dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xd00000000000000) [ 327.575811][T21382] binder: 21380:21382 got transaction to invalid handle 15:41:40 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x01', 0x0, 0x0) 15:41:40 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xc0ed0000, 0x0) 15:41:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 327.680207][T21414] binder_alloc_mmap_handler: 3 callbacks suppressed [ 327.680226][T21414] binder_alloc: binder_alloc_mmap_handler: 21380 20001000-20004000 already mapped failed -16 15:41:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xc00000000000000) 15:41:40 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 327.775194][T21382] binder: BINDER_SET_CONTEXT_MGR already set [ 327.806395][T21382] binder: 21380:21382 ioctl 40046207 0 returned -16 [ 327.814881][T21427] binder_alloc: 21380: binder_alloc_buf, no vma [ 327.835106][ T7767] binder: release 21380:21382 transaction 741 out, still active [ 327.850923][ T7767] binder: unexpected work type, 4, not freed [ 327.874702][ T7767] binder_release_work: 2 callbacks suppressed 15:41:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 327.874706][ T7767] binder: undelivered TRANSACTION_COMPLETE [ 327.891092][ T7767] binder: send failed reply for transaction 741, target dead [ 328.010802][T21441] binder: 21435:21441 got transaction to invalid handle 15:41:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000) [ 328.051412][T21502] binder_alloc: binder_alloc_mmap_handler: 21435 20001000-20004000 already mapped failed -16 [ 328.051662][T21469] binder: BINDER_SET_CONTEXT_MGR already set [ 328.068506][T21469] binder: 21460:21469 ioctl 40046207 0 returned -16 15:41:41 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff, 0x0) [ 328.124184][T21441] binder: BINDER_SET_CONTEXT_MGR already set [ 328.162206][T21441] binder: 21435:21441 ioctl 40046207 0 returned -16 [ 328.179657][ T7752] binder: send failed reply for transaction 747 to 21435:21441 [ 328.210297][ T7752] binder: undelivered TRANSACTION_COMPLETE 15:41:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x18000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:41 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xc71d7f500000000) 15:41:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 328.340599][T21729] binder: 21725:21729 got transaction to invalid handle 15:41:41 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff, 0x0) [ 328.401768][T21767] binder_alloc: binder_alloc_mmap_handler: 21725 20001000-20004000 already mapped failed -16 [ 328.458118][T21765] binder: BINDER_SET_CONTEXT_MGR already set [ 328.486798][T21765] binder: 21764:21765 ioctl 40046207 0 returned -16 [ 328.531368][T21729] binder_alloc: 21725: binder_alloc_buf, no vma [ 328.569191][T21815] binder: BINDER_SET_CONTEXT_MGR already set 15:41:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xf00000000000000) [ 328.634516][T21815] binder: 21725:21815 ioctl 40046207 0 returned -16 [ 328.634721][ T7752] binder: release 21725:21729 transaction 752 out, still active 15:41:41 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0) 15:41:41 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffff000, 0x0) 15:41:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 15:41:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 328.782396][ T7752] binder: unexpected work type, 4, not freed [ 328.788428][ T7752] binder: undelivered TRANSACTION_COMPLETE [ 328.814729][T21990] binder: BINDER_SET_CONTEXT_MGR already set 15:41:41 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x02', 0x0, 0x0) [ 328.853044][T21990] binder: 21989:21990 ioctl 40046207 0 returned -16 [ 328.854248][ T7752] binder: send failed reply for transaction 752, target dead 15:41:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xd00000000000000) [ 328.910059][T22026] binder: 21997:22026 got transaction to invalid handle 15:41:41 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffdf9, 0x0) 15:41:41 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0) [ 328.990278][T22186] binder_alloc: binder_alloc_mmap_handler: 21997 20001000-20004000 already mapped failed -16 15:41:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 15:41:42 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1000000000000000) [ 329.083071][T22026] binder: BINDER_SET_CONTEXT_MGR already set [ 329.119203][T22209] binder_alloc: 21997: binder_alloc_buf, no vma [ 329.150114][ T2597] binder: send failed reply for transaction 758 to 21997:22026 [ 329.170267][T22265] binder: 22229:22265 got new transaction with bad transaction stack, transaction 764 has target 22229:0 [ 329.175945][T22026] binder: 21997:22026 ioctl 40046207 0 returned -16 [ 329.185287][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:41:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 15:41:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfffffdfd, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0) [ 329.244007][ T2597] binder: release 22229:22265 transaction 764 out, still active [ 329.265176][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 329.281785][ T2597] binder: send failed reply for transaction 764, target dead 15:41:42 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f, 0x0) 15:41:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000) [ 329.381905][ T7752] binder: release 22331:22332 transaction 767 out, still active [ 329.394997][ T7752] binder: undelivered TRANSACTION_COMPLETE 15:41:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 329.508938][ T7752] binder: send failed reply for transaction 767, target dead [ 329.513409][T22372] binder: 22353:22372 got transaction to invalid handle [ 329.576669][T22449] binder: BINDER_SET_CONTEXT_MGR already set 15:41:42 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff8c, 0x0) [ 329.623288][T22449] binder: 22448:22449 ioctl 40046207 0 returned -16 [ 329.642894][T22452] binder_alloc: binder_alloc_mmap_handler: 22353 20001000-20004000 already mapped failed -16 15:41:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xf00000000000000) 15:41:42 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1100000000000000) [ 329.687644][T22372] binder: BINDER_SET_CONTEXT_MGR already set [ 329.713046][T22372] binder: 22353:22372 ioctl 40046207 0 returned -16 [ 329.715468][T22525] binder_alloc: 22353: binder_alloc_buf, no vma [ 329.784310][ T7752] binder: send failed reply for transaction 769 to 22353:22372 [ 329.803034][ T7752] binder: undelivered TRANSACTION_COMPLETE 15:41:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0) 15:41:42 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffff6, 0x0) 15:41:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 15:41:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0) [ 330.022121][ T7757] binder: release 22697:22712 transaction 775 out, still active [ 330.039651][T22722] binder: BINDER_SET_CONTEXT_MGR already set [ 330.052080][ T7757] binder: undelivered TRANSACTION_COMPLETE 15:41:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1200000000000000) [ 330.073164][T22722] binder: 22710:22722 ioctl 40046207 0 returned -16 15:41:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 330.113924][T22780] binder_alloc: binder_alloc_mmap_handler: 22710 20001000-20004000 already mapped failed -16 [ 330.135224][ T7757] binder: send failed reply for transaction 775, target dead [ 330.148189][ T7757] binder: send failed reply for transaction 776 to 22710:22780 15:41:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1000000000000000) 15:41:43 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xedc000000000, 0x0) [ 330.174026][T22790] binder_alloc: 22710: binder_alloc_buf, no vma [ 330.208761][ T7757] binder: undelivered transaction 779, process died. 15:41:43 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xc0', 0x0, 0x0) 15:41:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x200000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 330.235736][ T7757] binder: undelivered TRANSACTION_COMPLETE [ 330.254303][T22793] binder: 22792:22793 ioctl c0306201 0 returned -14 [ 330.268990][ T7757] binder: undelivered TRANSACTION_COMPLETE [ 330.309770][ T7757] binder: release 22792:22793 transaction 783 out, still active 15:41:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 15:41:43 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 330.387259][T22810] binder: BINDER_SET_CONTEXT_MGR already set [ 330.396331][ T7757] binder: send failed reply for transaction 783, target dead [ 330.419149][T22810] binder: 22809:22810 ioctl 40046207 0 returned -16 [ 330.478712][T22814] binder_alloc: binder_alloc_mmap_handler: 22809 20001000-20004000 already mapped failed -16 [ 330.501775][T22815] binder: 22813:22815 ioctl c0306201 0 returned -14 15:41:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1300000000000000) 15:41:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 330.558786][ T7757] binder: release 22813:22815 transaction 787 out, still active [ 330.593571][ T7757] binder: release 22809:22814 transaction 788 out, still active 15:41:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x1800000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 330.636901][ T7757] binder: unexpected work type, 4, not freed 15:41:43 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0ffffffffffff, 0x0) [ 330.682521][ T7757] binder: send failed reply for transaction 787, target dead [ 330.710576][T22928] binder: 22927:22928 ioctl c0306201 0 returned -14 [ 330.714663][ T7757] binder: send failed reply for transaction 788, target dead 15:41:43 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0) [ 330.781357][ T7757] binder: release 22927:22928 transaction 792 out, still active [ 330.802593][T22934] binder: BINDER_SET_CONTEXT_MGR already set 15:41:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 330.846755][T22934] binder: 22931:22934 ioctl 40046207 0 returned -16 [ 330.870354][ T7767] binder: send failed reply for transaction 792, target dead [ 330.884147][T22960] binder_alloc: binder_alloc_mmap_handler: 22931 20001000-20004000 already mapped failed -16 15:41:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1100000000000000) 15:41:43 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 330.885200][ T7767] binder: send failed reply for transaction 793 to 22931:22960 [ 330.944551][T22934] binder_transaction: 16 callbacks suppressed [ 330.944571][T22934] binder: 22931:22934 transaction failed 29189/-22, size 24-8 line 2994 [ 330.951024][ T7767] binder: undelivered transaction 796, process died. [ 330.978407][T23023] binder: BINDER_SET_CONTEXT_MGR already set [ 331.007512][T23023] binder: 23010:23023 ioctl 40046207 0 returned -16 [ 331.039107][ T7767] binder_release_work: 23 callbacks suppressed [ 331.039114][ T7767] binder: undelivered TRANSACTION_ERROR: 29189 15:41:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:44 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x100000000000000, 0x0) [ 331.068050][ T7767] binder: undelivered TRANSACTION_ERROR: 29189 15:41:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1400000000000000) 15:41:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 15:41:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x80', 0x0, 0x0) [ 331.246918][T23162] binder_alloc: binder_alloc_mmap_handler: 23155 20001000-20004000 already mapped failed -16 [ 331.298374][T23166] binder: BINDER_SET_CONTEXT_MGR already set [ 331.319983][T23166] binder: 23164:23166 ioctl 40046207 0 returned -16 [ 331.339817][T23166] binder_alloc: 23155: binder_alloc_buf, no vma [ 331.349649][T23166] binder: 23164:23166 transaction failed 29189/-3, size 0-0 line 3147 [ 331.359550][T23160] binder_alloc: 23155: binder_alloc_buf, no vma 15:41:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1200000000000000) [ 331.404021][ T7752] binder: undelivered TRANSACTION_ERROR: 29189 [ 331.413366][T23160] binder: 23155:23160 transaction failed 29189/-3, size 24-8 line 3147 [ 331.421785][ T7752] binder: send failed reply for transaction 800 to 23155:23160 15:41:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0) 15:41:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 331.463002][ T7752] binder: undelivered transaction 803, process died. 15:41:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 331.522227][ T7752] binder: undelivered TRANSACTION_ERROR: 29189 [ 331.557524][ T7752] binder: undelivered TRANSACTION_ERROR: 29189 [ 331.610099][ T5] binder: release 23185:23216 transaction 807 out, still active 15:41:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0}) [ 331.661767][T23288] binder: BINDER_SET_CONTEXT_MGR already set 15:41:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1300000000000000) 15:41:44 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x200000000000000, 0x0) [ 331.741136][T23288] binder: 23248:23288 ioctl 40046207 0 returned -16 [ 331.748276][ T7752] binder: send failed reply for transaction 807, target dead [ 331.766451][T23296] binder: 23248:23296 transaction failed 29189/-22, size 24-8 line 2994 [ 331.786430][ T7752] binder: release 23295:23297 transaction 810 out, still active 15:41:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1500000000000000) 15:41:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0}) [ 331.830678][T23296] binder_alloc: binder_alloc_mmap_handler: 23248 20001000-20004000 already mapped failed -16 [ 331.851563][ T7756] binder: send failed reply for transaction 810, target dead [ 331.894671][T23300] binder_alloc: 23248: binder_alloc_buf, no vma [ 331.899036][ T7756] binder: undelivered transaction 811, process died. [ 331.932460][T23300] binder: 23248:23300 transaction failed 29189/-3, size 24-8 line 3147 [ 331.940229][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:41:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 331.976678][ T7752] binder: release 23311:23314 transaction 815 out, still active 15:41:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0}) [ 332.118475][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:41:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x18, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:45 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1600000000000000) 15:41:45 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa00000000000000, 0x0) 15:41:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 332.235625][T23428] binder: BINDER_SET_CONTEXT_MGR already set [ 332.256597][T23428] binder: 23425:23428 ioctl 40046207 0 returned -16 15:41:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1400000000000000) 15:41:45 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 332.332748][T23428] binder: 23425:23428 transaction failed 29189/-22, size 24-8 line 2994 [ 332.346758][T23435] binder: 23434:23435 got new transaction with bad transaction stack, transaction 820 has target 23434:0 [ 332.395823][T23428] binder: BINDER_SET_CONTEXT_MGR already set [ 332.405709][T23435] binder: 23434:23435 transaction failed 29201/-71, size 0-0 line 3044 [ 332.416054][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 332.423865][T23428] binder: 23425:23428 ioctl 40046207 0 returned -16 [ 332.430588][ T5] binder: unexpected work type, 4, not freed 15:41:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1800, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 332.447585][ T5] binder: undelivered TRANSACTION_ERROR: 29201 15:41:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 332.541141][ T5] binder: undelivered transaction 822, process died. [ 332.563213][T23454] binder: BINDER_SET_CONTEXT_MGR already set [ 332.615594][T23454] binder: 23452:23454 ioctl 40046207 0 returned -16 [ 332.616221][T23477] binder_alloc: 23452: binder_alloc_buf, no vma [ 332.631757][ T5] binder: send failed reply for transaction 827 to 23452:23454 15:41:45 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:45 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1700000000000000) [ 332.671967][ T5] binder: undelivered transaction 830, process died. [ 332.694990][ T5] binder: unexpected work type, 4, not freed [ 332.707628][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 332.731374][T23477] binder: 23452:23477 transaction failed 29189/-3, size 24-0 line 3147 15:41:45 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xc71d7f500000000) 15:41:45 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000000000000, 0x0) 15:41:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 332.789127][ T5] binder: undelivered transaction 836, process died. 15:41:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1500000000000000) [ 332.937547][T23583] binder_alloc_mmap_handler: 2 callbacks suppressed [ 332.937566][T23583] binder_alloc: binder_alloc_mmap_handler: 23580 20001000-20004000 already mapped failed -16 [ 332.986988][T23581] binder: BINDER_SET_CONTEXT_MGR already set [ 333.009708][T23581] binder: 23580:23581 ioctl 40046207 0 returned -16 [ 333.030238][T23635] binder_alloc: 23580: binder_alloc_buf, no vma 15:41:45 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 333.041452][T23635] binder: 23580:23635 transaction failed 29189/-3, size 24-8 line 3147 15:41:46 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xc71d7f500000000) [ 333.131510][T23581] binder_alloc: 23580: binder_alloc_buf, no vma 15:41:46 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1800000000000000) [ 333.180375][T23581] binder: 23580:23581 transaction failed 29189/-3, size 24-0 line 3147 [ 333.189683][ T2597] binder: send failed reply for transaction 838 to 23580:23581 [ 333.225294][ T2597] binder: undelivered transaction 841, process died. 15:41:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 333.267955][ T2597] binder_release_work: 20 callbacks suppressed [ 333.267960][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:41:46 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2010000000000000, 0x0) [ 333.324293][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:41:46 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 333.392625][T23807] binder_alloc: binder_alloc_mmap_handler: 23800 20001000-20004000 already mapped failed -16 15:41:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1600000000000000) [ 333.472033][T23805] binder: BINDER_SET_CONTEXT_MGR already set [ 333.493427][T23805] binder: 23800:23805 ioctl 40046207 0 returned -16 [ 333.534899][T23811] binder_alloc: 23800: binder_alloc_buf, no vma [ 333.557639][ T5] binder: unexpected work type, 4, not freed [ 333.568039][ T5] binder: undelivered TRANSACTION_COMPLETE [ 333.575852][T23807] binder_alloc: 23800: binder_alloc_buf, no vma 15:41:46 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1900000000000000) [ 333.603618][ T5] binder: undelivered TRANSACTION_COMPLETE 15:41:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x18000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 333.656145][ T5] binder: undelivered transaction 848, process died. 15:41:46 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f00000000000000, 0x0) 15:41:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1700000000000000) 15:41:46 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 333.839076][T23929] binder_alloc: binder_alloc_mmap_handler: 23926 20001000-20004000 already mapped failed -16 15:41:46 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000) [ 333.886629][T23927] binder: BINDER_SET_CONTEXT_MGR already set [ 334.020211][T23927] binder: 23926:23927 ioctl 40046207 0 returned -16 [ 334.020967][T23945] binder_alloc: 23926: binder_alloc_buf, no vma [ 334.104568][ T5] binder: unexpected work type, 4, not freed [ 334.115641][ T5] binder: undelivered TRANSACTION_COMPLETE [ 334.139405][ T5] binder: undelivered TRANSACTION_COMPLETE [ 334.166661][ T5] binder_send_failed_reply: 6 callbacks suppressed [ 334.166668][ T5] binder: send failed reply for transaction 852, target dead 15:41:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:47 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 334.207070][ T5] binder: undelivered transaction 855, process died. 15:41:47 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000000000000, 0x0) 15:41:47 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1a00000000000000) [ 334.312433][T24054] binder_alloc: binder_alloc_mmap_handler: 24052 20001000-20004000 already mapped failed -16 15:41:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1800000000000000) [ 334.418685][T24054] binder_alloc: 24052: binder_alloc_buf, no vma [ 334.444534][T24062] binder: BINDER_SET_CONTEXT_MGR already set [ 334.463545][ T17] binder_thread_release: 6 callbacks suppressed [ 334.463555][ T17] binder: release 24052:24053 transaction 858 out, still active [ 334.483497][T24062] binder: 24052:24062 ioctl 40046207 0 returned -16 [ 334.509577][ T17] binder: unexpected work type, 4, not freed 15:41:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfffffdfd, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:47 executing program 4: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x40000000, 0x0) 15:41:47 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 334.550573][ T17] binder: undelivered TRANSACTION_COMPLETE [ 334.571925][ T17] binder: undelivered TRANSACTION_COMPLETE [ 334.628732][ T17] binder: send failed reply for transaction 858, target dead [ 334.716754][T24145] binder_alloc: binder_alloc_mmap_handler: 24118 20001000-20004000 already mapped failed -16 15:41:47 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8cffffff00000000, 0x0) [ 334.767880][T24135] binder: BINDER_SET_CONTEXT_MGR already set [ 334.780771][T24135] binder: 24118:24135 ioctl 40046207 0 returned -16 [ 334.788276][ T5] binder: release 24118:24135 transaction 865 out, still active [ 334.801446][ T5] binder: unexpected work type, 4, not freed 15:41:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x100000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1900000000000000) [ 334.828914][ T5] binder: undelivered TRANSACTION_COMPLETE [ 334.838726][ T5] binder: undelivered TRANSACTION_COMPLETE [ 334.854585][ T5] binder: send failed reply for transaction 865, target dead [ 334.893135][T24196] binder_alloc: binder_alloc_mmap_handler: 24194 20001000-20004000 already mapped failed -16 15:41:47 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:47 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1b00000000000000) [ 334.963328][T26837] binder: send failed reply for transaction 871 to 24194:24195 15:41:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:48 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x200000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1a00000000000000) [ 335.174562][T24216] binder: 24215:24216 got reply transaction with bad transaction stack, transaction 877 has target 24215:0 [ 335.190276][T24250] binder: BINDER_SET_CONTEXT_MGR already set [ 335.227786][T24250] binder: 24248:24250 ioctl 40046207 0 returned -16 [ 335.229771][ T5] binder: release 24215:24216 transaction 877 out, still active 15:41:48 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff00000000, 0x0) 15:41:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 335.273051][ T5] binder: unexpected work type, 4, not freed [ 335.283891][T24323] binder_alloc: binder_alloc_mmap_handler: 24248 20001000-20004000 already mapped failed -16 [ 335.332758][ T5] binder: send failed reply for transaction 877, target dead 15:41:48 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1c00000000000000) 15:41:48 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 335.378062][ T5] binder: send failed reply for transaction 881 to 24248:24323 15:41:48 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 335.432995][ T5] binder_cleanup_transaction: 3 callbacks suppressed [ 335.433004][ T5] binder: undelivered transaction 884, process died. 15:41:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 335.488325][T24337] binder: BINDER_SET_CONTEXT_MGR already set [ 335.508844][T24337] binder: 24333:24337 ioctl 40046207 0 returned -16 [ 335.595469][T24346] binder_alloc: binder_alloc_mmap_handler: 24343 20001000-20004000 already mapped failed -16 [ 335.626187][T24362] binder: BINDER_SET_CONTEXT_MGR already set [ 335.660791][T24344] binder: BINDER_SET_CONTEXT_MGR already set [ 335.692253][T24362] binder: 24347:24362 ioctl 40046207 0 returned -16 15:41:48 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:48 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1d00000000000000) [ 335.712203][T24344] binder: 24343:24344 ioctl 40046207 0 returned -16 [ 335.713675][T26837] binder: release 24343:24344 transaction 889 out, still active 15:41:48 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff00000000, 0x0) 15:41:48 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 335.779173][T26837] binder: unexpected work type, 4, not freed [ 335.803931][T26837] binder: send failed reply for transaction 889, target dead 15:41:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1b00000000000000) 15:41:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 335.850168][T26837] binder: undelivered transaction 892, process died. [ 335.930960][T24571] binder_alloc: binder_alloc_mmap_handler: 24564 20001000-20004000 already mapped failed -16 [ 335.941311][T24570] binder: BINDER_SET_CONTEXT_MGR already set [ 335.941343][T24570] binder: 24569:24570 ioctl 40046207 0 returned -16 [ 335.970653][T24567] binder: BINDER_SET_CONTEXT_MGR already set 15:41:48 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000) [ 336.025239][T24567] binder: 24564:24567 ioctl 40046207 0 returned -16 [ 336.056825][ T7767] binder: send failed reply for transaction 895 to 24564:24567 [ 336.064981][T24577] binder_transaction: 12 callbacks suppressed [ 336.064999][T24577] binder: 24564:24577 transaction failed 29189/-3, size 24-8 line 3147 [ 336.082049][ T7767] binder: undelivered transaction 898, process died. [ 336.105417][ T7767] binder_release_work: 18 callbacks suppressed [ 336.105424][ T7767] binder: undelivered TRANSACTION_ERROR: 29189 15:41:49 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 336.161068][ T7767] binder: undelivered TRANSACTION_ERROR: 29189 15:41:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:49 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x1e00000000000000) 15:41:49 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f00000000, 0x0) [ 336.329243][T24794] binder_alloc: binder_alloc_mmap_handler: 24771 20001000-20004000 already mapped failed -16 [ 336.370719][T24792] binder: BINDER_SET_CONTEXT_MGR already set [ 336.377118][T24792] binder: 24771:24792 ioctl 40046207 0 returned -16 15:41:49 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000) [ 336.412997][T24794] binder_alloc_new_buf_locked: 7 callbacks suppressed [ 336.413005][T24794] binder_alloc: 24771: binder_alloc_buf, no vma 15:41:49 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1c00000000000000) [ 336.462982][T26837] binder: release 24771:24792 transaction 902 out, still active [ 336.478585][T24794] binder: 24771:24794 transaction failed 29189/-3, size 24-8 line 3147 [ 336.499230][T26837] binder: unexpected work type, 4, not freed 15:41:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x18, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 336.517940][T26837] binder: send failed reply for transaction 902, target dead [ 336.553846][T26837] binder: undelivered transaction 905, process died. 15:41:49 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 336.602200][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 336.695185][T24817] binder: BINDER_SET_CONTEXT_MGR already set [ 336.731223][T24820] binder_alloc: 24815: binder_alloc_buf, no vma 15:41:49 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x2000000000000000) [ 336.757442][T26837] binder: release 24815:24817 transaction 908 out, still active [ 336.769438][T24817] binder: 24815:24817 ioctl 40046207 0 returned -16 [ 336.782144][T26837] binder: unexpected work type, 4, not freed [ 336.816279][T24820] binder: 24815:24820 transaction failed 29189/-3, size 24-8 line 3147 [ 336.827808][T26837] binder: send failed reply for transaction 908, target dead [ 336.853915][T26837] binder: undelivered transaction 911, process died. 15:41:49 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffffffffff000, 0x0) 15:41:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1800, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:49 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000) [ 336.888566][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:41:49 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1d00000000000000) [ 337.033096][T25037] binder: BINDER_SET_CONTEXT_MGR already set [ 337.113262][T25037] binder: 25036:25037 ioctl 40046207 0 returned -16 [ 337.120504][T26837] binder: send failed reply for transaction 914 to 25036:25037 [ 337.149133][T26837] binder: undelivered transaction 917, process died. 15:41:50 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x4000, 0x0) ioctl$TIOCMSET(r0, 0x5418, &(0x7f0000000080)=0xc2e7) clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) ioctl$VT_OPENQRY(r0, 0x5600, &(0x7f0000000040)) fremovexattr(r0, &(0x7f00000001c0)=@known='trusted.overlay.impure\x00') link(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='./file0\x00') mount(&(0x7f0000000140)=ANY=[], &(0x7f0000000200)='./file0\x00', &(0x7f0000000180)='udf\x00', 0x0, 0x0) ioctl$SG_GET_NUM_WAITING(r0, 0x227d, &(0x7f00000000c0)) 15:41:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 337.177757][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:41:50 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x8000000000) 15:41:50 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x2080140800000000) 15:41:50 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 337.341935][T25256] binder_alloc: 25253: binder_alloc_buf, no vma [ 337.409950][T25255] binder: BINDER_SET_CONTEXT_MGR already set [ 337.459275][T25255] binder: 25253:25255 ioctl 40046207 0 returned -16 [ 337.490513][T26837] binder: send failed reply for transaction 919 to 25253:25255 [ 337.499455][T25256] binder: 25253:25256 transaction failed 29189/-3, size 24-8 line 3147 15:41:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 337.518913][T26837] binder: undelivered transaction 922, process died. [ 337.536887][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 337.557218][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:41:50 executing program 1: r0 = fcntl$getown(0xffffffffffffffff, 0x9) ioprio_set$pid(0x2, r0, 0x800) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000000)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x40000000000, 0x0) 15:41:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x1e00000000000000) [ 337.668383][T25477] binder: BINDER_SET_CONTEXT_MGR already set [ 337.697290][T25477] binder: 25475:25477 ioctl 40046207 0 returned -16 15:41:50 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000) 15:41:50 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 337.717965][T26837] binder: release 25475:25477 transaction 925 out, still active [ 337.726582][T25479] binder_alloc: 25475: binder_alloc_buf, no vma [ 337.735488][T26837] binder: unexpected work type, 4, not freed 15:41:50 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x8000000000) [ 337.785677][T25479] binder: 25475:25479 transaction failed 29189/-3, size 24-8 line 3147 [ 337.798971][T26837] binder: send failed reply for transaction 925, target dead 15:41:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x18000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 337.842144][T26837] binder: undelivered transaction 928, process died. [ 337.879534][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:41:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x4000000000000000) [ 338.020211][T25572] binder_alloc_mmap_handler: 4 callbacks suppressed [ 338.020229][T25572] binder_alloc: binder_alloc_mmap_handler: 25540 20001000-20004000 already mapped failed -16 [ 338.049296][T25558] binder: BINDER_SET_CONTEXT_MGR already set 15:41:51 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:51 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socket$can_bcm(0x1d, 0x2, 0x2) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b6409866fe42f5640253a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 338.106477][T26837] binder: release 25540:25558 transaction 931 out, still active [ 338.115189][T25558] binder: 25540:25558 ioctl 40046207 0 returned -16 [ 338.134501][T26837] binder: unexpected work type, 4, not freed [ 338.140613][T26837] binder: send failed reply for transaction 931, target dead 15:41:51 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfdfdffff, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 338.229763][T26837] binder: undelivered transaction 934, process died. [ 338.257614][T25615] ceph: device name is missing path (no : separator in [d †oä/V@%:) 15:41:51 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x4000000000000000) [ 338.356759][T25641] binder_alloc: binder_alloc_mmap_handler: 25626 20001000-20004000 already mapped failed -16 [ 338.376454][T25638] binder: BINDER_SET_CONTEXT_MGR already set [ 338.384129][T25638] binder: 25626:25638 ioctl 40046207 0 returned -16 [ 338.384365][T25641] binder_alloc: 25626: binder_alloc_buf, no vma 15:41:51 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x6018230000000000) [ 338.417839][T25641] binder: 25626:25641 transaction failed 29189/-3, size 24-8 line 3147 15:41:51 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000) 15:41:51 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:51 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b003a3adcad2f6c6c623200313493d101cdec5e8481c86a8826e9e68833ec6923cd3772a806d042770859080000000000000032e89cde05b46a4abfdc3f0a33e45061d02628fb436987a45d51112c550fca0facf46e941f31cfe03a326203ddbd0910e0095fc5140264c5420b32e89513a37061f2dc0fad01d874dc349dd25b5376ca8545ac11bf045136155e43957a80cf760a1c872c573961234b04f2d8debb95eeb289f6479803d30feb04af1539c7d677d14f30"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 338.499266][T25638] binder_alloc: 25626: binder_alloc_buf, no vma [ 338.521567][ T17] binder: release 25626:25638 transaction 936 out, still active [ 338.530538][T25638] binder: 25626:25638 transaction failed 29189/-3, size 24-0 line 3147 [ 338.552408][ T17] binder: unexpected work type, 4, not freed [ 338.564260][ T17] binder_release_work: 21 callbacks suppressed [ 338.564265][ T17] binder: undelivered TRANSACTION_COMPLETE 15:41:51 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfffffdfd, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 338.638724][ T17] binder: undelivered TRANSACTION_COMPLETE [ 338.639061][T25740] ceph: device name is missing path (no : separator in [) [ 338.672681][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 338.680103][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 338.699837][ T17] binder: send failed reply for transaction 936, target dead [ 338.710200][ T17] binder: undelivered transaction 939, process died. [ 338.768865][T25832] binder_alloc: binder_alloc_mmap_handler: 25780 20001000-20004000 already mapped failed -16 15:41:51 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x6300000000000000) [ 338.813857][T25793] binder: BINDER_SET_CONTEXT_MGR already set 15:41:51 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x500c140800000000) 15:41:51 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x10060004, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) syz_open_dev$dmmidi(&(0x7f00000000c0)='/dev/dmmidi#\x00', 0x0, 0x2104) mount(&(0x7f0000000180)=ANY=[@ANYBLOB="4c1d4c"], &(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xc0004, 0x0) [ 338.866168][T25793] binder: 25780:25793 ioctl 40046207 0 returned -16 [ 338.873645][ T2597] binder: send failed reply for transaction 943 to 25780:25793 [ 338.881290][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 338.898872][T25849] binder: 25780:25849 transaction failed 29189/-22, size 24-8 line 2994 15:41:51 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0) [ 338.932046][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:41:51 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x100000000000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:52 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000) 15:41:52 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b643a3a5d52562577e90b34"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:52 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 339.143112][T26068] binder_alloc: binder_alloc_mmap_handler: 26066 20001000-20004000 already mapped failed -16 [ 339.227691][T26074] ceph: device name is missing path (no : separator in [d::]RV%wé 4) [ 339.246232][T26067] binder: BINDER_SET_CONTEXT_MGR already set 15:41:52 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x8004000000000000) 15:41:52 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x6018230000000000) [ 339.278106][T26067] binder: 26066:26067 ioctl 40046207 0 returned -16 [ 339.322795][ T5] binder: send failed reply for transaction 949 to 26066:26067 [ 339.324771][T26081] binder: 26066:26081 transaction failed 29189/-22, size 24-8 line 2994 [ 339.339147][ T5] binder: undelivered TRANSACTION_COMPLETE [ 339.367393][ T5] binder: undelivered TRANSACTION_COMPLETE 15:41:52 executing program 1: r0 = shmget(0x1, 0xd000, 0x800, &(0x7f0000ff0000/0xd000)=nil) shmctl$IPC_STAT(r0, 0x2, &(0x7f0000000140)=""/175) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x80000, 0x0) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffff9c, 0x84, 0x75, &(0x7f0000000080)={0x0, 0x3}, &(0x7f00000000c0)=0x8) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f0000000240)={r2, 0xb1c6, 0x20, 0x7}, &(0x7f0000000280)=0x10) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d:2]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x200000000000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 339.524979][T26190] libceph: resolve 'd' (ret=-3): failed [ 339.548679][T26190] libceph: parse_ips bad ip '[d:2]' 15:41:52 executing program 4: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:52 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 339.654829][T26241] binder_alloc: binder_alloc_mmap_handler: 26209 20001000-20004000 already mapped failed -16 [ 339.699642][T26225] binder: BINDER_SET_CONTEXT_MGR already set [ 339.720506][T26225] binder: 26209:26225 ioctl 40046207 0 returned -16 [ 339.740482][T26306] binder_alloc: 26209: binder_alloc_buf, no vma 15:41:52 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x6300000000000000) 15:41:52 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000000)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c1c0054bdddaffe"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = shmget(0x0, 0x1000, 0x2, &(0x7f0000ffd000/0x1000)=nil) shmctl$SHM_STAT(r0, 0xd, &(0x7f0000000040)=""/78) r1 = syz_open_dev$admmidi(&(0x7f00000000c0)='/dev/admmidi#\x00', 0x8, 0x185000) ioctl$SG_SET_RESERVED_SIZE(r1, 0x2275, &(0x7f0000000140)=0x8) [ 339.750823][T26306] binder: 26209:26306 transaction failed 29189/-3, size 24-8 line 3147 [ 339.771200][T26225] binder_alloc: 26209: binder_alloc_buf, no vma [ 339.844392][ T2597] binder: send failed reply for transaction 955 to 26209:26225 15:41:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1800000000000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:52 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 339.889151][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 339.903485][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:41:52 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xe803000000000000) 15:41:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 339.972943][T26343] binder_alloc: binder_alloc_mmap_handler: 26319 20001000-20004000 already mapped failed -16 [ 340.001222][T26331] binder: BINDER_SET_CONTEXT_MGR already set [ 340.010656][T26331] binder: 26319:26331 ioctl 40046207 0 returned -16 [ 340.057276][ T5] binder: release 26319:26331 transaction 962 out, still active [ 340.065699][T26343] binder_alloc: 26319: binder_alloc_buf, no vma [ 340.079364][T26395] binder: BINDER_SET_CONTEXT_MGR already set [ 340.080757][ T5] binder: unexpected work type, 4, not freed [ 340.094379][T26395] binder: 26391:26395 ioctl 40046207 0 returned -16 15:41:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 340.125959][ T5] binder: undelivered TRANSACTION_COMPLETE [ 340.133910][T26395] binder_alloc: 26319: binder_alloc_buf, no vma [ 340.147871][ T5] binder: undelivered TRANSACTION_COMPLETE 15:41:53 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 340.192795][ T5] binder: send failed reply for transaction 962, target dead 15:41:53 executing program 4 (fault-call:5 fault-nth:0): r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:53 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2) ioctl$TUNSETNOCSUM(r0, 0x400454c8, 0x1) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:53 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x6504460800000000) [ 340.295365][T26439] binder_alloc: binder_alloc_mmap_handler: 26434 20001000-20004000 already mapped failed -16 [ 340.364422][T26436] binder: BINDER_SET_CONTEXT_MGR already set [ 340.379981][T26436] binder: 26434:26436 ioctl 40046207 0 returned -16 [ 340.387313][T26450] binder: BINDER_SET_CONTEXT_MGR already set [ 340.398764][T26450] binder: 26448:26450 ioctl 40046207 0 returned -16 [ 340.410441][ T17] binder: release 26434:26436 transaction 969 out, still active 15:41:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 340.435486][ T17] binder: unexpected work type, 4, not freed [ 340.469625][ T17] binder: send failed reply for transaction 969, target dead [ 340.503920][ T17] binder_cleanup_transaction: 4 callbacks suppressed [ 340.503928][ T17] binder: undelivered transaction 972, process died. [ 340.554401][T26548] binder_alloc: binder_alloc_mmap_handler: 26541 20001000-20004000 already mapped failed -16 [ 340.584040][T26545] binder: BINDER_SET_CONTEXT_MGR already set 15:41:53 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:53 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0xffffffff00000000) [ 340.601531][ T2597] binder: release 26541:26545 transaction 975 out, still active [ 340.613961][T26545] binder: 26541:26545 ioctl 40046207 0 returned -16 [ 340.638279][ T2597] binder: unexpected work type, 4, not freed 15:41:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 340.668111][ T2597] binder: send failed reply for transaction 975, target dead 15:41:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x18, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 340.719133][ T2597] binder: undelivered transaction 978, process died. 15:41:53 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@sr0='/dev/sr0\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000000000000, 0x0) [ 340.781621][T26674] binder: 26670:26674 got new transaction with bad transaction stack, transaction 981 has target 26670:0 [ 340.838331][T26677] binder: BINDER_SET_CONTEXT_MGR already set [ 340.877901][T26677] binder: 26676:26677 ioctl 40046207 0 returned -16 15:41:53 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x8004000000000000) [ 340.888744][T26681] ceph: device name is missing path (no : separator in /dev/sr0) [ 340.906922][ T2597] binder: release 26670:26674 transaction 981 out, still active [ 340.924498][T26688] binder_alloc: binder_alloc_mmap_handler: 26676 20001000-20004000 already mapped failed -16 15:41:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 340.957053][T26677] binder: BINDER_SET_CONTEXT_MGR already set [ 340.987860][T26677] binder: 26676:26677 ioctl 40046207 0 returned -16 [ 340.988216][ T2597] binder: send failed reply for transaction 981, target dead [ 341.006668][ T2597] binder: send failed reply for transaction 983 to 26676:26688 [ 341.040271][ T2597] binder: undelivered transaction 986, process died. 15:41:54 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:54 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) socket$kcm(0x29, 0x5, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000140)={0x0, 0x4}, &(0x7f00000002c0)=0x8) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000300)={r4}, &(0x7f0000000340)=0x8) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000000040)=@sack_info={0x0, 0x8, 0x7}, &(0x7f0000000080)=0xc) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f00000000c0)={r5, 0x69, 0x100}, 0x8) 15:41:54 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff) ioctl$KDSIGACCEPT(r0, 0x4b4e, 0x21) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="1629c81f2193a8b127d1bb2c"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 341.074388][T26792] binder: 26770:26792 ioctl 2 200002c0 returned -22 15:41:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1800, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 341.224547][T26857] binder: BINDER_SET_CONTEXT_MGR already set [ 341.230586][T26857] binder: 26830:26857 ioctl 40046207 0 returned -16 [ 341.253967][T26860] ceph: device name is missing path (no : separator in )È!“¨±'Ñ»,) 15:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xa01e0489fe7e0000) [ 341.291419][T26928] binder_alloc: binder_alloc_mmap_handler: 26830 20001000-20004000 already mapped failed -16 [ 341.310472][T26857] binder: BINDER_SET_CONTEXT_MGR already set [ 341.328112][T26857] binder: 26830:26857 ioctl 40046207 0 returned -16 15:41:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x541b, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 341.375776][ T7807] binder: send failed reply for transaction 989 to 26770:26792 [ 341.392750][T27022] binder_transaction: 7 callbacks suppressed [ 341.392768][T27022] binder: 26830:27022 transaction failed 29189/-22, size 24-0 line 2994 [ 341.404784][T26928] binder: 26830:26928 transaction failed 29189/-22, size 24-8 line 2994 [ 341.412527][ T7807] binder: send failed reply for transaction 990 to 26830:26928 15:41:54 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0) 15:41:54 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000000240)={{{@in6=@mcast2, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@broadcast}}, &(0x7f0000000080)=0xe8) r1 = getgid() r2 = syz_open_dev$vbi(&(0x7f00000000c0)='/dev/vbi#\x00', 0x3, 0x2) getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f00000006c0)={{{@in6=@empty, @in6=@ipv4={[], [], @remote}}}, {{@in=@loopback}, 0x0, @in=@broadcast}}, &(0x7f0000000380)=0xe8) r3 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-vsock\x00', 0x2, 0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) bind$netlink(r4, &(0x7f0000000040)={0x10, 0x0, 0x0, 0x2200080}, 0xc) syz_open_dev$amidi(&(0x7f0000000180)='/dev/amidi#\x00', 0x0, 0x400000) syz_open_dev$swradio(&(0x7f0000000400)='/dev/swradio#\x00', 0x0, 0x2) ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, 0x0) ioctl$KVM_SIGNAL_MSI(0xffffffffffffffff, 0x4020aea5, &(0x7f0000000140)={0x0, 0x2000, 0x4, 0x9, 0xffffffff}) r5 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getresuid(0x0, 0x0, &(0x7f00000001c0)) fgetxattr(r5, &(0x7f0000000440)=ANY=[@ANYBLOB="b1df7259834b5d12801887fc823552a3794f1675cc87c298e50fc4bf124c1008cb983054769f61390c825abd6a09cde6a725ad7d43e5f5d2482ecaa2302ad989e62d13f7af6ebd01fc10cfcd747e51bc2056d6e2c6fc149a5a04013584f57a8829d7701a3761e07528ae4f9a0de790e5c57420a68f56eaa08805b5b6c19dff0e2ee89dc6a9eca45c8d3d5b08effb4eeb98000b6565c15c5ce5e3bf7af7ab01b1d84f7f52e6c0a7217645bc6837399d68e9e60e73f54a2f776b26f67671592e1b9866dca2525c12ae36028c546bb70bd93f4dccc62f83a338d8765a89d700c34d2e67b3f772672a320aed13f5a4f6518d4c1048d94b436bfdca85cd57ae32f317ba40eedcabe894ffe9f994436fe10e7ed4617384ca2d329a622ffb0ddddbfdad628d7ffa4c559de9f2ef58f5f925f9e1884ff25b53890f11fd3b309fb7747674b25b0512f46176ffcdea1afda8f862c27e9deaf5c5fc46546bca842e6713ec48c6cbc7a9164ee39ad14d71251533672e5bed00000000000000000000"], 0x0, 0x0) ioctl$sock_inet_SIOCSIFNETMASK(0xffffffffffffffff, 0x891c, 0x0) ioctl$VIDIOC_S_STD(0xffffffffffffffff, 0x40085618, 0x0) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000200)='/proc/self/net/pfkey\x00', 0x10800, 0x0) unshare(0x40000000) getsockname$netlink(r4, 0x0, &(0x7f0000000080)) ioctl$VHOST_SET_FEATURES(r3, 0x4008af00, &(0x7f0000000080)=0xbfffffd) lchown(&(0x7f0000000000)='./file0\x00', r0, r1) clone(0x8000000002000fe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f00000005c0)=ANY=[@ANYBLOB="5b64a52aee26213a5d0000004e552769ee2841cebd859def66aa15059c8209b4b615ea41af88621036ba45b31217711e333c54ef582ae61b0c6cfbf751c22ae8afdfcc52fdc1cbb15341beae741c9a31daa1fd9b9943b372b0e024f087f7dd57aa882c1807a9b76f5f33625b8e1ce61055d200709691807f8cee7f0ba49fd359f64dd241e41930270e4adf34aed91cbd111f6f96db3548bb187a767cd48260991f9bd6f094fb35a4243e074b110f45bebdde0aeb390bc4c2f87c21913e3dee701b150000008a11853749dc7f12089e65ce64e055ec"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 341.479959][T27026] binder: 27025:27026 ioctl 541b 200002c0 returned -22 [ 341.487833][ T7807] binder: undelivered transaction 993, process died. [ 341.532608][ T7807] binder_release_work: 14 callbacks suppressed [ 341.532615][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 341.559699][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 341.581687][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 15:41:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 341.607964][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 15:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xde394ee1e07f0000) 15:41:54 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0) [ 341.755361][T27172] binder: BINDER_SET_CONTEXT_MGR already set 15:41:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x5421, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 341.805034][T27172] binder: 27165:27172 ioctl 40046207 0 returned -16 [ 341.841339][ T2597] binder: send failed reply for transaction 997 to 27025:27026 15:41:54 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0) [ 341.889051][T27190] binder: 27165:27190 transaction failed 29189/-22, size 24-0 line 2994 [ 341.897188][T27033] IPVS: ftp: loaded support on port[0] = 21 [ 341.902824][ T2597] binder: send failed reply for transaction 998 to 27165:27190 [ 341.911333][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:41:54 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) getresgid(&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r2, 0x402c5342, &(0x7f0000000000)={0xb56, 0xfffffffffffffff9, 0x1, {0x0, 0x989680}, 0x2, 0x6}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$VIDIOC_TRY_EXT_CTRLS(r2, 0xc0185649, &(0x7f00000002c0)={0x9c0000, 0x4, 0x80000001, [], &(0x7f0000000140)={0x990964, 0x3, [], @p_u8=&(0x7f0000000080)=0x8}}) [ 341.987121][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 341.997616][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xe0ffffffffffffff) 15:41:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 342.029591][ T2597] binder: release 27165:27190 transaction 1004 out, still active [ 342.061484][ T2597] binder: unexpected work type, 4, not freed 15:41:55 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x5450, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 342.153100][ T2597] binder: send failed reply for transaction 1003 to 27233:27235 [ 342.194543][T27364] binder: BINDER_SET_CONTEXT_MGR already set [ 342.200583][T27364] binder: 27362:27364 ioctl 40046207 0 returned -16 [ 342.209990][ T2597] binder: send failed reply for transaction 1004, target dead [ 342.242082][T27373] binder: BINDER_SET_CONTEXT_MGR already set [ 342.271450][T27373] binder: 27372:27373 ioctl 40046207 0 returned -16 [ 342.272655][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 342.297113][ T2597] binder: send failed reply for transaction 1008 to 27362:27364 [ 342.306916][ T2597] binder: undelivered transaction 1011, process died. [ 342.313932][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:41:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x18000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 342.472798][T27459] binder: BINDER_SET_CONTEXT_MGR already set [ 342.478843][T27459] binder: 27456:27459 ioctl 40046207 0 returned -16 [ 342.526185][T27477] binder_alloc_new_buf_locked: 2 callbacks suppressed [ 342.526194][T27477] binder_alloc: 27456: binder_alloc_buf, no vma [ 342.545009][T27477] binder: 27456:27477 transaction failed 29189/-3, size 24-8 line 3147 [ 342.555168][ T2597] binder: release 27456:27459 transaction 1013 out, still active [ 342.567069][ T2597] binder: unexpected work type, 4, not freed [ 342.582567][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 342.588821][ T2597] binder: send failed reply for transaction 1013, target dead [ 342.602216][ T2597] binder: undelivered transaction 1016, process died. 15:41:55 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) lsetxattr$trusted_overlay_upper(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='trusted.overlay.upper\x00', &(0x7f0000000240)={0x0, 0xfb, 0xd8, 0x1, 0x100000000, "2a8062c3be187f7b072b329c7f8ace96", "1c54e814f27ef1b8de54ecb2ef4ee3ec5cc35e36b76a3e35366526e61f82215e8ba8f52b8a3361e02ce5487949ab4e3a758a38ed18200886b78956d10b2a67dab649fc6c640d0aa9d919fe3e6727cafb5882625e911336cfd0fc888a3b7c7984dd62c2d069f0161e0088c913d4bba768640de06c810b7c5405e934640b6374d032cdba3a9caa6a49e9119fb0b2c90e893dc9759b453d4632e17ac07dcfec69424e18e10faceedfe492707024af06619452215a4df3d159e62f23def283f73ebabc833a"}, 0xd8, 0x2) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:55 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xe803000000000000) 15:41:55 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xf9', 0x0, 0x0) 15:41:55 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:41:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x5452, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfdfdffff, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 342.772856][T27495] binder: BINDER_SET_CONTEXT_MGR already set [ 342.778908][T27495] binder: 27494:27495 