ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 654.232327][ T6552] binder: 6527:6552 ioctl c018620b 0 returned -14 [ 654.247275][ T2986] binder: release 6527:6552 transaction 2923 out, still active [ 654.266654][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 654.302013][ T6553] *** Guest State *** [ 654.309225][ T6553] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 654.323253][ T6553] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 654.334073][ T6553] CR3 = 0x0000000000000000 [ 654.339076][ T6553] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 654.347700][ T6558] binder: 6555:6558 ioctl c018620b 0 returned -14 [ 654.349762][ T6553] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 654.361671][ T6553] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 654.365927][ T6558] binder: 6555:6558 ERROR: BC_REGISTER_LOOPER called without request [ 654.378280][ T6553] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.387763][ T6553] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.402572][ T6553] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 654.412488][ T6553] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.421949][ T6553] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.431317][ T6553] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.440375][ T6553] GDTR: limit=0x00000000, base=0x0000000000000000 [ 654.450079][ T6553] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.459156][ T6553] IDTR: limit=0x00000000, base=0x0000000000000000 [ 654.468840][ T6553] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 654.477986][ T6553] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 654.486007][ T6553] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 654.494995][ T6553] Interruptibility = 00000000 ActivityState = 00000000 [ 654.502409][ T6553] *** Host State *** [ 654.506518][ T6553] RIP = 0xffffffff811b40b0 RSP = 0xffff88805984f8e0 [ 654.513597][ T6553] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 654.521064][ T6553] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 654.529925][ T6553] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 654.536901][ T6553] CR0=0000000080050033 CR3=0000000092a4b000 CR4=00000000001426e0 [ 654.546265][ T6553] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 654.554356][ T6553] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 654.561520][ T6553] *** Control State *** [ 654.565986][ T6553] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 654.574569][ T6553] EntryControls=0000d1ff ExitControls=002fefff [ 654.581187][ T6553] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 654.589200][ T6553] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 654.596832][ T6553] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 654.604400][ T6553] reason=80000021 qualification=0000000000000000 [ 654.612222][ T6553] IDTVectoring: info=00000000 errcode=00000000 [ 654.639520][ T7808] binder: send failed reply for transaction 2919 to 6543:6548 17:33:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1b, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:25 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 654.650973][ T6553] TSC Offset = 0xfffffe9f90361fd4 [ 654.650985][ T6553] EPT pointer = 0x000000005885101e [ 654.680001][ T7808] binder: send failed reply for transaction 2923, target dead [ 654.703625][ T7808] binder: send failed reply for transaction 2926 to 6555:6559 [ 654.741102][ T6566] binder: 6562:6566 transaction failed 29189/-22, size 24-8 line 2994 17:33:25 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0x8004ae98, 0x0) [ 654.760938][ T6566] binder: 6562:6566 BC_INCREFS_DONE u0000000000000000 no match 17:33:25 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:25 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 654.871841][ T6573] binder: 6564:6573 BC_INCREFS_DONE u0000000000000000 no match [ 654.918396][ T6575] binder: 6574:6575 ioctl c018620b 0 returned -14 [ 654.943219][ T6577] binder: 6576:6577 ioctl c018620b 0 returned -14 [ 654.995783][ T6580] *** Guest State *** [ 655.001242][ T6581] binder: 6576:6581 ioctl c0306201 0 returned -14 [ 655.001290][ T6582] binder: 6574:6582 got transaction with invalid offset (0, min 0 max 0) or object. [ 655.018268][ T6582] binder: 6574:6582 transaction failed 29201/-22, size 0-8 line 3241 [ 655.018609][ T6580] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 655.036482][ T6580] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 655.046429][ T6580] CR3 = 0x0000000000000000 [ 655.050868][ T6580] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 655.057699][ T6580] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 655.064680][ T6580] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 655.079636][ T6580] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.088951][ T6580] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.099442][ T6580] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 655.112551][ T6580] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.122230][ T6580] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.131628][ T6580] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.141990][ T6583] binder: 6555:6583 ioctl c018620b 0 returned -14 [ 655.143643][ T6580] GDTR: limit=0x00000000, base=0x0000000000000000 [ 655.158226][ T6559] binder: 6555:6559 ERROR: BC_REGISTER_LOOPER called without request [ 655.166711][ T6580] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.176786][ T2986] binder: release 6555:6583 transaction 2935 out, still active [ 655.185262][ T6580] IDTR: limit=0x00000000, base=0x0000000000000000 17:33:25 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630d}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 655.194695][ T6580] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.204076][ T6580] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 655.221648][ T6580] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 655.245850][ T6580] Interruptibility = 00000000 ActivityState = 00000000 [ 655.258276][ T6580] *** Host State *** [ 655.262978][ T6580] RIP = 0xffffffff811b40b0 RSP = 0xffff888053f4f8e0 [ 655.271195][ T6586] binder: 6584:6586 ioctl c018620b 0 returned -14 [ 655.278335][ T6580] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 655.286599][ T6580] FSBase=00007fe957ae9700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 655.295673][ T6580] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 655.303101][ T6580] CR0=0000000080050033 CR3=0000000053a25000 CR4=00000000001426f0 [ 655.311275][ T6580] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 655.319365][ T6580] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 655.326348][ T6580] *** Control State *** [ 655.330918][ T6580] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 655.339375][ T6580] EntryControls=0000d1ff ExitControls=002fefff [ 655.345870][ T6580] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 655.354108][ T6580] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 655.362043][ T6580] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 655.369803][ T6580] reason=80000021 qualification=0000000000000000 [ 655.377025][ T6580] IDTVectoring: info=00000000 errcode=00000000 [ 655.383656][ T6580] TSC Offset = 0xfffffe9f2e38145d [ 655.388938][ T6580] EPT pointer = 0x000000008b44501e 17:33:25 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0x8090ae81, 0x0) 17:33:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1b, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:26 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 655.567470][ T7808] binder: send failed reply for transaction 2931 to 6576:6581 [ 655.576555][ T7808] binder: send failed reply for transaction 2935, target dead [ 655.580834][ T6592] *** Guest State *** [ 655.588470][ T6592] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 655.590381][ T7808] binder: send failed reply for transaction 2938 to 6584:6587 [ 655.609176][ T6597] binder: 6594:6597 transaction failed 29189/-22, size 24-8 line 2994 [ 655.622998][ T6592] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 655.630497][ T6597] binder: 6594:6597 BC_INCREFS_DONE u0000000000000000 no match [ 655.650477][ T6592] CR3 = 0x0000000000000000 [ 655.658387][ T6592] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 655.691498][ T6592] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 655.702227][ T6592] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 655.710431][ T6592] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.720194][ T6592] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.730845][ T6592] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:33:26 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:26 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 655.741200][ T6601] binder: 6599:6601 ioctl c0306201 0 returned -14 [ 655.768619][ T6592] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.803369][ T6605] binder: 6603:6605 ioctl c018620b 0 returned -14 [ 655.815323][ T6592] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.842965][ T6607] binder: 6606:6607 ioctl c018620b 0 returned -14 [ 655.845889][ T6592] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.858636][ T6592] GDTR: limit=0x00000000, base=0x0000000000000000 [ 655.867996][ T6608] binder: 6603:6608 got transaction with invalid offset (0, min 0 max 0) or object. [ 655.877491][ T6592] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.877507][ T6592] IDTR: limit=0x00000000, base=0x0000000000000000 [ 655.877524][ T6592] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 655.877535][ T6592] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 655.877546][ T6592] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 655.877557][ T6592] Interruptibility = 00000000 ActivityState = 00000000 [ 655.877574][ T6592] *** Host State *** [ 655.886769][ T6608] binder: 6603:6608 transaction failed 29201/-22, size 0-8 line 3241 [ 655.911942][ T6592] RIP = 0xffffffff811b40b0 RSP = 0xffff8880521278e0 [ 655.935016][ T6609] binder: 6606:6609 ioctl c0306201 0 returned -14 [ 655.949627][ T6592] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 655.963721][ T6592] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 655.972667][ T6592] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 655.979709][ T6592] CR0=0000000080050033 CR3=0000000096f49000 CR4=00000000001426f0 [ 655.987866][ T6592] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 655.995841][ T6592] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 656.002881][ T6592] *** Control State *** [ 656.007397][ T6592] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 656.015154][ T6592] EntryControls=0000d1ff ExitControls=002fefff [ 656.021617][ T6592] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 656.029608][ T6592] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 656.037342][ T6592] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 656.045425][ T6592] reason=80000021 qualification=0000000000000000 [ 656.052855][ T6592] IDTVectoring: info=00000000 errcode=00000000 [ 656.059290][ T6592] TSC Offset = 0xfffffe9ee25ee808 [ 656.065264][ T6587] binder: 6584:6587 ioctl c018620b 0 returned -14 [ 656.065986][ T6592] EPT pointer = 0x0000000090c8f01e [ 656.080118][ T7808] binder: release 6584:6611 transaction 2947 out, still active 17:33:26 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x6312}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:26 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0x8138ae83, 0x0) [ 656.195735][ T6617] binder: 6615:6617 ioctl c018620b 0 returned -14 [ 656.220108][ T6617] binder: 6615:6617 unknown command 25362 [ 656.236087][ T6617] binder: 6615:6617 ioctl c0306201 20000140 returned -22 [ 656.291135][ T6620] binder: 6615:6620 BC_INCREFS_DONE node 2951 has no pending increfs request [ 656.338048][ T6618] *** Guest State *** [ 656.342474][ T6618] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 656.353126][ T6618] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 17:33:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x20, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e0"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 656.381017][ T6618] CR3 = 0x0000000000000000 [ 656.385811][ T6618] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 656.393922][ T6618] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 656.401071][ T6618] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 656.409108][ T6618] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 656.426010][ T6618] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 656.436063][ T6618] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 656.445824][ T6618] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:26 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 656.471542][ T6618] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 656.484886][ T7808] binder: send failed reply for transaction 2944 to 6606:6609 [ 656.492679][ T7808] binder: send failed reply for transaction 2947, target dead [ 656.501135][ T6618] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 656.511110][ T6625] binder: 6623:6625 transaction failed 29189/-22, size 24-8 line 2994 [ 656.520125][ T7808] binder: send failed reply for transaction 2950 to 6615:6617 [ 656.529095][ T6620] binder: 6615:6620 ioctl c018620b 0 returned -14 [ 656.529264][ T6618] GDTR: limit=0x00000000, base=0x0000000000000000 [ 656.541099][ T6617] binder: 6615:6617 unknown command 25362 [ 656.545287][ T6625] binder_thread_write: 2 callbacks suppressed [ 656.545299][ T6625] binder: 6623:6625 BC_INCREFS_DONE u0000000000000000 no match [ 656.556885][ T6618] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 656.587784][ T6627] binder: 6615:6627 BC_INCREFS_DONE u0000000000000000 no match [ 656.593099][ T6620] binder: 6615:6620 transaction failed 29189/-22, size 24-8 line 2994 [ 656.599270][ T7808] binder_release_work: 6 callbacks suppressed [ 656.599279][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 17:33:27 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:27 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 656.627816][ T6617] binder: 6615:6617 ioctl c0306201 20000140 returned -22 [ 656.649878][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 656.650497][ T6618] IDTR: limit=0x00000000, base=0x0000000000000000 17:33:27 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046302}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 656.717594][ T6633] binder: 6632:6633 ioctl c018620b 0 returned -14 [ 656.727590][ T6636] binder: 6635:6636 ioctl c018620b 0 returned -14 [ 656.736963][ T6631] binder: 6628:6631 ioctl c0306201 0 returned -14 [ 656.740195][ T6618] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 656.762233][ T6631] binder: 6628:6631 BC_INCREFS_DONE u0000000000000000 no match [ 656.765767][ T6618] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 656.782233][ T6637] binder: 6632:6637 got transaction with invalid offset (0, min 0 max 24) or object. [ 656.805330][ T6637] binder: 6632:6637 transaction failed 29201/-22, size 24-8 line 3241 [ 656.818053][ T6618] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 656.823996][ T6640] binder: 6638:6640 ioctl c018620b 0 returned -14 [ 656.835061][ T6642] binder: 6632:6642 BC_INCREFS_DONE u0000000000000000 no match [ 656.836514][ T6618] Interruptibility = 00000000 ActivityState = 00000000 [ 656.850555][ T6640] binder: BC_ACQUIRE_RESULT not supported [ 656.857264][ T6640] binder: 6638:6640 ioctl c0306201 20000140 returned -22 [ 656.863618][ T6618] *** Host State *** [ 656.868875][ T6618] RIP = 0xffffffff811b40b0 RSP = 0xffff88808c28f8e0 [ 656.877461][ T6618] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 656.885014][ T6618] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 656.893874][ T6618] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 656.900589][ T6618] CR0=0000000080050033 CR3=0000000054a70000 CR4=00000000001426e0 [ 656.908537][ T6618] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 656.916340][ T6643] binder: 6638:6643 BC_INCREFS_DONE node 2961 has no pending increfs request [ 656.925479][ T6618] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 656.932642][ T6618] *** Control State *** [ 656.937016][ T6618] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 656.944713][ T6618] EntryControls=0000d1ff ExitControls=002fefff [ 656.951027][ T6618] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 656.958977][ T6618] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 17:33:27 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0x81a0ae8c, 0x0) [ 656.966751][ T6618] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 656.974489][ T6618] reason=80000021 qualification=0000000000000000 [ 656.981721][ T6618] IDTVectoring: info=00000000 errcode=00000000 [ 656.988172][ T6618] TSC Offset = 0xfffffe9e7d2362d7 [ 656.994326][ T6618] EPT pointer = 0x000000004f05501e [ 657.143646][ T6648] *** Guest State *** [ 657.148594][ T6648] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 657.164123][ T6648] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 657.174712][ T6648] CR3 = 0x0000000000000000 [ 657.179619][ T6648] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 657.187057][ T6648] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 657.194296][ T6648] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 657.202410][ T6648] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.211925][ T6648] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.221426][ T6648] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:33:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x20, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e0"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 657.242989][ T6648] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.267683][ T6648] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.278926][ T6648] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.297054][ T6648] GDTR: limit=0x00000000, base=0x0000000000000000 [ 657.306107][ T6648] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.315391][ T6648] IDTR: limit=0x00000000, base=0x0000000000000000 [ 657.329075][ T6648] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 657.338090][ T6648] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 657.349378][ T6648] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 657.357956][ T6648] Interruptibility = 00000000 ActivityState = 00000000 [ 657.365812][ T6648] *** Host State *** [ 657.369981][ T6648] RIP = 0xffffffff811b40b0 RSP = 0xffff8880521278e0 [ 657.379056][ T6648] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 657.387123][ T6648] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 657.396669][ T6648] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 657.403558][ T6648] CR0=0000000080050033 CR3=0000000054a70000 CR4=00000000001426f0 [ 657.412091][ T6648] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 657.420262][ T6648] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 657.436331][ T6648] *** Control State *** 17:33:27 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 657.446531][ T6648] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 657.457969][ T7808] binder: send failed reply for transaction 2957 to 6635:6641 [ 657.465495][ T7808] binder: send failed reply for transaction 2960 to 6638:6640 [ 657.473557][ T6648] EntryControls=0000d1ff ExitControls=002fefff [ 657.475436][ T6643] binder: 6638:6643 ioctl c018620b 0 returned -14 17:33:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1c, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d42683455"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 657.496825][ T6648] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 657.510022][ T6640] binder: BC_ACQUIRE_RESULT not supported [ 657.529811][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:28 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 657.543811][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 657.553888][ T6640] binder: 6638:6640 ioctl c0306201 20000140 returned -22 [ 657.553918][ T6648] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 17:33:28 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 657.620386][ T6660] binder: 6638:6660 BC_INCREFS_DONE u0000000000000000 no match [ 657.646286][ T6648] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 657.662869][ T6648] reason=80000021 qualification=0000000000000000 [ 657.670198][ T6648] IDTVectoring: info=00000000 errcode=00000000 [ 657.676520][ T6648] TSC Offset = 0xfffffe9e09006cb3 [ 657.692877][ T6667] binder: 6656:6667 ioctl c0306201 0 returned -14 [ 657.693238][ T6664] binder: 6663:6664 ioctl c018620b 0 returned -14 [ 657.711263][ T6667] binder: 6656:6667 BC_INCREFS_DONE u0000000000000000 no match [ 657.713073][ T6648] EPT pointer = 0x0000000087df201e [ 657.729021][ T6666] binder: 6665:6666 ioctl c018620b 0 returned -14 17:33:28 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046304}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:28 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xc0045878, 0x0) [ 657.815798][ T6671] binder: 6663:6671 got transaction with invalid offset (0, min 0 max 24) or object. [ 657.839515][ T6674] binder: 6673:6674 ioctl c018620b 0 returned -14 [ 657.862156][ T6671] binder: 6663:6671 transaction failed 29201/-22, size 24-8 line 3241 [ 657.885763][ T6676] binder: 6663:6676 BC_INCREFS_DONE u0000000000000000 no match [ 657.940785][ T6680] *** Guest State *** [ 657.945260][ T6680] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 657.956870][ T6680] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 657.980526][ T6680] CR3 = 0x0000000000000000 [ 657.988993][ T6680] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 657.996498][ T6680] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 658.003967][ T6680] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 658.012293][ T6680] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.021877][ T6680] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.031307][ T6680] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 658.040513][ T6680] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.049517][ T6680] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.059660][ T6680] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.068829][ T6680] GDTR: limit=0x00000000, base=0x0000000000000000 [ 658.077925][ T6680] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.088021][ T6680] IDTR: limit=0x00000000, base=0x0000000000000000 [ 658.098059][ T6680] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.106842][ T6680] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 658.114029][ T6680] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 658.122323][ T6680] Interruptibility = 00000000 ActivityState = 00000000 [ 658.129315][ T6680] *** Host State *** [ 658.133356][ T6680] RIP = 0xffffffff811b40b0 RSP = 0xffff888056ac78e0 [ 658.140169][ T6680] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 658.147614][ T6680] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 658.156225][ T6680] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 658.162952][ T6680] CR0=0000000080050033 CR3=00000000a8b36000 CR4=00000000001426e0 [ 658.170738][ T6680] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 658.178300][ T6680] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 658.185937][ T6680] *** Control State *** [ 658.190120][ T6680] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 658.197718][ T6680] EntryControls=0000d1ff ExitControls=002fefff [ 658.205062][ T6680] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 658.213809][ T6680] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 658.221402][ T6680] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 658.229075][ T6680] reason=80000021 qualification=0000000000000000 [ 658.236201][ T6680] IDTVectoring: info=00000000 errcode=00000000 17:33:28 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xc0045878, 0x0) [ 658.242547][ T6680] TSC Offset = 0xfffffe9d9a3e604e [ 658.247608][ T6680] EPT pointer = 0x000000008fcde01e 17:33:28 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 658.414173][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 658.445324][ T6685] *** Guest State *** [ 658.474571][ T6685] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 658.506326][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:28 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:28 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 658.555351][ T6685] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 658.578077][ T6685] CR3 = 0x0000000000000000 [ 658.583849][ T6695] binder: 6692:6695 BC_INCREFS_DONE u0000000000000000 no match [ 658.596963][ T6685] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 658.605659][ T6697] binder: 6690:6697 BC_INCREFS_DONE u0000000000000000 no match [ 658.632314][ T6685] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 658.644111][ T6678] binder: 6673:6678 ioctl c018620b 0 returned -14 [ 658.652789][ T2986] binder: release 6673:6699 transaction 2981 out, still active [ 658.662537][ T6685] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 658.665348][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 658.687430][ T6702] binder: 6698:6702 ioctl c018620b 0 returned -14 [ 658.687676][ T6701] binder: 6700:6701 ioctl c018620b 0 returned -14 17:33:29 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046307}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 658.705600][ T6685] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.729745][ T6685] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.740956][ T6705] binder: 6704:6705 ioctl c018620b 0 returned -14 [ 658.750693][ T6685] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 658.760429][ T6707] binder: 6698:6707 got transaction with invalid offset (0, min 0 max 24) or object. [ 658.771249][ T6685] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.780576][ T6705] binder: 6704:6705 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 658.790684][ T6707] binder: 6698:6707 BC_INCREFS_DONE u0000000000000000 no match [ 658.798339][ T6685] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.798367][ T6685] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.798381][ T6685] GDTR: limit=0x00000000, base=0x0000000000000000 [ 658.798399][ T6685] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.798411][ T6685] IDTR: limit=0x00000000, base=0x0000000000000000 [ 658.798428][ T6685] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 658.798449][ T6685] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 658.860092][ T6685] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 658.868438][ T6685] Interruptibility = 00000000 ActivityState = 00000000 [ 658.875406][ T6685] *** Host State *** [ 658.879417][ T6685] RIP = 0xffffffff811b40b0 RSP = 0xffff888056e9f8e0 [ 658.886241][ T6685] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 658.893952][ T6685] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 658.902750][ T6685] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 658.909465][ T6685] CR0=0000000080050033 CR3=000000005198f000 CR4=00000000001426e0 [ 658.917253][ T6685] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 658.924804][ T6685] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 658.933665][ T6685] *** Control State *** [ 658.937859][ T6685] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 658.945426][ T6685] EntryControls=0000d1ff ExitControls=002fefff [ 658.951684][ T6685] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 658.959515][ T6685] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 658.967059][ T6685] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 658.974670][ T6685] reason=80000021 qualification=0000000000000000 [ 658.981802][ T6685] IDTVectoring: info=00000000 errcode=00000000 [ 658.987983][ T6685] TSC Offset = 0xfffffe9d59677a40 [ 658.994130][ T6685] EPT pointer = 0x00000000937ed01e 17:33:29 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xc0189436, 0x0) [ 659.150709][ T6714] *** Guest State *** [ 659.170403][ T6714] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 659.191049][ T6714] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 659.202658][ T6714] CR3 = 0x0000000000002000 [ 659.207535][ T6714] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 659.214976][ T6714] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 659.222671][ T6714] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 659.229617][ T6714] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 659.236601][ T6714] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 659.244200][ T6714] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 659.255431][ T6714] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 659.264369][ T6714] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 659.273289][ T6714] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 659.282281][ T6714] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 659.291271][ T6714] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:33:29 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 659.311496][ T6714] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 659.319367][ T2986] binder: send failed reply for transaction 2981, target dead [ 659.320954][ T6714] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 659.328183][ T2986] binder_send_failed_reply: 4 callbacks suppressed [ 659.328194][ T2986] binder: send failed reply for transaction 2984 to 6700:6701 17:33:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:29 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) [ 659.376876][ T2986] binder: send failed reply for transaction 2988 to 6704:6708 [ 659.389626][ T6714] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 659.412848][ T6714] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 659.458579][ T6714] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 659.485592][ T6721] binder: 6720:6721 ioctl c018620b 0 returned -14 [ 659.499772][ T6714] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:33:29 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 659.512494][ T6714] Interruptibility = 00000000 ActivityState = 00000000 [ 659.521055][ T6714] *** Host State *** [ 659.526824][ T6714] RIP = 0xffffffff811b40b0 RSP = 0xffff8880577878e0 [ 659.535454][ T6714] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 659.541292][ T6708] binder: 6704:6708 ioctl c018620b 0 returned -14 [ 659.544618][ T6714] FSBase=00007fe957ae9700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 659.559548][ T6708] binder: 6704:6708 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 659.578982][ T6714] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 659.587792][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 659.599088][ T6730] binder: 6729:6730 ioctl c018620b 0 returned -14 17:33:30 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086303}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 659.603119][ T6714] CR0=0000000080050033 CR3=0000000097c71000 CR4=00000000001426f0 [ 659.608235][ T7808] binder: release 6704:6726 transaction 2998 out, still active [ 659.614292][ T6714] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 659.630436][ T6714] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 659.638711][ T6714] *** Control State *** [ 659.643206][ T6714] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 659.651772][ T6714] EntryControls=0000d1ff ExitControls=002fefff [ 659.670892][ T6714] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 659.680829][ T6714] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 659.690252][ T6714] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 659.698367][ T6714] reason=80000021 qualification=0000000000000000 [ 659.706163][ T6714] IDTVectoring: info=00000000 errcode=00000000 [ 659.713316][ T6714] TSC Offset = 0xfffffe9cf4aa2724 [ 659.720025][ T6734] binder: 6732:6734 ioctl c018620b 0 returned -14 [ 659.726944][ T6714] EPT pointer = 0x000000005048401e [ 659.736346][ T6734] binder: 6732:6734 BC_FREE_BUFFER u0000000000000000 no match 17:33:30 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xc018ae85, 0x0) [ 659.906739][ T6740] *** Guest State *** [ 659.911060][ T6740] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 659.922492][ T6740] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 659.933358][ T6740] CR3 = 0x0000000000002000 [ 659.938711][ T6740] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 659.946202][ T6740] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 659.954233][ T6740] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 659.961652][ T6740] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 659.969429][ T6740] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 659.977603][ T6740] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 659.993205][ T6740] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.002896][ T6740] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.013484][ T6740] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.023602][ T6740] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.033307][ T6740] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.043665][ T6740] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 660.053538][ T6740] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 660.063177][ T6740] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 660.072722][ T6740] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 660.082202][ T6740] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 660.090172][ T6740] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 660.098989][ T6740] Interruptibility = 00000000 ActivityState = 00000000 [ 660.109051][ T6740] *** Host State *** [ 660.116153][ T6740] RIP = 0xffffffff811b40b0 RSP = 0xffff88804e96f8e0 [ 660.123784][ T6740] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 660.133427][ T6740] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 660.142598][ T6740] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 660.150318][ T6740] CR0=0000000080050033 CR3=000000004b082000 CR4=00000000001426e0 [ 660.158999][ T6740] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 660.166693][ T6740] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 660.174252][ T6740] *** Control State *** [ 660.178858][ T6740] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 660.186370][ T6740] EntryControls=0000d1ff ExitControls=002fefff [ 660.193149][ T6740] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 660.202128][ T6740] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 660.210083][ T6740] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 660.217408][ T6740] reason=80000021 qualification=0000000000000000 [ 660.227465][ T6740] IDTVectoring: info=00000000 errcode=00000000 [ 660.234375][ T6740] TSC Offset = 0xfffffe9c8f18a2af [ 660.240487][ T6740] EPT pointer = 0x00000000a9a4a01e 17:33:30 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 660.269163][ T2986] binder: send failed reply for transaction 2992 to 6722:6725 [ 660.299462][ T2986] binder: send failed reply for transaction 2995 to 6720:6727 17:33:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x14, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:30 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) [ 660.328562][ T2986] binder: send failed reply for transaction 2998, target dead 17:33:30 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xc020660b, 0x0) [ 660.372916][ T2986] binder: send failed reply for transaction 3001 to 6729:6733 17:33:30 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 660.434896][ T2986] binder: send failed reply for transaction 3002 to 6732:6735 [ 660.472273][ T6750] binder: 6749:6750 ioctl c018620b 0 returned -14 [ 660.474752][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 660.484746][ T6752] binder_transaction: 2 callbacks suppressed [ 660.484768][ T6752] binder: 6747:6752 transaction failed 29189/-22, size 24-8 line 2994 [ 660.500222][ T6735] binder: 6732:6735 ioctl c018620b 0 returned -14 [ 660.513103][ T6735] binder: 6732:6735 BC_FREE_BUFFER u0000000000000000 no match [ 660.532087][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 660.539598][ T2986] binder: release 6732:6755 transaction 3007 out, still active [ 660.548014][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 660.569231][ T6759] binder: 6756:6759 ioctl c018620b 0 returned -14 17:33:31 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x4008630a}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:31 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x2) [ 660.733709][ T6769] binder: 6768:6769 ioctl c018620b 0 returned -14 [ 660.752014][ T6769] binder: BC_ATTEMPT_ACQUIRE not supported [ 660.759135][ T6769] binder: 6768:6769 ioctl c0306201 20000140 returned -22 [ 660.774329][ T6771] *** Guest State *** [ 660.778561][ T6771] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 660.788815][ T6771] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 660.798793][ T6771] CR3 = 0x0000000000002000 [ 660.803404][ T6771] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 660.811308][ T6771] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 660.820063][ T6772] binder: 6768:6772 BC_INCREFS_DONE node 3015 has no pending increfs request [ 660.829172][ T6771] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 660.829186][ T6771] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 660.829201][ T6771] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 660.829224][ T6771] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 660.888954][ T6771] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.902692][ T6771] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.914728][ T6771] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.923573][ T6771] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.935101][ T6771] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 660.944372][ T6771] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 660.954522][ T6771] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 660.963911][ T6771] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 660.973304][ T6771] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 660.982468][ T6771] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 660.990062][ T6771] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 660.998692][ T6771] Interruptibility = 00000000 ActivityState = 00000000 [ 661.006168][ T6771] *** Host State *** [ 661.010300][ T6771] RIP = 0xffffffff811b40b0 RSP = 0xffff8880a4af78e0 [ 661.017491][ T6771] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 661.024820][ T6771] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 661.033773][ T6771] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 661.040735][ T6771] CR0=0000000080050033 CR3=000000008d429000 CR4=00000000001426f0 [ 661.048853][ T6771] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 661.056902][ T6771] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 661.063824][ T6771] *** Control State *** [ 661.069991][ T6771] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 661.078974][ T6771] EntryControls=0000d1ff ExitControls=002fefff [ 661.085506][ T6771] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 661.093601][ T6771] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 661.106988][ T6771] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 661.114971][ T6771] reason=80000021 qualification=0000000000000000 [ 661.122343][ T6771] IDTVectoring: info=00000000 errcode=00000000 [ 661.128747][ T6771] TSC Offset = 0xfffffe9c169bc344 [ 661.133794][ T6771] EPT pointer = 0x0000000056d6101e 17:33:31 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x3) 17:33:31 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x14, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 661.225683][ T7808] binder: send failed reply for transaction 3007, target dead [ 661.246769][ T7808] binder: send failed reply for transaction 3010 to 6749:6757 [ 661.268228][ T7808] binder: send failed reply for transaction 3013 to 6756:6764 17:33:31 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) [ 661.317797][ T7808] binder: send failed reply for transaction 3014 to 6768:6769 [ 661.326654][ T6769] binder: 6768:6769 ioctl c018620b 0 returned -14 [ 661.338918][ T6769] binder: BC_ATTEMPT_ACQUIRE not supported [ 661.339967][ T6772] binder: 6768:6772 transaction failed 29189/-22, size 24-8 line 2994 [ 661.360231][ T6780] *** Guest State *** [ 661.364570][ T6780] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 661.378081][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 661.397712][ T6780] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 17:33:31 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 661.421181][ T6788] binder: 6787:6788 ioctl c018620b 0 returned -14 [ 661.429357][ T6769] binder: 6768:6769 ioctl c0306201 20000140 returned -22 [ 661.458551][ T6780] CR3 = 0x0000000000000000 17:33:31 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086310}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 661.468729][ T6790] binder: 6782:6790 transaction failed 29189/-22, size 24-8 line 2994 [ 661.477564][ T6791] binder: 6787:6791 transaction failed 29189/-22, size 24-8 line 2994 [ 661.493201][ T6780] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 661.515062][ T6794] binder: 6793:6794 ioctl c018620b 0 returned -14 [ 661.546157][ T6780] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 661.580908][ T6780] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 661.588470][ T6780] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.598852][ T6780] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.608048][ T6799] binder: 6797:6799 ioctl c018620b 0 returned -14 [ 661.615155][ T6780] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 661.625547][ T6799] binder: 6797:6799 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 661.634178][ T6780] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.643186][ T6780] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.652165][ T6780] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.661109][ T6780] GDTR: limit=0x00000000, base=0x0000000000000000 [ 661.670487][ T6780] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.680343][ T6780] IDTR: limit=0x00000000, base=0x0000000000000000 [ 661.689551][ T6780] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 661.698656][ T6780] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 661.706071][ T6780] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 661.714465][ T6780] Interruptibility = 00000000 ActivityState = 00000000 [ 661.721609][ T6780] *** Host State *** [ 661.725645][ T6780] RIP = 0xffffffff811b40b0 RSP = 0xffff8880547078e0 [ 661.732581][ T6780] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 661.739846][ T6780] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 661.749102][ T6780] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 661.756218][ T6780] CR0=0000000080050033 CR3=0000000094a1b000 CR4=00000000001426e0 [ 661.764278][ T6780] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 661.772278][ T6780] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 661.779265][ T6780] *** Control State *** [ 661.783684][ T6780] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 661.791538][ T6780] EntryControls=0000d1ff ExitControls=002fefff [ 661.798501][ T6780] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 661.806405][ T6780] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 661.814229][ T6780] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 661.822715][ T6780] reason=80000021 qualification=0000000000000000 [ 661.830005][ T6780] IDTVectoring: info=00000000 errcode=00000000 [ 661.837433][ T6780] TSC Offset = 0xfffffe9bcebdf454 [ 661.843156][ T6780] EPT pointer = 0x0000000059e4801e 17:33:32 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4) [ 662.034305][ T6805] *** Guest State *** [ 662.038916][ T6805] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 662.049382][ T6805] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 662.060645][ T6805] CR3 = 0x0000000000002000 [ 662.065527][ T6805] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 662.073148][ T6805] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 662.080655][ T6805] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 662.098091][ T6805] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 662.124810][ T6805] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 17:33:32 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 662.133527][ T6805] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 662.153302][ T2986] binder: send failed reply for transaction 3021 to 6793:6798 [ 662.161072][ T6805] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.170232][ T6805] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.180932][ T6805] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.190804][ T6805] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.201967][ T6805] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.210939][ T6805] GDTR: limit=0x000007ff, base=0x0000000000001000 17:33:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x14, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:32 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 662.235764][ T6805] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 662.244510][ T6805] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 662.253445][ T6805] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 662.262480][ T6805] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 662.269717][ T6805] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 662.326627][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 662.332735][ T6805] Interruptibility = 00000000 ActivityState = 00000000 [ 662.332767][ T7808] binder_release_work: 4 callbacks suppressed [ 662.332774][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 662.351160][ T6805] *** Host State *** 17:33:32 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 662.383938][ T6800] binder: 6797:6800 ioctl c018620b 0 returned -14 [ 662.389525][ T6805] RIP = 0xffffffff811b40b0 RSP = 0xffff8880565978e0 [ 662.391448][ T6814] binder: 6813:6814 ioctl c018620b 0 returned -14 [ 662.406827][ T6815] binder: 6810:6815 transaction failed 29189/-22, size 24-8 line 2994 [ 662.417912][ T6800] binder: 6797:6800 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 662.430419][ T6817] binder: 6797:6817 transaction failed 29189/-22, size 24-8 line 2994 [ 662.436785][ T6805] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 662.440402][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 662.454330][ T6819] binder: 6816:6819 ioctl c018620b 0 returned -14 [ 662.467667][ T6805] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 662.476240][ T6805] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 17:33:32 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630e}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 662.476537][ T6820] binder: 6813:6820 transaction failed 29189/-22, size 24-8 line 2994 [ 662.491970][ T6821] binder_thread_write: 8 callbacks suppressed [ 662.491986][ T6821] binder: 6810:6821 BC_INCREFS_DONE u0000000000000000 no match [ 662.500825][ T6805] CR0=0000000080050033 CR3=00000000980cc000 CR4=00000000001426f0 [ 662.515011][ T6822] binder: 6807:6822 BC_INCREFS_DONE u0000000000000000 no match [ 662.529202][ T6820] binder: 6813:6820 BC_INCREFS_DONE u0000000000000000 no match [ 662.540333][ T6823] binder: 6816:6823 BC_INCREFS_DONE u0000000000000000 no match [ 662.552807][ T6825] binder: 6824:6825 ioctl c018620b 0 returned -14 [ 662.572679][ T6825] binder: 6824:6825 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 662.572914][ T6805] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 662.588753][ T6805] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 662.595977][ T6805] *** Control State *** [ 662.603177][ T6805] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 662.611109][ T6805] EntryControls=0000d1ff ExitControls=002fefff [ 662.617875][ T6805] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 662.626054][ T6805] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 17:33:33 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x5) [ 662.633901][ T6805] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 662.643422][ T6805] reason=80000021 qualification=0000000000000000 [ 662.650718][ T6805] IDTVectoring: info=00000000 errcode=00000000 [ 662.657805][ T6805] TSC Offset = 0xfffffe9b6b50c854 [ 662.664061][ T6805] EPT pointer = 0x000000008647501e [ 662.786636][ T6830] *** Guest State *** [ 662.791140][ T6830] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 662.801623][ T6830] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 662.811915][ T6830] CR3 = 0x0000000000002000 [ 662.816890][ T6830] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 662.824872][ T6830] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 662.833167][ T6830] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 662.840408][ T6830] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 662.847599][ T6830] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 662.855609][ T6830] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 662.865024][ T6830] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.874787][ T6830] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.884132][ T6830] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.911425][ T6830] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.931703][ T6830] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 662.941057][ T6830] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 662.950517][ T6830] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 662.962495][ T6830] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 662.972313][ T6830] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 662.981915][ T6830] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 662.989412][ T6830] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 662.997960][ T6830] Interruptibility = 00000000 ActivityState = 00000000 [ 663.005679][ T6830] *** Host State *** [ 663.009759][ T6830] RIP = 0xffffffff811b40b0 RSP = 0xffff8880565978e0 [ 663.016894][ T6830] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 663.024309][ T6830] FSBase=00007fe957b4c700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 663.033750][ T6830] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 663.040779][ T6830] CR0=0000000080050033 CR3=000000005a280000 CR4=00000000001426e0 [ 663.048787][ T6830] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 663.057613][ T6830] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 663.064733][ T6830] *** Control State *** [ 663.070529][ T6830] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 663.078101][ T6830] EntryControls=0000d1ff ExitControls=002fefff [ 663.084495][ T6830] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 663.092205][ T6830] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 663.099703][ T6830] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 663.107127][ T6830] reason=80000021 qualification=0000000000000000 [ 663.114372][ T6830] IDTVectoring: info=00000000 errcode=00000000 [ 663.121028][ T6830] TSC Offset = 0xfffffe9afdb23e94 17:33:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x16, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe1412"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 663.143022][ T6830] EPT pointer = 0x000000004ea5b01e 17:33:33 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6) 17:33:33 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:33 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 663.253483][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 663.272728][ T6840] binder: 6834:6840 transaction failed 29189/-22, size 24-8 line 2994 [ 663.283773][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:33:33 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 663.305192][ T6840] binder: 6834:6840 BC_INCREFS_DONE u0000000000000000 no match [ 663.356243][ T6827] binder: 6824:6827 ioctl c018620b 0 returned -14 [ 663.375863][ T6846] binder: 6844:6846 ioctl c018620b 0 returned -14 [ 663.383014][ T6847] binder: 6824:6847 transaction failed 29189/-22, size 24-8 line 2994 [ 663.400083][ T6827] binder: 6824:6827 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 663.428008][ T6846] binder: 6844:6846 transaction failed 29189/-22, size 24-8 line 2994 [ 663.428791][ T6851] binder: 6850:6851 ioctl c018620b 0 returned -14 [ 663.448563][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 663.455669][ T6853] binder: 6837:6853 BC_INCREFS_DONE u0000000000000000 no match [ 663.466149][ T6846] binder: 6844:6846 BC_INCREFS_DONE u0000000000000000 no match 17:33:33 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630f}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 663.476388][ T6849] *** Guest State *** [ 663.480426][ T6849] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 663.492486][ T6849] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 663.502988][ T6849] CR3 = 0x0000000000002000 [ 663.513891][ T6849] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 17:33:33 executing program 3: bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x4, 0x0, &(0x7f0000000700)="2ba063fb"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 663.522338][ T6855] binder: 6850:6855 BC_INCREFS_DONE u0000000000000000 no match [ 663.548562][ T6849] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 663.567042][ T6849] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 663.595476][ T6858] binder: 6856:6858 ioctl c018620b 0 returned -14 [ 663.602017][ T6849] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 663.602047][ T6849] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 663.602062][ T6849] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 663.602081][ T6849] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 663.602097][ T6849] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 663.602113][ T6849] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 663.602131][ T6849] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 663.602147][ T6849] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 663.602161][ T6849] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 663.602178][ T6849] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 663.603645][ T6849] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 663.627636][ T6858] binder: 6856:6858 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 663.675105][ T6860] binder: 6859:6860 ioctl c018620b 0 returned -14 [ 663.690025][ T6849] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 663.730646][ T6849] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 663.738727][ T6849] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 663.747245][ T6849] Interruptibility = 00000000 ActivityState = 00000000 [ 663.754685][ T6849] *** Host State *** [ 663.758914][ T6849] RIP = 0xffffffff811b40b0 RSP = 0xffff888059f778e0 [ 663.766287][ T6849] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 663.774097][ T6849] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 663.782907][ T6849] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 663.789755][ T6849] CR0=0000000080050033 CR3=00000000a54a3000 CR4=00000000001426e0 [ 663.797703][ T6849] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 663.805544][ T6849] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 663.812605][ T6849] *** Control State *** [ 663.816838][ T6849] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 663.824327][ T6849] EntryControls=0000d1ff ExitControls=002fefff [ 663.830840][ T6849] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 663.838575][ T6849] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 17:33:34 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x7) [ 663.846046][ T6849] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 663.853606][ T6849] reason=80000021 qualification=0000000000000000 [ 663.861719][ T6849] IDTVectoring: info=00000000 errcode=00000000 [ 663.867915][ T6849] TSC Offset = 0xfffffe9aaed1c77b [ 663.873058][ T6849] EPT pointer = 0x0000000087e7401e 17:33:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x16, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe1412"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 664.009646][ T6865] *** Guest State *** [ 664.020727][ T6865] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 664.040234][ T6865] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 664.058979][ T6865] CR3 = 0x0000000000002000 [ 664.064101][ T6865] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 664.071970][ T6865] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 664.089682][ T6865] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 17:33:34 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:34 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086303}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 664.122149][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 664.131516][ T6865] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 664.139546][ T6871] binder: 6869:6871 BC_INCREFS_DONE u0000000000000000 no match [ 664.160715][ T6865] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 664.202854][ T6865] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 664.230178][ T6865] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 664.242595][ T7808] binder: undelivered TRANSACTION_COMPLETE 17:33:34 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 664.245377][ T6865] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 664.248479][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 664.265530][ T6865] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 664.275189][ T6865] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 664.292001][ T6865] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 664.301386][ T6877] binder: 6876:6877 ioctl c018620b 0 returned -14 [ 664.310961][ T6877] binder: 6876:6877 BC_FREE_BUFFER u0000000000000000 no match [ 664.319614][ T6865] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 664.332159][ T6879] binder: 6873:6879 got transaction with invalid offset (0, min 0 max 0) or object. [ 664.341775][ T6865] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 664.341792][ T6865] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 664.341808][ T6865] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.341818][ T6865] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 664.341830][ T6865] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 664.341840][ T6865] Interruptibility = 00000000 ActivityState = 00000000 [ 664.341846][ T6865] *** Host State *** [ 664.341857][ T6865] RIP = 0xffffffff811b40b0 RSP = 0xffff8880a7c8f8e0 [ 664.341877][ T6865] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 664.341889][ T6865] FSBase=00007fe957b4c700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 664.341900][ T6865] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 664.341915][ T6865] CR0=0000000080050033 CR3=0000000097002000 CR4=00000000001426f0 [ 664.341930][ T6865] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 664.341942][ T6865] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 664.341947][ T6865] *** Control State *** [ 664.341957][ T6865] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 664.341964][ T6865] EntryControls=0000d1ff ExitControls=002fefff [ 664.341977][ T6865] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 664.341986][ T6865] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 664.341995][ T6865] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 664.342003][ T6865] reason=80000021 qualification=0000000000000000 [ 664.342011][ T6865] IDTVectoring: info=00000000 errcode=00000000 [ 664.342018][ T6865] TSC Offset = 0xfffffe9a5764740c [ 664.342028][ T6865] EPT pointer = 0x000000009104d01e [ 664.378711][ T6881] binder: 6880:6881 ioctl c018620b 0 returned -14 [ 664.403908][ T6861] binder: 6856:6861 ioctl c018620b 0 returned -14 [ 664.541536][ T6883] binder: 6873:6883 BC_INCREFS_DONE u0000000000000000 no match 17:33:34 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x8) [ 664.573775][ T6861] binder: 6856:6861 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 664.604778][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:35 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40106308}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 664.621000][ T7808] binder: release 6856:6884 transaction 3050 out, still active [ 664.697061][ T6891] binder: 6890:6891 ioctl c018620b 0 returned -14 [ 664.757474][ T6893] *** Guest State *** [ 664.762331][ T6893] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 664.772332][ T6893] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 664.782493][ T6893] CR3 = 0x0000000000000000 [ 664.787241][ T6893] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 664.794184][ T6893] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 664.802620][ T6893] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 664.827168][ T6893] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.836022][ T6893] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.846151][ T6893] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 664.856041][ T6893] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.864943][ T6893] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.873767][ T6893] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.882667][ T6893] GDTR: limit=0x00000000, base=0x0000000000000000 [ 664.891699][ T6893] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x16, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe1412"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 664.916819][ T6893] IDTR: limit=0x00000000, base=0x0000000000000000 [ 664.926972][ T6893] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 664.943345][ T6893] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 664.950664][ T6893] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 664.967458][ T6893] Interruptibility = 00000000 ActivityState = 00000000 [ 664.974860][ T6893] *** Host State *** [ 664.979048][ T6893] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b13f8e0 [ 664.985908][ T6893] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 664.993510][ T6893] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 665.001349][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 17:33:35 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 665.024558][ T6893] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 665.032298][ T6893] CR0=0000000080050033 CR3=00000000569d7000 CR4=00000000001426f0 [ 665.032850][ T7808] binder_send_failed_reply: 6 callbacks suppressed [ 665.032868][ T7808] binder: send failed reply for transaction 3047 to 6876:6882 [ 665.040935][ T6893] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 665.065218][ T7808] binder: send failed reply for transaction 3050, target dead 17:33:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x14, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:35 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086303}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 665.101365][ T7808] binder: send failed reply for transaction 3053 to 6880:6886 [ 665.150573][ T7808] binder: send failed reply for transaction 3054 to 6890:6894 [ 665.158751][ T6893] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 665.176579][ T6893] *** Control State *** [ 665.193638][ T6893] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca 17:33:35 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 665.201691][ T7808] binder: send failed reply for transaction 3057 to 6897:6899 [ 665.215056][ T6893] EntryControls=0000d1ff ExitControls=002fefff [ 665.224999][ T6907] binder: 6901:6907 got transaction with invalid offset (0, min 0 max 0) or object. [ 665.246280][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 665.248337][ T6910] binder: 6908:6910 ioctl c018620b 0 returned -14 [ 665.260341][ T6893] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 665.272603][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 665.273486][ T6893] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 665.289711][ T6913] binder: 6912:6913 ioctl c018620b 0 returned -14 [ 665.297536][ T6914] binder: 6908:6914 BC_FREE_BUFFER u0000000000000000 no match [ 665.297665][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 665.310776][ T6893] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 665.330998][ T6893] reason=80000021 qualification=0000000000000000 [ 665.339562][ T6893] IDTVectoring: info=00000000 errcode=00000000 [ 665.347156][ T6893] TSC Offset = 0xfffffe99f6dd9a1c 17:33:35 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x10) [ 665.353047][ T6893] EPT pointer = 0x0000000099b6101e [ 665.364979][ T6915] binder: 6912:6915 BC_INCREFS_DONE node 3069 has no pending increfs request [ 665.376823][ T6914] binder: 6908:6914 BC_INCREFS_DONE node 3066 has no pending increfs request [ 665.501456][ T6921] binder: 6890:6921 ioctl c018620b 0 returned -14 [ 665.511348][ T2986] binder: release 6890:6921 transaction 3071 out, still active [ 665.523609][ T6920] *** Guest State *** [ 665.534640][ T6920] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 17:33:35 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40106309}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 665.547753][ T6920] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 665.558249][ T6920] CR3 = 0x0000000000000000 [ 665.563682][ T6920] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 665.577709][ T6920] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 665.605631][ T6920] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 665.620018][ T6925] binder: 6924:6925 ioctl c018620b 0 returned -14 [ 665.626435][ T6920] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.638736][ T6920] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.648212][ T6920] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 665.657941][ T6920] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.667504][ T6920] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.677071][ T6920] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.687833][ T6920] GDTR: limit=0x00000000, base=0x0000000000000000 [ 665.697543][ T6920] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.707204][ T6920] IDTR: limit=0x00000000, base=0x0000000000000000 [ 665.716679][ T6920] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 665.726101][ T6920] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 665.733518][ T6920] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 665.742068][ T6920] Interruptibility = 00000000 ActivityState = 00000000 [ 665.749335][ T6920] *** Host State *** [ 665.753466][ T6920] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b13f8e0 [ 665.760474][ T6920] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 665.768414][ T6920] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 665.777517][ T6920] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 665.784428][ T6920] CR0=0000000080050033 CR3=00000000842f9000 CR4=00000000001426e0 [ 665.792409][ T6920] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 665.800132][ T6920] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 665.808649][ T6920] *** Control State *** [ 665.812954][ T6920] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 665.820565][ T6920] EntryControls=0000d1ff ExitControls=002fefff [ 665.826908][ T6920] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 665.834621][ T6920] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 665.842152][ T6920] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 665.849546][ T6920] reason=80000021 qualification=0000000000000000 17:33:36 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x11) [ 665.856686][ T6920] IDTVectoring: info=00000000 errcode=00000000 [ 665.862873][ T6920] TSC Offset = 0xfffffe998c3bea7b [ 665.868094][ T6920] EPT pointer = 0x0000000058e0901e 17:33:36 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 665.951621][ T2986] binder: send failed reply for transaction 3062 to 6905:6911 [ 665.959427][ T2986] binder: send failed reply for transaction 3065 to 6908:6910 [ 665.986830][ T2986] binder: send failed reply for transaction 3068 to 6912:6915 17:33:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 665.998073][ T2986] binder: send failed reply for transaction 3071, target dead [ 666.005625][ T2986] binder: send failed reply for transaction 3074 to 6924:6926 17:33:36 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 666.082446][ T7808] binder: undelivered TRANSACTION_COMPLETE 17:33:36 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 666.157259][ T6940] binder_transaction: 3 callbacks suppressed [ 666.157280][ T6940] binder: 6932:6940 transaction failed 29189/-22, size 24-8 line 2994 [ 666.178922][ T6937] *** Guest State *** [ 666.193965][ T6937] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 666.224790][ T6943] binder: 6933:6943 got transaction with invalid offset (0, min 0 max 0) or object. [ 666.241701][ T6945] binder: 6944:6945 ioctl c018620b 0 returned -14 [ 666.259340][ T6937] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 666.259420][ T6943] binder: 6933:6943 transaction failed 29201/-22, size 0-8 line 3241 [ 666.279500][ T6937] CR3 = 0x0000000000002000 [ 666.284892][ T6946] binder: BINDER_SET_CONTEXT_MGR already set [ 666.286640][ T6937] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 666.294939][ T6946] binder: 6938:6946 ioctl 40046207 0 returned -16 [ 666.300596][ T6937] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 666.319991][ T6947] binder: 6944:6947 BC_INCREFS_DONE node 3081 has no pending increfs request [ 666.321363][ T6937] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 666.331157][ T6946] binder: 6938:6946 got transaction with invalid offset (0, min 0 max 0) or object. [ 666.344909][ T6937] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 666.346344][ T6946] binder: 6938:6946 transaction failed 29201/-22, size 0-8 line 3241 [ 666.362721][ T6937] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 666.372414][ T6937] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 666.381760][ T6937] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 666.391512][ T6937] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 666.400818][ T6937] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 666.409985][ T6937] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 666.419494][ T6937] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 666.426268][ T6926] binder: 6924:6926 ioctl c018620b 0 returned -14 [ 666.428618][ T6937] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 666.445688][ T2986] binder: release 6924:6949 transaction 3084 out, still active [ 666.453888][ T6937] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 666.463104][ T6937] IDTR: limit=0x000001ff, base=0x0000000000003800 17:33:36 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406300}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 666.472384][ T6937] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 666.481599][ T6937] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 666.489766][ T6937] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 666.505042][ T6937] Interruptibility = 00000000 ActivityState = 00000000 [ 666.512817][ T6937] *** Host State *** [ 666.523834][ T6937] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b9e78e0 [ 666.532025][ T6952] binder: 6951:6952 ioctl c018620b 0 returned -14 [ 666.538898][ T6937] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 666.549672][ T6937] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 666.558659][ T6937] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 666.565608][ T6937] CR0=0000000080050033 CR3=000000009875f000 CR4=00000000001426e0 [ 666.574939][ T6937] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 666.582923][ T6937] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 666.589906][ T6937] *** Control State *** [ 666.594267][ T6937] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 666.602671][ T6937] EntryControls=0000d1ff ExitControls=002fefff [ 666.609613][ T6937] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 666.617566][ T6937] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 17:33:37 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x48) [ 666.625145][ T6937] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 666.632708][ T6937] reason=80000021 qualification=0000000000000000 [ 666.639880][ T6937] IDTVectoring: info=00000000 errcode=00000000 [ 666.646916][ T6937] TSC Offset = 0xfffffe993a35bedf [ 666.652076][ T6937] EPT pointer = 0x000000005313401e [ 666.824246][ T6957] *** Guest State *** [ 666.829000][ T6957] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 666.840584][ T6957] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 666.850652][ T6957] CR3 = 0x0000000000000000 [ 666.855437][ T6957] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 666.862559][ T6957] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 666.869560][ T6957] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 666.877259][ T6957] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 666.886281][ T6957] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 666.895468][ T6957] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:33:37 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 666.943411][ T2986] binder: send failed reply for transaction 3080 to 6944:6947 [ 666.953513][ T2986] binder: send failed reply for transaction 3084, target dead [ 666.968145][ T6957] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:37 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 667.012989][ T6957] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.015482][ T2986] binder: send failed reply for transaction 3087 to 6951:6952 [ 667.032477][ T6952] binder: 6951:6952 ioctl c018620b 0 returned -14 [ 667.040493][ T6957] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.056656][ T6966] binder: 6961:6966 transaction failed 29189/-22, size 24-8 line 2994 [ 667.074849][ T6953] binder: 6951:6953 transaction failed 29189/-22, size 24-8 line 2994 [ 667.099525][ T6957] GDTR: limit=0x00000000, base=0x0000000000000000 17:33:37 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 667.106257][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 667.113523][ T6952] binder: 6951:6952 transaction failed 29189/-22, size 0-0 line 2994 [ 667.141820][ T6957] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.166459][ T6975] binder: 6964:6975 got transaction with invalid offset (0, min 0 max 0) or object. [ 667.174143][ T6957] IDTR: limit=0x00000000, base=0x0000000000000000 [ 667.188058][ T6974] binder: 6973:6974 ioctl c018620b 0 returned -14 [ 667.195730][ T6957] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.204143][ T6975] binder: 6964:6975 transaction failed 29201/-22, size 0-8 line 3241 17:33:37 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406301}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 667.205489][ T6957] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 667.232685][ T6957] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 667.249277][ T6977] binder: 6973:6977 BC_INCREFS_DONE node 3097 has no pending increfs request [ 667.261881][ T6957] Interruptibility = 00000000 ActivityState = 00000000 [ 667.273897][ T6957] *** Host State *** [ 667.284277][ T6957] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b9e78e0 [ 667.293333][ T6980] binder: 6979:6980 ioctl c018620b 0 returned -14 [ 667.298241][ T6957] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 667.307281][ T6981] binder: BINDER_SET_CONTEXT_MGR already set [ 667.313919][ T6957] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 667.314888][ T6980] binder: 6979:6980 got reply transaction with no transaction stack [ 667.323475][ T6981] binder: 6969:6981 ioctl 40046207 0 returned -16 [ 667.338618][ T6957] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 667.344198][ T6980] binder: 6979:6980 transaction failed 29201/-71, size 0-0 line 2899 [ 667.345460][ T6957] CR0=0000000080050033 CR3=0000000085262000 CR4=00000000001426f0 [ 667.354826][ T6982] binder: 6969:6982 got transaction with invalid offset (0, min 0 max 0) or object. [ 667.362626][ T6957] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 667.380168][ T6957] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 667.382050][ T6982] binder: 6969:6982 transaction failed 29201/-22, size 0-8 line 3241 [ 667.387774][ T6957] *** Control State *** [ 667.400823][ T6957] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 667.408638][ T6983] binder: 6979:6983 ioctl c018620b 0 returned -14 [ 667.415183][ T6957] EntryControls=0000d1ff ExitControls=002fefff [ 667.415199][ T6957] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 667.415222][ T6957] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 667.423536][ T7808] binder: release 6979:6983 transaction 3101 out, still active [ 667.448525][ T6957] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 17:33:37 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40486311}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 667.460121][ T7808] binder: release 6979:6983 transaction 3104 out, still active [ 667.474179][ T6957] reason=80000021 qualification=0000000000000000 [ 667.498934][ T6957] IDTVectoring: info=00000000 errcode=00000000 17:33:37 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4c) [ 667.516632][ T6957] TSC Offset = 0xfffffe98db65b187 [ 667.525891][ T6957] EPT pointer = 0x00000000569d701e [ 667.546411][ T6986] binder: 6985:6986 ioctl c018620b 0 returned -14 [ 667.711750][ T6992] *** Guest State *** [ 667.722663][ T6992] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 667.733611][ T6992] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 667.744397][ T6992] CR3 = 0x0000000000000000 [ 667.749282][ T6992] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 667.756808][ T6992] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 667.764599][ T6992] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 667.774166][ T6992] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.789621][ T6992] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.799571][ T6992] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:33:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 667.810429][ T6992] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.819873][ T6992] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.829699][ T6992] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.839108][ T6992] GDTR: limit=0x00000000, base=0x0000000000000000 [ 667.849313][ T2986] binder_release_work: 10 callbacks suppressed [ 667.849322][ T2986] binder: undelivered TRANSACTION_ERROR: 29201 17:33:38 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 667.897481][ T7808] binder: send failed reply for transaction 3101, target dead [ 667.898621][ T6992] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 667.906009][ T7808] binder: send failed reply for transaction 3104, target dead [ 667.935947][ T6987] binder: 6985:6987 ioctl c018620b 0 returned -14 [ 667.944437][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 [ 667.964013][ T6992] IDTR: limit=0x00000000, base=0x0000000000000000 [ 667.964688][ T6986] binder: 6985:6986 transaction failed 29189/-22, size 0-0 line 2994 [ 667.977172][ T7808] binder: undelivered TRANSACTION_COMPLETE 17:33:38 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 668.002793][ T6992] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.011502][ T7000] binder_thread_write: 11 callbacks suppressed [ 668.011517][ T7000] binder: 6995:7000 BC_INCREFS_DONE u0000000000000000 no match [ 668.018301][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 668.036046][ T6992] EFER = 0x0000000000000000 PAT = 0x0007040600070406 17:33:38 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 668.059320][ T6992] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 668.070411][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 668.074472][ T7003] binder: 6985:7003 BC_INCREFS_DONE u0000000000000000 no match [ 668.100189][ T7006] binder: 6998:7006 got transaction with invalid offset (0, min 0 max 0) or object. [ 668.127546][ T6992] Interruptibility = 00000000 ActivityState = 00000000 [ 668.151593][ T6992] *** Host State *** [ 668.156756][ T6992] RIP = 0xffffffff811b40b0 RSP = 0xffff888050b378e0 [ 668.176446][ T7009] binder: 7008:7009 ioctl c018620b 0 returned -14 [ 668.178709][ T6992] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 17:33:38 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40486312}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 668.196336][ T6992] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 668.212160][ T6992] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 668.219336][ T6992] CR0=0000000080050033 CR3=00000000a8d1a000 CR4=00000000001426e0 [ 668.229241][ T6992] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 668.238077][ T7010] binder: BINDER_SET_CONTEXT_MGR already set [ 668.238752][ T6992] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 668.251560][ T6992] *** Control State *** [ 668.256386][ T6992] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 668.264440][ T6992] EntryControls=0000d1ff ExitControls=002fefff [ 668.271334][ T7010] binder: 7002:7010 ioctl 40046207 0 returned -16 [ 668.284393][ T7010] binder: 7002:7010 got transaction with invalid offset (0, min 0 max 0) or object. [ 668.305663][ T6992] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 668.310141][ T7014] binder: 7013:7014 ioctl c018620b 0 returned -14 [ 668.315156][ T6992] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 668.334521][ T7014] binder: 7013:7014 got reply transaction with no transaction stack [ 668.338208][ T6992] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 668.344017][ T7015] binder: 7002:7015 BC_INCREFS_DONE u0000000000000000 no match [ 668.360799][ T6992] reason=80000021 qualification=0000000000000000 [ 668.374661][ T6992] IDTVectoring: info=00000000 errcode=00000000 [ 668.383356][ T6992] TSC Offset = 0xfffffe985f42cab1 [ 668.393973][ T6992] EPT pointer = 0x00000000958b701e 17:33:38 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x60) [ 668.412869][ T7016] binder: 7013:7016 BC_INCREFS_DONE node 3122 has no pending increfs request [ 668.578633][ T7020] *** Guest State *** [ 668.583303][ T7020] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 668.593793][ T7020] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 668.603871][ T7020] CR3 = 0x0000000000000000 [ 668.608647][ T7020] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 668.615714][ T7020] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 668.622827][ T7020] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 668.630585][ T7020] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.639696][ T7020] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.648620][ T7020] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 668.657575][ T7020] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.670944][ T7020] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.679998][ T7020] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.688901][ T7020] GDTR: limit=0x00000000, base=0x0000000000000000 [ 668.698775][ T7020] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.708730][ T7020] IDTR: limit=0x00000000, base=0x0000000000000000 [ 668.717953][ T7020] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 668.727541][ T7020] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 668.735478][ T7020] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 668.744130][ T7020] Interruptibility = 00000000 ActivityState = 00000000 [ 668.751338][ T7020] *** Host State *** [ 668.755418][ T7020] RIP = 0xffffffff811b40b0 RSP = 0xffff88808ee5f8e0 [ 668.762401][ T7020] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 668.770497][ T7020] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 668.779355][ T7020] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 668.786915][ T7020] CR0=0000000080050033 CR3=00000000a8d1a000 CR4=00000000001426f0 [ 668.795562][ T7020] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 668.803754][ T7020] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 668.810764][ T7020] *** Control State *** 17:33:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x13, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 668.820809][ T2986] binder: undelivered TRANSACTION_ERROR: 29201 [ 668.832201][ T7020] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 668.854991][ T7020] EntryControls=0000d1ff ExitControls=002fefff 17:33:39 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 668.874782][ T7020] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 668.888479][ T7020] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 668.896950][ T7016] binder: 7013:7016 ioctl c018620b 0 returned -14 [ 668.897791][ T7020] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 668.915979][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 [ 668.929672][ T7014] binder: 7013:7014 got reply transaction with no transaction stack [ 668.952091][ T7027] binder: 7024:7027 BC_INCREFS_DONE u0000000000000000 no match [ 668.972077][ T7020] reason=80000021 qualification=0000000000000000 17:33:39 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) [ 668.982153][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 668.998751][ T7020] IDTVectoring: info=00000000 errcode=00000000 [ 668.999055][ T7014] binder: 7013:7014 BC_INCREFS_DONE u0000000000000000 no match [ 669.017556][ T7020] TSC Offset = 0xfffffe97ea2efd93 17:33:39 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 669.037938][ T7020] EPT pointer = 0x0000000059de601e 17:33:39 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f00, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:39 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x68) [ 669.110664][ T7035] binder: 7033:7035 ioctl c018620b 0 returned -14 [ 669.147409][ T7032] binder: 7028:7032 got transaction with invalid offset (0, min 0 max 0) or object. [ 669.198885][ T7040] binder: BINDER_SET_CONTEXT_MGR already set [ 669.209156][ T7042] binder: 7039:7042 ioctl c018620b 0 returned -14 [ 669.223385][ T7040] binder: 7034:7040 ioctl 40046207 0 returned -16 [ 669.253398][ T7040] binder: 7034:7040 got transaction with invalid offset (0, min 0 max 0) or object. [ 669.355062][ T7045] *** Guest State *** [ 669.359310][ T7045] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 669.377223][ T7045] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 669.391146][ T7045] CR3 = 0x0000000000000000 [ 669.399453][ T7045] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 669.411553][ T7045] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 669.425575][ T7045] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 669.433038][ T7045] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.447114][ T7045] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.457020][ T7045] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 669.466995][ T7045] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.477453][ T7045] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.490811][ T7045] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.502909][ T7045] GDTR: limit=0x00000000, base=0x0000000000000000 [ 669.515495][ T7045] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.526588][ T7045] IDTR: limit=0x00000000, base=0x0000000000000000 [ 669.535968][ T7045] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 669.544983][ T7045] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 669.554170][ T7045] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 669.563024][ T7045] Interruptibility = 00000000 ActivityState = 00000000 [ 669.570466][ T7045] *** Host State *** [ 669.574641][ T7045] RIP = 0xffffffff811b40b0 RSP = 0xffff88808ee5f8e0 [ 669.581664][ T7045] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 669.589148][ T7045] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 669.598109][ T7045] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 669.605023][ T7045] CR0=0000000080050033 CR3=00000000a8d1a000 CR4=00000000001426e0 [ 669.613138][ T7045] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 669.620863][ T7045] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 669.628001][ T7045] *** Control State *** [ 669.632429][ T7045] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 669.640428][ T7045] EntryControls=0000d1ff ExitControls=002fefff [ 669.647563][ T7045] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 17:33:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x13, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 669.655521][ T7045] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 669.663393][ T7045] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 669.675586][ T7045] reason=80000021 qualification=0000000000000000 [ 669.697292][ T7045] IDTVectoring: info=00000000 errcode=00000000 [ 669.705686][ T7045] TSC Offset = 0xfffffe9780a8080a [ 669.710942][ T7045] EPT pointer = 0x00000000912d301e 17:33:40 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6c) [ 669.809168][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 17:33:40 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 669.862313][ T7042] binder: 7039:7042 ioctl c018620b 0 returned -14 [ 669.872201][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:33:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 669.908942][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:33:40 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x1000000, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:40 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:40 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') [ 669.949880][ T7057] *** Guest State *** [ 669.954074][ T7057] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 669.983933][ T7057] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 670.024997][ T7057] CR3 = 0x0000000000000000 [ 670.082237][ T7057] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 670.100506][ T7070] binder: 7067:7070 ioctl c018620b 0 returned -14 [ 670.121112][ T7074] binder: 7073:7074 ioctl c018620b 0 returned -14 [ 670.128343][ T7057] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 670.136115][ T7075] binder: 7064:7075 BC_INCREFS_DONE u0000000000000000 no match [ 670.148757][ T7072] binder: 7060:7072 got transaction with invalid offset (0, min 0 max 24) or object. [ 670.159180][ T7076] binder: 7067:7076 BC_INCREFS_DONE u0000000000000000 no match [ 670.160978][ T7057] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 670.177588][ T7072] binder: 7060:7072 BC_INCREFS_DONE u0000000000000000 no match [ 670.179471][ T7057] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.196651][ T7057] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.207382][ T7076] binder: 7067:7076 ioctl c018620b 0 returned -14 [ 670.208041][ T7057] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 670.214231][ T7078] binder: BINDER_SET_CONTEXT_MGR already set [ 670.223787][ T7057] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.239053][ T7057] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.244930][ T7808] binder: release 7067:7076 transaction 3147 out, still active [ 670.248601][ T7057] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.265887][ T7078] binder: 7066:7078 ioctl 40046207 0 returned -16 [ 670.266908][ T7057] GDTR: limit=0x00000000, base=0x0000000000000000 17:33:40 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f000000, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 670.281959][ T7057] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.291507][ T7057] IDTR: limit=0x00000000, base=0x0000000000000000 [ 670.304323][ T7057] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.314069][ T7057] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 670.323821][ T7057] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 670.342475][ T7057] Interruptibility = 00000000 ActivityState = 00000000 [ 670.359064][ T7057] *** Host State *** [ 670.364349][ T7082] binder: 7081:7082 ioctl c018620b 0 returned -14 [ 670.364598][ T7057] RIP = 0xffffffff811b40b0 RSP = 0xffff8880891df8e0 [ 670.379267][ T7057] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 670.387501][ T7057] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 670.398087][ T7057] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 670.405499][ T7057] CR0=0000000080050033 CR3=0000000086086000 CR4=00000000001426f0 [ 670.414499][ T7057] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 670.422380][ T7057] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 670.430230][ T7057] *** Control State *** [ 670.434777][ T7057] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 670.442649][ T7057] EntryControls=0000d1ff ExitControls=002fefff [ 670.449574][ T7057] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 670.457793][ T7057] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 670.465573][ T7057] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 670.473119][ T7057] reason=80000021 qualification=0000000000000000 [ 670.480873][ T7057] IDTVectoring: info=00000000 errcode=00000000 [ 670.487844][ T7057] TSC Offset = 0xfffffe97323051ae 17:33:40 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x74) [ 670.493594][ T7057] EPT pointer = 0x000000005188c01e [ 670.656157][ T7089] *** Guest State *** [ 670.660830][ T7089] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 670.672873][ T7089] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 670.683192][ T7089] CR3 = 0x0000000000002000 [ 670.688290][ T7089] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 670.695960][ T7089] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 670.703669][ T7089] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 670.726255][ T7089] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 670.740899][ T7089] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 670.751910][ T7089] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 670.761813][ T7089] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 670.771144][ T7089] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 670.782272][ T7089] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 670.792270][ T7089] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:33:41 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 670.799480][ T7808] binder_send_failed_reply: 9 callbacks suppressed [ 670.799493][ T7808] binder: send failed reply for transaction 3144 to 7073:7077 [ 670.805276][ T7089] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 670.808751][ T7082] binder: 7081:7082 ioctl c018620b 0 returned -14 [ 670.816262][ T7089] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 670.831234][ T7808] binder: send failed reply for transaction 3147, target dead [ 670.843641][ T7089] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 670.858209][ T7089] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 670.879311][ T7082] binder: 7081:7082 BC_INCREFS_DONE u0000000000000000 no match [ 670.890190][ T7808] binder: send failed reply for transaction 3150 to 7081:7083 17:33:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:41 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 670.914609][ T7089] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 670.949042][ T7089] EFER = 0x0000000000000001 PAT = 0x0007040600070406 17:33:41 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) [ 670.978668][ T7089] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 671.002832][ T7089] Interruptibility = 00000000 ActivityState = 00000000 [ 671.012446][ T7089] *** Host State *** 17:33:41 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x100000000000000, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 671.031981][ T7099] binder: 7098:7099 ioctl c018620b 0 returned -14 [ 671.039563][ T7089] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b85f8e0 [ 671.041749][ T7093] binder: 7091:7093 got transaction with invalid offset (0, min 0 max 24) or object. [ 671.056232][ T7089] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 671.076182][ T7089] FSBase=00007fe957ae9700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 671.098793][ T7089] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 671.108058][ T7104] binder: 7091:7104 BC_INCREFS_DONE u0000000000000000 no match [ 671.116801][ T7105] binder: 7098:7105 ioctl c0306201 0 returned -14 [ 671.129873][ T7089] CR0=0000000080050033 CR3=000000005616c000 CR4=00000000001426f0 [ 671.151333][ T7108] binder: 7107:7108 ioctl c018620b 0 returned -14 [ 671.161268][ T7089] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 671.175950][ T7089] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 671.184301][ T7089] *** Control State *** [ 671.188676][ T7089] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 671.197404][ T7089] EntryControls=0000d1ff ExitControls=002fefff [ 671.203944][ T7089] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 671.212275][ T7089] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 671.219935][ T7089] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 671.227511][ T7089] reason=80000021 qualification=0000000000000000 17:33:41 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x7a) [ 671.234899][ T7110] binder: BINDER_SET_CONTEXT_MGR already set [ 671.241009][ T7089] IDTVectoring: info=00000000 errcode=00000000 [ 671.247202][ T7089] TSC Offset = 0xfffffe96cc4555a2 [ 671.252393][ T7110] binder: 7103:7110 ioctl 40046207 0 returned -16 [ 671.258969][ T7089] EPT pointer = 0x00000000a017b01e [ 671.442523][ T7114] *** Guest State *** [ 671.447091][ T7114] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 671.458492][ T7114] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 671.469372][ T7114] CR3 = 0x0000000000002000 [ 671.474184][ T7114] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 671.481650][ T7114] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 671.489267][ T7114] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 671.496283][ T7114] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 671.503265][ T7114] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 671.522899][ T7114] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 671.543090][ T7114] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 671.552081][ T7114] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 671.561810][ T7114] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 671.570821][ T7114] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 671.579833][ T7114] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 671.588790][ T7114] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 671.598856][ T7114] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 671.607909][ T7114] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 671.616806][ T7114] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 671.625686][ T7114] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 671.632953][ T7114] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 671.641247][ T7114] Interruptibility = 00000000 ActivityState = 00000000 [ 671.648353][ T7114] *** Host State *** [ 671.652285][ T7114] RIP = 0xffffffff811b40b0 RSP = 0xffff888052d878e0 [ 671.659105][ T7114] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 671.666323][ T7114] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 671.675139][ T7114] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 671.681773][ T7114] CR0=0000000080050033 CR3=000000009a383000 CR4=00000000001426f0 [ 671.689710][ T7114] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 671.697459][ T7114] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 671.704521][ T7114] *** Control State *** [ 671.708913][ T7114] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 671.716649][ T7114] EntryControls=0000d1ff ExitControls=002fefff [ 671.723087][ T7114] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 671.732283][ T7114] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 17:33:42 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 671.739872][ T7808] binder: send failed reply for transaction 3156 to 7095:7101 [ 671.739902][ T7808] binder: send failed reply for transaction 3159 to 7098:7105 [ 671.747716][ T7114] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 671.774191][ T7108] binder: 7107:7108 ioctl c018620b 0 returned -14 [ 671.786758][ T7114] reason=80000021 qualification=0000000000000000 17:33:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 671.790735][ T7808] binder: send failed reply for transaction 3162 to 7107:7109 [ 671.799636][ T7109] binder_transaction: 16 callbacks suppressed [ 671.799654][ T7109] binder: 7107:7109 transaction failed 29189/-22, size 24-8 line 2994 17:33:42 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 671.837346][ T7114] IDTVectoring: info=00000000 errcode=00000000 [ 671.861907][ T7114] TSC Offset = 0xfffffe9662850c4d [ 671.884078][ T7114] EPT pointer = 0x00000000a9a1d01e 17:33:42 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) 17:33:42 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f00000000000000, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 671.953553][ T7124] binder: 7117:7124 got transaction with invalid offset (0, min 0 max 24) or object. [ 671.979529][ T7124] binder: 7117:7124 transaction failed 29201/-22, size 24-8 line 3241 [ 671.981720][ T7125] binder: 7123:7125 ioctl c018620b 0 returned -14 17:33:42 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x300) [ 672.094948][ T7134] binder: 7133:7134 ioctl c018620b 0 returned -14 [ 672.136720][ T7137] binder: 7123:7137 ioctl c0306201 0 returned -14 [ 672.149207][ T7139] binder: BINDER_SET_CONTEXT_MGR already set [ 672.155287][ T7139] binder: 7130:7139 ioctl 40046207 0 returned -16 [ 672.228859][ T7138] *** Guest State *** [ 672.233295][ T7138] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 672.243708][ T7138] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 672.253835][ T7138] CR3 = 0x0000000000000000 [ 672.258695][ T7138] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 672.266935][ T7138] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 672.289293][ T7138] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 672.309387][ T7138] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.319922][ T7138] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.329227][ T7138] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 672.338407][ T7138] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.347933][ T7138] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.356880][ T7138] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.365953][ T7138] GDTR: limit=0x00000000, base=0x0000000000000000 [ 672.374866][ T7138] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.383760][ T7138] IDTR: limit=0x00000000, base=0x0000000000000000 [ 672.393647][ T7138] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 672.402698][ T7138] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 672.409960][ T7138] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 672.418717][ T7138] Interruptibility = 00000000 ActivityState = 00000000 [ 672.426193][ T7138] *** Host State *** [ 672.430586][ T7138] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b13f8e0 [ 672.437518][ T7138] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 672.445224][ T7138] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 672.454310][ T7138] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 672.461462][ T7138] CR0=0000000080050033 CR3=0000000050703000 CR4=00000000001426f0 [ 672.469436][ T7138] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 672.477423][ T7138] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 672.484723][ T7138] *** Control State *** [ 672.489009][ T7138] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 672.496956][ T7138] EntryControls=0000d1ff ExitControls=002fefff [ 672.504092][ T7138] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 672.512321][ T7138] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 672.519842][ T7138] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 672.528844][ T7138] reason=80000021 qualification=0000000000000000 17:33:42 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x500) [ 672.536384][ T7138] IDTVectoring: info=00000000 errcode=00000000 [ 672.542980][ T7138] TSC Offset = 0xfffffe95f995ad64 [ 672.548138][ T7138] EPT pointer = 0x00000000921a701e 17:33:42 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 672.665522][ T7808] binder: send failed reply for transaction 3168 to 7121:7126 [ 672.675932][ T7808] binder: send failed reply for transaction 3171 to 7123:7137 [ 672.694212][ T7140] binder: 7133:7140 ioctl c018620b 0 returned -14 [ 672.703181][ T7134] binder: 7133:7134 transaction failed 29189/-22, size 24-8 line 2994 17:33:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x10, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 672.705432][ T7808] binder: send failed reply for transaction 3174 to 7133:7140 17:33:43 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) r1 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0xff, 0x800) getsockopt$inet6_tcp_int(r1, 0x6, 0x2f, &(0x7f0000000040), &(0x7f0000000080)=0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 672.783922][ T7149] *** Guest State *** [ 672.788167][ T7149] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 17:33:43 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 672.872178][ T7158] binder: 7152:7158 transaction failed 29189/-22, size 24-8 line 2994 [ 672.874173][ T7149] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 672.889930][ T7159] binder: 7156:7159 ioctl c018620b 0 returned -14 17:33:43 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) [ 672.918173][ T7162] binder: 7160:7162 ioctl c018620b 0 returned -14 [ 672.971753][ T7149] CR3 = 0x0000000000002000 [ 672.985988][ T7149] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 672.994520][ T7167] binder: 7160:7167 ioctl c0306201 0 returned -14 [ 673.002969][ T7149] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 673.010915][ T7149] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 673.025353][ T7149] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 673.034639][ T7149] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 673.051484][ T7149] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 673.063011][ T7149] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.081796][ T7149] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.092979][ T7149] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.108678][ T7149] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.121375][ T7149] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.133277][ T7149] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 673.145774][ T7149] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 673.161334][ T7149] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 673.171494][ T7149] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 673.186055][ T7149] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 673.194483][ T7149] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 673.207062][ T7149] Interruptibility = 00000000 ActivityState = 00000000 [ 673.214454][ T7149] *** Host State *** [ 673.219292][ T7149] RIP = 0xffffffff811b40b0 RSP = 0xffff88804f7478e0 [ 673.226267][ T7149] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 673.237227][ T7149] FSBase=00007fe957ae9700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 673.246121][ T7149] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 673.253495][ T7149] CR0=0000000080050033 CR3=0000000096bdf000 CR4=00000000001426e0 [ 673.261998][ T7149] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 673.270212][ T7149] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 673.277768][ T7149] *** Control State *** [ 673.282166][ T7149] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 673.290297][ T7149] EntryControls=0000d1ff ExitControls=002fefff [ 673.296634][ T7149] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 673.304877][ T7149] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 673.312754][ T7149] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 673.321711][ T7149] reason=80000021 qualification=0000000000000000 [ 673.329228][ T7149] IDTVectoring: info=00000000 errcode=00000000 17:33:43 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x600) [ 673.335651][ T7149] TSC Offset = 0xfffffe95b184149b [ 673.341188][ T7149] EPT pointer = 0x000000008f63901e [ 673.519572][ T7171] *** Guest State *** [ 673.523897][ T7171] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 673.534432][ T7171] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 673.544576][ T7171] CR3 = 0x0000000000002000 [ 673.549246][ T7171] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 673.556935][ T7171] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 673.580419][ T7171] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 673.587971][ T2986] binder: release 7151:7161 transaction 3180 out, still active [ 673.596199][ T7171] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 673.603392][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 673.611167][ T7171] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 673.620676][ T7171] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 17:33:43 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 673.640456][ T7171] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.640642][ T2986] binder: send failed reply for transaction 3180, target dead [ 673.671133][ T2986] binder: send failed reply for transaction 3181 to 7156:7164 [ 673.678797][ T2986] binder: send failed reply for transaction 3184 to 7160:7167 17:33:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x10, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 673.688629][ T7173] binder: 7156:7173 ioctl c018620b 0 returned -14 [ 673.704819][ T7171] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.707961][ T7173] binder: 7156:7173 transaction failed 29189/-22, size 24-8 line 2994 [ 673.731668][ T2986] binder_release_work: 10 callbacks suppressed 17:33:44 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 673.731678][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 673.753062][ T7171] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.778473][ T7164] binder_thread_write: 4 callbacks suppressed [ 673.778491][ T7164] binder: 7156:7164 BC_INCREFS_DONE u0000000000000000 no match [ 673.787488][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 673.811340][ T7180] binder: 7177:7180 transaction failed 29189/-22, size 24-8 line 2994 [ 673.825824][ T7171] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:33:44 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) r1 = accept(0xffffffffffffff9c, &(0x7f0000000000)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000080)=0x80) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, &(0x7f0000000100)={0x0, 0xa876}, &(0x7f00000001c0)=0x8) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f0000000480)={r2, @in={{0x2, 0x4e22, @rand_addr=0x63d}}, 0x1, 0x2}, 0x90) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:44 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) [ 