addr, int addrsize)
{
	struct ifaddrmsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
	hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
	hdr.ifa_scope = RT_SCOPE_UNIVERSE;
	hdr.ifa_index = if_nametoindex(dev);
	netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
	netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
	netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
	return netlink_send(nlmsg, sock);
}

static void netlink_add_addr4(struct nlmsg* nlmsg, int sock,
			      const char* dev, const char* addr)
{
	struct in_addr in_addr;
	inet_pton(AF_INET, addr, &in_addr);
	int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
	if (err < 0) {
		debug("netlink: add addr %s dev %s: %s\n", addr, dev, strerror(errno));
	}
}

static void netlink_add_addr6(struct nlmsg* nlmsg, int sock,
			      const char* dev, const char* addr)
{
	struct in6_addr in6_addr;
	inet_pton(AF_INET6, addr, &in6_addr);
	int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
	if (err < 0) {
		debug("netlink: add addr %s dev %s: %s\n", addr, dev, strerror(errno));
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_INJECTION
static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name,
			      const void* addr, int addrsize, const void* mac, int macsize)
{
	struct ndmsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
	hdr.ndm_ifindex = if_nametoindex(name);
	hdr.ndm_state = NUD_PERMANENT;
	netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
	netlink_attr(nlmsg, NDA_DST, addr, addrsize);
	netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("netlink: add neigh %s addr %d lladdr %d: %s\n", name, addrsize, macsize, strerror(errno));
	}
}
#endif
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES || SYZ_NET_INJECTION || SYZ_DEVLINK_PCI || SYZ_WIFI || SYZ_802154
static struct nlmsg nlmsg;
#endif

#if SYZ_EXECUTOR || SYZ_NET_INJECTION
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <stdarg.h>
#include <stdbool.h>
#include <sys/ioctl.h>
#include <sys/stat.h>

#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/tcp.h>

static int tunfd = -1;

#define TUN_IFACE "syz_tun"
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"

#ifndef IFF_NAPI
#define IFF_NAPI 0x0010
#endif
#if ENABLE_NAPI_FRAGS
static int tun_frags_enabled;
#ifndef IFF_NAPI_FRAGS
#define IFF_NAPI_FRAGS 0x0020
#endif
#endif

static void initialize_tun(void)
{
#if SYZ_EXECUTOR
	if (!flag_net_injection)
		return;
#endif
	tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
	if (tunfd == -1) {
#if SYZ_EXECUTOR
		fail("tun: can't open /dev/net/tun");
#else
		printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
		printf("otherwise fuzzing or reproducing might not work as intended\n");
		return;
#endif
	}
	// Remap tun onto higher fd number to hide it from fuzzer and to keep
	// fd numbers stable regardless of whether tun is opened or not (also see kMaxFd).
	const int kTunFd = 200;
	if (dup2(tunfd, kTunFd) < 0)
		fail("dup2(tunfd, kTunFd) failed");
	close(tunfd);
	tunfd = kTunFd;

	struct ifreq ifr;
	memset(&ifr, 0, sizeof(ifr));
	strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
	// Note: SYZ_ENABLE_NAPI_FRAGS is never enabled. This is code is only for reference
	// in case we figure out how IFF_NAPI_FRAGS works. With IFF_NAPI_FRAGS packets
	// don't reach destinations and bail out in udp_gro_receive (see #1594).
	// Also IFF_NAPI_FRAGS does not work with sandbox_namespace (see comment there).
#if ENABLE_NAPI_FRAGS
	ifr.ifr_flags |= IFF_NAPI | IFF_NAPI_FRAGS;
#endif
	if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
#if ENABLE_NAPI_FRAGS
		// IFF_NAPI_FRAGS requires root, so try without it.
		ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
		if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
#endif
			fail("tun: ioctl(TUNSETIFF) failed");
	}
#if ENABLE_NAPI_FRAGS
	// If IFF_NAPI_FRAGS is not supported it will be silently dropped,
	// so query the effective flags.
	if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
		fail("tun: ioctl(TUNGETIFF) failed");
	tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
	debug("tun_frags_enabled=%d\n", tun_frags_enabled);
#endif

	// Disable IPv6 DAD, otherwise the address remains unusable until DAD completes.
	// Don't panic because this is an optional config.
	char sysctl[64];
	sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
	write_file(sysctl, "0");
	// Disable IPv6 router solicitation to prevent IPv6 spam.
	// Don't panic because this is an optional config.
	sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
	write_file(sysctl, "0");
	// There seems to be no way to disable IPv6 MTD to prevent more IPv6 spam.

	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1)
		fail("socket(AF_NETLINK) failed");

	netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
	netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
	uint64 macaddr = REMOTE_MAC;
	struct in_addr in_addr;
	inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
	netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN);
	struct in6_addr in6_addr;
	inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
	netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN);
	macaddr = LOCAL_MAC;
	netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL);
	close(sock);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_init_net_socket || SYZ_DEVLINK_PCI || __NR_syz_socket_connect_nvme_tcp
const int kInitNetNsFd = 201; // see kMaxFd
#endif

#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI || SYZ_NET_DEVICES

#include <linux/genetlink.h>
#include <stdbool.h>

#define DEVLINK_FAMILY_NAME "devlink"

#define DEVLINK_CMD_PORT_GET 5
#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
#define DEVLINK_CMD_RELOAD 37
#endif
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7
#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
#define DEVLINK_ATTR_NETNS_FD 138
#endif

#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd)
{
	struct genlmsghdr genlhdr;
	int sock;
	int id, err;

	sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock == -1)
		fail("socket(AF_NETLINK) failed");

	id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
	if (id == -1)
		goto error;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = DEVLINK_CMD_RELOAD;
	netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
	netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
	netlink_attr(&nlmsg, DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd));
	err = netlink_send(&nlmsg, sock);
	if (err < 0) {
		debug("netlink: failed to move devlink instance %s/%s into network namespace: %s\n",
		      bus_name, dev_name, strerror(errno));
	}
error:
	close(sock);
}
#endif

static struct nlmsg nlmsg2;

static void initialize_devlink_ports(const char* bus_name, const char* dev_name,
				     const char* netdev_prefix)
{
	struct genlmsghdr genlhdr;
	int len, total_len, id, err, offset;
	uint16 netdev_index;

	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock == -1)
		fail("socket(AF_NETLINK) failed");

	int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (rtsock == -1)
		fail("socket(AF_NETLINK) failed");

	id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
	if (id == -1)
		goto error;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = DEVLINK_CMD_PORT_GET;
	netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
	netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
	netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);

	err = netlink_send_ext(&nlmsg, sock, id, &total_len, true);
	if (err < 0) {
		debug("netlink: failed to get port get reply: %s\n", strerror(errno));
		goto error;
	}

	offset = 0;
	netdev_index = 0;
	while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
		struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
		for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
			if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
				char* port_name;
				char netdev_name[IFNAMSIZ];
				port_name = (char*)(attr + 1);
				snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index);
				netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name);
				break;
			}
		}
		offset += len;
		netdev_index++;
	}
error:
	close(rtsock);
	close(sock);
}

#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
#include <fcntl.h>
#include <sched.h>

static void initialize_devlink_pci(void)
{
#if SYZ_EXECUTOR
	if (!flag_devlink_pci)
		return;
#endif
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		fail("open(/proc/self/ns/net) failed");
	int ret = setns(kInitNetNsFd, 0);
	if (ret == -1)
		fail("set_ns(init_netns_fd) failed");
	netlink_devlink_netns_move("pci", "0000:00:10.0", netns);
	ret = setns(netns, 0);
	if (ret == -1)
		fail("set_ns(this_netns_fd) failed");
	close(netns);

	initialize_devlink_ports("pci", "0000:00:10.0", "netpci");
}
#endif
#endif

#if SYZ_EXECUTOR || SYZ_WIFI || __NR_syz_80211_inject_frame || __NR_syz_80211_join_ibss

#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE \
	{             \
	    0x08, 0x02, 0x11, 0x00, 0x00, 0x00}
#define WIFI_IBSS_BSSID \
	{               \
	    0x50, 0x50, 0x50, 0x50, 0x50, 0x50}
#define WIFI_IBSS_SSID \
	{              \
	    0x10, 0x10, 0x10, 0x10, 0x10, 0x10}
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1

// consts from drivers/net/wireless/mac80211_hwsim.h
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22

#endif

#if SYZ_EXECUTOR || SYZ_WIFI || __NR_syz_80211_join_ibss
#include <linux/genetlink.h>
#include <linux/if_ether.h>
#include <linux/nl80211.h>
#include <linux/rtnetlink.h>
#include <net/if.h>
#include <stdbool.h>
#include <sys/ioctl.h>

// From linux/if.h, but we cannot include the file as it conflicts with net/if.h
#define IF_OPER_UP 6

// IBSS parameters for nl80211_join_ibss
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8* mac;
	uint8* ssid;
	int ssid_len;
};

static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		debug("set_interface_state: failed to open socket, errno %d\n", errno);
		return -1;
	}

	memset(&ifr, 0, sizeof(ifr));
	strcpy(ifr.ifr_name, interface_name);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		debug("set_interface_state: failed to execute SIOCGIFFLAGS, ret %d\n", ret);
		close(sock);
		return -1;
	}

	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;

	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		debug("set_interface_state: failed to execute SIOCSIFFLAGS, ret %d\n", ret);
		return -1;
	}
	return 0;
}

static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32 ifindex,
				 uint32 iftype, bool dofail)
{
	struct genlmsghdr genlhdr;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
	if (err < 0) {
		debug("nl80211_set_interface failed: %s\n", strerror(errno));
	}
	return err;
}

static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32 ifindex,
			     struct join_ibss_props* props, bool dofail)
{
	struct genlmsghdr genlhdr;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
	if (err < 0) {
		debug("nl80211_join_ibss failed: %s\n", strerror(errno));
	}
	return err;
}

static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;

	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		debug("get_ifla_operstate: socket failed: %d\n", errno);
		return -1;
	}

	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail);
	close(sock);

	if (err) {
		debug("get_ifla_operstate: failed to query: %s\n", strerror(errno));
		return -1;
	}

	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}

	return -1;
}

static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000); // 1 ms
		int ret = get_ifla_operstate(nlmsg, ifindex, dofail);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
	return 0;
}

static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface,
					struct join_ibss_props* ibss_props, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0) {
		debug("nl80211_setup_ibss_interface: if_nametoindex failed for %.32s, ret 0\n", interface);
		return -1;
	}

	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail);
	if (ret < 0) {
		debug("nl80211_setup_ibss_interface: nl80211_set_interface failed for %.32s, ret %d\n", interface, ret);
		return -1;
	}

	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		debug("nl80211_setup_ibss_interface: set_interface_state failed for %.32s, ret %d\n", interface, ret);
		return -1;
	}

	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail);
	if (ret < 0) {
		debug("nl80211_setup_ibss_interface: nl80211_join_ibss failed for %.32s, ret %d\n", interface, ret);
		return -1;
	}

	return 0;
}
#endif

#if SYZ_EXECUTOR || SYZ_WIFI
#include <fcntl.h>
#include <linux/rfkill.h>
#include <sys/stat.h>
#include <sys/types.h>

static int hwsim80211_create_device(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8 mac_addr[ETH_ALEN])
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_NEW_RADIO;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_SUPPORT_P2P_DEVICE, NULL, 0);
	netlink_attr(nlmsg, HWSIM_ATTR_PERM_ADDR, mac_addr, ETH_ALEN);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
		debug("hwsim80211_create_device failed: %s\n", strerror(errno));
	}
	return err;
}

static void initialize_wifi_devices(void)
{
	// Set up virtual wifi devices and join them into an IBSS network.
	// An IBSS network is created here in order to put these devices in an operable state right from
	// the beginning. It has the following positive effects.
	// 1. Frame injection becomes possible from the very start.
	// 2. A number of nl80211 commands expect their target wireless interface to be in an operable state.
	// 3. Simplification of reproducer generation - in many cases the reproducer will not have to spend time
	//    selecting system calls that set up the environment.
	//
	// IBSS network was chosen as the simplest network type to begin with.

#if SYZ_EXECUTOR
	if (!flag_wifi)
		return;
#endif
	int rfkill = open("/dev/rfkill", O_RDWR);
	if (rfkill == -1)
		fail("open(/dev/rfkill) failed");
	struct rfkill_event event = {0};
	event.type = RFKILL_TYPE_ALL;
	event.op = RFKILL_OP_CHANGE_ALL;
	if (write(rfkill, &event, sizeof(event)) != (ssize_t)(sizeof(event)))
		fail("write(/dev/rfkill) failed");
	close(rfkill);

	uint8 mac_addr[6] = WIFI_MAC_BASE;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0)
		fail("initialize_wifi_devices: failed to create socket");
	int hwsim_family_id = netlink_query_family_id(&nlmsg, sock, "MAC80211_HWSIM", true);
	int nl80211_family_id = netlink_query_family_id(&nlmsg, sock, "nl80211", true);
	if (hwsim_family_id < 0 || nl80211_family_id < 0)
		fail("netlink_query_family_id failed");
	uint8 ssid[] = WIFI_IBSS_SSID;
	uint8 bssid[] = WIFI_IBSS_BSSID;
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = true, .mac = bssid, .ssid = ssid, .ssid_len = sizeof(ssid)};

	for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) {
		// Virtual wifi devices will have consequtive mac addresses
		mac_addr[5] = device_id;
		int ret = hwsim80211_create_device(&nlmsg, sock, hwsim_family_id, mac_addr);
		if (ret < 0)
			failmsg("initialize_wifi_devices: failed to create device", "device=%d", device_id);

		// For each device, unless HWSIM_ATTR_NO_VIF is passed, a network interface is created
		// automatically. Such interfaces are named "wlan0", "wlan1" and so on.
		char interface[6] = "wlan0";
		interface[4] += device_id;

		if (nl80211_setup_ibss_interface(&nlmsg, sock, nl80211_family_id, interface, &ibss_props, true) < 0)
			failmsg("initialize_wifi_devices: failed set up IBSS network", "device=%d", device_id);
	}

	// Wait for all devices to join the IBSS network
	for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) {
		char interface[6] = "wlan0";
		interface[4] += device_id;
		int ret = await_ifla_operstate(&nlmsg, interface, IF_OPER_UP, true);
		if (ret < 0)
			failmsg("initialize_wifi_devices: get_ifla_operstate failed",
				"device=%d, ret=%d", device_id, ret);
	}

	close(sock);
}
#endif

#if SYZ_EXECUTOR || (SYZ_NET_DEVICES && SYZ_NIC_VF) || SYZ_SWAP
static int runcmdline(char* cmdline)
{
	debug("%s\n", cmdline);
	int ret = system(cmdline);
	if (ret) {
		debug("FAIL: %s\n", cmdline);
	}
	return ret;
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_DEVICES
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <stdarg.h>
#include <stdbool.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/uio.h>

#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/tcp.h>

// Addresses are chosen to be in the same subnet as tun addresses.
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02x"
#define DEV_MAC 0x00aaaaaaaaaa

static void netdevsim_add(unsigned int addr, unsigned int port_count)
{
	// These devices are sticky and are not deleted on net namespace destruction.
	// So try to delete the previous version of the device.
	write_file("/sys/bus/netdevsim/del_device", "%u", addr);
	if (write_file("/sys/bus/netdevsim/new_device", "%u %u", addr, port_count)) {
		char buf[32];
		snprintf(buf, sizeof(buf), "netdevsim%d", addr);
		initialize_devlink_ports("netdevsim", buf, "netdevsim");
	}
}