ioctl 40046207 0 returned -16 15:41:55 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x7f', 0x0, 0x0) [ 342.826092][T27495] binder: BINDER_SET_CONTEXT_MGR already set [ 342.840865][ T7767] binder: release 27494:27495 transaction 1020 out, still active 15:41:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x5460, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 342.876462][T27495] binder: 27494:27495 ioctl 40046207 0 returned -16 [ 342.932805][ T7767] binder: unexpected work type, 4, not freed [ 342.953397][ T7767] binder: send failed reply for transaction 1019 to 27489:27492 15:41:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfffffdfd, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 342.987945][ T7767] binder: send failed reply for transaction 1020, target dead [ 343.011503][ T7767] binder: undelivered transaction 1023, process died. [ 343.026731][ T7767] binder: send failed reply for transaction 1024 to 27494:27540 15:41:56 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x8c', 0x0, 0x0) [ 343.082866][T27651] binder: BINDER_SET_CONTEXT_MGR already set [ 343.107713][T27651] binder: 27646:27651 ioctl 40046207 0 returned -16 15:41:56 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getgroups(0x4, &(0x7f0000000000)=[0xffffffffffffffff, 0x0, 0xee01, 0x0]) fchownat(0xffffffffffffffff, 0x0, 0x0, r2, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0x4, 0x8000) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:41:56 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xf020120800000000) [ 343.156382][T27748] binder_alloc_mmap_handler: 4 callbacks suppressed [ 343.156399][T27748] binder_alloc: binder_alloc_mmap_handler: 27646 20001000-20004000 already mapped failed -16 [ 343.208167][ T7752] binder: release 27614:27615 transaction 1028 out, still active [ 343.238103][T27651] binder: BINDER_SET_CONTEXT_MGR already set [ 343.282039][T27651] binder: 27646:27651 ioctl 40046207 0 returned -16 [ 343.282635][ T7752] binder: send failed reply for transaction 1028, target dead [ 343.299239][T27827] binder: 27646:27827 transaction failed 29189/-22, size 24-8 line 2994 [ 343.317588][ T7752] binder: send failed reply for transaction 1029 to 27646:27651 15:41:56 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0xca7f74cdf2ec47f0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:56 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xf6', 0x0, 0x0) 15:41:56 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x100000000000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 343.331599][ T7752] binder: undelivered transaction 1032, process died. 15:41:56 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xfe', 0x0, 0x0) [ 343.448309][T27847] binder: BINDER_SET_CONTEXT_MGR already set [ 343.477006][T27847] binder: 27840:27847 ioctl 40046207 0 returned -16 [ 343.509053][T27909] binder_alloc: binder_alloc_mmap_handler: 27840 20001000-20004000 already mapped failed -16 [ 343.555897][T27847] binder: BINDER_SET_CONTEXT_MGR already set [ 343.580967][T27847] binder: 27840:27847 ioctl 40046207 0 returned -16 [ 343.597381][ T7752] binder: undelivered transaction 1039, process died. 15:41:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x40046207, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:56 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='cephR', 0x0, 0x0) [ 343.605671][ T7752] binder_release_work: 25 callbacks suppressed [ 343.605676][ T7752] binder: undelivered TRANSACTION_COMPLETE [ 343.619317][T27951] binder: 27840:27951 transaction failed 29189/-22, size 24-8 line 2994 [ 343.639628][T27909] binder: 27840:27909 transaction failed 29189/-22, size 24-0 line 2994 [ 343.701468][ T7752] binder: undelivered TRANSACTION_COMPLETE [ 343.724372][T27958] binder: BINDER_SET_CONTEXT_MGR already set [ 343.741448][ T7752] binder: undelivered TRANSACTION_COMPLETE 15:41:56 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x200000000000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 343.752845][T27958] binder: 27956:27958 ioctl 40046207 200002c0 returned -16 15:41:56 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$VIDIOC_S_PRIORITY(r2, 0x40045644, 0x3) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$PPPIOCGFLAGS1(r2, 0x8004745a, &(0x7f0000000000)) 15:41:56 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\"', 0x0, 0x0) 15:41:56 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xffffffff00000000) 15:41:56 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x3, 0x400) connect(r0, &(0x7f0000000080)=@ipx={0x4, 0x3, 0x4, "b3fb0089448e", 0x7}, 0x80) clone(0x800, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[dN:]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 343.883504][T28108] binder: BINDER_SET_CONTEXT_MGR already set [ 343.918771][T28108] binder: 28093:28108 ioctl 40046207 0 returned -16 15:41:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 343.985708][T28181] binder_alloc: binder_alloc_mmap_handler: 28093 20001000-20004000 already mapped failed -16 [ 344.022818][ T17] binder: undelivered transaction 1047, process died. [ 344.043714][ T17] binder: undelivered TRANSACTION_COMPLETE 15:41:57 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 344.085744][T28186] libceph: resolve 'dN' (ret=-3): failed [ 344.091436][T28186] libceph: parse_ips bad ip '[dN:]' [ 344.111054][T28108] binder_alloc: 28093: binder_alloc_buf, no vma [ 344.141147][T28108] binder: 28093:28108 transaction failed 29189/-3, size 24-8 line 3147 [ 344.160204][T28191] binder: BINDER_SET_CONTEXT_MGR already set [ 344.193427][T28191] binder: 28190:28191 ioctl 40046207 0 returned -16 [ 344.200266][ T7767] binder: undelivered TRANSACTION_COMPLETE [ 344.206948][T28181] binder_alloc: 28093: binder_alloc_buf, no vma [ 344.213361][ T7767] binder: undelivered TRANSACTION_COMPLETE [ 344.235856][T28181] binder: 28093:28181 transaction failed 29189/-3, size 24-0 line 3147 15:41:57 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0xffffffffffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:41:57 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1800000000000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:57 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x80000000, 0x4000) write$P9_ROPEN(r0, &(0x7f0000000080)={0x18, 0x71, 0x1, {{0x40, 0x3, 0x7}, 0x2}}, 0x18) 15:41:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x40049409, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:57 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 344.424623][T28409] binder_alloc: binder_alloc_mmap_handler: 28407 20001000-20004000 already mapped failed -16 [ 344.511090][T28419] binder: BINDER_SET_CONTEXT_MGR already set 15:41:57 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0xffffffffffffffe0) [ 344.557770][T28419] binder: 28418:28419 ioctl 40046207 0 returned -16 [ 344.557910][T28408] binder: BINDER_SET_CONTEXT_MGR already set 15:41:57 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$RTC_PLL_GET(r2, 0x801c7011, &(0x7f0000000000)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 344.603800][ T7767] binder: release 28407:28408 transaction 1052 out, still active [ 344.614205][T28433] binder_alloc: 28407: binder_alloc_buf, no vma [ 344.630582][ T7767] binder: unexpected work type, 4, not freed [ 344.652525][T28408] binder: 28407:28408 ioctl 40046207 0 returned -16 [ 344.656080][T28433] binder: 28407:28433 transaction failed 29189/-3, size 24-8 line 3147 [ 344.675500][ T7767] binder: undelivered TRANSACTION_COMPLETE 15:41:57 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x2000, 0x0) ioctl$RTC_ALM_READ(r0, 0x80247008, &(0x7f0000000080)) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 344.705217][ T7767] binder: undelivered TRANSACTION_COMPLETE [ 344.733587][ T7767] binder: send failed reply for transaction 1052, target dead 15:41:57 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x4018620d, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:57 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfdfdffff00000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 344.884978][T28639] binder: BINDER_SET_CONTEXT_MGR already set [ 344.914174][T28643] binder: BINDER_SET_CONTEXT_MGR already set [ 344.920942][T28639] binder: 28636:28639 ioctl 4018620d 200002c0 returned -16 15:41:57 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) getresuid(&(0x7f0000000140), &(0x7f00000002c0), &(0x7f0000000300)=0x0) getresgid(&(0x7f0000000340), &(0x7f0000000380)=0x0, &(0x7f00000003c0)) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='fuse\x00', 0x0, &(0x7f0000000400)={{'fd', 0x3d, r2}, 0x2c, {'rootmode', 0x3d, 0x1000}, 0x2c, {'user_id', 0x3d, r4}, 0x2c, {'group_id', 0x3d, r5}, 0x2c, {[{@default_permissions='default_permissions'}, {@blksize={'blksize', 0x3d, 0x1c00}}, {@default_permissions='default_permissions'}, {@max_read={'max_read', 0x3d, 0x5}}, {@max_read={'max_read', 0x3d, 0x539a}}], [{@smackfstransmute={'smackfstransmute', 0x3d, '/dev/kvm\x00'}}]}}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 344.934985][T28643] binder: 28638:28643 ioctl 40046207 0 returned -16 [ 344.975131][T28662] binder_alloc: binder_alloc_mmap_handler: 28638 20001000-20004000 already mapped failed -16 [ 345.023656][T28643] binder: BINDER_SET_CONTEXT_MGR already set 15:41:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x4020940d, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:58 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KDGKBMODE(r2, 0x4b44, &(0x7f0000000000)) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 345.075519][T28643] binder: 28638:28643 ioctl 40046207 0 returned -16 [ 345.094415][ T5] binder: undelivered TRANSACTION_COMPLETE 15:41:58 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0) [ 345.151759][ T5] binder: undelivered TRANSACTION_COMPLETE 15:41:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x300, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:58 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000100)=ANY=[@ANYBLOB="2f6465762f6e62643000d4bae0daeda51e652a5880551bc2698ec487c262e82ac02c962d57357f5a84332de5b9225371fd32d9d8599d2c09fbbf57e8012d7e2d51dcd2d3cf3dba7725424c5857452e3af2babb68981bd5810eb66086cea2e2d412"], &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='mynix\x00', 0xfffffffffffffff9, 0x0) [ 345.298092][T28905] binder: BINDER_SET_CONTEXT_MGR already set [ 345.327923][T28905] binder: 28901:28905 ioctl 40046207 0 returned -16 15:41:58 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 345.360595][T28959] binder: 28901:28959 got new transaction with bad transaction stack, transaction 1069 has target 28862:0 15:41:58 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x200, 0x0, 0x0, 0x8, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:41:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x402c5828, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 345.531775][T28959] binder_alloc: binder_alloc_mmap_handler: 28901 20001000-20004000 already mapped failed -16 15:41:58 executing program 1: mkdir(&(0x7f0000000180)='./file0/file0\x00', 0x20) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) write$P9_RRENAMEAT(r0, &(0x7f0000000080)={0x7, 0x4b, 0x1}, 0x7) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 345.616291][T29144] binder: BINDER_SET_CONTEXT_MGR already set 15:41:58 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x4400, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f00000002c0)={{{@in=@multicast1, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@initdev}, 0x0, @in=@initdev}}, &(0x7f0000000040)=0xe8) ioctl$TUNSETIFINDEX(r1, 0x400454da, &(0x7f0000000080)=r2) openat$dsp(0xffffffffffffff9c, 0x0, 0x42000, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 345.691218][T29144] binder: 28901:29144 ioctl 40046207 0 returned -16 [ 345.691245][ T5] binder: release 28901:28905 transaction 1075 out, still active [ 345.691265][ T5] binder: unexpected work type, 4, not freed 15:41:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0x402c582a, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:58 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000000)='/dev/kvm\x00') r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_GET_DEVICE_ATTR(r2, 0x4018aee2, &(0x7f0000000140)={0x0, 0x10000, 0x4c, &(0x7f0000000080)=0xc1cb}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) setsockopt$inet_dccp_buf(r2, 0x21, 0xc, &(0x7f00000002c0)="6f93a1095cbfe350f8511788b32746390acb9229a67c36fda6adb097e1e92fa2be47611e1a5ff5cd215d49d57c4ae13e7167c2b3b9ae2d7687be6fb8500f6ff57922658c1d25ddef610aa00fd6a94fc147e36b610f0047406ff7680a94df89005c5dadd74826a8295111d67707cca7098f5326855c66b9d5827f4da56b6beac5273fbe95c2423c614bb5b94ea0b5e7aa2334f9978770602022610c895eafe9f3f032eb7cd6e13c27464be96da4eead6e0b6ccf9ebf96e7518314c2337584a1cb9af04771bbfb17f8a347e8400173aa43c108de6b06c6928318d967df994ad8b2d59a2abd7003a387b9e7aba8cee522f5caa9683d10af1e4d88390512cfd8c2434d35d6858da1f19d7c6b636d15c74bb9c0b1b5cd8c5c84a8146276001ea3317e9cd7f155eb7f28cc501618eb12db69094cea1c08b9f5e80b4ecea71f05c194ceb642144d5d1b6b1a84f39c5127b1c3d232bfbde7e115e5ab3840a22b0e11f15ea56fad9db86c481424608164dcdbd0919f585c6b8c44a60c9385073406768fa4c13cdd2a7978d340e28e12ba607dda3496006f309e216e6755ce5473c266f37dc9c61dea4a8ac1ac97d712822b97138f75b5cf2e90de33184a95b945e34ed5bda694bb36d7bf8cf613f041c841bd7a99840b8c2814826a977dd38882cc8a6d7b054f022a2f2111af357793f11f4df2b282de55e0f426243c281db2c092bf9a69f8ea6acfda3561fee2634f7639f10520aa3af60a1e055f79c16861fb5057c0d3d0c35980f71c252ecfa8548d56af6d88279b28dfcdafbe3943ed9d00ac08f177ff9ce851e5ef3c3301e75f23f1001983368c8afe3ab423029093c1253536323266d4c91aa6c466ddfc50c95653554bfb293899541aee6aefc1d4f7624d0c7e8fd9007676ca8211c869dd5b847fe8b5000b84f096d9a7ef5aff524762cad0735457fc8c8d567b10d071f5de2a1c11283b6134272cea91ca31a4ffe1a761b59770ed238d18553808842a200dc1128b586511cc1a179d91950f756195ac342b82a1d842a14e6b50e4b54d36212937b33491b0fee7899a904134114100f1a00941e3e46d5b2bc1314d6a88128a56af402ea6d5c7892965c187e412a497c4fbdabc9f10f2abb20636fe03c0aaa8636efb9b81dcaf2e60468aa03d073787eed82f624222525999e370377820ef956be5cffebb2168daf901043dc46d07f92efbb34467b90d1217a02b519f6df300d7ec80f0f2e41ba155772a6c7a3f7250e7f984d3e8d31a8d84d342baba05dabf093db716ca79f609306cb28e5f9711fd604613b66b431fd14db245c1734e9ca36e148da2a51414e36ea23b2649101421ec3c0d6fceab0fd2e09932a5ee912564be83314637c84a8e1a5cfb459b0a32551337a12f1aa1eef7939070d1779e881cf62a0e5f19a247733f6fd9b73984a1a9e3902b31fe57cde931145c3dd80b23c32c88b499b699b49beb0af54a980041576ea485fdd43a91fe61e9f2b79bd5536dd882757341ab9c1bc03470ce7bd6492c75eedc76a0d1ded95d815839d6b49b28a73bcae1e42177324ebf07ac6095d3af282b8038f7a68b38b42f62021f27bc7d331f01d3efa2af18301d00a51207cfee512eac54c1b53d9b99729c593c239400a697660cfa84fbfa5a34927cfea7a2da6c122f2e15676247ef1fa8e69047f634ee615f97edf8cd1e0b02d54752060fc1d9a546c0097add2f8a3209192399d96b7442870999064463ecce032167c38987b1cb01c020373ec1589d6ec3ae7965b7d4fbeca23a9e9285d13a7fcbd0cae5eae6c69d63b7152fd4cabb80a9292f62cbc6f5b86692337ffad3c2df8de1d8edca25e1202486d926ccf024127974b90e0369f9fdea0fa154a89cf27e022dfc6a00a10304174c844dea861118251bb2f8736428236d269fb86874edc28c4a17b58cc9b17daec6527ca3f47f0d72347220295f6959260dbf30b59e75b64614c3be81780ddca1e3e24e611e671b0366bdb0325d4cc92e3070e49de22313da6074ab83d8d6f9a92e4cdd95ddcb6c0a9ced3d0ebf3b11ea507e415c48f35c6d5397412430a1a5c751fa0ae5be375374b54607e6ae5a9539a4241b33a6b59f835995eac165f81570dcb493c8372f89bd27418392c568e1cc3a16416e2d0a2bce5bc076c5fde8b258e5596fe03716fcf3196d6e53ff74694377cbf99d7706e2caba3d504f07d3648711a1065f930667cd1f063cab4d572857edd1674129ec69ae83a60e213a0b29188cfd98e7390cc3f6a0b518602ab0621db994f88d5a5fc851aabc5bdb038f5a21c5f488e97cd02b9b976edbe1147e4a33477bed67ade9c9a57276ca8ecee4672e609ebd919e912d511b68309704ee811d4c80fd0e968e3597dab0e925213ac369ff0f49411e3a5de98efb9d52bfa3b7decaa67f2b55e478cc9f709d663a40730891dbb7f58baaf57b95101474433274956901133b02bfdd667c843559155baf57efe2c0b5a6430edca7ee969158cc0510f4d8aeeefdc9ab8865ca1cefa5f497f7349c5d308ed5f0bc1651f464265c80a050b2777be20d5e4efa282e47f9463472bd55fb83d08020056494a8c5918fddfd8e5605f22e9628ce91a88eee774f18488f2b92bfde98b01827e85de31d27ad63b61e836922b9d794c085a0ff27c7131933e869c248da09f1800c8821d1bcf6ed5544ee5cab5b5e0c74843801c335a2d10d6d48de8cbf633d5e80793488cbcf76cfb4475a831d935a4e8668d19a0805cea1996b831fafb45049d2234d4e44a8e909b777bd2fe1c7a800448866033c517e30464974aa6356ad3fbf99fccf936680c7c190556b42f1093f54928d821fd35877b76331a21ec343232cb792a5de89e0c7d380a3d8b91d6f5052726e675175345dd16e8bba69d44875a3d8db2bb6dee77575f8a623ea43445358762506cc24d29b5b9736b335821395010fdda28f80d997d889a1386f047a9b4e550dbea7ffbab2221f3c21b7544f10143b5356581c525ed09abfca0a670bd89eae5accd07f92bd26feba801eadf1022ed9a073900a8be52c86e0c92aa5c32fd15b90f53544088f5ba3826213297e13b0308658ec8c90a275af71cbf56de7e46da2b43fb1e45b74679c81664713341067e79282fd26bf629926c5e3e8015e0da4ae27dda8656dde91a1f48e5a7d5f16dc259de44d7098f91eaef75e7408c924094e67e036c1c61f85522fe698940d726feb967b043d20d974c6f9bfd8b59df40c51d8cd684889ef11159fde36a2ac6aeda431111f303fdaddfcc370323674b81309121c9ebe70c32d6b84511866d85468cdba577b618dd3ae969af5909bfe98ca5b243851e66fbc588d2fe4474cab6831dfadd9c3b8f39260101c05cd40ba192c04e147ee4f50efbc012895bbc67d5dcd02d5b74c71d04434a1e0c8de6da71a3176d2e6a803c7e1e1b05661e92f0957d796ed20d233d25e944dd2188be2ba26a19fa7d570341cbc34358d0a7b0e94d04251c0dcec159a7af7d1bf3a3edcd4b9b0660e5a96175aa8cb5c6fa0ecda826b95c67fe4d495bab2cced4d4fec67f1e34fdde9d2871e7d0641fd3ab6c1b2674a9d3dd733afad907b66dfd64c7af3e293da41859f81d2dfb944f8e5a97429fe6f185a9f1c7552514167cf4481a5dea3f0f354a86d629d61852451a726c7e07534510fd9a6821f86315382d7c64222a52ce7f550da2ad4d94537e039b8b8d4be2a505d0103c232ad433cfb66e802b69cfeda9f47ff4ef715c500eccb86da15b55df208309726d5c5c6e8632413d8ff1ad5d3f209a1dc1f0d2bdc6a55164af202a9290e196166819aa06a83e9c66664ca58ace554941f8de5f47ed06f8a6ddaf3cf62f4f500f1c293ed56f4ff987187e6337e9d1d915c7ed2c079b251dee72fde039350d99f6421fc862eab269a45b00953c626bbb528dd2516564f5061786b7aa214d536d55f17c1f2b5b3c83024a896d5ec527d88170b21f818e8461d60ae034a7b6dc482c5403478e00adbceaad237a31e40384882e330e3e25b5d9ffe04f580169039f6ddfb9780341bb01b2f90047e82b9f00f68493f0b8483696f5b4f9515187d7054174aad4e0b319f126d55c9cb7c292a694c4c22be58dbd99d8aae218aa30cb066308ed2f3c2c45cfebc4ecdc8660524cf569698f2326cb43d79b15482a28d49840369f2bbc27660e5b1488bcc044e476a48d63df22e9968301212ccfb375abf184c131f46059ad63cca27f41fd4433ce44f42b250ee7f89bb5eefe4b33553556a022cc30662597a304b8f4a0f79653782a22c03de37850d0fca4f08e1eab3468ee8fa3bb9632867db4333921c42bcaba60a7bd4f52843be443eb978d926ad2e699db28519c9d72285fa3568b4b089c75a9920e8ffd550abc8a82c3dcd699d240cde3d95fdd030ab4a07f0e8445e0062c1155b01d97d6ed171cd97dba2bc5aeda0bdf9c5a6ea5bcfe4623ee36f579d1cf127f604f246f1da133b6bc5e1261c46a0bc9e8d898d9d5c7f7c2e9f14df4b7a13039114f6456aeb23de31821fd83faba7eedcc8ec750933f6601ede3b77f2677358dcae299bfc2e18ba7073db290552099df51a7aee95826ae6af10a79b7e590e0f62d92032d021b1517f84e72704db62b915089ab3139262ba78c4b7a63ff531890f589f71b770c4234e38731d93c79e043dcc6e61204b747494a7b5c73f48661bceefba8ad3b2d5b63603f41138bc9d699d682ae927db2fcb25ecf776433e8ae76f73fecc1bb50ab4d838fb058a292b7c96a617abfbeaf179b28004f325524de90353ec4c219123b58193fd1a94d5c1d9d64eb68d469ff61a646cc7f539e205abdff1de8e3078309365885edd1b20e2325c6fe5fc22bf84e6730fe3215e64c884ed8170e5eb3d5b8471aeb5a41942580e9b114812f5851ab4e3b005d8c84f14f02ee74d6fdf788e45f534f6b9e8477ebe062ab95a3b0e9c6e833cef04546f9e56bfb47255c8320d19073ab3b34ce5899ce2559be48fcfddff1f48ebec4cd331f952083a0667510c130ffa6745efc3f89b7bcb1b16d29d220dae1b3cc265fd10744230fb08c9515e864090df0f8657957a3b15f45461107cfdab56d7384d1c0cdf1bee57aa72e33a1eafd9224bccad41b7aa76d558464b019affe8b2613c0ccc587f74de9cb90bb44081936ab839b43b4825bcb714b4fdd557479ed5b9c53adf3cadcc76fa4b8addaf933e927523a380b731f9bbb5b1b57365fb1938e8a475ba021a5b4535a7eb68b124407880466b430619eb52a19035444c6cb60cb506da57b310758fb7e46753b28f866d5fc6690c0db6d4d2a83fc4dbcc29658b94d6da6e75c2f871ab354f4a083465620b4af42b3ce3484210b247ae3bb81c1aff2d5fe91bb1d89b05d0b2ad0f823e212a98f3c20dc23f7e433a5db22af14b725aac621cd549a5671744eb5892808a4542146f9b058ebc1e908a33380e97e82c5e699467f7535b47c5751262fc82937edc13b0d621e8b5a16b3cd59eb3e3677f6140fd3650104ae88dc90b6e50d272064529da110a25edd6ffe72d7f49e7365aaa01a0d00a37df478bc78ab30c5a3caf0d7662a47da5d7b59ed57a56039b8ab5d5b3ae8bf02a30c5d66bbc6a4c9df71fc311d0f151a93207412098641a3128339ed39355465a06387332b3ebc6df69d0a08bc7b32e02c602d656da82b81e577ba742cb14ecfe946202216f5740548743a6b4b80ccae5a7f5936aba36bd171787c170137819bd542d2d4d0dcb20e96ec03341856e842df9eb908beb6791bf8717e97aace4f0f40faf", 0x1000) 15:41:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xffffff1f, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 345.762963][ T5] binder: send failed reply for transaction 1075, target dead 15:41:58 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 345.893587][T29252] binder: BINDER_SET_CONTEXT_MGR already set [ 345.920764][T29252] binder: 29229:29252 ioctl 40046207 0 returned -16 15:41:58 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in=@multicast2, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6}}, &(0x7f0000000000)=0xe8) r4 = getegid() fchownat(0xffffffffffffffff, 0x0, r3, r4, 0x2) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r1, 0xc0045516, &(0x7f0000000040)=0xe09c) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 345.948310][T29375] binder_alloc: binder_alloc_mmap_handler: 29229 20001000-20004000 already mapped failed -16 [ 345.965622][T29252] binder: BINDER_SET_CONTEXT_MGR already set 15:41:58 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) getsockname(0xffffffffffffffff, &(0x7f0000000080)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}}}, &(0x7f0000000140)=0x80) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f00000001c0)={0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000240)=0x18) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000280)={r1, 0x3}, 0x8) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) setsockopt$IP_VS_SO_SET_EDITDEST(r0, 0x0, 0x489, &(0x7f0000000380)={{0xff, @initdev={0xac, 0x1e, 0x0, 0x0}, 0x4e21, 0x3, 'none\x00', 0x2, 0x0, 0x36}, {@loopback, 0x4e20, 0x0, 0x3, 0x1, 0x4}}, 0x44) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r0, 0x84, 0x8, &(0x7f0000000000), &(0x7f0000000180)=0x4) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="3d802410010000000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f00000002c0)={0x9de, 0x7, 0x8000}, 0x4) [ 345.992450][ T5] binder: release 29229:29375 transaction 1080 out, still active [ 346.001277][T29252] binder: 29229:29252 ioctl 40046207 0 returned -16 [ 346.009812][ T5] binder: unexpected work type, 4, not freed 15:41:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:41:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x2, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 346.038664][ T5] binder: release 29229:29375 transaction 1084 out, still active [ 346.058503][T29429] ceph: device name is missing path (no : separator in =€$) [ 346.079723][ T5] binder: unexpected work type, 4, not freed [ 346.113104][ T5] binder_send_failed_reply: 10 callbacks suppressed [ 346.113113][ T5] binder: send failed reply for transaction 1079 to 29247:29248 15:41:59 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 346.184851][T29450] binder: BINDER_SET_CONTEXT_MGR already set [ 346.199954][ T5] binder: send failed reply for transaction 1080, target dead [ 346.222897][T29450] binder: 29447:29450 ioctl 40046207 0 returned -16 15:41:59 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1b, 0x6, 0xa73d, &(0x7f0000000000)) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 346.245346][ T5] binder_cleanup_transaction: 2 callbacks suppressed [ 346.245354][ T5] binder: undelivered transaction 1083, process died. [ 346.269637][T29589] binder_alloc: binder_alloc_mmap_handler: 29447 20001000-20004000 already mapped failed -16 15:41:59 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="00000000008b3a0000000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffffffffffffff, 0x0) [ 346.303439][ T5] binder: send failed reply for transaction 1084, target dead [ 346.318275][T29450] binder: BINDER_SET_CONTEXT_MGR already set [ 346.346585][T29450] binder: 29447:29450 ioctl 40046207 0 returned -16 [ 346.384660][ T7756] binder: send failed reply for transaction 1088 to 29441:29442 15:41:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc018620b, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 346.397378][ T7756] binder: send failed reply for transaction 1089 to 29447:29589 [ 346.427563][ T7756] binder: undelivered transaction 1092, process died. 15:41:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x18, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:41:59 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_open_dev$sndpcmp(&(0x7f00000002c0)='/dev/snd/pcmC#D#p\x00', 0x3, 0x400000) setsockopt$CAIFSO_LINK_SELECT(r2, 0x116, 0x7f, &(0x7f0000000300)=0x2, 0x4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = accept4(r1, &(0x7f0000000000)=@xdp, &(0x7f0000000080)=0x80, 0x80800) sendmsg$key(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x4000) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:41:59 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:59 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[N::]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x800, 0x0) ioctl$PPPIOCGUNIT(r0, 0x80047456, &(0x7f0000000080)) [ 346.593649][T29831] binder: BINDER_SET_CONTEXT_MGR already set 15:41:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc018620c, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 346.647899][T29831] binder: 29830:29831 ioctl 40046207 0 returned -16 [ 346.710249][ T7756] binder: send failed reply for transaction 1094 to 29719:29721 [ 346.718304][T29868] binder_alloc: binder_alloc_mmap_handler: 29830 20001000-20004000 already mapped failed -16 [ 346.734990][T29887] libceph: resolve 'N' (ret=-3): failed [ 346.745303][ T7756] binder: send failed reply for transaction 1095 to 29830:29868 [ 346.768429][T29831] binder_transaction: 2 callbacks suppressed [ 346.768445][T29831] binder: 29830:29831 transaction failed 29189/-22, size 24-8 line 2994 [ 346.773519][T29887] libceph: parse_ips bad ip '[N::]' [ 346.790174][ T7756] binder: undelivered transaction 1098, process died. [ 346.803667][T29893] binder: BINDER_SET_CONTEXT_MGR already set 15:41:59 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff81, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x400400, 0x0) setsockopt$inet_sctp_SCTP_AUTOCLOSE(r2, 0x84, 0x4, &(0x7f0000000000)=0x7ff, 0x39b) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) getpeername(r2, &(0x7f00000002c0)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @loopback}}}, &(0x7f0000000080)=0x80) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:41:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1800, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 346.864428][T29893] binder: 29892:29893 ioctl 40046207 0 returned -16 [ 346.864449][ T7756] binder_release_work: 24 callbacks suppressed [ 346.864455][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:41:59 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:41:59 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000000)={0x0}, &(0x7f0000000040)=0xc) sched_getscheduler(r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0xb1aeb5b273ae2f2e, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:41:59 executing program 1: clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000140)=ANY=[@ANYBLOB="38643a020000008488c16ae73a0b41e95e72a7efd1e9e6ef510c346cc669341cb611ccfc89b3649c41572c5ba12fc492dbae0765a74cb343bd353898bb7293f73915ba3e81f597cfd761e102809ff4c5f60dde1a334505138923d78e9912b6ca23e3948b0e0c2f5d2a01aeb40665a20fb063aba698e1dee7a446e9dda1f9621cee48481003f7e1"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x20002, 0x0) ioctl$KVM_PPC_ALLOCATE_HTAB(r0, 0xc004aea7, &(0x7f0000000040)=0x7) ioctl$VT_SETMODE(r0, 0x5602, &(0x7f0000000080)={0x6, 0x6, 0x4, 0x3, 0x7fff}) [ 346.964109][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 347.011101][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 347.031096][T30083] binder_alloc: binder_alloc_mmap_handler: 30073 20001000-20004000 already mapped failed -16 15:42:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0189436, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 347.076984][T30081] binder: BINDER_SET_CONTEXT_MGR already set [ 347.083291][T30081] binder: 30073:30081 ioctl 40046207 0 returned -16 [ 347.090120][T30083] binder_alloc: 30073: binder_alloc_buf, no vma [ 347.168987][T30083] binder: 30073:30083 transaction failed 29189/-3, size 24-8 line 3147 [ 347.179245][T30147] binder: BINDER_SET_CONTEXT_MGR already set 15:42:00 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) getsockname$packet(0xffffffffffffff9c, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000080)=0x14) setsockopt$inet_mreqn(r2, 0x0, 0x27, &(0x7f0000000140)={@local, @broadcast, r4}, 0xc) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 347.223963][T30147] binder: 30146:30147 ioctl 40046207 0 returned -16 [ 347.224002][ T7807] binder: send failed reply for transaction 1102 to 30073:30081 15:42:00 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 347.297054][ T7807] binder: undelivered transaction 1105, process died. 15:42:00 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="6c6c621a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:00 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 347.367768][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 347.410484][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 15:42:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc020660b, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 347.475995][T30330] binder: BINDER_SET_CONTEXT_MGR already set [ 347.485530][T30331] ceph: device name is missing path (no : separator in llb) [ 347.511853][T30330] binder: 30302:30330 ioctl 40046207 0 returned -16 [ 347.511915][T30333] binder_alloc: 30302: binder_alloc_buf, no vma [ 347.591047][T30333] binder: 30302:30333 transaction failed 29189/-3, size 24-8 line 3147 [ 347.592474][T30366] binder: BINDER_SET_CONTEXT_MGR already set [ 347.622258][T30366] binder: 30365:30366 ioctl 40046207 0 returned -16 [ 347.629368][T30329] binder_alloc: 30302: binder_alloc_buf, no vma [ 347.635921][T26837] binder: release 30302:30329 transaction 1108 out, still active [ 347.653711][T26837] binder: unexpected work type, 4, not freed [ 347.662192][T26837] binder: send failed reply for transaction 1108, target dead [ 347.672974][T30329] binder: 30302:30329 transaction failed 29189/-3, size 24-0 line 3147 [ 347.681750][T26837] binder: undelivered transaction 1111, process died. 15:42:00 executing program 1: r0 = openat$cachefiles(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/cachefiles\x00', 0x200000, 0x0) write$UHID_DESTROY(r0, &(0x7f0000000240), 0x4) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x1000040000, 0x0) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000600)='TIPCv2\x00') sendmsg$TIPC_NL_SOCK_GET(r1, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80800}, 0xc, &(0x7f0000000140)={&(0x7f0000000380)={0x200, r2, 0xb01, 0x70bd29, 0x25dfdbfb, {}, [@TIPC_NLA_LINK={0xd8, 0x4, [@TIPC_NLA_LINK_PROP={0x1c, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffffae2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7155}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x13}]}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd728}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40000000000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xc}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xbb}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1b}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x80000000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7f}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}]}, @TIPC_NLA_NET={0x34, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x4}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x344}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x1}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x3}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x2}]}, @TIPC_NLA_NODE={0x24, 0x6, [@TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x5}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x5}, @TIPC_NLA_NODE_UP={0x4}]}, @TIPC_NLA_SOCK={0x20, 0x2, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x81}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0xfffffffffffffffc}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x7}]}, @TIPC_NLA_MEDIA={0x3c, 0x5, [@TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x80}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7fff}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7d7}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x13}]}]}, @TIPC_NLA_MEDIA={0x20, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}]}]}, @TIPC_NLA_BEARER={0x40, 0x1, [@TIPC_NLA_BEARER_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffffff7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6}]}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'eth', 0x3a, 'team0\x00'}}]}]}, 0x200}}, 0x4000) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="26429700003a406c6c623a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 347.726819][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 347.738721][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:42:00 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchmodat(r2, &(0x7f0000000000)='./file0\x00', 0x4) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:00 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:00 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x2000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 347.826603][T30547] ceph: device name is missing path (no : separator in &B—) 15:42:00 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_SET_GSI_ROUTING(r2, 0x4008ae6a, &(0x7f0000000000)={0x3, 0x0, [{0xa0d, 0x5, 0x0, 0x0, @msi={0x8, 0xd8, 0x2}}, {0x81, 0x7, 0x0, 0x0, @irqchip={0xc52, 0x3}}, {0x8, 0x3, 0x0, 0x0, @sint={0x3, 0x287}}]}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306225, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 347.921555][T30567] binder: BINDER_SET_CONTEXT_MGR already set [ 347.961427][T30567] binder: 30566:30567 ioctl 40046207 0 returned -16 [ 347.961487][T30582] binder: BINDER_SET_CONTEXT_MGR already set 15:42:01 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socket$inet6_sctp(0xa, 0x5, 0x84) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 348.030585][T30582] binder: 30580:30582 ioctl 40046207 0 returned -16 [ 348.032281][T30578] binder_alloc: 30566: binder_alloc_buf, no vma [ 348.037498][ T7752] binder: release 30566:30567 transaction 1115 out, still active 15:42:01 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 348.090223][ T7752] binder: unexpected work type, 4, not freed [ 348.120820][ T7752] binder: send failed reply for transaction 1115, target dead [ 348.136454][T30578] binder: 30566:30578 transaction failed 29189/-3, size 24-8 line 3147 15:42:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x18000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 348.164505][ T7752] binder: undelivered transaction 1118, process died. [ 348.197155][ T7752] binder: undelivered TRANSACTION_ERROR: 29189 15:42:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc030627e, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f00000002c0)={[0x0, 0xffa3, 0x0, 0x0, 0x0, 0x4000000000, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200], 0x5000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:01 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x20000, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_TRANSLATE(r2, 0xc018ae85, &(0x7f0000000000)={0x5000, 0xd000, 0x8, 0xc14, 0x492}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 348.339541][T30785] binder_alloc_mmap_handler: 2 callbacks suppressed [ 348.339560][T30785] binder_alloc: binder_alloc_mmap_handler: 30782 20001000-20004000 already mapped failed -16 [ 348.366828][T30788] binder: BINDER_SET_CONTEXT_MGR already set [ 348.392647][T30788] binder: 30786:30788 ioctl 40046207 0 returned -16 [ 348.421974][T30783] binder: BINDER_SET_CONTEXT_MGR already set 15:42:01 executing program 1: clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = syz_open_dev$vcsa(&(0x7f00000000c0)='/dev/vcsa#\x00', 0x12, 0x400) openat$random(0xffffffffffffff9c, &(0x7f0000000240)='/dev/urandom\x00', 0x200000, 0x0) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x224002, 0x0) ioctl$sock_bt_bnep_BNEPCONNADD(r0, 0x400442c8, &(0x7f0000000180)={r1, 0x401, 0x7, "885b566b4c899526304ee66e9462985874b447e79001379186dd5bd1165aa8e31a94011dba11208f70686f8c5b757512d0e69565bb02e8c399ff93ac132d072662bd06e8b7a2bb2b3269ad97a50e4f2e17ddf836eff5304d67cb7f8e73dbf94d14dbac8b810fd98c4a"}) r2 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x100000000, 0x0) ioctl$DRM_IOCTL_MARK_BUFS(r2, 0x40186417, &(0x7f0000000080)={0x1f, 0x4, 0x6, 0x20, 0x1, 0x5}) 15:42:01 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 348.467145][T30783] binder: 30782:30783 ioctl 40046207 0 returned -16 [ 348.467268][T30894] binder_alloc: 30782: binder_alloc_buf, no vma [ 348.543239][T30894] binder: 30782:30894 transaction failed 29189/-3, size 24-8 line 3147 [ 348.562930][ T5] binder: send failed reply for transaction 1121 to 30782:30783 [ 348.584501][ T5] binder: undelivered transaction 1124, process died. [ 348.599313][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 348.614928][ T5] binder_release_work: 22 callbacks suppressed [ 348.614933][ T5] binder: undelivered TRANSACTION_COMPLETE [ 348.632019][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x7e, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xfdfdffff, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 348.675740][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_S390_UCAS_UNMAP(r2, 0x4018ae51, &(0x7f0000000000)={0xfffffffffffffffd, 0x4, 0xfffffffffffffff9}) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:01 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_DEASSIGN_DEV_IRQ(r1, 0x4040ae75, &(0x7f0000000000)={0x1, 0x8001, 0x7}) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) fcntl$setlease(r2, 0x400, 0x0) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x65d) 15:42:01 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0x0, 0x0) write$binfmt_script(r0, &(0x7f00000004c0)=ANY=[@ANYBLOB="2321202e2f66696c6530206367726f757027e55d2c202f6465762f696e7075742f6576656e742300202f6465762f6d69646923000a722ff973a07cf7a837b1e8a6dffdbdee66a57afeac908a66237df79c58ea2dd2aa60306cdd8fa30d1ab097519bdfca209c5242060f54256ad05d4742f6569dfca7ed8bf488394294bf0adae85efc5ec0e5d836fd888ba5e9f00899b20d4942d4425f368e835cd87a751e1c8896cce35fbca730d9796dc464a3846f0127fbdad9291174b908ad3645ada81a93e45bacab7f60"], 0x9e) r1 = syz_open_dev$evdev(&(0x7f0000000080)='/dev/input/event#\x00', 0xe0, 0x101200) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000240)={'team0\x00', 0x0}) ioctl$EVIOCSABS2F(r0, 0x401845ef, &(0x7f00000002c0)={0x647c, 0x8, 0x5, 0x6cd1, 0x100000000, 0x1fdc}) ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000280)={@loopback, 0x20, r2}) sendfile(r0, r1, &(0x7f00000000c0), 0xa475) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000300)='/dev/cachefiles\x00', 0x200000, 0x0) r3 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0xf8b8, 0x408000) ioctl$TUNGETIFF(r0, 0x800454d2, &(0x7f0000000480)) ioctl$SCSI_IOCTL_DOORUNLOCK(r3, 0x5381) mount(&(0x7f0000000380)=ANY=[@ANYBLOB="5b643a098e9df66c6c623a007817f318d9c974248dcf2157534f3b1e99eb6b2bc083389388cf45195eef19f0807171792e9ce34e44a91ff13f3f26244eed76386bd7c836b9fc33086f6810a1a28830db1237df2d7c9b347fe9e36740e95c89452dfca4d34b485cc0e18a446457d71058ffdd336e9fbc0a10f0f7e5e8544e61ac61176146a5cc891f23270e2d38e87093e2d89ec0298a14b99a3be5078addb8f995d4b57fa9d08e38c48c0d1cc60afbd90c28a07bb3293d4f43a7955caafc1fcad63e84807c5fc99bbb6a0ca04ecc4c85f49ae3f40efc9e455db817e8392d9e3f5497f9c9bb2412a2701541b0984526a40b1fe9b7d124cd7e03c43fc05d29"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:01 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 348.762932][T31109] binder: 31108:31109 got new transaction with bad transaction stack, transaction 1127 has target 31108:0 [ 348.828542][T31113] binder: BINDER_SET_CONTEXT_MGR already set [ 348.842702][T31109] binder: 31108:31109 transaction failed 29201/-71, size 0-0 line 3044 [ 348.862516][T31113] binder: 31112:31113 ioctl 40046207 0 returned -16 [ 348.900642][T31126] binder_alloc: binder_alloc_mmap_handler: 31112 20001000-20004000 already mapped failed -16 [ 348.931631][T31113] binder: BINDER_SET_CONTEXT_MGR already set [ 348.959876][T31113] binder: 31112:31113 ioctl 40046207 0 returned -16 [ 349.032993][ T5] binder: release 31112:31113 transaction 1129 out, still active [ 349.055792][ T5] binder: unexpected work type, 4, not freed 15:42:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xfffffdfd, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:02 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$GIO_CMAP(r2, 0x4b70, &(0x7f0000000080)) ioctl$TIOCGPGRP(r2, 0x540f, &(0x7f0000000000)=0x0) ioctl$sock_FIOSETOWN(r2, 0x8901, &(0x7f0000000040)=r3) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) sendto$rxrpc(r2, &(0x7f0000000140)="78f76791269d0a88583d6a8d6de912", 0xf, 0x20000010, &(0x7f00000002c0)=@in6={0x21, 0x2, 0x2, 0x1c, {0xa, 0x4e22, 0x3fff80000000000, @remote, 0x400}}, 0x24) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:02 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 349.084182][ T5] binder: undelivered TRANSACTION_COMPLETE [ 349.121142][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:02 executing program 1: mkdir(&(0x7f0000000000)='./file0\x00', 0x186) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x0, 0x0) ioctl$IOC_PR_PREEMPT(r0, 0x401870cb, &(0x7f00000000c0)={0x4800000, 0x101, 0x1ff}) [ 349.171170][ T5] binder: send failed reply for transaction 1127 to 31108:31109 15:42:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_REINJECT_CONTROL(r2, 0xae71, &(0x7f0000000080)={0x7}) time(&(0x7f0000000140)) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1) r3 = openat$cgroup_ro(r2, &(0x7f0000000000)='memory.eves\x00\x00\x00', 0x0, 0x0) setsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r2, 0x84, 0xc, &(0x7f00000002c0)=0x6, 0x4) fchownat(0xffffffffffffffff, &(0x7f0000000300)='./file0\x00', 0x0, 0x0, 0x0) connect$netlink(r3, &(0x7f00000003c0)=@kern={0x10, 0x0, 0x0, 0x8000000}, 0xc) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) unlinkat(r2, &(0x7f0000000400)='./file0\x00', 0x200) ioctl$DRM_IOCTL_GET_STATS(r4, 0x807c6406, &(0x7f0000000340)=""/105) ioctl$PPPIOCSMRU(r2, 0x40047452, &(0x7f0000000040)=0x7fff) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 349.222113][ T5] binder: send failed reply for transaction 1129, target dead [ 349.224690][T31345] binder_alloc: binder_alloc_mmap_handler: 31339 20001000-20004000 already mapped failed -16 [ 349.255558][T31347] binder: BINDER_SET_CONTEXT_MGR already set [ 349.267090][ T5] binder: undelivered transaction 1132, process died. [ 349.289564][T31347] binder: 31338:31347 ioctl 40046207 0 returned -16 [ 349.299895][T31340] binder: BINDER_SET_CONTEXT_MGR already set [ 349.305922][ T5] binder: send failed reply for transaction 1133 to 31112:31126 [ 349.325756][T31340] binder: 31339:31340 ioctl 40046207 0 returned -16 [ 349.325782][ T5] binder: undelivered TRANSACTION_COMPLETE [ 349.332671][T31347] binder_alloc: 31339: binder_alloc_buf, no vma [ 349.332708][T31347] binder: 31338:31347 transaction failed 29189/-3, size 0-0 line 3147 [ 349.353933][T31357] binder_alloc: 31339: binder_alloc_buf, no vma [ 349.358900][ T5] binder: undelivered TRANSACTION_COMPLETE [ 349.385236][ T17] binder: release 31339:31340 transaction 1137 out, still active [ 349.410522][T31340] binder_alloc: 31339: binder_alloc_buf, no vma [ 349.426910][ T17] binder: unexpected work type, 4, not freed [ 349.450012][ T17] binder: undelivered TRANSACTION_COMPLETE [ 349.458078][T31357] binder: 31339:31357 transaction failed 29189/-3, size 24-8 line 3147 [ 349.487927][ T17] binder: undelivered TRANSACTION_COMPLETE 15:42:02 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 349.497612][T31340] binder: 31339:31340 transaction failed 29189/-3, size 24-0 line 3147 [ 349.514396][ T17] binder: send failed reply for transaction 1137, target dead 15:42:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x3, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:02 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x400000, 0x0) ioctl$SG_EMULATED_HOST(r0, 0x2203, &(0x7f00000000c0)) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 349.561335][ T17] binder: undelivered transaction 1140, process died. 15:42:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x100000000000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:02 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$VIDIOC_SUBDEV_ENUM_DV_TIMINGS(r2, 0xc0945662, &(0x7f0000000000)={0x3, 0x0, [], {0x0, @bt={0x4, 0x7, 0x0, 0x3, 0x7, 0xfffffffffffffffa, 0xff, 0x0, 0xffffffff, 0xce, 0x71d, 0x3a, 0x9, 0x7fffffff, 0x0, 0xf}}}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$TUNSETOFFLOAD(r2, 0x400454d0, 0x4) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 349.664961][T31569] binder: 31566:31569 unknown command 64 [ 349.692130][T31569] binder: 31566:31569 ioctl c0306201 200002c0 returned -22 15:42:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fstat(r2, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000140)={0x0, 0x0, 0x0}, &(0x7f00000003c0)=0xc) chown(&(0x7f0000000080)='./file0\x00', r3, r4) r5 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) getsockopt$packet_buf(r5, 0x107, 0xf, &(0x7f00000002c0)=""/128, &(0x7f0000000000)=0x80) ioctl$KVM_RUN(r6, 0xae80, 0x0) [ 349.716760][T31573] binder: BINDER_SET_CONTEXT_MGR already set [ 349.726766][T31573] binder: 31572:31573 ioctl 40046207 0 returned -16 [ 349.738551][T31580] binder_alloc: binder_alloc_mmap_handler: 31572 20001000-20004000 already mapped failed -16 [ 349.749660][T31573] binder: BINDER_SET_CONTEXT_MGR already set [ 349.778543][T31573] binder: 31572:31573 ioctl 40046207 0 returned -16 [ 349.806252][ T5] binder: release 31572:31573 transaction 1146 out, still active [ 349.828041][ T5] binder: unexpected work type, 4, not freed 15:42:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x200000000000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 349.854715][ T5] binder: undelivered TRANSACTION_COMPLETE [ 349.878699][ T5] binder: undelivered TRANSACTION_COMPLETE [ 349.888645][ T5] binder: release 31572:31580 transaction 1150 out, still active 15:42:02 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 349.928435][ T5] binder: unexpected work type, 4, not freed [ 349.970220][T31711] binder: BINDER_SET_CONTEXT_MGR already set [ 349.999274][T31711] binder: 31690:31711 ioctl 40046207 0 returned -16 [ 350.000675][ T5] binder: send failed reply for transaction 1145 to 31566:31569 [ 350.007925][T31720] binder: 31719:31720 unknown command 0 [ 350.030242][T31720] binder: 31719:31720 ioctl c0306201 200002c0 returned -22 [ 350.039596][T31752] binder_alloc: binder_alloc_mmap_handler: 31690 20001000-20004000 already mapped failed -16 [ 350.058911][T31711] binder: BINDER_SET_CONTEXT_MGR already set [ 350.061711][ T5] binder: send failed reply for transaction 1146, target dead [ 350.069998][T31711] binder: 31690:31711 ioctl 40046207 0 returned -16 15:42:03 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x4000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1800000000000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 350.108822][ T5] binder: undelivered transaction 1149, process died. [ 350.123054][ T5] binder: send failed reply for transaction 1150, target dead [ 350.158639][ T5] binder: release 31690:31752 transaction 1159 out, still active [ 350.178182][ T5] binder: unexpected work type, 4, not freed [ 350.187069][T31909] binder: BINDER_SET_CONTEXT_MGR already set [ 350.217882][ T5] binder: unexpected work type, 4, not freed [ 350.233053][T31909] binder: 31900:31909 ioctl 40046207 0 returned -16 15:42:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x5, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 350.266782][T31920] binder_alloc: binder_alloc_mmap_handler: 31900 20001000-20004000 already mapped failed -16 [ 350.269564][ T17] binder: send failed reply for transaction 1155, target dead 15:42:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000009c0)='io.stat\x00', 0x0, 0x0) r3 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000a40)='IPVS\x00') sendmsg$IPVS_CMD_SET_DEST(r2, &(0x7f0000000b80)={&(0x7f0000000a00)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000b40)={&(0x7f0000000a80)={0xc0, r3, 0x820, 0x70bd26, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_DEST={0x44, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x8ab}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x6}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xffff}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x7}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0xff80}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x83c0}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x9}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x2}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x3}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}]}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e23}]}, @IPVS_CMD_ATTR_SERVICE={0x14, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x1f}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}]}, @IPVS_CMD_ATTR_DAEMON={0x14, 0x3, [@IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x200}]}]}, 0xc0}, 0x1, 0x0, 0x0, 0x800}, 0x40011) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) stat(&(0x7f00000008c0)='./file0\x00', &(0x7f0000000900)={0x0, 0x0, 0x0, 0x0, 0x0}) splice(r0, &(0x7f0000000040), r4, &(0x7f0000000980), 0x800, 0x1) fchownat(0xffffffffffffffff, &(0x7f0000000880)='./file0\x00', r5, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f00000006c0)={[0x400, 0x5, 0x19, 0xff, 0xd1, 0x7fff, 0x2, 0x4, 0x4, 0x10000, 0x7, 0x100000001, 0x4, 0x3, 0x0, 0xfeb], 0xd000, 0x5200}) ioctl$KVM_GET_XSAVE(r4, 0x9000aea4, &(0x7f00000002c0)) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r4, 0x84, 0x6, &(0x7f0000000780)={0x0, @in6={{0xa, 0x4e21, 0x7, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x9}}}, &(0x7f0000000080)=0x84) getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r4, 0x84, 0x75, &(0x7f0000000140)={r7, 0x9}, &(0x7f0000000840)=0x8) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) prctl$PR_MPX_ENABLE_MANAGEMENT(0x2b) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4cb, 0x0, 0xfff, 0x3ffffc, 0x1, 0x0, 0x0, 0x0, 0x80000, 0x1000000], 0x1f000}) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER(r4, 0xc0605345, &(0x7f0000000bc0)={0x3f, 0x1, {0xffffffffffffffff, 0x3, 0x8000, 0x3, 0x2}}) bind$netlink(r4, &(0x7f0000000000)={0x10, 0x0, 0x25dfdbfb, 0x802}, 0xc) ioctl$KVM_RUN(r6, 0xae80, 0x0) 15:42:03 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 350.354752][T31975] binder: 31956:31975 unknown command 0 [ 350.360362][T31975] binder: 31956:31975 ioctl c0306201 200002c0 returned -22 [ 350.364227][T31909] binder: BINDER_SET_CONTEXT_MGR already set 15:42:03 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = dup3(0xffffffffffffff9c, 0xffffffffffffff9c, 0x0) r1 = open(&(0x7f0000000080)='./file0\x00', 0x200, 0x4) renameat2(r0, &(0x7f0000000000)='./file0\x00', r1, &(0x7f00000000c0)='./file0\x00', 0x5) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000140)={0x0, 0x3}, &(0x7f0000000180)=0x8) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f00000001c0)={0x4, 0x1, 0x0, 0x6, r2}, &(0x7f0000000240)=0x10) [ 350.422609][T31909] binder: 31900:31909 ioctl 40046207 0 returned -16 15:42:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xfdfdffff00000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:03 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) setsockopt$inet_tcp_TLS_RX(r2, 0x6, 0x2, &(0x7f0000000140), 0x4) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x101000, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$TUNGETFEATURES(r2, 0x800454cf, &(0x7f0000000080)) write$P9_RLOCK(r2, &(0x7f0000000000)={0x8, 0x35, 0x2, 0x3}, 0x8) 15:42:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 350.569862][T32134] binder: BINDER_SET_CONTEXT_MGR already set [ 350.607092][T32134] binder: 32133:32134 ioctl 40046207 0 returned -16 15:42:03 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 350.637333][T32207] binder_alloc: binder_alloc_mmap_handler: 32133 20001000-20004000 already mapped failed -16 15:42:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x0, 0x0, 0x100000, 0x2000, &(0x7f0000013000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 350.715871][T32242] binder: BINDER_SET_CONTEXT_MGR already set [ 350.733286][T32242] binder: 32241:32242 ioctl 40046207 0 returned -16 [ 350.741991][T32242] binder_alloc: 32133: binder_alloc_buf, no vma 15:42:03 executing program 1: mkdir(&(0x7f00000002c0)='./file0\x00', 0xfffffffffffffffc) clone(0x4000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x101000, 0x0) recvmsg(r0, &(0x7f0000000280)={&(0x7f0000000080)=@nfc_llcp, 0x80, &(0x7f0000000240)=[{&(0x7f0000000140)=""/139, 0x8b}], 0x1}, 0x10000) [ 350.781474][T32247] binder_alloc: 32133: binder_alloc_buf, no vma 15:42:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:03 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$rfkill(r2, &(0x7f0000000040), 0x8) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000], 0x1f000, 0x10000}) connect$tipc(r2, &(0x7f0000000000)=@nameseq={0x1e, 