673.842977][ T7180] binder: 7177:7180 BC_INCREFS_DONE u0000000000000000 no match [ 673.869989][ T7171] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 673.875332][ T7185] binder: 7176:7185 BC_INCREFS_DONE u0000000000000000 no match [ 673.899729][ T7184] binder: 7183:7184 ioctl c018620b 0 returned -14 [ 673.911454][ T7171] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 673.943186][ T7171] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 673.958812][ T7189] binder: 7188:7189 ioctl c018620b 0 returned -14 [ 673.997681][ T7171] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 674.028145][ T7171] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:44 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) [ 674.044081][ T7171] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 674.072076][ T7171] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 674.081097][ T7171] Interruptibility = 00000000 ActivityState = 00000000 [ 674.102508][ T7171] *** Host State *** [ 674.111734][ T7171] RIP = 0xffffffff811b40b0 RSP = 0xffff8880537978e0 [ 674.125446][ T7171] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 674.132774][ T7171] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 674.142287][ T7171] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 674.149468][ T7171] CR0=0000000080050033 CR3=0000000053771000 CR4=00000000001426f0 [ 674.157744][ T7171] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 674.165919][ T7171] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 17:33:44 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) [ 674.172795][ T7171] *** Control State *** [ 674.177625][ T7171] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 674.185850][ T7171] EntryControls=0000d1ff ExitControls=002fefff [ 674.192052][ T7171] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 674.204603][ T7171] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 674.220184][ T7171] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 674.227974][ T7171] reason=80000021 qualification=0000000000000000 [ 674.246276][ T7171] IDTVectoring: info=00000000 errcode=00000000 [ 674.252728][ T7171] TSC Offset = 0xfffffe95464f82c9 [ 674.258486][ T7171] EPT pointer = 0x000000009569d01e 17:33:44 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x620) 17:33:44 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 674.457507][ T7203] *** Guest State *** [ 674.462058][ T7203] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 674.473501][ T7203] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 674.483970][ T7203] CR3 = 0x0000000000002000 [ 674.489283][ T7203] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 674.496992][ T7203] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 17:33:44 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 674.505412][ T7203] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 674.522326][ T7203] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 674.546076][ T7203] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 17:33:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x10, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 674.573040][ T2986] binder: release 7176:7185 transaction 3190 out, still active [ 674.575396][ T7203] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 674.587582][ T2986] binder: undelivered TRANSACTION_COMPLETE 17:33:44 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:44 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 674.638957][ T7808] binder: send failed reply for transaction 3190, target dead [ 674.648016][ T7203] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 674.683241][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 674.706772][ T7203] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:33:45 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 674.742562][ T7203] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 674.752231][ T7220] binder: 7212:7220 transaction failed 29189/-22, size 24-8 line 2994 [ 674.752562][ T7193] binder: 7188:7193 ioctl c018620b 0 returned -14 [ 674.813704][ T7203] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 674.816979][ T7193] binder: 7188:7193 transaction failed 29189/-22, size 24-8 line 2994 [ 674.828091][ T7221] binder: 7212:7221 BC_INCREFS_DONE u0000000000000000 no match [ 674.848903][ T7225] binder: 7223:7225 ioctl c018620b 0 returned -14 17:33:45 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) [ 674.852812][ T7203] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 674.857391][ T7224] binder: 7188:7224 BC_INCREFS_DONE u0000000000000000 no match [ 674.875276][ T7226] binder: 7217:7226 BC_INCREFS_DONE u0000000000000000 no match [ 674.884906][ T7203] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 674.887100][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 674.916713][ T7203] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 674.938185][ T7203] IDTR: limit=0x000001ff, base=0x0000000000003800 17:33:45 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000280)='/dev/audio\x00', 0x10000, 0x0) ioctl$TCGETA(r0, 0x5405, &(0x7f00000002c0)) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0xfd2b, 0x0, &(0x7f0000000380)=[@transaction_sg={0x40486311, {{0x1, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)=[@fda={0x66646185, 0x0, 0x4, 0x22}, @ptr={0x70742a85, 0x0, &(0x7f0000000000), 0x0, 0x3, 0x9}], &(0x7f0000000100)=[0x0, 0x58, 0x30, 0x20]}, 0x3}}], 0x18f, 0x0, 0x0}) [ 674.970540][ T7203] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 675.000686][ T7203] EFER = 0x0000000000000001 PAT = 0x0007040600070406 17:33:45 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) r1 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) [ 675.013585][ T7203] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 675.048697][ T7234] binder: 7232:7234 ioctl c018620b 0 returned -14 [ 675.058042][ T7203] Interruptibility = 00000000 ActivityState = 00000000 [ 675.072063][ T7203] *** Host State *** [ 675.077227][ T7203] RIP = 0xffffffff811b40b0 RSP = 0xffff888052e1f8e0 [ 675.084917][ T7203] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 675.093958][ T7203] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 675.103110][ T7203] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 675.110090][ T7203] CR0=0000000080050033 CR3=00000000535c9000 CR4=00000000001426e0 [ 675.118400][ T7203] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 675.127523][ T7237] binder: 7232:7237 got transaction to invalid handle [ 675.135645][ T7203] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 17:33:45 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) [ 675.142541][ T7237] binder: 7232:7237 transaction failed 29201/-22, size 0-0 line 2994 [ 675.150798][ T7203] *** Control State *** [ 675.155209][ T7203] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 675.163128][ T7237] binder: 7232:7237 ioctl c0306201 200001c0 returned -14 [ 675.170417][ T7203] EntryControls=0000d1ff ExitControls=002fefff [ 675.177873][ T7203] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 675.185759][ T7203] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 675.193647][ T7203] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 675.201140][ T7203] reason=80000021 qualification=0000000000000000 [ 675.209583][ T7203] IDTVectoring: info=00000000 errcode=00000000 [ 675.216335][ T7203] TSC Offset = 0xfffffe94c5d039fc [ 675.222995][ T7203] EPT pointer = 0x000000009726201e 17:33:45 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:45 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x700) 17:33:45 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:45 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 675.544707][ T7808] binder: release 7217:7226 transaction 3200 out, still active [ 675.556489][ T7251] *** Guest State *** [ 675.560784][ T7251] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 675.581779][ T7808] binder: undelivered TRANSACTION_COMPLETE 17:33:45 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 675.607219][ T7251] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 675.627627][ T2986] binder: send failed reply for transaction 3200, target dead [ 675.635931][ T7258] binder: 7252:7258 BC_INCREFS_DONE u0000000000000000 no match [ 675.639524][ T7251] CR3 = 0x0000000000002000 17:33:45 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 675.674128][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:33:46 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 675.714506][ T7251] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 675.739883][ T7251] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 675.792891][ T7251] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 675.821311][ T7251] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 675.838957][ T7266] binder: 7265:7266 ioctl c018620b 0 returned -14 [ 675.840164][ T7251] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 675.854941][ T7269] binder: 7232:7269 ioctl c018620b 0 returned -14 [ 675.864374][ T7269] binder: 7232:7269 transaction failed 29189/-22, size 24-8 line 2994 [ 675.873819][ T7237] binder: 7232:7237 got transaction to invalid handle [ 675.881326][ T7251] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 675.893719][ T7264] binder: 7260:7264 BC_INCREFS_DONE u0000000000000000 no match [ 675.900551][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 [ 675.910122][ T7237] binder: 7232:7237 ioctl c0306201 200001c0 returned -14 [ 675.917529][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 675.929756][ T7251] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:33:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:46 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$VIDIOC_SUBDEV_G_CROP(r0, 0xc038563b, &(0x7f0000000000)={0x1, 0x0, {0x8f96, 0xfd, 0x7fffffff, 0x100000000}}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 675.932842][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 [ 675.954262][ T7251] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 676.010244][ T7251] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 676.030291][ T7251] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 676.047903][ T7276] binder: 7274:7276 ioctl c018620b 0 returned -14 17:33:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 676.048055][ T7251] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 676.063878][ T7251] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 676.073650][ T7251] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 676.083687][ T7251] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 676.092769][ T7251] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 676.103455][ T7251] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 676.118597][ T7251] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 676.127629][ T7251] Interruptibility = 00000000 ActivityState = 00000000 [ 676.136231][ T7251] *** Host State *** [ 676.140375][ T7251] RIP = 0xffffffff811b40b0 RSP = 0xffff8880537978e0 [ 676.152658][ T7251] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 676.174407][ T7251] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 676.183934][ T7251] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 676.201697][ T7251] CR0=0000000080050033 CR3=00000000a5b6d000 CR4=00000000001426e0 17:33:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 676.213429][ T7251] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 676.233310][ T7251] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 676.246861][ T7251] *** Control State *** [ 676.256008][ T7251] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca 17:33:46 executing program 3: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 676.278847][ T7251] EntryControls=0000d1ff ExitControls=002fefff [ 676.295223][ T7251] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 676.311423][ T7251] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 676.333126][ T7251] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 676.343632][ T7251] reason=80000021 qualification=0000000000000000 [ 676.350865][ T7251] IDTVectoring: info=00000000 errcode=00000000 [ 676.374212][ T7251] TSC Offset = 0xfffffe943051b6cf [ 676.379296][ T7251] EPT pointer = 0x00000000a44c101e 17:33:46 executing program 3: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:46 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x1100) 17:33:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:46 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 676.512507][ T7808] binder: release 7260:7264 transaction 3211 out, still active [ 676.533921][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 676.560005][ T7808] binder: send failed reply for transaction 3211, target dead [ 676.578447][ T7296] binder: 7290:7296 BC_INCREFS_DONE u0000000000000000 no match 17:33:46 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) [ 676.612589][ T7808] binder_send_failed_reply: 4 callbacks suppressed [ 676.612599][ T7808] binder: send failed reply for transaction 3212 to 7265:7271 [ 676.642542][ T7808] binder: send failed reply for transaction 3215 to 7274:7279 17:33:46 executing program 3: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 676.682394][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 676.765270][ T7306] binder: 7304:7306 ioctl c018620b 0 returned -14 [ 676.782652][ T7307] binder: 7299:7307 BC_INCREFS_DONE u0000000000000000 no match 17:33:47 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x2000) [ 676.836595][ T7279] binder: 7274:7279 ioctl c018620b 0 returned -14 [ 676.863668][ T7808] binder: release 7274:7279 transaction 3223 out, still active 17:33:47 executing program 3: perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:47 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x8, 0x0, &(0x7f0000000000), 0x141, 0x0, 0x0}) [ 676.887879][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:47 executing program 3: perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 677.010007][ T7321] binder: 7320:7321 ioctl c018620b 0 returned -14 17:33:47 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x2006) [ 677.071161][ T7323] binder: 7320:7323 unknown command 0 [ 677.081406][ T7323] binder: 7320:7323 ioctl c0306201 200002c0 returned -22 17:33:47 executing program 3: perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) 17:33:47 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 677.281091][ T7333] *** Guest State *** [ 677.288325][ T7333] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 677.311039][ T7333] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 17:33:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 677.340871][ T7333] CR3 = 0x0000000000000000 [ 677.365587][ T7333] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 677.380091][ T7333] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 677.392104][ T7333] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 17:33:47 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 677.420840][ T7333] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 677.431600][ T7333] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 677.457238][ T2986] binder: release 7299:7307 transaction 3219 out, still active [ 677.466092][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 677.472639][ T7333] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 677.499287][ T7333] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:47 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 677.517279][ T2986] binder: send failed reply for transaction 3219, target dead [ 677.527281][ T2986] binder: send failed reply for transaction 3220 to 7304:7310 [ 677.540684][ T7333] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 677.553264][ T2986] binder: send failed reply for transaction 3223, target dead 17:33:47 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 17:33:47 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 677.577312][ T7333] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 677.588991][ T2986] binder: send failed reply for transaction 3226 to 7320:7323 [ 677.616229][ T7333] GDTR: limit=0x00000000, base=0x0000000000000000 [ 677.634043][ T7333] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 677.643269][ T7333] IDTR: limit=0x00000000, base=0x0000000000000000 [ 677.678531][ T7333] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 677.698745][ T7333] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 677.709981][ T7333] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 677.723937][ T7333] Interruptibility = 00000000 ActivityState = 00000000 [ 677.737434][ T7333] *** Host State *** [ 677.741566][ T7333] RIP = 0xffffffff811b40b0 RSP = 0xffff88804b13f8e0 [ 677.753788][ T7333] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 677.766298][ T7333] FSBase=00007fe957ae9700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 677.782640][ T7333] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 677.791073][ T7333] CR0=0000000080050033 CR3=00000000a8494000 CR4=00000000001426e0 [ 677.803518][ T7323] binder: 7320:7323 ioctl c018620b 0 returned -14 [ 677.806125][ T7333] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 677.818682][ T7349] binder_transaction: 1 callbacks suppressed [ 677.818705][ T7349] binder: 7320:7349 transaction failed 29189/-22, size 24-8 line 2994 [ 677.839650][ T7323] binder: 7320:7323 unknown command 0 [ 677.867477][ T7353] binder: 7351:7353 ioctl c018620b 0 returned -14 [ 677.867966][ T7323] binder: 7320:7323 ioctl c0306201 200002c0 returned -22 [ 677.881519][ T7333] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 17:33:48 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 677.907147][ T7333] *** Control State *** [ 677.911365][ T7333] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 677.923458][ T7333] EntryControls=0000d1ff ExitControls=002fefff [ 677.930285][ T7333] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 677.947877][ T7358] binder: 7351:7358 transaction failed 29189/-22, size 24-8 line 2994 [ 677.965196][ T7333] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 677.972959][ T7333] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 677.986548][ T7333] reason=80000021 qualification=0000000000000000 [ 677.994248][ T7333] IDTVectoring: info=00000000 errcode=00000000 [ 678.010214][ T7333] TSC Offset = 0xfffffe934173e806 17:33:48 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="cd45000000000000"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x101000, 0x0) bind$rds(r1, &(0x7f0000000080)={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x16}}, 0x10) r2 = getpid() sched_setattr(r2, &(0x7f0000000000)={0x30, 0x2, 0x0, 0x7, 0x7, 0x0, 0x800, 0xa7d9}, 0x0) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cachefiles\x00', 0x1, 0x0) write$FUSE_INIT(r1, &(0x7f0000000380)={0x50, 0x0, 0x4, {0x7, 0x1d, 0xfffffffffffffe01, 0x1000, 0x3000000000000000, 0x100, 0x7f, 0x5d}}, 0x50) [ 678.015295][ T7333] EPT pointer = 0x0000000087b6701e 17:33:48 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x3f00) 17:33:48 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 678.135669][ T7364] binder: 7363:7364 ioctl c018620b 0 returned -14 17:33:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 678.225168][ T7372] binder: 7363:7372 BC_INCREFS_DONE u0000000000000000 node 3234 cookie mismatch 0000000000000000 != 00000000000045cd [ 678.259909][ T7369] *** Guest State *** 17:33:48 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 678.266533][ T7369] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 678.298060][ T7369] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 678.321721][ T7369] CR3 = 0x0000000000000000 [ 678.328517][ T7379] binder: 7375:7379 ioctl c0306201 0 returned -14 17:33:48 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 678.355633][ T7369] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 678.367704][ T7369] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 678.380207][ T7369] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 678.388064][ T7369] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 678.397721][ T7369] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 678.406991][ T7369] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 678.427603][ T7369] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 678.437504][ T7369] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:48 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 678.460651][ T7369] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 678.469961][ T7369] GDTR: limit=0x00000000, base=0x0000000000000000 [ 678.480813][ T7369] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 678.493917][ T7369] IDTR: limit=0x00000000, base=0x0000000000000000 [ 678.515329][ T7369] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 678.526185][ T7369] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 678.534010][ T7369] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 678.542733][ T7369] Interruptibility = 00000000 ActivityState = 00000000 [ 678.550132][ T7369] *** Host State *** [ 678.554735][ T7369] RIP = 0xffffffff811b40b0 RSP = 0xffff8880554478e0 17:33:48 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r0, 0x0) [ 678.562575][ T7369] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 678.571544][ T7369] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 678.580718][ T7369] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 678.589412][ T7369] CR0=0000000080050033 CR3=0000000096358000 CR4=00000000001426f0 [ 678.597687][ T7369] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 678.605646][ T7369] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 678.612930][ T7369] *** Control State *** [ 678.617437][ T7369] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 678.625309][ T7369] EntryControls=0000d1ff ExitControls=002fefff [ 678.637732][ T7369] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 678.647674][ T7369] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 678.659862][ T7369] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 678.698538][ T7808] binder: release 7354:7357 transaction 3232 out, still active [ 678.699808][ T7369] reason=80000021 qualification=0000000000000000 [ 678.716146][ T7369] IDTVectoring: info=00000000 errcode=00000000 [ 678.724726][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 