#define WG_GENL_NAME "wireguard"
enum wg_cmd {
	WG_CMD_GET_DEVICE,
	WG_CMD_SET_DEVICE,
};
enum wgdevice_attribute {
	WGDEVICE_A_UNSPEC,
	WGDEVICE_A_IFINDEX,
	WGDEVICE_A_IFNAME,
	WGDEVICE_A_PRIVATE_KEY,
	WGDEVICE_A_PUBLIC_KEY,
	WGDEVICE_A_FLAGS,
	WGDEVICE_A_LISTEN_PORT,
	WGDEVICE_A_FWMARK,
	WGDEVICE_A_PEERS,
};
enum wgpeer_attribute {
	WGPEER_A_UNSPEC,
	WGPEER_A_PUBLIC_KEY,
	WGPEER_A_PRESHARED_KEY,
	WGPEER_A_FLAGS,
	WGPEER_A_ENDPOINT,
	WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
	WGPEER_A_LAST_HANDSHAKE_TIME,
	WGPEER_A_RX_BYTES,
	WGPEER_A_TX_BYTES,
	WGPEER_A_ALLOWEDIPS,
	WGPEER_A_PROTOCOL_VERSION,
};
enum wgallowedip_attribute {
	WGALLOWEDIP_A_UNSPEC,
	WGALLOWEDIP_A_FAMILY,
	WGALLOWEDIP_A_IPADDR,
	WGALLOWEDIP_A_CIDR_MASK,
};

static void netlink_wireguard_setup(void)
{
	const char ifname_a[] = "wg0";
	const char ifname_b[] = "wg1";
	const char ifname_c[] = "wg2";
	const char private_a[] = "\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43";
	const char private_b[] = "\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e";
	const char private_c[] = "\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42";
	const char public_a[] = "\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c";
	const char public_b[] = "\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b";
	const char public_c[] = "\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22";
	const uint16 listen_a = 20001;
	const uint16 listen_b = 20002;
	const uint16 listen_c = 20003;
	const uint16 af_inet = AF_INET;
	const uint16 af_inet6 = AF_INET6;
	// Unused, but useful in case we change this:
	// const struct sockaddr_in endpoint_a_v4 = {
	//     .sin_family = AF_INET,
	//     .sin_port = htons(listen_a),
	//     .sin_addr = {htonl(INADDR_LOOPBACK)}};
	const struct sockaddr_in endpoint_b_v4 = {
	    .sin_family = AF_INET,
	    .sin_port = htons(listen_b),
	    .sin_addr = {htonl(INADDR_LOOPBACK)}};
	const struct sockaddr_in endpoint_c_v4 = {
	    .sin_family = AF_INET,
	    .sin_port = htons(listen_c),
	    .sin_addr = {htonl(INADDR_LOOPBACK)}};
	struct sockaddr_in6 endpoint_a_v6 = {
	    .sin6_family = AF_INET6,
	    .sin6_port = htons(listen_a)};
	endpoint_a_v6.sin6_addr = in6addr_loopback;
	// Unused, but useful in case we change this:
	// const struct sockaddr_in6 endpoint_b_v6 = {
	//     .sin6_family = AF_INET6,
	//     .sin6_port = htons(listen_b)};
	// endpoint_b_v6.sin6_addr = in6addr_loopback;
	struct sockaddr_in6 endpoint_c_v6 = {
	    .sin6_family = AF_INET6,
	    .sin6_port = htons(listen_c)};
	endpoint_c_v6.sin6_addr = in6addr_loopback;
	const struct in_addr first_half_v4 = {0};
	const struct in_addr second_half_v4 = {(uint32)htonl(128 << 24)};
	const struct in6_addr first_half_v6 = {{{0}}};
	const struct in6_addr second_half_v6 = {{{0x80}}};
	const uint8 half_cidr = 1;
	const uint16 persistent_keepalives[] = {1, 3, 7, 9, 14, 19};

	struct genlmsghdr genlhdr = {
	    .cmd = WG_CMD_SET_DEVICE,
	    .version = 1};
	int sock;
	int id, err;

	sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock == -1) {
		debug("socket(AF_NETLINK) failed: %s\n", strerror(errno));
		return;
	}

	id = netlink_query_family_id(&nlmsg, sock, WG_GENL_NAME, true);
	if (id == -1)
		goto error;

	netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1);
	netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32);
	netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
	netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4));
	netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[0], 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
	netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6, sizeof(endpoint_c_v6));
	netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[1], 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	err = netlink_send(&nlmsg, sock);
	if (err < 0) {
		debug("netlink: failed to setup wireguard instance: %s\n", strerror(errno));
	}

	netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1);
	netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32);
	netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
	netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6));
	netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[2], 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
	netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4, sizeof(endpoint_c_v4));
	netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[3], 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	err = netlink_send(&nlmsg, sock);
	if (err < 0) {
		debug("netlink: failed to setup wireguard instance: %s\n", strerror(errno));
	}

	netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1);
	netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32);
	netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
	netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6));
	netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[4], 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
	netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4));
	netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[5], 2);
	netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_nest(&nlmsg, NLA_F_NESTED | 0);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
	netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6));
	netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	netlink_done(&nlmsg);
	err = netlink_send(&nlmsg, sock);
	if (err < 0) {
		debug("netlink: failed to setup wireguard instance: %s\n", strerror(errno));
	}

error:
	close(sock);
}

#if SYZ_EXECUTOR || SYZ_NIC_VF

static void netlink_nicvf_setup(void)
{
	char cmdline[256];

#if SYZ_EXECUTOR
	if (!flag_nic_vf)
		return;
#endif
	if (!vf_intf.ppid)
		return;

	debug("ppid = %d, vf_intf.pass_thru_intf: %s\n",
	      vf_intf.ppid, vf_intf.pass_thru_intf);

	sprintf(cmdline, "nsenter -t 1 -n ip link set %s netns %d",
		vf_intf.pass_thru_intf, getpid());
	if (runcmdline(cmdline))
		failmsg("failed to run command", "%s", cmdline);
	sprintf(cmdline, "ip a s %s", vf_intf.pass_thru_intf);
	if (runcmdline(cmdline))
		failmsg("failed to run command", "%s", cmdline);
	sprintf(cmdline, "ip link set %s down", vf_intf.pass_thru_intf);
	if (runcmdline(cmdline))
		failmsg("failed to run command", "%s", cmdline);
	sprintf(cmdline, "ip link set %s name nicvf0", vf_intf.pass_thru_intf);
	if (runcmdline(cmdline))
		failmsg("failed to run command", "%s", cmdline);
	debug("nicvf0 VF pass-through setup complete.\n");
}
#endif // SYZ_NIC_VF

// We test in a separate namespace, which does not have any network devices initially (even lo).
// Create/up as many as we can.
static void initialize_netdevices(void)
{
#if SYZ_EXECUTOR
	if (!flag_net_devices)
		return;
#endif
	// TODO: add the following devices:
	// - vxlan
	// - ipip
	// - lowpan (requires link to device of type IEEE802154, e.g. wpan0)
	// - ipoib (requires link to device of type ARPHRD_INFINIBAND)
	// - vrf
	// - rmnet
	// - openvswitch
	// Naive attempts to add devices of these types fail with various errors.
	// Also init namespace contains the following devices (which presumably can't be
	// created in non-init namespace), can we use them somehow?
	// - ifb0/1
	// - teql0
	// - eql
	// Note: netdevsim devices can't have the same name even in different namespaces.
	char netdevsim[16];
	sprintf(netdevsim, "netdevsim%d", (int)procid);
	struct {
		const char* type;
		const char* dev;
	} devtypes[] = {
	    // Note: ip6erspan device can't be added if ip6gretap exists in the same namespace.
	    {"ip6gretap", "ip6gretap0"},
	    {"bridge", "bridge0"},
	    {"vcan", "vcan0"},
	    {"bond", "bond0"},
	    {"team", "team0"},
	    {"dummy", "dummy0"},
#if SYZ_EXECUTOR || SYZ_NIC_VF
	    {"nicvf", "nicvf0"},
#endif
	    {"nlmon", "nlmon0"},
	    {"caif", "caif0"},
	    {"batadv", "batadv0"},
	    // Note: this adds vxcan0/vxcan1 pair, similar to veth (creating vxcan0 would fail).
	    {"vxcan", "vxcan1"},
	    // This adds connected veth0 and veth1 devices.
	    {"veth", 0},
	    {"wireguard", "wg0"},
	    {"wireguard", "wg1"},
	    {"wireguard", "wg2"},
	};
	const char* devmasters[] = {"bridge", "bond", "team", "batadv"};
	// If you extend this array, also update netdev_addr_id in vnet.txt
	// and devnames in socket.txt.
	struct {
		const char* name;
		int macsize;
		bool noipv6;
	} devices[] = {
	    {"lo", ETH_ALEN},
	    {"sit0", 0},
	    {"bridge0", ETH_ALEN},
	    {"vcan0", 0, true},
	    {"tunl0", 0},
	    {"gre0", 0},
	    {"gretap0", ETH_ALEN},
	    {"ip_vti0", 0},
	    {"ip6_vti0", 0},
	    {"ip6tnl0", 0},
	    {"ip6gre0", 0},
	    {"ip6gretap0", ETH_ALEN},
	    {"erspan0", ETH_ALEN},
	    {"bond0", ETH_ALEN},
	    {"veth0", ETH_ALEN},
	    {"veth1", ETH_ALEN},
	    {"team0", ETH_ALEN},
	    {"veth0_to_bridge", ETH_ALEN},
	    {"veth1_to_bridge", ETH_ALEN},
	    {"veth0_to_bond", ETH_ALEN},
	    {"veth1_to_bond", ETH_ALEN},
	    {"veth0_to_team", ETH_ALEN},
	    {"veth1_to_team", ETH_ALEN},
	    {"veth0_to_hsr", ETH_ALEN},
	    {"veth1_to_hsr", ETH_ALEN},
	    {"hsr0", 0},
	    {"dummy0", ETH_ALEN},
#if SYZ_EXECUTOR || SYZ_NIC_VF
	    {"nicvf0", 0, true},
#endif
	    {"nlmon0", 0},
	    {"vxcan0", 0, true},
	    {"vxcan1", 0, true},
	    {"caif0", ETH_ALEN}, // TODO: up'ing caif fails with ENODEV
	    {"batadv0", ETH_ALEN},
	    {netdevsim, ETH_ALEN},
	    {"xfrm0", ETH_ALEN},
	    {"veth0_virt_wifi", ETH_ALEN},
	    {"veth1_virt_wifi", ETH_ALEN},
	    {"virt_wifi0", ETH_ALEN},
	    {"veth0_vlan", ETH_ALEN},
	    {"veth1_vlan", ETH_ALEN},
	    {"vlan0", ETH_ALEN},
	    {"vlan1", ETH_ALEN},
	    {"macvlan0", ETH_ALEN},
	    {"macvlan1", ETH_ALEN},
	    {"ipvlan0", ETH_ALEN},
	    {"ipvlan1", ETH_ALEN},
	    {"veth0_macvtap", ETH_ALEN},
	    {"veth1_macvtap", ETH_ALEN},
	    {"macvtap0", ETH_ALEN},
	    {"macsec0", ETH_ALEN},
	    {"veth0_to_batadv", ETH_ALEN},
	    {"veth1_to_batadv", ETH_ALEN},
	    {"batadv_slave_0", ETH_ALEN},
	    {"batadv_slave_1", ETH_ALEN},
	    {"geneve0", ETH_ALEN},
	    {"geneve1", ETH_ALEN},
	    {"wg0", 0},
	    {"wg1", 0},
	    {"wg2", 0},
	};
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1)
		fail("socket(AF_NETLINK) failed");
	unsigned i;
	for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
		netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev);
	// This creates connected bridge/bond/team_slave devices of type veth,
	// and makes them slaves of bridge/bond/team devices, respectively.
	// Note: slave devices don't need MAC/IP addresses, only master devices.
	//       veth0_to_* is not slave devices, which still need ip addresses.
	for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
		char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
		sprintf(slave0, "%s_slave_0", devmasters[i]);
		sprintf(veth0, "veth0_to_%s", devmasters[i]);
		netlink_add_veth(&nlmsg, sock, slave0, veth0);
		sprintf(slave1, "%s_slave_1", devmasters[i]);
		sprintf(veth1, "veth1_to_%s", devmasters[i]);
		netlink_add_veth(&nlmsg, sock, slave1, veth1);
		sprintf(master, "%s0", devmasters[i]);
		netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL);
		netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL);
	}
	netlink_add_xfrm(&nlmsg, sock, "xfrm0");

	// bond/team_slave_* will set up automatically when set their master.
	// But bridge_slave_* need to set up manually.
	netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL);
	netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL);

	// Setup hsr device (slightly different from what we do for devmasters).
	netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr");
	netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr");
	netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
	netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL);
	netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL);

	netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi");
	netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0", "veth1_virt_wifi");

	netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan");
	netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q));
	netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD));
	netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan");
	netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan");
	netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0);
	netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S, IPVLAN_F_VEPA);

	netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap");
	netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap");
	netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap");

	char addr[32];
	sprintf(addr, DEV_IPV4, 14 + 10); // should point to veth0
	struct in_addr geneve_addr4;
	if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0)
		fail("geneve0 inet_pton failed");
	struct in6_addr geneve_addr6;
	// Must not be link local (our device addresses are link local).
	if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0)
		fail("geneve1 inet_pton failed");
	netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0);
	netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6);

	netdevsim_add((int)procid, 4); // Number of port is in sync with value in sys/linux/socket_netlink_generic_devlink.txt

	netlink_wireguard_setup();

#if SYZ_EXECUTOR || SYZ_NIC_VF
	netlink_nicvf_setup();
#endif

	for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
		// Assign some unique address to devices. Some devices won't up without this.
		// Shift addresses by 10 because 0 subnet address can mean special things.
		char addr[32];
		sprintf(addr, DEV_IPV4, i + 10);
		netlink_add_addr4(&nlmsg, sock, devices[i].name, addr);
		if (!devices[i].noipv6) {
			sprintf(addr, DEV_IPV6, i + 10);
			netlink_add_addr6(&nlmsg, sock, devices[i].name, addr);
		}
		uint64 macaddr = DEV_MAC + ((i + 10ull) << 40);
		netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr, devices[i].macsize, NULL);
	}
	close(sock);
}

// Same as initialize_netdevices, but called in init net namespace.
static void initialize_netdevices_init(void)
{
#if SYZ_EXECUTOR
	if (!flag_net_devices)
		return;
#endif
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1)
		fail("socket(AF_NETLINK) failed");
	struct {
		const char* type;
		int macsize;
		bool noipv6;
		bool noup;
	} devtypes[] = {
	    // NETROM device, see net/netrom/{af_netrom,nr_dev}.c
	    {"nr", 7, true},
	    // ROSE device, see net/rose/{af_rose,rose_dev}.c
	    // We don't up it yet because it crashes kernel right away:
	    // https://groups.google.com/d/msg/syzkaller/v-4B3zoBC-4/02SCKEzJBwAJ
	    {"rose", 5, true, true},
	};
	unsigned i;
	for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
		char dev[32], addr[32];
		sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
		// Note: syscall descriptions know these addresses.
		sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
		netlink_add_addr4(&nlmsg, sock, dev, addr);
		if (!devtypes[i].noipv6) {
			sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
			netlink_add_addr6(&nlmsg, sock, dev, addr);
		}
		int macsize = devtypes[i].macsize;
		uint64 macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) +
				 (procid << (8 * (macsize - 1)));
		netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr, macsize, NULL);
	}
	close(sock);

#if SYZ_EXECUTOR || SYZ_NIC_VF
	find_vf_interface();
#endif
}
#endif

#if SYZ_EXECUTOR || SYZ_NET_INJECTION && (__NR_syz_extract_tcp_res || SYZ_REPEAT)
#include <errno.h>

static int read_tun(char* data, int size)
{
	if (tunfd < 0)
		return -1;

	int rv = read(tunfd, data, size);
	if (rv < 0) {
		// EBADF can be returned if the test closes tunfd with close_range syscall.
		// Tun sometimes returns EBADFD, unclear if it's a kernel bug or not.
		if (errno == EAGAIN || errno == EBADF || errno == EBADFD)
			return -1;
		fail("tun read failed");
	}
	return rv;
}
#endif

#if SYZ_EXECUTOR || __NR_syz_emit_ethernet && SYZ_NET_INJECTION
#include <stdbool.h>
#include <sys/uio.h>

#if ENABLE_NAPI_FRAGS
#define MAX_FRAGS 4
struct vnet_fragmentation {
	uint32 full;
	uint32 count;
	uint32 frags[MAX_FRAGS];
};
#endif

static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2)
{
	// syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt])
	// vnet_fragmentation {
	// 	full	int32[0:1]
	// 	count	int32[1:4]
	// 	frags	array[int32[0:4096], 4]
	// }
	if (tunfd < 0)
		return (uintptr_t)-1;

	uint32 length = a0;
	char* data = (char*)a1;
	debug_dump_data(data, length);

#if ENABLE_NAPI_FRAGS
	struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2;
	struct iovec vecs[MAX_FRAGS + 1];
	uint32 nfrags = 0;
	if (!tun_frags_enabled || frags == NULL) {
		vecs[nfrags].iov_base = data;
		vecs[nfrags].iov_len = length;
		nfrags++;
	} else {
		bool full = frags->full;
		uint32 count = frags->count;
		if (count > MAX_FRAGS)
			count = MAX_FRAGS;
		uint32 i;
		for (i = 0; i < count && length != 0; i++) {
			uint32 size = frags->frags[i];
			if (size > length)
				size = length;
			vecs[nfrags].iov_base = data;
			vecs[nfrags].iov_len = size;
			nfrags++;
			data += size;
			length -= size;
		}
		if (length != 0 && (full || nfrags == 0)) {
			vecs[nfrags].iov_base = data;
			vecs[nfrags].iov_len = length;
			nfrags++;
		}
	}
	return writev(tunfd, vecs, nfrags);
#else
	return write(tunfd, data, length);
#endif
}
#endif

#if SYZ_EXECUTOR || __NR_syz_io_uring_submit || __NR_syz_io_uring_complete || __NR_syz_io_uring_setup

#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16

// Once a io_uring is set up by calling io_uring_setup, the offsets to the member fields
// to be used on the mmap'ed area are set in structs io_sqring_offsets and io_cqring_offsets.
// Except io_sqring_offsets.array, the offsets are static while all depend on how struct io_rings
// is organized in code. The offsets can be marked as resources in syzkaller descriptions but
// this makes it difficult to generate correct programs by the fuzzer. Thus, the offsets are
// hard-coded here (and in the descriptions), and array offset is later computed once the number
// of entries is available. Another way to obtain the offsets is to setup another io_uring here
// and use what it returns. It is slower but might be more maintainable.
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