0x1, 0x3, {0x0, 0x4, 0x2}}, 0x10) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) keyctl$join(0x1, 0x0) ioctl$KVM_SET_CPUID(r2, 0x4008ae8a, &(0x7f0000000080)={0x2, 0x0, [{0x80000007, 0x463b, 0x5, 0x8, 0x101}, {0x1, 0xffffffff00000001, 0x3, 0x2d5, 0x4}]}) [ 350.991485][T32387] binder_alloc: binder_alloc_mmap_handler: 32374 20001000-20004000 already mapped failed -16 15:42:03 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 351.036564][T32375] binder: BINDER_SET_CONTEXT_MGR already set [ 351.065044][T32375] binder: 32374:32375 ioctl 40046207 0 returned -16 15:42:04 executing program 5: r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x20000, 0x0) getsockopt$inet_tcp_buf(r0, 0x6, 0x1c, &(0x7f00000002c0)=""/227, &(0x7f0000000080)=0xe3) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 351.089289][T32418] binder: BINDER_SET_CONTEXT_MGR already set [ 351.149456][T32418] binder: 32403:32418 ioctl 40046207 0 returned -16 [ 351.149487][T32460] binder_alloc: 32374: binder_alloc_buf, no vma 15:42:04 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = add_key(&(0x7f0000000000)='asymmetric\x00', &(0x7f0000000080)={'syz', 0x2}, 0x0, 0x0, 0x0) keyctl$revoke(0x3, r0) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:/]lb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 351.190727][ T7807] binder_thread_release: 2 callbacks suppressed [ 351.190740][ T7807] binder: release 32374:32375 transaction 1173 out, still active [ 351.206946][T32375] binder_alloc: 32374: binder_alloc_buf, no vma [ 351.229550][ T7807] binder: unexpected work type, 4, not freed 15:42:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x18, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 351.262658][ T7807] binder_send_failed_reply: 2 callbacks suppressed [ 351.262665][ T7807] binder: send failed reply for transaction 1173, target dead [ 351.290694][ T7807] binder_cleanup_transaction: 2 callbacks suppressed [ 351.290702][ T7807] binder: undelivered transaction 1176, process died. 15:42:04 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 351.372566][T32591] binder_alloc: binder_alloc_mmap_handler: 32589 20001000-20004000 already mapped failed -16 15:42:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 351.422940][T32590] binder: BINDER_SET_CONTEXT_MGR already set 15:42:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x400000, 0x0) r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000400)='m\x00\x01o\x18\x8a\xb9e\xa9\xe5\x89[z\x98m\xc5\xb8o\xb0\xfa\xe2\x9b\xe3[1%;\x95\xe9d\xf1\xe8\xf1\xc0\xad4O\x9f\x8a\xd3d\xcb\xe0\xbb\xceK\b\t\x02?mB\xe2a\xd1\n\xc0\x9c\xbc\x11\x1ffl\xeav\xac#){;@\x87X\x9b\xfemBh\xcd\xea8K*}\xd7TP\xeej\x8b\xd6\xaci\x8e9\xa5E\xf8\xa6\x83\x99\xdc\xf4\xd9\x8erm\x96W\xdc\xa8\x06f\x12\xf8\xc9\xfc|KK\x17\xb8\xd8\xca9\xc0\xf6\x03\xb0\xf4$4M\xc9I\xe5\x10\xd7v\xe9\xdc\xf8{\xe5\xc0\x06m\xad+qH\xe7\a^\xecz\xeb\x93\"\xa7\x11\x11%>\xa2\x8e;\xd7\xe7\xbc\xf6\x91 \x1c\xab\xff\x94\xf691\x15\xc0\xcbY\x90%\xc6z\x88\xfb3\x7f\x9e\xb3\xc0\xe0\x8e\xed\xea\x03\x16\t\x13\xc7\xfeX\'\xc5\x19\x19\xb3\xb1\xa9\xf8\x84\xadgD\xe6 E\xae\x06/B\x11\xa9\xc3\xb4\xeb.:\xb7d\xdfh\xac\x14\x94\x01\xc9=\x83r\x81', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@text32={0x20, &(0x7f00000002c0)="c4e17b70613f0bb94f090000b838000000ba000000000f30672e0fc75904c4c1a1efcf0f2329640f81000000000ff7d598b9800000c00f3235002000000f306464660f3882927a5e0000"}], 0xa3, 0x0, 0x0, 0xffe2) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0xfffffffffffffffe, 0x0) write$P9_RAUTH(r3, &(0x7f00000000c0)={0x14, 0x67, 0x1, {0x20, 0x1, 0x2}}, 0x14) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 351.476802][ T7807] binder: release 32589:32590 transaction 1180 out, still active [ 351.489757][T32601] binder: BINDER_SET_CONTEXT_MGR already set [ 351.497238][T32590] binder: 32589:32590 ioctl 40046207 0 returned -16 [ 351.506684][ T7807] binder: unexpected work type, 4, not freed [ 351.529616][T32601] binder: 32598:32601 ioctl 40046207 0 returned -16 [ 351.530270][ T7807] binder: send failed reply for transaction 1180, target dead 15:42:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1800, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 351.579532][ T7807] binder: undelivered transaction 1183, process died. 15:42:04 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x20000, 0x0) getsockopt$IP6T_SO_GET_REVISION_MATCH(r0, 0x29, 0x44, &(0x7f0000000080)={'ipvs\x00'}, &(0x7f00000000c0)=0x1e) ioctl$VIDIOC_SUBDEV_S_CROP(r0, 0xc038563c, &(0x7f0000000140)={0x1, 0x0, {0x2, 0x4e1dc5e3, 0x1, 0x5}}) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:04 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) openat$smack_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:04 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x10004, 0x0) stat(&(0x7f0000000000)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, r3, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r2, 0x84, 0x4, &(0x7f0000000080)=0x6, 0x4) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x48, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 351.726250][ T343] binder_alloc: binder_alloc_mmap_handler: 315 20001000-20004000 already mapped failed -16 [ 351.820198][ T342] binder: BINDER_SET_CONTEXT_MGR already set [ 351.876607][ T342] binder: 315:342 ioctl 40046207 0 returned -16 [ 351.882185][ T361] binder: BINDER_SET_CONTEXT_MGR already set [ 351.889383][ T361] binder: 360:361 ioctl 40046207 0 returned -16 [ 351.904856][ T363] binder_transaction: 5 callbacks suppressed [ 351.904899][ T363] binder: 315:363 transaction failed 29189/-3, size 24-8 line 3147 [ 351.929937][ T17] binder: release 315:342 transaction 1185 out, still active [ 351.937913][ T342] binder: 315:342 transaction failed 29189/-3, size 24-0 line 3147 [ 351.952239][ T17] binder: unexpected work type, 4, not freed [ 351.960080][ T17] binder: send failed reply for transaction 1185, target dead [ 351.998071][ T17] binder: undelivered transaction 1188, process died. 15:42:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:05 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 352.042801][ T17] binder_release_work: 14 callbacks suppressed [ 352.042840][ T17] binder: undelivered TRANSACTION_ERROR: 29189 15:42:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 352.117780][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 352.146798][ T545] binder: BINDER_SET_CONTEXT_MGR already set 15:42:05 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$VIDIOC_STREAMON(r2, 0x40045612, &(0x7f0000000600)=0x10000) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) write$P9_RFLUSH(r2, &(0x7f0000000000)={0x7, 0x6d, 0x1}, 0x7) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$PPPIOCSPASS(r2, 0x40087447, &(0x7f0000000080)={0x4, &(0x7f0000000040)=[{0x4, 0xff, 0x81, 0x6}, {0x1, 0x5, 0x2, 0x1}, {0x4, 0x8b3, 0x4, 0x7fff}, {0x20, 0x0, 0x6, 0x401}]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000640)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r2, 0x84, 0x70, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e22, 0xfffffffffffffff9, @empty, 0x7}}, [0x1ff, 0x7, 0x1ea5, 0xa2, 0x3ff, 0x3, 0xff, 0x9, 0x0, 0x5, 0x16d, 0x6, 0x6, 0x3, 0x5]}, &(0x7f0000000580)=0x100) setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f00000005c0)={0x3ff, 0x200, 0xfffffffffffff8de, 0x5, r4}, 0x10) recvmsg(r2, &(0x7f0000000440)={&(0x7f00000002c0)=@rc, 0x80, &(0x7f0000000140)=[{&(0x7f0000000340)=""/198, 0xc6}], 0x1}, 0x2000) 15:42:05 executing program 1: r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x9c, 0x2c8002) ioctl$sock_inet_SIOCDARP(r0, 0x8953, &(0x7f0000000080)={{0x2, 0x4e24, @multicast2}, {0x307, @local}, 0x20, {0x2, 0x4e21, @multicast2}, 'bcsf0\x00'}) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 352.195667][ T17] binder_send_failed_reply: 2 callbacks suppressed [ 352.195676][ T17] binder: send failed reply for transaction 1192 to 513:545 [ 352.212410][ T545] binder: 513:545 ioctl 40046207 0 returned -16 15:42:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 352.239573][ T17] binder: undelivered transaction 1195, process died. [ 352.269026][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 352.363416][ T673] binder: BINDER_SET_CONTEXT_MGR already set 15:42:05 executing program 5: r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x0, 0x0) ioctl$KVM_GET_DEBUGREGS(r0, 0x8080aea1, &(0x7f00000002c0)) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$IOC_PR_PREEMPT_ABORT(r3, 0x401870cc, &(0x7f0000000000)={0x80, 0x7fffffff, 0x4, 0x4dcc}) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x1], 0x1f000}) r5 = add_key(0x0, 0x0, 0x0, 0x1ab, 0xffffffffffffffff) keyctl$negate(0xd, 0x0, 0x1000, r5) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) ioctl$EVIOCSREP(r0, 0x40084503, &(0x7f0000000340)=[0xfffffffffffffff9, 0x6]) add_key(&(0x7f0000000040)='dns_resolver\x00', 0x0, &(0x7f0000000100)="f1adeb1af858baacf3badb1d79cae63160297c5622f1bd4355db6251ba98a1e2907b45d18f94a48704000000222a0027dec36a9f5f10be85cdfbb42864d37ef802ac13632e6787578d000000d38f350b8b23000000000000000000", 0x5b, 0xfffffffffffffffb) ioctl$KVM_RUN(r1, 0xae80, 0x0) socket$key(0xf, 0x3, 0x2) 15:42:05 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 352.409023][ T673] binder: 669:673 ioctl 40046207 0 returned -16 [ 352.442868][ T694] binder: 669:694 transaction failed 29189/-3, size 24-0 line 3147 15:42:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x60, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 352.484741][ T673] binder: BINDER_SET_CONTEXT_MGR already set [ 352.529082][ T7756] binder: send failed reply for transaction 1197 to 579:581 [ 352.541630][ T726] binder: 669:726 transaction failed 29189/-22, size 24-0 line 2994 [ 352.541874][ T694] binder: 669:694 transaction failed 29189/-22, size 24-8 line 2994 [ 352.571866][ T7756] binder: send failed reply for transaction 1198 to 669:694 [ 352.595910][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 352.615873][ T706] Option ' ' to dns_resolver key: bad/missing value [ 352.630421][ T673] binder: 669:673 ioctl 40046207 0 returned -16 [ 352.630757][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = add_key(&(0x7f0000000000)='user\x00', &(0x7f0000000080)={'syz', 0x2}, &(0x7f00000002c0)="afb2e7387bf85240c2078129914277bf05266aebdfad8fdc9e5a1931e5b6b6cfe42edbdb1fb8c06ed4dae53fe5de904efeffacefd7d5f86a8fc5e332900428cc3de24654c0ac34e0d1ce229017c032297c0f13ddf671080b71fea7ba772ccad3caf1280763503dcb7e81184da2a2f5faf6423ce9b46a8222cd974ed1f0e330f50f59edf016910948479be7ecd7f3bef25952392317f11fdb9e19a038634ed50ccdf1b3f826c293f737e724fbcd0c09195b48f95a045c5c36afcec77e208f8bc59dd32ebf84804172c7bacd98b381aa5e9b45d4e0651e835ac07a036220cc8aa48ee2bd04b9e43ce7fdabda28b0126f16291d306aa202c70e44e214", 0xfb, 0xfffffffffffffffb) keyctl$describe(0x6, r3, &(0x7f00000003c0)=""/230, 0xe6) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:05 executing program 1: mkdir(&(0x7f0000000180)='./file0\x00', 0x8000100) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x2, 0x0) ioctl$PPPIOCDISCONN(r0, 0x7439) 15:42:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x18000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 352.693141][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 352.726856][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x68, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 352.778797][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 352.799783][ T919] binder: BINDER_SET_CONTEXT_MGR already set 15:42:05 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 352.842549][ T919] binder: 916:919 ioctl 40046207 0 returned -16 [ 352.849163][ T7756] binder: send failed reply for transaction 1205 to 734:735 [ 352.849253][ T923] binder: 916:923 transaction failed 29189/-22, size 24-8 line 2994 [ 352.886731][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:05 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_IOEVENTFD(r2, 0x4040ae79, &(0x7f0000000040)={0x4000, &(0x7f0000000000), 0x8, r2, 0x5}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 352.969127][ T919] binder: BINDER_SET_CONTEXT_MGR already set [ 352.993901][ T919] binder: 916:919 ioctl 40046207 0 returned -16 15:42:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 353.021449][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 353.032906][ T7756] binder: release 916:923 transaction 1210 out, still active 15:42:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xfdfdffff, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:06 executing program 1: mkdir(&(0x7f0000000000)='./file0\x00', 0x40) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 353.081585][ T7756] binder: unexpected work type, 4, not freed 15:42:06 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 353.133175][ T7756] binder: send failed reply for transaction 1208 to 950:960 [ 353.174635][ T7756] binder: undelivered transaction 1209, process died. [ 353.205694][ T7756] binder: send failed reply for transaction 1210, target dead [ 353.212087][ T1170] binder: BINDER_SET_CONTEXT_MGR already set [ 353.225708][ T1170] binder: 1169:1170 ioctl 40046207 0 returned -16 [ 353.304556][ T1170] binder: BINDER_SET_CONTEXT_MGR already set [ 353.336273][ T5] binder: release 1169:1251 transaction 1215 out, still active [ 353.344646][ T1170] binder: 1169:1170 ioctl 40046207 0 returned -16 15:42:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x74, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) getsockopt$bt_BT_SECURITY(r2, 0x112, 0x4, &(0x7f0000000000), 0x2) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x2, 0x1, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 353.360573][ T5] binder: unexpected work type, 4, not freed [ 353.388387][ T5] binder: send failed reply for transaction 1214 to 1155:1156 15:42:06 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) bind$bt_rfcomm(r2, &(0x7f0000000000)={0x1f, {0x6892, 0x2, 0x48, 0x100000001, 0x0, 0x3}, 0x100}, 0xa) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 353.432632][ T5] binder: send failed reply for transaction 1215, target dead 15:42:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xfffffdfd, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 353.477596][ T5] binder: undelivered transaction 1218, process died. [ 353.499289][ T5] binder: send failed reply for transaction 1219 to 1169:1251 15:42:06 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:06 executing program 1: r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0xeb, 0x300) ioctl$SG_GET_REQUEST_TABLE(r0, 0x2286, &(0x7f0000000240)) mkdir(&(0x7f0000000180)='./file0\x00', 0x40) getsockopt$inet_int(r0, 0x0, 0x1f, &(0x7f0000000040), &(0x7f00000000c0)=0x4) ioctl$BLKRESETZONE(r0, 0x40101283, &(0x7f0000000140)={0x100000001, 0x1}) mount(&(0x7f0000000080)=ANY=[@ANYBLOB="5b64fc1a2ab9d5eb5374e17bc5720cd59776730ef88bbe21000000000000000000000000000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 353.607359][ T1496] binder: BINDER_SET_CONTEXT_MGR already set [ 353.671594][ T1505] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 353.671604][ T5] binder: release 1286:1302 transaction 1223 out, still active [ 353.671609][ T1505] binder_alloc: 1286: binder_alloc_buf, no vma [ 353.671639][ T1505] binder: 1495:1505 transaction failed 29189/-3, size 24-8 line 3147 [ 353.679848][ T1496] binder: 1495:1496 ioctl 40046207 0 returned -16 [ 353.688355][ T1504] ceph: device name is missing path (no : separator in [dü*¹ÕëStá{År Õ—vsø‹¾!) 15:42:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000440)='/proc/capi/capi20\x00', 0x1, 0x0) bind$vsock_stream(r2, &(0x7f0000000480)={0x28, 0x0, 0x2711, @hyper}, 0x10) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r5 = pkey_alloc(0x0, 0x1) pkey_mprotect(&(0x7f0000018000/0x3000)=nil, 0x3000, 0x0, r5) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x2], 0x1f000}) ioctl$TIOCGSID(r3, 0x5429, &(0x7f0000000000)=0x0) perf_event_open(&(0x7f00000002c0)={0x0, 0x70, 0x5, 0x56b, 0x1ff, 0x641, 0x0, 0x8000, 0x290, 0x4, 0x7f, 0xfb33, 0x3, 0x3, 0xff, 0x2, 0x6, 0x40, 0x2c9, 0x9, 0x19b880d5, 0x7fffffff, 0x8, 0x2, 0xffffffffffffff5a, 0x5, 0x6, 0x100, 0x3, 0x8001, 0x8000000, 0x7, 0x81, 0x1, 0x0, 0x94f7, 0x4, 0x0, 0x0, 0x3, 0x6, @perf_config_ext={0x0, 0x4}, 0x400, 0x8, 0x6e, 0xf, 0xb919, 0x7, 0x8}, r6, 0xd, r3, 0x2) ioctl$SNDRV_CTL_IOCTL_HWDEP_INFO(r3, 0x80dc5521, &(0x7f0000000340)=""/229) ioctl$KVM_RUN(r4, 0xae80, 0x0) getsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f0000000080)=@assoc_value, &(0x7f0000000140)=0x8) [ 353.695312][ T5] binder_release_work: 27 callbacks suppressed [ 353.695319][ T5] binder: undelivered TRANSACTION_COMPLETE [ 353.761030][ T1511] binder: BINDER_SET_CONTEXT_MGR already set [ 353.782451][ T1511] binder: 1510:1511 ioctl 40046207 0 returned -16 [ 353.806823][ T1511] binder_alloc: 1286: binder_alloc_buf, no vma [ 353.826185][ T5] binder: send failed reply for transaction 1223, target dead [ 353.836056][ T1496] binder: 1495:1496 transaction failed 29189/-22, size 24-0 line 2994 [ 353.838225][ T1511] binder: 1510:1511 transaction failed 29189/-3, size 0-0 line 3147 [ 353.890283][ T1505] binder_alloc_mmap_handler: 4 callbacks suppressed [ 353.890309][ T1505] binder_alloc: binder_alloc_mmap_handler: 1495 20001000-20004000 already mapped failed -16 [ 353.912166][ T1505] binder_alloc: 1495: binder_alloc_buf, no vma 15:42:06 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x1f, 0x800) setsockopt$inet_sctp_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f0000000080)=0x9, 0x4) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:06 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0x4, 0x4c00) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000011000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:06 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 353.942861][ T1505] binder: 1495:1505 transaction failed 29189/-3, size 24-8 line 3147 [ 353.967437][ T1496] binder_alloc: 1495: binder_alloc_buf, no vma 15:42:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x100000000000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x300, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 354.177131][ T1748] binder_alloc: binder_alloc_mmap_handler: 1746 20001000-20004000 already mapped failed -16 [ 354.219590][ T1750] binder: BINDER_SET_CONTEXT_MGR already set [ 354.237159][ T1750] binder: 1749:1750 ioctl 40046207 0 returned -16 [ 354.245821][ T1747] binder: BINDER_SET_CONTEXT_MGR already set [ 354.253721][ T1747] binder: 1746:1747 ioctl 40046207 0 returned -16 [ 354.264349][ T1751] binder_alloc: 1746: binder_alloc_buf, no vma [ 354.277121][ T5] binder: release 1746:1747 transaction 1231 out, still active [ 354.288939][ T5] binder: unexpected work type, 4, not freed 15:42:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x200000000000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:07 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 354.315604][ T5] binder: undelivered TRANSACTION_COMPLETE [ 354.358204][ T5] binder: undelivered TRANSACTION_COMPLETE [ 354.394270][ T1881] binder: BINDER_SET_CONTEXT_MGR already set [ 354.421294][ T5] binder: send failed reply for transaction 1231, target dead [ 354.432471][ T1881] binder: 1872:1881 ioctl 40046207 0 returned -16 [ 354.451816][ T5] binder: undelivered transaction 1234, process died. 15:42:07 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) openat$tun(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 354.471106][ T1956] binder_alloc: binder_alloc_mmap_handler: 1872 20001000-20004000 already mapped failed -16 15:42:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$capi20(r2, &(0x7f0000000340)={0x10, 0x3f, 0x86, 0x83, 0x80, 0x101}, 0x10) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4068aea3, &(0x7f0000000380)={0x7b, 0x0, [0x7, 0x200, 0x8, 0x1ff]}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000500)={0x0}, &(0x7f00000004c0)=0xc) write$cgroup_pid(r2, &(0x7f0000000480)=r4, 0x12) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r2, 0xc00c642e, &(0x7f0000000000)={0x0, 0x0, r2}) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r2, 0xc00c642d, &(0x7f0000000080)={r5, 0x80000, r1}) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4068aea3, &(0x7f00000002c0)={0x7b, 0x0, [0xffffffffffff8000, 0x7ff, 0x4]}) pkey_mprotect(&(0x7f000010e000/0x3000)=nil, 0x3000, 0x0, 0xffffffffffffffff) madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x8) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x500, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 354.540936][ T1971] binder_alloc: 1872: binder_alloc_buf, no vma [ 354.615758][ T1881] binder_alloc: 1872: binder_alloc_buf, no vma 15:42:07 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:07 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = add_key$user(&(0x7f0000000080)='user\x00', &(0x7f0000000140)={'syz', 0x1}, &(0x7f00000002c0), 0x0, 0xfffffffffffffffe) keyctl$assume_authority(0x10, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$VIDIOC_SUBDEV_G_EDID(r3, 0xc0245628, &(0x7f0000000040)={0x0, 0x8, 0x5, [], &(0x7f0000000000)=0x8}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1800000000000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 354.890193][ T2158] binder: BINDER_SET_CONTEXT_MGR already set 15:42:07 executing program 1: mkdir(&(0x7f0000000180)='./file0\x00', 0x20) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x8, 0x101000) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vga_arbiter\x00', 0x420ff, 0x0) linkat(r0, &(0x7f0000000080)='./file0\x00', r1, &(0x7f0000000140)='./file0\x00', 0x1000) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x600, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 354.945877][ T2158] binder: 2122:2158 ioctl 40046207 0 returned -16 15:42:07 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 355.011496][ T2597] binder: send failed reply for transaction 1242 to 1978:1979 [ 355.034214][ T2194] binder_alloc: binder_alloc_mmap_handler: 2122 20001000-20004000 already mapped failed -16 [ 355.065646][ T2597] binder: send failed reply for transaction 1243 to 2122:2194 [ 355.096723][ T2202] binder_alloc: 2122: binder_alloc_buf, no vma [ 355.113015][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:08 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) stat(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)) getresuid(&(0x7f0000000140), &(0x7f00000002c0)=0x0, &(0x7f0000000300)) stat(&(0x7f0000000340)='./file0\x00', &(0x7f0000000380)) getresgid(&(0x7f0000000640), &(0x7f0000000540)=0x0, &(0x7f0000000600)) fchownat(r2, 0x0, r3, r4, 0xffffffffffffffff) ioctl$VIDIOC_ENUMOUTPUT(r2, 0xc0485630, &(0x7f00000004c0)={0xfffffffffffffff8, "5fd36f7894c3bf5658f5076955e20f728b6e9188ac867dac9eba32378d77ab0b", 0x2, 0x3, 0x10001, 0x3a0000, 0x8}) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 355.138278][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xfdfdffff00000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_SET_BPF(r2, 0x40042408, r2) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 355.276792][ T2286] binder: BINDER_SET_CONTEXT_MGR already set 15:42:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x700, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 355.322578][ T2286] binder: 2278:2286 ioctl 40046207 0 returned -16 [ 355.353265][ T2286] binder_alloc: 2208: binder_alloc_buf, no vma [ 355.355189][ T7756] binder: send failed reply for transaction 1250 to 2208:2209 [ 355.405858][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 355.419141][ T2319] binder_alloc: binder_alloc_mmap_handler: 2278 20001000-20004000 already mapped failed -16 15:42:08 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 355.468308][ T2286] binder: BINDER_SET_CONTEXT_MGR already set 15:42:08 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) prctl$PR_SET_FP_MODE(0x2d, 0x2) r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x4a0600, 0x0) recvmmsg(r0, &(0x7f0000007600)=[{{&(0x7f0000000080)=@nfc_llcp, 0x80, &(0x7f0000000180)=[{&(0x7f0000000140)=""/63, 0x3f}, {&(0x7f0000000380)=""/4096, 0x1000}, {&(0x7f0000000240)=""/168, 0xa8}], 0x3, &(0x7f0000001380)=""/93, 0x5d}, 0x80}, {{&(0x7f0000001400)=@alg, 0x80, &(0x7f0000001a40)=[{&(0x7f0000001480)=""/66, 0x42}, {&(0x7f0000001500)=""/105, 0x69}, {&(0x7f0000001580)=""/128, 0x80}, {&(0x7f0000001600)=""/121, 0x79}, {&(0x7f0000001680)=""/71, 0x47}, {&(0x7f0000001700)=""/122, 0x7a}, {&(0x7f0000001780)=""/242, 0xf2}, {&(0x7f0000001880)=""/231, 0xe7}, {&(0x7f0000001980)=""/155, 0x9b}], 0x9, &(0x7f0000001ac0)=""/4096, 0x1000}, 0x1ff}, {{0x0, 0x0, &(0x7f0000002bc0)=[{&(0x7f00000001c0)=""/12, 0xc}, {&(0x7f0000002ac0)=""/79, 0x4f}, {&(0x7f0000002b40)=""/89, 0x59}, {&(0x7f0000000300)=""/51, 0x33}], 0x4, &(0x7f0000002c00)=""/121, 0x79}, 0xffffffff}, {{&(0x7f0000002c80)=@alg, 0x80, &(0x7f0000002d00)}}, {{&(0x7f0000002d40)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, 0x80, &(0x7f0000004000)=[{&(0x7f0000002dc0)=""/178, 0xb2}, {&(0x7f0000002e80)=""/47, 0x2f}, {&(0x7f0000002ec0)=""/4096, 0x1000}, {&(0x7f0000003ec0)=""/180, 0xb4}, {&(0x7f0000003f80)=""/17, 0x11}, {&(0x7f0000003fc0)=""/14, 0xe}], 0x6, &(0x7f0000004040)=""/44, 0x2c}, 0x1b}, {{&(0x7f0000004080)=@in6={0xa, 0x0, 0x0, @mcast2}, 0x80, &(0x7f00000043c0)=[{&(0x7f0000004100)=""/231, 0xe7}, {&(0x7f0000004200)=""/221, 0xdd}, {&(0x7f0000004300)=""/18, 0x12}, {&(0x7f0000004340)=""/92, 0x5c}], 0x4, &(0x7f0000004400)=""/170, 0xaa}, 0x8}, {{&(0x7f00000044c0)=@pptp={0x18, 0x2, {0x0, @multicast2}}, 0x80, &(0x7f00000069c0)=[{&(0x7f0000004540)=""/226, 0xe2}, {&(0x7f0000004640)=""/179, 0xb3}, {&(0x7f0000004700)=""/31, 0x1f}, {&(0x7f0000004740)=""/4096, 0x1000}, {&(0x7f0000005740)=""/120, 0x78}, {&(0x7f00000057c0)=""/4096, 0x1000}, {&(0x7f00000067c0)=""/175, 0xaf}, {&(0x7f0000006880)=""/182, 0xb6}, {&(0x7f0000006940)=""/122, 0x7a}], 0x9}, 0x6}, {{&(0x7f0000006a40)=@alg, 0x80, &(0x7f0000006bc0)=[{&(0x7f0000006ac0)=""/113, 0x71}, {&(0x7f0000006b40)=""/112, 0x70}], 0x2, &(0x7f0000006c00)=""/201, 0xc9}, 0x6}, {{&(0x7f0000006d00)=@rc, 0x80, &(0x7f00000073c0)=[{&(0x7f0000006d80)=""/197, 0xc5}, {&(0x7f0000006e80)=""/9, 0x9}, {&(0x7f0000006ec0)=""/141, 0x8d}, {&(0x7f0000006f80)=""/204, 0xcc}, {&(0x7f0000007080)=""/169, 0xa9}, {&(0x7f0000007140)=""/48, 0x30}, {&(0x7f0000007180)=""/221, 0xdd}, {&(0x7f0000007280)=""/247, 0xf7}, {&(0x7f0000007380)=""/21, 0x15}], 0x9, &(0x7f0000007440)=""/81, 0x51}, 0x6}, {{&(0x7f00000074c0)=@pptp={0x18, 0x2, {0x0, @broadcast}}, 0x80, &(0x7f00000075c0)=[{&(0x7f0000007540)=""/119, 0x77}], 0x1}, 0x3}], 0xa, 0x40000140, 0x0) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="1281245ee83a2f7c077b39ec"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:08 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f00000002c0)={0x4000000000000, 0x0, 0x0, 0x1000, &(0x7f0000014000/0x1000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000080)={0x1000, 0x2000}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x3, 0x1, 0x100000, 0x1000, &(0x7f000000f000/0x1000)=nil}) [ 355.529391][ T2286] binder: 2278:2286 ioctl 40046207 0 returned -16 [ 355.599522][ T5] binder: undelivered TRANSACTION_COMPLETE [ 355.621864][ T2544] libceph: resolve '$^è' (ret=-3): failed [ 355.631730][ T2544] libceph: parse_ips bad ip '$^è' 15:42:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 355.644216][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2fc8, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:08 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 355.816657][ T2739] binder: BINDER_SET_CONTEXT_MGR already set 15:42:08 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = syz_open_dev$swradio(&(0x7f0000000240)='/dev/swradio#\x00', 0x1, 0x2) setsockopt$packet_rx_ring(r0, 0x107, 0x5, &(0x7f0000000280)=@req3={0xb6, 0xce5, 0x0, 0xfffffffffffffe44, 0x2, 0x8, 0x10001}, 0x1c) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x0, 0x0) r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000180)='/dev/mixer\x00', 0x1, 0x0) write$USERIO_CMD_SEND_INTERRUPT(r1, &(0x7f00000001c0)={0x2, 0x5}, 0x2) perf_event_open$cgroup(&(0x7f0000000080)={0x7, 0x70, 0x6, 0x5, 0x401, 0x7, 0x0, 0x4, 0x8014, 0x1, 0x101, 0x7, 0x100, 0x71df, 0x0, 0x1000, 0xff, 0x9, 0x7fffffff, 0x9, 0xcf80000000000000, 0x3ff, 0x3, 0xfffffffffffffffa, 0x0, 0x8, 0x5, 0x4, 0x4b, 0x0, 0x80000000, 0xffffffff, 0x7f, 0x6, 0x0, 0xe, 0x82, 0xfb65, 0x0, 0x4, 0x86c8ee8baedf1db7, @perf_bp={&(0x7f0000000000), 0x2}, 0x2, 0x4, 0x1, 0x0, 0x3, 0x8000, 0x20}, r1, 0x3, r2, 0x5) [ 355.867638][ T2739] binder: 2626:2739 ioctl 40046207 0 returned -16 15:42:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$IOC_PR_PREEMPT(r2, 0x401870cb, &(0x7f0000000000)={0x1, 0x100000001, 0x6, 0x9}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 355.916805][ T5] binder: undelivered TRANSACTION_COMPLETE [ 355.954762][ T2767] binder_alloc: binder_alloc_mmap_handler: 2626 20001000-20004000 already mapped failed -16 [ 356.018795][ T2783] binder_alloc: 2626: binder_alloc_buf, no vma [ 356.029248][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2fe0, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 356.140939][ T2878] binder: BINDER_SET_CONTEXT_MGR already set [ 356.168823][ T2878] binder: 2871:2878 ioctl 40046207 0 returned -16 15:42:09 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$VT_GETMODE(r2, 0x5601, &(0x7f0000000000)) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4800, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:09 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 356.196699][ T2978] binder_alloc: binder_alloc_mmap_handler: 2871 20001000-20004000 already mapped failed -16 15:42:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0xffffffffffffeffd, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x284000, 0x0) write$P9_RCLUNK(r1, &(0x7f00000000c0)={0x7, 0x79, 0x2}, 0x7) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xfffffffffffffffe, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x3ffffffffffc, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:09 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) chroot(&(0x7f0000000000)='./file0\x00') clone(0x2102001bf9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7800, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x301100, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 356.432132][ T3134] binder_alloc: binder_alloc_mmap_handler: 3125 20001000-20004000 already mapped failed -16 [ 356.493711][ T3143] binder: BINDER_SET_CONTEXT_MGR already set [ 356.527474][ T3126] binder: BINDER_SET_CONTEXT_MGR already set 15:42:09 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 356.544541][ T3143] binder: 3138:3143 ioctl 40046207 0 returned -16 [ 356.560247][ T3126] binder: 3125:3126 ioctl 40046207 0 returned -16 15:42:09 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) fdatasync(r3) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) setsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000000), 0x4) r4 = syz_genetlink_get_family_id$tipc(&(0x7f00000002c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_MEDIA_NAMES(r2, &(0x7f0000000380)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x90001000}, 0xc, &(0x7f0000000340)={&(0x7f0000000300)={0x1c, r4, 0x400, 0x70bd25, 0x25dfdbfc, {}, ["", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x44080}, 0x4000) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r2, 0xc0505350, &(0x7f0000000040)={{0x0, 0xffffffffffffffff}, {0x1, 0x7f}, 0x6, 0x6, 0x7}) 15:42:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x20000498, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 356.788900][ T3345] binder_alloc: binder_alloc_mmap_handler: 3330 20001000-20004000 already mapped failed -16 [ 356.833050][ T3331] binder: BINDER_SET_CONTEXT_MGR already set [ 356.839929][ T3331] binder: 3330:3331 ioctl 40046207 0 returned -16 15:42:09 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x8a020200, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:09 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$BLKGETSIZE(r2, 0x1260, &(0x7f0000000000)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 356.947263][ T3405] binder: BINDER_SET_CONTEXT_MGR already set [ 356.979622][ T3407] binder_transaction: 17 callbacks suppressed [ 356.979640][ T3407] binder: 3330:3407 transaction failed 29189/-3, size 24-8 line 3147 15:42:09 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 357.001777][ T3405] binder: 3404:3405 ioctl 40046207 0 returned -16 15:42:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x2, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 357.136887][ T3524] binder: 3523:3524 got transaction with invalid offsets ptr 15:42:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6800, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 357.180551][ T3524] binder: 3523:3524 transaction failed 29201/-14, size 24-2 line 3193 15:42:10 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 357.231124][ T3527] binder_alloc: binder_alloc_mmap_handler: 3523 20001000-20004000 already mapped failed -16 [ 357.257337][ T3556] binder: BINDER_SET_CONTEXT_MGR already set 15:42:10 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) r3 = add_key(&(0x7f0000000000)='cifs.idmap\x00', &(0x7f0000000040)={'syz', 0x2}, &(0x7f00000002c0)="a83dea0be32cdc1454e2e5b54c4ead0948682e9dd8d023f459ecad8a8933411554eb1cd4b8184db9c205c362d3ee590ff2f7cb8026eddda62bc5e64381b761372ddf61b0bd57f4d83dab5bd9e3aa686b397f2f1b15fa4aeb71033c98831efa57351acb4f6587f066e658db0988d27e794de287dceb89f61f2c25a50331e5ff010183da9dffe87d4dfb2c510b6af3c5635a4fc81af01db2f1429f0b2baa1d433510f7ec394a3bbef350e56ca4f4eecbb91066dd27b31d56c68ed6b9", 0xbb, 0xffffffffffffffff) keyctl$get_security(0x11, r3, &(0x7f0000000380)=""/231, 0xe7) [ 357.310203][ T3556] binder: 3553:3556 ioctl 40046207 0 returned -16 [ 357.323116][ T3635] binder: 3523:3635 transaction failed 29189/-3, size 24-8 line 3147 [ 357.338817][ T3524] binder: BINDER_SET_CONTEXT_MGR already set 15:42:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x14d100, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:10 executing program 1: mkdir(&(0x7f0000000080)='./file0\x00', 0x0) chmod(&(0x7f0000000000)='./file0\x00', 0x104) r0 = creat(&(0x7f0000000140)='./file0\x00', 0x42) setns(r0, 0x20000000) ioctl$SNDRV_TIMER_IOCTL_GINFO(r0, 0xc0e05403, &(0x7f0000000240)={{0xffffffffffffffff, 0x0, 0x3ff, 0x0, 0x3}, 0x3, 0x7ff, 'id0\x00', 'timer1\x00', 0x0, 0x9, 0x1, 0x2, 0x40}) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r1 = syz_genetlink_get_family_id$net_dm(&(0x7f0000000180)='NET_DM\x00') sendmsg$NET_DM_CMD_START(r0, &(0x7f0000000380)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x8000008}, 0xc, &(0x7f0000000340)={&(0x7f00000001c0)={0x14, r1, 0x311, 0x70bd29, 0x25dfdbfe, {}, ["", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4004000}, 0x8000) [ 357.399542][ T3524] binder: 3523:3524 ioctl 40046207 0 returned -16 [ 357.399565][ T17] binder: release 3523:3524 transaction 1289 out, still active [ 357.406200][ T3527] binder: 3523:3527 transaction failed 29189/-3, size 24-2 line 3147 [ 357.428089][ T17] binder: unexpected work type, 4, not freed 15:42:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x18, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 357.474585][ T17] binder_release_work: 37 callbacks suppressed [ 357.474592][ T17] binder: undelivered TRANSACTION_ERROR: 29201 15:42:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) sched_yield() ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 357.553243][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 357.566560][ T3762] binder: BINDER_SET_CONTEXT_MGR already set [ 357.577238][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 357.637976][ T3773] binder: BINDER_SET_CONTEXT_MGR already set [ 357.645057][ T3762] binder: 3759:3762 ioctl 40046207 0 returned -16 [ 357.675020][ T3813] binder: 3759:3813 transaction failed 29189/-22, size 24-24 line 2994 15:42:10 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 357.675056][ T17] binder: send failed reply for transaction 1289, target dead [ 357.692025][ T3773] binder: 3768:3773 ioctl 40046207 0 returned -16 [ 357.710534][ T3796] binder: 3759:3796 transaction failed 29189/-22, size 24-8 line 2994 15:42:10 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) lgetxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)=@known='system.posix_acl_default\x00', &(0x7f0000000140)=""/136, 0x88) [ 357.815511][ T3796] binder: 3759:3796 transaction failed 29189/-3, size 24-8 line 3147 [ 357.860392][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 357.869428][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:10 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0xf7ffffffffefff7c, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7400, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 357.901400][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x1800, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 358.052233][ T4099] binder: BINDER_SET_CONTEXT_MGR already set [ 358.064822][ T4099] binder: 4085:4099 ioctl 40046207 0 returned -16 15:42:11 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2, 0x0) [ 358.106902][ T4099] binder: 4085:4099 transaction failed 29201/-28, size 24-6144 line 3147 15:42:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:11 executing program 5: r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x9, 0x40) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 358.182905][ T5] binder_send_failed_reply: 9 callbacks suppressed [ 358.182915][ T5] binder: send failed reply for transaction 1300 to 3986:3987 [ 358.228421][ T4197] binder: 4085:4197 transaction failed 29189/-3, size 24-8 line 3147 [ 358.230765][ T4201] binder: BINDER_SET_CONTEXT_MGR already set [ 358.247492][ T5] binder: send failed reply for transaction 1301 to 4085:4192 15:42:11 executing program 1: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x4000, 0x0) recvmsg(r0, &(0x7f00000000c0)={&(0x7f0000000140)=@xdp, 0x80, &(0x7f00000001c0)=[{&(0x7f00000000c0), 0x275}], 0x1, &(0x7f0000000240)=""/254, 0xffffffffffffff48}, 0x10102) clone(0x80000800, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:11 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3, 0x0) [ 358.274317][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 358.281471][ T4201] binder: 4198:4201 ioctl 40046207 0 returned -16 [ 358.303251][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 358.312129][ T5] binder: undelivered TRANSACTION_ERROR: 29201 [ 358.342778][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x1000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x1000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 358.491622][ T4322] binder: 4321:4322 transaction failed 29201/-28, size 24-16777216 line 3147 [ 358.529768][ T4324] binder: BINDER_SET_CONTEXT_MGR already set 15:42:11 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm-monitor\x00', 0x8c002, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f000000f000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x155559d7, 0xffffffe, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$inet_tcp_TCP_REPAIR(r1, 0x6, 0x13, &(0x7f0000000400), 0x4) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f00000002c0)={0x0, 0x80000000, 0x30}, &(0x7f0000000300)=0xc) setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r1, 0x84, 0x5, &(0x7f0000000340)={r3, @in={{0x2, 0x4e20, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x84) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x40083, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) lsetxattr$security_smack_transmute(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000080)='TRUE', 0x4, 0x1) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x4cd, 0x0, 0x0, 0x0, 0x0, 0x2000002, 0x0, 0x0, 0x2], 0x1f000, 0x10000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 358.538701][ T4324] binder: 4323:4324 ioctl 40046207 0 returned -16 15:42:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) prctl$PR_GET_SECCOMP(0x15) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 358.568194][ T5] binder: release 4321:4322 transaction 1308 out, still active [ 358.588216][ T5] binder: unexpected work type, 4, not freed [ 358.611019][ T5] binder: send failed reply for transaction 1308, target dead 15:42:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x2000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 358.676007][ T5] binder: send failed reply for transaction 1312 to 4323:4324 15:42:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:11 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4, 0x0) [ 358.724913][ T5] binder_release_work: 9 callbacks suppressed [ 358.724920][ T5] binder: undelivered TRANSACTION_COMPLETE [ 358.755559][ T4455] binder: BINDER_SET_CONTEXT_MGR already set [ 358.791394][ T4481] binder_alloc_new_buf_locked: 8 callbacks suppressed [ 358.791402][ T4481] binder_alloc: 4452: binder_alloc_buf, no vma 15:42:11 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) uselib(&(0x7f0000000140)='./file0\x00') mount(&(0x7f0000000240)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c623a003cb589a2701ddceaa8e96eb7405d753761b171bc70cdb3e7212a58bec2aa6efae1f322e23d30a357c1b5ab9550a7eb5f22f7fe975cee00d1bc582da18dad595ee2ea6527f57cf570dc1108d2fe02dd5933252f3d063bb0a12f35e83a7dd411efa9e41911106c2d10157e29eb9597e9b1bf5872b06846f95eef83e1443ea3eda5ab8b8484d7c24ef7842ce15801f511a888325d3a3006ad7c0f03000000d2840193e32cb5f74b24d88a7130f7df26bebbb54ecd73a9ef354f15ac7c4ee7f20644ed"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 358.870308][ T17] binder: release 4452:4455 transaction 1315 out, still active [ 358.879553][ T4455] binder: 4452:4455 ioctl 40046207 0 returned -16 [ 358.889487][ T17] binder: unexpected work type, 4, not freed 15:42:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x18000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:11 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x1, 0x0) inotify_add_watch(r2, &(0x7f0000000040)='./file0\x00', 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 358.911086][ T17] binder: undelivered TRANSACTION_COMPLETE [ 358.940669][ T17] binder: send failed reply for transaction 1315, target dead [ 359.090573][ T4566] binder: BINDER_SET_CONTEXT_MGR already set [ 359.109379][ T4566] binder: 4552:4566 ioctl 40046207 0 returned -16 [ 359.124797][ T4601] binder_alloc_mmap_handler: 4 callbacks suppressed [ 359.124815][ T4601] binder_alloc: binder_alloc_mmap_handler: 4552 20001000-20004000 already mapped failed -16 [ 359.151159][ T4566] binder: BINDER_SET_CONTEXT_MGR already set [ 359.157697][ T4566] binder: 4552:4566 ioctl 40046207 0 returned -16 [ 359.170435][ T17] binder: release 4552:4566 transaction 1322 out, still active [ 359.181270][ T17] binder: unexpected work type, 4, not freed 15:42:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0xfdfdffff, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 359.201392][ T17] binder: undelivered TRANSACTION_COMPLETE [ 359.222269][ T17] binder: release 4552:4601 transaction 1326 out, still active 15:42:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x3000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:12 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x5, 0x0) 15:42:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$KVM_CHECK_EXTENSION(r0, 0xae03, 0x7ff) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x400001, 0x0) ioctl$CAPI_NCCI_GETUNIT(r2, 0x80044327, &(0x7f0000000340)=0x100000000) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) openat$fuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/fuse\x00', 0x2, 0x0) ioctl$TIOCGPTPEER(r3, 0x5441, 0x86c8) getpeername$unix(r3, &(0x7f00000002c0)=@abs, &(0x7f0000000080)=0x6e) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 359.267458][ T17] binder: unexpected work type, 4, not freed [ 359.291265][ T17] binder: undelivered TRANSACTION_COMPLETE [ 359.300593][ T4667] binder: BINDER_SET_CONTEXT_MGR already set [ 359.347726][ T17] binder: send failed reply for transaction 1321 to 4544:4546 [ 359.358966][ T4667] binder: 4666:4667 ioctl 40046207 0 returned -16 [ 359.379602][ T17] binder: send failed reply for transaction 1322, target dead [ 359.411351][ T4693] binder_alloc: binder_alloc_mmap_handler: 4666 20001000-20004000 already mapped failed -16 [ 359.429769][ T17] binder: send failed reply for transaction 1326, target dead [ 359.447845][ T17] binder: undelivered TRANSACTION_COMPLETE [ 359.458470][ T4738] binder: BINDER_SET_CONTEXT_MGR already set 15:42:12 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) lsetxattr$trusted_overlay_opaque(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='trusted.overlay.opaque\x00', &(0x7f00000000c0)='y\x00', 0x2, 0x1) [ 359.491801][ T4738] binder: 4666:4738 ioctl 40046207 0 returned -16 15:42:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0xfffffdfd, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 359.547727][ T17] binder: release 4666:4693 transaction 1331 out, still active [ 359.578373][ T17] binder: unexpected work type, 4, not freed 15:42:12 executing program 0: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000440)='/dev/nullb0\x00', 0x2000, 0x0) r1 = dup(r0) ioctl$CAPI_GET_FLAGS(r1, 0x80044323, &(0x7f0000000780)) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000480)='/proc/capi/capi20ncci\x00', 0x14800, 0x0) r3 = socket$inet_smc(0x2b, 0x1, 0x0) r4 = syz_open_dev$dmmidi(&(0x7f00000004c0)='/dev/dmmidi#\x00', 0x1, 0x8000) r5 = dup3(r4, r3, 0x80000) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r4, 0x84, 0x1f, &(0x7f0000000580)={0x0, @in={{0x2, 0x4e22, @broadcast}}, 0x7, 0x6}, &(0x7f0000000640)=0x88) write$FUSE_NOTIFY_POLL(r2, &(0x7f0000000740)={0x18, 0x1, 0x0, {0x5}}, 0x18) getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f00000006c0)={r6, 0x20, &(0x7f0000000680)=[@in={0x2, 0x4e22, @local}, @in={0x2, 0x4e22, @rand_addr=0x9}]}, &(0x7f0000000700)=0xc) ioctl$SG_GET_ACCESS_COUNT(r5, 0x2289, &(0x7f0000000400)) ioctl$VHOST_SET_LOG_BASE(r4, 0x4008af04, &(0x7f0000000540)=&(0x7f0000000500)) r7 = openat$capi20(0xffffffffffffff9c, &(0x7f0000000000)='/dev/capi20\x00', 0x800, 0x0) ioctl$FS_IOC_FSSETXATTR(r7, 0x401c5820, &(0x7f0000000040)={0x7fd00b3f, 0x830, 0x6c, 0x1, 0x1}) r8 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x40a00, 0x0) r9 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/capi/capi20\x00', 0x2, 0x0) ioctl$UFFDIO_REGISTER(r9, 0xc020aa00, &(0x7f00000002c0)={{&(0x7f0000018000/0x2000)=nil, 0x2000}, 0x3}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r10 = ioctl$KVM_CREATE_VM(r8, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r11 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r12 = ioctl$KVM_CREATE_VCPU(r10, 0xae41, 0x0) ioctl$KVM_S390_INTERRUPT_CPU(r11, 0x4010ae94, &(0x7f0000000080)={0x7ff, 0x8, 0x81}) setsockopt$inet6_tcp_TCP_MD5SIG(r11, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x4e20, 0x80000001, @mcast2, 0xfffffffffffffffa}}, 0x0, 0x22a9, 0x0, "9b58a5f807b1c0f706ad20c108a508765bab871aeb9847d30a9dc14829ff246207ca6581627810d04d4c30a840e607251244d69fa0c8ac4adf7ab7ba201f18cfd8044855294875097f549070e03f62de"}, 0xd8) ioctl$KVM_SET_USER_MEMORY_REGION(r10, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r12, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r12, 0xae80, 0x0) [ 359.611238][ T17] binder: undelivered TRANSACTION_COMPLETE [ 359.635988][ T17] binder: send failed reply for transaction 1330 to 4718:4725 15:42:12 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x6, 0x0) [ 359.669778][ T4898] binder: BINDER_SET_CONTEXT_MGR already set [ 359.682564][ T17] binder: send failed reply for transaction 1331, target dead [ 359.702131][ T4898] binder: 4891:4898 ioctl 40046207 0 returned -16 [ 359.719252][ T17] binder: undelivered TRANSACTION_COMPLETE [ 359.745249][ T5020] binder_alloc: binder_alloc_mmap_handler: 4891 20001000-20004000 already mapped failed -16 15:42:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x5000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x46a440, 0x0) r3 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000300)='/proc/capi/capi20ncci\x00', 0x200, 0x0) ioctl$TIOCGPGRP(r3, 0x540f, &(0x7f0000000140)=0x0) r5 = mmap$binder(&(0x7f000001d000/0x4000)=nil, 0x4000, 0x2000000, 0x10, r2, 0x0) r6 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000680)='IPVS\x00') sendmsg$IPVS_CMD_GET_INFO(r2, &(0x7f00000007c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000780)={&(0x7f00000006c0)={0x88, r6, 0x10, 0x70bd2c, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0xa000000000000}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x3}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x200}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x7f}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x6}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x2}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}]}, @IPVS_CMD_ATTR_DEST={0x14, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x8000}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}]}, @IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_AF={0x8, 0x1, 0x2}]}]}, 0x88}, 0x1, 0x0, 0x0, 0x44040}, 0x40) r7 = mmap$binder(&(0x7f0000008000/0x3000)=nil, 0x3000, 0x0, 0x10010, r2, 0x0) r8 = mmap$binder(&(0x7f0000018000/0x1000)=nil, 0x1000, 0x2, 0x28030, r2, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000640)={0xe8, 0x0, &(0x7f0000000480)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000000), &(0x7f0000000080)=[0x38]}, 0xfffffffffffffe01}}, @transaction_sg={0x40486311, {{0x4, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x30, 0x8, &(0x7f0000000340)=[@flat={0x77682a85, 0x100, r5, 0x3}, @flat={0x77682a85, 0xb, r7, 0x1}], &(0x7f0000000380)=[0x20]}, 0x40}}, @exit_looper, @reply_sg={0x40486312, {{0x4, 0x0, 0x2, 0x0, 0x10, 0x0, 0x0, 0x50, 0x30, &(0x7f00000003c0)=[@fd={0x66642a85, 0x0, r2}, @flat={0x77622a85, 0xa, r8, 0x1}, @fda={0x66646185, 0x1, 0x1, 0x1c}], &(0x7f0000000440)=[0x78, 0x18, 0x78, 0x38, 0x68, 0x0]}, 0x2}}], 0xb6, 0x0, &(0x7f0000000580)="ba92e758cb882bd52dec03369169efeb92b82c4be38d63bf1818261d697078350021198058b36a480d1326c09e5845dbdd69d16a226d581d5a1dc0fc8651f61bbcc78422501618d88e8d7e83350ac715ca6c3655c3ab179ee1c6bcc3e78d085b29e5f1fe3c7ebce653b841eb9f17d3197db5f52e17972ba25f5cd225a570801fa0f1eed9962393dec4dd1e1ed1a29af2e015d038a9993a979ee7b6ea0c058e93fac38e1a32963fcabfd4b4258af914c4fc7f66940c62"}) r9 = gettid() setpgid(r4, r9) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r10 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r10, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r10, 0xae80, 0x0) [ 359.825857][ T5] binder: release 4891:5020 transaction 1337 out, still active [ 359.834002][ T5] binder: unexpected work type, 4, not freed 15:42:12 executing program 1: r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x400, 0x0) ioctl$KVM_X86_SETUP_MCE(r0, 0x4008ae9c, &(0x7f0000000080)={0x9, 0x3, 0xb0d}) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) ioctl$VIDIOC_STREAMON(r0, 0x40045612, &(0x7f0000000040)=0x4) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000100)=ANY=[@ANYBLOB="5b643a3c5de574300d892307d9527f3a2f6c6c623a00"], &(0x7f00000000c0)='./file0\x00', &(0x7f0000000180)='anon_inodefs\x00', 0x240008, 0x0) [ 359.873854][ T5] binder: undelivered TRANSACTION_COMPLETE [ 359.905905][ T5] binder: send failed reply for transaction 1336 to 4893:4895 15:42:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x100000000000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:12 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7, 0x0) [ 359.979436][ T5] binder: send failed reply for transaction 1337, target dead [ 360.004049][ T5119] binder: BINDER_SET_CONTEXT_MGR already set [ 360.010846][ T5] binder: send failed reply for transaction 1341 to 4891:5020 [ 360.041895][ T5119] binder: 5118:5119 ioctl 40046207 0 returned -16 [ 360.042269][ T5] binder: undelivered TRANSACTION_COMPLETE [ 360.086467][ T5243] binder_alloc: binder_alloc_mmap_handler: 5118 20001000-20004000 already mapped failed -16 [ 360.100592][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:13 executing program 1: lsetxattr$trusted_overlay_origin(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)='trusted.overlay.origin\x00', &(0x7f0000000240)='y\x00', 0x2, 0x1) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102000ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = syz_open_pts(0xffffffffffffffff, 0x200) ioctl$TCSBRKP(r0, 0x5425, 0xa19) mount(&(0x7f0000000000)=ANY=[@ANYBLOB="880000005d3a2f6cba4a3a5d9e2a2a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/dlm-monitor\x00', 0x8000, 0x0) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000300)='TIPC\x00') sendmsg$TIPC_CMD_GET_REMOTE_MNG(r1, &(0x7f0000000400)={&(0x7f00000002c0), 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x1c, r2, 0x410, 0x70bd2d, 0x25dfdbff, {}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000000}, 0x40000) mount(&(0x7f0000000280)=ANY=[@ANYBLOB="2f6465762f6e756c6c621800e9561b4b3255d78c9f69e509f9b35ea8da0617f65bf94b2a553bf4ff46225a87e23477d2c4e3c50becc7b7078828b3faca"], &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='udf\x00', 0x0, &(0x7f0000000140)='ppp0{\x00') [ 360.139842][ T7756] binder: send failed reply for transaction 1345 to 5106:5110 [ 360.153671][ T5321] binder_alloc: 5118: binder_alloc_buf, no vma [ 360.158821][ T7756] binder: send failed reply for transaction 1346 to 5118:5243 15:42:13 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) fcntl$getownex(r2, 0x10, &(0x7f0000000000)={0x0, 0x0}) prlimit64(r3, 0x1, &(0x7f0000000040)={0x7, 0x3f}, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x200000000000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 360.251213][ T5352] ceph: device name is missing path (no : separator in ˆ) 15:42:13 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8, 0x0) 15:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 360.362083][ T7756] binder: send failed reply for transaction 1353 