678.740567][ T7369] TSC Offset = 0xfffffe92be1dde28 [ 678.753406][ T7369] EPT pointer = 0x00000000a136701e 17:33:49 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r0, 0x0) 17:33:49 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 17:33:49 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 678.776422][ T7808] binder: send failed reply for transaction 3232, target dead [ 678.814625][ T7808] binder: send failed reply for transaction 3233 to 7363:7372 [ 678.822573][ T7394] binder: 7393:7394 ioctl c018620b 0 returned -14 17:33:49 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r0, 0x0) [ 678.869904][ T7398] binder: 7393:7398 transaction failed 29189/-22, size 24-8 line 2994 [ 678.938039][ T7404] binder: 7363:7404 ioctl c018620b 0 returned -14 [ 678.945017][ T7404] binder: 7363:7404 transaction failed 29189/-22, size 24-8 line 2994 [ 678.953471][ T7372] binder_thread_write: 4 callbacks suppressed [ 678.953484][ T7372] binder: 7363:7372 BC_INCREFS_DONE u0000000000000000 no match 17:33:49 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_SET_DEST(r1, &(0x7f00000003c0)={&(0x7f0000000100), 0xc, &(0x7f0000000380)={&(0x7f0000000ac0)={0x138, r2, 0x8, 0x20000000070bd29, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_DAEMON={0x4}, @IPVS_CMD_ATTR_DAEMON={0x58, 0x3, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'syz_tun\x00'}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'veth1\x00'}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'caif0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e20}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x5}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @local}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x10000}, @IPVS_CMD_ATTR_SERVICE={0x24, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x2, 0x2}}, @IPVS_SVC_ATTR_AF={0x8}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x0, 0x2a}}]}, @IPVS_CMD_ATTR_DAEMON={0x5c, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @remote}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x101}, @IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'gretap0\x00'}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x4}, @IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'lapb0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x40, 0x2, [@IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@empty}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfffffffeffffffff}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x100000000}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x200000000000}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x6}]}]}, 0x138}, 0x1, 0x0, 0x0, 0x20000000}, 0x5) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$ipvs(&(0x7f0000000000)='IPVS\x00') 17:33:49 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4800) 17:33:49 executing program 1: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 678.994981][ T2986] binder_release_work: 2 callbacks suppressed [ 678.994990][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 679.024288][ T7406] binder: 7397:7406 BC_INCREFS_DONE node 3240 has no pending increfs request 17:33:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:49 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 679.077614][ T7412] binder: 7408:7412 ioctl c018620b 0 returned -14 [ 679.109093][ T7415] binder: 7413:7415 ioctl c018620b 0 returned -14 17:33:49 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 679.168758][ T7421] binder: 7413:7421 transaction failed 29189/-22, size 24-8 line 2994 [ 679.225751][ T7421] binder: 7413:7421 BC_INCREFS_DONE u0000000000000000 no match [ 679.261325][ T7429] binder: 7423:7429 ioctl c0306201 0 returned -14 17:33:49 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 679.294186][ T7429] binder: 7423:7429 BC_INCREFS_DONE u0000000000000000 no match 17:33:49 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4c00) 17:33:49 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 679.529551][ T7440] *** Guest State *** [ 679.534377][ T7440] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 679.549581][ T7440] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 679.560039][ T7440] CR3 = 0x0000000000000000 [ 679.564779][ T7440] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 679.571880][ T7440] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 679.578769][ T7440] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 679.592292][ T7442] binder: BINDER_SET_CONTEXT_MGR already set [ 679.599919][ T7440] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 679.604418][ T7442] binder: 7437:7442 ioctl 40046207 0 returned -16 [ 679.620898][ T7440] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 679.631590][ T7440] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 679.640635][ T7440] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 679.646309][ T7442] binder: 7437:7442 BC_INCREFS_DONE u0000000000000000 no match [ 679.649566][ T7440] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 679.666347][ T7440] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 679.675479][ T7440] GDTR: limit=0x00000000, base=0x0000000000000000 [ 679.685211][ T7440] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 679.701789][ T7440] IDTR: limit=0x00000000, base=0x0000000000000000 [ 679.704563][ T7808] binder: release 7397:7406 transaction 3239 out, still active [ 679.710546][ T7440] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:49 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 679.710560][ T7440] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 679.710580][ T7440] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 679.722974][ T7808] binder: unexpected work type, 4, not freed [ 679.741983][ T7440] Interruptibility = 00000000 ActivityState = 00000000 [ 679.754332][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 679.762351][ T7440] *** Host State *** [ 679.768905][ T7440] RIP = 0xffffffff811b40b0 RSP = 0xffff8880547678e0 [ 679.776149][ T7440] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 679.784089][ T7808] binder: send failed reply for transaction 3239, target dead [ 679.814507][ T7440] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 17:33:50 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) [ 679.827043][ T7808] binder: send failed reply for transaction 3242 to 7408:7420 [ 679.864442][ T7440] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 679.871284][ T7808] binder: send failed reply for transaction 3246 to 7437:7442 [ 679.894012][ T7440] CR0=0000000080050033 CR3=000000008f4af000 CR4=00000000001426f0 [ 679.904515][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 679.911438][ T7440] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 679.921819][ T7425] binder: 7413:7425 ioctl c018620b 0 returned -14 [ 679.930833][ T7449] binder: 7444:7449 BC_INCREFS_DONE node 3249 has no pending increfs request [ 679.938783][ T7425] binder: 7413:7425 transaction failed 29189/-22, size 24-8 line 2994 [ 679.948814][ T7440] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 679.957661][ T7440] *** Control State *** [ 679.964584][ T7440] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 679.972007][ T7440] EntryControls=0000d1ff ExitControls=002fefff [ 679.984316][ T7425] binder: 7413:7425 BC_INCREFS_DONE u0000000000000000 no match 17:33:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 680.033551][ T7440] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 680.053561][ T7440] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 17:33:50 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0xfffffffffffffdf9, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) signalfd(r0, &(0x7f0000000000)={0x9}, 0x8) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:50 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f00000000000000, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 680.083805][ T7440] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 680.091264][ T7440] reason=80000021 qualification=0000000000000000 [ 680.134315][ T7440] IDTVectoring: info=00000000 errcode=00000000 [ 680.140566][ T7440] TSC Offset = 0xfffffe920d548c27 [ 680.146198][ T7440] EPT pointer = 0x00000000565b201e [ 680.155188][ T7455] binder: 7452:7455 ioctl c0306201 0 returned -14 17:33:50 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6000) [ 680.185340][ T7455] binder: 7452:7455 BC_INCREFS_DONE u0000000000000000 no match [ 680.196249][ T7458] binder: 7456:7458 ioctl c018620b 0 returned -14 17:33:50 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x101000, 0x0) ioctl$SG_NEXT_CMD_LEN(r1, 0x2283, &(0x7f0000000040)=0x3e) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 680.258603][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 680.264963][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:33:50 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 680.385881][ T7468] binder: 7466:7468 ioctl c018620b 0 returned -14 [ 680.428399][ T7469] *** Guest State *** [ 680.432715][ T7469] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 680.447079][ T7469] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 680.467984][ T7469] CR3 = 0x0000000000000000 [ 680.472649][ T7469] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 680.479708][ T7469] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 680.486960][ T7469] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 680.494580][ T7469] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.503621][ T7469] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.514099][ T7476] binder: BINDER_SET_CONTEXT_MGR already set [ 680.522829][ T7476] binder: 7471:7476 ioctl 40046207 0 returned -16 [ 680.537719][ T7469] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 680.538065][ T7476] binder: 7471:7476 got transaction with invalid offset (0, min 0 max 24) or object. [ 680.546471][ T7469] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.546490][ T7469] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.546506][ T7469] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.546518][ T7469] GDTR: limit=0x00000000, base=0x0000000000000000 [ 680.546536][ T7469] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.546549][ T7469] IDTR: limit=0x00000000, base=0x0000000000000000 [ 680.546565][ T7469] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 680.546576][ T7469] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 680.546587][ T7469] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 680.546598][ T7469] Interruptibility = 00000000 ActivityState = 00000000 [ 680.546604][ T7469] *** Host State *** [ 680.546615][ T7469] RIP = 0xffffffff811b40b0 RSP = 0xffff888057ec78e0 [ 680.546642][ T7469] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 680.546654][ T7469] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 680.546675][ T7469] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 680.558552][ T7476] binder: 7471:7476 transaction failed 29201/-22, size 24-8 line 3241 [ 680.593919][ T7469] CR0=0000000080050033 CR3=0000000059bf1000 CR4=00000000001426e0 [ 680.611938][ T7476] binder: 7471:7476 BC_INCREFS_DONE u0000000000000000 no match [ 680.658744][ T7808] binder: release 7444:7449 transaction 3248 out, still active [ 680.668093][ T7469] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 680.668108][ T7469] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 680.668113][ T7469] *** Control State *** 17:33:50 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 680.668123][ T7469] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 680.668131][ T7469] EntryControls=0000d1ff ExitControls=002fefff [ 680.668145][ T7469] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 680.668164][ T7469] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 680.710286][ T7808] binder: unexpected work type, 4, not freed [ 680.721771][ T7469] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 680.754484][ T7469] reason=80000021 qualification=0000000000000000 [ 680.773725][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 680.789363][ T7469] IDTVectoring: info=00000000 errcode=00000000 [ 680.796665][ T7469] TSC Offset = 0xfffffe919519bbec [ 680.803188][ T7808] binder: send failed reply for transaction 3248, target dead [ 680.810103][ T7469] EPT pointer = 0x000000009144d01e [ 680.824725][ T7808] binder: send failed reply for transaction 3252 to 7456:7462 17:33:51 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f00, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 680.863985][ T7808] binder: send failed reply for transaction 3255 to 7466:7474 [ 680.890875][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:51 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6800) 17:33:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 680.922548][ T7482] binder: 7481:7482 ioctl c018620b 0 returned -14 [ 680.931518][ T7483] binder: 7477:7483 BC_INCREFS_DONE node 3261 has no pending increfs request [ 681.057957][ T7492] binder: 7489:7492 BC_INCREFS_DONE u0000000000000000 no match [ 681.092729][ T7491] *** Guest State *** [ 681.097187][ T7491] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 681.108781][ T7491] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 681.118926][ T7491] CR3 = 0x0000000000000000 [ 681.123898][ T7491] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 681.130775][ T7491] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 681.137695][ T7491] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 681.145968][ T7491] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 681.161301][ T7491] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 681.170521][ T7491] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 681.180912][ T7495] binder: 7466:7495 ioctl c018620b 0 returned -14 [ 681.187754][ T7491] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 681.197072][ T2986] binder: release 7466:7495 transaction 3266 out, still active 17:33:51 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x9330, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x109101, 0x0) openat$cgroup_ro(r1, &(0x7f0000000080)='cpuset.effective_cpus\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB='\rc\x00\x00'], 0x1, 0x0, &(0x7f0000000700)='+'}) r2 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x20000, 0x0) ioctl$KDMKTONE(r2, 0x4b30, 0x3f) ioctl$PPPIOCGMRU(r2, 0x80047453, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 681.207692][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 681.208139][ T7491] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:33:51 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 681.257123][ T7491] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 681.282008][ T7491] GDTR: limit=0x00000000, base=0x0000000000000000 [ 681.282962][ T7498] binder: 7497:7498 ioctl c018620b 0 returned -14 [ 681.295331][ T7491] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 681.348049][ T7491] IDTR: limit=0x00000000, base=0x0000000000000000 [ 681.357309][ T7491] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 681.367823][ T7491] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 681.375747][ T7491] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 681.384212][ T7491] Interruptibility = 00000000 ActivityState = 00000000 [ 681.391522][ T7491] *** Host State *** [ 681.395973][ T7491] RIP = 0xffffffff811b40b0 RSP = 0xffff888057ec78e0 [ 681.402952][ T7491] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 681.410455][ T7491] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 681.419382][ T7491] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 681.426444][ T7491] CR0=0000000080050033 CR3=0000000059bf1000 CR4=00000000001426f0 [ 681.434471][ T7491] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 681.444480][ T7491] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 681.451771][ T7491] *** Control State *** [ 681.456231][ T7491] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 681.463878][ T7491] EntryControls=0000d1ff ExitControls=002fefff [ 681.470423][ T7491] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 681.478439][ T7491] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 681.486232][ T7491] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 681.493744][ T7491] reason=80000021 qualification=0000000000000000 [ 681.502042][ T7491] IDTVectoring: info=00000000 errcode=00000000 [ 681.508597][ T7491] TSC Offset = 0xfffffe9138380069 [ 681.513810][ T7491] EPT pointer = 0x0000000098a0001e [ 681.519493][ T7503] binder: BINDER_SET_CONTEXT_MGR already set 17:33:51 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6c00) [ 681.546069][ T7503] binder: 7500:7503 ioctl 40046207 0 returned -16 [ 681.566663][ T7504] binder: 7500:7504 got transaction with invalid offset (0, min 0 max 0) or object. [ 681.602737][ T7504] binder: 7500:7504 transaction failed 29201/-22, size 0-8 line 3241 [ 681.626850][ T7808] binder: release 7477:7483 transaction 3260 out, still active [ 681.634464][ T7808] binder: unexpected work type, 4, not freed [ 681.668738][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 681.671549][ T7503] binder: 7500:7503 BC_INCREFS_DONE u0000000000000000 no match [ 681.690643][ T7808] binder: send failed reply for transaction 3260, target dead [ 681.697428][ T7508] *** Guest State *** [ 681.703135][ T7508] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 17:33:51 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:33:51 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f00, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 681.710293][ T7808] binder: send failed reply for transaction 3263 to 7481:7488 [ 681.729749][ T7808] binder: send failed reply for transaction 3266, target dead [ 681.754508][ T7508] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 681.770531][ T7808] binder: send failed reply for transaction 3269 to 7497:7502 [ 681.794580][ T7514] binder: 7513:7514 ioctl c018620b 0 returned -14 [ 681.798721][ T7508] CR3 = 0x0000000000002000 [ 681.808526][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 681.839950][ T7508] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 681.871502][ T7508] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 681.879320][ T7517] binder: 7513:7517 transaction failed 29189/-22, size 24-8 line 2994 [ 681.908385][ T7508] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 681.913449][ T7517] binder: 7513:7517 BC_INCREFS_DONE u0000000000000000 no match [ 681.919974][ T7508] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 681.944954][ T7508] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 681.956091][ T7508] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 681.969232][ T7508] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 681.979698][ T7508] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 681.989328][ T7508] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 681.998819][ T7508] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 682.008768][ T7508] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 682.018873][ T7508] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 682.028231][ T7508] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 682.037600][ T7508] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 682.046785][ T7508] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 682.056064][ T7508] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 682.063653][ T7508] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 682.072467][ T7508] Interruptibility = 00000000 ActivityState = 00000000 [ 682.079940][ T7508] *** Host State *** [ 682.084379][ T7508] RIP = 0xffffffff811b40b0 RSP = 0xffff88805495f8e0 [ 682.092425][ T7508] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 682.100023][ T7508] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 682.100257][ T7502] binder: 7497:7502 ioctl c018620b 0 returned -14 [ 682.109555][ T7508] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 682.123103][ T7508] CR0=0000000080050033 CR3=00000000989bc000 CR4=00000000001426f0 [ 682.131459][ T7508] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 682.139197][ T7508] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 682.146468][ T7508] *** Control State *** [ 682.146814][ T2986] binder: release 7497:7524 transaction 3278 out, still active [ 682.151638][ T7508] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 682.171292][ T7508] EntryControls=0000d1ff ExitControls=002fefff [ 682.180279][ T7508] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 682.189911][ T2986] binder: undelivered TRANSACTION_ERROR: 29201 17:33:52 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000480)=ANY=[@ANYBLOB="00000000000000000145b12e1205d9b15570b40d266b7947084aedc333e3dca127b7c69f0e05586eb9ffae377f4990341b458ba5bc004433d947dd7102ca44cb16889ce1ef675c21952e74de0b0865497d2f5836d30800ac0abe0923c6cafd40a7cf2375081c1e43d8c28f2cab4ceca0515a3862af3680647d3f0c9b2a05057cef9ea91e0e404c6e08f1ee5e20d2b1587428817daefdc2c94a586b5875dfda1a346afe27e10d29401f8fc52e83890ba5994b73e8d129342f9fe905d0f92e9d4a6a76"]], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 682.204042][ T7508] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 682.204902][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 682.232240][ T7508] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 682.249021][ T7508] reason=80000021 qualification=0000000000000000 17:33:52 executing program 3: perf_event_open(&(0x7f0000000580)={0x2, 0x70, 0x5c63, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = creat(&(0x7f0000000040)='./bus\x00', 0x0) fsetxattr(r0, &(0x7f00000001c0)=@known='user.syz\x00', 0x0, 0x0, 0x0) [ 682.259624][ T7508] IDTVectoring: info=00000000 errcode=00000000 [ 682.282374][ T7528] binder: 7527:7528 ioctl c018620b 0 returned -14 [ 682.289384][ T7508] TSC Offset = 0xfffffe90e3b5d857 [ 682.296144][ T7508] EPT pointer = 0x0000000053c0e01e 17:33:52 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x7400) 17:33:52 executing program 3: mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) bind$bt_sco(0xffffffffffffffff, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x3) [ 682.475421][ T7537] *** Guest State *** [ 682.483224][ T7537] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 682.505451][ T7537] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 682.545631][ T7537] CR3 = 