#if SYZ_EXECUTOR || __NR_syz_io_uring_complete

// From linux/io_uring.h
struct io_uring_cqe {
	uint64 user_data;
	uint32 res;
	uint32 flags;
};

static long syz_io_uring_complete(volatile long a0)
{
	// syzlang: syz_io_uring_complete(ring_ptr ring_ptr)
	// C:       syz_io_uring_complete(char* ring_ptr)

	// It is not checked if the ring is empty

	// Cast to original
	char* ring_ptr = (char*)a0;

	// Compute the head index and the next head value
	uint32 cq_ring_mask = *(uint32*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32* cq_head_ptr = (uint32*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32 cq_head = *cq_head_ptr & cq_ring_mask;
	uint32 cq_head_next = *cq_head_ptr + 1;

	// Compute the ptr to the src cq entry on the ring
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;

	// Get the cq entry from the ring
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));

	// Advance the head. Head is a free-flowing integer and relies on natural wrapping.
	// Ensure that the kernel will never see a head update without the preceeding CQE
	// stores being done.
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);

	// In the descriptions (sys/linux/io_uring.txt), openat and openat2 are passed
	// with a unique range of sqe.user_data (0x12345 and 0x23456) to identify the operations
	// which produces an fd instance. Check cqe.user_data, which should be the same
	// as sqe.user_data for that operation. If it falls in that unique range, return
	// cqe.res as fd. Otherwise, just return an invalid fd.
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

#endif

#if SYZ_EXECUTOR || __NR_syz_io_uring_setup

struct io_sqring_offsets {
	uint32 head;
	uint32 tail;
	uint32 ring_mask;
	uint32 ring_entries;
	uint32 flags;
	uint32 dropped;
	uint32 array;
	uint32 resv1;
	uint64 resv2;
};

struct io_cqring_offsets {
	uint32 head;
	uint32 tail;
	uint32 ring_mask;
	uint32 ring_entries;
	uint32 overflow;
	uint32 cqes;
	uint64 resv[2];
};

struct io_uring_params {
	uint32 sq_entries;
	uint32 cq_entries;
	uint32 flags;
	uint32 sq_thread_cpu;
	uint32 sq_thread_idle;
	uint32 features;
	uint32 resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define IORING_SETUP_SQE128 (1U << 10)
#define IORING_SETUP_CQE32 (1U << 11)

#include <sys/mman.h>
#include <unistd.h>

// Wrapper for io_uring_setup and the subsequent mmap calls that map the ring and the sqes
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	// syzlang: syz_io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params], ring_ptr ptr[out, ring_ptr], sqes_ptr ptr[out, sqes_ptr]) fd_io_uring
	// C:       syz_io_uring_setup(uint32 entries, struct io_uring_params* params, void** ring_ptr_out, void** sqes_ptr_out) // returns uint32 fd_io_uring

	// Cast to original
	uint32 entries = (uint32)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void** ring_ptr_out = (void**)a2;
	void** sqes_ptr_out = (void**)a3;
	// Temporarily disable IORING_SETUP_CQE32 and IORING_SETUP_SQE128 that may change SIZEOF_IO_URING_CQE and SIZEOF_IO_URING_SQE.
	// Tracking bug: https://github.com/google/syzkaller/issues/4531.
	setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
	uint32 fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);

	// Compute the ring sizes
	uint32 sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32);
	uint32 cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;

	// Asssumed IORING_FEAT_SINGLE_MMAP, which is always the case with the current implementation
	// The implication is that the sq_ring_ptr and the cq_ring_ptr are the same but the
	// difference is in the offsets to access the fields of these rings.
	uint32 ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);

	uint32 sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);

	uint32* array = (uint32*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array);
	for (uint32 index = 0; index < entries; index++)
		array[index] = index;

	return fd_io_uring;
}

#endif

#if SYZ_EXECUTOR || __NR_syz_io_uring_submit

static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	// syzlang: syz_io_uring_submit(ring_ptr ring_ptr, sqes_ptr sqes_ptr, 		sqe ptr[in, io_uring_sqe])
	// C:       syz_io_uring_submit(char* ring_ptr,       io_uring_sqe* sqes_ptr,    io_uring_sqe* sqe)

	// It is not checked if the ring is full

	// Cast to original
	char* ring_ptr = (char*)a0; // This will be exposed to offsets in bytes
	char* sqes_ptr = (char*)a1;

	char* sqe = (char*)a2;

	uint32 sq_ring_mask = *(uint32*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32* sq_tail_ptr = (uint32*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32 sq_tail = *sq_tail_ptr & sq_ring_mask;

	// Get the ptr to the destination for the sqe
	char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;

	// Write the sqe entry to its destination in sqes
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);

	// Write the index to the sqe array
	uint32 sq_tail_next = *sq_tail_ptr + 1;

	// Advance the tail. Tail is a free-flowing integer and relies on natural wrapping.
	// Ensure that the kernel will never see a tail update without the preceeding SQE
	// stores being done.
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);

	// Now the application is free to call io_uring_enter() to submit the sqe
	return 0;
}

#endif

#endif

#if SYZ_EXECUTOR || __NR_syz_usbip_server_init

#include <errno.h>
#include <fcntl.h>
#include <linux/usb/ch9.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

// This should be coherent with CONFIG_USBIP_VHCI_HC_PORTS.
#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

static long syz_usbip_server_init(volatile long a0)
{
	// port_alloc[0] corresponds to ports which can be used by usb2 and
	// port_alloc[1] corresponds to ports which can be used by usb3.
	static int port_alloc[2];

	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);

	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) {
		// This can happen if the test calls prlimit(RLIMIT_AS).
		debug("syz_usbip_server_init: socketpair failed (%d)\n", errno);
		return -1;
	}

	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];

	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	if (available_port_num > VHCI_HC_PORTS) {
		debug("syz_usbip_server_init : no more available port for : %d\n", available_port_num);
		return -1;
	}

	// Each port number corresponds to a particular vhci_hcd (USB/IP Virtual Host Controller) and it is used by either
	// an usb2 device or usb3 device. There are 16 ports available in each vhci_hcd.
	// (VHCI_PORTS = 16 in our case.) When they are occupied, the following vhci_hcd's ports are used.
	// First 16 ports correspond to vhci_hcd0, next 16 ports correspond to
	// vhci_hcd1 etc. In a vhci_hcd, first 8 ports are used by usb2 devices and last 8 are used by usb3 devices.
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;

	// Under normal USB/IP usage, devid represents the device ID on the server.
	// When fuzzing with syzkaller we don't have an actual server or an actual device, so use 0 for devid.
	char buffer[100];
	sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed);

	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

#endif

#if SYZ_EXECUTOR || __NR_syz_btf_id_by_name

#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

// Some items in linux/btf.h are relatively new, so we copy them here for
// backward compatibility.
#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info) & 0xffff)

#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Set the limit on the maximum size of btf/vmlinux to be 10 MiB.
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Read out all the content of /sys/kernel/btf/vmlinux to the fixed address
// buffer and return it. Return NULL if failed.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	// There could be a race condition here, but it should not be harmful.
	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read,
				   VMLINUX_MAX_SUPPORT_SIZE - bytes_read);

		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;

		if (ret == 0)
			break;

		bytes_read += ret;
	}

	is_read = true;
	return buf;
}

// Given a pointer to a C-string as the only argument a0, return the
// corresponding btf ID for this name. Return -1 if there is an error when
// opening the vmlinux file or the name is not found in vmlinux.
static long syz_btf_id_by_name(volatile long a0)
{
	// syzlang: syz_btf_id_by_name(name ptr[in, string]) btf_id
	// C:		syz_btf_id_by_name(char* name)
	char* target = (char*)a0;

	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;

	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	// These offsets are bytes relative to the end of the header.
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	// Scan through the btf type section, and find a type description that
	// matches the provided name.
	unsigned int bytes_parsed = 0;
	// BTF index starts at 1.
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32 kind = BTF_INFO_KIND(btf_type->info);
		uint32 vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;

		if (strcmp(name, target) == 0)
			return idx;

		// From /include/uapi/linux/btf.h, some kinds of types are
		// followed by extra data.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}

		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}

	return -1;
}

#endif // SYZ_EXECUTOR || __NR_syz_btf_id_by_name

// Same as memcpy except that it accepts offset to dest and src.
#if SYZ_EXECUTOR || __NR_syz_memcpy_off
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	// C:       syz_memcpy_off(void* dest, uint32 dest_off, void* src, uint32 src_off, size_t n)

	// Cast to original
	char* dest = (char*)a0;
	uint32 dest_off = (uint32)a1;
	char* src = (char*)a2;
	uint32 src_off = (uint32)a3;
	size_t n = (size_t)a4;

	return (long)memcpy(dest + dest_off, src + src_off, n);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_create_resource
// syz_create_resource(val intptr) intptr
// Variants of this pseudo-syscall are used to create resources from arbitrary values.
// For example:
//   syz_create_resource$foo(x int32) resource_foo
// allows the fuzzer to use the same random int32 value in multiple syscalls,
// and should increase probability of generation of syscalls related to foo.
static long syz_create_resource(volatile long val)
{
	return val;
}
#endif

#if (SYZ_EXECUTOR || SYZ_REPEAT && SYZ_NET_INJECTION) && SYZ_EXECUTOR_USES_FORK_SERVER
static void flush_tun()
{
#if SYZ_EXECUTOR
	if (!flag_net_injection)
		return;
#endif
	char data[1000];
	while (read_tun(&data[0], sizeof(data)) != -1) {
	}
}
#endif

#if SYZ_EXECUTOR || __NR_syz_extract_tcp_res && SYZ_NET_INJECTION
#ifndef __ANDROID__
// Can't include <linux/ipv6.h>, since it causes
// conflicts due to some structs redefinition.
struct ipv6hdr {
	__u8 priority : 4,
	    version : 4;
	__u8 flow_lbl[3];

	__be16 payload_len;
	__u8 nexthdr;
	__u8 hop_limit;

	struct in6_addr saddr;
	struct in6_addr daddr;
};
#endif

struct tcp_resources {
	uint32 seq;
	uint32 ack;
};

static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
{
	// syz_extract_tcp_res(res ptr[out, tcp_resources], seq_inc int32, ack_inc int32)

	if (tunfd < 0)
		return (uintptr_t)-1;

	// We just need this to be large enough to hold headers that we parse (ethernet/ip/tcp).
	// Rest of the packet (if any) will be silently truncated which is fine.
	char data[1000];
	int rv = read_tun(&data[0], sizeof(data));
	if (rv == -1)
		return (uintptr_t)-1;
	size_t length = rv;
	debug_dump_data(data, length);

	if (length < sizeof(struct ethhdr))
		return (uintptr_t)-1;
	struct ethhdr* ethhdr = (struct ethhdr*)&data[0];

	struct tcphdr* tcphdr = 0;
	if (ethhdr->h_proto == htons(ETH_P_IP)) {
		if (length < sizeof(struct ethhdr) + sizeof(struct iphdr))
			return (uintptr_t)-1;
		struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)];
		if (iphdr->protocol != IPPROTO_TCP)
			return (uintptr_t)-1;
		if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr))
			return (uintptr_t)-1;
		tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4];
	} else {
		if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr))
			return (uintptr_t)-1;
		struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)];
		// TODO: parse and skip extension headers.
		if (ipv6hdr->nexthdr != IPPROTO_TCP)
			return (uintptr_t)-1;
		if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr))
			return (uintptr_t)-1;
		tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)];
	}

	struct tcp_resources* res = (struct tcp_resources*)a0;
	res->seq = htonl((ntohl(tcphdr->seq) + (uint32)a1));
	res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32)a2));

	debug("extracted seq: %08x\n", res->seq);
	debug("extracted ack: %08x\n", res->ack);

	return 0;
}
#endif

#if SYZ_EXECUTOR || SYZ_CLOSE_FDS || __NR_syz_usb_connect || __NR_syz_usb_connect_ath9k
#define MAX_FDS 30
#endif

#if SYZ_EXECUTOR || __NR_syz_usb_connect || __NR_syz_usb_connect_ath9k ||       \
    __NR_syz_usb_ep_write || __NR_syz_usb_ep_read || __NR_syz_usb_control_io || \
    __NR_syz_usb_disconnect
#include <errno.h>
#include <fcntl.h>
#include <linux/usb/ch9.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>

#include "common_usb_linux.h"
#endif

#if SYZ_EXECUTOR || __NR_syz_open_dev
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		// syz_open_dev$char(dev const[0xc], major intptr, minor intptr) fd
		// syz_open_dev$block(dev const[0xb], major intptr, minor intptr) fd
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8)a1, (uint8)a2);
		return open(buf, O_RDWR, 0);
	} else {
		// syz_open_dev(dev ptr[in, string["/dev/foo#"]], id intptr, flags flags[open_flags]) fd
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10); // 10 devices should be enough for everyone.
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}
#endif

#if SYZ_EXECUTOR || __NR_syz_open_procfs
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

static long syz_open_procfs(volatile long a0, volatile long a1)
{
	// syz_open_procfs(pid pid, file ptr[in, string[procfs_file]]) fd

	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}
#endif

#if SYZ_EXECUTOR || __NR_syz_open_pts
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>

static long syz_open_pts(volatile long a0, volatile long a1)
{
	// syz_openpts(fd fd[tty], flags flags[open_flags]) fd[tty]
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_init_net_socket
#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID
#include <fcntl.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

// syz_init_net_socket opens a socket in init net namespace.
// Used for families that can only be created in init net namespace.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0)) {
		// The operation may fail if the fd is closed by
		// a syscall from another thread.
		exitf("setns(netns) failed");
	}
	close(netns);
	errno = err;
	return sock;
}
#else
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	return syscall(__NR_socket, domain, type, proto);
}
#endif
#endif

#if SYZ_EXECUTOR || __NR_syz_socket_connect_nvme_tcp
#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sched.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		// The operation may fail if the fd is closed by
		// a syscall from another thread.
		exitf("setns(netns) failed");
	}
	close(netns);
	errno = err;
	// We only connect to an NVMe-oF/TCP server on 127.0.0.1:4420
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}
#else
static long syz_socket_connect_nvme_tcp()
{
	return syscall(__NR_socket, -1, 0, 0);
}
#endif
#endif

#if SYZ_EXECUTOR || SYZ_VHCI_INJECTION
#include <errno.h>
#include <fcntl.h>
#include <linux/rfkill.h>
#include <pthread.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define BTPROTO_HCI 1
#define ACL_LINK 1
#define SCAN_PAGE 2

typedef struct {
	uint8 b[6];
} __attribute__((packed)) bdaddr_t;

#define HCI_COMMAND_PKT 1
#define HCI_EVENT_PKT 4
#define HCI_VENDOR_PKT 0xff

struct hci_command_hdr {
	uint16 opcode;
	uint8 plen;
} __attribute__((packed));

struct hci_event_hdr {
	uint8 evt;
	uint8 plen;
} __attribute__((packed));

#define HCI_EV_CONN_COMPLETE 0x03
struct hci_ev_conn_complete {
	uint8 status;
	uint16 handle;
	bdaddr_t bdaddr;
	uint8 link_type;
	uint8 encr_mode;
} __attribute__((packed));

#define HCI_EV_CONN_REQUEST 0x04
struct hci_ev_conn_request {
	bdaddr_t bdaddr;
	uint8 dev_class[3];
	uint8 link_type;
} __attribute__((packed));

#define HCI_EV_REMOTE_FEATURES 0x0b
struct hci_ev_remote_features {
	uint8 status;
	uint16 handle;
	uint8 features[8];
} __attribute__((packed));

#define HCI_EV_CMD_COMPLETE 0x0e
struct hci_ev_cmd_complete {
	uint8 ncmd;
	uint16 opcode;
} __attribute__((packed));

#define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a

#define HCI_OP_READ_BUFFER_SIZE 0x1005
struct hci_rp_read_buffer_size {
	uint8 status;
	uint16 acl_mtu;
	uint8 sco_mtu;
	uint16 acl_max_pkt;
	uint16 sco_max_pkt;
} __attribute__((packed));

#define HCI_OP_READ_BD_ADDR 0x1009
struct hci_rp_read_bd_addr {
	uint8 status;
	bdaddr_t bdaddr;
} __attribute__((packed));

#define HCI_EV_LE_META 0x3e
struct hci_ev_le_meta {
	uint8 subevent;
} __attribute__((packed));

#define HCI_EV_LE_CONN_COMPLETE 0x01
struct hci_ev_le_conn_complete {
	uint8 status;
	uint16 handle;
	uint8 role;
	uint8 bdaddr_type;
	bdaddr_t bdaddr;
	uint16 interval;
	uint16 latency;
	uint16 supervision_timeout;
	uint8 clk_accurancy;
} __attribute__((packed));

struct hci_dev_req {
	uint16 dev_id;
	uint32 dev_opt;
};

struct vhci_vendor_pkt_request {
	uint8 type;
	uint8 opcode;
} __attribute__((packed));

struct vhci_pkt {
	uint8 type;
	union {
		struct {
			uint8 opcode;
			uint16 id;
		} __attribute__((packed)) vendor_pkt;
		struct hci_command_hdr command_hdr;
	};
} __attribute__((packed));