to 5323:5324 [ 360.409765][ T5538] binder_alloc: binder_alloc_mmap_handler: 5507 20001000-20004000 already mapped failed -16 15:42:13 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) getresuid(&(0x7f0000000240)=0x0, &(0x7f0000000280)=0x0, &(0x7f00000002c0)=0x0) getgroups(0x2, &(0x7f0000000300)=[0x0, 0x0]) getxattr(&(0x7f0000000640)='./file0\x00', &(0x7f0000000900)=ANY=[@ANYRES32=r0], &(0x7f00000006c0)=""/170, 0xaa) getgroups(0x7, &(0x7f0000000380)=[0xffffffffffffffff, 0xee00, 0x0, 0x0, 0x0, 0xee01, 0xffffffffffffffff]) fstat(0xffffffffffffff9c, &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000000440), &(0x7f0000000480)=0x0, &(0x7f00000004c0)) stat(&(0x7f0000000500)='./file0\x00', &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0}) setxattr$system_posix_acl(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='system.posix_acl_access\x00', &(0x7f0000000780)={{}, {0x1, 0x4}, [{0x2, 0x1, r0}, {0x2, 0x3, r2}, {0x2, 0x2, r6}, {0x2, 0x6, r0}, {0x2, 0x2, r6}, {0x2, 0x2, r9}, {0x2, 0x4, r1}, {0x2, 0x2, r0}, {0x2, 0x1, r6}, {0x2, 0x2, r0}], {0x4, 0x5}, [{0x8, 0x2, r3}, {0x8, 0x1, r5}, {0x8, 0x4, r7}, {0x8, 0x5, r8}, {0x8, 0x2, r4}], {0x10, 0x4}, {0x20, 0x1}}, 0x9c, 0x2) r10 = openat$dlm_control(0xffffffffffffff9c, &(0x7f00000005c0)='/dev/dlm-control\x00', 0x200, 0x0) r11 = ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82) ioctl$LOOP_CTL_REMOVE(r10, 0x4c81, r11) r12 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x800, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r12, 0x84, 0x64, &(0x7f0000000140)=[@in={0x2, 0x4e22, @local}, @in6={0xa, 0x4e22, 0x9, @loopback}, @in6={0xa, 0x4e20, 0x3, @local, 0x2}, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x12}}, @in={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x24}}, @in6={0xa, 0x4e20, 0x80, @ipv4={[], [], @multicast1}, 0x5}], 0x84) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 360.467465][ T5510] binder: BINDER_SET_CONTEXT_MGR already set [ 360.488883][ T5510] binder: 5507:5510 ioctl 40046207 0 returned -16 [ 360.494660][ T5542] binder: BINDER_SET_CONTEXT_MGR already set 15:42:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) clock_adjtime(0x1, &(0x7f00000002c0)={0x3000000000, 0x1000, 0x40, 0x1, 0x2, 0x5, 0x1, 0x100000001, 0x7, 0x100000000, 0x66, 0x4, 0x5, 0x6, 0x3, 0x3ff, 0x7ff, 0x4, 0x9, 0x8000, 0x1ff, 0x20, 0x1b15, 0x7ff, 0x0, 0x3}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$SNDRV_CTL_IOCTL_ELEM_REMOVE(r2, 0xc0405519, &(0x7f0000000080)={0x7, 0x7, 0x4, 0x6, '\x00', 0x9}) syz_open_dev$ndb(&(0x7f0000000000)='/dev/nbd#\x00', 0x0, 0x4000) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 360.529665][ T5542] binder: 5541:5542 ioctl 40046207 0 returned -16 [ 360.537137][ T5545] binder_alloc: 5507: binder_alloc_buf, no vma 15:42:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x1800000000000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:13 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa, 0x0) 15:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 360.697296][ T5658] binder_alloc: binder_alloc_mmap_handler: 5656 20001000-20004000 already mapped failed -16 [ 360.788860][ T5657] binder: BINDER_SET_CONTEXT_MGR already set [ 360.828525][ T5657] binder: 5656:5657 ioctl 40046207 0 returned -16 [ 360.836099][ T5693] binder: BINDER_SET_CONTEXT_MGR already set [ 360.851417][ T5693] binder: 5691:5693 ioctl 40046207 0 returned -16 [ 360.851730][ T5658] binder_alloc: 5656: binder_alloc_buf, no vma [ 360.865092][ T7756] binder: release 5656:5657 transaction 1362 out, still active [ 360.875013][ T7756] binder: unexpected work type, 4, not freed 15:42:13 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) write$P9_RLOCK(r2, &(0x7f0000000000)={0x8, 0x35, 0x1, 0x3}, 0x8) 15:42:13 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0xc0, 0x0) ioctl$KVM_SET_VAPIC_ADDR(r0, 0x4008ae93, &(0x7f0000000080)=0x100000) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 360.881987][ T7756] binder: send failed reply for transaction 1362, target dead [ 360.901979][ T5737] binder_alloc: 5656: binder_alloc_buf, no vma 15:42:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0xfdfdffff00000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x20000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x200, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:14 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca, 0x0) [ 361.088464][ T5889] binder_alloc: binder_alloc_mmap_handler: 5875 20001000-20004000 already mapped failed -16 15:42:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) syz_extract_tcp_res(&(0x7f0000000040), 0xffffffffffffffff, 0x80000001) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) getsockopt$bt_BT_POWER(r2, 0x112, 0x9, &(0x7f0000000080)=0x2, &(0x7f0000000140)=0x1) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x4) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_ASSIGN_SET_INTX_MASK(r1, 0x4040aea4, &(0x7f0000000000)={0x9b, 0x21f5, 0x81, 0x2, 0x200}) [ 361.155155][ T5892] binder: BINDER_SET_CONTEXT_MGR already set [ 361.168228][ T5892] binder: 5891:5892 ioctl 40046207 0 returned -16 [ 361.175008][ T5886] binder: BINDER_SET_CONTEXT_MGR already set [ 361.192002][ T5886] binder: 5875:5886 ioctl 40046207 0 returned -16 15:42:14 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0, 0x0) [ 361.200579][ T5892] binder_alloc: 5875: binder_alloc_buf, no vma [ 361.211846][ T5897] binder_alloc: 5875: binder_alloc_buf, no vma 15:42:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x2}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x48000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 361.423476][ T6102] binder_alloc: binder_alloc_mmap_handler: 6091 20001000-20004000 already mapped failed -16 15:42:14 executing program 1: r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0) getpeername$packet(0xffffffffffffffff, &(0x7f0000002680)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000026c0)=0x14) ioctl$TUNSETIFINDEX(r0, 0x400454da, &(0x7f0000002700)=r1) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[@\x00\x00\x00\x00\x00\x00\x00b:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:14 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x124, 0x0) 15:42:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x4) ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r2, 0x400c6615, &(0x7f0000000000)) bind$vsock_stream(r3, &(0x7f0000000080)={0x28, 0x0, 0x2710, @host}, 0x10) openat$smack_task_current(0xffffffffffffff9c, &(0x7f0000000140)='/proc/self/attr/current\x00', 0x2, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_PPC_GET_SMMU_INFO(r1, 0x8250aea6, &(0x7f0000000040)=""/25) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) setsockopt$ARPT_SO_SET_REPLACE(r3, 0x0, 0x60, &(0x7f0000000300)={'filter\x00', 0x7, 0x4, 0x488, 0x134, 0x0, 0x0, 0x3a4, 0x3a4, 0x3a4, 0x4, &(0x7f00000002c0), {[{{@uncond, 0xf0, 0x134}, @unspec=@IDLETIMER={0x44, 'IDLETIMER\x00', 0x0, {0x3f, 'syz1\x00', 0x4}}}, {{@arp={@loopback, @remote, 0xff000000, 0xffffff00, @mac, {[0x0, 0xff, 0xff, 0x0, 0xff, 0xff]}, @empty, {[0x0, 0xff, 0xff]}, 0xa55, 0x40, 0x120000, 0x78e519b8, 0x55, 0xffffffffffff0000, 'veth0_to_hsr\x00', 'veth0_to_bond\x00', {0xff}, {0xff}}, 0xf0, 0x15c}, @unspec=@NFLOG={0x6c, 'NFLOG\x00', 0x0, {0x2000000020, 0x401, 0x9, 0x0, 0x0, "f0b29ee1b6349cc47d47a5d06ef5d55d0d229e119c6c1dc71754fa2c8d4d44a3465f9dbf1906dda57b18c238879e4b2a8257afe53ec710f4ae5b541dbbb8c8e7"}}}, {{@arp={@initdev={0xac, 0x1e, 0x0, 0x0}, @remote, 0xffffffff, 0xff000000, @empty, {[0xff, 0x0, 0x0, 0x0, 0xff, 0xff]}, @empty, {[0x0, 0x0, 0x0, 0x0, 0x0, 0xff]}, 0x0, 0x204, 0x6, 0x200, 0xfffffffffffffff7, 0x3f, 'eql\x00', 'hwsim0\x00', {0xff}, {0xff}}, 0xf0, 0x114}, @unspec=@AUDIT={0x24, 'AUDIT\x00'}}], {{[], 0xc0, 0xe4}, {0x24}}}}, 0x4d4) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 361.507294][ T6112] binder: BINDER_SET_CONTEXT_MGR already set [ 361.542534][ T6112] binder: 6110:6112 ioctl 40046207 0 returned -16 [ 361.549218][ T6092] binder_alloc: 6091: binder_alloc_buf, no vma [ 361.571001][ T6117] ceph: device name is missing path (no : separator in [@) [ 361.574514][ T17] binder: release 6091:6092 transaction 1376 out, still active 15:42:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 361.612103][ T6114] binder: BINDER_SET_CONTEXT_MGR already set [ 361.632933][ T6114] binder: 6091:6114 ioctl 40046207 0 returned -16 [ 361.635511][ T17] binder: unexpected work type, 4, not freed 15:42:14 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x180, 0x0) 15:42:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x18}], 0x0}}}], 0x0, 0x0, 0x0}) [ 361.681181][ T17] binder: send failed reply for transaction 1376, target dead [ 361.701585][ T17] binder: undelivered transaction 1379, process died. 15:42:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:14 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b6403000000000000003a00e1742cec07645d60069b10a83058a8bc44d6c61172baf6f923a3d3212af30d4a9d1e2898d798e71aacf43bf079fb5c63c81512dd2e6b68254bd29bd132b0edfd8fae5c76ed2043c02a0e1ddf085179c757a6d30e0e"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) stat(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x1, &(0x7f0000000140)=[0xee01]) fchownat(r2, 0x0, r3, r4, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 361.847878][ T6336] binder_alloc: binder_alloc_mmap_handler: 6315 20001000-20004000 already mapped failed -16 [ 361.874659][ T6335] binder: BINDER_SET_CONTEXT_MGR already set [ 361.884810][ T6335] binder: 6315:6335 ioctl 40046207 0 returned -16 15:42:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$TCGETA(r1, 0x5405, &(0x7f0000000000)) ioctl$SG_GET_VERSION_NUM(r1, 0x2282, &(0x7f0000000140)) ioctl$VIDIOC_G_AUDIO(r0, 0x80345621, &(0x7f0000000380)) r2 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000080)={r1, &(0x7f00000002c0)="4c37e1d8c245283ec8d7d80699ecb9b5cf881a2ed043797926b1162ded62453217be0859f125322072295d60a0663c63bd66a5162caedbc80d98e50d59fc5d355688670b45e557b7864776e22a08f66d306857f0b8b864d3aaee36ac36c501da19ae273afc82f429de3697755eca2468abc2c03b39543a19c7f75dc49c116bc7d2a913f71e59cbf072fc955e75dd2536aacd1244f68299e128df"}, 0x10) [ 361.922770][ T6336] binder_alloc: 6315: binder_alloc_buf, no vma [ 361.940529][ T6341] binder: BINDER_SET_CONTEXT_MGR already set [ 361.948662][ T6342] ceph: device name is missing path (no : separator in [d) [ 361.970803][ T6341] binder: 6339:6341 ioctl 40046207 0 returned -16 [ 361.974913][ T17] binder: undelivered transaction 1385, process died. 15:42:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x1800}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:15 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x27a, 0x0) 15:42:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x202000, 0x0) ioctl$VIDIOC_ENUMSTD(r2, 0xc0405619, &(0x7f0000000080)={0x8, 0x10, "d567d5d524fd2f91f71d5c3e33b456576efac2ece5521825", {0x8, 0x4}, 0x1000}) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x60000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 362.153027][ T6525] binder_alloc: binder_alloc_mmap_handler: 6500 20001000-20004000 already mapped failed -16 15:42:15 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) recvfrom$unix(r0, &(0x7f0000000240)=""/247, 0xf7, 0x2000, &(0x7f0000000140)=@file={0x1, './file0\x00'}, 0x6e) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = openat$uhid(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uhid\x00', 0x4, 0x0) r2 = shmget$private(0x0, 0x4000, 0x200, &(0x7f0000ff9000/0x4000)=nil) shmctl$IPC_INFO(r2, 0x3, &(0x7f00000005c0)=""/154) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, 0x0, &(0x7f00000002c0)) setsockopt$inet6_int(0xffffffffffffffff, 0x29, 0xfb, &(0x7f00000001c0), 0x4) prctl$PR_TASK_PERF_EVENTS_ENABLE(0x20) mount(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0) capset(&(0x7f0000000040)={0x24020019980330}, &(0x7f0000000140)) clone(0x1ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000280), 0xffffffffffffffff) setpriority(0x2, 0x0, 0x8) write$UHID_INPUT2(r1, &(0x7f0000000280)={0xc, 0x1e, "1a4b2312b4f6ebb3b0dd3c9b30368772e44596e94a002697a98c91154aa7"}, 0x24) readv(r1, &(0x7f0000000840)=[{&(0x7f0000000380)=""/90, 0x5a}, {&(0x7f0000000400)=""/77, 0x4d}], 0x2) write$UHID_CREATE(r1, &(0x7f0000000480)={0x0, 'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000000)=""/11, 0xfffffffffffffed0}, 0x11c) write$UHID_DESTROY(r1, &(0x7f0000000080), 0x4) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000100)={0x0, 0xffffffffffffffff, 0x0, 0xe, &(0x7f0000000040)='l${proc^eth1&\x00'}, 0x30) fcntl$F_GET_FILE_RW_HINT(r1, 0x40d, &(0x7f0000000180)) ioprio_set$pid(0x3, r3, 0x8) r4 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x80, 0x0) setsockopt$inet_tcp_int(r4, 0x6, 0xe, &(0x7f0000000040)=0x36, 0x399af204b16b906f) mount(&(0x7f00000000c0)=ANY=[@ANYBLOB="5bd98ffa813a2f6c6c623a0085ea12ebe8a34f5a9cac607e46dcfd3df14809e007b96e52421e908fff8f16eb63170ea20800000000000000c6f965272cb1"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 362.225886][ T6514] binder: BINDER_SET_CONTEXT_MGR already set [ 362.249498][ T6514] binder: 6500:6514 ioctl 40046207 0 returned -16 [ 362.250265][ T6564] binder_alloc: 6500: binder_alloc_buf, no vma [ 362.264200][ T6563] binder: BINDER_SET_CONTEXT_MGR already set 15:42:15 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x300, 0x0) [ 362.289134][ T6563] binder: 6562:6563 ioctl 40046207 0 returned -16 [ 362.298566][ T7807] binder: undelivered transaction 1391, process died. 15:42:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000000)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_SIGNAL_MSI(r1, 0x4020aea5, &(0x7f0000000080)={0xf000, 0x1000, 0xffff, 0x8, 0x5eb}) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x68000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 362.427521][ T6564] binder_transaction: 19 callbacks suppressed [ 362.427536][ T6564] binder: 6500:6564 transaction failed 29189/-3, size 24-8 line 3147 15:42:15 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/expire_quiescent_template\x00', 0x2, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e23, @rand_addr=0x80000001}}, 0x0, 0x0, 0x5, 0x101, 0x18}, &(0x7f0000000040)=0x98) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r2, 0x84, 0x70, &(0x7f0000000380)={r3, @in={{0x2, 0x4e20, @broadcast}}, [0x6, 0x3, 0x39f394ad, 0x3, 0x3, 0x6, 0x5, 0x5, 0x3ff, 0xffffffff, 0x200, 0x6, 0x0, 0x3, 0x3]}, &(0x7f0000000080)=0x100) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) connect$rxrpc(r4, &(0x7f0000000880)=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0xd}}}, 0x24) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000480)={{{@in=@initdev, @in=@remote}}, {{@in6=@dev}, 0x0, @in6=@mcast2}}, &(0x7f0000000140)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000580)={{{@in6=@empty, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @local}}, 0x0, @in=@loopback}}, &(0x7f0000000680)=0xe8) fchownat(0xffffffffffffffff, 0x0, r5, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000700)={0x0, 0x18, 0xfa00, {0x2, &(0x7f00000006c0)={0xffffffffffffffff}, 0x2, 0x7}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r4, &(0x7f0000000740)={0x15, 0x110, 0xfa00, {r7, 0x1, 0x0, 0x0, 0x0, @ib={0x1b, 0x1ff, 0x10001, {"c31fd9f3a2adb484b796378619c58081"}, 0x9, 0x98, 0x40}, @in6={0xa, 0x4e21, 0x0, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x20}}, 0x80000000}}}, 0x118) ioctl$KVM_RUN(r6, 0xae80, 0x0) 15:42:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x1000000}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:15 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 362.568600][ T6784] binder: BINDER_SET_CONTEXT_MGR already set [ 362.591959][ T6784] binder: 6783:6784 ioctl 40046207 0 returned -16 [ 362.598788][ T6787] binder: BINDER_SET_CONTEXT_MGR already set [ 362.609845][ T6787] binder: 6786:6787 ioctl 40046207 0 returned -16 15:42:15 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x378, 0x0) [ 362.643038][ T17] binder: undelivered transaction 1397, process died. [ 362.650800][ T6785] binder: 6783:6785 transaction failed 29189/-22, size 24-8 line 2994 [ 362.668186][ T17] binder_release_work: 33 callbacks suppressed [ 362.668193][ T17] binder: undelivered TRANSACTION_ERROR: 29189 15:42:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x2000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 362.716533][ T17] binder: undelivered TRANSACTION_ERROR: 29189 15:42:15 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x37c, 0x0) 15:42:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000400)='/dev/kvm\x00', 0x20000, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_TOL(r2, &(0x7f0000000380)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x68, r3, 0x120, 0x70bd29, 0x25dfdbfd, {{}, 0x0, 0x4107, 0x0, {0x4c, 0x18, {0x9, @media='ib\x00'}}}, ["", "", "", ""]}, 0x68}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) bind$pptp(r2, &(0x7f0000000000)={0x18, 0x2, {0x3, @empty}}, 0x1e) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 362.862915][ T6906] binder: BINDER_SET_CONTEXT_MGR already set 15:42:15 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(r2, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 362.910748][ T6906] binder: 6905:6906 ioctl 40046207 0 returned -16 [ 362.910752][ T6920] binder: BINDER_SET_CONTEXT_MGR already set [ 362.910782][ T6920] binder: 6907:6920 ioctl 40046207 0 returned -16 [ 362.936164][ T5] binder: release 6905:6906 transaction 1400 out, still active [ 362.944264][ T6918] binder: 6905:6918 transaction failed 29189/-3, size 24-8 line 3147 [ 362.952745][ T5] binder: unexpected work type, 4, not freed 15:42:15 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3b8, 0x0) 15:42:15 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) pipe2(&(0x7f0000000000)={0xffffffffffffffff}, 0x80000) getsockopt$inet_tcp_int(r0, 0x6, 0x37, &(0x7f0000000080), &(0x7f00000000c0)=0x4) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:/llb;\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 362.970697][ T5] binder: send failed reply for transaction 1400, target dead [ 363.000870][ T5] binder: undelivered transaction 1403, process died. 15:42:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x18000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 363.048459][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:16 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3d0, 0x0) 15:42:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x74000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 363.163104][ T7131] binder: BINDER_SET_CONTEXT_MGR already set 15:42:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x80000, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 363.203472][ T7131] binder: 7130:7131 ioctl 40046207 0 returned -16 15:42:16 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3ea, 0x0) [ 363.257411][ T7133] binder: 7130:7133 transaction failed 29189/-3, size 24-8 line 3147 [ 363.269164][ T7141] binder: BINDER_SET_CONTEXT_MGR already set [ 363.321246][ T7141] binder: 7140:7141 ioctl 40046207 0 returned -16 [ 363.321564][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:42:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0xfdfdffff}], 0x0}}}], 0x0, 0x0, 0x0}) [ 363.367975][T26837] binder_send_failed_reply: 5 callbacks suppressed [ 363.367985][T26837] binder: send failed reply for transaction 1406 to 7130:7131 [ 363.406503][T26837] binder: undelivered transaction 1409, process died. 15:42:16 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f6, 0x0) [ 363.435003][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 363.454475][ T7263] binder: BINDER_SET_CONTEXT_MGR already set 15:42:16 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) getpeername$netlink(r2, &(0x7f0000000000), &(0x7f0000000040)=0xc) prctl$PR_GET_CHILD_SUBREAPER(0x25) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 363.484916][ T7279] binder: 7233:7279 transaction failed 29189/-3, size 24-8 line 3147 [ 363.521308][T26837] binder: release 7233:7263 transaction 1412 out, still active 15:42:16 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="000000003f00000002000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 363.534870][ T7263] binder: 7233:7263 ioctl 40046207 0 returned -16 [ 363.544825][T26837] binder: unexpected work type, 4, not freed 15:42:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 363.580123][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:42:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0xfffffdfd}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:16 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x500, 0x0) [ 363.638753][T26837] binder: send failed reply for transaction 1412, target dead [ 363.676262][T26837] binder: undelivered transaction 1415, process died. [ 363.764902][ T7441] binder: BINDER_SET_CONTEXT_MGR already set [ 363.786746][ T7441] binder: 7412:7441 ioctl 40046207 0 returned -16 [ 363.808537][ T7441] binder: BINDER_SET_CONTEXT_MGR already set 15:42:16 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) getrandom(&(0x7f0000000240)=""/196, 0xc4, 0x2) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:/l|b:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x1, 0x3, 0x4000000000, 0x2000, &(0x7f0000015000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xfdfdffff, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 363.826433][T26837] binder: release 7412:7441 transaction 1419 out, still active [ 363.840947][ T7441] binder: 7412:7441 ioctl 40046207 0 returned -16 [ 363.847675][T26837] binder: unexpected work type, 4, not freed 15:42:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x100000000000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 363.879487][T26837] binder_release_work: 20 callbacks suppressed [ 363.879492][T26837] binder: undelivered TRANSACTION_COMPLETE [ 363.916381][T26837] binder: undelivered TRANSACTION_COMPLETE 15:42:16 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 363.951864][T26837] binder: send failed reply for transaction 1418 to 7362:7363 [ 363.996169][T26837] binder: send failed reply for transaction 1419, target dead [ 364.033717][ T7736] binder: BINDER_SET_CONTEXT_MGR already set [ 364.034308][T26837] binder: undelivered transaction 1422, process died. 15:42:17 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x600, 0x0) 15:42:17 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000240)=ANY=[@ANYBLOB="1b00623a9f7fc259ec4452aa3cd4b89bdf53e1a572ae0129d8f17f5415ebce05557fb37e344b8fa4fd5d55c0eff83e90c97069e5be8eb63d5ab6c2d6b7dcbab6a3ed447f68d23d7c2f8d170fb77f84c77c50faa7713fa2fff4a9eb678db03b5d8e6c03c0e9baa692a1bb419bb726d018bdbae3b6489ec6a0fc9f55f37b6b88aec2d470f8bcddeb6e6f727849d20b7c73c69e1b1f547942856d7a177812f30154aa1ac971f554f976083d48bc7af024c7df416e98a6e117cceb548f9f925f39cf6d8ef3c99311c98be6b088456fe01f80f19697efe1680fd08eae38af"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/amemthresh\x00', 0x2, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'team0\x00', 0x0}) setsockopt$RDS_GET_MR_FOR_DEST(r0, 0x114, 0x7, &(0x7f0000000140)={@ll={0x11, 0xff, r1, 0x1, 0x2, 0x6, @local}, {&(0x7f0000000380)=""/255, 0xff}, &(0x7f0000000080), 0x50}, 0x9c) [ 364.039749][ T7736] binder: 7675:7736 ioctl 40046207 0 returned -16 [ 364.119496][T26837] binder: send failed reply for transaction 1423 to 7412:7580 [ 364.134931][ T7828] binder: BINDER_SET_CONTEXT_MGR already set [ 364.163454][ T7828] binder: 7675:7828 ioctl 40046207 0 returned -16 [ 364.174478][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.190124][ T7858] ceph: device name is missing path (no : separator in ) [ 364.205452][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:42:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xfffffdfd, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x200000000000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 364.219377][T26837] binder: release 7675:7835 transaction 1432 out, still active [ 364.250240][T26837] binder: unexpected work type, 4, not freed 15:42:17 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r5 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000140)='SEG6\x00') sendmsg$SEG6_CMD_DUMPHMAC(r3, &(0x7f0000000440)={&(0x7f0000000080), 0xc, &(0x7f0000000400)={&(0x7f00000003c0)={0x3c, r5, 0x110, 0x70bd29, 0x25dfdbfb, {}, [@SEG6_ATTR_SECRET={0x18, 0x4, [0x7, 0x7, 0x0, 0x6, 0x10000]}, @SEG6_ATTR_SECRET={0x10, 0x4, [0x5, 0xff, 0x0]}]}, 0x3c}, 0x1, 0x0, 0x0, 0x844}, 0x40) ioctl$KVM_CREATE_PIT2(r3, 0x4040ae77, &(0x7f0000000000)={0xfffffffffffeffff}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) pread64(r2, &(0x7f00000002c0)=""/236, 0xec, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE(r3, 0x80045530, &(0x7f0000000480)=""/97) [ 364.276515][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.304174][ T7883] binder: BINDER_SET_CONTEXT_MGR already set [ 364.322754][ T7883] binder: 7882:7883 ioctl 40046207 0 returned -16 [ 364.329819][T26837] binder: send failed reply for transaction 1427 to 7589:7590 15:42:17 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$BLKPBSZGET(r0, 0x127b, &(0x7f0000000080)) [ 364.370580][T26837] binder: send failed reply for transaction 1428 to 7675:7736 [ 364.404294][T26837] binder: undelivered transaction 1431, process died. [ 364.412118][ T8010] binder_alloc_mmap_handler: 6 callbacks suppressed 15:42:17 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x700, 0x0) [ 364.412136][ T8010] binder_alloc: binder_alloc_mmap_handler: 7968 20001000-20004000 already mapped failed -16 [ 364.443143][ T7969] binder: BINDER_SET_CONTEXT_MGR already set [ 364.454977][ T7969] binder: 7968:7969 ioctl 40046207 0 returned -16 [ 364.475168][T26837] binder: send failed reply for transaction 1432, target dead 15:42:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x1800000000000000}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x100000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 364.523481][T26837] binder: send failed reply for transaction 1436 to 7968:7969 [ 364.531008][T26837] binder: undelivered transaction 1439, process died. [ 364.553173][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.582086][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.608549][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 364.635232][ T8151] binder: BINDER_SET_CONTEXT_MGR already set [ 364.662257][ T8151] binder: 8150:8151 ioctl 40046207 0 returned -16 [ 364.666341][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.685069][ T8186] binder_alloc: binder_alloc_mmap_handler: 8150 20001000-20004000 already mapped failed -16 [ 364.700598][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 364.709796][ T8151] binder: BINDER_SET_CONTEXT_MGR already set [ 364.729723][ T8151] binder: 8150:8151 ioctl 40046207 0 returned -16 15:42:17 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x80800, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r2, 0x402c5342, &(0x7f0000000000)={0x3ff, 0x80000000, 0x6, {}, 0x4, 0x4a}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:17 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="65643a3a5d3a2f6cea4e6c62"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 364.730561][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.757734][T26837] binder: undelivered TRANSACTION_COMPLETE [ 364.768818][T26837] binder: undelivered TRANSACTION_ERROR: 29189 15:42:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0xfdfdffff00000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 364.795204][T26837] binder: release 8150:8186 transaction 1446 out, still active [ 364.812543][ T8288] libceph: resolve 'ed' (ret=-3): failed 15:42:17 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = dup(r0) getsockopt$IP_VS_SO_GET_DESTS(r2, 0x0, 0x484, &(0x7f00000002c0)=""/4096, &(0x7f0000000140)=0x1000) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x80000, 0x0) ioctl$TIOCLINUX5(r3, 0x541c, &(0x7f0000000080)={0x5, 0x9, 0x2095f454, 0x3, 0x6}) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:17 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa00, 0x0) [ 364.851411][T26837] binder: unexpected work type, 4, not freed [ 364.872138][ T8288] libceph: parse_ips bad ip 'ed::]' [ 364.895518][T26837] binder: undelivered TRANSACTION_COMPLETE 15:42:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x200000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 364.901480][T26837] binder: release 8150:8186 transaction 1442 out, still active [ 364.962110][T26837] binder: unexpected work type, 4, not freed [ 364.988822][T26837] binder: send failed reply for transaction 1441 to 8132:8143 [ 364.998918][ T8434] binder_alloc: binder_alloc_mmap_handler: 8358 20001000-20004000 already mapped failed -16 15:42:17 executing program 1: r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) r1 = accept4$unix(r0, &(0x7f0000000080), &(0x7f0000000180)=0x6e, 0x80000) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000140)={0x0, 0x0, 0x0}, &(0x7f00000001c0)=0xc) fstat(r1, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000002c0)={0x0, 0x0, 0x0}, &(0x7f0000000300)=0xc) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, 0x0}, &(0x7f00000003c0)=0xc) lstat(&(0x7f0000000400)='./file0\x00', &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x5, &(0x7f00000004c0)=[r2, r3, r4, r5, r6]) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) ioctl$DRM_IOCTL_SET_MASTER(r0, 0x641e) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) getsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000000500), &(0x7f0000000540)=0xb) mount(&(0x7f0000000580)=ANY=[@ANYBLOB="5b643a3a000003009e32bdfff12db05c3d6e96bd42bce200000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 365.012944][ T8420] binder: BINDER_SET_CONTEXT_MGR already set [ 365.028222][ T8420] binder: 8396:8420 ioctl 40046207 0 returned -16 [ 365.035272][T26837] binder: send failed reply for transaction 1442, target dead [ 365.044545][ T8401] binder: BINDER_SET_CONTEXT_MGR already set [ 365.060276][T26837] binder: send failed reply for transaction 1446, target dead [ 365.060676][ T8401] binder: 8358:8401 ioctl 40046207 0 returned -16 [ 365.074694][ T8420] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 365.074705][ T8420] binder_alloc: 8358: binder_alloc_buf, no vma [ 365.119080][ T8420] binder: 8396:8420 transaction failed 29189/-3, size 0-0 line 3147 [ 365.122883][ T8442] libceph: resolve 'd' (ret=-3): failed [ 365.129027][ T8462] binder_alloc: 8358: binder_alloc_buf, no vma [ 365.144449][ T8462] binder: 8358:8462 transaction failed 29189/-3, size 24-8 line 3147 [ 365.153302][ T8442] libceph: parse_ips bad ip '[d:' 15:42:18 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x1f, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x4000000000000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8000000000000000, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x20100, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:18 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1020, 0x0) [ 365.206279][T26837] binder: send failed reply for transaction 1450 to 8358:8401 15:42:18 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000140)='/dev/full\x00', 0x101000, 0x0) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vga_arbiter\x00', 0x4000, 0x0) ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000080)={0x2, r2}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x2}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x300000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:18 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = dup2(0xffffffffffffff9c, 0xffffffffffffff9c) ioctl$PERF_EVENT_IOC_REFRESH(r0, 0x2402, 0x8) 15:42:18 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000, 0x0) [ 365.413577][ T8672] binder: BINDER_SET_CONTEXT_MGR already set [ 365.432593][ T8672] binder: 8667:8672 ioctl 40046207 0 returned -16 [ 365.487752][ T8753] binder_alloc: binder_alloc_mmap_handler: 8667 20001000-20004000 already mapped failed -16 15:42:18 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2010, 0x0) 15:42:18 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000000)={0x6, r2, 0x1}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = getuid() r5 = getgid() fchownat(r2, &(0x7f0000000080)='./file0\x00', r4, r5, 0x1000) [ 365.557877][ T8672] binder: BINDER_SET_CONTEXT_MGR already set [ 365.582622][ T8672] binder: 8667:8672 ioctl 40046207 0 returned -16 [ 365.589212][T26837] binder: release 8667:8753 transaction 1462 out, still active 15:42:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x400000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 365.614463][T26837] binder: unexpected work type, 4, not freed 15:42:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x18}], 0x0}}}], 0x0, 0x0, 0x0}) [ 365.672060][ T8910] binder: BINDER_SET_CONTEXT_MGR already set 15:42:18 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b64ff0100002f6cac623a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1, 0x0) r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x40, 0x0) r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_MAX_PORTS(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, r1, 0x810, 0x70bd2a, 0x25dfdbff, {}, ["", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x800}, 0xc000) [ 365.739647][ T8910] binder: 8909:8910 ioctl 40046207 0 returned -16 [ 365.739808][T26837] binder: send failed reply for transaction 1457 to 8674:8676 15:42:18 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2401, 0x0) [ 365.813666][T26837] binder: send failed reply for transaction 1458 to 8667:8753 [ 365.832182][ T8935] ceph: device name is missing path (no : separator in [dÿ) [ 365.842251][ T8934] binder_alloc: binder_alloc_mmap_handler: 8919 20001000-20004000 already mapped failed -16 [ 365.843276][T26837] binder: send failed reply for transaction 1462, target dead [ 365.874039][ T8920] binder: BINDER_SET_CONTEXT_MGR already set [ 365.896535][ T8920] binder: 8919:8920 ioctl 40046207 0 returned -16 15:42:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x500000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:18 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x6cee], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:18 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f00, 0x0) [ 365.978066][ T9079] binder_alloc: 8919: binder_alloc_buf, no vma [ 365.997005][ T9079] binder: 8919:9079 transaction failed 29189/-3, size 24-8 line 3147 15:42:19 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000000), &(0x7f0000000080)=0xc) r3 = geteuid() fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', r3, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$EVIOCGABS2F(r2, 0x8018456f, &(0x7f00000002c0)=""/196) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:19 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f00000001c0)=ANY=[], &(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000, 0x0) r0 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0xdd, 0x4100) ioctl$BLKRRPART(r0, 0x125f, 0x0) prctl$PR_CAP_AMBIENT(0x2f, 0x1, 0x20) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x0, 0x0) write$P9_RLERROR(r1, &(0x7f0000000080)=ANY=[@ANYBLOB="0e00000007010005002300000000"], 0xe) 15:42:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x1800}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:19 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000, 0x0) [ 366.237877][ T9188] binder: BINDER_SET_CONTEXT_MGR already set [ 366.289560][ T9188] binder: 9169:9188 ioctl 40046207 0 returned -16 [ 366.310314][ T9231] binder_alloc: binder_alloc_mmap_handler: 9169 20001000-20004000 already mapped failed -16 15:42:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x600000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 366.341470][ T9188] binder: BINDER_SET_CONTEXT_MGR already set [ 366.364409][ T12] binder: release 9138:9140 transaction 1472 out, still active [ 366.372951][ T9231] binder_alloc: 9138: binder_alloc_buf, no vma [ 366.381159][ T12] binder: send failed reply for transaction 1472, target dead 15:42:19 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000080)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_IP(r2, &(0x7f00000002c0)={0x3, 0x40, 0xfa00, {{0xa, 0x4e23, 0x5, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x2a9}, {0xa, 0x4e20, 0x0, @dev={0xfe, 0x80, [], 0x1b}, 0x1}, r4, 0xfffffffffffffffd}}, 0x48) keyctl$session_to_parent(0x12) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) getsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r2, 0x84, 0x12, &(0x7f0000000000), &(0x7f0000000040)=0x4) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:19 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x24008, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x319, 0x4c0100) ioctl$CAPI_NCCI_GETUNIT(r0, 0x80044327, &(0x7f0000000080)=0x9) r1 = open(&(0x7f0000000000)='./file0\x00', 0x40, 0x4) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r1, 0x84, 0x6c, &(0x7f00000000c0)={0x0}, &(0x7f00000001c0)=0x8) getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(r1, 0x84, 0x1b, &(0x7f0000000240)={r2, 0xe1, "f50690671c3d909bdea6e782400aa9f0fab197b415418dcedcaa163c0ac6aff35d260083505aea822c6dcfcdcf6f4a7ceac3a06b4db0c2e69d45a299980dacb6cf89618d78221e7c8e53f88df52fea18cbeeac72a74bd909388cb42028808c671cb5facb6920addd2445caecf95aa20f31197e9e04f779ac060ab8cc59b26741e77f518cffa06d3c50754598d7cdd29993b910d17784af3f36d0c1cec4850f6f0d75d5ca5734bc844f9141d3136158689a27d1fedd9b7eb17589f2f2e1ec243b10506a9a08e87a1ec8d0e37f0a79261b8edb0614fb28e5af63e05488ab251cec8b"}, &(0x7f0000000380)=0xe9) mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b0600ad393a2f6c6c6203000dc8f52bbb9fcdde68b019ead02e733bd604350acd3f8ca4922607836b45f27daa54e00a9d30c52068d877300893a2245a8a1ebf6324ee7182346d5e3be38dbd0fcf"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 366.393794][ T9188] binder: 9169:9188 ioctl 40046207 0 returned -16 [ 366.438545][ T9231] binder: 9169:9231 transaction failed 29189/-3, size 24-8 line 3147 15:42:19 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$EVIOCGABS3F(r2, 0x8018457f, &(0x7f00000003c0)=""/89) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng\x00', 0x2, 0x0) pread64(r0, &(0x7f00000002c0)=""/9, 0x9, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_GET_MSR_INDEX_LIST(r3, 0xc004ae02, &(0x7f0000000300)=ANY=[@ANYBLOB="02a57ce6bc7514ff870a5b70"]) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) fsetxattr$security_smack_entry(r3, &(0x7f0000000000)='security.SMACK64IPIN\x00', &(0x7f0000000140)='/dev/hwrng\x00', 0xb, 0x3) 15:42:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x1000000}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:19 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7803, 0x0) [ 366.693681][ T9529] binder: BINDER_SET_CONTEXT_MGR already set [ 366.724244][ T9529] binder: 9527:9529 ioctl 40046207 0 returned -16 15:42:19 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x44000, 0x0) write$P9_RATTACH(r1, &(0x7f0000000040)={0x14, 0x69, 0x1, {0x4, 0x0, 0x1}}, 0x14) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:19 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) bpf$OBJ_GET_MAP(0x7, &(0x7f0000000180)={&(0x7f0000000140)='./file0\x00', 0x0, 0x18}, 0x10) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) getpeername(r0, &(0x7f0000000080)=@pppoe={0x18, 0x0, {0x0, @broadcast}}, &(0x7f00000001c0)=0x80) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 366.756253][ T9580] binder_alloc: binder_alloc_mmap_handler: 9527 20001000-20004000 already mapped failed -16 [ 366.777156][ T9529] binder: BINDER_SET_CONTEXT_MGR already set [ 366.783970][ T9529] binder: 9527:9529 ioctl 40046207 0 returned -16 [ 366.790919][ T17] binder: release 9527:9580 transaction 1480 out, still active 15:42:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x700000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 366.807776][ T17] binder: unexpected work type, 4, not freed [ 366.864343][ T17] binder: send failed reply for transaction 1480, target dead 15:42:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x2000000}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:19 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7a02, 0x0) [ 366.919618][ T17] binder_cleanup_transaction: 5 callbacks suppressed [ 366.919625][ T17] binder: undelivered transaction 1483, process died. [ 367.017605][ T9625] binder: BINDER_SET_CONTEXT_MGR already set [ 367.073310][ T9625] binder: 9624:9625 ioctl 40046207 0 returned -16 15:42:20 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7c03, 0x0) 15:42:20 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) prctl$PR_GET_KEEPCAPS(0x7) sendmmsg$unix(r2, &(0x7f0000002680)=[{&(0x7f0000000400)=@abs={0x1, 0x0, 0x4e20}, 0x6e, &(0x7f0000000140)=[{&(0x7f0000000480)="c208cd25d6d684046360bd23f054433b0a8865e8c9c92fa4e8f23a32b699c5a2c00c7b82e72855a2733e41a2717ac86f4e30c1f038f925e41570d5a218227f3c0c864a8b8e0f9ebe23cad79cfa8a878ad785ee7171f576e77fbe18aadfc131ea2edf4741ede5761f04046912ef82b86b1dd5add5d4d914d26682f65dff45f3c56b9da60c12630df06bbcf32ac2a66a49ddeae3a72f14edf9ae2da94af2465de25e", 0xa1}, {&(0x7f0000000000)="7d764894ccdf0d7da26298e0", 0xc}, {&(0x7f0000000540)="3224c050cc5c7aac0fda4a81fa1cad397e324bf8f855aefce6d3b8dfbb463b49c6c227c7b18ba13090e91cf4bb70bdba39bc9a0db1aed95d7eda865d58638d80786ffa4a554c0972c4549b45cafa48d31272760a810ab0c17922c4644dcbf24f2124790fbd7dd95368c8fdf7c2d11307d3566364e86d11522d8bacfa074233add3933d35cb858aac66c39683b8f70ef3bf59350637c592098cd78ee4d2ae5016260bce53633f9c707546f3a3b63e14b7299b91ee117dbb1e9d28c47c6dda2c96030f6caec063a63e9bb2c81130c52e19d57d3083adc2ba5ed2467b5fa28007b0450b641c61c363cff83f03af9d50e397ce2bfd3a4a887af93728e5df363ecb5719eed07d9d4b396ed1dbce173e5dad6ff64622475b28cdd31074a4816d43f897d4352db1723cee142040e43eda656b915e9644bedda2ac3238b99e7ba18702054b124004d8aece93146c17cc04bf3ca2417ef58d9b9c5b0bc59d32a3d93f61bc59002ad5773071e44b7455b9fd46e12604c0c0d7e9b0ba71eaf65193e39568095d11545810750e40a627c6e76dd0df09130695808085a4412ff932740486308767ba5277f98d07ae4d2e062fa7da7c76edfd90d2b6c3fcc060ca892fad3ea3fc80f2ca36d603b7eed537ed663d7a56ae7e2c650f21fea448b0167a386061861f51cfa214981d985d76f4c6b76c29cb933f55a923402b9b00ca83c78e87223e5409c3a1e5b909a125d9f859cf0d15860d45ff65ef81a1b44c5d53943934130b8244d05bf4adde1e2ad255676aec0bea04a938431e1c2e3018d6c6aa2d1cc54812c073833e6c0a4cf6247e1681dafc960f82c15ad4d0b7bb4c357605f893b8406ec601cfc2ea15486be5101e2cbf8678dfefa4f9222a262c58b7045311ff3990a7e82c8872628ae04a5a07eb0d03a14fa2c6f81e0607e9d38c1b2c851f4bfa5157780e50ebcc8af86996ca3ffd6e4c5a43f9ddc5d481a94f80d0119353fa99299d9b660d4d4f901664885dc14c00c0467752e456b3a4e855e4798231f5a870272942bc613094abab0a0c469a33306e55457887d5dad92b27243504d99866bd40f19e0da80c62dc9c1147be267dcc9bda68ef9bb2b26275283e4e9d74c7a939ac8a1cb1ae255227e050fe2665c5fe632ce100745309b7683cf0714eb50aebf3bb300f0e55a4e27ffe2857da76487eff5d173dbeadcec6e704831f0a5e4dc0a554b0fd533ef81f0a258c27038e4356402837b5e9492aeab7e858df8a918b6fb71e4d141d556c5f193a4d989c422e766bcaee3e2dea66150fbd1903f8838c9506a69ab506fcf6b4d57de7f933f989de879d92d66e9ceb882896bd06c86d183cd009b34424b33d04f38e9af426cb9099dcbf2e5e5c3ef7fd0901015bd9f0a5e169caa388a73c6629b229fc0c40699fc5887a3b2fd73ce2b638edda043ebb9eba61f5bd00cafece67e1d974533c348073e2342def2edf5ecf5f9cfcdbd0edd4bc70975a5abad189b61a63fd763c03b24100e82bb682c0d024f7709066795ec52684827eb0a389ec274fc6b3e537052234b686fa85b93195d07d80c8ac1e68fd6abc5366dbdfa367d8680cdd7c78d96b6346b299b06342bf99d45782e0bc3cc25761c36c0810def70909e1bbae47f57d965abcc886573b719a8f31101343ca5ef3bf7d8a62c16c57716105e2981a7a5d882b15295b0fdbcdad7022b25efe2b8c421ff56394a5318601d0937ccd24f52d9fb5aff8583e47dd63314b459f4837cac92983a85be6cea181de545b0846e7f446300b909ba6ad4450fc3f4429915fb59a17e0f24980c2096daea284a5433c2aea14a4ef9ac59e8078b661a986e68f2f199d7fd093fc7b2feee6c4255a9d1ced9402e8ea3fb16e76710bffdd80a731ac2268292ae818b3557bcf027cd701ac8e337bc9fa06857d62174e74fcb8bfd06bdf74a824082dc694726c8ec786d29c3598442443028d9206dc00a75b7bf14083a50fd0cf4b5e8995e7792555a945813b258442c4e15c19956045fa53096452e070528accd6dbfc1df199b889ea898b485d50d6bb480f90333e75e524ecf6673a02dddc137c9a07fbd8d3fd49b6ec4182cd6a57aa4dded01c3de92973075eb064e5bd02c415adaaa6f69d7ee4e2e176ae359418c1d6464de3b03ff757548bd27cfaedcac097989d621acee43877221b3e3c37a9b661e56c4b31046ca84d135c78faf3c8e9134e02a373065156cf5177290bd9ccde2cd2f47938f0e820ff4b42fe565fa671917c1897289a070b1dea46f6359ca4590224fb698e69aa06bb929f67ef2938cac50554e544f0c3c738ed3f444e13a19753e78b96f40f696a9773a659a5309f7ffed317482040fe1d977fa381838e3b87510c2ead8c570a8ccf070ba8bfa802f3676a4840e426f9e08b0f868697f64c0f850870cd9b716164a85386f605b1b7b19bec77689b4b53619dc662ca80b5768d76bf59a1d02f56dd06f3af99e490d660bb2bd6d9251fa5d8bbfcdc47bea185881c511f453628ae9228ac406a6eb31f7b83429dbe45b6218f72cfe85ba80f1726d073664bd23c804336a3af5d5e319b3e5b926c6d1bc58039cd4240fc2ea9ec20275a2b65d5bf4cf19e071c41538f8127c5fb7375578d4cf067e63f892e62f042183fc0699467df319d7d9fe00e158feddac52e691730ee504af7bc8a7b9418d38f6485cc9ca59a4aaec71c59e2cee33594cf177a7cb934c407b4613b5b8d1ade306c498853201d7ec4c82bc5eaadb823a00461aa7d8ed3e28d7c963e2389a30879e5cd608f5822b29f5b7b65fb3f1b543c4b9de3392a38e83744881f3a2af4b93f2df2546842a6ce52dd4a07da5184c1ecff54411bf585ff23872ed51d2755b8bcd5c0361f2073ae3c0ddd4c99496d5c63196e11deefb1981bb3f59eba446f678b1375dc332adb0d85da09eb38852294c0d86f3e1ed086372f78267cc7b5dce81d2caeaa57453888987ea725b9306e01ced101220253a42fd215b552d56b51576d12df24b44fe4a07c39633a77f92287dbb5a2da37789f5653b8bcdb18b7cbf0d34610606d84d83c63a770b77d437d2c219108f9d3edfc699c25f02832aeac10088849506a64d9330f4ab2b89a02feac5a480472235b2c3b680bbf61628e06ba489c6eef1427958e742ce386675c53690dcdca115152205a9fdfa0c9799cd66f3cc8e191f2a394d05bde9e2e4fdaa9f38d5676139566603d4df55fcd9516d9d6ce1bade198268155072e2fed7d201bbd220516a55d1800febdc3947443e658f365d4e60a833f545aeca1aafb4f71f60a54027c1127878c78d3e8a48aa1af1299531a793f6e74ad8c2ade110a0d9e169813f305d4cafc1ef38575c566c73fb98a52ed17384bb0e5ccdc137f2305f4e7d49a0bd024dad6de577065950c4a8e1ff3fb41007517b8bbd5fa03161a0db3f6278340b42b25eebda67ea4a39e606a64a5874df7ddb920de9a71b86743b7b4d5720b7bfea0ddb655411a4fd3e11b8a4416eb1bb198d9028cc9b807eccd76f27ce07f7605861f0377e08631b65f1b8030e3cd939a66b7eb9dce22bb3882975dd26a3f53435e4b27679c85bd19f9bc6ab9da5fd7dfca33b2e5240679bb497b4e3979db2fc52a706c080ed19e6d5377202994a2ef66a5fe80ca9f5a39298fb35f3a953f02b72034bb278b9f74c1e525442b36384656e553ce56de561def7fdb2671fe99a85b9534f474d11458b42e326256d26dd42925f43dab5b0162c25faf359c1da3c1fff528fd490180d1b13968755c72e80fe7044fb5e364317951ce916d22e0cb6a801f459defeb4d2080ded0e99b135331ea0b715d76562426ca5dcfcf6b32778970fa305d4fb1af260b3caf090c4384ea9fb3efc157d17b7d8a4ada3e121fcc8df6e8117959e08275e3048542e350278fd6730af83fdb87f6e834a399ac5275d58c6d54b35539f413e46b30436ddaf388a3adc3255a77e63876b4fcbb161323644903255fee4d30c5da1ed882088215491eda5205fa7d3bb525d4b0ca8937616d00b7f81fda6a7efa02a22c8acf775d2194aac3c98c83693da211bfcf37b88dae5aeb4cb30ca3d4b5eb8595b4fd3f1a468af3bbb64a7cff4446314e4d1f78d88379873ef53b681e95d70545082801f18acb82357c5736a32acc01ab5f80b07465200e8cdc2eb74cd503f27ea40676fa45a9ef93f32a1aca5e2b8d7de681af075906b4088f51fccbe98d919d885abe208ec1bbab162a2bc52f4a103196dda64e550f7a89ce19c736108ad4d9fa310e61cc030da1cd4f53e3988ff0b77c696690dbbbfb61c89ebe7f2b94499e073e34a06cb2458e334dc6f15b579c1f06b67956f1298164186675c7ba1a913f41d2022ed4fc2206b229a7551d935110546288f91bcf3dddcae580aef2144055e1ad57cafbd4b7a295edfd26b77d9900fff50ecaa17fdfd12b65124183375f7b78a9978f6c788e9e31d8121d8fff67d3cf2ed86edf70fa5fc3c51c1a6c98bd5277e1c2683e297807099496a247258b65809d6803a9aa003d5d08f6aa640ff245d695b8f7cb4a74dde2ba85d53c55df19f0a39f1f55dadee408c43e737e8d5df0d3b9ef83317efaf1b3ea525f8e483dc739a5fe801f84e9b8f517abfd7668b3868e08c6b6355a5f2f6c324a4187df1b41fcdafc78e1eb48ab90b89c73637760da5390bc987ae72d59d81ec2e4498963190a39b5bd1067e3a3dde5fdecfc9807a52b4a3a64f6a51943bce9e1f35105f4cf51609e9024bd0d9c6093ac1c38221893f4a48a18d08ed9351ca56d779726b7da0233222d5769296bf7cee2100a22aedd6ed9e8976e4e42042ca34c4ab738331a928cccfbd9709eee8c7f09d8f8add7e9dc5144228dbac3ff5a4000d140414888dcae433068f62297e2731391a4ea511535f7fb8997536ec9cae172334d75cfc17d8f226651b79628e9868f3bc0c1ea94162fbde5a94996942e84c383b9afdbab104c9272fdb8bcef2d1c09e836938e45ef3a97884ca1b966102bbbd5ca771412063f7d2bd744e63b5e247f2045795dc04873d44222d17f3bd5aa82fb9ff1f4475c0297169f2ef0bcaad4eaac71db26ec73c959437fcc12facd09aa2c370dca9e83d2999073702ee75c831ff27d26deef015fc26b93325fdaebb37745ac29da94fc5b3466d4cbefa2d3db25980be1c5be1836d48fe09cf75cb9bdc03e67a641b593e730dac0efb35b6ba16b0764497774ec94bba1f8fc77511734d4276b49be2b4b644a5ff1cb988de5dbeff2e581962a3633793f042098b785df99ca0e3eeb510b43c29c087725992fdc22f56aacf1476b151e8fdfe055c701fba31f3a2894bac2ee9e9d56a4a95a5a4a9f301b7702538dd3b5d19c75bfc684c3be500dc2f90ee3583e41324cde176e06d61fe5bcbdeba8be3648754b22c9f6e3f9bb7524924d63e8922a1c01b58800141d0189fce2c8004b85c8949a20a3a7fd3378f5aea25f92714a78c76985081278062195eb9358a74988cfead2a09b1aa6c5a7d19968dbc9fdd8a357dbddef938827dbbc0c032d24b9f3af4d0125c8c096bf6f216ffacff8cef4e5f6c440d542b6aabdd76f4c6d00ce4c267fd9326f454c94bd0d5919c9d58a24e05f0698d7e4c3500d4983dcb2d0d67d1aedcb00b433535287199d5b995e5960d0a82d8b8f8667f0a3edbc1b592af3db31eb4b7c513d7c27da2d9ec783d43811f8007dcee2460bd39bcc1211700b06102c5719a4049b5a1be0716400de02d0031dc7be0da2399855633b5fd82e05dee1d695a016a9f8e03a2395b57e3a7acb25", 0x1000}, {&(0x7f0000000080)="740b4f851eba7c60b9a87d21", 0xc}, {&(0x7f0000001540)="b396e30dc397d7b165a8f31493be8381518a4ec0b0e56a0c83f4929a29f9961981cf9633cd4ed198aafd9a9824755f14d10efebf99c60a212f59b04e9d3ffa75d617b29a1684c6ccb0535f30bccf93de3dbed09cab42314a485b6e99511173b109be0edeece3e1cba20dcf3f995ebf97aec18ef3", 0x74}, {&(0x7f00000015c0)="e3eb481a2897f6b812bee1838a5b09fc362418d90d053c51e6dd6dd48f58eb5e68de5b73d032e8406ca08a444d47a6584a2f72af415bce9c219ea7e7f2a8848c24a512b3178fda09f477cee5171b323ee58b3e5dd5566502f7efa689df8b4d0161088e36117b0f073e5f769282d26363a126b0e372c87bea4dba3a46851bd6a5d086fcea4f995b056855d37607f2a459e2111a7b971cbe24e11d0df02eadf4b24fb3b835c6ca645af841170e127e01f22c0692d7ead96b2ce3f8983e9d09ed348e5695a659cf6debab369a04e2b9553b2eb37dbd98e1c85cfc2a5f17c6b8170dc3af7854abb585642dfee165cdd02437e0eca7eddfe3cad9dd3711d187e50e79cc5ffbb419c86849923749db35b80c10ab4cc71118013b4d93efae740bb236c50939513d9301b48a530ca52e6b4fc70dce63ae5441c417df04ad75ccfbf7047dc7969c727d8d814d76540eec33876591e53d6ee73e3c6f39108c4eb3a967287cc2c23e0e33527153cef8a4dadc3212679ebca1ec8f724bb835caeffcfa72765020bc80dbd74ef96636c90c77c2adf604439709d12261915c8236381a81da8e716bf3812682a848163d8521a84b4a8d65174f91ba06c9e72b1906e351a767e13c52043598b6cbaf00ccfaa1911fd72d82e90c9010727f586df71f41e9890173d29ce75cfade661e3c0f920e6cdb5e90c8726ba28de7693906b6b74da115b23a31bbd57f4217d97ae45baccd449fd6b6a723caf993d88e277c1ba0360975fbc22d3f04fc15af58fcb024aba2498a8f7803765d9981fa639492c811dc42daae81125629d248a65338c9e8c3bb53b9ded9cf20d466dc0bdc4d18fb37e301517299487d2e57977e34f481f8f10fd90eb2645ea0db9b4c136fa457303ccd3432c8917b46fa30721f78b3b858c00f3d43a0cac17f926cc236a5ea1b05ddb0ff1f46391aa9564b2160fc6a85d3511c4f36b31973fda951577ce8aa4006e40e0133984bee6ea585a33616d1268b8f9865230bca826302e8a76032b6fcbb074027acf57dfd08e6f6e0aacd84c1c2cb9648dc2e5a56e3b663f4179d8bff591d823c19cf11df7b2ba168574bc43248cec65f2016a567374dac691b82065edcf4eb6a4e8c0a44fdb97152624679d3b2b5a518c2cb37f1e1bdc295f678b4f8da83c36901a19c3cb2efb144377fc7c291a976a912ffe561fffe17b22c702d1500fa954238c758a62e1b887fa57426e050451318b95d82449444406f98ba828871a7651a8b45786e98f1192e4dc8f9f763d56a3884fad65fdff44e72373657b765cd8c0b34481e92571c05ea4fb7f3616f13c9e48685d71e57173d895dcf367a112204c6b75f2fdc353bb884aaed3b7838abbeeb344600eaab1092151581cf06f17a8b92d89a5ceb3fe3ddbff55a99ecc6c77e02d4a2fac19512b719423b2907f7fae617236a9fc64a65dde69c60b4c8847bc5cd86a735282e0de6a8323f76dd382b1f6dc70153f76b6ce56335cb83d2587e850a427b0ff4518ec9e3d1bab371f3f49f2e1a369dd4d93db8a1fc14b4c48ae8f09ec7916a0fa7557c98ae70867e79df4b8c5c4d30a1367e402e8ba65589c2ce3e3418ef6e7b7128ae610ecdf04181864e89147b8ac2499159f0c7946aa63314f0f0aa0449eecb32731392e25bc209401845e6050d2c88b13df4c56fff407b212146e90e173e66bef910c69dd0ef9852151b571fce554caeafbcbe52512f6c21fc13791bbed0b8d187ccf44f456bb506e0f1b4c5c146e4db82b18dc83927c600b7cf33a25bdc7eaca51464e0759eca77c69e490dbca317e0331815acc1fd58144a1cca3ddd9c709bbd59ce47a0baad937df966d196a3cdb3b01cbf0366016cd09143799284b6f953144695ebc83eda98a631ffbf7917db486f73b1557b753c893c7c5d758c818b3c32cf3f87140ee10c250a6ed870e63a49bdd4e373a3ce4c3f3e6ba301b468efe3e75cb19104327dad388dc123336c34e27a11a787a0a3f7269f11554b6d6b7f0b2750687c8d452af77ef1924740fcde7c76ab9259a4ed6b80ea2a44cc670c2aa0636965f385003a1063590e42b5465aef3d9e85ed7d2034ac6ace78da6363998d1e477741dac3d6d13c8859f18a56c1d100d594ee47a941203e64ec8b24a03b334eb9e8e5809ff5530bec185235b3f88396f5cc5741e4b2945c4c24212c13bb546a90e74b27d3205dda017bfa1a13d8281f67470ac0d9666c7fb13f66bc41b360c9c69e8e0a577cf86369ddd57dc499d7130aa02ed78e05599b7bd3f9800e299361b1afdb5c737022a060e6fd3cd6e76823ce2ff3509889a7daabb1a4019ff321f2ef145a51dbfa6cad066df6f920d5d4471c2734645db002b77a08d01785fafec64ccb5af893979755b948f31f46a937ad24641c40172e1a954583fc56e8515b15251c19d81eccb60c4678756e9e8a6bceef10ba7c47ce79457c487dbd266e08514c6b762fffa783367f4a039dadf5f27de6dce1e70ed7c6c2e68da2e0558835e492b7f0b050e95965256af9b7ad5278281328e725fcc0169af5fb30919b71f2945d939c47da37c8afb36cf27679c26a1129e2397a93f41c70541d39cad2e45ff413b68c7675df465e337601ada01d3611568fd7b6d15834c8970c38b1fb703fec77eb15cda106ccf7e488909d98ef5dab775e71d8b588ba3e6b9dc499ac72a4c2f116d0aefd2c06a0407d4748ce53a43db1f37a5cbeac8baf2698f2acf274ea1bdc08ef733ff55734b73a81e8f3ce697177a247d0351dd413b22fd474aa83dc07ecac782a22245325041ef4e291320f2ff999bfe7255d0b22af482dde5d8271c8808114ecf9f4060607a07ce9f109e919f9d30b19272546958bcbb76f1cb91d42e5626a27120555b8542dcd9ebed1ffe177ec5cdd1bd0d384aaf2d205e24db5e28d07ade8600d2470a937b076eb8baf90194a11bd7b86a296288dd0550f06e1b2886abdfc516530a4ca45a7908ca3e4348902fd36b7951dab4abe9aa1e8d36beff93b1077ac256421e0e941ebaa7f0634b8cf2cfa7f3562181b06b5a459ed5aed92c38544f81363bcba66b7d772d5910b09fbd6a9146aabb7e0a73989fc2f1c6bdb40fdd2d9b60ff58cfc15b646ca87f4bb0ae07e799890d208b1bb8f1286301a2152ffbb4157bd34faaf6bab5c13a6ab37e0fc11b4c9feffd6a91f93d6b224ff4453ea9be2910b118fa5414eb432c98eefb5e5719dfcac810fd8b802e4efd035e554cc9fb1be7a00dd7eeafe19546641a702a381552d9b9b3b5183b6ef19e725fd90c47aaad2dc1afd206071904e1ca4f24883f5b6da52a1b926f5d7e5f4dcfbfc90791065ffbc21e12c2a7d4a0283c78f6a52ccd4172817316c26fc19c28876ec7ab24e1f11fa4315447648f461fb7f18e1600c37c3bf591c107bdd5d9c1363c85516073147e515850e7d2e67c4fe83d0cc3e19391584b7d9f4318abcd1c9a5c296714b885ac8df2ee154daa6324072fbb3f7ce2a0d7fa702c5ad112785b6ffe0d1d78284458f755a984f537f6f31a779922bb443fc9629d1be49171e00d598c1078efa3dbb6a3f7d1ef1eee77befd6f2beb0a8476d4132a9825234c29e4da597df282467f43064bb90c0abd04e6147d72c2401bc85d22c30b2f29581f55c53ee202dc5a5a952a0ba303415e8ff49e0bebd78ead8b5f58c622afebdf302169c2507357deabde15a413610e6e1ce0ed5cf07a9a035ac9447ec999b47366845692af99164d12ad07d44ff0ae4ce18a300624958ce1ef396a535e84a5995a9438986c6cac11a5c346891cd8667690d2d2daed913928ed3de0da355648c34487687ed8ec98f7f69ba4efc8084be2ea10653a8c0cc29e1a605139dc9833dad12223aae0b2aa3f38e2e5f9143b158902eba6fcf0dcc57b8e65eab7c103da840d95dc46afed724c7a6b8518f8996bbecb00cdf9397b1a265e9734ae6b7a7ed1d03e6cb16f091895f5763cd2ebf3999ff4a9308b0775da1bdf8c738167620d3310069839ad6e766597ab9ccdc9b5e4fa927a09333eb32e18fa4a92849dac40bc70dfe8d33a9585a7be3c78532a378b2efbc9106520b79d37a963ff032f939f5d6b103f3299ba75a5fb0ac72c6d797b59c9da9ec6bce7be7916dc60bcec8b5fafeb53ea19027c302a1fb0d93c59559daa7b24e35d10abc809b6cfdee8f86a56c5b450829bd28e978924af5c039cdd3ae8fb81006f1405a9da7a780ecba237d9e80b617f3ce5a0eec3adcea1b581411779ea9913b1c0f186267b3e84b6f0c210ff4a49282c5e614fd9f9dfbe3baf93ea46c3e5c2e90a91810394b5d9145c114528db655ce7505e33afd2dc8a12b3b924d205e76e17e0ebebc96defe6593dcd0601eb64a73da88f9e1e74c6e22d165ca9f4362a8e215c68b2b62efa48b8a25b37c4f7ebf629bc1e56f9df9e327463ac9ab86b7e3f04ce4519fc8bc16710785d83b513c6228e57a30e0c8abfbfa80f3a4094338f9db204e9d64e031dddd24b86d18abf8f0970d98942191e30d803c03dd9ef94895fc5e09119cb8968870bdc4534cdcbe4e743c0788a63e7cc73f24a06d863a691bd83167c91e242692e159d5150a16d4213b0083a42cc87724c5ebc5084bb724b77a3c26282ce0d1811f04a26da720e2321802e6d032bf9b1c7a18f6738a1c22d1405bd878a2d17eab9f381e8573ede3c64abd5938977af39a5a12ca7f42f3930afd8e422fc4e10340666aae78405f439924eda9b1b24bc53e8fa94535608fd9251a80a6e0b2c845f8ea320e0d0a79a12613e0ecea53d11b41331521e1a02c5c5d53f94c644a581043c9dfee28e7af6d82fae0dd6db1f62b8a4530401ed786e44513a0431cedd98fe31171a1c6d50aacbb93b108b5f7de9afeb978830816404c8b24823f7923c53b0c575b000ea5abf7d5c9a5b6648d80801bba14367743096dc4a07fb5db033d7d6df9395d9544373e5c4574d8c228cfd19959b8f08bb1a7c0c08c097b6b359a8e83f38da1bf0601f5c547a10028c928ee6447b55d7d15596f180423be676c9fbc89ac01bd63ced0244b8f6845500aedc73ee46c0ccd142bfee9b88a17f7df3ffbdf547d8f6800f90b86d8589d2f6aa0cb1f997a7c2517e9f17eb633050b18653310ae9cca542a04215cea0094a47f4fc428b2e370b27a49d5d0b7bcf9fd239f2fad86f529746e57822ad359dd87617821b26f05713b4945264f01089f9a0490f5911e2100a13d8dd0581f9b9a24033a47b1b5763b410a38b28ed15a3d3317e6832589df2bff579500ae27e668af171da863539224ac955c8ee822adf7552c4996f1233fec72c8806c96a91bb096a3ae3878eeecdd67d87d30197d94113da25aacaebd11260836a99858cd249e9dfd19a80fbff66b3fb94e96f12351b39ce160b05e220b09aa5ad3a8e3540cab64a5e866fcad4c6e449d38ecfc7df63164753180a897ba8116e4e84c39ea3b2f44bf5764c0cb1985da1f24b086c3fe81c90f3b22eb233be82346fa1c09809c0437cab482ae29a50f55704cd661b8c2793776fefa6361d169e3a05d0f208d10f59177173989bf51746b68016180b91689a16865b9871d1d7db19b8cdf4b3caaba52e5c9ce843b6357613016b2ead8c67b4ced493331e4c38446baac5ec66fbe4490043328b63baac0cc2cb3f254a8734ab3082761724241ba0b5c02df89c9ff1ba94c58d4db21645dc4f8acc57f36ec389e6f339249ea8fb3b3728538c4cb8549081c3c596527411a3c498235bcdb0d9ec2623825ff6ac00510eab1246097dab5401c617c6b7359834cb4c8", 0x1000}, {&(0x7f00000025c0)="0ae7afa123555f350be2b37bdb94317056b85a3347cad961884533bda4a9d94365a765de4eda574e6cd98cdc14eaf827c3274bf2fea069a180b9fe7db512202c3f0470d7873d2eafe608de25959865c9fd1383243d3ddfd06d9e7e0e9e47c7aba508d4", 0x63}], 0x7, &(0x7f0000002640)}], 0x1, 0x20000000) ioctl$TCGETA(r0, 0x5405, &(0x7f0000002640)) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) setsockopt$inet6_group_source_req(r2, 0x29, 0x0, &(0x7f00000002c0)={0x7, {{0xa, 0x4e24, 0x7, @loopback, 0x5}}, {{0xa, 0x4e24, 0x10001, @local, 0x5}}}, 0x104) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 367.131985][ T9672] binder_alloc: binder_alloc_mmap_handler: 9624 20001000-20004000 already mapped failed -16 15:42:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x400000500fff, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) write$P9_RLOCK(r2, &(0x7f0000000000)={0x8, 0x35, 0x1, 0x1}, 0x8) [ 367.207667][ T17] binder: undelivered transaction 1492, process died. [ 367.229884][ T9672] binder_alloc: 9624: binder_alloc_buf, no vma 15:42:20 executing program 1: mkdir(&(0x7f0000000000)='./file0\x00', 0x8) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 367.279034][ T9625] binder_alloc: 9624: binder_alloc_buf, no vma 15:42:20 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xb803, 0x0) [ 367.332812][ T9672] binder: 9624:9672 transaction failed 29189/-3, size 24-8 line 3147 15:42:20 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x18000000}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2000000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:20 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca00, 0x0) [ 367.660470][ T9935] binder: BINDER_SET_CONTEXT_MGR already set [ 367.671825][ T9939] binder_alloc: binder_alloc_mmap_handler: 9932 20001000-20004000 already mapped failed -16 15:42:20 executing program 5: r0 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x75, 0x0) lstat(&(0x7f0000000140)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) r2 = getgid() fchownat(r0, &(0x7f0000000080)='./file0\x00', r1, r2, 0x1000) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) setxattr$trusted_overlay_upper(&(0x7f0000000340)='./file0\x00', &(0x7f0000000380)='trusted.overlay.upper\x00', &(0x7f0000000540)=ANY=[@ANYBLOB="00fbed004d1f3942eaf3fd21069b51c904e51bd011b6e547c025d0bdeb25130a1e09b861ef9f62e244534071d14a305ca244bcb6df0b9c79918f6c9a6d799a460e8f30e28ab3529fab5fcb4bcc215e426513a08b5dda9b444b1373bb30acf512c582935bb4dff588eb87917bdc56fd77fee103a47e865ddb6009aba35cc275aa2b13d22598662dd8a42a593d84eb7b1e2ba5161291155cfb6289b5a4e6d49a528482675bd83103daeac72c3432c2a78d2ad99a14fa4b395a20562e641fa78eeabd898fb7968b31837a81873ac70222305b27cd3cb32b6064a4e0f99614d3b77f38165c000000000000000000008730842e97dd37276311e5b0f7edf566189030cd8f8b4bbb7fe908c62556548236b104b4ddab961cff850ce8c90b446c8b6a49eb82c86399bd9417569d8c051f6ce8ff1b7c25c49ed8d0edf7c4dd407edfba4c9bc89d4c0263462a387c3a5e8e74040924c3f892a0952f9db210beef2385d3ffc6e5406971c1970f8baf970d441dc905c4dafe1212d8859da365dda486c8"], 0xed, 0x1) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 367.743380][ T9935] binder: 9934:9935 ioctl 40046207 0 returned -16 15:42:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = syz_open_dev$cec(&(0x7f0000000380)='/dev/cec#\x00', 0x1, 0x2) ioctl$VIDIOC_REQBUFS(r1, 0xc0145608, &(0x7f0000000080)={0x100000001, 0x9, 0x2}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x2000, 0x0) setsockopt$RXRPC_SECURITY_KEYRING(r1, 0x110, 0x2, &(0x7f0000000140)='/dev/cec#\x00', 0xa) ioctl$LOOP_SET_STATUS(r3, 0x4c02, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x2, 0x7, 0x18, 0xc, "7dfe6a2958585fe958a47619a8162b2ec5e43c207905e83eb62e2f5973d6fb73c28d7f6d630e7a9d56fa27d51ed9a0a10a11d1b4b0383aa96367752b9b920fcd", "cd30ab42b0adcc0725a855921fa5c79da8033d0290c2acb8f4722cc132bf2913", [0xffffffffffffff81, 0x10001]}) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 367.792593][ T9936] binder: BINDER_SET_CONTEXT_MGR already set [ 367.800484][ T9936] binder: 9932:9936 ioctl 40046207 0 returned -16 [ 367.849872][ T7807] binder: release 9932:9936 transaction 1499 out, still active [ 367.878872][ T7807] binder: unexpected work type, 4, not freed 15:42:20 executing program 1: r0 = socket(0x19, 0x4, 0x10001) preadv(r0, &(0x7f00000001c0)=[{&(0x7f0000000080)=""/194, 0xc2}, {&(0x7f0000000180)=""/63, 0x3f}, {&(0x7f0000000240)=""/114, 0x72}, {&(0x7f0000000480)=""/222, 0xde}], 0x4, 0x0) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0xa) ioctl$TIOCLINUX4(r1, 0x541c, &(0x7f0000000040)) ioctl$VIDIOC_SUBDEV_G_FRAME_INTERVAL(r1, 0xc0305615, &(0x7f00000002c0)={0x0, {0x5, 0x5}}) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000580)=ANY=[@ANYBLOB="5b01000000000000000000006cf1ac31358a407fa6e716ca80f4b96f69e8818422c2d127ff715f48532735523a4db551eddd380e5ec822679067e5ef07ee58865cc54fab9a86de74716a060024f31467639f37ace55c714c6bd0f2799247a6a4a7eedcf8bba1b86357e2be554ff2f99a64718799e2e0f4d82850f255aa91af3cbef2740c5fa9db71892a457a9123dde6afa70b6fbb8d69c808f4a18a1d4707c6563fbfb10387065ff41d56184f4533105d96359607f088aadff0be"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000380)='\xc0K\xbd\x90I\xac\xe4\x88[\x83\x9c\xe4\xf6\x10\x93\x8c)\xf0\xb0K7\xaeS!\x98\x9bT\x06i\xb7\x80B\xd9z\xdd\xef-U)2o\x98t/j\x14,\x1b4\x18\xa5\xf9\xd8\xa2\xa6\xd4\x82^\xb0\xc7\xa2\x99 \xbe0\xf7\xf4\xf9@2uh\xe0I\xd3/\xa3\xe1\x91\xb3\x8av\xfc\xfd\xff\x91HG\xc8\x1e\x0exK\x96\x0e\xb0\xfe\x7f\xe5\xf8+\x9d,i\xe8\x19\x9f\xd8,\xa7\x13L\x15\x03%\x135w\xe8F\xea\x0ft\xac\x80Q\f\x83Q\xe8\x1e\x9d\x8c\xf2\x19y\x01\x84\x85\xd8\x16\xeeY\x9e\xd4\x18\x8a\xd8\xb9\xb2\xbf!\x01\r\x97gm\xd7-\x0e45\x92HV\xe2\f\xf4\xfd\x1a6tK\xd30\xb4\x86\x80\x87\x8b>\x01~\xf4w\x0f\x12\xfd\xc65\xff\x82*s\x85\x9f`8\xbf\xaar\xa8\xa8\xbf\x1e\xdf\xc4\x8bdAfM9-\xed\x8d\x8e\xf5bWcu\xeb', 0x0, 0x0) [ 367.901161][ T7807] binder: send failed reply for transaction 1499, target dead [ 367.934559][ T7807] binder: undelivered transaction 1502, process died. 15:42:20 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xd003, 0x0) 15:42:20 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0xfdfdffff}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4800000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:21 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xea03, 0x0) 15:42:21 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 368.217788][T10252] binder_alloc: binder_alloc_mmap_handler: 10207 20001000-20004000 already mapped failed -16 [ 368.251696][T10248] binder: BINDER_SET_CONTEXT_MGR already set 15:42:21 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff5, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000240)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x10000, 0x0) ioctl$KDGKBTYPE(r0, 0x4b33, &(0x7f00000001c0)) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000000200)={0x0, 0x0, r0}) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000000280)={r1, 0x80000, r0}) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x60102, 0x0) getsockname$unix(r2, &(0x7f0000000080)=@abs, &(0x7f0000000140)=0x6e) ioctl$SCSI_IOCTL_DOORLOCK(r2, 0x5380) 15:42:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$VIDIOC_G_DV_TIMINGS(r2, 0xc0845658, &(0x7f00000002c0)={0x0, @reserved}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) openat$vnet(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vhost-net\x00', 0x2, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) getsockopt$inet_udp_int(r2, 0x11, 0x65, &(0x7f0000000040), &(0x7f0000000080)=0x4) [ 368.289860][T10248] binder: 10237:10248 ioctl 40046207 0 returned -16 [ 368.289912][T10221] binder: BINDER_SET_CONTEXT_MGR already set 15:42:21 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xedc0, 0x0) [ 368.374209][ T12] binder: release 10207:10221 transaction 1504 out, still active [ 368.383618][T10252] binder_alloc: 10207: binder_alloc_buf, no vma [ 368.398206][ T12] binder: unexpected work type, 4, not freed [ 368.414246][ T12] binder: send failed reply for transaction 1504, target dead 15:42:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 368.432767][T10221] binder: 10207:10221 ioctl 40046207 0 returned -16 [ 368.451177][ T12] binder: undelivered transaction 1507, process died. [ 368.466804][T10252] binder_transaction: 1 callbacks suppressed [ 368.466823][T10252] binder: 10207:10252 transaction failed 29189/-3, size 24-0 line 3147 15:42:21 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf000, 0x0) 15:42:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0xfffffdfd}], 0x0}}}], 0x0, 0x0, 0x0}) [ 368.582635][ T12] binder_release_work: 18 callbacks suppressed [ 368.582643][ T12] binder: undelivered TRANSACTION_ERROR: 29189 15:42:21 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={r0}) getsockopt$inet_sctp6_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f0000000080), &(0x7f00000000c0)=0x4) 15:42:21 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KDGETLED(r2, 0x4b31, &(0x7f0000000000)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r2, 0x84, 0x7, &(0x7f0000000080), &(0x7f0000000140)=0x4) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 368.729603][T10549] binder: BINDER_SET_CONTEXT_MGR already set 15:42:21 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf603, 0x0) [ 368.770638][T10549] binder: 10532:10549 ioctl 40046207 0 returned -16 [ 368.833805][T10549] binder: BINDER_SET_CONTEXT_MGR already set [ 368.867446][T10549] binder: 10532:10549 ioctl 40046207 0 returned -16 15:42:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6000000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 368.883305][ T7756] binder_send_failed_reply: 7 callbacks suppressed [ 368.883315][ T7756] binder: send failed reply for transaction 1510 to 10469:10482 [ 368.904971][T10602] binder: 10532:10602 transaction failed 29189/-22, size 24-8 line 2994 [ 368.918278][ T7756] binder: send failed reply for transaction 1511 to 10532:10602 15:42:21 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x20000, 0x0) [ 368.950785][ T7756] binder: undelivered transaction 1514, process died. 15:42:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x100000000000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 369.004339][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.037996][ T7756] binder_release_work: 27 callbacks suppressed [ 369.038030][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 369.080416][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 369.105800][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.120447][T10793] binder: BINDER_SET_CONTEXT_MGR already set 15:42:22 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x989680, 0x0) [ 369.172793][T10793] binder: 10792:10793 ioctl 40046207 0 returned -16 [ 369.183263][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 369.189221][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x98, 0x0) ioctl$VT_GETMODE(r2, 0x5601, &(0x7f0000000040)) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:22 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) getsockopt$ARPT_SO_GET_REVISION_TARGET(r2, 0x0, 0x63, &(0x7f0000000400)={'ipvs\x00'}, &(0x7f0000000440)=0x1e) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f00000002c0)={0x0, 0x47, "b4a4665baf2e4cc9a477f7c4f0b99635fab9bf07ee232a6a989537b290308b01a59bc64cd1411f7398c285e82b0dd5e88825a29f4a1691b8b0f7f2fd1d8143fb1be65f6eea83cc"}, &(0x7f0000000000)=0x4f) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r2, 0x84, 0x6, &(0x7f0000000340)={r4, @in6={{0xa, 0x4e23, 0xd83c, @mcast2, 0xfffffffffffffff8}}}, &(0x7f0000000080)=0x84) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f0000000740)={0x1f, 0x3, 0x8200, 0x4d3, 0x262, 0x5, 0x80000001, 0x3, r5}, &(0x7f0000000780)=0x20) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000140)={r5, 0x1000100800001, 0x3}, 0x8) r6 = semget(0x3, 0x3, 0x10) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000480)={{{@in=@loopback, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in=@empty}}, &(0x7f0000000580)=0xe8) getresgid(&(0x7f00000005c0), &(0x7f0000000600)=0x0, &(0x7f0000000640)) r9 = geteuid() fstat(r0, &(0x7f0000000680)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) semctl$IPC_SET(r6, 0x0, 0x1, &(0x7f0000000700)={{0x7, r7, r8, r9, r10, 0x1, 0x3}, 0x7, 0x2, 0x1}) 15:42:22 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x1, 0x101040) mount(&(0x7f0000003d00)=@filename='./file0\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6800000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 369.230354][ T7756] binder: send failed reply for transaction 1517 to 10634:10641 [ 369.251829][T10819] binder_alloc: 10792: binder_alloc_buf, no vma [ 369.256562][ T7756] binder: send failed reply for transaction 1518 to 10792:10819 [ 369.288401][T10825] binder: BINDER_SET_CONTEXT_MGR already set [ 369.309878][ T7756] binder: undelivered transaction 1521, process died. [ 369.317057][T10819] binder: 10792:10819 transaction failed 29189/-3, size 24-8 line 3147 [ 369.327287][T10833] ceph: device name is missing path (no : separator in ./file0) 15:42:22 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0ffff, 0x0) [ 369.346254][T10825] binder: 10824:10825 ioctl 40046207 0 returned -16 [ 369.367490][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x200000000000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 369.393779][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 369.429315][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 369.468125][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:22 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1000000, 0x0) [ 369.500539][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 369.509699][T10998] binder_alloc_mmap_handler: 2 callbacks suppressed [ 369.509721][T10998] binder_alloc: binder_alloc_mmap_handler: 10963 20001000-20004000 already mapped failed -16 [ 369.536415][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.543166][T10998] binder: BINDER_SET_CONTEXT_MGR already set 15:42:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 369.573806][T11015] binder_alloc: 10963: binder_alloc_buf, no vma 15:42:22 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b64aaa6e8c9cd81cd623ac8"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 369.620221][ T7807] binder: release 10963:10971 transaction 1525 out, still active [ 369.631009][T10998] binder: 10963:10998 ioctl 40046207 0 returned -16 [ 369.645667][ T7807] binder: unexpected work type, 4, not freed [ 369.659787][T10971] binder_alloc: 10963: binder_alloc_buf, no vma 15:42:22 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x400000, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080), 0x4}}, 0x0, 0x0, r2, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f00000002c0)={{{@in6=@mcast2, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6}}, &(0x7f0000000140)=0xe8) r4 = getgid() fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', r3, r4, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 369.682048][T11054] binder: BINDER_SET_CONTEXT_MGR already set [ 369.683032][ T7807] binder: undelivered TRANSACTION_COMPLETE 15:42:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$CAPI_MANUFACTURER_CMD(r2, 0xc0084320, &(0x7f0000000140)={0x4, &(0x7f0000000000)="5f25e30898ec5db788593b50d04488722fb70efbe5fe45a0d12fb9ecba418c9014efd4be68059dcc6717e6196b88e633dda8fc0cd9b9a0b0bae1a604f1dc6760376a4f399b8f8da85426c1c564951a8094e1a40b4f0f7e1c90a572b4d1be3934ac8d35bcb8f25b7f2f14fe92184c8f7fcae7102905ebcf51e30f2e2bdbbcef5bf317aa813eb4c7a85bdd0ada13cdebcfaaa053ce3b7baa3949d642bc6ca82b8e46d47ca90c137a52307f11fa7e388f14f91c01a8cfd928"}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 369.727234][T11015] binder: 10963:11015 transaction failed 29189/-3, size 24-8 line 3147 [ 369.729947][T11054] binder: 11053:11054 ioctl 40046207 0 returned -16 [ 369.744493][T11058] ceph: device name is missing path (no : separator in [dª¦èÉÍÍb:È) [ 369.756786][ T7807] binder: undelivered TRANSACTION_COMPLETE [ 369.773730][T10971] binder: 10963:10971 transaction failed 29189/-3, size 24-0 line 3147 [ 369.791035][ T7756] binder: send failed reply for transaction 1525, target dead [ 369.803359][ T7756] binder: undelivered transaction 1528, process died. 15:42:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x1800000000000000}], 0x0}}}], 0x0, 0x0, 0x0}) [ 369.850055][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.881634][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 15:42:22 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000, 0x0) 15:42:22 executing program 1: r0 = syz_open_dev$media(&(0x7f0000000080)='/dev/media#\x00', 0x6, 0x0) getsockopt$inet_dccp_int(r0, 0x21, 0x1f, &(0x7f00000001c0), &(0x7f0000000140)=0x4) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::L:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) openat$apparmor_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0) mkdir(&(0x7f0000000180)='./file0\x00', 0x100) 15:42:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7400000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 370.009677][T11272] binder_alloc: binder_alloc_mmap_handler: 11270 20001000-20004000 already mapped failed -16 15:42:23 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getgroups(0x2, &(0x7f0000000080)=[0xffffffffffffffff, 0xee00]) getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@empty, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in=@dev}}, &(0x7f0000000140)=0xe8) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', r4, r3, 0x2) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) syz_extract_tcp_res$synack(&(0x7f0000000000), 0x1, 0x0) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 370.069857][T11271] binder: BINDER_SET_CONTEXT_MGR already set [ 370.108016][T11280] binder: BINDER_SET_CONTEXT_MGR already set [ 370.119369][T11271] binder: 11270:11271 ioctl 40046207 0 returned -16 [ 370.129626][T11280] binder: 11278:11280 ioctl 40046207 0 returned -16 [ 370.130352][T11284] libceph: resolve 'd' (ret=-3): failed 15:42:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$BLKSECTGET(r2, 0x1267, &(0x7f0000000000)) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 370.172018][T11272] binder_alloc: 11270: binder_alloc_buf, no vma [ 370.178149][T11284] libceph: parse_ips bad ip '[d::L' [ 370.182566][ T7756] binder: release 11270:11271 transaction 1532 out, still active [ 370.191390][ T7756] binder: unexpected work type, 4, not freed [ 370.202540][T11272] binder: 11270:11272 transaction failed 29189/-3, size 24-8 line 3147 [ 370.211078][T11283] binder_alloc: 11270: binder_alloc_buf, no vma 15:42:23 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3000000, 0x0) [ 370.259463][T11283] binder: 11270:11283 transaction failed 29189/-3, size 24-0 line 3147 [ 370.271751][ T7756] binder: undelivered TRANSACTION_COMPLETE 15:42:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0xfdfdffff00000000}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 370.311282][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 370.349186][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 15:42:23 executing program 1: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 370.396605][ T7756] binder: send failed reply for transaction 1532, target dead [ 370.437381][ T7756] binder: undelivered transaction 1535, process died. [ 370.448768][T11503] binder_alloc: binder_alloc_mmap_handler: 11497 20001000-20004000 already mapped failed -16 [ 370.459577][T11502] binder: BINDER_SET_CONTEXT_MGR already set [ 370.518464][T11502] binder: 11501:11502 ioctl 40046207 0 returned -16 [ 370.525422][T11498] binder: BINDER_SET_CONTEXT_MGR already set [ 370.561405][T11498] binder: 11497:11498 ioctl 40046207 0 returned -16 [ 370.561618][T11524] binder_alloc: 11497: binder_alloc_buf, no vma 15:42:23 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000, 0x0) [ 370.603812][T11524] binder: 11497:11524 transaction failed 29189/-3, size 24-8 line 3147 [ 370.613226][ T7807] binder: send failed reply for transaction 1539 to 11497:11498 [ 370.621133][ T7807] binder: undelivered transaction 1542, process died. 15:42:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x2}}], 0x0, 0x0, 0x0}) 15:42:23 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000000)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$RTC_EPOCH_SET(r2, 0x4004700e, 0x101) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xfdfdffff00000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$TUNSETLINK(r1, 0x400454cd, 0x320) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x1) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f00000002c0)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 370.784612][T11671] binder: 11662:11671 got transaction with unaligned buffers size, 2 [ 370.811874][T11692] binder: BINDER_SET_CONTEXT_MGR already set 15:42:23 executing program 1: bpf$OBJ_GET_MAP(0x7, &(0x7f0000000080)={&(0x7f0000000000)='./file0\x00'}, 0x10) r0 = syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x9, 0x80000) r1 = syz_open_dev$vcsa(&(0x7f00000001c0)='/dev/vcsa#\x00', 0x62, 0x80080) r2 = syz_genetlink_get_family_id$tipc(&(0x7f00000013c0)='TIPC\x00') sendmsg$TIPC_CMD_RESET_LINK_STATS(r1, &(0x7f0000001480)={&(0x7f0000001380)={0x10, 0x0, 0x0, 0xa0083000}, 0xc, &(0x7f0000001440)={&(0x7f0000001400)={0x30, r2, 0x100, 0x70bd2b, 0x25dfdbfc, {{}, 0x0, 0x410c, 0x0, {0x14, 0x14, 'broadcast-link\x00'}}, ["", "", ""]}, 0x30}, 0x1, 0x0, 0x0, 0x80}, 0x0) ioctl$EVIOCGNAME(r0, 0x80404506, &(0x7f0000000240)=""/4096) mkdir(&(0x7f0000000140)='./file0/file0\x00', 0x10) fstat(r0, &(0x7f0000001240)={0x0, 0x0, 0x0, 0x0, 0x0}) quotactl(0xba3b, &(0x7f0000000180)='./file0\x00', r3, &(0x7f00000012c0)="3e5b182b897429fcb5d6e49bfad9a957cbac14da0dc539aae1fc8f09e099bbfb0a9ab811ded3f7cb3e546050d1dc3c6014caba9a930d2962ebf0d989e27254dfe8dd74725e4d866c9173741833978a01f17075031a941cf64afa2b12f4f23d2eb9f9aed64584c1bc40afdd62fec309d4154c14c612676d27cc443cae1efbd418279160ece1d53a00") clone(0x22000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b8a537e4a3a2f6c05003a00"], &(0x7f0000000200)='./file0\x00', &(0x7f00000000c0)='ceph\x00', 0xfffffffffffffffd, 0x0) [ 370.847024][T11692] binder: 11674:11692 ioctl 40046207 0 returned -16 [ 370.857810][T11671] binder: 11662:11671 transaction failed 29201/-22, size 24-0 line 3210 [ 370.914897][T11751] binder_alloc: binder_alloc_mmap_handler: 11662 20001000-20004000 already mapped failed -16 15:42:23 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x5000000, 0x0) 15:42:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630b, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 371.053801][T11751] binder_alloc: 11662: binder_alloc_buf, no vma 15:42:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0x80047601, &(0x7f0000000000)) [ 371.100688][T11879] binder: BINDER_SET_CONTEXT_MGR already set [ 371.104813][T11751] binder: 11662:11751 transaction failed 29189/-3, size 24-8 line 3147 [ 371.123645][T26837] binder: send failed reply for transaction 1545 to 11662:11671 [ 371.131893][T11879] binder: 11878:11879 ioctl 40046207 0 returned -16 15:42:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x18}}], 0x0, 0x0, 0x0}) 15:42:24 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x8, 0x4000) r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_REMOTE_MNG(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x1008400}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, r1, 0x14, 0x70bd2a, 0x25dfdbff, {}, ["", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000000}, 0x20000000) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:24 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x6000000, 0x0) [ 371.309662][T12037] binder_alloc: binder_alloc_mmap_handler: 12015 20001000-20004000 already mapped failed -16 15:42:24 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x0, 0x0) ioctl$EVIOCREVOKE(r2, 0x40044591, &(0x7f0000000140)=0x9) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630c, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 371.354375][T12028] binder: BINDER_SET_CONTEXT_MGR already set [ 371.385295][T12028] binder: 12015:12028 ioctl 40046207 0 returned -16 [ 371.442528][T26837] binder: send failed reply for transaction 1552 to 12015:12028 [ 371.450253][T26837] binder: undelivered transaction 1555, process died. 15:42:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x1800}}], 0x0, 0x0, 0x0}) [ 371.500020][T12072] binder: 12071:12072 unknown command 0 [ 371.525019][T12072] binder: 12071:12072 ioctl c0306201 200002c0 returned -22 [ 371.603966][T12113] binder: BINDER_SET_CONTEXT_MGR already set [ 371.631088][T12113] binder: 12104:12113 ioctl 40046207 0 returned -16 [ 371.670224][T12255] binder_alloc: binder_alloc_mmap_handler: 12104 20001000-20004000 already mapped failed -16 15:42:24 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7000000, 0x0) 15:42:24 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) [ 371.716984][T12113] binder: BINDER_SET_CONTEXT_MGR already set 15:42:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630d, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 371.773275][T12113] binder: 12104:12113 ioctl 40046207 0 returned -16 [ 371.785046][ T7756] binder: release 12104:12288 transaction 1562 out, still active [ 371.806277][ T7756] binder: unexpected work type, 4, not freed 15:42:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x1000000}}], 0x0, 0x0, 0x0}) 15:42:24 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000980)) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) preadv(r3, &(0x7f0000000940)=[{&(0x7f0000000600)=""/227, 0xe3}, {&(0x7f0000000700)=""/173, 0xad}, {&(0x7f00000007c0)=""/236, 0xec}, {&(0x7f00000008c0)=""/95, 0x5f}, {&(0x7f0000000140)=""/39, 0x27}], 0x5, 0x0) ioctl$sock_SIOCGPGRP(r3, 0x8904, &(0x7f0000000340)=0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000000380)={{{@in=@loopback, @in6=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@empty}}, &(0x7f0000000480)=0xe8) lstat(&(0x7f00000004c0)='./file0\x00', &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmsg$unix(r3, &(0x7f00000005c0)={&(0x7f0000000000)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f0000000300)=[{&(0x7f0000000080)="eacaa7f5e123", 0x6}, {&(0x7f0000000140)}, {&(0x7f00000002c0)="57d11eb33c900b570575280eb61dc37ab8d7d048a8605a2171d7f2da7fbefc", 0x1f}], 0x3, &(0x7f0000000580)=[@rights={0x1c, 0x1, 0x1, [r1, r2, r0, r4]}, @cred={0x18, 0x1, 0x2, r5, r6, r7}], 0x34, 0x80}, 0x20000000) [ 371.833559][ T7756] binder: release 12104:12113 transaction 1558 out, still active [ 371.852055][T12297] binder: BINDER_SET_CONTEXT_MGR already set [ 371.857451][ T7756] binder: unexpected work type, 4, not freed 15:42:24 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x7, 0x200) setsockopt$IP_VS_SO_SET_STOPDAEMON(r1, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'dummy0\x00', 0x2}, 0x18) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) [ 371.921681][T12297] binder: 12296:12297 ioctl 40046207 0 returned -16 [ 371.921752][ T7756] binder: send failed reply for transaction 1557 to 12071:12072 [ 371.978611][ T7756] binder: send failed reply for transaction 1558, target dead [ 371.986375][T12332] binder_alloc: binder_alloc_mmap_handler: 12305 20001000-20004000 already mapped failed -16 [ 371.990643][ T7756] binder: send failed reply for transaction 1562, target dead [ 372.025537][T12314] binder: BINDER_SET_CONTEXT_MGR already set [ 372.038267][T12314] binder: 12305:12314 ioctl 40046207 0 returned -16 [ 372.038529][T12332] binder_alloc: 12305: binder_alloc_buf, no vma [ 372.062647][T12314] binder_alloc: 12305: binder_alloc_buf, no vma [ 372.069464][ T7807] binder: release 12305:12314 transaction 1566 out, still active 15:42:25 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8000000, 0x0) [ 372.082549][ T7807] binder: unexpected work type, 4, not freed [ 372.107699][ T7807] binder: send failed reply for transaction 1566, target dead 15:42:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x2000000}}], 0x0, 0x0, 0x0}) 15:42:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046302, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:25 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.evm\x00', &(0x7f0000000140)=@v1={0x2, "3af05789ad8ac46c134b0e5b65"}, 0xe, 0x1) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:25 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = syz_open_dev$usbmon(&(0x7f00000000c0)='/dev/usbmon#\x00', 0x47, 0x40000) ioctl$KVM_REINJECT_CONTROL(r0, 0xae71, &(0x7f0000000240)={0x2}) getxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)=@known='system.advise\x00', &(0x7f0000000140)=""/130, 0x82) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 372.311873][T12519] binder: BC_ACQUIRE_RESULT not supported [ 372.326683][T12530] binder: BINDER_SET_CONTEXT_MGR already set [ 372.341730][T12519] binder: 12500:12519 ioctl c0306201 200002c0 returned -22 [ 372.350737][T12530] binder: 12529:12530 ioctl 40046207 0 returned -16 [ 372.403602][T12533] binder_alloc: binder_alloc_mmap_handler: 12529 20001000-20004000 already mapped failed -16 15:42:25 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa000000, 0x0) [ 372.449262][T12530] binder: BINDER_SET_CONTEXT_MGR already set [ 372.463280][T12530] binder: 12529:12530 ioctl 40046207 0 returned -16 [ 372.509468][ T7756] binder: release 12529:12533 transaction 1578 out, still active 15:42:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x18000000}}], 0x0, 0x0, 0x0}) 15:42:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046304, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 372.555375][ T7756] binder: unexpected work type, 4, not freed [ 372.564669][ T7756] binder: release 12529:12533 transaction 1574 out, still active [ 372.580439][ T7756] binder: unexpected work type, 4, not freed [ 372.594491][ T7756] binder: send failed reply for transaction 1573 to 12500:12519 [ 372.611397][ T7756] binder: send failed reply for transaction 1574, target dead [ 372.640797][ T7756] binder: send failed reply for transaction 1578, target dead [ 372.665161][T12698] binder: BINDER_SET_CONTEXT_MGR already set [ 372.674051][T12700] binder_alloc: binder_alloc_mmap_handler: 12660 20001000-20004000 already mapped failed -16 [ 372.679651][T12698] binder: 12677:12698 ioctl 40046207 0 returned -16 15:42:25 executing program 5: r0 = openat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x8800, 0x10) getsockopt$inet_sctp6_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f00000002c0), &(0x7f0000000300)=0x4) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = syz_open_dev$radio(&(0x7f0000000340)='/dev/radio#\x00', 0x2, 0x2) epoll_wait(r3, &(0x7f0000000380)=[{}, {}, {}], 0x3, 0x400) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getsockname$inet6(r4, &(0x7f0000000400)={0xa, 0x0, 0x0, @empty}, &(0x7f0000000440)=0x1c) r5 = getegid() r6 = geteuid() fchownat(r4, &(0x7f0000000080)='./file0\x00', r6, r5, 0x1400) r7 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f00000003c0)=@int=0x8, 0x4) getsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r4, 0x84, 0x8, &(0x7f0000000040), &(0x7f0000000140)=0x4) ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r7, 0xae80, 0x0) [ 372.712696][T12681] binder: BINDER_SET_CONTEXT_MGR already set 15:42:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x1, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000040)={0x7}) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) openat$cuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cuse\x00', 0x2, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$int_out(r1, 0x5462, &(0x7f0000000080)) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_SET_GSI_ROUTING(r2, 0x4008ae6a, &(0x7f00000003c0)=ANY=[@ANYBLOB="04000000000000000080000002000000000000000000000000000000000000800000000000000000000000000000000000000000000000000000008007002000000000000000000003000000001000000000000000ffeb0000000000000000000000000000000000000000000100000000000000000000000600000000000000040000000000000003000000000000000700000000000c0008000000020000000000000000000000b20d0000fba300000000000000000000000000000000000000000000000000008f84d55ad7ef2520e6281590455a454fe19c53603ee746ac1c742a0b3f5eb88fac4564473c68e823"]) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:25 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = syz_open_dev$dspn(&(0x7f0000000180)='/dev/dsp#\x00', 0x9, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000040)=0x0) ioctl$TIOCSPGRP(r0, 0x5410, &(0x7f00000002c0)=r1) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffff9c, 0x84, 0x6f, &(0x7f00000001c0)={0x0, 0x68, &(0x7f0000000380)=[@in6={0xa, 0x4e23, 0x40, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x1000}, @in={0x2, 0x4e21, @broadcast}, @in6={0xa, 0x4e24, 0x2, @empty, 0x8}, @in={0x2, 0x4e21, @rand_addr=0x4}, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x23}}]}, &(0x7f0000000400)=0xc) setsockopt$inet_sctp_SCTP_AUTH_DELETE_KEY(r0, 0x84, 0x19, &(0x7f0000000240)={r2, 0xfffffffffffffffb}, 0x8) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f0000000440)={r2, 0x4, 0x10, 0xffffffff, 0x1}, &(0x7f0000000480)=0x18) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000000)={0x0}, &(0x7f0000000080)=0xc) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r0, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000600)=0x4) setsockopt$inet_sctp6_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f00000004c0)=@sack_info={r2, 0x7}, 0xc) r4 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x0, 0x0) setsockopt$inet6_tcp_TCP_MD5SIG(r4, 0x6, 0xe, &(0x7f0000000500)={@in6={{0xa, 0x4e22, 0x3, @mcast1, 0x2}}, 0x0, 0x8000, 0x0, "2050b2f3d678c5185f83b758e15b34b1efc454679e5fab66f5f4939f5a225898c4b0aba5d14b57df0636f35f06cf5bd8d3746adf38c2372a1aae9cd27118156f39574503e2dca131dd2ae7049a0a5a52"}, 0x23c) sched_getattr(r3, &(0x7f00000000c0), 0x30, 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000280)=ANY=[@ANYBLOB="f63f3b214a16b23c6cdf42b1d5dc4f4e913efc92f0ac8e5064c8750983e8616c90f34e7517"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:25 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x20000000, 0x0) [ 372.820374][T12681] binder: 12660:12681 ioctl 40046207 0 returned -16 15:42:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046307, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 372.862568][T12850] binder_alloc: 12660: binder_alloc_buf, no vma [ 372.883528][T12865] ceph: device name is missing path (no : separator in ö?;!J²ü’ð¬ŽPdÈu ƒèalóNu) [ 372.895748][T26837] binder: send failed reply for transaction 1582 to 12660:12681 15:42:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0xfdfdffff}}], 0x0, 0x0, 0x0}) [ 373.011606][T12916] binder: 12901:12916 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 373.044185][T12948] binder: BINDER_SET_CONTEXT_MGR already set [ 373.062813][T12916] binder: 12901:12916 unknown command 0 [ 373.090475][T12948] binder: 12946:12948 ioctl 40046207 0 returned -16 15:42:26 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) removexattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000380)=ANY=[@ANYBLOB="73656375726974792e2176626f786e6574302800c684b8d027cb346c88652b1e56f603d00c504f8905bedd821d0a9ffecb87707ba5c668b58a7757c4fff824f3a93b16226dec69a868077a728564df644d842f3affbad8d7c2d10bc3aa8ffce8d4f6e0a1f18894330b2c60db164b433e350c37d982ee1973bb08fbf52b259cc096ceb0846aab10cb3a943402ebf87e823c0ae556a5b941971b27800911be10e58f0747e762c68ba752012c87d4431fa9691228345da04c3f9fd350f21ea67d814e7c0923df76907a74c9ee3681969d4aff8c8dd4874a338fe20f6d50dfa822c7ad500e3808c3c33427aca3d29b2747ee2608dad85891955abf1b06834c589ea989fad63e65b32f86d83e050509000007a36cfb3423da8d87"]) [ 373.109270][T12916] binder: 12901:12916 ioctl c0306201 200002c0 returned -22 15:42:26 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x20100000, 0x0) [ 373.147945][T12980] binder_alloc: binder_alloc_mmap_handler: 12946 20001000-20004000 already mapped failed -16 [ 373.187719][ T5] binder: release 12946:12948 transaction 1593 out, still active [ 373.230448][ T5] binder: unexpected work type, 4, not freed 15:42:26 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x10000, 0x0) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0xfffffdfd}}], 0x0, 0x0, 0x0}) [ 373.270570][ T5] binder: release 12946:12980 transaction 1589 out, still active [ 373.281230][ T5] binder: unexpected work type, 4, not freed [ 373.343878][T13141] binder: BINDER_SET_CONTEXT_MGR already set 15:42:26 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x24010000, 0x0) 15:42:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40086303, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 373.389242][T13141] binder: 13140:13141 ioctl 40046207 0 returned -16 [ 373.424881][T26837] binder: send failed reply for transaction 1589, target dead [ 373.447990][T26837] binder: send failed reply for transaction 1593, target dead [ 373.475423][T13209] binder_transaction: 9 callbacks suppressed [ 373.475440][T13209] binder: 13140:13209 transaction failed 29189/-22, size 24-8 line 2994 15:42:26 executing program 1: r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x400040, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r0, 0x4010ae67, &(0x7f00000000c0)={0x0, 0x1000}) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4000) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, &(0x7f0000000140)={0xff, 0xdaafb0179691a77c, 'client1\x00', 0xffffffff80000000, "79debe2afae7eb0c", "d50ad35a4b8c379f601bf21bd5a0fd5f56da37ad02113fe2db8e7bef71ce28cc", 0x4, 0xac}) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r1, 0x84, 0x74, &(0x7f0000000240)=""/142, &(0x7f0000000300)=0x8e) [ 373.520207][T13141] binder: 13140:13141 transaction failed 29189/-22, size 24-0 line 2994 [ 373.544904][T13212] binder: 13211:13212 BC_FREE_BUFFER u0000000000000000 no match 15:42:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0x1f, 0x280400) r2 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080)='SEG6\x00') sendmsg$SEG6_CMD_SETHMAC(r1, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x40000040}, 0xc, &(0x7f00000002c0)={&(0x7f0000000140)={0x38, r2, 0x420, 0x70bd29, 0x7, {}, [@SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x5}, @SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x4}, @SEG6_ATTR_DST={0x14, 0x1, @initdev={0xfe, 0x88, [], 0x1, 0x0}}]}, 0x38}, 0x1, 0x0, 0x0, 0x800}, 0xc010) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000ffb000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 373.603414][T13212] binder: 13211:13212 unknown command 0 [ 373.610559][T13212] binder: 13211:13212 ioctl c0306201 200002c0 returned -22 [ 373.615116][T13209] binder: BINDER_SET_CONTEXT_MGR already set [ 373.640802][T26837] binder_release_work: 20 callbacks suppressed [ 373.640809][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 373.686200][T13209] binder: 13140:13209 ioctl 40046207 0 returned -16 [ 373.708985][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 373.740742][T26837] binder: release 13140:13221 transaction 1600 out, still active 15:42:26 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f000000, 0x0) [ 373.795957][T26837] binder: unexpected work type, 4, not freed 15:42:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x100000000000000}}], 0x0, 0x0, 0x0}) 15:42:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x4008630a, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 373.846807][T26837] binder: send failed reply for transaction 1600, target dead [ 373.908985][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 373.918463][T13429] binder: 13428:13429 transaction failed 29201/-28, size 24-0 line 3147 [ 373.934445][T13434] binder: BINDER_SET_CONTEXT_MGR already set 15:42:26 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x1000000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socket$inet6_tcp(0xa, 0x1, 0x0) mount(&(0x7f0000000240)=ANY=[@ANYBLOB="5b32770d0300000000000000623a008f9b84a71ed1cf505a0bad094b69fc574ff62e48ffe47f3e5ee022eab885a2ef85436260074efd15673be8b837e05a66d669f33ff61b4a27bb023edebc5f57083571ef81775fb3e37b2573245e5a9f940b70c6ce9d0f1902a2a9ed3077b8bf04f94dd23670f0aac33d83bb6e65366b6c1183899a987a34391a106715e4c4019008df4c2753625415514b04aae5f96fd3f2e19687562d86abfd26d3b2dcf8fdd508c7d4f263beb712f6ece2f04de85b98152f1f1cdfe0a715ec6a16949182b12bf52fb6c88b810a699aebf9a61b30d55ab64393de2c1a24"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 373.954201][T13434] binder: 13430:13434 ioctl 40046207 0 returned -16 [ 373.978606][T13429] binder: BINDER_SET_CONTEXT_MGR already set [ 373.998157][T13440] binder_alloc: 13428: binder_alloc_buf, no vma [ 374.005422][T13429] binder: 13428:13429 ioctl 40046207 0 returned -16 [ 374.012206][T13440] binder: 13428:13440 transaction failed 29189/-3, size 24-8 line 3147 [ 374.020937][ T17] binder: release 13428:13429 transaction 1604 out, still active [ 374.031789][ T17] binder: unexpected work type, 4, not freed [ 374.044736][ T17] binder_release_work: 18 callbacks suppressed [ 374.044742][ T17] binder: undelivered TRANSACTION_COMPLETE 15:42:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x200000000000000}}], 0x0, 0x0, 0x0}) 15:42:27 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$KVM_ASSIGN_SET_MSIX_NR(r1, 0x4008ae73, &(0x7f0000000140)={0x1f, 0xff}) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getgid() r4 = getgid() fchownat(0xffffffffffffffff, &(0x7f0000000340)='./file0\x00', 0x0, r4, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f00000002c0)={0x0, 0x3b, "4e94ec3ae6409498d4d1e76095fef3fc6a8798ce8953da8bfd2ce018be447714f1afb75dabe4986f4e50b39bcc4252831a4a66b28e1fa29885d2e3"}, &(0x7f0000000000)=0x43) setsockopt$inet_sctp6_SCTP_AUTH_DEACTIVATE_KEY(r3, 0x84, 0x23, &(0x7f0000000080)={r6, 0x3}, 0x8) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$CAPI_NCCI_OPENCOUNT(r3, 0x80044326, &(0x7f0000000040)=0x3) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) 15:42:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x200200, 0x0) getsockopt$packet_buf(r1, 0x107, 0x7, &(0x7f00000002c0)=""/156, &(0x7f0000000040)=0x9c) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 374.063902][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 374.080408][ T17] binder: undelivered TRANSACTION_ERROR: 29189 15:42:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40086310, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 374.127766][ T17] binder: send failed reply for transaction 1604, target dead [ 374.160023][T13590] binder: 13577:13590 transaction failed 29201/-28, size 24-0 line 3147 15:42:27 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x40000000, 0x0) [ 374.214816][T13624] binder: BINDER_SET_CONTEXT_MGR already set 15:42:27 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='\x00\x00\x00\x00\x00', 0x0, 0x0) [ 374.262807][T13590] binder: BINDER_SET_CONTEXT_MGR already set [ 374.262852][T13647] binder_alloc: 13577: binder_alloc_buf, no vma [ 374.278872][T13624] binder: 13620:13624 ioctl 40046207 0 returned -16 [ 374.308385][T13590] binder: 13577:13590 ioctl 40046207 0 returned -16 [ 374.320492][ T17] binder_send_failed_reply: 2 callbacks suppressed [ 374.320503][ T17] binder: send failed reply for transaction 1610 to 13577:13590 [ 374.336312][ T17] binder: undelivered TRANSACTION_COMPLETE [ 374.342858][ T17] binder: undelivered TRANSACTION_ERROR: 29201 15:42:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x1800000000000000}}], 0x0, 0x0, 0x0}) 15:42:27 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socket$bt_bnep(0x1f, 0x3, 0x4) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e22, @local}}, 0xaa69, 0xd3f9, 0x7fffffff, 0x7fffffff, 0xc1}, &(0x7f0000000000)=0x98) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000380)={r4, @in={{0x2, 0x4e21, @remote}}, 0x8, 0x5, 0xfffffffffffffffc, 0x2, 0xa}, &(0x7f0000000080)=0x98) [ 374.356221][T13647] binder: 13577:13647 transaction failed 29189/-3, size 24-8 line 3147 [ 374.357866][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 374.388871][ T17] binder: undelivered TRANSACTION_ERROR: 29189 15:42:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x400c630e, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 374.491886][T13835] binder: 13834:13835 transaction failed 29201/-28, size 24-0 line 3147 15:42:27 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x78030000, 0x0) 15:42:27 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000380)=ANY=[@ANYBLOB='[d::]:/lnb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x9, 0x20002) recvmsg(r0, &(0x7f0000000300)={&(0x7f0000000080)=@hci, 0x80, &(0x7f00000001c0)=[{&(0x7f0000000140)}, {&(0x7f0000000180)=""/35, 0x23}], 0x2, &(0x7f0000000240)=""/152, 0x98}, 0x2) 15:42:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000140)={0x0}, &(0x7f00000003c0)=0xc) write$FUSE_LK(r2, &(0x7f0000000400)={0x28, 0x0, 0x4, {{0x4b5a, 0x6, 0x0, r4}}}, 0x28) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f00000002c0)={{{@in=@dev, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in6=@ipv4={[], [], @empty}}}, &(0x7f0000000040)=0xe8) bind$packet(r5, &(0x7f0000000080)={0x11, 0x1c, r6, 0x1, 0x7}, 0x14) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c8, 0x0, 0x0, 0x0, 0x7fffffffff], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 374.564558][T13878] binder: BINDER_SET_CONTEXT_MGR already set [ 374.586475][T13881] binder_alloc_mmap_handler: 3 callbacks suppressed [ 374.586493][T13881] binder_alloc: binder_alloc_mmap_handler: 13834 20001000-20004000 already mapped failed -16 [ 374.627109][T13878] binder: 13877:13878 ioctl 40046207 0 returned -16 [ 374.656903][T13835] binder: BINDER_SET_CONTEXT_MGR already set [ 374.719740][T13835] binder: 13834:13835 ioctl 40046207 0 returned -16 [ 374.719763][T13983] binder_alloc: 13834: binder_alloc_buf, no vma 15:42:27 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7a020000, 0x0) 15:42:27 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$VIDIOC_QUERYSTD(r2, 0x8008563f, &(0x7f0000000000)) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 374.765261][T13983] binder: 13834:13983 transaction failed 29189/-3, size 24-8 line 3147 [ 374.769765][ T7807] binder: release 13834:13835 transaction 1616 out, still active [ 374.782173][ T7807] binder: unexpected work type, 4, not freed 15:42:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x400c630f, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 374.806043][ T7807] binder: undelivered TRANSACTION_COMPLETE [ 374.811943][ T7807] binder: undelivered TRANSACTION_ERROR: 29201 15:42:27 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7c030000, 0x0) 15:42:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0xfdfdffff00000000}}], 0x0, 0x0, 0x0}) [ 374.883699][T14034] binder: BINDER_SET_CONTEXT_MGR already set [ 374.922996][T14034] binder: 14033:14034 ioctl 40046207 0 returned -16 [ 374.926709][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 374.953091][ T7807] binder: send failed reply for transaction 1616, target dead [ 374.992634][T14105] binder: 14082:14105 transaction failed 29201/-28, size 24-0 line 3147 15:42:28 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x80010000, 0x0) 15:42:28 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x20) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x400080, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000240)={{{@in6=@mcast1, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@initdev}, 0x0, @in=@empty}}, &(0x7f00000000c0)=0xe8) sendmsg$nl_route(r0, &(0x7f0000000380)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x5000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)=@ipv4_getaddr={0x58, 0x16, 0x100, 0x70bd2b, 0x25dfdbfe, {0x2, 0x38, 0x10, 0x0, r1}, [@IFA_LABEL={0x14, 0x3, 'veth0\x00'}, @IFA_ADDRESS={0x8, 0x1, @rand_addr=0x4}, @IFA_BROADCAST={0x8, 0x4, @multicast2}, @IFA_ADDRESS={0x8, 0x1, @initdev={0xac, 0x1e, 0x0, 0x0}}, @IFA_LABEL={0x14, 0x3, 'ip6gretap0\x00'}]}, 0x58}}, 0x4004000) r2 = epoll_create1(0x0) r3 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r3, &(0x7f0000000040)) setsockopt$inet_mreqn(r0, 0x0, 0x0, &(0x7f00000003c0)={@multicast1, @remote, r1}, 0xc) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 375.058478][T14177] binder_alloc: binder_alloc_mmap_handler: 14082 20001000-20004000 already mapped failed -16 15:42:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40106308, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 375.109003][T14105] binder: BINDER_SET_CONTEXT_MGR already set 15:42:28 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) fsetxattr$security_smack_transmute(r0, &(0x7f0000000300)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000340)='TRUE', 0x4, 0x1) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000080)={0xffffffffffffffff}, 0x13f, 0x6}}, 0x20) write$RDMA_USER_CM_CMD_NOTIFY(r2, &(0x7f00000002c0)={0xf, 0x8, 0xfa00, {r4, 0x8}}, 0x10) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5], 0x1f000}) ioctl$KVM_DEASSIGN_PCI_DEVICE(r2, 0x4040ae72, &(0x7f0000000000)={0x6, 0x0, 0x7, 0x4, 0x1}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:28 executing program 0: r0 = openat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x404800, 0x164) ioctl$KVM_GET_NESTED_STATE(r0, 0xc080aebe, &(0x7f00000002c0)={0x0, 0x0, 0x2080}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$sock_SIOCBRADDBR(r0, 0x89a0, &(0x7f0000000040)='veth1_to_team\x00') ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 375.155077][T14105] binder: 14082:14105 ioctl 40046207 0 returned -16 15:42:28 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x80969800, 0x0) [ 375.213974][ T7756] binder: release 14082:14105 transaction 1622 out, still active [ 375.221934][ T7756] binder: unexpected work type, 4, not freed [ 375.239624][T14231] binder: BINDER_SET_CONTEXT_MGR already set 15:42:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x2, 0x0, 0x0}) [ 375.273344][T14231] binder: 14230:14231 ioctl 40046207 0 returned -16 [ 375.280687][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 375.299451][ T7756] binder: send failed reply for transaction 1622, target dead [ 375.328690][T14231] binder: 14230:14231 transaction failed 29189/-22, size 0-0 line 2994 15:42:28 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8cffffff, 0x0) [ 375.406131][T14265] binder: 14253:14265 ioctl c0306201 200002c0 returned -14 15:42:28 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) recvmmsg(0xffffffffffffff9c, &(0x7f0000004ec0)=[{{&(0x7f00000002c0), 0x80, &(0x7f0000000080)=[{&(0x7f0000000340)=""/218, 0xda}, {&(0x7f0000000440)=""/4096, 0x1000}, {&(0x7f0000001440)=""/87, 0x57}, {&(0x7f00000014c0)=""/140, 0x8c}, {&(0x7f0000000000)=""/28, 0x1c}], 0x5, &(0x7f0000001580)=""/111, 0x6f}, 0x8}, {{&(0x7f0000001600)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, 0x80, &(0x7f0000000140)=[{&(0x7f0000001680)=""/210, 0xd2}, {&(0x7f0000001780)=""/144, 0x90}, {&(0x7f0000001840)=""/82, 0x52}, {&(0x7f00000018c0)=""/93, 0x5d}, {&(0x7f0000001940)=""/214, 0xd6}, {&(0x7f0000001a40)=""/128, 0x80}, {&(0x7f0000001ac0)=""/187, 0xbb}], 0x7, &(0x7f0000001b80)=""/36, 0x24}, 0x400000000}, {{&(0x7f0000001bc0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x80, &(0x7f0000002f00)=[{&(0x7f0000001c40)=""/85, 0x55}, {&(0x7f0000001cc0)=""/4096, 0x1000}, {&(0x7f0000002cc0)=""/82, 0x52}, {&(0x7f0000002d40)=""/221, 0xdd}, {&(0x7f0000002e40)=""/185, 0xb9}], 0x5, &(0x7f0000002f40)=""/221, 0xdd}, 0x1}, {{&(0x7f0000003040)=@hci, 0x80, &(0x7f0000003380)=[{&(0x7f00000030c0)}, {&(0x7f0000003100)=""/231, 0xe7}, {&(0x7f0000003200)=""/78, 0x4e}, {&(0x7f0000003280)=""/243, 0xf3}], 0x4, &(0x7f00000033c0)=""/64, 0x40}, 0x1}, {{&(0x7f0000003400)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @multicast2}}}, 0x80, &(0x7f0000003640)=[{&(0x7f0000003480)=""/1, 0x1}, {&(0x7f00000034c0)=""/232, 0xe8}, {&(0x7f00000035c0)=""/112, 0x70}], 0x3, &(0x7f0000003680)=""/159, 0x9f}, 0x944}, {{0x0, 0x0, &(0x7f0000004ac0)=[{&(0x7f0000003740)=""/152, 0x98}, {&(0x7f0000003800)=""/190, 0xbe}, {&(0x7f00000038c0)=""/34, 0x22}, {&(0x7f0000003900)=""/32, 0x20}, {&(0x7f0000003940)=""/207, 0xcf}, {&(0x7f0000003a40)=""/62, 0x3e}, {&(0x7f0000003a80)=""/6, 0x6}, {&(0x7f0000003ac0)=""/4096, 0x1000}], 0x8, &(0x7f0000004b00)=""/3, 0x3}, 0x7}, {{&(0x7f0000004b40)=@pptp={0x18, 0x2, {0x0, @initdev}}, 0x80, &(0x7f0000004dc0)=[{&(0x7f0000004bc0)=""/78, 0x4e}, {&(0x7f0000004c40)=""/95, 0x5f}, {&(0x7f0000004cc0)=""/22, 0x16}, {&(0x7f0000004d00)=""/187, 0xbb}], 0x4, &(0x7f0000004e00)=""/184, 0xb8}, 0x1}], 0x7, 0x10000, &(0x7f0000004fc0)) getsockopt$inet_tcp_buf(r2, 0x6, 0xb, &(0x7f0000005000)=""/198, &(0x7f0000005100)=0xc6) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 375.478706][T14345] binder_alloc: binder_alloc_mmap_handler: 14253 20001000-20004000 already mapped failed -16 15:42:28 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xb8030000, 0x0) [ 375.582896][T14445] binder_alloc: 14253: binder_alloc_buf, no vma 15:42:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x40, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(r2, 0x29, 0x2a, &(0x7f00000002c0)={0x9, {{0xa, 0x4e24, 0x5, @mcast2, 0x980f}}}, 0x84) linkat(r2, &(0x7f0000000040)='./file0\x00', r2, &(0x7f0000000080)='./file0\x00', 0x400) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40106309, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:28 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x8, 0x10000) bind$isdn_base(r0, &(0x7f0000000080)={0x22, 0x201736c4, 0x8, 0x4, 0x4}, 0x6) [ 375.624357][ T5] binder: release 14253:14265 transaction 1628 out, still active [ 375.645007][ T5] binder: unexpected work type, 4, not freed [ 375.651040][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:28 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xc0ed0000, 0x0) 15:42:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x18, 0x0, 0x0}) [ 375.727210][T14463] binder: BINDER_SET_CONTEXT_MGR already set [ 375.739407][ T5] binder: undelivered TRANSACTION_COMPLETE [ 375.775194][T14463] binder: 14462:14463 ioctl 40046207 0 returned -16 [ 375.786658][ T5] binder: send failed reply for transaction 1628, target dead [ 375.816415][ T5] binder: undelivered transaction 1631, process died. [ 375.836643][T14474] binder: 14473:14474 ioctl c0306201 200002c0 returned -14 15:42:28 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) eventfd(0x4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 375.891183][T14572] binder_alloc: binder_alloc_mmap_handler: 14473 20001000-20004000 already mapped failed -16 [ 375.958423][T14474] binder: BINDER_SET_CONTEXT_MGR already set [ 375.998434][T14474] binder: 14473:14474 ioctl 40046207 0 returned -16 [ 375.998524][T14675] binder_alloc: 14473: binder_alloc_buf, no vma 15:42:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:29 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca000000, 0x0) [ 376.043626][ T5] binder: release 14473:14474 transaction 1634 out, still active [ 376.051538][ T5] binder: unexpected work type, 4, not freed [ 376.072199][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x1800, 0x0, 0x0}) 15:42:29 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x48900, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000080)={0xd, 0x4, 0xff, 0x2, 0x0, r0, 0x81}, 0x2c) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:?llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) ioctl$LOOP_SET_DIRECT_IO(r0, 0x4c08, 0xf6) setsockopt$IP_VS_SO_SET_FLUSH(r0, 0x0, 0x485, 0x0, 0x0) [ 376.136243][ T5] binder: undelivered TRANSACTION_COMPLETE [ 376.147482][T14686] binder: BINDER_SET_CONTEXT_MGR already set [ 376.212704][T14686] binder: 14685:14686 ioctl 40046207 0 returned -16 [ 376.212806][ T5] binder: send failed reply for transaction 1634, target dead 15:42:29 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xd0030000, 0x0) [ 376.255663][T14698] binder: 14697:14698 ioctl c0306201 200002c0 returned -14 [ 376.268647][ T5] binder: undelivered transaction 1637, process died. [ 376.283258][T14723] binder_alloc: binder_alloc_mmap_handler: 14697 20001000-20004000 already mapped failed -16 15:42:29 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/sequencer2\x00', 0x8000, 0x0) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000400)='/dev/hwrng\x00', 0x0, 0x0) connect$l2tp(r2, &(0x7f0000000440)=@pppol2tpin6={0x18, 0x1, {0x0, r3, 0x3, 0x2, 0x1, 0x0, {0xa, 0x4e22, 0x5, @mcast1, 0x2}}}, 0x32) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000000)) getsockopt$XDP_MMAP_OFFSETS(r4, 0x11b, 0x1, &(0x7f0000000300), &(0x7f0000000380)=0x60) getsockopt$IP_VS_SO_GET_TIMEOUT(r4, 0x0, 0x486, &(0x7f0000000140), &(0x7f00000002c0)=0xc) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$RDS_FREE_MR(r4, 0x114, 0x3, &(0x7f0000000080)={{0x80, 0x3}, 0x10}, 0x10) [ 376.311495][T14733] libceph: parse_ips bad ip '[d::]:?llb' [ 376.323429][T14698] binder: BINDER_SET_CONTEXT_MGR already set 15:42:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x18002, 0x0) ioctl$KVM_GET_DIRTY_LOG(r1, 0x4010ae42, &(0x7f0000000040)={0x10003, 0x0, &(0x7f0000ffb000/0x4000)=nil}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x284000, 0x0) [ 376.360995][T14698] binder: 14697:14698 ioctl 40046207 0 returned -16 [ 376.382676][ T5] binder: release 14697:14698 transaction 1640 out, still active [ 376.400243][T14723] binder_alloc: 14697: binder_alloc_buf, no vma 15:42:29 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xea030000, 0x0) 15:42:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 376.408813][ T5] binder: unexpected work type, 4, not freed [ 376.429569][ T5] binder: undelivered TRANSACTION_COMPLETE [ 376.463903][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:29 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x202400, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f00000002c0)={0x0, @remote, @loopback}, &(0x7f0000000300)=0xc) ioctl$DRM_IOCTL_MODE_SETCRTC(r0, 0xc06864a2, &(0x7f0000000240)={&(0x7f00000000c0)=[0x400, 0x4, 0x4, 0x80], 0x4, 0x88, 0x5, 0x6, 0x4, 0x0, {0x200, 0xea, 0x6, 0x0, 0xfffffffffffffc00, 0x800, 0x1, 0x8, 0x9, 0x3ff, 0x2, 0x3f, 0x5, 0x40, "0b0b179f453e37a02c630c8abdf39a2e4c183a563d278273e9004f6df0d5ac21"}}) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000001840)={'vcan0\x00', 0x0}) getsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f00000003c0), &(0x7f0000000400)=0x4) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000380)={'team_slave_0\x00', r1}) sendmsg$nl_route_sched(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)=@newtfilter={0x34, 0x2c, 0x403, 0x70bd2d, 0x25dfdbfc, {0x0, r2, {0xb, 0x1a}, {0xffff}, {0xf, 0xe}}, [@TCA_RATE={0x8, 0x5, {0x8001, 0x3}}, @TCA_CHAIN={0x8, 0xb, 0x4}]}, 0x34}, 0x1, 0x0, 0x0, 0x800}, 0x40014) 15:42:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x1000000, 0x0, 0x0}) [ 376.515297][ T5] binder: send failed reply for transaction 1640, target dead [ 376.546543][T14915] binder: 14914:14915 got reply transaction with bad transaction stack, transaction 1646 has target 14914:0 15:42:29 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6030000, 0x0) [ 376.566866][ T5] binder: undelivered transaction 1643, process died. 15:42:29 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@mcast2}}, &(0x7f0000000000)=0xe8) getresgid(&(0x7f0000000080), &(0x7f0000000140)=0x0, &(0x7f00000003c0)) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000400)={{{@in6=@ipv4={[], [], @local}, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@remote}}, &(0x7f0000000500)=0xe8) write$P9_RSTATu(r2, &(0x7f0000000540)={0x6d, 0x7d, 0x1, {{0x0, 0x4f, 0x537c, 0x3, {0x20, 0x3, 0x8}, 0x40000000, 0x3, 0x0, 0x200, 0x4, 'eth1', 0x9, '/dev/kvm\x00', 0x6, 'lobdev', 0x9, '/dev/kvm\x00'}, 0x9, '/dev/kvm\x00', r4, r5, r6}}, 0x6d) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 376.645852][T14928] binder: BINDER_SET_CONTEXT_MGR already set [ 376.696954][T14928] binder: 14919:14928 ioctl 40046207 0 returned -16 [ 376.735302][T15009] binder: 14919:15009 ioctl c0306201 200002c0 returned -14 15:42:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x10000, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:29 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff, 0x0) [ 376.754139][T15009] binder_alloc: binder_alloc_mmap_handler: 14919 20001000-20004000 already mapped failed -16 15:42:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 376.805981][ T17] binder: send failed reply for transaction 1646 to 14914:14915 [ 376.832798][T15139] binder_alloc: 14919: binder_alloc_buf, no vma 15:42:29 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x80181) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x3, &(0x7f00000000c0)={0xffffffffffffffff}, 0x113}}, 0x20) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f0000000180)={0xe, 0x18, 0xfa00, @id_resuseaddr={&(0x7f0000000080)=0x1, r1, 0x0, 0x1, 0x4}}, 0x20) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 376.856626][ T17] binder: send failed reply for transaction 1648 to 14919:15009 [ 376.878315][T15143] binder: BINDER_SET_CONTEXT_MGR already set [ 376.894339][ T17] binder: undelivered transaction 1651, process died. 15:42:29 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff, 0x0) [ 376.919005][T15143] binder: 15141:15143 ioctl 40046207 0 returned -16 15:42:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x2000000, 0x0, 0x0}) 15:42:30 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 377.083170][T15233] binder: 15231:15233 ioctl c0306201 200002c0 returned -14 [ 377.118230][T15257] binder_alloc: binder_alloc_mmap_handler: 15231 20001000-20004000 already mapped failed -16 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfeffffff, 0x0) 15:42:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x4048637e, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffff000, 0x0) [ 377.194232][T15233] binder: BINDER_SET_CONTEXT_MGR already set [ 377.219701][T15233] binder: 15231:15233 ioctl 40046207 0 returned -16 [ 377.220168][T15302] binder_alloc: 15231: binder_alloc_buf, no vma [ 377.268399][ T5] binder: send failed reply for transaction 1655 to 15231:15233 [ 377.291904][T15343] binder: 15338:15343 unknown command 1078485886 [ 377.300826][ T5] binder: undelivered transaction 1658, process died. 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffdf9, 0x0) [ 377.327307][T15343] binder: 15338:15343 ioctl c0306201 200002c0 returned -22 15:42:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x18000000, 0x0, 0x0}) 15:42:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x440002, 0x0) openat$cgroup_ro(r1, &(0x7f0000000040)='cpuacct.stat\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = openat$dlm_control(0xffffffffffffff9c, &(0x7f00000024c0)='/dev/dlm-control\x00', 0x400, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffff9c, 0x84, 0xa, &(0x7f0000002500)={0x7, 0x5, 0xa, 0x3f, 0x7, 0x20, 0x0, 0x1ff, 0x0}, &(0x7f0000002540)=0x20) setsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f0000002580)=@assoc_value={r4, 0x80000000}, 0x8) r5 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_inet_SIOCDARP(r5, 0x8953, &(0x7f0000000340)={{0x2, 0x4e24, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, 0x0, {0x2, 0x5, @loopback}, 'veth1\x00'}) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT(r2, 0x40505330, &(0x7f00000002c0)={{0x0, 0xaf}, {0x0, 0x9}, 0x6, 0x7, 0xf983}) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r6, 0xae80, 0x0) 15:42:30 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="040000005d3a2f6c6c623a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:30 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_TX_RING(r2, 0x11b, 0x3, &(0x7f0000000080)=0x10000, 0x4) getsockopt$XDP_MMAP_OFFSETS(r2, 0x11b, 0x7, &(0x7f0000001300), &(0x7f0000000100)=0x60) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$TUNGETFEATURES(r3, 0x800454cf, &(0x7f0000000000)) write$FUSE_POLL(r3, &(0x7f0000000140)={0x18, 0x0, 0x3, {0x3}}, 0x18) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f, 0x0) 15:42:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 377.511784][T15467] ceph: device name is missing path (no : separator in ) [ 377.536363][ T5] binder: send failed reply for transaction 1661 to 15338:15343 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff8c, 0x0) [ 377.573918][T15469] binder: 15466:15469 ioctl c0306201 200002c0 returned -14 [ 377.609432][T15504] binder_alloc: binder_alloc_mmap_handler: 15466 20001000-20004000 already mapped failed -16 [ 377.643143][T15520] binder: BINDER_SET_CONTEXT_MGR already set [ 377.691372][T15520] binder: 15516:15520 ioctl 40046207 0 returned -16 [ 377.698498][T15469] binder: BINDER_SET_CONTEXT_MGR already set 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffff6, 0x0) [ 377.759746][T15469] binder: 15466:15469 ioctl 40046207 0 returned -16 [ 377.759914][T15584] binder_alloc: 15466: binder_alloc_buf, no vma [ 377.773118][ T5] binder: send failed reply for transaction 1663 to 15466:15469 [ 377.781366][ T5] binder: undelivered transaction 1666, process died. 15:42:30 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x400000, 0x0) ioctl$KVM_PPC_ALLOCATE_HTAB(r0, 0xc004aea7, &(0x7f0000000080)=0x1) ioctl$NBD_SET_SIZE(r0, 0xab02, 0x3) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:30 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffffe, 0x0) [ 377.969534][T15711] binder: 15710:15711 got transaction to invalid handle 15:42:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0xfdfdffff, 0x0, 0x0}) 15:42:31 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) accept4$packet(r2, 0x0, &(0x7f0000000000), 0x800) ioctl$KVM_RUN(r3, 0xae80, 0x0) syz_open_dev$mouse(&(0x7f0000000080)='/dev/input/mouse#\x00', 0x0, 0x501002) 15:42:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x4404, 0x208101) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(0xffffffffffffff9c, 0xc00c642d, &(0x7f0000000080)={0x0, 0x80000, 0xffffffffffffff9c}) r3 = dup3(r0, r0, 0x80000) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r1, 0xc00c642e, &(0x7f0000000140)={r2, 0x80000, r3}) r4 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) openat$md(0xffffffffffffff9c, &(0x7f0000000040)='/dev/md0\x00', 0xc0, 0x0) ioctl$ASHMEM_SET_SIZE(r5, 0x40047703, 0x40) ioctl$KVM_RUN(r6, 0xae80, 0x0) getcwd(&(0x7f00000002c0)=""/45, 0x2d) 15:42:31 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x498e499e52, 0x0) [ 378.172203][T15791] binder: BINDER_SET_CONTEXT_MGR already set [ 378.185494][T15791] binder: 15777:15791 ioctl 40046207 0 returned -16 15:42:31 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4990643722, 0x0) [ 378.223260][T15826] binder: 15777:15826 ioctl c0306201 200002c0 returned -14 15:42:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 378.310812][T15826] binder_alloc: binder_alloc_mmap_handler: 15777 20001000-20004000 already mapped failed -16 [ 378.324185][ T5] binder: send failed reply for transaction 1669 to 15710:15711 [ 378.343399][ T5] binder: send failed reply for transaction 1671 to 15777:15826 15:42:31 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000280)=@sg0='/dev/sg0\x00', &(0x7f00000001c0)='./file0\x00', &(0x7f0000000180)='ntfs\x00', 0x0, 0x0) setxattr$security_smack_transmute(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.SMACK64TRANSMUTE\x00', &(0x7f00000000c0)='TRUE', 0x4, 0x1) [ 378.397501][T15939] binder_alloc: 15777: binder_alloc_buf, no vma [ 378.405277][T15938] binder: BINDER_SET_CONTEXT_MGR already set [ 378.421898][T15938] binder: 15937:15938 ioctl 40046207 0 returned -16 [ 378.430511][ T5] binder: undelivered transaction 1674, process died. [ 378.445986][T15938] binder_alloc: 15777: binder_alloc_buf, no vma 15:42:31 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xedc000000000, 0x0) 15:42:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0xfffffdfd, 0x0, 0x0}) [ 378.533276][T15938] binder_transaction: 9 callbacks suppressed [ 378.533295][T15938] binder: 15937:15938 transaction failed 29189/-3, size 0-0 line 3147 [ 378.592149][T15989] binder: 15988:15989 ioctl c0306201 200002c0 returned -14 15:42:31 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x4040800, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=ANY=[@ANYBLOB='vd:N]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 378.666899][T16151] binder_alloc: binder_alloc_mmap_handler: 15988 20001000-20004000 already mapped failed -16 15:42:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$IOC_PR_RESERVE(r2, 0x401070c9, &(0x7f0000000000)={0x3}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 378.737003][T15989] binder: BINDER_SET_CONTEXT_MGR already set [ 378.776442][T16161] libceph: resolve 'vd' (ret=-3): failed [ 378.786103][T15989] binder: 15988:15989 ioctl 40046207 0 returned -16 [ 378.788691][ T7756] binder_release_work: 18 callbacks suppressed [ 378.788699][ T7756] binder: undelivered TRANSACTION_ERROR: 29189 [ 378.806972][T16161] libceph: parse_ips bad ip 'vd:N]' [ 378.825113][T16162] binder_alloc: 15988: binder_alloc_buf, no vma 15:42:31 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1000000000000, 0x0) [ 378.835639][T16166] binder: BINDER_SET_CONTEXT_MGR already set [ 378.859806][T16162] binder: 15988:16162 transaction failed 29189/-3, size 24-8 line 3147 15:42:31 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$SG_GET_NUM_WAITING(r2, 0x227d, &(0x7f0000000000)) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 378.915579][T16166] binder: 16164:16166 ioctl 40046207 0 returned -16 [ 378.926199][ T5] binder: release 15988:15989 transaction 1679 out, still active [ 378.934940][T16151] binder_alloc: 15988: binder_alloc_buf, no vma [ 378.942920][ T5] binder: unexpected work type, 4, not freed [ 378.954569][T16151] binder: 15988:16151 transaction failed 29189/-3, size 24-0 line 3147 [ 378.963793][ T5] binder: send failed reply for transaction 1679, target dead 15:42:31 executing program 1: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = syz_open_dev$mouse(&(0x7f00000002c0)='/dev/input/mouse#\x00', 0xb, 0x18000) r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_BEARER_NAMES(r0, &(0x7f00000001c0)={&(0x7f0000000080), 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, r1, 0x100, 0x70bd2c, 0x25dfdbfc, {}, ["", ""]}, 0xfffffffffffffe5a}, 0x1, 0x0, 0x0, 0x40}, 0x20000000) [ 379.006816][ T5] binder: undelivered transaction 1682, process died. [ 379.017755][T16151] binder: 15988:16151 ioctl c0306201 200002c0 returned -14 15:42:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$caif_stream(0x25, 0x1, 0x5) r2 = dup2(r1, r0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, &(0x7f00000002c0)={&(0x7f0000000040)=[0x9], 0x1, 0x5, 0x5, 0x5, 0x0, 0x80000001, {0xfffffffffffffffb, 0x3, 0x7ff, 0x100000000, 0x0, 0x3, 0x1, 0x75c, 0x1, 0x101, 0xdb, 0x401, 0x1, 0x7fff, "5b9c216886672e95863955044e2e1ad07939500d9b5553c7472a94f1853495d5"}}) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$DRM_IOCTL_GET_CAP(r2, 0xc010640c, &(0x7f0000000080)={0x7ff, 0xc8}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$PPPIOCGDEBUG(r0, 0x80047441, &(0x7f0000000000)) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x100000000000000, 0x0, 0x0}) [ 379.056531][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 379.079502][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:32 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000000000, 0x0) [ 379.229128][T16406] binder: 16401:16406 ioctl c0306201 200002c0 returned -14 [ 379.271357][T16410] binder: BINDER_SET_CONTEXT_MGR already set [ 379.301945][T16410] binder: 16400:16410 ioctl 40046207 0 returned -16 [ 379.308935][T16406] binder: BINDER_SET_CONTEXT_MGR already set 15:42:32 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r5, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 379.331503][T16406] binder: 16401:16406 ioctl 40046207 0 returned -16 [ 379.341243][T16417] binder: 16401:16417 transaction failed 29189/-3, size 24-8 line 3147 [ 379.341251][ T5] binder: send failed reply for transaction 1686 to 16401:16406 [ 379.341271][ T5] binder: undelivered transaction 1689, process died. [ 379.370983][ T5] binder_release_work: 13 callbacks suppressed [ 379.370988][ T5] binder: undelivered TRANSACTION_COMPLETE [ 379.391847][ T5] binder: undelivered TRANSACTION_COMPLETE [ 379.402668][ T5] binder: undelivered TRANSACTION_ERROR: 29189 [ 379.409215][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x200000000000000, 0x0, 0x0}) 15:42:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:32 executing program 1: 15:42:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 379.524651][T16599] netlink: 'syz-executor.5': attribute type 1 has an invalid length. 15:42:32 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0ffffffffffff, 0x0) [ 379.571150][T16610] binder: 16609:16610 ioctl c0306201 200002c0 returned -14 [ 379.605886][T16614] binder: BINDER_SET_CONTEXT_MGR already set [ 379.611969][T16614] binder: 16613:16614 ioctl 40046207 0 returned -16 15:42:32 executing program 1: r0 = openat$vicodec1(0xffffffffffffff9c, &(0x7f0000000440)='/dev/video37\x00', 0x2, 0x0) ioctl$VIDIOC_DQBUF(r0, 0xc0585611, &(0x7f00000004c0)={0x0, 0x9, 0x4, 0x0, {0x0, 0x2710}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "5bbc2297"}, 0x0, 0x0, @planes=0x0, 0x4}) [ 379.650713][T16618] binder_alloc_mmap_handler: 1 callbacks suppressed [ 379.650732][T16618] binder_alloc: binder_alloc_mmap_handler: 16609 20001000-20004000 already mapped failed -16 15:42:32 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x100000000000000, 0x0) [ 379.725161][T16622] netlink: 'syz-executor.5': attribute type 1 has an invalid length. [ 379.742533][T16614] binder: 16613:16614 transaction failed 29189/-3, size 0-0 line 3147 15:42:32 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x8000, 0x0, 0x0, 0x33, 0x3, 0x400003}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="f3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe53136660fd9ee6c450754e50c420fae9972b571112d02") 15:42:32 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x806, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x1) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 379.913930][T16610] binder: 16609:16610 transaction failed 29189/-3, size 24-8 line 3147 [ 379.934696][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 379.941432][T16739] binder: BINDER_SET_CONTEXT_MGR already set [ 379.952511][T16739] binder: 16609:16739 ioctl 40046207 0 returned -16 15:42:32 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0xfffffffffffffff8, 0x0, 0x9, 0x0, 0x0, 0x0, 0x3f}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d450754ddea420fae9972b571112d02") [ 379.999256][T16610] binder: 16609:16610 ioctl c0306201 200002c0 returned -14 15:42:33 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x200000000000000, 0x0) [ 380.042877][T16745] binder: BINDER_SET_CONTEXT_MGR already set [ 380.072434][T16745] binder: 16743:16745 ioctl 40046207 0 returned -16 [ 380.102524][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 380.108812][ T7807] binder: send failed reply for transaction 1692 to 16609:16610 [ 380.115661][T16745] binder: 16743:16745 transaction failed 29189/-22, size 0-0 line 2994 15:42:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x1800000000000000, 0x0, 0x0}) [ 380.152127][ T7807] binder: undelivered transaction 1695, process died. [ 380.184186][ T7807] binder: undelivered TRANSACTION_COMPLETE [ 380.209549][ T7807] binder: undelivered TRANSACTION_COMPLETE [ 380.217020][T16797] binder: 16785:16797 ioctl c0306201 200002c0 returned -14 [ 380.228289][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 380.241463][T16821] binder_alloc: binder_alloc_mmap_handler: 16785 20001000-20004000 already mapped failed -16 15:42:33 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x6, 0x0, 0xd, 0x0, 0x7, 0x3, 0x20000002}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d450754ddea420fae9972b571112d02") 15:42:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x3, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 380.261107][T16821] binder: 16785:16821 transaction failed 29189/-3, size 24-8 line 3147 [ 380.262864][T16797] binder: BINDER_SET_CONTEXT_MGR already set [ 380.300602][T16797] binder: 16785:16797 ioctl 40046207 0 returned -16 [ 380.300794][ T7807] binder: release 16785:16797 transaction 1700 out, still active [ 380.307661][T16821] binder: 16785:16821 ioctl c0306201 200002c0 returned -14 15:42:33 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x8000, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) socketpair$tipc(0x1e, 0x7, 0x0, &(0x7f0000000080)) set_tid_address(&(0x7f0000000000)) 15:42:33 executing program 1: socketpair$unix(0x1, 0x800000000000001, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x7fff, 0x0, 0x0, 0xffffffffffffdff9, 0xffffffffffffffff, 0x0, 0x7}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d450754ddea420fae9972b571112d02") 15:42:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 380.356898][ T7807] binder: unexpected work type, 4, not freed [ 380.376153][ T7807] binder: undelivered TRANSACTION_COMPLETE [ 380.395462][ T7807] binder: undelivered TRANSACTION_COMPLETE [ 380.433624][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 380.451013][T16872] binder: BINDER_SET_CONTEXT_MGR already set 15:42:33 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x300000000000000, 0x0) 15:42:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0xfdfdffff00000000, 0x0, 0x0}) [ 380.514248][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 380.524136][T16872] binder: 16871:16872 ioctl 40046207 0 returned -16 [ 380.544373][ T7807] binder: send failed reply for transaction 1700, target dead 15:42:33 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r5, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 380.613209][T16894] binder: 16882:16894 ioctl c0306201 200002c0 returned -14 [ 380.661678][T16967] binder_alloc: binder_alloc_mmap_handler: 16882 20001000-20004000 already mapped failed -16 15:42:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 380.743068][T16967] binder_alloc_new_buf_locked: 4 callbacks suppressed [ 380.743078][T16967] binder_alloc: 16882: binder_alloc_buf, no vma [ 380.777875][T16989] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 380.801355][T16991] binder: BINDER_SET_CONTEXT_MGR already set [ 380.816883][T16967] binder: 16882:16967 transaction failed 29189/-3, size 24-8 line 3147 15:42:33 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x400000000000000, 0x0) 15:42:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 380.870114][T16994] binder: BINDER_SET_CONTEXT_MGR already set [ 380.886077][T16991] binder: 16882:16991 ioctl 40046207 0 returned -16 [ 380.894955][T16994] binder: 16993:16994 ioctl 40046207 0 returned -16 [ 380.895180][ T7756] binder: release 16882:16894 transaction 1706 out, still active 15:42:33 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r5, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:33 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) getsockopt$TIPC_GROUP_JOIN(r2, 0x10f, 0x87, &(0x7f0000000080), &(0x7f0000000140)=0x4) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) getsockopt$inet_sctp_SCTP_CONTEXT(r2, 0x84, 0x11, &(0x7f0000000000)={0x0, 0x8c}, &(0x7f0000000340)=0x8) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000380)={0x0, @in={{0x2, 0x4e22, @initdev={0xac, 0x1e, 0x0, 0x0}}}, 0x8, 0x8001, 0x65, 0x2, 0xa}, &(0x7f0000000440)=0x98) getsockopt$inet_sctp6_SCTP_STATUS(r2, 0x84, 0xe, &(0x7f0000000480)={r4, 0x3, 0x3, 0x2253, 0x4, 0x8, 0x47, 0x8, {r5, @in6={{0xa, 0x4e20, 0xff, @mcast1, 0x8}}, 0x1, 0x80, 0x9, 0x7, 0x27}}, &(0x7f0000000540)=0xb0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r2, 0x4058534c, &(0x7f00000002c0)={0xb4d, 0x101, 0x80000001, 0x9bb8, 0x9, 0xffffffffffffff00}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 380.936488][ T7756] binder: unexpected work type, 4, not freed [ 380.969792][ T7756] binder: undelivered TRANSACTION_COMPLETE 15:42:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x2, 0x0}) [ 380.993723][ T7756] binder: undelivered TRANSACTION_COMPLETE [ 381.022469][ T7756] binder: send failed reply for transaction 1706, target dead [ 381.059189][ T7756] binder_cleanup_transaction: 1 callbacks suppressed [ 381.059197][ T7756] binder: undelivered transaction 1709, process died. [ 381.098594][T17109] netlink: 'syz-executor.1': attribute type 1 has an invalid length. 15:42:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 381.105860][T17112] binder_alloc: binder_alloc_mmap_handler: 17110 20001000-20004000 already mapped failed -16 [ 381.191965][T17117] binder: BINDER_SET_CONTEXT_MGR already set 15:42:34 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x500000000000000, 0x0) 15:42:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r5, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = syz_open_dev$audion(&(0x7f0000000140)='/dev/audio#\x00', 0x10001, 0x440002) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, &(0x7f00000002c0)="0fc79bef3d0000f30f06c4e1a5e938660fda05040000000f5fb9e200000066baf80cb871284288ef66bafc0cecb805000000b9008800000f01d9de9fc9c50000476d2e410f0133"}], 0x155555555555580f, 0x1, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_GET_LAPIC(r1, 0x8400ae8e, &(0x7f0000000340)={"b420ff3ef8da34a3bf08e8cdcdb27bdd609408d322477cdceec111a61f068ac0db48248750a8656d2f40cb4b1e76d0efadd241d6dd903c44f0ebbf4667650c46d31a26ebbd827b7ee6be754b07ac3d43398b8d94a921c7a6b9dc2eee112f4a89e40c593adb215ce55299c27fb57a33dbd1ee61ef83962345670aecf1d1a077bffc1604078edfd32cac0997255c9d43d8aa97abf43885666816bcabef7fc4e0bf8b985b58b17102564eb69bf6bfddad3e55a722c86df0f9b4b2d893f334ce6dfc80dd473d553975f8ccda9ca1694ce7010d5f7111b89a4072f20b961d09cc5401885e291dfe2b5c92165f665d3966b312c5d706ea29f0eb9e1f6fa14112f5807b6cf9855a3fa0c5f3ef8c9558a96d12e3087b4bb9ac9776a3e0ba014047e4ae3c0490f41dab51e167c4aee91aebe72657faf902fd20daeb4069a4c10ac05d5a260170116350ea759ce39c00868331b6bd8bd9823ae6e1608ce28e06a9478e96c1f041e2aaaa5dc8d5e740d12e65a81b5129b4fd7f9c577ca09ca001623ef5b436043f0a23be6d32822341af1f75b779eb1fabfd1cadbf3679da223141b187c53a53268a8547b174ee4a34e5cbdedea59e60ee59baba19a49757de571627e394eebfd25f77aa9b4f8880cf93727da2b0f62105718aa26da2117a750e9549c5ab5ebe413dc9e670393ebbd98c5f83c2b3f61d87bdecbfa7fb00520f879952700dc8b7756731411f602266b8074f46880f2f2d221569cbe93f84c017bc92310f251e8dd30a51099854eb6474ebaeb47f3c616dcf1cf8a9f4c9b5ae45f7838ccf05ac37eea912e5fea44dcfe264a3c8a7cda8959bf129a1e142a32b66ee4bbb7ada6bdd8b187b141b841f95cb5bd45bc36bf655f91404f12639b696f8e6f135ef69f6994e3b4d2701c4ace068ec1fd80ee462094616e7b3fbb1236ee287178581fd4c064597ba9e293e1d38506e38edefcaffc5e0bb33a60f582ecb7822f6fb28688aabb92935dc16fef6301a5d0c905bbe65dc20c1e30ecde0b7926cc16412f461ac0d260d0069759a4e1a129b6b338c9e55f56935764f4dd94ffa66c90b2464823f8f79e06f5dc2fe4ab7ee054776ffaf626fda3dd4213bd312fbf9ab3c1db385900c745f6aa340e20b5f5cb925df1910337efee5c2eb490b47f7fa91f57a0881c5c097ec1a240686df1415a231e940e1ca843dd9d302d09dc4bc71237799482239a11af531ca66d5312fc0be97b9ce5ee3e62845c4128abf65d9970ba2b809ff6f874a16c056d38efe647f12d2d85b4664f09c4b5b2712422d50a273ac7c3235e6d21aaa66d2299895bf6e690b493b3e8926897f7e9cfeb620ab3ff9b6c684b0bb41a88b66916fe4406e9ca7889f167a923ea838c68c58b79b97317c9b014591c3a5e7438050405003f8428c361b8ce080580b42bbc0a0ef74714c534df2f9c7f1"}) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) fcntl$dupfd(r5, 0x406, r3) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$RTC_RD_TIME(r4, 0x80247009, &(0x7f0000000040)) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 381.248356][T17117] binder: 17116:17117 ioctl 40046207 0 returned -16 [ 381.248408][T17111] binder: BINDER_SET_CONTEXT_MGR already set [ 381.288511][T17111] binder: 17110:17111 ioctl 40046207 0 returned -16 [ 381.337358][ T5] binder: release 17110:17111 transaction 1712 out, still active [ 381.345443][T17118] binder_alloc: 17110: binder_alloc_buf, no vma [ 381.355470][ T5] binder: unexpected work type, 4, not freed [ 381.381745][T17118] binder: 17110:17118 transaction failed 29189/-3, size 24-8 line 3147 [ 381.390792][ T5] binder: undelivered TRANSACTION_COMPLETE [ 381.409972][ T5] binder: undelivered TRANSACTION_COMPLETE 15:42:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x18, 0x0}) [ 381.424748][T17155] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 381.435599][ T5] binder: send failed reply for transaction 1712, target dead [ 381.461292][ T5] binder: undelivered transaction 1715, process died. 15:42:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:34 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x600000000000000, 0x0) [ 381.554643][T17269] binder_alloc: binder_alloc_mmap_handler: 17253 20001000-20004000 already mapped failed -16 15:42:34 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x48000402800, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0xc81, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_GUEST_DEBUG(r1, 0x4048ae9b, &(0x7f00000002c0)={0x1, 0x0, [0x5, 0xfff, 0x7, 0x80000000, 0x53, 0x80000001, 0x100000001, 0x4]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 381.636143][T17268] binder: BINDER_SET_CONTEXT_MGR already set [ 381.657294][T17268] binder: 17253:17268 ioctl 40046207 0 returned -16 [ 381.670219][T17344] binder: BINDER_SET_CONTEXT_MGR already set 15:42:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r5, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) 15:42:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = dup(r2) write$vhci(r3, &(0x7f00000002c0)=@HCI_SCODATA_PKT={0x3, "c7cb322587c620835a14b72eff9f4d7e83acc12007d9ee9caff5a1f609983feb6e1bf263f3037cc4c06900a9774f5bb684c01b09eb9549ec53efa6dfedebb6f17a4e5d677623d9c445c022f46b6d3fa342bfb41f883d435c029fa1de087e5299af305acc601210b5463b544adbca81c3444b4814ccc3fbadb9258623a61b153e04939a211e4bec06145479327b06b456ac7c8ccb257a38558edd78080c14e079f65fc851059703845154aae6a79a09bbcef77b0163bee6805912b719d9e6c5efc5e0e4febe28c4e085413cbdf88dd238b3968c80f2069ca7d72dd15354ad9b571e10b187f8896f861b9589e871ca8ef6b260b5502956c1a3f37e1d407bb8cca37e687771946d6e1dd9258f88e06d38a93217190c75822dea8f7e783a6d8e182dede16ebf6abec7f4e326f4505979737dc09056c675eefd2801dd1d863984c3bb212700fd154af103113209b7126be99bb3669869ae6d1d6ab9c0c8a3b92b052cbe67c53bfe9d52e68dece082a88cbc2c6cb101f7901d83332cdf8476837ce476f50fb11e46fc84b94573f3e4068d445a03161e5986f7e3f8a9cc5e79a10250ca1703501ac98afa4b276638bf6cfdb02bd51e720a7f553a7731ce87dfcc79b5b321a1201397232c4f8ca34ef6a3ff6f456d61df9a1f6967bd964bc6ed783a355d9e450570c060a3432f76434be59355d41daa69682290bbec221cda1bac16b2d17702a0055422994dd90f0bfdc1d3c30f5e3e0867e506b9c26acc1e577a5ded27265ada552ff9625f927a477b1c9a774cc776e3c71593cdcc220e31e2be8e48c56430021a1a587d6951dfabc72ccf02c2bdf86d535997b9e306fcbd80868627b167e68b1f2fcff1777f71eec74206aa89d87f87cd14ed3a01db2ee3e91be8782b475e14f4fb0ce2449d2d88fcc6df33683710199cb38fe8d7a9ec52e1cfbc7ebfa9607e957c5fbc29b8cbc1c9e7e1a6938acc22d9570de6fdeac944403dbf965f5c2fead21d8f0a80b2851862aa4e3dfaff6ab5ecd792d0e67512c6f512b83e74d90783fde60c707b12107e41f32d90e2da2a102aebf9b63120a77f4f5fc50d4c34e5fb6e0026150d40cd0282b5b6d181c9f30404c43aa3f3609129e4e487c288ef423dc78faae63e03a78917e44d95a1bdb2dbcd5ccba0398c63cd9c28b8f2955c79fddc51851ae961abf7a2ad4c85fa251a802c70dbfc71e76e202780f972812a346a02c0c8b4930995859eeebe305ac880f200a15db981f5f8ac5b565b34976a473ff28cdce11d27d07f3d628e6538bc9e248ae3f834e322bab3c2808a9b5490380d2ee7a592f90ab2a3654cb958322541c92c039aca76e9816f7bf5ec0d64fa50072176aaf473eacb4bedcdf9ec03115d277aefa0c3376037fc9cdf8ec53309b088fce85b4b165a69f6cd825713418af76009f5c9041948708a204444f7a7e52b45dab4e644de985966ec4d10f1e26aa6f07bc33a9d47dbc7adcffc6b69f322e9079b28f18a2f96ae88cce354cc30eacfdc5d30f7677d8aca95025119ab33e6c2239c2e000fd0b0cfafb32f7e8c0f40c5e21f6d0d713d053cc6a3b85f1efcfdc620d44e0929d680f36ce1fa4308d1c0339c50087a8a1f5f27ed00fbdbe556b4a3d622fa04bc4bfc3d73c8f6cda7fb0d4e0f54855aa8042b59b33dcbab53ca69bfb93fe3616185c3ce82e091834c584dfe8b67c6a08998f6c73329ec746bbf19b161f9fbf4114ae8d748b2819f76e6e4811d1c0eb0accfa2cdb467d64525346126522286d2e56064e834c37b13f7fc43224d3c8cd133f402ad4ac68a0116bda2098ddd69b1f2bce5093a7101ead7827307049de89be32fa7dd9aa4ace36f4d1254790d0acebb50cdf42a571e3a66695dd8d6de2ef8d8ff415ca39a8522c8a5376dcdc269a172798d080b892fe1fb855ef7ed0f95e43230772f1f0e793ccac0f53c33e245821bb10a08bf7c598ae0e8ef02cbe40ff2fc8968a9d75068bdcbf814fdfa2bfaeeb88ec7e93ed14d917ca3098f7032ee9a3d48afcada9c80e86303750b2a61daa0430aaf22fb608a50a579e4e9eb2a1adfd249f4e3f502da0405778db8004c2f7a33922e7c6521e81cce333f0cb10356b476074394339f0db537e12e2373a9f8f0ced49f210b17f53c7ee1d386b1351abbb5071b18abb54d16688835515134e11fcb3da6a5129780e2343bfe6b3590773427dc3d5584305e0f4ed1d27b287b47dc0fcdfbf3cb689d98e681ab39cf69aece051b87c99009e6e36d6f1ae6d4bf39790e3269382a26f19963539d9877c28c6dbbbbea18284fcd2789e1b1a4d1a2f5dac3cb8ade1b6c1f6a1f3467e5b7f71de2c9f779b8d8bbe8c37d03d1f69ef3d699219338f076baa535edb6c8f15a2b22626c43585ceb90eaf8c562652d2c9f32fd6bed185e7d091a0df8a3c8572b976f4bdd494776c6b4c0a94da33f05be3a3344b6533c60c5ef46e3d6c5aa290809c6ba9a93b91c7c61fcce7283d7162eac0713007245b65c2a6cb4b1452f3d78f903a1f4fa2d535fd6c24906e7a08cc594967b4078d59ef93d389a6fb587c0b817d56ab8c104d9cffe0ceba14dec5f653185887e0fb4860706cfd4f63353ef97372cf4abb29bb05aa1adc3cc48a7fd5b563b932e6a03bb8d0c1ddee0b192672261906c6e11e0b3ffb4280756055c2a75e1737f2aa1c4248a2a3aa4a9fce9b641b93dd90a6aa82482c7508eb83189e0f3c2c5d83396eba30ff6f54e2cdbdba7d5ccecae9962f0db8afbdd6edb252495b4c4cc95dcf94c64e61b71e67e235a533cc283652ee21d386df646e5ceeddffc3a701a8afde75106f21f3ea1913da60ae9cd2c30ce1efd13b12dac11dbeac3a55403f77f48617cf8edcaf279717b1348481c47455cb03c1f53dd12cfb727505a9e529946aca41d29b4e92768c2ebd18bb6e07469c5355ccaa1d3423e11fc6d870ce89209fce73d69fbb71bdb1ee1599e62bce5fb90c1a3e72514bc07b62456c7989028fbc84bd3a6c750de2ca49fce58327511f09b4a82af70db2385671602e39c03805ba915b6f34b7f965d43547192baed159b5b67f64954e83988767c78113289954ca6055e748c2060360f646b5849a290caf3ba607cadf6da63be46c1b0670e46fbe1039b1a027c9540c278bd9b5740318850c61275b4b343fbc830c82bf5329d4630b8c039a48c61661a35d397f35753e381779f29c1dae2bca5633444fec0674dc3060e73ce566399c8a4db1ed0776663c2a1be6888d8c2b7dcd7a93fe77b1ab233740fba296eeb0a72807e7bf20d9d768ff31ae3de7493740c02f08fc6ea242bbc019521bae7b61803bc257690d3a22c9db603bacaf8868d5ef5f7884a6acfe66ed578001192c96e4de561cec19c321cf6f59f337d8a9ae514442c94edc9f1526971e97beca975923aeed7bbfb716e381daeef86f1576a38aa30b4d6c33f7694ab0feefd4f24bd30bbca6b10495e7d41ff42b5b8163ae32c7fb762c6ae8435bf34f776ed89cad5bb1450aee311f77bb50cc2b69ace2b83eb461ea3337dcbbf5c2915ea9c9fee58ecf8b1e60ae5320ba7b1d8dd4201f41b1a98a315c659b82f867a6d1aaf1fb7290f97800a0911ea6e01b0b4e2996fabc53ebfec398fe29d0d425d0f05a583fabf41db362ae5026ae0489450ac7db16f53b9f8527db8ec0c989b5ee1fa0d031c1624b2b20dda5df21bf249b915464f67f99202c7617a7a8852eb8e19aff084bd71f709723d40a592af2b97aaf4ccde246180959d4000215ae3dec1131f531ca5f35cd0e5d0e2746132b687c53b8b4f2ee7878fa876e3a48d7b6b1f5a17ea3e0d32881904ce1792a93b06564ff714110c2c7354129204a0715a458dd2e97d09f46787cc4e0f953cbf74d10ab7a6e7c8ad4f3cd117344ae7915225cac3b501196588c740b7b15e2192661bc41f5f3f85d977cf6870c318937b7fb2ad0f4d6a63612b2b7f03fb5e68ea832341dbeac8a5fa1ae7565831711858e550044ccee51504ec87b67c8891d014255e087084b958c6f58772a36220189fb110015589510912d66deecbea701040f01912fe0abbe8e6d9bb87e6f70b9ac540dff9582ce49db201c136dee531f1e0ec158d4d8238c847744dcfb2b224bcbf44e2a0a6641d3ac92fd4011419320dbfd172d2dbf7fdc7b01aff5fc17596cc988cefb81ce6f6720546eb44b41f07b746b918222215e2e2c49a917e118c19816190a9dbcf4f09a6da7a7959b5e153a1d38e503b2c066708a3d97bccf8e2fc5e2e12de42f33393903e408a2aa8d22fbc56ca6fd3ba49a759839d32f7f48e749e9727112bb21cae644209339ad4800c7711bd7ef563c863a5468eabe2e1caaae29ea9b81ab8c873937bb52f38043c4269930df212bbe69d1099f032a65ab0055c8f704f73f30c24a8b1b3ee3858ae4753244762e9de988b46252d6e100391442940c76b872dad2a7311f5703c92ef08f509c7f193dcf19c9063f0c0ae706dc7cfff224a2493f2063388885084fa98b48f9c08d9334c23158d8d8327277ecd063fa55a2f53cce9fb1aded4ccb26c9cd289e78bd6a9ce63365d6c9849b2a52f9a8f09324832d21399a053bca403bc5132ac308d2754cf9b2e2e085b101799b502ae84b24f645b7f220cfb00aa609cdb565e91e599a37e7e82c278c6cf33a18c77bd37c2e9caeba487b48b0cb737c60b201ed99d7e6023c72ebb90b65e452cd9217ed1574b51dee1d1570cce5bf9f2760769576fb36fc19f9120e3b786466d4e24d4bcb9d8b5c7bdff02986030ea57b8d198c3ab346ed23391fe1f811c5efb7142c3d2d6f4723648fbec7250ad710c62fa2eac63094671f553248ef94cc96d040760db5acb3d61c106a07ceaa73d36013ddcf55d2bbaa94d4bcd290ffaf4e61ab15341ad092fbd9e2d2863fb71f312efdd4630bf6c2d5e88d1e1f3995cb2a9773698cac6852ed6b201e85e2dcf2797d7217b7c1ebf95b50adbe015a18b57b5e10ef2f0132dcdb9edd5f85edc5d2430ccc3c27ff6842b5c5847d326fb606bd633a8efeb819eb68a74f18809630a8453a843be7750e40ce0ce874c4e1d8bc8c4e08c82ae83784db02d6d09350a1013277f7af40c2293775746e97530879a54dbeed5357c35b1a7a35430cf606de22f199d0b7b9e2c8c92fe6e1683a0cb582578cc5668bfd4d6e78b8197d408521bf0de08e8538051cc583a99ed417b1d338e3bb64498d8647dc10fe489cedabd325006b06d9b6ecd6c8724fed19f90ae9001ed3b5ecd4c44d11ec7cef5fd81174753a22e6dd59aa397e8c748e45256d10c758456181d0e9b4699db89fce3d764d6eea1b26d405fbc5a6120724264d81edb40955fa6209dc6435288bb3e6369652585f06a71abfaca467af0cf7a637b8604dbf2360c691caf4a5114577326a7f3aecc07a8bd8f7bc12a6c1ac0d25d215216afb3ed384df0bf83b71f796edb08f320471af68cbd10d5d748e8df5b75654621aac92a2dfea65c87eef77a52e576dae8372f324d671b16d92f262616a89630a183bb905a433d88f678378622a28f58021e3099ea30063d35faaeba3d288b669747c90086baabcba3ab390cf1f910d616250543209c078cd43f60a0056c856104a09f2b8429544682344523016900c199e8babfd4217981b3a35158cc147e9d7543c4e4f140ac8f16ce30c33456a3034318d77e84c58117e2b78f2eae8adc232e43f3a913489a2bfabb222713be4f805c1242d33c9c7dc981ed9fd3896773645a0ca0a1bdb25804f903191ef7dd5eed7916cbcf7d3c2888dda9dae53966c004a55743"}, 0x1001) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) write$P9_ROPEN(r4, &(0x7f0000000000)={0x18, 0x71, 0x2, {{0xc2, 0x1, 0x4}, 0x80000000}}, 0x18) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) stat(&(0x7f0000000040)='./file0\x00', &(0x7f0000001300)={0x0, 0x0, 0x0, 0x0, 0x0}) ioprio_set$uid(0x3, r6, 0x81) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 381.719583][T17344] binder: 17342:17344 ioctl 40046207 0 returned -16 [ 381.720617][T17347] binder_alloc: 17253: binder_alloc_buf, no vma [ 381.749781][ T5] binder: send failed reply for transaction 1718 to 17253:17268 15:42:34 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 381.783406][T17354] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 381.790154][ T5] binder: undelivered transaction 1721, process died. 15:42:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r4, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) 15:42:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x1800, 0x0}) 15:42:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:34 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x700000000000000, 0x0) [ 381.995672][T17465] binder_alloc: binder_alloc_mmap_handler: 17460 20001000-20004000 already mapped failed -16 [ 382.046414][T17461] binder: BINDER_SET_CONTEXT_MGR already set [ 382.072810][T17461] binder: 17460:17461 ioctl 40046207 0 returned -16 [ 382.091025][T17473] binder_alloc: 17460: binder_alloc_buf, no vma [ 382.093308][T17503] binder: BINDER_SET_CONTEXT_MGR already set [ 382.139545][T17503] binder: 17479:17503 ioctl 40046207 0 returned -16 [ 382.139572][ T2597] binder: release 17460:17461 transaction 1724 out, still active [ 382.154441][T17465] binder_alloc: 17460: binder_alloc_buf, no vma [ 382.177540][ T2597] binder: unexpected work type, 4, not freed 15:42:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x1000000, 0x0}) [ 382.184564][ T2597] binder: send failed reply for transaction 1724, target dead [ 382.199820][ T2597] binder: undelivered transaction 1727, process died. [ 382.236250][T17620] binder_alloc: binder_alloc_mmap_handler: 17611 20001000-20004000 already mapped failed -16 [ 382.246913][T17612] binder: BINDER_SET_CONTEXT_MGR already set [ 382.262971][T17612] binder: 17611:17612 ioctl 40046207 0 returned -16 [ 382.270103][T17620] binder_alloc: 17611: binder_alloc_buf, no vma 15:42:35 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = getgid() fchownat(r2, &(0x7f0000000000)='./file0\x00', 0x0, r3, 0x800000000) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) munlock(&(0x7f0000ffb000/0x4000)=nil, 0x4000) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:35 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x800000000000000, 0x0) [ 382.290521][ T12] binder: release 17611:17612 transaction 1731 out, still active [ 382.315818][ T12] binder: unexpected work type, 4, not freed 15:42:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x2000000, 0x0}) [ 382.335155][ T12] binder: send failed reply for transaction 1731, target dead 15:42:35 executing program 0: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r7, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162) ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac) flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e) 15:42:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 382.375976][ T12] binder: undelivered transaction 1734, process died. 15:42:35 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r4, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) [ 382.461379][T17698] binder_alloc: binder_alloc_mmap_handler: 17690 20001000-20004000 already mapped failed -16 [ 382.503443][T17695] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.0'. [ 382.509173][T17691] binder: BINDER_SET_CONTEXT_MGR already set [ 382.525658][T17701] binder: BINDER_SET_CONTEXT_MGR already set [ 382.531897][T17691] binder: 17690:17691 ioctl 40046207 0 returned -16 [ 382.532141][T17699] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 382.538865][T17701] binder: 17700:17701 ioctl 40046207 0 returned -16 [ 382.539466][T17701] binder_alloc: 17690: binder_alloc_buf, no vma [ 382.568183][ T7756] binder: release 17690:17691 transaction 1737 out, still active [ 382.580114][ T7756] binder: unexpected work type, 4, not freed [ 382.595602][ T7756] binder: send failed reply for transaction 1737, target dead [ 382.611180][ T7756] binder: undelivered transaction 1740, process died. [ 382.619832][T17702] binder_alloc: 17690: binder_alloc_buf, no vma [ 382.631821][T17698] binder_alloc: 17690: binder_alloc_buf, no vma [ 382.638754][T17695] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.0'. 15:42:35 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa00000000000000, 0x0) 15:42:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x18000000, 0x0}) 15:42:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:35 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\x00', 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000000140)='SEG6\x00') ioctl$PPPIOCATTACH(r2, 0x4004743d, &(0x7f0000000080)=0x1) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$TIOCMBIS(r3, 0x5416, &(0x7f00000002c0)) 15:42:35 executing program 0: openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x80000, 0x0) r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x100, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r0, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = creat(&(0x7f0000000080)='./file0\x00', 0x10) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x8000, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:35 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r4, 0xffffffff) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) [ 382.866907][T17919] binder: BINDER_SET_CONTEXT_MGR already set [ 382.915014][T17919] binder: 17918:17919 ioctl 40046207 0 returned -16 [ 382.922684][T17929] binder_alloc: binder_alloc_mmap_handler: 17915 20001000-20004000 already mapped failed -16 [ 382.983805][T17949] netlink: 'syz-executor.1': attribute type 1 has an invalid length. 