#define HCIDEVUP _IOW('H', 201, int)
#define HCISETSCAN _IOW('H', 221, int)

static int vhci_fd = -1;

static void rfkill_unblock_all()
{
	int fd = open("/dev/rfkill", O_WRONLY);
	if (fd < 0)
		fail("open /dev/rfkill failed");
	struct rfkill_event event = {0};
	event.idx = 0;
	event.type = RFKILL_TYPE_ALL;
	event.op = RFKILL_OP_CHANGE_ALL;
	event.soft = 0;
	event.hard = 0;
	if (write(fd, &event, sizeof(event)) < 0)
		fail("write rfkill event failed");
	close(fd);
}

static void hci_send_event_packet(int fd, uint8 evt, void* data, size_t data_len)
{
	struct iovec iv[3];

	struct hci_event_hdr hdr;
	hdr.evt = evt;
	hdr.plen = data_len;

	uint8 type = HCI_EVENT_PKT;

	iv[0].iov_base = &type;
	iv[0].iov_len = sizeof(type);
	iv[1].iov_base = &hdr;
	iv[1].iov_len = sizeof(hdr);
	iv[2].iov_base = data;
	iv[2].iov_len = data_len;

	if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
		fail("writev failed");
}

static void hci_send_event_cmd_complete(int fd, uint16 opcode, void* data, size_t data_len)
{
	struct iovec iv[4];

	struct hci_event_hdr hdr;
	hdr.evt = HCI_EV_CMD_COMPLETE;
	hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len;

	struct hci_ev_cmd_complete evt_hdr;
	evt_hdr.ncmd = 1;
	evt_hdr.opcode = opcode;

	uint8 type = HCI_EVENT_PKT;

	iv[0].iov_base = &type;
	iv[0].iov_len = sizeof(type);
	iv[1].iov_base = &hdr;
	iv[1].iov_len = sizeof(hdr);
	iv[2].iov_base = &evt_hdr;
	iv[2].iov_len = sizeof(evt_hdr);
	iv[3].iov_base = data;
	iv[3].iov_len = data_len;

	if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
		fail("writev failed");
}

static bool process_command_pkt(int fd, char* buf, ssize_t buf_size)
{
	struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf;
	if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) ||
	    hdr->plen != buf_size - sizeof(struct hci_command_hdr))
		failmsg("process_command_pkt: invalid size", "suze=%zx", buf_size);

	switch (hdr->opcode) {
	case HCI_OP_WRITE_SCAN_ENABLE: {
		uint8 status = 0;
		hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status));
		return true;
	}
	case HCI_OP_READ_BD_ADDR: {
		struct hci_rp_read_bd_addr rp = {0};
		rp.status = 0;
		memset(&rp.bdaddr, 0xaa, 6);
		hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
		return false;
	}
	case HCI_OP_READ_BUFFER_SIZE: {
		struct hci_rp_read_buffer_size rp = {0};
		rp.status = 0;
		rp.acl_mtu = 1021;
		rp.sco_mtu = 96;
		rp.acl_max_pkt = 4;
		rp.sco_max_pkt = 6;
		hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
		return false;
	}
	}

	char dummy[0xf9] = {0};
	hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy));
	return false;
}

static void* event_thread(void* arg)
{
	while (1) {
		char buf[1024] = {0};
		ssize_t buf_size = read(vhci_fd, buf, sizeof(buf));
		if (buf_size < 0)
			fail("read failed");
		debug_dump_data(buf, buf_size);
		if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) {
			if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1))
				break;
		}
	}
	return NULL;
}

// Matches hci_handles in sys/linux/dev_vhci.txt.
#define HCI_HANDLE_1 200
#define HCI_HANDLE_2 201

#define HCI_PRIMARY 0
#define HCI_OP_RESET 0x0c03

static void initialize_vhci()
{
#if SYZ_EXECUTOR
	if (!flag_vhci_injection)
		return;
#endif

	int hci_sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
	if (hci_sock < 0)
		fail("socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) failed");

	vhci_fd = open("/dev/vhci", O_RDWR);
	if (vhci_fd == -1)
		fail("open /dev/vhci failed");

	// Remap vhci onto higher fd number to hide it from fuzzer and to keep
	// fd numbers stable regardless of whether vhci is opened or not (also see kMaxFd).
	const int kVhciFd = 202;
	if (dup2(vhci_fd, kVhciFd) < 0)
		fail("dup2(vhci_fd, kVhciFd) failed");
	close(vhci_fd);
	vhci_fd = kVhciFd;

	struct vhci_vendor_pkt_request vendor_pkt_req = {HCI_VENDOR_PKT, HCI_PRIMARY};
	if (write(vhci_fd, &vendor_pkt_req, sizeof(vendor_pkt_req)) != sizeof(vendor_pkt_req))
		fail("vendor_pkt_req write failed");

	struct vhci_pkt vhci_pkt;
	if (read(vhci_fd, &vhci_pkt, sizeof(vhci_pkt)) != sizeof(vhci_pkt))
		fail("vhci_pkt read failed");

	if (vhci_pkt.type == HCI_COMMAND_PKT && vhci_pkt.command_hdr.opcode == HCI_OP_RESET) {
		char response[1] = {0};
		hci_send_event_cmd_complete(vhci_fd, HCI_OP_RESET, response, sizeof(response));

		if (read(vhci_fd, &vhci_pkt, sizeof(vhci_pkt)) != sizeof(vhci_pkt))
			fail("vhci_pkt read failed");
	}

	if (vhci_pkt.type != HCI_VENDOR_PKT)
		fail("wrong response packet");

	int dev_id = vhci_pkt.vendor_pkt.id;
	debug("hci dev id: %x\n", dev_id);

	pthread_t th;
	if (pthread_create(&th, NULL, event_thread, NULL))
		fail("pthread_create failed");

	// Bring hci device up
	int ret = ioctl(hci_sock, HCIDEVUP, dev_id);
	if (ret) {
		if (errno == ERFKILL) {
			rfkill_unblock_all();
			ret = ioctl(hci_sock, HCIDEVUP, dev_id);
		}

		if (ret && errno != EALREADY)
			fail("ioctl(HCIDEVUP) failed");
	}

	// Activate page scanning mode which is required to fake a connection.
	struct hci_dev_req dr = {0};
	dr.dev_id = dev_id;
	dr.dev_opt = SCAN_PAGE;
	if (ioctl(hci_sock, HCISETSCAN, &dr))
		fail("ioctl(HCISETSCAN) failed");

	// Fake a connection with bd address 10:aa:aa:aa:aa:aa.
	// This is a fixed address used in sys/linux/socket_bluetooth.txt.
	struct hci_ev_conn_request request;
	memset(&request, 0, sizeof(request));
	memset(&request.bdaddr, 0xaa, 6);
	*(uint8*)&request.bdaddr.b[5] = 0x10;
	request.link_type = ACL_LINK;
	hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request, sizeof(request));

	struct hci_ev_conn_complete complete;
	memset(&complete, 0, sizeof(complete));
	complete.status = 0;
	complete.handle = HCI_HANDLE_1;
	memset(&complete.bdaddr, 0xaa, 6);
	*(uint8*)&complete.bdaddr.b[5] = 0x10;
	complete.link_type = ACL_LINK;
	complete.encr_mode = 0;
	hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete, sizeof(complete));

	struct hci_ev_remote_features features;
	memset(&features, 0, sizeof(features));
	features.status = 0;
	features.handle = HCI_HANDLE_1;
	hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features, sizeof(features));

	// Fake a low-energy connection with bd address 11:aa:aa:aa:aa:aa.
	// This is a fixed address used in sys/linux/socket_bluetooth.txt.
	struct {
		struct hci_ev_le_meta le_meta;
		struct hci_ev_le_conn_complete le_conn;
	} le_conn;
	memset(&le_conn, 0, sizeof(le_conn));
	le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE;
	memset(&le_conn.le_conn.bdaddr, 0xaa, 6);
	*(uint8*)&le_conn.le_conn.bdaddr.b[5] = 0x11;
	le_conn.le_conn.role = 1;
	le_conn.le_conn.handle = HCI_HANDLE_2;
	hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn));

	pthread_join(th, NULL);
	close(hci_sock);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_emit_vhci && SYZ_VHCI_INJECTION
static long syz_emit_vhci(volatile long a0, volatile long a1)
{
	if (vhci_fd < 0)
		return (uintptr_t)-1;

	char* data = (char*)a0;
	uint32 length = a1;

	return write(vhci_fd, data, length);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_genetlink_get_family_id
#include <errno.h>
#include <sys/socket.h>

static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	debug("syz_genetlink_get_family_id(%s, %d)\n", (char*)name, (int)sock_arg);
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			debug("syz_genetlink_get_family_id: socket failed: %d\n", errno);
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		debug("syz_genetlink_get_family_id: netlink_query_family_id failed: %d\n", ret);
		return -1;
	}

	return ret;
}
#endif

#if SYZ_EXECUTOR || __NR_syz_mount_image || __NR_syz_read_part_table
#include "common_zlib.h"
#include <errno.h>
#include <fcntl.h>
#include <linux/loop.h>
#include <stdbool.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>

// Setup the loop device needed for mounting a filesystem image. Takes care of
// creating and initializing the underlying file backing the loop device and
// returns the fds to the file and device.
// Returns 0 on success, -1 otherwise.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		debug("setup_loop_device: could not decompress data: %d\n", errno);
		goto error_close_memfd;
	}

	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		debug("setup_loop_device: open failed: %d\n", errno);
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}

	close(memfd);
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

#if SYZ_EXECUTOR || __NR_syz_mount_image

static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		debug("reset_loop_device: open failed: %d\n", errno);
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
		debug("reset_loop_device: LOOP_CLR_FD failed: %d\n", errno);
	}
	close(loopfd);
}

#endif

#endif

#if SYZ_EXECUTOR || __NR_syz_read_part_table
// syz_read_part_table(size len[img], img ptr[in, compressed_image])
static long syz_read_part_table(volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int err = 0, res = -1, loopfd = -1;
	char loopname[64];

	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(data, size, loopname, &loopfd) == -1)
		return -1;

	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
#if SYZ_EXECUTOR
	cover_reset(0);
#endif
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// If we managed to parse some partitions, symlink them into our work dir.
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
				debug("syz_read_part_table: symlink(%s, %s) failed: %d\n", loopname, linkname, errno);
			}
		}
	}
error_clear_loop:
	if (res)
		ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	errno = err;
	return res;
}
#endif

#if SYZ_EXECUTOR || __NR_syz_mount_image
#include <stddef.h>
#include <string.h>
#include <sys/mount.h>

// syz_mount_image(
// 	fs ptr[in, string[fs]],
// 	dir ptr[in, filename],
// 	flags flags[mount_flags],
// 	opts ptr[in, fs_options],
// 	chdir bool8,
// 	size len[img],
// 	img ptr[in, compressed_image]
// ) fd_dir
static long syz_mount_image(
    volatile long fsarg,
    volatile long dir,
    volatile long flags,
    volatile long optsarg,
    volatile long change_dir,
    volatile unsigned long size,
    volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];

	if (need_loop_device) {
		int loopfd;
		// Some filesystems (e.g. FUSE) do not need a backing device or
		// filesystem image.
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		// If BLK_DEV_WRITE_MOUNTED is set, we won't be able to mount()
		// while holding the loop device fd.
		close(loopfd);
		source = loopname;
	}

	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Leave some space for the additional options we append below.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
		debug("ERROR: syz_mount_image parameter optsarg bigger than internal opts\n");
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// For ext2/3/4 we have to have errors=continue because the image
		// can contain errors=panic flag and can legally crash kernel.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			// syzkaller can sometimes break the options format, so we have to make sure this option can really be parsed.
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		// For xfs we need nouuid because xfs has a global uuids table
		// and if two parallel executors mounts fs with the same uuid, second mount fails.
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		// Otherwise ordinary withdrawals turn into kernel panics, see #6189.
		strcat(opts, ",errors=withdraw");
	}
	debug("syz_mount_image: size=%llu loop='%s' dir='%s' fs='%s' flags=%llu opts='%s'\n", (uint64)size, loopname, target, fs, (uint64)flags, opts);
#if SYZ_EXECUTOR
	cover_reset(0);
#endif
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		debug("syz_mount_image > mount error: %d\n", errno);
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		debug("syz_mount_image > open error: %d\n", errno);
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			debug("syz_mount_image > chdir error: %d\n", errno);
			err = errno;
		}
	}

error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}
#endif

#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu || __NR_syz_kvm_assert_syzos_uexit || __NR_syz_kvm_assert_reg || __NR_syz_kvm_assert_syzos_kvm_exit
// KVM is not yet supported on RISC-V
#if !GOARCH_riscv64 && !GOARCH_arm
#include <errno.h>
#include <fcntl.h>
#include <linux/kvm.h>
#include <stdarg.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/stat.h>

#if GOARCH_amd64
#include "common_kvm_amd64.h"
#elif GOARCH_386
#include "common_kvm_386.h"
#elif GOARCH_arm64
#include "common_kvm_arm64.h"
#elif GOARCH_ppc64 || GOARCH_ppc64le
#include "common_kvm_ppc64.h"
#elif !GOARCH_arm && (SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu)
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}
#endif
#endif
#endif

#if (SYZ_EXECUTOR || SYZ_NET_RESET) && SYZ_EXECUTOR_USES_FORK_SERVER
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#include <linux/net.h>

// checkpoint/reset_net_namespace partially resets net namespace to initial state
// after each test. Currently it resets only ipv4 netfilter state.
// Ideally, we just create a new net namespace for each test,
// however it's too slow (1-1.5 seconds per namespace, not parallelizable).

// Linux headers do not compile for C++, so we have to define the structs manualy.
#define XT_TABLE_SIZE 1536
#define XT_MAX_ENTRIES 10

struct xt_counters {
	uint64 pcnt, bcnt;
};

struct ipt_getinfo {
	char name[32];
	unsigned int valid_hooks;
	unsigned int hook_entry[5];
	unsigned int underflow[5];
	unsigned int num_entries;
	unsigned int size;
};

struct ipt_get_entries {
	char name[32];
	unsigned int size;
	uint64 entrytable[XT_TABLE_SIZE / sizeof(uint64)];
};

struct ipt_replace {
	char name[32];
	unsigned int valid_hooks;
	unsigned int num_entries;
	unsigned int size;
	unsigned int hook_entry[5];
	unsigned int underflow[5];
	unsigned int num_counters;
	struct xt_counters* counters;
	uint64 entrytable[XT_TABLE_SIZE / sizeof(uint64)];
};

struct ipt_table_desc {
	const char* name;
	struct ipt_getinfo info;
	struct ipt_replace replace;
};

static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "mangle"},
    {.name = "raw"},
    {.name = "security"},
};

static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "mangle"},
    {.name = "raw"},
    {.name = "security"},
};

#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

struct arpt_getinfo {
	char name[32];
	unsigned int valid_hooks;
	unsigned int hook_entry[3];
	unsigned int underflow[3];
	unsigned int num_entries;
	unsigned int size;
};

struct arpt_get_entries {
	char name[32];
	unsigned int size;
	uint64 entrytable[XT_TABLE_SIZE / sizeof(uint64)];
};

struct arpt_replace {
	char name[32];
	unsigned int valid_hooks;
	unsigned int num_entries;
	unsigned int size;
	unsigned int hook_entry[3];
	unsigned int underflow[3];
	unsigned int num_counters;
	struct xt_counters* counters;
	uint64 entrytable[XT_TABLE_SIZE / sizeof(uint64)];
};

struct arpt_table_desc {
	const char* name;
	struct arpt_getinfo info;
	struct arpt_replace replace;
};

static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};