15:42:36 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000000000000, 0x0) [ 383.029022][T17917] binder_alloc: 17915: binder_alloc_buf, no vma [ 383.050349][T17991] binder: BINDER_SET_CONTEXT_MGR already set [ 383.084754][ T7807] binder: release 17915:17917 transaction 1745 out, still active [ 383.095410][T17991] binder: 17915:17991 ioctl 40046207 0 returned -16 [ 383.105602][ T7807] binder: unexpected work type, 4, not freed 15:42:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x300, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:36 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r4, 0xffffffff) [ 383.150846][ T7807] binder: send failed reply for transaction 1745, target dead [ 383.185406][ T7807] binder: undelivered transaction 1748, process died. 15:42:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0xfdfdffff, 0x0}) [ 383.268003][T18043] binder: 18039:18043 got transaction to invalid handle [ 383.405621][T18100] binder: BINDER_SET_CONTEXT_MGR already set [ 383.430989][T18079] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 383.448061][T18100] binder: 18082:18100 ioctl 40046207 0 returned -16 15:42:36 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) fcntl$getownex(r2, 0x10, &(0x7f0000000000)) ioctl$SNDRV_SEQ_IOCTL_SET_PORT_INFO(r3, 0x40a45323, &(0x7f00000002c0)={{0xf0, 0x401}, 'port0\x00', 0x20, 0x40, 0x7, 0x5, 0x20, 0x3ff, 0x4, 0x0, 0x0, 0x9}) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 383.508220][T18152] binder_alloc: binder_alloc_mmap_handler: 18082 20001000-20004000 already mapped failed -16 [ 383.537941][ T7807] binder: send failed reply for transaction 1751 to 18039:18043 15:42:36 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2010000000000000, 0x0) [ 383.564851][ T7807] binder: send failed reply for transaction 1753 to 18082:18152 [ 383.584103][T18100] binder_transaction: 9 callbacks suppressed [ 383.584122][T18100] binder: 18082:18100 transaction failed 29189/-3, size 24-8 line 3147 15:42:36 executing program 0: r0 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x3, 0x2280) ioctl$KVM_SET_FPU(r0, 0x41a0ae8d, &(0x7f00000002c0)={[], 0x503dffed, 0x7, 0x8, 0x0, 0x80000000, 0xf002, 0x104000, [], 0x5}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f0000000540)=ANY=[@ANYBLOB="6d616e676c650000000000000000000000000000000000000000020000000000020000000000000000000000000000000000000000000000000000000000000000000000000000004455b5bda79c4966442282311545de7b9abfb07c0f723a8d8bd91c76d2ca03075feb7a6aedbd079adf79a119de53e85e931f4a187c4d31b6b96a72d31822ce"], 0x48) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000140)=0x0) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000480)=0x0) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000600)={{{@in6=@dev, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@loopback}, 0x0, @in=@local}}, &(0x7f00000004c0)=0xe8) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000500)={0x0}, &(0x7f0000000700)=0xc) r9 = geteuid() fcntl$getownex(r1, 0x10, &(0x7f0000002e00)={0x0, 0x0}) lstat(&(0x7f0000002e40)='./file0\x00', &(0x7f0000002e80)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000002f00)={0x0, 0x0, 0x0}, &(0x7f0000002f40)=0xc) r13 = fcntl$getown(r0, 0x9) fstat(r1, &(0x7f0000002f80)={0x0, 0x0, 0x0, 0x0, 0x0}) fstat(r2, &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000030c0)={0x0, r3, 0x0, 0x1, &(0x7f0000003080)='\x00'}, 0x30) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000003100)={{{@in6=@ipv4={[], [], @empty}, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in6}}, &(0x7f0000003200)=0xe8) fstat(r2, &(0x7f0000003240)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r19 = getpgrp(0x0) r20 = geteuid() getresgid(&(0x7f00000032c0), &(0x7f0000003300), &(0x7f0000003340)=0x0) sendmsg$netlink(r4, &(0x7f0000003440)={&(0x7f0000000080)=@kern={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000002dc0)=[{&(0x7f0000000740)={0x1464, 0x20, 0x0, 0x70bd2b, 0x25dfdbfc, "", [@generic="c71383d2abc0b64557378387e78ede40e9c75356a41dd50167cf23a63ee9a4b7da4d1a92978fb3f21c2c4b84ecbbed59f1970a49f46f00fb88a5854ef866f2fcde0531509368f2c5439c0e6d22b889eaf7273889506322a67baf53f07c3b8a802e41c8defe764213822edfba29797290907498e3933d72673305e51d3c68f7b2527b983cfb99e1f3745568b49d9fb356bc0150f2a78076d1d7f4c4e78e989bf9a69bdee356a84fbda8584ed77704a10aa070b4ce4036c276147c030a9ddbd7c61885abec462cd3b220a4521e58cb9661c31b8f6088e5b589cd7b3487980ec98e9e1e91fddd15c0f2197f549eb753e77c334310b338d2acb53e64506753f665ba8e45d1ce67a75b769ee3d7c58f9577c0ffead69edc3fb3f0e6e0e0d22edd8d5b211615773f10dcf385e72438f8306dde34ccf6893652b665d9fd8df1b8e595d34a0f91231532db85320fc55550a4df65df28cfa31f8f049577c104e194656743c7f5756572907ff458d33ed23135a9f4ad3401e86f38609896f74f04b43b61591c392456827e52b76bffade4de2939ceee9c93512be2e87da31e8e7e244d5640bb620a9c5cb99c74037431a8d3b23e5acb7c3d15a9cef0c3376c1538a7b92dee3be60ade1cc04651e7614749b1e84cee1216ef2df4854f7381fadd116f73c90c368953840ee5f827bb8a5079dc4dcb702ae785d6205f47d538f8faee5d67cff7ee6ed09b8c55487e7f416bb052ce60527896e0b14809c13aca86416ae5daadf40e31a08f084f12cb13b43df0bb6427d8843bb5f5130fcd02300d18ed23dda2c036c81bcaf8b2fd7930be6737a76013621a80ada143948f02fe313a5305d49aa77963fb7a64d6d55ccdfa48ec7072a6510b1a4c19834791e6c47c797cbcd5ec8341c8c79878232b7cc5e17c3bc0a29553f1268219c68279da5cf04ea54ad12518d31fed26b91ea72c19b28bb136ad374d67f4ec5a007f5f18245764ade45d326c9b945a3c8cebe273f216273fb2194abe62d4ca9e1c8f277956cc7e83b1a89a9e69ab52eac6d579c3c8e9af7ab022ca860d867cfa0584b6d01b7f72df127847720c08cbdb7f6f1cf02e86d072f3ff716f67a33d11d24fcb5dfb824c098b299479d7238226dd1bbbe2df1da59a357b3c700f9d922875bed8df46473bd5fe84f3c5f71639920bd302e78284abcf400b59d503467b539ca4673cdd8025bb2d0c1ba2a7ec4e15499f0b2de5d5f7c9e87c959a914f01d8ba17c6bb3caecc77c9fdcec76720928b295f3b16cde9b572ad29b4204f3852fdea2e88057a52d235215575e062824a984ba108ace922459f4a2a360541a3c30db6bdb41eed1e941f179ef1ff43dc5a5eeb7f74b8eb622996e28d51e0a19c7cc974ec84786a411bdc7b147266f7872b4c1c6e46927904b15dadeb76893bfdfc7ecdaf521de25768d3c7066386e81823d9b3a2f9ba444c28459150d212ef4a1e75aa6f33545c44bf772c20edad55728159d118a0b3be42ccfdf1d818a78fc75077ab2d8e3dddbc2e140dff8873fa6222a00e6de5936a97c11823caf51dad7cec59f252a93ae07d73093710024844d4e108a8e423e77e493078898e5e9339879d971e0ad9d5b42740dca49671a3cb32df0a27cde2da6f799e87dbf0d653031c16a59bf7626b24e6d6d94f4feaeae86a024aafe8a7b9c3e28a799535b7906010238e2cdba406de24764a73e4d2af683c1e27e48b1a8118360a0492bdeffc1990f6dda67d65383565dfe66bce1093a86835f5ed9f684959e67ddb7e1167638d7aa1f1cf9649a383c7a9fb2ed3034aa92823b69c75db6ccf6d089f81ff53ca7bd472235813ba1d11a9fa0ca3c4bc6da64986aa618ce2256a8483729176df50811f109ee9f892f77f3dc57ea68c768253e2b2174c25f157278c36de37d88596f9765d2725c43d0013dc76d3906a3c022679586bc90f42d7c1b0f06708a97f6aeb82e5b45874421e6aca53bca21e0836b7bcad7bb2d9ecb8f259c17658e10780405e5a54c8ffac2822ab4f9d0ccfb6cd693caf21799edfe4f0d0b617e4a825ed3064bd9eef17258539e99db785b0d85f7daf256c2d37088adcd5ed5fc7097e63ff6914d83eab46572fe5add4016084561dab1c203ce1943321ead78c101fee5fcbfb661f2376a5e39c2c1b9e30f4f1c9e6d812ed93d74333c6c866f42665d844ed6c36da745093c98a638c1f3d72fe97a7d5335ea3cdcba6803b3fdc9af5a55d0a2313fa96e5044d678660ff8604dcd6d7ac6c2d0c2f8b0bfb309a73691c15b27f50607fc69f42d3af8f60fee49a5e6eae1d4f11c91f7f824d3c220823627d2b4c44ef02dbfc639f1b81281c88f556d5dc6ddcb6cdf828006036c74594bac698fd083359a84116ca74216dcf76e05401e363ff68c2ad9317c0e3c3726701ec644a5696a17423d9bf6264daed27e6f069c2126d668312fea3cf6a622646e44411e61a464377060dbcb11cb192f638ac4a95de733ba52185b6d0ce6d89c5d8b388723351b7179e4db919f8c326dcfa0ad7cacd451608cb2f68c526a6b1d4e78552da0a663ec837dd21573c13dad8f81540810c931a668ed2acff95671fdd2d6f18279db3d9db0805000b6021ababaa884ec63f18009aff2f5e34e561de10ed686a50799e3bc456d30fd2a52cc9466d67bedaa206fdf4a20c1141b82ee2fd3865da432140a824843d902c4749c5cde0d02475d2ee518ebe22cd239ff3b9926746d7f4ed0bc5af5fefa73d26b46ed10b3c197aaf1f807f9a993e57abffa5a7fc764e78408b242d00aea7f437b754dda30313dea2c15fb0b7fa9a7052cbe396a750dceca8c7c5dbc530696d222604454e1afccd9495f91d64bf001572930a73fdb9eda8f0333b3b524aa762206b79587ca61dc42155cb55f6833d89cf10a7cf01e83b3b886c342d2d51695262de2c62ac470202ff779376d0c2baf6459cdbe4575c14aa96e4d2c5ade60191ad6a697f61838dc343bdefbb6f3c27eae3ec32cb9a0a54492c5f3c7640e2cb8a508492d201b74e4263663112078999d73999532e1eb2542a107d7b4e886b9775cdd86c55fccf0caf767fe475ef2abdcb6c24e3ba723eda4788cd8536930b8a54849e79bd6f3d1e84601b18f43b6aebd8d8991e8ae7bdbb6adb2fe520c16d48cdb7a9e43f066a246bc8525444ac83fbe4163fdbb65acf5058cea49c5b1356151b986f53d9ec7c2c49c85f94be04c5909f3568bbbf0be6180400ee3e3b342e3421834209eac7ff9c50a759f5e9cf6a0a8a2692d27b45e0f0735ac3c9ee2fb5e6a164bd388dc06bab4ea9efef472cd121d3b4892410a6bd2d1c4843ee9a838d73d7a8d7921390a2f2f31dd28af34a63b6cfff362f4133e9f6c115fad48e09285620ad09c82dd571d4228f436808a6a8a7f23001587a57539159a8a22e69f028e1d5eb14724c435e3360be2ae30920346b2dddecb599c414f6a962505aec7bf0351ded17d08e42c104196089678466f1406fb562ae6725d98e97229cdf6ec84a3d9005a1df8bf1a5985e70d823872cd3ae01fc9aa71ca5e0ad46ab7176d8813daf432ddb0dbb877f4422471f335b7ee17ab40f5202ba1fc4711a548d0ff3aeab03b754a339c7fc2460c724816dd8d47285df2029e905611578dddbcc87f697765e41417a70767f58bf9234b97380e8c925396c4753dfdd9c5753156ecab477953e43fab9ce722ba38bc2b24261525983a3e66ab24b8fcd7e4ae326590ddc3df1c6d63a788eabe750ae1816e050cb1246b2263055d9ca1610ad5d8ec471955a0ffb0ad05c6404c1595591d03c18fe2baa1f2671c6f8c9a85808ca4591f090ef22c61897466c171d52d83967520cc929a3da180a20e26a99970a31799d00a867317b90f34735af1f741bf1fd53aee6f86122772a58d0fe3e46d0a9dceb26acf3c4497cd969efa3ebb19024c58fe665033f091c6811967ff961c6cdefcc56c7660835ff53891071f73d49d2356d824a5e9984dc50722e2084b88e3bf70aa12f461d403d890469f0708581402f30113479935a75811d31ca45cfb08e37d11587d7fee5bea8c020405b0ae51fb2aa2ccf7a083574abb678d95943a78cb0f17d96818da42628739d138f69cff23c1c42dc47487cec690cf4d38cd8c309dbdfcf8081f9e816e369e29935c15f564c7e0b9d667be3af94f56d0bc2ee769ed5bfd69b8b9f81c8fe03da896c9a4b269ccf843af4a6f2c54ec7889f011313ed343ce115f27fc38822d34eb8dc6db99a74e1a6a6500f23ac924cc18c03b1cdc4932bbc9e0fd9360d8b9ca4145d72a78ed4c0f547e05ff126698e02b4b8e25bf2751f7c6256385df733389fd941fe7b27575751bcb8a778eb6101f0354b86d46b6e14db4a959c2a8a7d30fe20c61d16ff141b91ce03f51e3cd731210ed01ecc2cb1a509927229d688518ed8b8498af2f7ad6b2c946852b3f510ab7a4004cc243aadc19eda7a7ebf8918e57d74feba0bcc0d1dc95108066dc54f1279fe290747abbfc412da53a589bd66d982742c4c6bf8c34e60b749a732555e3748c0368c1575c417328233a5bfdd69636798ae4db129e137112f1f2e86eb7a4993a707b67e7280a9acc22bbb7d2c3edd7370f0af2b29ce8507f45ca4a5f4defc9d64c989cb475ee57600b54c1af408f75082e659439e00ac2ae8492f00a8d484664d6c663cec20c451e569a777896dd6a61f06901cc24582e9a6053151681716a338704b2ff4c557ffb8ee34386c3396b10faa6778d1bf1cfbd4abb81354e24e2e3c6696c6f3eb3bc785924c71f8a6c6d50dbf604391bc980b0cd27b453f99e70ed2191057e1c40332939d9e51067e201c727d4e9e5aa7300cfc73ff5a10fb4605012c8df502d6ae4d106f4943f6c9b802e984aa4877dcd0f88b6dad1a0adb97a4c844dddaa2c9d8d538b62f65db157f77a3cb1bacc71ff1e6ad8b68196b93e13cc1dc56d9611a5ecd92bdc355af5f175d2311d6a9bb8ec386f30ba7a7e73933b10048b3b907099e0689ed44bb895dc195d22628e017c56983dd7c98fcaee9750213715df8185dd647b687cbf7feacae0dd2e8b78cd8bca5fe468c5b6dc650f575a733197e51fe2698db25c9ba743b65ce7fa629e6a4d56bfd50c812e0cab8f423b5c1782b0cfd7cbb0bade2c69ff087628cae0e259ab3e182a7e48472db87a87a8def1b53b8b139fa62452f72797839c04fd09438ae3915c0ea3b1589b3086e5668f851b90c6e837aa2999d89d841f966cc1f438d0a1d687c50058d861a27ebc7d30750d7f91de5636bb444356b99b350ee5236d4880ef66d3e8a692476878fbf7c70f0565a89becb612b4bf1315010563b7be722e67fe4b0d6992a88a5c1d816862a5882697fa09dd99995650ec1bca7dd4db4ab7c556a554f30209919c0a682cb5f3b9da52ef8ecb6833b766511510eb0612286d94f6f0666e50eb7714840561589662a0d82696829010a88aba3c46666575f434dd7061af480cabe9870d9ca98097171448a4c6cb39ce206e9c209770a0f04162cb82764053aae8a9a2356d4cef2eafb455e04c7ec4f5c0ddfb12dc8801e0cdd983b9adfff9397988a8f1b72309b0089fd0639ceae1f7381bc4ab97e01cf702379296a57265aacf16c267035cd62e5377845e4ed0f9c76862ce1fdf886344ae1949128f235e6f983cf53a78569ffaa18998b418a0adcdc70a297a3013cca0f4afd8a96ba3f60855ced78561283c970eaf895ccf41f1fdc21525ec4c29a3072d05e39782c0b87b4a040a66585ebba275775552ba20c7f96fcae98374a4de70c03", @nested={0x218, 0x68, [@generic="12ea073b84a1371d02c32a3abd1689a56367ec3221b8d0095d73d1a8f2c2df54c5af1910664debdd8f08393b531b5906abf1c0e98937ae0e2ae84c9991ef5ec41ce967071c7402ffddecd031ac37", @typed={0x8, 0x5d, @pid=r5}, @typed={0x4, 0xd}, @typed={0xc, 0x51, @u64=0x8}, @generic="7c21f6e5750508214be2f389fce4db877fea59c88cd2930e520dd55b8ae7a1870392cd8c8a38655973fb0813f655fe375951ae4c2cc52065907811ed0cfa8e841cb980043854ddea5e9de6df2232c6567b0860121cf9ada6f7493d2597c9eb076ced449de3e14fbc2039f4f654d8218faf656bc26a2d75a30c833d57b3ba3e3d668d7b6276d2c311cff61b9d8a8dd229220385e7f39beeb3e07fefa02b8dc06e9ba0596ee2f70837b7b37f86321263c48dbcb7412dc028d25414c1dbd20b2d5e8fb7309ac5ad23c2fea2416d757e0bede06ce30966c2fa87a3f5779f46b122b18b452152864b5ed168c6233c8d2c5bdeea35e2dac8f6d086e57cac", @generic="8bcbc52fabd5b72679c6e8004329787e44902734485aeaafb393bc6f38c858eeced7cdddee21b5dc2ea0ee033b9ddca9f37f203e2dad8b1ed0fde302177b4491568735608a7dfa4b39a122da3190efdc6ab2fd4623d82b9300cf56840e1cad8417fecfc0ed4e21b87033d2d84635accc14cc9bfe1537d2c9dad38c73e07960538339293ba6f6cd4609e646a3273f937eca883bf02336a2d6581ffe474c2e2053febd21b7", @typed={0xc, 0x1d, @u64=0x101}]}, @nested={0x68, 0x48, [@typed={0xc, 0x88, @u64=0x1f}, @typed={0x10, 0x90, @str='/dev/adsp#\x00'}, @typed={0x14, 0x19, @ipv6=@initdev={0xfe, 0x88, [], 0x0, 0x0}}, @generic="e444695c4e7fc558f45093471ae8eba63cc22bd61272e2013124a23f8358abb78e1402743dd5bd03bf0ab647c45f12df8561"]}, @nested={0xac, 0x86, [@generic="6184de6d928fb83a3974fd9850ffc42a0f9a7746515ce012a4b2546bdcd1d361b2949d13fae69e641413bb4a77dbd348a0d069d7e7d3f32b98dd34b44cb14a0e0a00880c96e829897a20b4c7c240a733d11d4e53175f698aa06f38234ecf9587d7cf5e8bdd8bd788d2bbedac9a5e589133392202e741bcf55b8a7fc1b6bce5266f60e7aa79c682c9ec72b4b86f594364db7b25646c7d1172fc66c826cce16c54", @typed={0x8, 0x17, @fd=r3}]}, @typed={0xc, 0x50, @u64=0x8000}, @typed={0x8, 0x1f, @pid=r6}, @generic="67c8a180e4c2ca3176ce8fac0413ce4dfa4f6bc97ee31840320bd38638641b5564d8151dcc320f0283e0c6beadf7b43add1ecd66cde8349be84242845541a5e613a78ff9d8b00ac185d3cf00162200b83cf55531863fbadb9a82db51597d8e58561f69d82a91731b3a8d8133771efcc11e14f9ff1c1b4e154791c870bbea1266f9cf60da74d74a3e564f54b6c67b45107a11ce74568d1716bf3f350650e610cb6926e6c03d1554821df48fcf7490e8810fa4d4002d649420ef8a4f183bcb02d3f477e5793ab3", @typed={0x8, 0x5e, @uid=r7}, @typed={0x8, 0x18, @pid=r8}, @nested={0x3c, 0x49, [@typed={0x14, 0x28, @ipv6=@dev={0xfe, 0x80, [], 0x26}}, @generic="091d17403b340a", @typed={0x14, 0x7c, @ipv6=@ipv4={[], [], @loopback}}, @typed={0x8, 0x3f, @fd=r3}]}]}, 0x1464}, {&(0x7f0000001bc0)={0x1200, 0x33, 0x0, 0x70bd2d, 0x25dfdbfd, "", [@nested={0x118, 0x37, [@generic="0899b19cdccca67e91dcd6390fe4346b4d6767311ffa98387b3c7e0fa0a475fe2a514296d028f192765b4c97456761ef92af11bf3cefa0537af18bdf87c0622a546931c96b2a1c06d9b298a4697c20cd5ea129683d686c6aa2bd31b8eae78ca7f459fd7255a3d6016249d5025c010ecea2c32ef29e6ca528327b71965ffba75269", @typed={0xc, 0x4c, @u64=0x6}, @generic="7ead99575f452b08ef980338fa807931ef633d57abdab7b2da887c76ea7a59ae4a5c4f00bc4869258d8057bb2d87d5d67fc9faaf0cc2ef57735e8bf4d5b81e2a4b51b9c52a3debd914b78337ac07f9c7c8ccdbb2f8dde76a7b", @generic="375c72426f80d450be71c3326f7eb68376ba78d1bc2058a79ea8252876157f043cca42376520d9e4a7b052df"]}, @nested={0x100c, 0x16, [@typed={0x8, 0x0, @str='[\x00'}, @generic="d913ad47d41c42603fd56039a09c7096920befb7757ba9c7d5ddf2e8690e44cb4c477c7584670aefc4d2554b5fd2bc64f6bf9ce4899f7e50cde3e7a9c3426e45041d1492eb75afcfd2bcdb82a5ed028541f3236ba3778ceba72d70fddf810cf3f7b3efe051589302dcfa0d7a6fd330b74cee14a098d71913ddcf81a69684842ce2faf2f27ddc5c70edd0f393621b47f4e3a3d4b1c50691ff4b2087406ac70ec0f1a8752f1a59124c54a35f43f1e7c45357d4d4f2a9128f01c99c3b68a995f7f4b3eed2487791eaea0b1f2405a5fd87644a8abadfaeaf86d9eccf29cfcf0563f4ca15af2f458e56ba384670ef9ea387c66cd805c56254f142b51b574598a77e50b8bc79bce57b3d2df3dbc98a9bb5601a11d4f45e37f0ca5c582bceb660d06d8910b66f37e97f6808408d5efa821aab2098f3c50d515aa11ad3f83ea2b2c603db5f8ef8172008af1ff443e211fa06d93f6df5b08bee380df43634ac6d32b6ac3e74e1479e5d2f5713ac0957c566114b771e13bac992eafdfc7efdc76c1b993b6e20b859b75ec99003fb6977750093f7d9d0b8fb553b53dfb871fb9e9657900de56189cb062d369cf0fbf373f1359f7f8caa8013bef7b30f269991fdddf18a3e239882dcc48aad4a898242ce2bcbe7eca3cf6aa0acd0f407d46464ce6e61f5fe44adb3af4760056bb461c1a6a898c9b470b6b96d238dd0832b735770bb405869b10358b1197ce68b9e49afe31f12735a772e9f26f4a300a7748a661e390a6f061e8bd40663dcee744017d1fc8bd6b9780c3235dee54d6884a4d383c4c31b5bff53d1ead2a9b98395b33fd6f8dcfe1cb115c117d528489765dc8dff87c970e731b2521a3d85a730984cc9966e4c0aa24c3f4a6498bc1906f72cf09ef2c0d4abdd97be9a893f319dd9c1cfd348263ed8fe322dbc9ce357dc1a5ee7e2123ab86ed8fbf6e44be7caeb22b1754d7e44835a154fd984f56f7eb921431d6bf15272419277409a6165168ab6eb20a70c6db022428b12ad23759ca3c0285803e965b05014ce9dc25d1e892d65f4a558f8308aa8e9e1e78164744df105b7d4e8011070a68aa6182ce9877ca01dd8ced29b62a205abc085d84a5a2c0be7553b85178db40a680d6500e89e858debb394ae6bc33792d350a845b4b51363c8610f40a0cb9039ad4221e2652473a323bdea43726367a2216c2bd6b035fdabc54bcf961b91847d6d69d13bd4baa385c559b8568a227fd102428646797475718df178984ccf1c772c5cf5b99b823c810e38ba4f9974db7fcb758b84a7da99d3b7adba0d76fbed42b45dc125d4bdeb06fc0ea2c9f40d4191ae46f1a76f3920d7e058e521bab0fa2f998a302022529fd6cdce4d74315864bdb9b18bfa64f44f148734e9e7132706ec9062446c65813f2da7bc91cf79e9f8a729e4879917997168e6d7f043ee50c1978e4b6bb38891abeae100aa47da37aff03334272ceae03a8cc6b76accaf8cece1294443629cd40777956a9709b0e374a1ad377805adb9938d625018621dcdb835d68003588d14ba7f172922b5e8389545aa64fc8e05f3f5f7ce96145bffb3bbd05324c4dcf02c1b89490ffab2b62e05dff49b09f82f77bb4bfa50bfd690949185f08d178daa5663eab1a4c27523238894835e92d49fe8eac125e2bb7e13b4cfdad39d605e2e615e2f87f783b3ea75179e577575964d1c5551e3890e299265f5724400612e2c176ab824a9ef536ec453476ee3eec9dc3c599702be6c403505034155774b1439969129d65608310e52ff051ebd1ee04fbd5e598c8e9fa40a3158d1a320c9d281e284941a5b246e8772aad7e667d06122064bcc2dfe6c9c9a4d79426773cf8892016af078e65e76395fae2e6d3bf266d83978c89fee6d806e603389704afad52436e6f88107a91092a776a217be0168cddb06bf37ec1224c558df20ebc290e515829412cf9d68afbda1b86790d9fd0e371c3803de8494123f6a386dec599cf197b504a7ff8efe2b99c72665d598d3cb42beb92b4bc1e46241b45d36d7a441f8f8138b0e7e10252de27a56f146fe7410932b0d237a568e9f446ff2850829b14950f1a11baa9be0984b1236f7b4ca47daa3a289f7a99d423c228a3b7fa4649d894b19bd68cfbc0d05b41085cfb6e1fcf3efd36949d790647e2cfb95b462dfe3f39e3bc45a682e5793b24bc3061895c8390ca1ba64ed007dde1f82a243611787f3b4c2dd189b7b729df4fe0b32f4f36e337ce215f12561ce729e404b3e91b1a857e817661f8531bde76a67085d6df7e4116e969fcccf714b9861533f05ed827189f978c5e7c0e234ec5b7548135512ef7ac6500e5bca3969183caa83e1abd33b9ae33f93ce6d758e45f6b40ce5a5645f49ab2a4267f717f11cf952fcfde6d9f160e0fd3ed1546e76cd9bd7f9079ad43347eced0a5aa4926b24e09d4ba9160bdb643dafb45633750844cd494ee7201121e0c10c3d9b6b6972702cdd972684cb57f230068d3b9b6c13655fab1fbfde37383c7236dae34a8a3b21ba84eb586c173f2a554d02f0415a434ef3449aec2ad776310ff38ca7e47657eaf8a7bd070779c4f4507659de0edc53eba373c911274fe1642f0d59dfd608bba8a2f74061aa4007a8ca0e0beb482d92dcc59d456afcb092f7154671f2ae24d5c818c239ac7e37ca65f3f32ab928f4e0d30a0b2a266cbee494904545f3e52c7ecf3ad4b8b086249b817b3140864128afa377ead9f01c9e3a13d35c0733bcdbf6fda62a3d7c30a03a847f9122c46ea02883c36ff413bbe841be3ce6bc75bd66923c267af7e4ca2ab948c98000d9f80d4129c69904db82131a128175b392dbc88748af06b73b41bd03b896c6b33d2a6a950c3853436dbf57979ab1ea32d8fc80cf5419bce1f764202f3150fe4458f46fb81d9c10763156e027d35662707c47cffa88bde6c9a315db21c622b10e3643c40fa3fc2f9f72d24e546796d96e037c50197676dff36e75c5d92c7ded75289ce40d70b827c6f742a733f77b3358e27bacacbed85a51a84adfa33033d9a0d92106b88814dcc951414670d606ad5818b9a6d30055ac4f8c3df4b198566e5de06f58c972ce4607aca3f5581863912366e8109b4de3c3296aa2c4f6222b3a7c8d6479c26064af87ab7315b1a81a1e5ef236ba3889d70274e2962c723b3602ce7d58f253eeb26f8d4cf7b9a58098d8dbca1261257dd34a7ab0afbeadfe51154421086a0d7dfcbbec5d9fa006afe2d92daa541b868e5e35512946b0b87897efbb8646734d6a2b13c37bcb97671c1f5a58e9eb609499bbe7b98c3d324564830ab9a4f14f14c8d10ccdeab537bce3d2604c7aa0b6353b819455243d2a40856e24140a708fb67822969ed2a5ae024b6358d1bfb3d805c7f5a37f330e82d189447e24993dbffaa00373467b80c010b224bf81855078f1b130d1e3d0cb053ac04d608c66f50d9276741fbd77db1e59e0a5b04d33e82b006b6a0ea7b1ecab9d22266f7c6b937aec60eb292e251a34bc0b689d2d2ab13a42db239e5b05e23e7aa59c45d786e6178d43950229e1a07ac102807bf6b3a9d6c18ec36a1f1470923b21b1d95f1df3c2059d68ac3a974eead2815a594800fcfe68b4a73a371cfdda248540059d9c4b7d9f4afd53490c11876ef55f546579edd9af74e523f88da685e0309c203450f62c895a32c0c33c9f5745c6da369d956c7998c4cf89470ea7b8f052a9859d77e435c26d8fc401147cd5c4f270a1fc118a3fe3d035038e02f2d5e05249a7b1c52f6cf6a2d86bd5d613355527ebb5fb6b693847b886cc165c57a187336433f6c5495f1cede0cf44b61e206dd19abb6408b60e830855678d333cb54bd7ce1bd8ea18f69bb9933006ea5920a219567f52f8174039c5ba3dd17805bd65efe509774e3169c256b7ecef9c4c52158153f45d912cb917e2f0e58f66d651131871dd5c660c724990d4ca17c30ac8aa9eb2d43f472e8e0fe9619217dd5c440cfdbcd6e7ad7abf5fcc632fe5ab31af823fa49ef8d3568407764d7236df3983c2a5f72dd1bd6b41c762e3736fef474c05780878ea47b21baa5da5ac7173fa4d5597dc1e57a50079f79580bbe7e7afad67d32bd630f2926bc321a3e0ee47c5354d5be12b274384d8aa0fe3f97f599a59f1ffada2909c25c406b28a92f71209599ad932a559edbb7e0119c553b6cb9413855a94b1ad977b7f9b9e8235f481e05fa6dcf5aec5d4976d87a59ff43932e13f01ae2f9fdb8cc31ebe915c1363146c2aa9e7987b1890b712e03c3801b95239157089af668ec7c7221af2289bbdbaa1871363e1e05a529ebe308c02ad5c6b852f32b9c8bf1144910ddeb39f7b7c046fa7ebd10e2e40d3c21aeffb128fb731111850759be90198e7bc9a836bbe35c8eaac551e847c25deeae3c89d797654d75afa864220eee17a932dcf8acc0387df82826db7526896de09b7b91309e044c05ecccfaff1251f54a4682e9fcfb7d8e5c1d333a8d8c9727c7031b5c175ecedffce332aacb046a4141d334c8f32db8725df7a8a8e1fe1f286c9ae1f39724dce97694e20750fcf3ac5675342d0a30c625d8484652edf312892cd3ded2a63834a7057a451167df2c050147b3dbca92df72b07c1924a55e0640bf9bac096fd32ea774ac252959c93e782c8ffcb66084e5e10f4c049d4bda62bd827e410fbc16c51dbdb0e59ad1e45e8116122c785f38fe19920d00600d4a1a9293a2dc672e4a565d52412c0415060275813fbe0aa38e408bdee7608357f12373302a91252705a5b811aff2da912e10d529802c6b88208dc2b296d12f7207c54ededddbda354e4c791a82d21208b91afc46d19a01aa521bda0046bca8b86d8d29913033591cfb5630a954413d747d09cc80077a80334abcc268391d822d981031056e4953002a1cbce71e5f393060a29a5a2730bc4e6e4c1c9e5bfe5fc9467743a3f5ee8c28b8bf4110aec5891051024bafe915f900b51ca0fa5a4003341a4364429be8a20b628879185f8c13fece67c89cfff6c4a28f544f3d0e59b843af581a200c91991babf1af323791add856b3da657c2829231b5ee313b81ea4f5ce41a807ee8c8677a2dc2c2d9217e369fb02d6d47f9be238548b9d200cef958bc69f0de6af43818abf23642d35f00b79c0ed9ff551d9b3aed2d15fc092e620f896d34ab11c98ec866df73625a5b27dbb631c1e5fbcc905c1fd1e8373994fe2f4ecc6571df5c15b3a95d52cfb855e065758871b955ae87a050047d4db6ea6397536caf87acc8152179898326210ad4f910bafc973d256e62348a814d50df9c45fb9de9325c5b8715a42aa41f96b46ed621b3bb18a26dfeb87a6370b5e53e94315a778c95ebb352d47cf9519943cf51b079e6b95378754dbdfc3d4e660c1087e121df6d4538ee38de98f78cae41f05aaa5475bbe8f6429abc9d1c1c9e7789a7fa0fadfd0ae444ede5157b2645d68d9767421c352efbbba571957159c9846b6cd41604bb2627088fbc556fc00394526396eca3ebb9de365b41670a022a021c34bd5ec7e600e365185da63e08f00b62db8154727f95ced84f825747789432615cfb7c605bfb13c13e750285a60d49fad54f907624786dbf064d98b21a4146c18a6077adbb73626700f7faab86984de493767861bf488a7280972a56b4ac943401f47665a8ea75fbc8c347fb1c2a7b72ff28d6aa62564cfd752c3661caa98a6040f5aef34ccf1cd7ffcd6ddd6d05f9f815dc02f7408c0d93b787804820d42a1cf22a327df60f380ea6505fc70bc04bffa38dec4a840fb944b31ec359c0716d26"]}, @typed={0x8, 0x3a, @ipv4=@initdev={0xac, 0x1e, 0x0, 0x0}}, @generic="3368fb9b44d4f837e08b", @nested={0xb0, 0x26, [@generic="1c03dec246aa59bb938e8b259352b8b19a6290e830d79e8b6d46eb83f7c7150081fd26a31df9b9299b6e3ec365f7491394704472f6b138666ff2fd7d9640c9af190a52b5b197fbaca9cea3f5d1e5c3bdbb57a7db435392b880548f6da5d8b240cef4eda04679266f51ac1191fda2ee2410a88fc7aff31ce3ac0cd011193ae7769eb80f07bb0fb826374ba3b60558e7952f3255be79a24ef43c1c", @typed={0x10, 0x27, @str='bdevppp0[^\x00'}]}, @typed={0x8, 0x7a, @uid=r9}]}, 0x1200}], 0x2, &(0x7f0000003380)=[@cred={0x18, 0x1, 0x2, r10, r11, r12}, @cred={0x18, 0x1, 0x2, r13, r14, r15}, @cred={0x18, 0x1, 0x2, r16, r17, r18}, @cred={0x18, 0x1, 0x2, r19, r20, r21}, @rights={0x30, 0x1, 0x1, [r2, r2, r2, r3, r1, r1, r1, r1, r3]}, @rights={0x20, 0x1, 0x1, [r1, r3, r2, r2, r0]}], 0xb0, 0x8041}, 0x4000000) r22 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_S390_VCPU_FAULT(r22, 0x4004ae52, &(0x7f0000000000)=0x3) r23 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r23, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r23, 0xae80, 0x0) [ 383.626395][ T7807] binder: undelivered transaction 1756, process died. [ 383.656619][T18222] binder: BINDER_SET_CONTEXT_MGR already set 15:42:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0xfffffdfd, 0x0}) [ 383.700969][T18222] binder: 18217:18222 ioctl 40046207 0 returned -16 15:42:36 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r4, 0xffffffff) [ 383.830706][T18312] binder: BINDER_SET_CONTEXT_MGR already set [ 383.837255][T18316] binder: 18307:18316 transaction failed 29189/-3, size 24-8 line 3147 [ 383.850114][T18312] binder: 18307:18312 ioctl 40046207 0 returned -16 [ 383.882140][ T7807] binder: release 18307:18312 transaction 1760 out, still active [ 383.902583][T18357] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 383.916542][ T7807] binder: unexpected work type, 4, not freed 15:42:36 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2237649049000000, 0x0) 15:42:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x100000000000000, 0x0}) 15:42:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x600, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 383.941515][ T7807] binder_release_work: 15 callbacks suppressed [ 383.941522][ T7807] binder: undelivered TRANSACTION_ERROR: 29189 [ 384.019026][ T7807] binder: send failed reply for transaction 1760, target dead 15:42:37 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x200000000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xfffffffffffffffc, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_IRQFD(r2, 0x4020ae76, &(0x7f0000000000)={r2, 0x9, 0x7, r2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 384.070252][ T7807] binder: undelivered transaction 1763, process died. [ 384.087547][T18443] binder: BINDER_SET_CONTEXT_MGR already set [ 384.112896][T18443] binder: 18430:18443 ioctl 40046207 0 returned -16 [ 384.113000][T18432] binder: BINDER_SET_CONTEXT_MGR already set [ 384.176209][ T5] binder: send failed reply for transaction 1766 to 18418:18432 [ 384.187300][T18448] binder: 18418:18448 transaction failed 29189/-3, size 24-8 line 3147 [ 384.192430][T18432] binder: 18418:18432 ioctl 40046207 0 returned -16 [ 384.225602][ T5] binder: undelivered transaction 1769, process died. [ 384.264730][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x200000000000000, 0x0}) 15:42:37 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2401000000000000, 0x0) [ 384.310133][ T5] binder: undelivered TRANSACTION_ERROR: 29189 15:42:37 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) ioprio_set$uid(0x3, r4, 0xffffffff) [ 384.378761][T18595] binder: BINDER_SET_CONTEXT_MGR already set 15:42:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 384.432220][ T2597] binder: release 18593:18595 transaction 1772 out, still active [ 384.450959][T18595] binder: 18593:18595 ioctl 40046207 0 returned -16 15:42:37 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x200, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 384.481169][ T2597] binder: unexpected work type, 4, not freed [ 384.515153][ T2597] binder_release_work: 17 callbacks suppressed [ 384.515158][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x1800000000000000, 0x0}) [ 384.546339][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 384.552757][T18608] binder: BINDER_SET_CONTEXT_MGR already set [ 384.583678][T18608] binder: 18607:18608 ioctl 40046207 0 returned -16 15:42:37 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) [ 384.591873][T18608] binder: 18607:18608 transaction failed 29189/-3, size 0-0 line 3147 [ 384.600323][ T2597] binder: send failed reply for transaction 1772, target dead [ 384.619150][T18618] binder: 18610:18618 transaction failed 29189/-3, size 24-8 line 3147 [ 384.668400][T18613] binder: BINDER_SET_CONTEXT_MGR already set [ 384.699543][ T2597] binder: release 18610:18613 transaction 1778 out, still active 15:42:37 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f00000000000000, 0x0) [ 384.712393][T18613] binder: 18610:18613 ioctl 40046207 0 returned -16 [ 384.734727][T18675] validate_nla: 1 callbacks suppressed [ 384.734742][T18675] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 384.754623][ T2597] binder: unexpected work type, 4, not freed 15:42:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 384.781761][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 384.812913][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:37 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000380)={{0xfffffffffffffffe, 0x5723, 0x105, 0x4}, 'syz1\x00', 0x6}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) msgget(0x3, 0x280) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) r4 = msgget(0x2, 0xb1) msgrcv(r4, &(0x7f0000000400)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000038d96281a455fa1de8fbe41aa00e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020af82854034134a70ea0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000763ec73a46d0636c4bd3375036cd89799c6b337f72268b2140188e72c0dbaf65df"], 0xbf, 0x1, 0x3800) ioctl$KVM_RUN(r3, 0xae80, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f000000f000/0x18000)=nil, &(0x7f0000000080)=[@text16={0x10, &(0x7f0000000000)="3e0f01cab8d9000f00d0b893000f00d80fc71c660f383d55b69a0008a80066b80500000066b9af95610f0f01c10f20c4660fdc4b890f019e0b00", 0x3a}], 0x1, 0x10, &(0x7f0000000140), 0x0) 15:42:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0xfdfdffff00000000, 0x0}) [ 384.847914][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 384.909131][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 384.944390][ T2597] binder: send failed reply for transaction 1778, target dead [ 384.953946][T18769] binder: 18753:18769 got transaction to invalid handle [ 384.960928][T18769] binder: 18753:18769 transaction failed 29201/-22, size 0-0 line 2994 [ 385.000075][T18822] binder: BINDER_SET_CONTEXT_MGR already set 15:42:37 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) 15:42:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x40000000000000) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 385.043406][T18822] binder: 18788:18822 ioctl 40046207 0 returned -16 [ 385.104795][T18923] binder_alloc_mmap_handler: 4 callbacks suppressed [ 385.104813][T18923] binder_alloc: binder_alloc_mmap_handler: 18788 20001000-20004000 already mapped failed -16 [ 385.128975][T18822] binder: BINDER_SET_CONTEXT_MGR already set [ 385.139557][T18822] binder: 18788:18822 ioctl 40046207 0 returned -16 [ 385.148229][ T2597] binder: release 18788:18822 transaction 1786 out, still active 15:42:38 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000000000000, 0x0) [ 385.184019][ T2597] binder: unexpected work type, 4, not freed 15:42:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 385.231452][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:38 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) mprotect(&(0x7f0000003000/0x9000)=nil, 0x9000, 0x2000000) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x40000, 0x0) ioctl$TCXONC(r2, 0x540a, 0x1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 385.273249][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 385.310188][T18988] binder: BINDER_SET_CONTEXT_MGR already set 15:42:38 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x20040, 0x0) ioctl$KVM_X86_SETUP_MCE(r1, 0x4008ae9c, &(0x7f0000000080)={0x11, 0x2, 0xfd}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 385.366936][ T2597] binder: send failed reply for transaction 1784 to 18753:18769 [ 385.377703][T18988] binder: 18981:18988 ioctl 40046207 0 returned -16 [ 385.388585][ T2597] binder: send failed reply for transaction 1786, target dead [ 385.416870][T19070] binder_alloc: binder_alloc_mmap_handler: 19000 20001000-20004000 already mapped failed -16 [ 385.422042][ T2597] binder: send failed reply for transaction 1790 to 18788:18923 [ 385.430951][T19034] binder: BINDER_SET_CONTEXT_MGR already set 15:42:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lsetxattr$trusted_overlay_nlink(&(0x7f0000000140)='\x00', &(0x7f00000002c0)='trusted.overlay.nlink\x00', &(0x7f0000000300)={'L-'}, 0x28, 0x1) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) lsetxattr$trusted_overlay_nlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.nlink\x00', &(0x7f0000000080)={'L+', 0x7}, 0x28, 0x0) [ 385.464666][T19034] binder: 19000:19034 ioctl 40046207 0 returned -16 [ 385.469346][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 385.488182][ T2597] binder: undelivered TRANSACTION_ERROR: 29201 [ 385.494651][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 385.501256][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 385.507583][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:42:38 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil}) [ 385.507985][T19070] binder: 19000:19070 transaction failed 29189/-3, size 24-8 line 3147 [ 385.514597][T19092] binder: 19000:19092 transaction failed 29189/-3, size 24-0 line 3147 [ 385.563233][ T2597] binder: release 19000:19034 transaction 1794 out, still active [ 385.580024][ T2597] binder: unexpected work type, 4, not freed 15:42:38 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x529e498e49000000, 0x0) [ 385.613276][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 385.646492][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:38 executing program 3: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x400000, 0x0) bind$unix(r0, &(0x7f0000000180)=@abs={0x1, 0x0, 0x4e24}, 0x6e) r1 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) getsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000000100), &(0x7f00000003c0)=0x4) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x480400, 0x0) ioctl$VT_RESIZEX(r3, 0x560a, &(0x7f0000000080)={0x484, 0x3, 0xd0, 0x800, 0x8, 0x80000000}) ioctl$VHOST_GET_VRING_BASE(r3, 0xc008af12, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000080020000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) ioctl$TUNSETVNETBE(r3, 0x400454de, &(0x7f00000000c0)=0x1) r4 = openat$zero(0xffffffffffffff9c, &(0x7f0000000380)='/dev/zero\x00', 0x80e00, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r4, 0x84, 0x1d, &(0x7f0000000400)={0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000280)=0x18c) [ 385.680286][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 385.701553][T19145] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 385.705184][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:42:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 385.745778][ T2597] binder: send failed reply for transaction 1794, target dead [ 385.768397][T19181] binder_alloc: binder_alloc_mmap_handler: 19177 20001000-20004000 already mapped failed -16 15:42:38 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x2, 0x0, 0x7f, 0x0, 0x0, 0x3, 0x0, 0x4000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x4, 0xffffffffffffffff, 0x0) readlinkat(r2, &(0x7f0000000000)='./file0\x00', &(0x7f00000002c0)=""/238, 0xee) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_PPC_ALLOCATE_HTAB(r3, 0xc004aea7, &(0x7f0000000080)=0x1ff) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$TIPC_MCAST_REPLICAST(r3, 0x10f, 0x86) [ 385.831734][T19185] binder: BINDER_SET_CONTEXT_MGR already set 15:42:38 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)) [ 385.887126][T19184] binder: BINDER_SET_CONTEXT_MGR already set [ 385.894532][T19185] binder: 19177:19185 ioctl 40046207 0 returned -16 [ 385.904627][T19184] binder: 19183:19184 ioctl 40046207 0 returned -16 15:42:38 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7803000000000000, 0x0) [ 385.952805][T19181] binder_alloc_new_buf_locked: 7 callbacks suppressed [ 385.952814][T19181] binder_alloc: 19177: binder_alloc_buf, no vma [ 385.974115][T19205] netlink: 'syz-executor.1': attribute type 1 has an invalid length. 15:42:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x101, 0x4000) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, &(0x7f00000002c0)={0x7fffffff, 0x3, 'client1\x00', 0xffffffff80000007, "a982ed5105c41e92", "b5f98a74967fa2f13de7a6d5687b41418ef3f689fe3d3fd6950ea81cd1de65ad", 0x5, 0x8}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 386.017863][T19178] binder_alloc: 19177: binder_alloc_buf, no vma [ 386.020417][ T12] binder: send failed reply for transaction 1801 to 19177:19178 15:42:39 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) [ 386.068854][ T12] binder_cleanup_transaction: 4 callbacks suppressed [ 386.068864][ T12] binder: undelivered transaction 1804, process died. [ 386.072511][T19181] binder: 19177:19181 transaction failed 29189/-3, size 24-8 line 3147 [ 386.102582][T19178] binder: 19177:19178 transaction failed 29189/-3, size 24-0 line 3147 15:42:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x2) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20010, r1, 0x0) r2 = msgget(0x3, 0x8) msgctl$IPC_STAT(r2, 0x2, &(0x7f0000000000)=""/171) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r3 = syz_open_dev$sndpcmc(&(0x7f0000000280)='/dev/snd/pcmC#D#c\x00', 0x5, 0x0) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1a, &(0x7f0000000380)={0x0, 0x8a, "4b2e148fb61698ac7d7d98ff50b82d98e77627d8ad6a455cca039b16818557797feb1937bb3fc57639650b2aa4ee598e3d05f64a0d52955821a55cfc60f10dec37bbed657c32bc977c243ba2c0e33715c4079c157c66251a12367dcc918a5b1354182d3554e6d016178015528f806cf22ea4e56cdbcbd588fac503354d944b0bda934972c3ee50eef18f"}, &(0x7f00000002c0)=0x92) setsockopt$inet_sctp_SCTP_DELAYED_SACK(r3, 0x84, 0x10, &(0x7f0000000480)=@sack_info={r4, 0xb9f, 0x5}, 0xc) lsetxattr$security_smack_transmute(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000140)='TRUE', 0x4, 0x2) ioctl$FS_IOC_FIEMAP(r0, 0xc020660b, &(0x7f00000004c0)=ANY=[@ANYBLOB="0180ffffffffffff0300000000000000000000000000000100000000000000008000000000000005005980eefff0361bbbd9de9350240000000000000200000000000000000000000000000000000000000000008500800000004c7f80e4ab5123cff539eda9e28b643c97031afb6ca6a13b87acef608571b59422f15b2d6e"]) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 15:42:39 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000080)=0x0) perf_event_open(&(0x7f00000002c0)={0x5, 0x70, 0x6, 0x9, 0x0, 0x0, 0x0, 0x100000000, 0x82050, 0x1, 0xffffffffffff0001, 0x7f, 0x80, 0x3f, 0xffffffffffff8001, 0x8001, 0x2, 0x9, 0x1000, 0x0, 0x7, 0x4, 0x642, 0x800000000000, 0xfffffffffffffff9, 0x8, 0x8c9a, 0x5, 0x7ff, 0x8, 0x8, 0x2, 0x180, 0x100, 0x800, 0x8, 0x1, 0x0, 0x0, 0x9, 0x4, @perf_bp={&(0x7f0000000000), 0x8}, 0x6800, 0x80000001, 0x5, 0x7, 0xfffffffffffffff9, 0x1, 0x19}, r3, 0x9, 0xffffffffffffff9c, 0xb) ioctl$KVM_ENABLE_CAP(r2, 0x4068aea3, &(0x7f0000000340)={0x74, 0x0, [0x8001, 0x2de7, 0x5, 0x7fff]}) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$KVM_SET_VAPIC_ADDR(r4, 0x4008ae93, &(0x7f0000000140)=0xf000) [ 386.252876][T19304] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 386.289557][T19309] binder: 19306:19309 got transaction to invalid handle [ 386.300972][T19310] binder: 19307:19310 got transaction to context manager from process owning it [ 386.366285][T19310] binder: BINDER_SET_CONTEXT_MGR already set 15:42:39 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7a02000000000000, 0x0) [ 386.423832][T19310] binder: 19307:19310 ioctl 40046207 0 returned -16 15:42:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x40200, 0x0) ioctl$KDGKBENT(r2, 0x4b46, &(0x7f0000000040)={0x3, 0x7, 0x7}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 386.527843][ T2597] binder: send failed reply for transaction 1808 to 19306:19309 15:42:39 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) [ 386.622830][T19525] binder: 19524:19525 got transaction to invalid handle [ 386.631455][T19529] binder: BINDER_SET_CONTEXT_MGR already set [ 386.660503][T19529] binder: 19527:19529 ioctl 40046207 0 returned -16 15:42:39 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) fcntl$getownex(r0, 0x10, &(0x7f0000000000)={0x0, 0x0}) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000140)={0xffffffffffffffff, r2, 0x0, 0x6, &(0x7f0000000080)='wlan0\x00', 0xffffffffffffffff}, 0x30) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000002c0)={r3, r2, 0x0, 0x9, &(0x7f0000000040)='/dev/kvm\x00', r4}, 0x30) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) 15:42:39 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) setxattr$security_capability(&(0x7f0000000080)='./file0\x00', &(0x7f0000000140)='security.capability\x00', &(0x7f00000002c0)=@v2={0x2000000, [{0x9, 0x8}, {0x9, 0x5}]}, 0x14, 0x1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$IOC_PR_CLEAR(r2, 0x401070cd, &(0x7f0000000000)={0xfffffffffffff941}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 386.678716][T19531] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 386.709894][T19556] binder_alloc: binder_alloc_mmap_handler: 19527 20001000-20004000 already mapped failed -16 15:42:39 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) 15:42:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:39 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7c03000000000000, 0x0) [ 386.789833][T19529] binder: BINDER_SET_CONTEXT_MGR already set [ 386.844389][ T2597] binder: release 19524:19525 transaction 1813 out, still active [ 386.852918][ T2597] binder: send failed reply for transaction 1813, target dead [ 386.860427][ T2597] binder: send failed reply for transaction 1815 to 19527:19529 [ 386.872835][T19529] binder: 19527:19529 ioctl 40046207 0 returned -16 [ 386.899673][T19648] binder: 19645:19648 got transaction to invalid handle [ 386.922468][ T2597] binder: undelivered transaction 1818, process died. [ 386.936075][T19646] netlink: 'syz-executor.1': attribute type 1 has an invalid length. 15:42:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="0100000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 387.009689][ T5] binder: send failed reply for transaction 1821 to 19645:19648 15:42:40 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8000000000000000, 0x0) [ 387.076366][T19776] binder: 19775:19776 got transaction with invalid offset (0, min 0 max 24) or object. [ 387.078555][T19786] binder: BINDER_SET_CONTEXT_MGR already set [ 387.099610][T19820] binder_alloc: binder_alloc_mmap_handler: 19775 20001000-20004000 already mapped failed -16 15:42:40 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r5 = mmap$binder(&(0x7f000000c000/0x8000)=nil, 0x8000, 0x0, 0x12, r3, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000140)={0x70, 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="08631040", @ANYRES64=r5, @ANYBLOB="020000000000000000634040030000000000000001000000000000000000000001000000000000000000000058000000000000000800000000000000", @ANYPTR64=&(0x7f00000002c0)=ANY=[@ANYBLOB="852a747000000000", @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB='\x00'], @ANYBLOB="010000000000000000000000000000003c0000000000852a6466000000000000", @ANYRES32=r2, @ANYBLOB="000000000100000000000000852a646600000000", @ANYRES32=r1, @ANYBLOB="000000000300000000000000"], @ANYPTR64=&(0x7f0000000080)=ANY=[@ANYBLOB='@\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="0f630c400200000000000000000000000b6300000c630000"], 0x7d, 0x0, &(0x7f00000003c0)="5137905f1c8f45c449906a529915c79132bd872098ab811a5e3c64ab4eb2358fa736b22284fa7cf0e58538f239255504982a537738040e7a6c53f5c56ff821197a257bb18baa70ff6e24c60d9e8dfd7999d4bd3898308e59e7439385730df901667a03e6e67ba5ab9c2e48f8d76804b7bfc80d64bf5d119c4167f9089d"}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 387.141115][T19786] binder: 19785:19786 ioctl 40046207 0 returned -16 15:42:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f000000a000/0x2000)=nil}) r3 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cuse\x00', 0x2, 0x0) read$FUSE(r3, &(0x7f0000002180), 0x1000) write$FUSE_NOTIFY_POLL(r0, &(0x7f0000000080)={0x18}, 0x18) write$FUSE_GETXATTR(r3, &(0x7f0000000040)={0x18, 0x0, 0x3}, 0x18) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ftruncate(r0, 0x1) ioctl$sock_bt_hidp_HIDPCONNDEL(r3, 0x400448c9, &(0x7f0000000140)={{0x6, 0x100000000, 0x8, 0x800, 0x7, 0x7fff}, 0x2e37}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 387.183099][T19776] binder: BINDER_SET_CONTEXT_MGR already set [ 387.192470][T19776] binder: 19775:19776 ioctl 40046207 0 returned -16 [ 387.213075][T19880] binder_alloc: 19775: binder_alloc_buf, no vma 15:42:40 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) [ 387.235524][T19776] binder_alloc: 19775: binder_alloc_buf, no vma 15:42:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$rxrpc(0x21, 0x2, 0xa) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000040)={'team_slave_1\x00', 0x1}) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r3 = dup2(r2, r2) ioctl$sock_inet6_tcp_SIOCATMARK(r3, 0x8905, &(0x7f0000000000)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000480)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) openat$random(0xffffffffffffff9c, &(0x7f0000000080)='/dev/urandom\x00', 0x0, 0x0) 15:42:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 387.371305][T19975] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 387.402987][T19977] binder_alloc: 19976: binder_alloc_buf, no vma 15:42:40 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8001000000000000, 0x0) [ 387.446483][T19980] binder: BINDER_SET_CONTEXT_MGR already set [ 387.453242][T19977] binder: 19976:19977 ioctl 8905 20000000 returned -22 [ 387.460869][T19980] binder: 19979:19980 ioctl 40046207 0 returned -16 15:42:40 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) write$vnet(r2, &(0x7f0000001440)={0x1, {&(0x7f0000000380)=""/4096, 0x1000, &(0x7f0000001380)=""/149, 0x3, 0x1}}, 0x68) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r4 = syz_genetlink_get_family_id$nbd(&(0x7f0000000080)='nbd\x00') sendmsg$NBD_CMD_DISCONNECT(r2, &(0x7f0000000340)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2100}, 0xc, &(0x7f0000000140)={&(0x7f00000002c0)={0x5c, r4, 0x400, 0x70bd28, 0x25dfdbfd, {}, [@NBD_ATTR_SERVER_FLAGS={0xc}, @NBD_ATTR_TIMEOUT={0xc, 0x4, 0x1b8}, @NBD_ATTR_BLOCK_SIZE_BYTES={0xc, 0x3, 0x44f0f1ea}, @NBD_ATTR_TIMEOUT={0xc, 0x4, 0x30000000000000}, @NBD_ATTR_SERVER_FLAGS={0xc, 0x5, 0x1}, @NBD_ATTR_TIMEOUT={0xc, 0x4, 0xfffffffffffffff9}]}, 0x5c}, 0x1, 0x0, 0x0, 0x20004000}, 0x4040) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 387.488066][T19980] binder_alloc: 19976: binder_alloc_buf, no vma [ 387.521413][T19977] binder: BINDER_SET_CONTEXT_MGR already set [ 387.572136][T19977] binder: 19976:19977 ioctl 40046207 0 returned -16 [ 387.588840][T20081] binder: BINDER_SET_CONTEXT_MGR already set [ 387.617979][T20081] binder: 19976:20081 ioctl 40046207 0 returned -16 [ 387.688970][T20081] binder: 19976:20081 ioctl 8905 20000000 returned -22 [ 387.703212][T19977] binder_alloc: 19976: binder_alloc_buf, no vma 15:42:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) fcntl$F_SET_RW_HINT(r2, 0x40c, &(0x7f0000000000)=0x1) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 387.736719][T20081] binder: BINDER_SET_CONTEXT_MGR already set 15:42:40 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x200, 0x0) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 15:42:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 387.792880][T20081] binder: 19976:20081 ioctl 40046207 0 returned -16 15:42:40 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8096980000000000, 0x0) [ 387.853835][T20201] binder: 20200:20201 got transaction to invalid handle [ 387.898682][T20192] binder_alloc: 19976: binder_alloc_buf, no vma 15:42:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:40 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) 15:42:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x1000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 388.108708][ T12] binder: send failed reply for transaction 1833 to 20200:20201 [ 388.155522][T20317] binder: 20316:20317 got transaction to context manager from process owning it [ 388.174094][T20319] binder: BINDER_SET_CONTEXT_MGR already set [ 388.187178][T20319] binder: 20318:20319 ioctl 40046207 0 returned -16 [ 388.189235][T20314] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 388.222444][T20320] binder: 20316:20320 got transaction to context manager from process owning it 15:42:41 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8cffffff00000000, 0x0) [ 388.264413][T20320] binder_alloc: binder_alloc_mmap_handler: 20316 20001000-20004000 already mapped failed -16 15:42:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 388.327565][T20317] binder_alloc: 20316: binder_alloc_buf, no vma 15:42:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = syz_open_dev$radio(&(0x7f0000000000)='/dev/radio#\x00', 0x0, 0x2) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000080), &(0x7f0000000140)=0xc) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) getsockopt$inet_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f0000000740), &(0x7f0000000780)=0x14) ioctl$EVIOCGBITSW(r4, 0x80404525, &(0x7f00000002c0)=""/133) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$VIDIOC_RESERVED(r4, 0x5601, 0x0) write$binfmt_elf64(r2, &(0x7f0000000380)={{0x7f, 0x45, 0x4c, 0x46, 0x46e, 0x1, 0x2, 0xffffffff, 0xfffffffffffffbff, 0x2, 0x0, 0x30e9af14, 0x2ec, 0x40, 0x294, 0x82, 0x80, 0x38, 0x2, 0x3, 0x5, 0x1000}, [{0x60000000, 0x2a02, 0x4, 0xc9, 0xe591, 0x7, 0x1, 0x3}, {0x6474e553, 0x40, 0x13, 0xfffffffffffffffa, 0x3, 0x8001, 0x9f, 0x3}], "63849195", [[], [], []]}, 0x3b4) ioctl$KVM_RUN(r5, 0xae80, 0x0) 15:42:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x802) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 388.428517][T20531] binder: 20529:20531 got transaction to invalid handle 15:42:41 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) 15:42:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) syncfs(r0) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x420000, 0x0) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') sendmsg$IPVS_CMD_GET_CONFIG(r1, &(0x7f0000000380)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x102000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x44, r2, 0x400, 0x70bd2d, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x700}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}]}, @IPVS_CMD_ATTR_DEST={0x1c, 0x2, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x2}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x5}]}]}, 0x44}, 0x1, 0x0, 0x0, 0x8000}, 0xc000) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0xc00) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$VIDIOC_EXPBUF(r4, 0xc0405610, &(0x7f0000000000)={0x6, 0x1, 0xfffffffffffffff9, 0x4000, 0xffffffffffffff9c}) ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r5, 0xae80, 0x0) [ 388.526598][T20579] binder: BINDER_SET_CONTEXT_MGR already set [ 388.549761][T20579] binder: 20564:20579 ioctl 40046207 0 returned -16 [ 388.597760][T20643] binder_alloc: binder_alloc_mmap_handler: 20564 20001000-20004000 already mapped failed -16 [ 388.610446][T20624] netlink: 'syz-executor.1': attribute type 1 has an invalid length. 15:42:41 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xb803000000000000, 0x0) 15:42:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x3000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 388.640769][T26837] binder: send failed reply for transaction 1840 to 20529:20531 [ 388.661773][T26837] binder: send failed reply for transaction 1842 to 20564:20643 [ 388.667997][T20648] binder_alloc: 20564: binder_alloc_buf, no vma [ 388.712896][T26837] binder: undelivered transaction 1845, process died. [ 388.740910][T20643] binder_transaction: 17 callbacks suppressed [ 388.740927][T20643] binder: 20564:20643 transaction failed 29189/-3, size 24-0 line 3147 15:42:41 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) [ 388.782389][T20648] binder: 20564:20648 transaction failed 29189/-3, size 24-8 line 3147 15:42:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x800, 0x0) ioctl$KDGKBSENT(r2, 0x4b48, &(0x7f0000000080)={0x1, 0x1ff00, 0xffffffffffff1f4d}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r3, 0x400c6615, &(0x7f0000000140)) ioctl$KVM_RUN(r4, 0xae80, 0x0) 15:42:41 executing program 3: r0 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0xff00, 0x28800) r1 = syz_open_dev$vbi(&(0x7f0000000040)='/dev/vbi#\x00', 0x0, 0x2) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x620002, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e0, &(0x7f00000000c0)={r1, r2}) r3 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r4 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r4, 0x0) bind$netlink(r1, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfe, 0x80002100}, 0xc) socket$nl_xfrm(0x10, 0x3, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r4, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 388.990408][T20665] binder: 20656:20665 got transaction to invalid handle [ 389.008077][T20664] binder: BINDER_SET_CONTEXT_MGR already set [ 389.010877][T20665] binder: 20656:20665 transaction failed 29201/-22, size 0-0 line 2994 15:42:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) fchmodat(r2, &(0x7f0000000080)='./file0\x00', 0x40) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='mountstats\x00') ioctl$RTC_PLL_GET(r2, 0x801c7011, &(0x7f0000000140)) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 389.038340][T20664] binder: 20658:20664 ioctl 40046207 0 returned -16 15:42:42 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) [ 389.086359][T20736] binder_alloc: binder_alloc_mmap_handler: 20658 20001000-20004000 already mapped failed -16 15:42:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 389.139251][T26837] binder: release 20658:20664 transaction 1852 out, still active [ 389.156071][T26837] binder: unexpected work type, 4, not freed [ 389.185007][T26837] binder: undelivered transaction 1859, process died. 15:42:42 executing program 3: r0 = accept4$inet6(0xffffffffffffff9c, &(0x7f0000000000)={0xa, 0x0, 0x0, @local}, &(0x7f0000000040)=0x1c, 0x80000) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x1f, &(0x7f0000000080)={0x0, @in6={{0xa, 0x4e23, 0x3, @empty, 0xf44e}}, 0x7ff0, 0xffff}, &(0x7f0000000140)=0x88) setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000380)={r1, @in={{0x2, 0x4e23, @empty}}, 0x10001, 0x7, 0x2, 0x800, 0x1}, 0x98) r2 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="0063404000000000cc00000000040000000000000000000000000000180000000000000008000000000000000000000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB="070000008197ef2f"]], 0x0, 0x0, 0x0}) syz_open_dev$mouse(&(0x7f0000000180)='/dev/input/mouse#\x00', 0x9, 0x20000) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca00000000000000, 0x0) [ 389.235511][T26837] binder: send failed reply for transaction 1850 to 20656:20665 [ 389.278460][T20777] binder: 20776:20777 got transaction to invalid handle [ 389.285691][T26837] binder: send failed reply for transaction 1852, target dead [ 389.323604][T20777] binder: 20776:20777 transaction failed 29201/-22, size 0-0 line 2994 [ 389.335954][T26837] binder: undelivered transaction 1855, process died. [ 389.350890][T26837] binder_release_work: 28 callbacks suppressed [ 389.350896][T26837] binder: undelivered TRANSACTION_ERROR: 29201 15:42:42 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) [ 389.377875][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 389.379652][T20797] binder: BINDER_SET_CONTEXT_MGR already set 15:42:42 executing program 5: r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x80000, 0x0) ioctl$sock_inet_SIOCGARP(r0, 0x8954, &(0x7f00000002c0)={{0x2, 0x4e23, @multicast2}, {0x0, @remote}, 0x22, {0x2, 0x4e24, @broadcast}, 'bridge_slave_1\x00'}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 389.419455][T20797] binder: 20790:20797 ioctl 40046207 0 returned -16 [ 389.422261][T26837] binder: undelivered TRANSACTION_ERROR: 29189 [ 389.476177][T20797] binder_alloc: binder_alloc_mmap_handler: 20790 20001000-20004000 already mapped failed -16 [ 389.502738][T20868] binder: BINDER_SET_CONTEXT_MGR already set [ 389.508809][T20868] binder: 20790:20868 ioctl 40046207 0 returned -16 [ 389.515369][ T12] binder: undelivered transaction 1864, process died. 15:42:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x5000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, 0x0, 0x0, 0xfffffffffffffffa) add_key(&(0x7f0000000000)='blacklist\x00', &(0x7f0000000040)={'syz', 0x1}, &(0x7f00000002c0)="7380c658d54414f2bb12c471808027c64aac80dedc0b3aa74944ad670c0d2e65608557073d74474e5c0fbd35445b68c8104b71a2ad609ad0322d5b2cd704fe1fe4f1b8ee9fd7f21ed9eb714b8a74e3df504ac6775b486f6ec3690bac7c03d6607402e42cdee4", 0x66, r1) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 389.522985][ T12] binder_release_work: 16 callbacks suppressed [ 389.522990][ T12] binder: undelivered TRANSACTION_COMPLETE [ 389.530911][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 389.547724][ T12] binder: undelivered TRANSACTION_ERROR: 29189 15:42:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xd003000000000000, 0x0) [ 389.611676][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 389.634432][T20979] binder: 20951:20979 got transaction to invalid handle [ 389.654571][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x2000, 0x0) ioctl$BLKRAGET(r2, 0x1263, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000480)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="00000000000000000010000000eaff00"], 0x0, 0x0, 0x0}) setsockopt$IP_VS_SO_SET_TIMEOUT(r2, 0x0, 0x48a, &(0x7f0000000080)={0x9, 0xfffffffffffffff8, 0xff}, 0xc) [ 389.667218][T20979] binder: 20951:20979 transaction failed 29201/-22, size 0-0 line 2994 [ 389.682125][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:42:42 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) write$P9_RXATTRCREATE(r2, &(0x7f0000000000)={0x7, 0x21, 0x1}, 0x7) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock\x00', 0x1, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:42 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) [ 389.779597][T21032] binder: BINDER_SET_CONTEXT_MGR already set [ 389.812235][T21032] binder: 21019:21032 ioctl 40046207 0 returned -16 [ 389.895686][T21112] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 389.907461][T21032] binder: 21019:21032 transaction failed 29201/-28, size 24-0 line 3147 15:42:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 389.952704][ T12] binder: undelivered TRANSACTION_COMPLETE [ 389.958709][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 389.988470][ T12] binder: undelivered TRANSACTION_ERROR: 29189 15:42:42 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xea03000000000000, 0x0) 15:42:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x44200, 0x0) epoll_ctl$EPOLL_CTL_DEL(r1, 0x2, r0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x8000, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e24, @rand_addr=0x7fff}}, 0x5, 0x4}, &(0x7f0000000040)=0x88) setsockopt$inet_sctp_SCTP_AUTH_KEY(r1, 0x84, 0x17, &(0x7f0000000380)={r3, 0x7, 0x58, "d4a8d12ee64d01a3b00fbeb04a534012e9cd9cb2e1c6be7ffbaf98cbf9e0104580c51f95cfeb21026bcc7cf69fc8d19a808da6eb8d2ae6f754ba23fa0b50ea4a8cf81909ced12b4d7ba9a303a63b72f9a39e1f7ca826ef11"}, 0x60) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x40000400, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x9], 0x1efff, 0x10000}) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) [ 390.020039][T21120] binder_alloc: binder_alloc_mmap_handler: 21019 20001000-20004000 already mapped failed -16 15:42:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) bind$inet6(r2, &(0x7f0000000080)={0xa, 0x4e24, 0x8, @remote, 0x400}, 0x1c) ioctl$KVM_SET_CPUID(r2, 0x4008ae8a, &(0x7f00000002c0)={0x4, 0x0, [{0xb, 0x8, 0x80, 0x4, 0x20}, {0x8000001f, 0x8, 0x5, 0x6b, 0x101}, {0x80000019, 0x8, 0xfffffffffffffc00, 0x2, 0xfffffffffffffff9}, {0xc0000001, 0x1, 0x200, 0x1000, 0x1f}]}) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f0000000340)={{0xf000, 0x103000, 0x1c, 0x1, 0x8, 0x0, 0x5, 0x0, 0x2d5, 0x1, 0x8, 0x10000}, {0xf002, 0x0, 0xb, 0x1000, 0x60b, 0x8, 0x8, 0x1, 0xffff, 0x60, 0xbf, 0x81}, {0x4, 0x3000, 0xf, 0x23, 0x40, 0xfffffffffffffa89, 0x85d5, 0x7, 0x9, 0xa97, 0x9, 0x5}, {0x2, 0x5000, 0x14, 0x10001, 0x1ff, 0xfffffffffffffffa, 0x81, 0xffff, 0x8, 0xfffffffffffffffb, 0x72a0, 0x8}, {0x2, 0x103000, 0x1f, 0x8, 0x7, 0x8, 0x6768, 0x9, 0x200, 0x1, 0x9, 0x101}, {0x0, 0x1, 0x0, 0x20, 0x7, 0x7, 0xff, 0x400000, 0x72, 0x1f, 0x8, 0x3b04}, {0xd000, 0x1000, 0x0, 0x10001, 0x1000, 0x7, 0x1f, 0x100, 0x3, 0xd3c, 0x20, 0x6}, {0x4, 0x2, 0x10, 0x100000000, 0x2, 0x1000, 0x0, 0x3, 0x6, 0xfffffffffffffffd, 0x3, 0xfffffffffffffffe}, {0xd002, 0x3000}, {0x2, 0x5000}, 0x2, 0x0, 0xf000, 0x2000, 0xf, 0x800, 0x1000, [0x8, 0x9, 0x9, 0x1f]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) getsockopt$EBT_SO_GET_INIT_INFO(r2, 0x0, 0x82, &(0x7f0000000480)={'broute\x00'}, &(0x7f0000000000)=0x50) [ 390.063177][T21173] binder: 21149:21173 got transaction to invalid handle [ 390.081862][T21120] binder: 21019:21120 transaction failed 29201/-28, size 24-0 line 3147 [ 390.083127][ T2597] binder: undelivered TRANSACTION_COMPLETE [ 390.101557][T21173] binder: 21149:21173 transaction failed 29201/-22, size 0-0 line 2994 [ 390.123199][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 390.129511][ T2597] binder: undelivered TRANSACTION_ERROR: 29201 [ 390.145906][ T2597] binder: release 21019:21120 transaction 1875 out, still active [ 390.154253][ T2597] binder: unexpected work type, 4, not freed [ 390.160570][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x1ff) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852ab70800000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) r2 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ubi_ctrl\x00', 0xc83, 0x0) setsockopt$TIPC_MCAST_BROADCAST(r2, 0x10f, 0x85) r3 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) ioctl$PERF_EVENT_IOC_REFRESH(r3, 0x2402, 0x9) prctl$PR_CAPBSET_READ(0x17, 0xc) 15:42:43 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) 15:42:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 390.294092][T21343] binder: 21328:21343 ioctl 0 20000040 returned -22 [ 390.310587][ T2597] binder: send failed reply for transaction 1875, target dead [ 390.318533][ T2597] binder: undelivered TRANSACTION_COMPLETE 15:42:43 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf603000000000000, 0x0) 15:42:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x1, 0x2) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f00000002c0)={{{@in=@initdev, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@empty}}, &(0x7f0000000140)=0xe8) getgroups(0x3, &(0x7f00000003c0)=[0xffffffffffffffff, 0x0, 0xee01]) fchownat(r1, &(0x7f0000000080)='./file0\x00', r2, r3, 0x400) r4 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x40, 0x8102) ioctl$KDDISABIO(r4, 0x4b37) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r5 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r5, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$KVM_RUN(r6, 0xae80, 0x0) prctl$PR_SET_THP_DISABLE(0x29, 0x0) [ 390.389033][T21343] binder: 21328:21343 transaction failed 29189/-22, size 24-8 line 2994 [ 390.414944][T21400] binder: 21399:21400 got transaction to invalid handle [ 390.460037][T21343] binder: 21328:21343 ioctl 0 20000040 returned -22 [ 390.465691][T21400] binder: 21399:21400 transaction failed 29201/-22, size 0-0 line 2994 [ 390.475953][T21367] binder: 21328:21367 got transaction with invalid offset (0, min 0 max 24) or object. [ 390.498428][ T12] binder: undelivered TRANSACTION_COMPLETE 15:42:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) r5 = socket$inet6_udplite(0xa, 0x2, 0x88) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000480)={0xffffffffffffffff, r3, 0x0, 0x1, &(0x7f0000000440)='\x00'}, 0x30) syz_open_procfs$namespace(r6, &(0x7f00000004c0)='ns/user\x00') ioctl$KVM_RUN(r4, 0xae80, 0x0) getsockopt$inet_sctp6_SCTP_RTOINFO(r3, 0x84, 0x0, &(0x7f0000000000)={0x0, 0x1, 0x0, 0x1}, &(0x7f0000000080)=0x10) ioctl$VIDIOC_S_AUDIO(r2, 0x40345622, &(0x7f0000000500)={0x5, "397b4e441b5dc7a82ee0cafd070294972127a3296e25e0e9f8a7bf393e668af1", 0x2, 0x1}) ioctl$VHOST_SET_LOG_BASE(r5, 0x4008af04, &(0x7f0000000340)=&(0x7f0000000300)) ioctl$EVIOCGVERSION(r3, 0x80044501, &(0x7f00000003c0)=""/80) ioctl$DRM_IOCTL_SET_VERSION(r3, 0xc0106407, &(0x7f0000000380)={0x0, 0x7, 0xa6, 0x40}) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r3, 0x84, 0x18, &(0x7f0000000140)={r7, 0x8}, &(0x7f00000002c0)=0x8) [ 390.505688][ T12] binder: undelivered TRANSACTION_COMPLETE 15:42:43 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) 15:42:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) fdatasync(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 390.677727][T21571] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 390.694828][ T12] binder: undelivered transaction 1885, process died. [ 390.702005][ T12] binder_send_failed_reply: 6 callbacks suppressed [ 390.702014][ T12] binder: send failed reply for transaction 1881 to 21399:21400 [ 390.721947][T21574] binder_alloc: binder_alloc_mmap_handler: 21572 20001000-20004000 already mapped failed -16 15:42:43 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff00000000, 0x0) [ 390.768690][T21581] binder: BINDER_SET_CONTEXT_MGR already set [ 390.776677][ T12] binder: undelivered transaction 1883, process died. [ 390.805075][T21581] binder: 21580:21581 ioctl 40046207 0 returned -16 [ 390.805796][ T12] binder: undelivered TRANSACTION_COMPLETE 15:42:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) fanotify_init(0x4, 0x181000) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x598fff, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$bt_BT_FLUSHABLE(r2, 0x112, 0x8, &(0x7f0000000000)=0xc59f, 0x4) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x10004, 0x0, 0x10000, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 390.817690][T21573] binder: BINDER_SET_CONTEXT_MGR already set [ 390.834142][T21573] binder: 21572:21573 ioctl 40046207 0 returned -16 15:42:43 executing program 3: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffff9c, 0x89e2, &(0x7f0000000000)={0xffffffffffffffff}) ioctl$FS_IOC_SETFLAGS(r0, 0x40046602, &(0x7f0000000040)=0x6) r1 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cachefiles\x00', 0x40, 0x0) write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x30, 0x5, 0x0, {0x0, 0x5, 0x0, 0x1}}, 0x30) r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000100)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="00000000752133aab000000000"], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0}) [ 390.865455][ T12] binder: send failed reply for transaction 1887 to 21572:21573 [ 390.878220][ T12] binder: undelivered transaction 1890, process died. 15:42:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) setsockopt$SO_RDS_TRANSPORT(r2, 0x114, 0x8, &(0x7f0000000000)=0xffffffffffffffff, 0x4) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:43 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) 15:42:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 391.025398][T21793] binder_alloc: binder_alloc_mmap_handler: 21763 20001000-20004000 already mapped failed -16 15:42:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000040)='TIPC\x00') sendmsg$TIPC_CMD_GET_NODES(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x80000100}, 0xc, &(0x7f0000000140)={&(0x7f0000000080)={0x1c, r4, 0x200, 0x70bd28, 0x25dfdbff, {}, ["", "", "", "", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x10}, 0x4000080) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 391.123131][T21800] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 391.132919][T21804] binder: BINDER_SET_CONTEXT_MGR already set 15:42:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff00000000, 0x0) [ 391.172614][T21804] binder: 21801:21804 ioctl 40046207 0 returned -16 [ 391.180020][ T12] binder: send failed reply for transaction 1893 to 21763:21770 15:42:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = open(&(0x7f0000000000)='./file0\x00', 0x0, 0x10) ioctl$VIDIOC_S_PARM(r2, 0xc0cc5616, &(0x7f0000000040)={0xf, @output={0x1000, 0x1, {0x7f, 0x8}, 0x8000, 0x4}}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000000)='net/netfilter\x00') ioctl$SNDRV_CTL_IOCTL_RAWMIDI_INFO(r1, 0xc10c5541, &(0x7f00000002c0)={0x7d1, 0x100000000, 0x0, 0x0, 0x0, [], [], [], 0x9, 0x5}) dup(r0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:44 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 391.335158][T21887] binder_alloc: binder_alloc_mmap_handler: 21866 20001000-20004000 already mapped failed -16 [ 391.366538][T21881] binder: BINDER_SET_CONTEXT_MGR already set 15:42:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x48000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 391.378835][T21924] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 391.390732][T21881] binder: 21866:21881 ioctl 40046207 0 returned -16 15:42:44 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 391.442951][T21927] binder_alloc_new_buf_locked: 2 callbacks suppressed [ 391.442959][T21927] binder_alloc: 21866: binder_alloc_buf, no vma [ 391.470195][T21931] binder: BINDER_SET_CONTEXT_MGR already set 15:42:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfeffffff00000000, 0x0) [ 391.507533][ T12] binder: release 21866:21881 transaction 1898 out, still active [ 391.515782][T21887] binder_alloc: 21866: binder_alloc_buf, no vma [ 391.523150][T21931] binder: 21930:21931 ioctl 40046207 0 returned -16 [ 391.532145][ T12] binder: unexpected work type, 4, not freed [ 391.542922][ T12] binder: send failed reply for transaction 1898, target dead 15:42:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video35\x00', 0x2, 0x0) ioctl$VIDIOC_G_TUNER(r2, 0xc054561d, &(0x7f0000000040)={0x7f, "56ab02eed99731daf2fe45a6e09ae20164171fbc3f14b197d734e5c72324b61a", 0x4, 0x200, 0xef9, 0x6, 0x14, 0x2, 0x3ff, 0x1}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:44 executing program 3: r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x5, 0x80000) timerfd_gettime(r0, &(0x7f0000000040)) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BLKFRASET(r0, 0x1264, &(0x7f0000000080)=0x9) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) ioctl$SCSI_IOCTL_SYNC(r1, 0x4) ioctl$VIDIOC_S_FREQUENCY(r0, 0x402c5639, &(0x7f00000000c0)={0x3ff, 0x5, 0x2}) [ 391.594158][T21957] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 391.605359][ T12] binder: undelivered transaction 1901, process died. 15:42:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x101800, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@ipv4={[], [], @multicast1}, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@dev}, 0x0, @in=@local}}, &(0x7f0000000080)=0xe8) lstat(&(0x7f0000000140)='./file0\x00', &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000000440)=0x0, &(0x7f0000000480)=0x0, &(0x7f00000004c0)=0x0) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000580)={{{@in6, @in=@broadcast}}, {{@in6=@empty}, 0x0, @in=@remote}}, &(0x7f0000000680)=0xe8) write$P9_RSTATu(r2, &(0x7f0000000500)={0x71, 0x7d, 0x2, {{0x0, 0x54, 0x80, 0x3, {0x80, 0x0, 0x1}, 0x100000, 0x1, 0x20, 0x3, 0xe, 'selinuxvmnet0$', 0x0, '', 0x6, 'wlan0\x8e', 0xd, 'vboxnet0bdev('}, 0x8, '{,vmnet0', r3, r5, r8}}, 0x71) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x2, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40000000}, 0x0, 0x0, 0xffffffffffffffff, 0x0) dup2(r2, r1) ioctl$VIDIOC_G_AUDIO(r2, 0x80345621, &(0x7f00000006c0)) r9 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) write$FUSE_DIRENTPLUS(r9, &(0x7f0000000a80)=ANY=[@ANYBLOB="a002000000000000080000000000000004000000000000000000000000000000ff0f0000000000000000000000000000000000000800000001000000000000005e00000000000000010000000000000009000000000000003f0000000000000007000000000000000200000003000000040000000008000006000000", @ANYRES32=r7, @ANYRES32=r5, @ANYBLOB="070000000000010000000000000000000100000000000800000000000600000000000000776c616e308e00000500000000000000030000000000000001010000000000004000000000000000080000000900000002000000000000004200000000000000d7000000000000000900000000000000060000000000000004000000000000000100000000000000000000f80000000000000000", @ANYRES32=r8, @ANYRES32=r5, @ANYBLOB="04000000ff03000000000000020000000000000003000000000000000b000000040000002f6465762f6d69786572000000000000010000000000000003000000000000000100000000000000080000000000000001010000fdffffff0000000000000000030000000000000001000000010000000002000000000000ff0700000000000009000000000000000000000000000080070000000900000002000000", @ANYRES32=r6, @ANYRES32=r5, @ANYBLOB="0500000001000000000000000600000000000000ff0100000000000004000000080000007d252b2900000000040000000000000000000000000000000000000000000000feffffffffffffff0100008007000000010000000000000000000000000000000800000000000000001000000000000003000000000000000100000000000000ff010000080000000200000004000000ff7f0000", @ANYRES32=r4, @ANYRES32=r5, @ANYBLOB="0600b49e490001000000000000000003000000000000000733000000f2ff0009000000c90200002f6465762f6b766d0000000000000000a19cba913f5a0f78baad99c5696cc70ed872117edafbf43ff9237df6824700b22af46eb14b2ac2e14fc81b233dee60d50ffd0b718037f685d34c9b47df953a421db8f3eb6754462932f533995b128ec1ca8ee03b374b77221675446a3819efe0a2090f0b1887babbc04aa1bf509c378ba02cf508f3c68e9d68a3c12a0a94e03c75c2fa7fe090155d682879e18aa4b7985aaec8b415011f47b0b15dac2f3679130f7f2d109b8d7298e87415e819664d87eead30580dd37dacbe9c439aeceb377ff481f84d55e2431e02bc07b1353574d54e10b7445f05687be45312b5d672df6ce2247f27ea6c239eba9e"], 0x2a0) 15:42:44 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 391.749181][T22051] binder: 22050:22051 got transaction to invalid handle 15:42:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="000009ccec743482dbbcd9000000000000"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) r2 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x7e7, 0x400) epoll_ctl$EPOLL_CTL_MOD(r2, 0x3, r0, &(0x7f00000000c0)={0x2}) ioctl$UI_END_FF_ERASE(r2, 0x400c55cb, &(0x7f0000000080)={0x7, 0x0, 0xf93a}) 15:42:44 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f00000000, 0x0) 15:42:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x60000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) r5 = socket$inet6_udplite(0xa, 0x2, 0x88) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000480)={0xffffffffffffffff, r3, 0x0, 0x1, &(0x7f0000000440)='\x00'}, 0x30) syz_open_procfs$namespace(r6, &(0x7f00000004c0)='ns/user\x00') ioctl$KVM_RUN(r4, 0xae80, 0x0) getsockopt$inet_sctp6_SCTP_RTOINFO(r3, 0x84, 0x0, &(0x7f0000000000)={0x0, 0x1, 0x0, 0x1}, &(0x7f0000000080)=0x10) ioctl$VIDIOC_S_AUDIO(r2, 0x40345622, &(0x7f0000000500)={0x5, "397b4e441b5dc7a82ee0cafd070294972127a3296e25e0e9f8a7bf393e668af1", 0x2, 0x1}) ioctl$VHOST_SET_LOG_BASE(r5, 0x4008af04, &(0x7f0000000340)=&(0x7f0000000300)) ioctl$EVIOCGVERSION(r3, 0x80044501, &(0x7f00000003c0)=""/80) ioctl$DRM_IOCTL_SET_VERSION(r3, 0xc0106407, &(0x7f0000000380)={0x0, 0x7, 0xa6, 0x40}) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r3, 0x84, 0x18, &(0x7f0000000140)={r7, 0x8}, &(0x7f00000002c0)=0x8) [ 391.960359][T22215] binder: BINDER_SET_CONTEXT_MGR already set [ 391.994537][T22215] binder: 22213:22215 ioctl 40046207 0 returned -16 [ 391.994624][ T12] binder: send failed reply for transaction 1905 to 22050:22051 15:42:45 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 392.045471][T22270] binder_alloc: binder_alloc_mmap_handler: 22213 20001000-20004000 already mapped failed -16 [ 392.082728][T22270] binder_alloc: 22213: binder_alloc_buf, no vma 15:42:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) lstat(&(0x7f0000000040)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fchownat(r2, 0x0, 0x0, r3, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$sock_inet6_tcp_SIOCOUTQ(r2, 0x5411, &(0x7f0000000140)) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) [ 392.098758][T22215] binder_alloc: 22213: binder_alloc_buf, no vma [ 392.114970][T22274] binder: 22271:22274 got transaction to invalid handle 15:42:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) r2 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x80000000, 0x0) ioctl$KVM_SET_TSC_KHZ(r2, 0xaea2, 0xffff) [ 392.150840][T22279] netlink: 'syz-executor.1': attribute type 1 has an invalid length. 15:42:45 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffffff00000000, 0x0) [ 392.257558][T22378] binder: BINDER_SET_CONTEXT_MGR already set 15:42:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x68000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 392.336107][T22378] binder: 22377:22378 ioctl 40046207 0 returned -16 [ 392.349338][T26837] binder: send failed reply for transaction 1913 to 22271:22274 [ 392.377913][T26837] binder: send failed reply for transaction 1915 to 22377:22458 15:42:45 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 392.419853][T22458] binder_alloc: binder_alloc_mmap_handler: 22377 20001000-20004000 already mapped failed -16 [ 392.424338][T26837] binder: undelivered transaction 1918, process died. [ 392.455109][T22494] binder_alloc: 22377: binder_alloc_buf, no vma [ 392.473702][T22493] binder: BINDER_SET_CONTEXT_MGR already set [ 392.494644][T22497] netlink: 'syz-executor.1': attribute type 1 has an invalid length. [ 392.503576][T22493] binder: 22492:22493 ioctl 40046207 0 returned -16 [ 392.510991][T22378] binder_alloc: 22377: binder_alloc_buf, no vma 15:42:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$ashmem(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ashmem\x00', 0x180, 0x0) ioctl$ASHMEM_GET_NAME(r2, 0x81007702, &(0x7f0000000100)=""/71) r3 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x1ff, 0x200000) write$P9_RREADDIR(r3, &(0x7f0000000040)={0x68, 0x29, 0x1, {0x22e1, [{{0x2c, 0x4, 0x5}, 0x7ff, 0x5, 0x7, './file0'}, {{0x2, 0x1, 0x1}, 0x6, 0x6, 0x7, './file0'}, {{0x0, 0x4, 0x8}, 0x2ac0, 0x2, 0x7, './file0'}]}}, 0x68) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) 15:42:45 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 392.617609][T22546] binder_alloc: binder_alloc_mmap_handler: 22540 20001000-20004000 already mapped failed -16 15:42:45 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffffffffff000, 0x0) 15:42:45 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\x00', 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000000140)='SEG6\x00') ioctl$PPPIOCATTACH(r2, 0x4004743d, &(0x7f0000000080)=0x1) r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$TIOCMBIS(r3, 0x5416, &(0x7f00000002c0)) [ 392.668430][T22542] binder: BINDER_SET_CONTEXT_MGR already set 15:42:45 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 392.745570][T22542] binder: 22540:22542 ioctl 40046207 0 returned -16 [ 392.752999][T22610] binder_alloc: 22540: binder_alloc_buf, no vma 15:42:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x1000000000, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_GET_CPUID2(r2, 0xc008ae91, &(0x7f00000002c0)={0x5, 0x0, [{}, {}, {}, {}, {}]}) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = add_key(&(0x7f0000000040)='.dead\x00', &(0x7f0000000080)={'syz', 0x1}, &(0x7f00000003c0)="6ae29673918ba1f5ea8cbe8a719bacd64ca4fb3ebf38b10dc7e33aba7ac5f8749d35fdef7432431e71f1d8a926f17d6fdc1b249dc82fdd4ac8d4870d80ea2f90ae71f27fb59ab6862f954b8627f76b7d2a97753eb06dc9da045a6c7fdb443a203ab18976486cf4b3fc8a84b4c974b9c3ea933084a8c8c20d238a4a4e6ecc1a1c0c79c9fbfb5a19f0956f5a44e980b4f4", 0x90, 0xfffffffffffffff8) keyctl$KEYCTL_PKEY_VERIFY(0x1c, &(0x7f00000000c0)={r4, 0x62a}, &(0x7f0000000480)={'enc=', 'pkcs1', ' hash=', {'md4\x00'}}, &(0x7f0000000140)="b407488001244424df7df2e892cacb3c4003c7e2", &(0x7f0000000500)="3ebbb09968b4468cec47766c893e3124ec9ec4ecf366d44635d5cb368cc29f93b4416bdb21b0d24c088bd2b15bbbd2fcbf1c965e633d01f5d51c7bbf031416f4068c9daee6be7f12adcfd486170d2f8818b6aa1563633fa04eecdadd91a3b6195fcf4d98900988b8452c424ffcebfab55aef8eb21dbdb15ee41d6b0008fd5a3bdec9907632325742631754517586fe938ee2cc37a70ec1e3dcb074db3f595188d0d30c2bb9f88a2adb50a31fc0c1c2ed9fe051af82cdfcef1f1fbcb2c42a615e9bc607b4") [ 392.788661][T22546] binder_alloc: 22540: binder_alloc_buf, no vma [ 392.812483][ T5] binder: release 22540:22542 transaction 1923 out, still active 15:42:45 executing program 2: r0 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x60840) sendmsg$nl_crypto(r0, &(0x7f0000000280)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4202402}, 0xc, &(0x7f0000000240)={&(0x7f00000000c0)=@alg={0x108, 0x10, 0x100, 0x70bd2d, 0x25dfdbfb, {{'ctr-camellia-aesni\x00'}, [], [], 0x2400, 0x2400}, [{0x8, 0x1, 0xff}, {0x8, 0x1, 0x547}, {0x8, 0x1, 0x84}, {0x8, 0x1, 0x7}, {0x8, 0x1, 0x5}]}, 0x108}, 0x1, 0x0, 0x0, 0x20004010}, 0x4004051) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=ANY=[], &(0x7f0000000200)='./file0\x00', &(0x7f0000000000)='c\x00\x00\x06\x00', 0x0, 0x0) sendto(r0, &(0x7f0000000380)="5e23f4a6a8ccadbcba6ca6170c090f04f57df5f7657ffd6fd2aa5be862085160f695e161a7e730c80ed6b6374d54b7aeb8653308f0cca83d7b555056c0b69c4f60948c187a14ccfcd2fde96940b4318d313f6870cbaf2a0940f9de7a561fd78e77e5ecfc4332298b8f910ff5dbca7a9d1ed45fd7090d7b262cafb53482bd1b6d76c0bc607b274d5c1f859789511a8e64f44c6aea8964fa89c9798d25308d47d219febcaaf25698dbf330406290e85069487913978f3d1ab4e86d5447f9e6cd651bedeff26fe9d53bcca23e1b3c72140c59db419ae92f66695647bd64c5f0a314", 0xe0, 0x1, 0x0, 0x0) [ 392.835641][ T5] binder: unexpected work type, 4, not freed [ 392.841807][ T5] binder: send failed reply for transaction 1923, target dead 15:42:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x8986c1dc7fa3a8e9) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 392.922774][ T5] binder: undelivered transaction 1926, process died. [ 392.923770][T22625] binder: 22622:22625 got transaction to invalid handle 15:42:45 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 393.001593][T22630] binder: BINDER_SET_CONTEXT_MGR already set [ 393.041057][T22630] binder: 22628:22630 ioctl 40046207 0 returned -16 15:42:46 executing program 2: clock_gettime(0x1, &(0x7f0000000300)={0x0, 0x0}) utimes(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)={{}, {r0, r1/1000+30000}}) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer\x00', 0x80, 0x0) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000001c0)='TIPC\x00') sendmsg$TIPC_CMD_SHOW_NAME_TABLE(r2, &(0x7f00000002c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x1080}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x30, r3, 0x1, 0x70bd2c, 0x25dfdbfd, {{}, 0x0, 0x5, 0x0, {0x14, 0x19, {0x2, 0x3f, 0x3, 0x4}}}, [""]}, 0x30}, 0x1, 0x0, 0x0, 0x4080}, 0x40004) mount(&(0x7f0000000080)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c623aff0e1214ac6efe3c01a89bc77c89079f191a8fb9a0bf5bf2850b53bf12fc512ded4167be200b899292219649d3380654b5"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) socket$nl_route(0x10, 0x3, 0x0) 15:42:46 executing program 5: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r7, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162) ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac) flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e) 15:42:46 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 393.095510][T22707] binder: BINDER_SET_CONTEXT_MGR already set [ 393.121504][T22707] binder: 22628:22707 ioctl 40046207 0 returned -16 15:42:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) accept4(r2, &(0x7f0000000400)=@pppol2tpin6, &(0x7f0000000000)=0x80, 0xa9adb2af4651e89) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) timer_create(0x7, &(0x7f0000000040)={0x0, 0x33, 0x1, @thr={&(0x7f0000000000), &(0x7f00000002c0)="e27c68a2691e635605b4ff19cfb7d1e4d0f8f1c8ff175b8a801d48f852ac18c55d6f3818ced97b1d95da4af53889770be0a25acfa47853342ef829c2d0952eeb6b667b89ac9ed0d6336a7715c341131a427235cc13c656e932bc4a5b874f2eb80fa2d3f937d537f0a22fdd5c24d5de75de43986fcc2e2fdf803e66f29e37ab82f41e191aef770fbff568a4c953c0dc8d137870f8f900420b75b135a736bcdce722b894930617d8a34b546b99f38137e8e8178a3483cc59f5327f5d8fb3fd19d77e198939dd9aef65737250234fedd91db035f431bd5143872bf3ee6c8ffbd7d761f3913ce58edc3b10"}}, &(0x7f0000000080)=0x0) timer_settime(r4, 0x0, &(0x7f0000000140)={{0x77359400}}, &(0x7f00000003c0)) 15:42:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x74000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 393.176132][ T5] binder: release 22628:22630 transaction 1932 out, still active [ 393.201607][ T5] binder: unexpected work type, 4, not freed [ 393.207138][T22747] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'. 15:42:46 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) 15:42:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000480)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="0000000000000001"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) r2 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x8a, 0x101000) fcntl$setpipe(r1, 0x407, 0x9) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f00000004c0)=ANY=[@ANYRES32=0x0, @ANYBLOB="1c000000d27ba46ff75ed0846f12e642daeb33cd72db45136634903ee7c1bc827805f476c6bdf8384caaee0e3effbfbcd55f9beb544a77e657e013d29f5d199bd1ada436781b41752329031f00e4c404cb481f55811fe74333e651bef41b46dba504c3ca133923949329d2b90d3a0335b51f10c409660e3b33de9cb5aab7aa4df8c2c33c735afe06920a4776d18d1cdf87fc771cc07ee54b7de1072664f8efa09c45ba564632c536c4530c86e288d0c1a6bc810b7438952c5be2c517fe203dc33b929cd6eb2dc0bc3418142dd639353b973b56f908c7f850624b57f8fcd6435413e2e5d609753a1082f4276c025994edaa75b80d2ee489151b1a2ce0f6077e8360e702b5f2c49d9d4c534b072c29e20d752c2142b6528c416b"], &(0x7f0000000080)=0x24) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.cpu/syz0\x00', 0x200002, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f00000000c0)={0x100, 0xffffffffffffff7f, 0x4, 0xff, 0x0, 0x5, 0x7fff, 0x16c9, r3}, &(0x7f0000000100)=0x20) [ 393.234290][ T5] binder: undelivered transaction 1939, process died. [ 393.259261][ T5] binder: send failed reply for transaction 1930 to 22622:22625 [ 393.286133][T22754] binder: 22752:22754 got transaction to invalid handle [ 393.306610][ T5] binder: send failed reply for transaction 1932, target dead 15:42:46 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 393.359705][ T5] binder: undelivered transaction 1935, process died. [ 393.370645][ T5] binder: send failed reply for transaction 1936 to 22628:22630 [ 393.378705][T22770] binder: BINDER_SET_CONTEXT_MGR already set [ 393.385267][T22770] binder: 22769:22770 ioctl 40046207 0 returned -16 15:42:46 executing program 5: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r7, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162) ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac) flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e) 15:42:46 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpu.stat\x00', 0x0, 0x0) ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-control\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r1, 0xc0145401, &(0x7f0000000080)={0x0, 0x3, 0x8000, 0x1}) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c623affabe9be69345821654a7cddea1f5fa888c7c0dab83a19757e15ee44a404e2c919942320107c6809000000000000000817672a7bc339265b048456dda9277988fb1facb8847ce54d5bfce592fee93722295ef4b8104d71a09f0e8257b892931c1484b80c91628bcc5853b48bf881d7f2372a5a4aa71ca00e09656e6a400cbfe8a90fd772fdc45fc1b2711a650d64941d624f83f74597dd555167e4714e77b60000000000000000000000005cadc51839d575"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 393.475031][T22817] binder_alloc: binder_alloc_mmap_handler: 22769 20001000-20004000 already mapped failed -16 15:42:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0x0, 0x802) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 393.559453][ T7807] binder: release 22769:22770 transaction 1947 out, still active [ 393.582123][T22875] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'. [ 393.593528][ T7807] binder: unexpected work type, 4, not freed 15:42:46 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 393.636620][ T7807] binder: undelivered transaction 1950, process died. [ 393.673992][ T7807] binder: send failed reply for transaction 1941 to 22752:22754 [ 393.682685][T22885] binder: 22882:22885 got transaction to invalid handle [ 393.707912][ T7807] binder: send failed reply for transaction 1943 to 22769:22817 [ 393.718833][T22891] binder_alloc: binder_alloc_mmap_handler: 22886 20001000-20004000 already mapped failed -16 [ 393.730301][ T7807] binder: undelivered transaction 1946, process died. [ 393.741966][ T7807] binder: send failed reply for transaction 1947, target dead [ 393.750610][T22889] binder: BINDER_SET_CONTEXT_MGR already set 15:42:46 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 393.759449][T22889] binder: 22886:22889 ioctl 40046207 0 returned -16 [ 393.797587][ T7807] binder: undelivered transaction 1958, process died. 15:42:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$TIOCNXCL(r2, 0x540d) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 15:42:46 executing program 5: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r7, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162) ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac) flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e) [ 393.819450][T22891] binder_transaction: 18 callbacks suppressed [ 393.819467][T22891] binder: 22886:22891 transaction failed 29189/-22, size 24-8 line 2994 15:42:46 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/schedule_icmp\x00', 0x2, 0x0) setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0x7, &(0x7f0000000140)={0x8, 0x3, 0xfffffffffffffffd, 0x9}, 0x10) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000000)='ceph\x00', 0x2000, 0x0) mount(&(0x7f0000000180)=ANY=[@ANYBLOB="2f6465f600000000703000"], &(0x7f00000001c0)='./file0\x00', &(0x7f0000000240)='bfs\x00', 0x1, &(0x7f0000000280)='ppp1system^\xb1-}mime_typelo\'(&\x00') symlink(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='./file0\x00') 15:42:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:46 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 393.911470][T22998] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'. 15:42:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="ff4723f0ad73e67b"], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) r2 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x80000, 0x0) ioctl$EVIOCGMASK(r2, 0x80104592, &(0x7f0000000080)={0x15, 0x84, &(0x7f0000000140)="ca8d128362a70e26ea333cb3f7ec833c3703fbb4069b52bd6eadd7ecbc516b240ac45a042cd3950a28562f1537efc7bec1a3ab7792c2e25bebd37f9246c1fed7739602fba8bd43df80fe40ecc462d0bb084fd20cfeb7b3cbb07524aa025053bad5bc181452afa29991698fa89e73b101c355eb9e114196ce59813f6bf0cd946d23914a17"}) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcs\x00', 0x448002, 0x0) setsockopt$inet6_tcp_TCP_CONGESTION(r3, 0x6, 0xd, &(0x7f0000000100)='illinois\x00', 0x9) ioctl$KVM_S390_VCPU_FAULT(r3, 0x4004ae52, &(0x7f0000000000)=0x4) [ 393.991822][T23007] binder: 23005:23007 got transaction to invalid handle 15:42:47 executing program 2: setxattr$security_ima(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.ima\x00', &(0x7f0000000140)=@v2={0x7, 0x1, 0x3, 0x7fffffff, 0x5a, "2a5946fe9d02273823c943c6209977e1b35c1a410e6efca0ac47a30d4950a64bfafd83df29505f6f71ae63668efda63735d771866b9cbb1ce3da157e3fc44499ed98359c2140f97dc32132729f39d8d0a45d2e1e9245b8c6a6a0"}, 0x64, 0x2) r0 = socket(0x5, 0x6, 0x100) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(0xffffffffffffffff, 0x84, 0x18, &(0x7f00000000c0)={0x0, 0x6}, &(0x7f00000001c0)=0x8) setsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000240)={r1, 0x6619}, 0x8) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r0, 0x84, 0x77, &(0x7f0000000280)={r1, 0x8, 0x2, [0x4, 0x7]}, &(0x7f00000002c0)=0xc) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) 15:42:47 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 394.041187][T23007] binder: 23005:23007 transaction failed 29201/-22, size 0-0 line 2994 [ 394.046519][T23015] binder: BINDER_SET_CONTEXT_MGR already set [ 394.128472][T23015] binder: 23014:23015 ioctl 40046207 0 returned -16 15:42:47 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 394.192211][T23067] binder_alloc: binder_alloc_mmap_handler: 23014 20001000-20004000 already mapped failed -16 15:42:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 15:42:47 executing program 5: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r7, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162) ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac) 15:42:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x14100, 0x0) ioctl$VHOST_SET_VRING_BASE(r1, 0x4008af12, &(0x7f0000000040)={0x0, 0x9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_NR_MMU_PAGES(r2, 0xae44, 0x4) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 394.237586][T23015] binder: BINDER_SET_CONTEXT_MGR already set [ 394.299419][T23015] binder: 23014:23015 ioctl 40046207 0 returned -16 [ 394.299443][ T12] binder: release 23005:23007 transaction 1961 out, still active [ 394.315445][T23133] binder: BINDER_SET_CONTEXT_MGR already set [ 394.336055][T23137] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'. 15:42:47 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 394.339048][T23133] binder: 23131:23133 ioctl 40046207 0 returned -16 [ 394.348028][ T12] binder: send failed reply for transaction 1961, target dead [ 394.358167][T23134] binder: 23014:23134 transaction failed 29189/-22, size 24-8 line 2994 [ 394.368423][ T12] binder: undelivered transaction 1966, process died. [ 394.394948][T23015] binder: 23014:23015 transaction failed 29189/-22, size 24-0 line 2994 [ 394.436429][ T2597] binder_release_work: 37 callbacks suppressed [ 394.436436][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 394.458965][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 15:42:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="0000007c87d08b923de854af81df9a0000000000"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) 15:42:47 executing program 5: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r7 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r7, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r7, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r6, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r7, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162) 15:42:47 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x0, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 394.488312][ T2597] binder: undelivered TRANSACTION_ERROR: 29189 [ 394.595779][T23256] binder_alloc: binder_alloc_mmap_handler: 23249 20001000-20004000 already mapped failed -16 [ 394.609721][T23254] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'. 15:42:47 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) 15:42:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 394.643185][T23251] binder: BINDER_SET_CONTEXT_MGR already set [ 394.649222][T23251] binder: 23249:23251 ioctl 40046207 0 returned -16 [ 394.653391][T23256] binder_alloc: 23249: binder_alloc_buf, no vma 15:42:47 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x0, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 394.687035][T23256] binder: 23249:23256 transaction failed 29189/-3, size 24-8 line 3147 15:42:47 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b642f3a5d3a2f6c6c623aff"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 394.774592][ T12] binder: undelivered transaction 1973, process died. [ 394.792671][T23267] binder: 23263:23267 got new transaction with bad transaction stack, transaction 1976 has target 23263:0 [ 394.811795][ T12] binder: undelivered TRANSACTION_ERROR: 29189 15:42:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB="2478d399dbecfe680000000000781935d04a2e00000085a2"]], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x22b, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0}) [ 394.822530][ T12] binder_release_work: 27 callbacks suppressed [ 394.822535][ T12] binder: undelivered TRANSACTION_COMPLETE [ 394.837245][T23267] binder: 23263:23267 transaction failed 29201/-71, size 0-0 line 3044 [ 394.862650][T23272] ceph: device name is missing path (no : separator in [d/:]:/llb:ÿ) 15:42:47 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x0, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) [ 394.864820][ T12] binder: undelivered TRANSACTION_COMPLETE [ 394.878882][T23275] binder: BINDER_SET_CONTEXT_MGR already set [ 394.897223][ T12] binder: undelivered TRANSACTION_ERROR: 29189 15:42:47 executing program 2: mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=ANY=[@ANYBLOB], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = dup2(0xffffffffffffffff, 0xffffffffffffff9c) name_to_handle_at(r0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000240)={0xcd, 0x9, "f4f4f39996471021802fe288324ffbce159c9b0c0226fd999030d364e5f7d681e2e30206def719353e0992990436fc2d768ff6d01d68adb1fe91311e3bbcdbd6d429ab65cf3467e712c2e66033cb07924a29e95fb0b16867c4ece939097f4921612aedbe58a8503d7eeb00ba1e6c66d25b151c1a9601d20a8413e2678779e28a83eb462afbd3c2b89f8ab064637e52b58cc5f9f1f073a31fa6ef75d89690ce1d5c2bfed99214d37f8382f18df36cc191fc10e895eae47bef6b9b8049dd38b87775e2c39068"}, &(0x7f0000000040), 0x0) 15:42:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_GET_XCRS(r2, 0x8188aea6, &(0x7f0000000000)=ANY=[@ANYBLOB="0500000006000000ffffff7f0000000007640000000000000300000000000000dc0e00000000000003000000000000004e0100000000000001000080000000000600000000000000d0000000000000000208000000000000"]) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) setsockopt$inet6_icmp_ICMP_FILTER(r2, 0x1, 0x1, &(0x7f0000000080)={0x3}, 0x4) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 394.937943][T23275] binder: 23273:23275 ioctl 40046207 0 returned -16 [ 394.938532][T23336] ------------[ cut here ]------------ [ 394.950047][T23336] kernel BUG at drivers/android/binder_alloc.c:1141! 15:42:47 executing program 5: r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10) openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) r7 = creat(&(0x7f0000000200)='./file0\x00', 0x40) setsockopt$inet6_udp_encap(r7, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000}) openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0) ioctl$KVM_HAS_DEVICE_ATTR(r7, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1}) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0) ioctl$KVM_RUN(r6, 0xae80, 0x0) ioctl$KVM_SET_XCRS(r7, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]}) 15:42:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 395.019138][ T12] binder: undelivered TRANSACTION_COMPLETE [ 395.040495][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 395.063414][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 395.081979][T23336] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 395.082511][T23275] binder: 23273:23275 transaction failed 29189/-22, size 24-0 line 2994 [ 395.088214][T23336] CPU: 0 PID: 23336 Comm: syz-executor.3 Not tainted 5.1.0-rc2+ #40 [ 395.088222][T23336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 395.088244][T23336] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 395.088264][T23336] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 4f f4 23 fc 4c 89 e6 4c 89 ef e8 64 f5 23 fc 4d 39 e5 76 07 e8 3a f4 23 fc <0f> 0b e8 33 f4 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 41 [ 395.098602][T23386] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'. [ 395.104587][T23336] RSP: 0000:ffff8880591c76d8 EFLAGS: 00010216 [ 395.104599][T23336] RAX: 0000000000040000 RBX: 0000000020001008 RCX: ffffc9000c64b000 [ 395.104606][T23336] RDX: 000000000000036a RSI: ffffffff854c7d46 RDI: 0000000000000006 [ 395.104613][T23336] RBP: ffff8880591c7758 R08: ffff8880572a8440 R09: 0000000000000028 [ 395.104619][T23336] R10: ffffed100b238f32 R11: ffff8880591c7997 R12: 0000000000000020 [ 395.104627][T23336] R13: 0000000000000028 R14: ffff88808f769d10 R15: 0000000000000000 [ 395.104639][T23336] FS: 0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f5dd3b40 [ 395.104657][T23336] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 395.121558][ T3876] kobject: 'loop1' (0000000064106c60): kobject_uevent_env [ 395.140928][T23336] CR2: 0000000030223000 CR3: 00000000941a3000 CR4: 00000000001426f0 [ 395.140939][T23336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 395.140946][T23336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 395.140950][T23336] Call Trace: [ 395.140977][T23336] ? memcpy+0x46/0x50 [ 395.141001][T23336] binder_alloc_copy_from_buffer+0x37/0x42 [ 395.225101][T23393] ceph: device name is missing path (no : separator in M) [ 395.227052][T23336] binder_get_object+0xc3/0x200 [ 395.227079][T23336] binder_transaction+0x2b4a/0x6690 [ 395.244571][T23394] kobject: 'kvm' (000000002baf0604): kobject_uevent_env [ 395.246370][T23336] ? binder_thread_read+0x3d50/0x3d50 [ 395.262043][ T3876] kobject: 'loop1' (0000000064106c60): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 395.263308][T23336] ? __lock_acquire+0x548/0x3fb0 [ 395.263345][T23336] ? __might_fault+0x12b/0x1e0 [ 395.263369][T23336] ? lock_downgrade+0x880/0x880 [ 395.272856][ T3876] kobject: 'loop2' (000000006b36aef2): kobject_uevent_env [ 395.273463][T23336] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 395.280420][ T3876] kobject: 'loop2' (000000006b36aef2): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 395.285795][T23336] ? _copy_from_user+0xdd/0x150 [ 395.285814][T23336] binder_thread_write+0x64a/0x2820 [ 395.285834][T23336] ? binder_transaction+0x6690/0x6690 [ 395.285849][T23336] ? __might_fault+0x12b/0x1e0 [ 395.285874][T23336] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 395.314251][T23393] ceph: device name is missing path (no : separator in M) [ 395.317710][T23336] ? _copy_from_user+0xdd/0x150 [ 395.317730][T23336] binder_ioctl+0x1033/0x183b [ 395.317754][T23336] ? binder_thread_write+0x2820/0x2820 [ 395.334561][T23394] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 395.339058][T23336] ? __fget+0x381/0x550 [ 395.339075][T23336] ? ksys_dup3+0x3e0/0x3e0 [ 395.339098][T23336] ? get_old_timespec32+0x200/0x200 [ 395.359615][T23399] kobject: 'kvm' (000000002baf0604): kobject_uevent_env [ 395.360702][T23336] ? tomoyo_file_ioctl+0x23/0x30 [ 395.360726][T23336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 395.378291][T23385] kobject: 'kvm' (000000002baf0604): kobject_uevent_env 15:42:48 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x0, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) 15:42:48 executing program 2: mkdir(&(0x7f00000001c0)='./file0\x00', 0x20000000000140) mount(&(0x7f0000000080)=ANY=[@ANYBLOB="4d001a00002b160000000000"], &(0x7f0000000000)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) r0 = accept4(0xffffffffffffffff, &(0x7f0000000140)=@x25, &(0x7f0000000040)=0x80, 0x80800) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f00000000c0)={0x0, 0xf82}, &(0x7f0000000200)=0x1) setsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000240)={r1, 0x5, 0x30}, 0xc) 15:42:48 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x0, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) 15:42:48 executing program 2: mount(&(0x7f0000000000)=ANY=[@ANYBLOB="f29e3c48a04620bcc1425bd6607d5f8d682f34295a2ca32cdbd0ef1e0f69"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 395.382847][T23336] ? security_file_ioctl+0x93/0xc0 [ 395.382866][T23336] ? binder_thread_write+0x2820/0x2820 [ 395.382881][T23336] __ia32_compat_sys_ioctl+0x197/0x620 [ 395.382904][T23336] do_fast_syscall_32+0x281/0xc98 [ 395.411417][T23399] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 395.413737][T23336] entry_SYSENTER_compat+0x70/0x7f [ 395.413749][T23336] RIP: 0023:0xf7ff8869 [ 395.413763][T23336] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 395.413778][T23336] RSP: 002b:00000000f5dd30cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036 [ 395.447183][T23387] kobject: 'kvm' (000000002baf0604): kobject_uevent_env [ 395.447990][T23336] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000c0306201 [ 395.447999][T23336] RDX: 0000000020000440 RSI: 0000000000000000 RDI: 0000000000000000 [ 395.448016][T23336] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 15:42:48 executing program 1: openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x0, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) 15:42:48 executing program 2: setxattr$security_selinux(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.selinux\x00', &(0x7f00000000c0)='system_u:object_r:xen_device_t:s0\x00', 0x22, 0x0) mkdir(&(0x7f0000000340)='./file0\x00', 0x0) mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0) [ 395.460968][T23385] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 395.462779][T23336] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 395.462787][T23336] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 395.462800][T23336] Modules linked in: [ 395.475858][T23336] ---[ end trace e04b6ab01cdeba88 ]--- [ 395.506358][T23387] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 395.521111][T23336] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 395.530857][ T3876] kobject: 'loop1' (0000000064106c60): kobject_uevent_env [ 395.532923][T23406] binder: 23405:23406 got new transaction with bad transaction stack, transaction 1981 has target 23405:0 [ 395.551564][ T3876] kobject: 'loop1' (0000000064106c60): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 395.558393][T23336] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 4f f4 23 fc 4c 89 e6 4c 89 ef e8 64 f5 23 fc 4d 39 e5 76 07 e8 3a f4 23 fc <0f> 0b e8 33 f4 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 41 [ 395.578029][ T3876] kobject: 'loop2' (000000006b36aef2): kobject_uevent_env [ 395.635628][T23387] kobject: 'kvm' (000000002baf0604): kobject_uevent_env [ 395.642611][T23406] binder: 23405:23406 transaction failed 29201/-71, size 0-0 line 3044 [ 395.657703][T23336] RSP: 0000:ffff8880591c76d8 EFLAGS: 00010216 [ 395.659676][T23387] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 395.667047][T23275] binder: BINDER_SET_CONTEXT_MGR already set [ 395.686804][T23336] RAX: 0000000000040000 RBX: 0000000020001008 RCX: ffffc9000c64b000 [ 395.702921][T23275] binder: 23273:23275 ioctl 40046207 0 returned -16 [ 395.710247][T23414] ------------[ cut here ]------------ [ 395.715755][T23414] kernel BUG at drivers/android/binder_alloc.c:1141! [ 395.724961][ T3876] kobject: 'loop2' (000000006b36aef2): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 395.733442][T23336] RDX: 000000000000036a RSI: ffffffff854c7d46 RDI: 0000000000000006 [ 395.737436][T23414] invalid opcode: 0000 [#2] PREEMPT SMP KASAN [ 395.744408][T23336] RBP: ffff8880591c7758 R08: ffff8880572a8440 R09: 0000000000000028 [ 395.749441][T23414] CPU: 1 PID: 23414 Comm: syz-executor.3 Tainted: G D 5.1.0-rc2+ #40 [ 395.749448][T23414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 395.749467][T23414] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 395.749481][T23414] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 4f f4 23 fc 4c 89 e6 4c 89 ef e8 64 f5 23 fc 4d 39 e5 76 07 e8 3a f4 23 fc <0f> 0b e8 33 f4 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 41 [ 395.749487][T23414] RSP: 0018:ffff888062ea76d8 EFLAGS: 00010212 [ 395.758091][T23336] R10: ffffed100b238f32 R11: ffff8880591c7997 R12: 0000000000000020 [ 395.766861][T23414] RAX: 0000000000040000 RBX: 0000000020001008 RCX: ffffc9000c84c000 [ 395.766869][T23414] RDX: 00000000000002db RSI: ffffffff854c7d46 RDI: 0000000000000006 [ 395.766875][T23414] RBP: ffff888062ea7758 R08: ffff888062454240 R09: 0000000000000028 [ 395.766882][T23414] R10: ffffed100c5d4f32 R11: ffff888062ea7997 R12: 0000000000000020 [ 395.766888][T23414] R13: 0000000000000028 R14: ffff8880905a4b50 R15: 0000000000000000 [ 395.766899][T23414] FS: 0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f5db2b40 [ 395.766907][T23414] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 395.766914][T23414] CR2: 0000000000000000 CR3: 00000000941a3000 CR4: 00000000001426e0 [ 395.766925][T23414] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 395.766931][T23414] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 395.766936][T23414] Call Trace: [ 395.766961][T23414] ? memcpy+0x46/0x50 [ 395.766980][T23414] binder_alloc_copy_from_buffer+0x37/0x42 [ 395.767002][T23414] binder_get_object+0xc3/0x200 [ 395.777943][T23336] R13: 0000000000000028 R14: ffff88808f769d10 R15: 0000000000000000 [ 395.783631][T23414] binder_transaction+0x2b4a/0x6690 [ 395.783658][T23414] ? binder_thread_read+0x3d50/0x3d50 [ 395.783675][T23414] ? mark_held_locks+0xf0/0xf0 [ 395.783687][T23414] ? mark_held_locks+0xf0/0xf0 [ 395.783703][T23414] ? __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 395.783716][T23414] ? binder_get_thread+0x1db/0x7c0 [ 395.783730][T23414] ? lock_downgrade+0x880/0x880 [ 395.783753][T23414] ? __might_fault+0xfb/0x1e0 [ 395.804085][T23336] FS: 0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f5dd3b40 [ 395.809550][T23414] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 395.809567][T23414] ? _copy_from_user+0xdd/0x150 [ 395.809586][T23414] binder_thread_write+0x64a/0x2820 [ 395.809613][T23414] ? binder_transaction+0x6690/0x6690 [ 395.818247][T23336] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 395.829070][T23414] ? kasan_check_write+0x14/0x20 [ 395.829086][T23414] ? do_raw_spin_lock+0x12a/0x2e0 [ 395.829105][T23414] ? __might_fault+0xfb/0x1e0 [ 395.829130][T23414] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 395.829144][T23414] ? _copy_from_user+0xdd/0x150 [ 395.829161][T23414] binder_ioctl+0x1033/0x183b [ 395.829179][T23414] ? binder_thread_write+0x2820/0x2820 [ 395.829201][T23414] ? __fget+0x381/0x550 [ 395.837872][T23336] CR2: 00000000081220f0 CR3: 00000000941a3000 CR4: 00000000001426f0 [ 395.845195][T23414] ? ksys_dup3+0x3e0/0x3e0 [ 395.845209][T23414] ? get_old_timespec32+0x200/0x200 [ 395.845227][T23414] ? tomoyo_file_ioctl+0x23/0x30 [ 395.845240][T23414] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 395.845255][T23414] ? security_file_ioctl+0x93/0xc0 [ 395.845272][T23414] ? binder_thread_write+0x2820/0x2820 [ 395.845287][T23414] __ia32_compat_sys_ioctl+0x197/0x620 [ 395.845313][T23414] do_fast_syscall_32+0x281/0xc98 [ 395.853973][T23336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 395.861364][T23414] entry_SYSENTER_compat+0x70/0x7f [ 395.861375][T23414] RIP: 0023:0xf7ff8869 [ 395.861390][T23414] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 395.861396][T23414] RSP: 002b:00000000f5db20cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036 [ 395.861408][T23414] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000c0306201 [ 395.861416][T23414] RDX: 0000000020000440 RSI: 0000000000000000 RDI: 0000000000000000 [ 395.861449][T23414] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 395.871455][T23336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 395.876981][T23414] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 395.876989][T23414] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 395.877001][T23414] Modules linked in: [ 395.890614][ T3876] kobject: 'loop5' (00000000fe1647a9): kobject_uevent_env [ 395.894725][T23336] Kernel panic - not syncing: Fatal exception [ 395.906265][ T3876] kobject: 'loop5' (00000000fe1647a9): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 395.909909][T23336] Kernel Offset: disabled [ 396.222266][T23336] Rebooting in 86400 seconds..