#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)

static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
	int fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
	if (fd == -1) {
		switch (errno) {
		case EAFNOSUPPORT:
		case ENOPROTOOPT:
		// ENOENT can be returned if smack lsm is used. Smack tried to aplly netlbl to created sockets,
		// but the fuzzer can manage to remove netlbl entry for SOCK_STREAM/IPPROTO_TCP using
		// NLBL_MGMT_C_REMOVE, which is unfortunately global (not part of net namespace). In this state
		// creation of such sockets will fail all the time in all processes (so in some sense the machine
		// is indeed broken), but ignoring the error is still probably the best option given we allow
		// the fuzzer to invoke NLBL_MGMT_C_REMOVE in the first place.
		case ENOENT:
			return;
		}
		failmsg("iptable checkpoint: socket(SOCK_STREAM, IPPROTO_TCP) failed", "family=%d", family);
	}
	for (int i = 0; i < num_tables; i++) {
		struct ipt_table_desc* table = &tables[i];
		strcpy(table->info.name, table->name);
		strcpy(table->replace.name, table->name);
		socklen_t optlen = sizeof(table->info);
		if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
			switch (errno) {
			case EPERM:
			case ENOENT:
			case ENOPROTOOPT:
				continue;
			}
			failmsg("iptable checkpoint: getsockopt(IPT_SO_GET_INFO) failed",
				"table=%s, family=%d", table->name, family);
		}
		debug("iptable checkpoint %s/%d: checkpoint entries=%d hooks=%x size=%d\n",
		      table->name, family, table->info.num_entries,
		      table->info.valid_hooks, table->info.size);
		if (table->info.size > sizeof(table->replace.entrytable))
			failmsg("iptable checkpoint: table size is too large", "table=%s, family=%d, size=%u",
				table->name, family, table->info.size);
		if (table->info.num_entries > XT_MAX_ENTRIES)
			failmsg("iptable checkpoint: too many counters", "table=%s, family=%d, counters=%d",
				table->name, family, table->info.num_entries);
		struct ipt_get_entries entries;
		memset(&entries, 0, sizeof(entries));
		strcpy(entries.name, table->name);
		entries.size = table->info.size;
		optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
		if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
			failmsg("iptable checkpoint: getsockopt(IPT_SO_GET_ENTRIES) failed",
				"table=%s, family=%d", table->name, family);
		table->replace.valid_hooks = table->info.valid_hooks;
		table->replace.num_entries = table->info.num_entries;
		table->replace.size = table->info.size;
		memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
		memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
		memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
	}
	close(fd);
}

static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
	int fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
	if (fd == -1) {
		switch (errno) {
		case EAFNOSUPPORT:
		case ENOPROTOOPT:
		case ENOENT:
			return;
		}
		failmsg("iptable: socket(SOCK_STREAM, IPPROTO_TCP) failed", "family=%d", family);
	}
	for (int i = 0; i < num_tables; i++) {
		struct ipt_table_desc* table = &tables[i];
		if (table->info.valid_hooks == 0)
			continue;
		struct ipt_getinfo info;
		memset(&info, 0, sizeof(info));
		strcpy(info.name, table->name);
		socklen_t optlen = sizeof(info);
		if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
			failmsg("iptable: getsockopt(IPT_SO_GET_INFO) failed",
				"table=%s, family=%d", table->name, family);
		if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
			struct ipt_get_entries entries;
			memset(&entries, 0, sizeof(entries));
			strcpy(entries.name, table->name);
			entries.size = table->info.size;
			optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
			if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
				failmsg("iptable: getsockopt(IPT_SO_GET_ENTRIES) failed",
					"table=%s, family=%d", table->name, family);
			if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
				continue;
		}
		debug("iptable %s/%d: resetting\n", table->name, family);
		struct xt_counters counters[XT_MAX_ENTRIES];
		table->replace.num_counters = info.num_entries;
		table->replace.counters = counters;
		optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
		if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
			failmsg("iptable: setsockopt(IPT_SO_SET_REPLACE) failed",
				"table=%s, family=%d", table->name, family);
	}
	close(fd);
}

static void checkpoint_arptables(void)
{
	int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (fd == -1) {
		switch (errno) {
		case EAFNOSUPPORT:
		case ENOPROTOOPT:
		case ENOENT:
			return;
		}
		fail("arptable checkpoint: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) failed");
	}
	for (unsigned i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
		struct arpt_table_desc* table = &arpt_tables[i];
		strcpy(table->info.name, table->name);
		strcpy(table->replace.name, table->name);
		socklen_t optlen = sizeof(table->info);
		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
			switch (errno) {
			case EPERM:
			case ENOENT:
			case ENOPROTOOPT:
				continue;
			}
			failmsg("arptable checkpoint: getsockopt(ARPT_SO_GET_INFO) failed", "table=%s", table->name);
		}
		debug("arptable checkpoint %s: entries=%d hooks=%x size=%d\n",
		      table->name, table->info.num_entries, table->info.valid_hooks, table->info.size);
		if (table->info.size > sizeof(table->replace.entrytable))
			failmsg("arptable checkpoint: table size is too large",
				"table=%s, size=%u", table->name, table->info.size);
		if (table->info.num_entries > XT_MAX_ENTRIES)
			failmsg("arptable checkpoint: too many counters",
				"table=%s, counters=%u", table->name, table->info.num_entries);
		struct arpt_get_entries entries;
		memset(&entries, 0, sizeof(entries));
		strcpy(entries.name, table->name);
		entries.size = table->info.size;
		optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
			failmsg("arptable checkpoint: getsockopt(ARPT_SO_GET_ENTRIES) failed", "table=%s", table->name);
		table->replace.valid_hooks = table->info.valid_hooks;
		table->replace.num_entries = table->info.num_entries;
		table->replace.size = table->info.size;
		memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
		memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
		memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
	}
	close(fd);
}

static void reset_arptables()
{
	int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (fd == -1) {
		switch (errno) {
		case EAFNOSUPPORT:
		case ENOPROTOOPT:
		case ENOENT:
			return;
		}
		fail("arptable: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
	}
	for (unsigned i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
		struct arpt_table_desc* table = &arpt_tables[i];
		if (table->info.valid_hooks == 0)
			continue;
		struct arpt_getinfo info;
		memset(&info, 0, sizeof(info));
		strcpy(info.name, table->name);
		socklen_t optlen = sizeof(info);
		if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
			failmsg("arptable: getsockopt(ARPT_SO_GET_INFO) failed", "table=%s", table->name);
		if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
			struct arpt_get_entries entries;
			memset(&entries, 0, sizeof(entries));
			strcpy(entries.name, table->name);
			entries.size = table->info.size;
			optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
			if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
				failmsg("arptable: getsockopt(ARPT_SO_GET_ENTRIES) failed", "table=%s", table->name);
			if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
				continue;
			debug("arptable %s: data changed\n", table->name);
		} else {
			debug("arptable %s: header changed\n", table->name);
		}
		debug("arptable %s: resetting\n", table->name);
		struct xt_counters counters[XT_MAX_ENTRIES];
		table->replace.num_counters = info.num_entries;
		table->replace.counters = counters;
		optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
		if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
			failmsg("arptable: setsockopt(ARPT_SO_SET_REPLACE) failed",
				"table=%s", table->name);
	}
	close(fd);
}

// ebtables.h is broken too:
// ebtables.h: In function ‘ebt_entry_target* ebt_get_target(ebt_entry*)’:
// ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’

#define NF_BR_NUMHOOKS 6
#define EBT_TABLE_MAXNAMELEN 32
#define EBT_CHAIN_MAXNAMELEN 32
#define EBT_BASE_CTL 128
#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
#define EBT_SO_GET_INFO (EBT_BASE_CTL)
#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1)
#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1)
#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1)

struct ebt_replace {
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	unsigned int nentries;
	unsigned int entries_size;
	struct ebt_entries* hook_entry[NF_BR_NUMHOOKS];
	unsigned int num_counters;
	struct ebt_counter* counters;
	char* entries;
};

struct ebt_entries {
	unsigned int distinguisher;
	char name[EBT_CHAIN_MAXNAMELEN];
	unsigned int counter_offset;
	int policy;
	unsigned int nentries;
	char data[0] __attribute__((aligned(__alignof__(struct ebt_replace))));
};

struct ebt_table_desc {
	const char* name;
	struct ebt_replace replace;
	char entrytable[XT_TABLE_SIZE];
};

static struct ebt_table_desc ebt_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "broute"},
};

static void checkpoint_ebtables(void)
{
	int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (fd == -1) {
		switch (errno) {
		case EAFNOSUPPORT:
		case ENOPROTOOPT:
		case ENOENT:
			return;
		}
		fail("ebtable checkpoint: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
	}
	for (size_t i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
		struct ebt_table_desc* table = &ebt_tables[i];
		strcpy(table->replace.name, table->name);
		socklen_t optlen = sizeof(table->replace);
		if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, &optlen)) {
			switch (errno) {
			case EPERM:
			case ENOENT:
			case ENOPROTOOPT:
				continue;
			}
			failmsg("ebtable checkpoint: getsockopt(EBT_SO_GET_INIT_INFO) failed",
				"table=%s", table->name);
		}
		debug("ebtable checkpoint %s: entries=%d hooks=%x size=%d\n",
		      table->name, table->replace.nentries, table->replace.valid_hooks,
		      table->replace.entries_size);
		if (table->replace.entries_size > sizeof(table->entrytable))
			failmsg("ebtable checkpoint: table size is too large", "table=%s, size=%u",
				table->name, table->replace.entries_size);
		table->replace.num_counters = 0;
		table->replace.entries = table->entrytable;
		optlen = sizeof(table->replace) + table->replace.entries_size;
		if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, &optlen))
			failmsg("ebtable checkpoint: getsockopt(EBT_SO_GET_INIT_ENTRIES) failed",
				"table=%s", table->name);
	}
	close(fd);
}

static void reset_ebtables()
{
	int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (fd == -1) {
		switch (errno) {
		case EAFNOSUPPORT:
		case ENOPROTOOPT:
		case ENOENT:
			return;
		}
		fail("ebtable: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
	}
	for (unsigned i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
		struct ebt_table_desc* table = &ebt_tables[i];
		if (table->replace.valid_hooks == 0)
			continue;
		struct ebt_replace replace;
		memset(&replace, 0, sizeof(replace));
		strcpy(replace.name, table->name);
		socklen_t optlen = sizeof(replace);
		if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
			failmsg("ebtable: getsockopt(EBT_SO_GET_INFO)", "table=%s", table->name);
		replace.num_counters = 0;
		table->replace.entries = 0;
		for (unsigned h = 0; h < NF_BR_NUMHOOKS; h++)
			table->replace.hook_entry[h] = 0;
		if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
			char entrytable[XT_TABLE_SIZE];
			memset(&entrytable, 0, sizeof(entrytable));
			replace.entries = entrytable;
			optlen = sizeof(replace) + replace.entries_size;
			if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
				failmsg("ebtable: getsockopt(EBT_SO_GET_ENTRIES) failed", "table=%s", table->name);
			if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
				continue;
		}
		debug("ebtable %s: resetting\n", table->name);
		// Kernel does not seem to return actual entry points (wat?).
		for (unsigned j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
			if (table->replace.valid_hooks & (1 << h)) {
				table->replace.hook_entry[h] = (struct ebt_entries*)table->entrytable + j;
				j++;
			}
		}
		table->replace.entries = table->entrytable;
		optlen = sizeof(table->replace) + table->replace.entries_size;
		if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
			failmsg("ebtable: setsockopt(EBT_SO_SET_ENTRIES) failed", "table=%s", table->name);
	}
	close(fd);
}

static void checkpoint_net_namespace(void)
{
#if SYZ_EXECUTOR
	if (!flag_net_reset || flag_sandbox_setuid)
		return;
#endif
	checkpoint_ebtables();
	checkpoint_arptables();
	checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
	checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}

static void reset_net_namespace(void)
{
#if SYZ_EXECUTOR
	if (!flag_net_reset || flag_sandbox_setuid)
		return;
#endif
	reset_ebtables();
	reset_arptables();
	reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
	reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}
#endif

#if SYZ_EXECUTOR || (SYZ_CGROUPS && (SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID))
#include <fcntl.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>

static void mount_cgroups(const char* dir, const char** controllers, int count)
{
	if (mkdir(dir, 0777)) {
		debug("mkdir(%s) failed: %d\n", dir, errno);
		return;
	}
	// First, probe one-by-one to understand what controllers are present.
	char enabled[128] = {0};
	int i = 0;
	for (; i < count; i++) {
		if (mount("none", dir, "cgroup", 0, controllers[i])) {
			debug("mount(%s, %s) failed: %d\n", dir, controllers[i], errno);
			continue;
		}
		umount(dir);
		strcat(enabled, ",");
		strcat(enabled, controllers[i]);
	}
	if (enabled[0] == 0) {
		if (rmdir(dir) && errno != EBUSY)
			failmsg("rmdir failed", "dir=%s", dir);
		return;
	}
	// Now mount all at once.
	if (mount("none", dir, "cgroup", 0, enabled + 1)) {
		// In systemd/stretch images this is failing with EBUSY
		// (systemd starts messing with these mounts?),
		// so we don't fail, but just log the error.
		debug("mount(%s, %s) failed: %d\n", dir, enabled + 1, errno);
		if (rmdir(dir) && errno != EBUSY)
			failmsg("rmdir failed", "dir=%s enabled=%s", dir, enabled);
	}
	if (chmod(dir, 0777)) {
		debug("chmod(%s) failed: %d\n", dir, errno);
	}
}

static void mount_cgroups2(const char** controllers, int count)
{
	if (mkdir("/syzcgroup/unified", 0777)) {
		debug("mkdir(/syzcgroup/unified) failed: %d\n", errno);
		return;
	}
	if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
		debug("mount(cgroup2) failed: %d\n", errno);
		// For all cases when we don't end up mounting cgroup/cgroup2
		// in /syzcgroup/{unified,net,cpu}, we need to remove the dir.
		// Otherwise these will end up as normal dirs and the fuzzer may
		// create huge files there. These files won't be cleaned up
		// after tests and may easily consume all disk space.
		// EBUSY usually means that cgroup is already mounted there
		// by a previous run of e.g. syz-execprog.
		if (rmdir("/syzcgroup/unified") && errno != EBUSY)
			fail("rmdir(/syzcgroup/unified) failed");
		return;
	}
	if (chmod("/syzcgroup/unified", 0777)) {
		debug("chmod(/syzcgroup/unified) failed: %d\n", errno);
	}
	int control = open("/syzcgroup/unified/cgroup.subtree_control", O_WRONLY);
	if (control == -1)
		return;
	int i;
	for (i = 0; i < count; i++)
		if (write(control, controllers[i], strlen(controllers[i])) < 0) {
			debug("write(cgroup.subtree_control, %s) failed: %d\n", controllers[i], errno);
		}
	close(control);
}

static void setup_cgroups()
{
	// We want to cover both cgroup and cgroup2.
	// Each resource controller can be bound to only one of them,
	// so to cover both we divide all controllers into 3 arbitrary groups.
	// One group is then bound to cgroup2/unified, and 2 other groups
	// are bound to 2 cgroup hierarchies.
	// Note: we need to enable controllers one-by-one for both cgroup and cgroup2.
	// If we enable all at the same time and one of them fails (b/c of older kernel
	// or not enabled configs), then all will fail.
	const char* unified_controllers[] = {"+cpu", "+io", "+pids"};
	const char* net_controllers[] = {"net", "net_prio", "devices", "blkio", "freezer"};
	const char* cpu_controllers[] = {"cpuset", "cpuacct", "hugetlb", "rlimit", "memory"};
	if (mkdir("/syzcgroup", 0777)) {
		// Can happen due to e.g. read-only file system (EROFS).
		debug("mkdir(/syzcgroup) failed: %d\n", errno);
		return;
	}
	mount_cgroups2(unified_controllers, sizeof(unified_controllers) / sizeof(unified_controllers[0]));
	mount_cgroups("/syzcgroup/net", net_controllers, sizeof(net_controllers) / sizeof(net_controllers[0]));
	mount_cgroups("/syzcgroup/cpu", cpu_controllers, sizeof(cpu_controllers) / sizeof(cpu_controllers[0]));
	write_file("/syzcgroup/cpu/cgroup.clone_children", "1");
	write_file("/syzcgroup/cpu/cpuset.memory_pressure_enabled", "1");
}

#if (SYZ_EXECUTOR || SYZ_REPEAT) && SYZ_EXECUTOR_USES_FORK_SERVER
static void setup_cgroups_loop()
{
#if SYZ_EXECUTOR
	if (!flag_cgroups)
		return;
#endif
	int pid = getpid();
	char file[128];
	char cgroupdir[64];
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
	if (mkdir(cgroupdir, 0777)) {
		debug("mkdir(%s) failed: %d\n", cgroupdir, errno);
	}
	// Restrict number of pids per test process to prevent fork bombs.
	// We have up to 16 threads + main process + loop.
	// 32 pids should be enough for everyone.
	snprintf(file, sizeof(file), "%s/pids.max", cgroupdir);
	write_file(file, "32");
	// Setup some v1 groups to make things more interesting.
	snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
	write_file(file, "%d", pid);
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
	if (mkdir(cgroupdir, 0777)) {
		debug("mkdir(%s) failed: %d\n", cgroupdir, errno);
	}
	snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
	write_file(file, "%d", pid);
	// Restrict memory consumption.
	// We have some syscalls that inherently consume lots of memory,
	// e.g. mounting some filesystem images requires at least 128MB
	// image in memory. We restrict RLIMIT_AS to 200MB. Here we gradually
	// increase memory limits to make things more interesting.
	// Also this takes into account KASAN quarantine size.
	// If the limit is lower than KASAN quarantine size, then it can happen
	// so that we kill the process, but all of its memory is in quarantine
	// and is still accounted against memcg. As the result memcg won't
	// allow to allocate any memory in the parent and in the new test process.
	// The current limit of 300MB supports up to 9.6GB RAM (quarantine is 1/32).
	snprintf(file, sizeof(file), "%s/memory.soft_limit_in_bytes", cgroupdir);
	write_file(file, "%d", 299 << 20);
	snprintf(file, sizeof(file), "%s/memory.limit_in_bytes", cgroupdir);
	write_file(file, "%d", 300 << 20);
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
	if (mkdir(cgroupdir, 0777)) {
		debug("mkdir(%s) failed: %d\n", cgroupdir, errno);
	}
	snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
	write_file(file, "%d", pid);
}

static void setup_cgroups_test()
{
#if SYZ_EXECUTOR
	if (!flag_cgroups)
		return;
#endif
	char cgroupdir[64];
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
	if (symlink(cgroupdir, "./cgroup")) {
		debug("symlink(%s, ./cgroup) failed: %d\n", cgroupdir, errno);
	}
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
	if (symlink(cgroupdir, "./cgroup.cpu")) {
		debug("symlink(%s, ./cgroup.cpu) failed: %d\n", cgroupdir, errno);
	}
	snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
	if (symlink(cgroupdir, "./cgroup.net")) {
		debug("symlink(%s, ./cgroup.net) failed: %d\n", cgroupdir, errno);
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE
static void initialize_cgroups()
{
#if SYZ_EXECUTOR
	if (!flag_cgroups)
		return;
#endif
	if (mkdir("./syz-tmp/newroot/syzcgroup", 0700))
		fail("mkdir failed");
	if (mkdir("./syz-tmp/newroot/syzcgroup/unified", 0700))
		fail("mkdir failed");
	if (mkdir("./syz-tmp/newroot/syzcgroup/cpu", 0700))
		fail("mkdir failed");
	if (mkdir("./syz-tmp/newroot/syzcgroup/net", 0700))
		fail("mkdir failed");
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/syzcgroup/unified", "./syz-tmp/newroot/syzcgroup/unified", NULL, bind_mount_flags, NULL)) {
		debug("mount(cgroup2, MS_BIND) failed: %d\n", errno);
	}
	if (mount("/syzcgroup/cpu", "./syz-tmp/newroot/syzcgroup/cpu", NULL, bind_mount_flags, NULL)) {
		debug("mount(cgroup/cpu, MS_BIND) failed: %d\n", errno);
	}
	if (mount("/syzcgroup/net", "./syz-tmp/newroot/syzcgroup/net", NULL, bind_mount_flags, NULL)) {
		debug("mount(cgroup/net, MS_BIND) failed: %d\n", errno);
	}
}
#endif
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE
static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();
// Mount tmpfs and chroot into it in sandbox=none and sandbox=namespace.
// This is to prevent persistent changes to the root file system (e.g. setting attributes) that may
// hinder fuzzing.
// See https://github.com/google/syzkaller/issues/4939 for more details.
static void sandbox_common_mount_tmpfs(void)
{
	// Android systems set fs.mount-max to a very low value, causing ENOSPC when doing the mounts below
	// (see https://github.com/google/syzkaller/issues/4972). 100K mounts should be enough for everyone.
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		fail("mkdir(syz-tmp) failed");
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		fail("mount(tmpfs) failed");
	if (mkdir("./syz-tmp/newroot", 0777))
		fail("mkdir failed");
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		fail("mkdir failed");
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		fail("mount(dev) failed");
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		fail("mkdir failed");
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		fail("mount(proc) failed");
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		fail("mkdir failed");
	// selinux mount used to be at /selinux, but then moved to /sys/fs/selinux.
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			fail("mount(/selinux) failed");
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			fail("mount(/sys/fs/selinux) failed");
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		fail("mkdir(/sys) failed");
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		fail("mount(sysfs) failed");
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		fail("mount(debug) failed");
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		fail("mount(smackfs) failed");
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		fail("mount(binfmt_misc) failed");

	// If user wants to supply custom inputs, those can be placed to /syz-inputs
	// That folder will be mounted to fuzzer sandbox
	// https://groups.google.com/g/syzkaller/c/U-DISFjKLzg
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		fail("mkdir(/syz-inputs) failed");

	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		fail("mount(syz-inputs) failed");

#if SYZ_EXECUTOR || SYZ_CGROUPS
	initialize_cgroups();
#endif
	if (mkdir("./syz-tmp/pivot", 0777))
		fail("mkdir failed");
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		debug("pivot_root failed\n");
		if (chdir("./syz-tmp"))
			fail("chdir failed");
	} else {
		debug("pivot_root OK\n");
		if (chdir("/"))
			fail("chdir failed");
		if (umount2("./pivot", MNT_DETACH))
			fail("umount failed");
	}
	if (chroot("./newroot"))
		fail("chroot failed");
	if (chdir("/"))
		fail("chdir failed");
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE
#include <sys/mount.h>
#include <sys/stat.h>

static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
		debug("mkdir(/dev/gadgetfs) failed: %d\n", errno);
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
		debug("mount of gadgetfs at /dev/gadgetfs failed: %d\n", errno);
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID
#include <errno.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
		debug("mount(fusectl) failed: %d\n", errno);
	}
}

static void setup_binderfs()
{
	// NOTE: this function must be called after chroot.
	// Bind an instance of binderfs specific just to this executor - it will
	// only be visible in its mount namespace and will help isolate binder
	// devices during fuzzing.
	// These commands will just silently fail if binderfs is not supported.
	// Ideally it should have been added as a separate feature (with lots of
	// minor changes throughout the code base), but it seems to be an overkill
	// for just 2 simple lines of code.
	if (mkdir("/dev/binderfs", 0777)) {
		debug("mkdir(/dev/binderfs) failed: %d\n", errno);
	}

	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
		debug("mount of binder at /dev/binderfs failed: %d\n", errno);
	}
#if !SYZ_EXECUTOR && !SYZ_USE_TMP_DIR
	// Do a local symlink right away.
	if (symlink("/dev/binderfs", "./binderfs")) {
		debug("symlink(/dev/binderfs, ./binderfs) failed: %d\n", errno);
	}
#endif
}

#include <sched.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/wait.h>

static void loop();

static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exitf("the sandbox parent process was killed");

#if SYZ_EXECUTOR || __NR_syz_init_net_socket || SYZ_DEVLINK_PCI || __NR_syz_socket_connect_nvme_tcp
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		fail("open(/proc/self/ns/net) failed");
	if (dup2(netns, kInitNetNsFd) < 0)
		fail("dup2(netns, kInitNetNsFd) failed");
	close(netns);
#endif

	struct rlimit rlim;
#if SYZ_EXECUTOR
	rlim.rlim_cur = rlim.rlim_max = (200 << 20) +
					(kMaxThreads * kCoverSize + kExtraCoverSize) * sizeof(void*);
#else
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
#endif
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	// Note: core size is also restricted by RLIMIT_FSIZE.
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // see kMaxFd
	setrlimit(RLIMIT_NOFILE, &rlim);

	// CLONE_NEWNS/NEWCGROUP cause EINVAL on some systems,
	// so we do them separately of clone in do_sandbox_namespace.
	if (unshare(CLONE_NEWNS)) {
		debug("unshare(CLONE_NEWNS): %d\n", errno);
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
		debug("mount(\"/\", MS_REC | MS_PRIVATE): %d\n", errno);
	}
	if (unshare(CLONE_NEWIPC)) {
		debug("unshare(CLONE_NEWIPC): %d\n", errno);
	}
	if (unshare(0x02000000)) {
		debug("unshare(CLONE_NEWCGROUP): %d\n", errno);
	}
	if (unshare(CLONE_NEWUTS)) {
		debug("unshare(CLONE_NEWUTS): %d\n", errno);
	}
	if (unshare(CLONE_SYSVSEM)) {
		debug("unshare(CLONE_SYSVSEM): %d\n", errno);
	}
	// These sysctl's restrict ipc resource usage (by default it's possible
	// to eat all system memory by creating e.g. lots of large sem sets).
	// These sysctl's are per-namespace, so we need to set them inside
	// of the test ipc namespace (after CLONE_NEWIPC).
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE
static int wait_for_loop(int pid)
{
	if (pid < 0)
		fail("sandbox fork failed");
	debug("spawned loop pid %d\n", pid);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID
#include <linux/capability.h>

static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		fail("capget failed");
	// Drop CAP_SYS_PTRACE so that test processes can't attach to parent processes.
	// Previously it lead to hangs because the loop process stopped due to SIGSTOP.
	// Note that a process can always ptrace its direct children, which is enough for testing purposes.
	//
	// A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
	// as the result rcu and other system services that use kernel threads will stop functioning.
	// Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
	// values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
	// which could be used to enfore safe limits without droppping CAP_SYS_NICE, but we don't have it yet.
	// See the following bug for details:
	// https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		fail("capset failed");
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE
#include <sched.h>
#include <sys/types.h>

static int do_sandbox_none(void)
{
	// CLONE_NEWPID takes effect for the first child of the current process,
	// so we do it before fork to make the loop "init" process of the namespace.
	// We ought to do fail here, but sandbox=none is used in pkg/ipc tests
	// and they are usually run under non-root.
	// Also since debug is stripped by pkg/csource, we need to do {}
	// even though we generally don't do {} around single statements.
	if (unshare(CLONE_NEWPID)) {
		debug("unshare(CLONE_NEWPID): %d\n", errno);
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);

#if SYZ_EXECUTOR || SYZ_VHCI_INJECTION
	initialize_vhci();
#endif
	sandbox_common();
	drop_caps();
#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices_init();
#endif
	if (unshare(CLONE_NEWNET)) {
		debug("unshare(CLONE_NEWNET): %d\n", errno);
	}
	// Enable access to IPPROTO_ICMP sockets, must be done after CLONE_NEWNET.
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
	initialize_devlink_pci();
#endif
#if SYZ_EXECUTOR || SYZ_NET_INJECTION
	initialize_tun();
#endif
#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices();
#endif
#if SYZ_EXECUTOR || SYZ_WIFI
	initialize_wifi_devices();
#endif
	sandbox_common_mount_tmpfs();
	loop();
	doexit(1);
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_SETUID
#include <grp.h>
#include <sched.h>
#include <sys/prctl.h>

#define SYZ_HAVE_SANDBOX_SETUID 1
static int do_sandbox_setuid(void)
{
	if (unshare(CLONE_NEWPID)) {
		debug("unshare(CLONE_NEWPID): %d\n", errno);
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);

#if SYZ_EXECUTOR || SYZ_VHCI_INJECTION
	initialize_vhci();
#endif
	sandbox_common();
#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices_init();
#endif
	if (unshare(CLONE_NEWNET)) {
		debug("unshare(CLONE_NEWNET): %d\n", errno);
	}
#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
	initialize_devlink_pci();
#endif
#if SYZ_EXECUTOR || SYZ_NET_INJECTION
	initialize_tun();
#endif
#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices();
#endif
#if SYZ_EXECUTOR || SYZ_WIFI
	initialize_wifi_devices();
#endif
	setup_binderfs();
	setup_fusectl();

	const int nobody = 65534;
	if (setgroups(0, NULL))
		fail("failed to setgroups");
	if (syscall(SYS_setresgid, nobody, nobody, nobody))
		fail("failed to setresgid");
	if (syscall(SYS_setresuid, nobody, nobody, nobody))
		fail("failed to setresuid");

	// setresuid and setresgid clear the parent-death signal.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	// This is required to open /proc/self/ files.
	// Otherwise they are owned by root and we can't open them after setuid.
	// See task_dump_owner function in kernel.
	prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);

	loop();
	doexit(1);
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_NAMESPACE
#include <sched.h>
#include <sys/mman.h>
#include <sys/mount.h>

static int real_uid;
static int real_gid;
__attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20];

static int namespace_sandbox_proc(void* arg)
{
	sandbox_common();

	// /proc/self/setgroups is not present on some systems, ignore error.
	write_file("/proc/self/setgroups", "deny");
	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid))
		fail("write of /proc/self/uid_map failed");
	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
		fail("write of /proc/self/gid_map failed");

#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices_init();
#endif
	// CLONE_NEWNET must always happen before tun setup,
	// because we want the tun device in the test namespace.
	if (unshare(CLONE_NEWNET))
		fail("unshare(CLONE_NEWNET)");
	// Enable access to IPPROTO_ICMP sockets, must be done after CLONE_NEWNET.
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
	initialize_devlink_pci();
#endif
#if SYZ_EXECUTOR || SYZ_NET_INJECTION
	// We setup tun here as it needs to be in the test net namespace,
	// which in turn needs to be in the test user namespace.
	// However, IFF_NAPI_FRAGS will fail as we are not root already.
	// TODO: we should create tun in the init net namespace and use setns
	// to move it to the target namespace.
	initialize_tun();
#endif
#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices();
#endif
#if SYZ_EXECUTOR || SYZ_WIFI
	initialize_wifi_devices();
#endif

	sandbox_common_mount_tmpfs();
	drop_caps();

	loop();
	doexit(1);
}

#define SYZ_HAVE_SANDBOX_NAMESPACE 1
static int do_sandbox_namespace(void)
{
#if SYZ_EXECUTOR || SYZ_VHCI_INJECTION
	// HCIDEVUP requires CAP_ADMIN, so this needs to happen early.
	initialize_vhci();
#endif
	real_uid = getuid();
	real_gid = getgid();
	mprotect(sandbox_stack, 4096, PROT_NONE); // to catch stack underflows
	int pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64],
			CLONE_NEWUSER | CLONE_NEWPID, 0);
	return wait_for_loop(pid);
}
#endif

#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID
// seccomp only supported for Arm, Arm64, X86, and X86_64 archs
#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
#include <assert.h>
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#include "android/android_seccomp.h"

#if GOARCH_amd64 || GOARCH_386
// Syz-executor is linked against glibc when fuzzing runs on Cuttlefish x86-x64.
// However Android blocks calls into mkdir, rmdir, symlink which causes
// syz-executor to crash. When fuzzing runs on Android device this issue
// is not observed, because syz-executor is linked against Bionic. Under
// the hood Bionic invokes mkdirat, inlinkat and symlinkat, which are
// allowed by seccomp-bpf.
// This issue may exist not only in Android, but also in Linux in general
// where seccomp filtering is enforced.
//
// This trick makes linker believe it matched the correct version of mkdir,
// rmdir, symlink. So now behavior is the same across ARM and non-ARM builds.
inline int mkdir(const char* path, mode_t mode)
{
	return mkdirat(AT_FDCWD, path, mode);
}

inline int rmdir(const char* path)
{
	return unlinkat(AT_FDCWD, path, AT_REMOVEDIR);
}

inline int symlink(const char* old_path, const char* new_path)
{
	return symlinkat(old_path, AT_FDCWD, new_path);
}
#endif

#endif
#include <fcntl.h> // open(2)
#include <grp.h> // setgroups
#include <sys/xattr.h> // setxattr, getxattr

#define AID_NET_BT_ADMIN 3001
#define AID_NET_BT 3002
#define AID_INET 3003
#define AID_EVERYBODY 9997
#define AID_APP 10000

#define UNTRUSTED_APP_UID (AID_APP + 999)
#define UNTRUSTED_APP_GID (AID_APP + 999)

#define SYSTEM_UID 1000
#define SYSTEM_GID 1000

const char* const SELINUX_CONTEXT_UNTRUSTED_APP = "u:r:untrusted_app:s0:c512,c768";
const char* const SELINUX_LABEL_APP_DATA_FILE = "u:object_r:app_data_file:s0:c512,c768";
const char* const SELINUX_CONTEXT_FILE = "/proc/thread-self/attr/current";
const char* const SELINUX_XATTR_NAME = "security.selinux";

const gid_t UNTRUSTED_APP_GROUPS[] = {UNTRUSTED_APP_GID, AID_NET_BT_ADMIN, AID_NET_BT, AID_INET, AID_EVERYBODY};
const size_t UNTRUSTED_APP_NUM_GROUPS = sizeof(UNTRUSTED_APP_GROUPS) / sizeof(UNTRUSTED_APP_GROUPS[0]);

const gid_t SYSTEM_GROUPS[] = {SYSTEM_GID, AID_NET_BT_ADMIN, AID_NET_BT, AID_INET, AID_EVERYBODY};
const size_t SYSTEM_NUM_GROUPS = sizeof(SYSTEM_GROUPS) / sizeof(SYSTEM_GROUPS[0]);

// Similar to libselinux getcon(3), but:
// - No library dependency
// - No dynamic memory allocation
// - Uses fail() instead of returning an error code
static void getcon(char* context, size_t context_size)
{
	int fd = open(SELINUX_CONTEXT_FILE, O_RDONLY);
	if (fd < 0)
		fail("getcon: couldn't open context file");

	ssize_t nread = read(fd, context, context_size);

	close(fd);

	if (nread <= 0)
		fail("getcon: failed to read context file");

	// The contents of the context file MAY end with a newline
	// and MAY not have a null terminator.  Handle this here.
	if (context[nread - 1] == '\n')
		context[nread - 1] = '\0';
}

// Similar to libselinux setcon(3), but:
// - No library dependency
// - No dynamic memory allocation
// - Uses fail() instead of returning an error code
static void setcon(const char* context)
{
	char new_context[512];

	// Attempt to write the new context
	int fd = open(SELINUX_CONTEXT_FILE, O_WRONLY);

	if (fd < 0)
		fail("setcon: could not open context file");

	ssize_t bytes_written = write(fd, context, strlen(context));

	// N.B.: We cannot reuse this file descriptor, since the target SELinux context
	//       may not be able to read from it.
	close(fd);

	if (bytes_written != (ssize_t)strlen(context))
		failmsg("setcon: could not write entire context", "wrote=%zi, expected=%zu", bytes_written, strlen(context));

	// Validate the transition by checking the context
	getcon(new_context, sizeof(new_context));

	if (strcmp(context, new_context) != 0)
		failmsg("setcon: failed to change", "want=%s, context=%s", context, new_context);
}

// Similar to libselinux setfilecon(3), but:
// - No library dependency
// - No dynamic memory allocation
// - Uses fail() instead of returning an error code
static void setfilecon(const char* path, const char* context)
{
	char new_context[512];

	if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0)
		fail("setfilecon: setxattr failed");
	if (getxattr(path, SELINUX_XATTR_NAME, new_context, sizeof(new_context)) < 0)
		fail("setfilecon: getxattr failed");
	if (strcmp(context, new_context) != 0)
		failmsg("setfilecon: could not set context", "want=%s, got=%s", context, new_context);
}

#define SYZ_HAVE_SANDBOX_ANDROID 1

static int do_sandbox_android(uint64 sandbox_arg)
{
	setup_fusectl();
#if SYZ_EXECUTOR || SYZ_VHCI_INJECTION
	initialize_vhci();
#endif
	sandbox_common();
	drop_caps();

#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices_init();
#endif
	// CLONE_NEWNET must always happen before tun setup, because we want the tun
	// device in the test namespace. If we don't do this, executor will crash with
	// SYZFATAL: executor NUM failed NUM times: executor NUM: EOF
	if (unshare(CLONE_NEWNET)) {
		debug("unshare(CLONE_NEWNET): %d\n", errno);
	}
	// Enable access to IPPROTO_ICMP sockets, must be done after CLONE_NEWNET.
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
	initialize_devlink_pci();
#endif
#if SYZ_EXECUTOR || SYZ_NET_INJECTION
	initialize_tun();
#endif
#if SYZ_EXECUTOR || SYZ_NET_DEVICES
	initialize_netdevices();
#endif
	uid_t uid = UNTRUSTED_APP_UID;
	size_t num_groups = UNTRUSTED_APP_NUM_GROUPS;
	const gid_t* groups = UNTRUSTED_APP_GROUPS;
	gid_t gid = UNTRUSTED_APP_GID;
	debug("executor received sandbox_arg=%llu\n", sandbox_arg);
	if (sandbox_arg == 1) {
		uid = SYSTEM_UID;
		num_groups = SYSTEM_NUM_GROUPS;
		groups = SYSTEM_GROUPS;
		gid = SYSTEM_GID;

		debug("fuzzing under SYSTEM account\n");
	}
	if (chown(".", uid, uid) != 0)
		failmsg("do_sandbox_android: chmod failed", "sandbox_arg=%llu", sandbox_arg);

	if (setgroups(num_groups, groups) != 0)
		failmsg("do_sandbox_android: setgroups failed", "sandbox_arg=%llu", sandbox_arg);

	if (setresgid(gid, gid, gid) != 0)
		failmsg("do_sandbox_android: setresgid failed", "sandbox_arg=%llu", sandbox_arg);

	setup_binderfs();

#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
	// Will fail() if anything fails.
	// Must be called when the new process still has CAP_SYS_ADMIN, in this case,
	// before changing uid from 0, which clears capabilities.
	int account = SCFS_RestrictedApp;
	if (sandbox_arg == 1)
		account = SCFS_SystemAccount;
	set_app_seccomp_filter(account);
#endif

	if (setresuid(uid, uid, uid) != 0)
		failmsg("do_sandbox_android: setresuid failed", "sandbox_arg=%llu", sandbox_arg);

	// setresuid and setresgid clear the parent-death signal.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);

	setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
	if (uid == UNTRUSTED_APP_UID)
		setcon(SELINUX_CONTEXT_UNTRUSTED_APP);

	loop();
	doexit(1);
}
#endif

#if SYZ_EXECUTOR || SYZ_REPEAT && SYZ_USE_TMP_DIR
#include <dirent.h>
#include <errno.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// One does not simply remove a directory.
// There can be mounts, so we need to try to umount.
// Moreover, a mount can be mounted several times, so we need to try to umount in a loop.
// Moreover, after umount a dir can become non-empty again, so we need another loop.
// Moreover, a mount can be re-mounted as read-only and then we will fail to make a dir empty.
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;

#if SYZ_EXECUTOR || !SYZ_SANDBOX_ANDROID
	// Starting from v6.9, it does no longer make sense to use MNT_DETACH, because
	// a loop device may only be reused in RW mode if no mounted filesystem keeps a
	// reference to it. So we have to umount them synchronously.
	// MNT_FORCE should hopefully prevent hangs for filesystems that may require a complex cleanup.
	//
	// This declaration should not be moved under retry label, since label followed by a declaration
	// is not supported by old compilers.
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
#endif

retry:
#if SYZ_EXECUTOR || !SYZ_SANDBOX_ANDROID
#if SYZ_EXECUTOR
	if (!flag_sandbox_android)
#endif
		while (umount2(dir, umount_flags) == 0) {
			debug("umount(%s)\n", dir);
		}
#endif
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			// This happens when the test process casts prlimit(NOFILE) on us.
			// Ideally we somehow prevent test processes from messing with parent processes.
			// But full sandboxing is expensive, so let's ignore this error for now.
			exitf("opendir(%s) failed due to NOFILE, exiting", dir);
		}
		exitf("opendir(%s) failed", dir);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		// If it's 9p mount with broken transport, lstat will fail.
		// So try to umount first.
#if SYZ_EXECUTOR || !SYZ_SANDBOX_ANDROID
#if SYZ_EXECUTOR
		if (!flag_sandbox_android)
#endif
			while (umount2(filename, umount_flags) == 0) {
				debug("umount(%s)\n", filename);
			}
#endif
		struct stat st;
		if (lstat(filename, &st))
			exitf("lstat(%s) failed", filename);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Try to reset FS_XFLAG_IMMUTABLE.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
						debug("reset FS_XFLAG_IMMUTABLE\n");
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				debug("ignoring EROFS\n");
				break;
			}
			if (errno != EBUSY || i > 100)
				exitf("unlink(%s) failed", filename);
#if SYZ_EXECUTOR || !SYZ_SANDBOX_ANDROID
#if SYZ_EXECUTOR
			if (!flag_sandbox_android) {
#endif
				debug("umount(%s)\n", filename);
				if (umount2(filename, umount_flags))
					exitf("umount(%s) failed", filename);
#if SYZ_EXECUTOR
			}
#endif
#endif
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				// Try to reset FS_XFLAG_IMMUTABLE.
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
						debug("reset FS_XFLAG_IMMUTABLE\n");
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				debug("ignoring EROFS\n");
				break;
			}
			if (errno == EBUSY) {
#if SYZ_EXECUTOR || !SYZ_SANDBOX_ANDROID
#if SYZ_EXECUTOR
				if (!flag_sandbox_android) {
#endif
					debug("umount(%s)\n", dir);
					if (umount2(dir, umount_flags))
						exitf("umount(%s) failed", dir);
#if SYZ_EXECUTOR
				}
#endif
#endif
				continue;
			}
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exitf("rmdir(%s) failed", dir);
	}
}
#endif

#if SYZ_EXECUTOR || SYZ_FAULT
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	// We treat errors here as temporal/non-critical because we see
	// occasional ENOENT/EACCES errors returned. It seems that fuzzer
	// somehow gets its hands to it.
	if (fd == -1)
		exitf("failed to open /proc/thread-self/fail-nth");
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exitf("failed to write /proc/thread-self/fail-nth");
	return fd;
}
#endif

#if SYZ_EXECUTOR
static int fault_injected(int fail_fd)
{
	char buf[16];
	int n = read(fail_fd, buf, sizeof(buf) - 1);
	if (n <= 0)
		exitf("failed to read /proc/thread-self/fail-nth");
	int res = n == 2 && buf[0] == '0' && buf[1] == '\n';
	buf[0] = '0';
	if (write(fail_fd, buf, 1) != 1)
		exitf("failed to write /proc/thread-self/fail-nth");
	close(fail_fd);
	return res;
}
#endif

#if (SYZ_EXECUTOR || SYZ_REPEAT) && SYZ_EXECUTOR_USES_FORK_SERVER
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	// First, give it up to 100 ms to surrender.
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// Now, try to abort fuse connections as they cause deadlocks,
	// see Documentation/filesystems/fuse.txt for details.
	// There is no good way to figure out the right connections
	// provided that the process could use unshare(CLONE_NEWNS),
	// so we abort all.
	debug("kill is not working\n");
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				debug("failed to open %s: %d\n", abort, errno);
				continue;
			}
			debug("aborting fuse conn %s\n", ent->d_name);
			if (write(fd, abort, 1) < 0) {
				debug("failed to abort: %d\n", errno);
			}
			close(fd);
		}
		closedir(dir);
	} else {
		debug("failed to open /sys/fs/fuse/connections: %d\n", errno);
	}
	// Now, just wait, no other options.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}
#endif

#if (SYZ_EXECUTOR || SYZ_REPEAT && (SYZ_CGROUPS || SYZ_NET_RESET)) && SYZ_EXECUTOR_USES_FORK_SERVER
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SYZ_HAVE_SETUP_LOOP 1
static void setup_loop()
{
#if SYZ_EXECUTOR || SYZ_CGROUPS
	setup_cgroups_loop();
#endif
#if SYZ_EXECUTOR || SYZ_NET_RESET
	checkpoint_net_namespace();
#endif
}
#endif

#if (SYZ_EXECUTOR || SYZ_REPEAT && (SYZ_NET_RESET || __NR_syz_mount_image || __NR_syz_read_part_table)) && SYZ_EXECUTOR_USES_FORK_SERVER
#define SYZ_HAVE_RESET_LOOP 1
static void reset_loop()
{
#if SYZ_EXECUTOR || __NR_syz_mount_image || __NR_syz_read_part_table
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
#endif
#if SYZ_EXECUTOR || SYZ_NET_RESET
	reset_net_namespace();
#endif
}
#endif

#if (SYZ_EXECUTOR || SYZ_REPEAT) && SYZ_EXECUTOR_USES_FORK_SERVER
#include <sys/prctl.h>
#include <unistd.h>

#define SYZ_HAVE_SETUP_TEST 1
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	// We don't check for getppid() == 1 here b/c of unshare(CLONE_NEWPID),
	// our parent is normally pid 1.
	setpgrp();
#if SYZ_EXECUTOR || SYZ_CGROUPS
	setup_cgroups_test();
#endif
	// It's the leaf test process we want to be always killed first.
	write_file("/proc/self/oom_score_adj", "1000");
#if SYZ_EXECUTOR || SYZ_NET_INJECTION
	// Read all remaining packets from tun to better
	// isolate consequently executing programs.
	flush_tun();
#endif
#if SYZ_EXECUTOR || SYZ_USE_TMP_DIR
	// Add a binderfs symlink to the tmp folder.
	if (symlink("/dev/binderfs", "./binderfs")) {
		debug("symlink(/dev/binderfs, ./binderfs) failed: %d", errno);
	}
#endif
}
#endif

#if SYZ_EXECUTOR || SYZ_CLOSE_FDS
#include <sys/syscall.h>
#define SYZ_HAVE_CLOSE_FDS 1
static void close_fds()
{
#if SYZ_EXECUTOR
	if (!flag_close_fds)
		return;
#endif
#ifdef SYS_close_range
	if (!syscall(SYS_close_range, 3, MAX_FDS, 0))
		return;
#endif
	// Keeping a 9p transport pipe open will hang the proccess dead,
	// so close all opened file descriptors.
	// Also close all USB emulation descriptors to trigger exit from USB
	// event loop to collect coverage.
	for (int fd = 3; fd < MAX_FDS; fd++)
		close(fd);
}
#endif

#if SYZ_EXECUTOR || SYZ_FAULT
#include <errno.h>

static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);

	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);

	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    // These are enabled by separate configs (e.g. CONFIG_FAIL_FUTEX)
	    // and we did not check all of them in host.checkFaultInjection, so we ignore errors.
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			debug("failed to write %s: %d\n", files[i].file, errno);
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}
#endif

#if SYZ_EXECUTOR || SYZ_LEAK
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"

static const char* setup_leak()
{
	if (!write_file(KMEMLEAK_FILE, "scan=off")) {
		if (errno == EBUSY)
			return "KMEMLEAK disabled: increase CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE"
			       " or unset CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF";
		return "failed to write(kmemleak, \"scan=off\")";
	}
	// Flush boot leaks.
	if (!write_file(KMEMLEAK_FILE, "scan"))
		return "failed to write(kmemleak, \"scan\")";
	sleep(5); // account for MSECS_MIN_AGE
	if (!write_file(KMEMLEAK_FILE, "scan"))
		return "failed to write(kmemleak, \"scan\")";
	if (!write_file(KMEMLEAK_FILE, "clear"))
		return "failed to write(kmemleak, \"clear\")";
	return NULL;
}

#define SYZ_HAVE_LEAK_CHECK 1
#if SYZ_EXECUTOR
static void check_leaks(char** frames, int nframes)
#else
static void check_leaks(void)
#endif
{
	int fd = open(KMEMLEAK_FILE, O_RDWR);
	if (fd == -1)
		fail("failed to open(kmemleak)");
	// KMEMLEAK has false positives. To mitigate most of them, it checksums
	// potentially leaked objects, and reports them only on the next scan
	// iff the checksum does not change. Because of that we do the following
	// intricate dance:
	// Scan, sleep, scan again. At this point we can get some leaks.
	// If there are leaks, we sleep and scan again, this can remove
	// false leaks. Then, read kmemleak again. If we get leaks now, then
	// hopefully these are true positives during the previous testing cycle.
	uint64 start = current_time_ms();
	if (write(fd, "scan", 4) != 4)
		fail("failed to write(kmemleak, \"scan\")");
	sleep(1);
	// Account for MSECS_MIN_AGE
	// (1 second less because scanning will take at least a second).
	while (current_time_ms() - start < 4 * 1000)
		sleep(1);
	if (write(fd, "scan", 4) != 4)
		fail("failed to write(kmemleak, \"scan\")");
	static char buf[128 << 10];
	ssize_t n = read(fd, buf, sizeof(buf) - 1);
	if (n < 0)
		fail("failed to read(kmemleak)");
	int nleaks = 0;
	if (n != 0) {
		sleep(1);
		if (write(fd, "scan", 4) != 4)
			fail("failed to write(kmemleak, \"scan\")");
		if (lseek(fd, 0, SEEK_SET) < 0)
			fail("failed to lseek(kmemleak)");
		n = read(fd, buf, sizeof(buf) - 1);
		if (n < 0)
			fail("failed to read(kmemleak)");
		buf[n] = 0;
		char* pos = buf;
		char* end = buf + n;
		while (pos < end) {
			char* next = strstr(pos + 1, "unreferenced object");
			if (!next)
				next = end;
			char prev = *next;
			*next = 0;
#if SYZ_EXECUTOR
			int f;
			for (f = 0; f < nframes; f++) {
				if (strstr(pos, frames[f]))
					break;
			}
			if (f != nframes) {
				*next = prev;
				pos = next;
				continue;
			}
#endif
			// BUG in output should be recognized by manager.
			fprintf(stderr, "BUG: memory leak\n%s\n", pos);
			*next = prev;
			pos = next;
			nleaks++;
		}
	}
	if (write(fd, "clear", 5) != 5)
		fail("failed to write(kmemleak, \"clear\")");
	close(fd);
	if (nleaks)
		doexit(1);
}
#endif

#if SYZ_EXECUTOR || SYZ_BINFMT_MISC
#include <fcntl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>

static const char* setup_binfmt_misc()
{
	// EBUSY means it's already mounted here.
	if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0) && errno != EBUSY) {
		debug("mount(binfmt_misc) failed: %d\n", errno);
		return NULL;
	}
	if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:") ||
	    !write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC"))
		return "write(/proc/sys/fs/binfmt_misc/register) failed";
	return NULL;
}
#endif

#if SYZ_EXECUTOR || SYZ_KCSAN
static const char* setup_kcsan()
{
	if (!write_file("/sys/kernel/debug/kcsan", "on"))
		return "write(/sys/kernel/debug/kcsan, on) failed";
	return NULL;
}
#endif

#if SYZ_EXECUTOR || SYZ_USB
static const char* setup_usb()
{
	if (chmod("/dev/raw-gadget", 0666))
		return "failed to chmod /dev/raw-gadget";
	return NULL;
}
#endif

#if SYZ_EXECUTOR || SYZ_SYSCTL
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

static void setup_sysctl()
{
	// See ctrl-alt-del comment below.
	int cad_pid = fork();
	if (cad_pid < 0)
		fail("fork failed");
	if (cad_pid == 0) {
		for (;;)
			sleep(100);
	}
	char tmppid[32];
	snprintf(tmppid, sizeof(tmppid), "%d", cad_pid);

	// TODO: consider moving all sysctl's into CMDLINE config later.
	// Kernel has support for setting sysctl's via command line since 3db978d480e28 (v5.8).
	struct {
		const char* name;
		const char* data;
	} files[] = {
#if GOARCH_amd64 || GOARCH_386
	    // nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
	    // It happens a lot in qemu, and the messages are frequently corrupted
	    // (intermixed with other kernel output as they are printed from NMI)
	    // and are not matched against the suppression in pkg/report.
	    // This write prevents these messages from being printed.
	    {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
#endif
	    {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
	    // bpf_jit_kallsyms and disabling bpf_jit_harden are required
	    // for unwinding through bpf functions.
	    {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
	    {"/proc/sys/net/core/bpf_jit_harden", "0"},
	    // This is to provide more useful info in crash reports.
	    {"/proc/sys/kernel/kptr_restrict", "0"},
	    {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
	    // This is to restrict effects of recursive exponential mounts, for details see
	    // "mnt: Add a per mount namespace limit on the number of mounts" commit.
	    {"/proc/sys/fs/mount-max", "100"},
	    // Dumping all tasks to console can take too long.
	    {"/proc/sys/vm/oom_dump_tasks", "0"},
	    // Executor hits lots of SIGSEGVs, no point in logging them.
	    {"/proc/sys/debug/exception-trace", "0"},
	    {"/proc/sys/kernel/printk", "7 4 1 3"},
	    // Faster gc (1 second) is intended to make tests more repeatable.
	    {"/proc/sys/kernel/keys/gc_delay", "1"},
	    // We always want to prefer killing the allocating test process rather than somebody else
	    // (sshd or another random test process).
	    {"/proc/sys/vm/oom_kill_allocating_task", "1"},
	    // This blocks some of the ways the fuzzer can trigger a reboot.
	    // ctrl-alt-del=0 tells kernel to signal cad_pid instead of rebooting.
	    // We set cad_pid to a transient process pid ctrl-alt-del a no-op.
	    // Note: we need to write a live process pid.
	    // For context see: https://groups.google.com/g/syzkaller-bugs/c/WqOY4TiRnFg/m/6P9u8lWZAQAJ
	    {"/proc/sys/kernel/ctrl-alt-del", "0"},
	    {"/proc/sys/kernel/cad_pid", tmppid},

	};
	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].name, files[i].data)) {
			debug("write to %s failed: %s\n", files[i].name, strerror(errno));
		}
	}
	kill(cad_pid, SIGKILL);
	while (waitpid(cad_pid, NULL, 0) != cad_pid)
		;
}
#endif

#if SYZ_EXECUTOR || SYZ_802154
#include <net/if.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define NL802154_CMD_SET_SHORT_ADDR 11
#define NL802154_ATTR_IFINDEX 3
#define NL802154_ATTR_SHORT_ADDR 10

static const char* setup_802154()
{
	const char* error = NULL;
	int sock_generic = -1;
	int sock_route = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock_route == -1) {
		error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) failed";
		goto fail;
	}
	sock_generic = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock_generic == -1) {
		error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed";
		goto fail;
	}
	{
		int nl802154_family_id = netlink_query_family_id(&nlmsg, sock_generic, "nl802154", true);
		if (nl802154_family_id < 0) {
			error = "netlink_query_family_id failed";
			goto fail;
		}

		for (int i = 0; i < 2; i++) {
			// wpan0/1 are created by CONFIG_IEEE802154_HWSIM.
			// sys/linux/socket_ieee802154.txt knowns about these names and consts.
			char devname[] = "wpan0";
			devname[strlen(devname) - 1] += i;
			uint64 hwaddr = 0xaaaaaaaaaaaa0002 + (i << 8);
			uint16 shortaddr = 0xaaa0 + i;
			int ifindex = if_nametoindex(devname);
			struct genlmsghdr genlhdr;
			memset(&genlhdr, 0, sizeof(genlhdr));
			genlhdr.cmd = NL802154_CMD_SET_SHORT_ADDR;
			netlink_init(&nlmsg, nl802154_family_id, 0, &genlhdr, sizeof(genlhdr));
			netlink_attr(&nlmsg, NL802154_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
			netlink_attr(&nlmsg, NL802154_ATTR_SHORT_ADDR, &shortaddr, sizeof(shortaddr));
			if (netlink_send(&nlmsg, sock_generic) < 0) {
				error = "NL802154_CMD_SET_SHORT_ADDR failed";
				goto fail;
			}
			netlink_device_change(&nlmsg, sock_route, devname, true, 0, &hwaddr, sizeof(hwaddr), 0);
			if (i == 0) {
				netlink_add_device_impl(&nlmsg, "lowpan", "lowpan0", false);
				netlink_done(&nlmsg);
				netlink_attr(&nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
				if (netlink_send(&nlmsg, sock_route) < 0) {
					error = "netlink: adding device lowpan0 type lowpan link wpan0";
					goto fail;
				}
			}
		}
	}
fail:
	close(sock_route);
	close(sock_generic);
	return error;
}
#endif

#if GOARCH_s390x
#include <sys/mman.h>
// Ugly way to work around gcc's "error: function called through a non-compatible type".
// Simply casting via (void*) inline does not work b/c gcc sees through a chain of casts.
// The macro is used in generated C code.
#define CAST(f) ({void* p = (void*)f; p; })
#endif

#if SYZ_EXECUTOR || __NR_syz_fuse_handle_req
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

// From linux/fuse.h
#define FUSE_MIN_READ_BUFFER 8192

// From linux/fuse.h
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2, // no reply
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51,
	FUSE_STATX = 52,

	// CUSE specific operations
	CUSE_INIT = 4096,

	// Reserved opcodes: helpful to detect structure endian-ness
	CUSE_INIT_BSWAP_RESERVED = 1048576, // CUSE_INIT << 8
	FUSE_INIT_BSWAP_RESERVED = 436207616, // FUSE_INIT << 24
};

// From linux/fuse.h
struct fuse_in_header {
	uint32 len;
	uint32 opcode;
	uint64 unique;
	uint64 nodeid;
	uint32 uid;
	uint32 gid;
	uint32 pid;
	uint32 padding;
};

// From linux/fuse.h
struct fuse_out_header {
	uint32 len;
	// This is actually a int32_t but *_t variants fail to compile inside
	// the executor (it appends an additional _t for some reason) and int32
	// does not exist. Since we don't touch this field, defining it as
	// unsigned should not cause any problems.
	uint32 error;
	uint64 unique;
};

// Struct shared between syz_fuse_handle_req() and the fuzzer. Used to provide
// a fuzzed response for each request type.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

// Link the reponse to the request and send it to /dev/fuse.
static int fuse_send_response(int fd,
			      const struct fuse_in_header* in_hdr,
			      struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		debug("fuse_send_response: received a NULL out_hdr\n");
		return -1;
	}

	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		debug("fuse_send_response > write failed: %d\n", errno);
		return -1;
	}

	return 0;
}

// This function reads a request from /dev/fuse and tries to pick the correct
// response from the input struct syz_fuse_req_out (a3). Responses are still
// generated by the fuzzer.
static volatile long syz_fuse_handle_req(volatile long a0, // /dev/fuse fd.
					 volatile long a1, // Read buffer.
					 volatile long a2, // Buffer len.
					 volatile long a3) // syz_fuse_req_out.
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;

	if (!req_out) {
		debug("syz_fuse_handle_req: received a NULL syz_fuse_req_out\n");
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		debug("FUSE requires the read buffer to be at least %u\n", FUSE_MIN_READ_BUFFER);
		return -1;
	}

	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		debug("syz_fuse_handle_req > read failed: %d\n", errno);
		return -1;
	}
	// Safe to do because ret > 0 (!= -1) and < FUSE_MIN_READ_BUFFER (= 8192).
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		debug("syz_fuse_handle_req: received a truncated FUSE header\n");
		return -1;
	}

	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	debug("syz_fuse_handle_req: received opcode %d\n", in_hdr->opcode);
	if (in_hdr->len > (uint32)ret) {
		debug("syz_fuse_handle_req: received a truncated message\n");
		return -1;
	}

	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These opcodes do not have any reply data. Hence, we pick
		// another response and only use the shared header.
		out_hdr = req_out->init;
		if (!out_hdr) {
			debug("syz_fuse_handle_req: received a NULL out_hdr\n");
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// FUSE_FORGET and FUSE_BATCH_FORGET expect no reply.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		debug("syz_fuse_handle_req: unknown FUSE opcode\n");
		return -1;
	}

	return fuse_send_response(fd, in_hdr, out_hdr);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_80211_inject_frame
#include <errno.h>
#include <linux/genetlink.h>
#include <linux/if_ether.h>
#include <linux/nl80211.h>
#include <net/if.h>
#include <sys/ioctl.h>

// This pseudo syscall performs 802.11 frame injection.
//
// Its current implementation performs the injection by means of mac80211_hwsim.
// The procedure consists of the following steps:
// 1. Open a netlink socket
// 2. Register as an application responsible for wireless medium simulation by executing
//    HWSIM_CMD_REGISTER. This is a preq-requisite for the following step. After HWSIM_CMD_REGISTER
//    is executed, mac80211_hwsim stops simulating a perfect medium.
//    It is also important to note that this command registers a specific socket, not a netlink port.
// 3. Inject a frame to the required interface by executing HWSIM_CMD_FRAME.
// 4. Close the socket. mac80211_hwsim will detect this and return to perfect medium simulation.
//
// Note that we cannot (should not) open a socket, register it once and then use it for frame injection
// throughout the lifetime of a proc. When some socket is registered, mac80211_hwsim does not broadcast
// frames to all interfaces itself. As we do not perform this activity either, a permanently registered
// socket will disrupt normal network operation.

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3

#define WIFI_MAX_INJECT_LEN 2048

static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
		debug("hwsim_register_device failed: %s\n", strerror(errno));
	}
	return err;
}

static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8* mac_addr, uint8* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32 rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32 signal = WIFI_DEFAULT_SIGNAL;

	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
		debug("hwsim_inject_frame failed: %s\n", strerror(errno));
	}
	return err;
}

static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8* mac_addr = (uint8*)a0;
	uint8* buf = (uint8*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;

	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		debug("syz_80211_inject_frame: wrong buffer size %d\n", buf_len);
		return -1;
	}

	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		debug("syz_80211_inject_frame: socket creation failed, errno %d\n", errno);
		return -1;
	}

	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		debug("syz_80211_inject_frame: failed to query family id\n");
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		debug("syz_80211_inject_frame: failed to register socket, ret %d\n", ret);
		close(sock);
		return -1;
	}

	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		debug("syz_80211_inject_frame: failed to inject message, ret %d\n", ret);
		return -1;
	}

	return 0;
}

#endif

#if SYZ_EXECUTOR || __NR_syz_80211_join_ibss

#define WIFI_MAX_SSID_LEN 32

#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8* ssid = (uint8*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3; // This parameter essentially determines whether it will perform a scan

	struct nlmsg tmp_msg;
	uint8 bssid[ETH_ALEN] = WIFI_IBSS_BSSID;

	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		debug("syz_80211_join_ibss: invalid ssid len %d\n", ssid_len);
		return -1;
	}

	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		debug("syz_80211_join_ibss: invalid mode %d\n", mode);
		return -1;
	}

	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		debug("syz_80211_join_ibss: socket creation failed, errno %d\n", errno);
		return -1;
	}

	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		debug("syz_80211_join_ibss: netlink_query_family_id failed\n");
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};

	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		debug("syz_80211_join_ibss: failed set up IBSS network for %.32s\n", interface);
		return -1;
	}

	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			debug("syz_80211_join_ibss: await_ifla_operstate failed for %.32s, ret %d\n", interface, ret);
			return -1;
		}
	}

	return 0;
}

#endif

#if SYZ_EXECUTOR || __NR_syz_clone || __NR_syz_clone3
#if SYZ_EXECUTOR
// The slowdown multiplier is already taken into account.
#define USLEEP_FORKED_CHILD (3 * syscall_timeout_ms * 1000)
#else
#define USLEEP_FORKED_CHILD (3 * /*{{{BASE_CALL_TIMEOUT_MS}}}*/ *1000)
#endif

static long handle_clone_ret(long ret)
{
	if (ret != 0) {
#if SYZ_EXECUTOR || SYZ_HANDLE_SEGV
		__atomic_store_n(&clone_ongoing, 0, __ATOMIC_RELAXED);
#endif
		return ret;
	}
	// Exit if we're in the child process - not all kernels provide the proper means
	// to prevent fork-bombs.
	// But first sleep for some time. This will hopefully foster IPC fuzzing.
	usleep(USLEEP_FORKED_CHILD);
	// Note that exit_group is a bad choice here because if we created just a thread, then
	// the whole process will be killed. A plain exit will work fine in any case.
	syscall(__NR_exit, 0);
	while (1) {
	}
}
#endif

#if SYZ_EXECUTOR || __NR_syz_clone
#include <sched.h>

// syz_clone is mostly needed on kernels which do not suport clone3.
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len,
		      volatile long ptid, volatile long ctid, volatile long tls)
{
	// ABI requires 16-byte stack alignment.
	long sp = (stack + stack_len) & ~15;
#if SYZ_EXECUTOR || SYZ_HANDLE_SEGV
	__atomic_store_n(&clone_ongoing, 1, __ATOMIC_RELAXED);
#endif
	// Clear the CLONE_VM flag. Otherwise it'll very likely corrupt syz-executor.
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}
#endif

#if SYZ_EXECUTOR || __NR_syz_clone3
#include <linux/sched.h>
#include <sched.h>

#define MAX_CLONE_ARGS_BYTES 256
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	// The structure may have different sizes on different kernel versions, so copy it as raw bytes.
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);

	// As in syz_clone, clear the CLONE_VM flag. Flags are in the first 8-byte integer field.
	uint64* flags = (uint64*)&clone_args;
	*flags &= ~CLONE_VM;
#if SYZ_EXECUTOR || SYZ_HANDLE_SEGV
	__atomic_store_n(&clone_ongoing, 1, __ATOMIC_RELAXED);
#endif
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

#endif

#if SYZ_EXECUTOR || __NR_syz_pkey_set
#include <errno.h>
#define RESERVED_PKEY 15
// syz_pkey_set(key pkey, val flags[pkey_flags])
static long syz_pkey_set(volatile long pkey, volatile long val)
{
#if GOARCH_amd64 || GOARCH_386
	if (pkey == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	uint32 eax = 0;
	uint32 ecx = 0;
	asm volatile("rdpkru"
		     : "=a"(eax)
		     : "c"(ecx)
		     : "edx");
	// PKRU register contains 2 bits per key.
	// Max number of keys is 16.
	// Clear old bits for the key:
	eax &= ~(3 << ((pkey % 16) * 2));
	// Set new bits for the key:
	eax |= (val & 3) << ((pkey % 16) * 2);
	uint32 edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
#endif
	return 0;
}
#endif

#if SYZ_EXECUTOR || SYZ_SWAP
#include <fcntl.h>
#include <linux/falloc.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/swap.h>
#include <sys/types.h>

#define SWAP_FILE "./swap-file"
#define SWAP_FILE_SIZE (128 * 1000 * 1000) // 128 MB.

static const char* setup_swap()
{
	// The call must be idempotent, so first disable swap and remove the swap file.
	swapoff(SWAP_FILE);
	unlink(SWAP_FILE);
	// Zero-fill the file.
	int fd = open(SWAP_FILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
	if (fd == -1)
		return "swap file open failed";
	// We cannot do ftruncate -- swapon complains about this. Do fallocate instead.
	fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE);
	close(fd);
	// Set up the swap file.
	char cmdline[64];
	sprintf(cmdline, "mkswap %s", SWAP_FILE);
	if (runcmdline(cmdline))
		return "mkswap failed";
	if (swapon(SWAP_FILE, SWAP_FLAG_PREFER) == 1)
		return "swapon failed";
	return NULL;
}
#endif

#if SYZ_EXECUTOR || __NR_syz_pidfd_open
#include <sys/syscall.h>

// TODO: long-term we should improve our sandboxing rules since there are also
// many other opportunities for a fuzzer process to access what it shouldn't.
// Here we only shut down one of the recently discovered ways.
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		// Under a PID namespace, pid=1 is the parent process.
		// We don't want a forked child to mangle parent syz-executor's fds.
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

#endif

#if SYZ_EXECUTOR || __NR_syz_kfuzztest_run

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data,
			      volatile long input_data_size, volatile long buffer)
{
	const char* test_name = (const char*)test_name_ptr;
	if (!test_name) {
		debug("syz_kfuzztest_run: test name was NULL\n");
		return -1;
	}
	if (!buffer) {
		debug("syz_kfuzztest_run: buffer was NULL\n");
		return -1;
	}

	char buf[256];
	int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name);
	if (ret < 0 || (unsigned long)ret >= sizeof(buf)) {
		debug("syz_kfuzztest_run: constructed path is too long or snprintf failed\n");
		return -1;
	}

	int fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
	if (fd < 0) {
		debug("syz_kfuzztest_run: failed to open %s\n", buf);
		return -1;
	}

	ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
	if (bytes_written != input_data_size) {
		debug("syz_kfuzztest_run: failed to write to %s, reason: %s\n", buf, strerror(errno));
		close(fd);
		return -1;
	}

	if (close(fd) != 0) {
		debug("syz_kfuzztest_run: failed to close file\n");
		return -1;
	}

	return 0;
}

#endif