0x0000000000002000 [ 682.555265][ T7537] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 682.569443][ T7537] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 682.594700][ T7537] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 682.601753][ T7537] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 682.620993][ T7537] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 682.630382][ T7808] binder: release 7515:7521 transaction 3275 out, still active 17:33:52 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x3f00, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 682.638699][ T7537] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 682.655419][ T7537] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 682.682787][ T2986] binder: send failed reply for transaction 3275, target dead 17:33:52 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 682.690531][ T7537] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 682.700389][ T2986] binder: send failed reply for transaction 3278, target dead [ 682.722333][ T7537] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 682.731782][ T2986] binder: send failed reply for transaction 3281 to 7527:7531 [ 682.758068][ T7537] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 682.775233][ T7547] binder: 7543:7547 ioctl c018620b 0 returned -14 [ 682.778826][ T7537] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:33:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 682.801070][ T7537] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 682.820128][ T7537] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 682.842707][ T7537] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 682.870096][ T7547] binder: 7543:7547 transaction failed 29189/-22, size 24-8 line 2994 [ 682.883225][ T7537] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 682.903007][ T7537] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 682.918663][ T7537] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 682.933831][ T7537] Interruptibility = 00000000 ActivityState = 00000000 [ 682.947873][ T7537] *** Host State *** [ 682.956602][ T7537] RIP = 0xffffffff811b40b0 RSP = 0xffff88805970f8e0 17:33:53 executing program 1: socketpair$unix(0x1, 0x800000000003, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_rx_ring(r1, 0x107, 0x5, &(0x7f0000000000)=@req3={0x6000000, 0x3, 0x6000000, 0x3}, 0x1c) [ 682.970486][ T7537] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 682.986447][ T7537] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 683.004817][ T7537] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 683.021723][ T7537] CR0=0000000080050033 CR3=00000000555f1000 CR4=00000000001426f0 [ 683.056158][ T7537] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 683.085290][ T7558] binder: 7527:7558 ioctl c018620b 0 returned -14 [ 683.089940][ T7537] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 683.098219][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 683.107752][ T7808] binder: release 7527:7558 transaction 3289 out, still active 17:33:53 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="000000009702a68a27ab9530dc508f88088f393a8f53a4e0d02f9373706c06fee6d29c9af711e98efc76d1d067d7bd64064c766874a0a6e3e95fd6fce3b9f9bad26ef174a74fc1b8a73ce0317a1b4bd250ff78ae8629c2421e5481dac6a04bbd392042b8961def17b6e156748bff930fd0528fe40c0e93693db225cce7d01a2950e921950d28c0cff8a9e5862eae6f4f4cc2552bb59920cab0000247ee6ca79067fd08be990e0c23b9025adb4c56da64dc158e28da6cd3c48c7cd405289cc2f26a81edd50b6a2ba97e38cdd3cc84085e7fec19f656df89d83d9e999bf612852f0300000005516014af6c64aa78567e1a6e6f6eeea2b032968e7d268674368331bda1d06c70ed1b99132cbcab1f0f24b2f330cc4ddf8020c13fea65fb68df7ee38da2602c51ed473201c664718bd276d8dd2ad263c0b8d26ef862e17b30b1bd57cab837862397d0ca7152ed7ee479350808362108a1128f8fde15d347762f89e64b94e7f2f025d7c4e6b85d090bbcc95c7602a3730738fe8c80f02773104906ff94037b5b44392ef7b5182867f23f5e6d93dd44adb3b97566653e3e12bb348243f42c3a0a018da0a6c7e3"], 0x1, 0x0, &(0x7f0000000700)='+'}) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x200000, 0x0) vmsplice(r0, &(0x7f00000002c0)=[{&(0x7f0000000740)="39a2cd1d15241163d51e53713dbf8017074d2bf24a626d3f38fa19f05660c3f1c521f3f75d4451ca1f26db6016303f7aa9d482fda354008a3a0801bb243dc06f48aa5ddda6649832aded22533a615bf14e81462dd3398eb3c96f343f55df705b5ae6576e1c335dc5d61f2463910d0a46c4e22a9cbc124f7bc94cbe3690c6bb2cded6e44f780730d9164126978a89e2fdc1535e4bafd196a4f0372d11df5bd7937a02c17767a8f3c6f173496fef295dd3bd9c572220218d18e84208f2ec85c3b2ebaa91fb83226ab24831a2d2b5b4814aec3d1bb67e106c95ded673fc8c1f4182146fdea32fcea1506d52ffbff517b219db36961781d61f8a9d9249661a0cc1e6ad3ae3dd4854708234ed9ded331bbbce43696617ef1f2962c3eacdc0d6e738d605aafe5d88d9e094c5ac319d221402935d350e0f9071700d763f36ff120a600bc88855a2bee23e66c5bb4984720be7a1582ccfd70a0f4aedbb825b78f38b3973ead6afbdf93e9849e23292371e756b8731982d04adf179ec9d90ab2df6768602773ffe756e0d11c82ae0902bc86b9af61eb57edcdb2b289d6afe0d8b7ca907fd6c30c2918eec32920ccfb5119e81bb03e56749f4792d0d6452c4e9214d19fcc194766ec61b8203094999005fbda5bc4ad5837b5b6cd510e996c167abdbecd68aebfeccaa9593e4b30c0e5f5a48210634733947a38ae72cab5c291b5c36f8bb25201434229771fe929ae79948fb1d871d2be668db92607dd775744b0a8010606882fddecc7c2e5d3c1ef86c10b5022243d8924aa5256c736e0708ce43279e2e45bff4c91023b0e45ad8a48c6ef574af3d6fb8b7b4bc618e53c61556c9492ec92144254ae5fb1c731f0b0ef4983773a241c016c9f920677dd044fb22e998e16631a9248f8b48febc991278f1c25e36f12fd7fa3da1ca6f984cd02b9bb56888dae3a17b932440745dd58a8d5247edd79a567fb35e96cb1c9ffc02410e0bf00edd15e93cd66527d6f2e48476287a2f585fc0a4bf122bd86bfecd5607d0912578d29b20b9d3f3629daf272bbc59f234bdea98de4a4a7c7c2b38d4ea391f3fb51fb5813634b1ae4c7dae1d1ea5990b8594cc78c1773755442589e6d5a3da86cebecf73c7bce2ecfefc12c508184701bf025b4ca59db45cdde9c33c1391f5f930f78536b2b6367974c6bce0c006c8c45bd9b70a7b550b4ae7423a82ed220ba67ab75b5c785395ff092ce3c340630289e504fd0c8aaa3d3a05257e370ad9cecb80704aa7ecbf7451d200fb427d769945fe9a75c467b8341ffcb90c32d8487804ccbf41b9b72d9dfc8408d65e0819b00ec1502a330f71539d348a611958e60545d2274a852c2e7057d46366822e94792d805c960eae17418357a1c290742fa41ff1b55bd700a2358138ea3428aee73398fcc06ff0519e95ae1f8b3b19263848d59c3cbb57c9a0dcd869afbd44a4a04bbec071229ae880282adc59e200e108c7e724815561ef303e52d8482fd280d602972c8a08a4f643184fc20ee6a88670c322ee968c474b724849f0c19dcf4b73ec3d1a362bf870fa59c161a072190adc63febc16ffd81fb078a3bbe6d5d569876b06c402d48642e12f2860860359388c6d839a456d7f096977ba6862629d2f76ea83cea3b3223a376499be456e034b4bbac0e32de034b931c857d0e113e4d764b76d787bfdb1726ee1595d135c9c735fe3f93d8a716f5959574fbaa7aa6d274c7f3db975690b9cf52891bf5233ab7e517e110fe78e3f333ea28982133ad50866f10355e3e433d23d44fff0d1370454499c9c21d6a3116ce4c3d5227c61c5a6788035ad36923a0a2737a7f509abc086b2ac3ccd9e870cd7bfe65001cf3d66770982f63f8442f920015c16bed71585da50672810fe26295eca377bec71351165df62f7e0d92e6a9195efc575289587096bb2a15dcfb7622d21a8a53f0fbe90bea3e7e892898fc1505605bdc945ccaa79430e39c594769c4324cd2d25724b0c717f8e2d85f592131dbdc654a32b9f762f24701a7a53da66d971b0d8607a252f0a1410159a9b375c8ac57baf990a630107e20b3224d4d87505086eea8541d69cff75e8c8fe3a96fc1996945c7539deb446f51700ad041c55cb1147fa91ba94b12217967dac84acf5f7675e9f438e46131e806abec3969c9c606f39c808c62f3f1e04585eec4c0ab382bf82f7608496baacacbe535df8bcbf697b7f0c0a5c8bda54ffe02d9863ac352318433df1c45fb2961c2974ab9a5c439c56839400f2ffc36c0de963e87fee77c8f4795606278b5b4aaeb5fe349c30f80b6e6d5874336d3a2854297213806aa0e3554c85fe2110a099858b0c6ae8ea7ef28ea9de05f8174d807bda3ac4ce396ddf5b738f3b0b1bd27c34a27dc3123ddd856507b61640fbeae91b628a51a64c4a6032321279d393300b6d13cd2c9973560c036837956fe0cc8873e9d035f95b1a563430ce70899a0f296cf9830e6bbaa0659150fcbfd8d60e2a3079e5a36027578c2fab054000bee0fddcd77aaa8db96526c0bf2e8056731d78d5eee339c0480f0b41c897dc6463a29e02fe95e85ebb630dd90f3c9f0af1bd062ce977c8c60359b4910c3e5e3e07092bd310ef1427a2e074c5a1c5512c99671987207e5790cd2e81e055736638f7540d09aa0a3a8c905b5c8bca9bd368ed32d4cae46235c6d63a1f4315626120f3f3ecd490f6119a8c4160c9a54e543c8888aa1c7bca90ade20b804ea467b51b7df29de7a4ea38ebf7973716d66001711d81b2df2c8356f17dce72752b7cdfacc804559bbdbf5a0909796c09d87122376352d3f256a556bb5bc4ad12c1327c6219590f96acaf64ab959e3f24625540bc960b8eb8997f79a07ed75e2ce6f3275e4e05339a4bf4397dc700c83d080b80662fc8f40df27116e2e9442ba2705939e3587a00830813b711354d17792c4ed8b300621887cbfccf7e5ad5f9a13684757ebe38b31e2c967ce51ccf6afc8c9ef9f3f02a21c251bd74c11d9a48d264e554983fb7e88345e314f42c2e9dbba85d3a95781559656796564440131bde832a2069229ade921e415af28540b59f4f20bfedfa48f2cd012959bdd0b059a3079712b3ef1ea5d3902765ecf17e6103e3a559b5deea00874b8d6a2762bf8cb06cdd888dcc672f67dd601f87e9893de0cd9faf4ce6f1597e0ed03fc4aaeccfb98ed79233d7fdd75efec18e413a4d5256f0c62a94af9ad5ead0717d9e1875fab3b49e615c8e134030355d91b67d043d65e2fc342348372095259c9b86c82833fa5081de14963a3507da1e0b8a39f54894d906c819afe0edea533e0c132c8c8248479dd872c22acf120bd967891fc0664a9df55d4b8de9692d04d0f7a33ca8ff1502cc9eb7d3ed06f83cfb4a2d27445a0701e43cc7b5b88dd7677fa35c033770665285c19d38171857fb4ff511a84ded2a1b2334122629c6c80ae6085e4b3ad1c2ddad5fc6f7261b03bc1651fc9e4476fb6959c4ac1b08a5c551e7b7321b725eb77749dd5009ecf3aa918619fb83be4b564c3f4576bfa03213ca1327f6c109cc52422fc0a240d2c6ea751f6acc050ab67407e3131abb811953298f6e704cba9cf7bda5e2a8874d8279d4095c74364f8bd114b50f7edd41f26cb48c4e0f85f07968e2c1a8fc279dd3dd557fa6a4ff34310b6b72b942666a2d8bad30d9664ee60809c65668e173bf769a99b8e9a2b16cb0e49e88596e7e50e36891857ae6617dec4c3ec553ab50c084b5213e4ebfa304e507218232cd7fc8faf86a53de337252e6cb603ac89441b63b96ea1f91d8aa1bb19cb52a38c200519ee354cace50e7a1ef23af91a1f34ad947f35e86cb242db5365d60d7a14ff018e86dc130d86e97e617dbe0bdf10463048ceba865dce461b92d0715b2de566662515a41e8cb590e9e9dce806ca868119d3350552505ac3677a81c73011dbaeb33a0c714cedd3b7d5faebd0c1a9703396054a97b8e7c5feeaebe7f9d175ac09287d4cd063f31bf34c200f8ae9d43dbe60da9d0cdd3133898c2d04708910e8eee811ce1ad95445091ceedc0e2fea5903f3ec92c4c3c7213b4a03cf8d0f1ea187b48a9470c16560217ac206482ffe5e882be8119c5233bf8ea9ee3cf4972e99ce37155a952bcc416e7d7fe35890096c908b5d0d41675dd1729bae6c0d1285377742fa08fd4f632bd642c64f93a8d9dfaedcf63aabdbb54ed114deb8c190cdc2edcb4064cc4562908cc2ccb382afe8e743cf71125690c5effb2f1ee18c01c84a7bcf1dbf36b4bc2e01bd11f808cd650176d7fba4ca937fa73a7fbc8b8f1b47ecf91d8653d375d8450e6073a86c9d2c814e106375cde65cb7c7ff35a1716d1c6b20cde25a59133c197d24c6636c87b6764ac86326654203ab47d7f184c38f414027c182174e3f4c9d54264151376c8344e61b46c91001862495a4743f5a3f61961125991f2bbbbacbfce5098f99eb2997166fec27e51698b8c52a37d341a917ec32a742a35a51432c1e86306c591f16f113ab64eab29f861c34b19e26aa84242fc3335407e05f0dc2cfd31c3ac16390ac737ebca3948be98e42a1510028194fc1b4ad038f42f37a2b56bfd9a29526db82dee6169288a1315cd0cb234ecbb5dcc0e3d37f07b784740d15299bc4e5288b0c65df787c513fc236cfbcd6dd5abc49950680c620e177887e115961f784993a7c9a9d8ccc4c40381b1061d659a5d6b21b92dca74f88db7d3626397ce3bd407d52ab799cace0b6d172251ff547be9a7d1cec7fee0734f1f7a48521b4e98b9e15c25a0af697699e8a0004cea81881594831f81017c8060de53dfa90905500f3afa52c166020d81381b9a6d8ccf3510f8722cf93bccc9bd8328c04e529b2cd25d6d64d0d344f809b94dca84b8ab0e579f805d925697fc406e48f29239dac5684ed3823afc618dba770391cc392a939e0152860fe033d6509ec0b0904a799302677c7ed9cce9fd176b308c544ecde39c3b099b9f440bbbe54e2afda40be8bdec5126d4c40e0b07f1565e698b39598e77a60025f6fe875cbc45ba889960c6a86248be871fccb61fca6c66982f0023398526c2847db025901bed0b4dded1568f99ecdf5eb13eefdd04ecb7865451af8f5759af911b938d3519ce4d32f37080e05239bf3e4d814b8aaa499321441bd3404d37b0eefd06eca1d31d38870886714b5bdea86426b85e5ae62c5ad3d203201b21d5ed0631e70c944042d0ede7d3c398b0785d1fb22ba220e9f737a63f679fd421e660e97df24727ecd38e8f2f99cc21d78beee111fee89815a2b8a33ad62f7dbb81afe5dbccef1d486636d2e16433c8453873b884d15f843fdb2b12530e7e9424812aa6f304018f124a2c18f05b145fd40b4c4351eeef34b346127517877590002f4e5a09048c11f7ce825b9b4fe670c7826d3710c038cf1a5529e49da963473c5f64095757c1e5576c22d196c92a75a63d54b0e5e6d8afa330bb17ff12be11ec65fa1d95a1b9682445bd091f11a00217081f0c89a358a0323d3b490061462ba5eb8a284ab0906202322ba8b764941dd3f50059c7c9cab0a554cf3fa46d21ceb67c97d52e9ab1eb12b98ebd6aa13ef523f6ffa59ffbb51802576521ed3b4eac408147241d939ff14063408ac18e0058b57e0b0098e768e0108dd3db7ab022e1b55aab6fe38d7f4976698161ad3f263eb8b5d4714cdeda70566401a45fb19a44c1b8646df4509a1c08689b7a65ef3b51f291e5fb7a37fd0b486015b1d19b6a6bfe5469df9ae8ea2fa2fc39a5aff14cddded3b188566b924788fb5f4f95c5", 0x1000}, {&(0x7f0000000640)="1a087d174397886eda05ba2e173d65afb8de3ed54155d85188f9762064acc6b1afd8f3f5f0a1befece2e6023e8d0aa621339be2ba1a8abbf83af4942799f18a9172d160a11ff15e5ecc6d4a9c609a9736372aaf400d05acf69ca5aa9da9d1944957a7d0aec5ae69eb0a1ad10fafdbaba96db", 0x72}, {&(0x7f00000000c0)="78b6d8c93fe30e1a30964ed2881b382c31cfe6508a59926d1ca0e6ffbf95", 0x1e}], 0x3, 0x2) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000003c0)='TIPC\x00') sendmsg$TIPC_CMD_SHOW_PORTS(r2, &(0x7f0000000380)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x40000004}, 0xc, &(0x7f00000001c0)={&(0x7f0000000100)={0x1c, r3, 0x10, 0x70bd2d, 0x25dfdbfe, {}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x8000}, 0x4000080) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) alarm(0x81) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000001740)={0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000001800)=[@acquire_done={0x40106309, r4, 0x1}, @transaction_sg={0x40486311, {{0x4, 0x0, 0x4, 0x0, 0x11, 0x0, 0x0, 0x0, 0x0, &(0x7f0000001780)=[@flat={0x77682a85, 0x100, r4, 0x3}, @fd={0x66642a85, 0x0, r1, 0x0, 0x4}], &(0x7f00000017c0)=[0x18]}, 0x6}}, @free_buffer={0x40086303, r4}, @increfs_done={0x40106308, r4, 0x4}, @register_looper, @clear_death={0x400c630f, 0x0, 0x3}], 0xd5d6f8a66a39d183, 0x0, 0x0}) [ 683.133471][ T7537] *** Control State *** [ 683.154110][ T7537] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 683.174413][ T7537] EntryControls=0000d1ff ExitControls=002fefff [ 683.195621][ T7537] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 683.247604][ T7537] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 683.278996][ T7561] binder: 7560:7561 ioctl c018620b 0 returned -14 [ 683.297864][ T7537] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 683.305799][ T7561] binder: 7560:7561 unknown command 0 [ 683.334540][ T7561] binder: 7560:7561 ioctl c0306201 20000140 returned -22 [ 683.350130][ T7537] reason=80000021 qualification=0000000000000000 [ 683.387135][ T7537] IDTVectoring: info=00000000 errcode=00000000 17:33:53 executing program 3: syz_mount_image$ext4(&(0x7f0000000100)='ext2\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x1000000, 0x0) [ 683.420046][ T7537] TSC Offset = 0xfffffe9079a69b5d [ 683.426621][ T7562] binder: 7560:7562 ioctl c0306201 20000080 returned -14 [ 683.445356][ T7537] EPT pointer = 0x00000000a01f701e 17:33:53 executing program 3: r0 = socket$kcm(0x11, 0x3, 0x0) ioctl$PERF_EVENT_IOC_QUERY_BPF(0xffffffffffffffff, 0xc008240a, 0x0) setsockopt$sock_attach_bpf(r0, 0x107, 0xf, &(0x7f0000000040), 0x4) sendmsg(r0, &(0x7f0000000440)={&(0x7f00000001c0)=@nfc={0x112, 0x2}, 0x80, &(0x7f0000000340)=[{&(0x7f0000000240)="650391fe1292af1425ec27208e1b49b4595d5ffada4acce266a944b9bf31be05b1a39c4ed4752c6371254c008f568e6a5f7a3070644ab30d944d39deca2f07270e82845bd49dc96a2d3a273dc32dbb68b84304de6155932344de7a7701da4782ecbfd8c5537641b1fc15eaa03064c1641d58a5f3385281c7e5e59a29701f5dd7c3f2e0ecde8106610ef9ed77f5f4c2ba88ede17ae9b021159addf2614ded248f786b535e55b59ae01ebc6a74a5e7308bcb7d92e82b5dfbe8c72d7a4a288e9e6e664a103b8f49469a6a58f58bc08b76ab437ff88fc977dfcb42cd630ad9836784", 0xe0}], 0x1}, 0x0) [ 683.543037][ T7808] binder: release 7544:7552 transaction 3286 out, still active 17:33:53 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x7a00) 17:33:53 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 683.597183][ T7568] net_ratelimit: 9 callbacks suppressed [ 683.597199][ T7568] skbuff: bad partial csum: csum=5295/60453 headroom=160 headlen=214 [ 683.601877][ T7808] binder: send failed reply for transaction 3286, target dead [ 683.617475][ T7808] binder: send failed reply for transaction 3289, target dead [ 683.638160][ T7808] binder: send failed reply for transaction 3292 to 7560:7561 [ 683.648251][ T7561] binder: 7560:7561 ioctl c018620b 0 returned -14 [ 683.656659][ T7568] skbuff: bad partial csum: csum=5295/60453 headroom=160 headlen=214 [ 683.665132][ T7561] binder: 7560:7561 unknown command 0 17:33:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 683.710154][ T7561] binder: 7560:7561 ioctl c0306201 20000140 returned -22 [ 683.717066][ T7570] binder: 7560:7570 transaction failed 29189/-22, size 24-8 line 2994 17:33:54 executing program 3: socketpair$unix(0x1, 0x0, 0x0, 0x0) mkdir(&(0x7f0000000000)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) lsetxattr$system_posix_acl(0x0, 0x0, &(0x7f0000000340)={{}, {0x1, 0x3}, [{0x2, 0x1}, {0x2, 0x7}], {0x4, 0x4}, [], {0x10, 0x7}, {0x20, 0x1}}, 0x34, 0x1) clone(0x800002502000ff8, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount(&(0x7f0000000140)=@nullb='[d::]:,54.:\x00', &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='ceph\x00', 0x0, 0x0) 17:33:54 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000740)=ANY=[@ANYBLOB="0c63000098cb6eba39eb5e4e6ea8104ddbf5570a6235f16e30c39b682ac0efb87c7910447d96af0cb5bc1094cde623f1b332d1a63dd5e65c198e0a3831aefa681a453e9fa46941552fe4dd49452fe8e2c893ad281d59975eb85919dcc0b1b551ab399089516c00e6596d20755aa6ac108ba3840362521f6b9d3898c333f388fef5783ec2fb61ddae095b2d03"], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) r0 = add_key(&(0x7f0000000080)='ceph\x00', &(0x7f0000000100)={'syz', 0x3}, &(0x7f0000000580)="14c8513fb6f336347658a48b39c4ae56003a9bd99174107bad5b81a29466816ecb4ef570caff7bbb72bdfee616420c588e37b0c1685bc5d09a02f32f8b3b5005a19bcc45baeb8991796efd5a74df119379461faadf15d894c7c65fcb84ea22bea6b250d2f64450c4810c24ff1c1c0b15909b8a47c025178753f736bd0ec9202cb7d4df307b98b4463e7548d5a1480ce48f05c35fe79dc126391152c630838833dd58c6fc72daad4167b5898b99e85fc982c3856ddb7065382fecde484b5999d490a0b98c8c1357f1eb3fd25a", 0xcc, 0xfffffffffffffff8) add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000280)={'syz', 0x0}, &(0x7f0000000480)="1a6a0fd1637e0d0e4508d86cca02b5e628c7f13a6123d350435698465f63e29cfe175ac8a1c0ce0cea20b5b370eacd879cfb96d25ff4af1c489e6edf11bf91cd640c229a8abad898c18c71270a4535cc217c667c3cea3ab3a14390bf33d2d1352e8fcd88b94983bab2fa5734ed6cd92dfa1f048ea7f5a3c27f3e144b5c010e71757118483f25c6cf8acb0442f6ab3888b1e855cacf6ae15c78db4253134b55a27077b1b16af56d7f739ba15c19085dccf86a53bc4db3a11d28bd33ff056c2fb7df3fb0632cf24e0e4fe12152c7ddea93d03f0013524704fe9ff3ccd5d90940e2", 0xe0, r0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x363, 0x0, &(0x7f0000000280), 0x0, 0x0, 0x0}) [ 683.867211][ T7581] *** Guest State *** [ 683.871416][ T7581] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 683.898260][ T7581] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 683.935781][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 683.941735][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 683.946191][ T7581] CR3 = 0x0000000000002000 [ 683.947778][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 683.955446][ T7591] libceph: resolve '54.' (ret=-3): failed [ 683.958119][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 683.971605][ T7581] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 17:33:54 executing program 3: perf_event_open(&(0x7f0000000080)={0x400000000001, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x401, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = perf_event_open(&(0x7f0000000600)={0x1, 0x70, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$setstatus(r0, 0x4, 0x2400) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) write(r2, &(0x7f00000001c0), 0x1000002ac) read(r1, &(0x7f0000000200)=""/250, 0x50c7e3e3) pipe(0x0) write(0xffffffffffffffff, &(0x7f00000001c0), 0xfffffef3) [ 683.989386][ T7581] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 684.005664][ T7581] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 684.014481][ T7581] RFLAGS=0x00000002 DR7 = 0x0000000000000400 17:33:54 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x2bb, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xb3, 0x0, &(0x7f0000000000)="315e2bfb468b1693818a9b96bedc4cde6ed87f32d8ef145597ea7a60862cb34602f427b196df1e2beafe2a02a9c5aa18da737c9d7c1d2bcf03206e4146d69712a3e5970648e05e88ebe247584e9dc4dd8f274619d63a66cf55bb834ed1bea21ec664d0b0b0e423e60056fdda1d45d6b4833e7844827b183dd9a172a12372e790b718380b26be19dd8c373adf3f67d4eecefb09e56285bec217715e5d940d944cee868a941d0dce711a842ffb351098acc71126"}) mmap$binder(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x4, 0x2810, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000480)=[@reply_sg={0x40486312, {{0x2, 0x0, 0x2, 0x0, 0x1, 0x0, 0x0, 0x68, 0x18, &(0x7f0000000380)=[@fda={0x66646185, 0x7, 0x3, 0x30}, @ptr={0x70742a85, 0x0, &(0x7f0000000100), 0x1, 0x2, 0x29}, @fda={0x66646185, 0x8, 0x3, 0x37}], &(0x7f00000001c0)=[0x40, 0x40, 0x0]}, 0x6}}], 0xffffffffffffff84, 0x0, 0x0}) [ 684.036818][ T7581] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 684.045559][ T7591] libceph: parse_ips bad ip '[d::]:,54.' [ 684.078574][ T7581] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 684.138424][ T7581] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 684.188353][ T7581] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 684.200534][ T7604] binder: 7603:7604 ioctl c018620b 0 returned -14 [ 684.215304][ T7581] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 684.250726][ T7581] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 684.269861][ T7581] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 684.282657][ T7606] binder: 7603:7606 unknown command 0 [ 684.294335][ T7581] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 684.304428][ T7606] binder: 7603:7606 ioctl c0306201 20000440 returned -22 [ 684.319612][ T7581] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 684.329146][ T7607] binder: 7603:7607 got reply transaction with no transaction stack [ 684.338669][ T7581] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 684.356767][ T7581] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 684.368638][ T7607] binder: 7603:7607 transaction failed 29201/-71, size 104-24 line 2899 [ 684.375953][ T7581] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 684.385163][ T7607] binder: 7603:7607 ioctl c0306201 200002c0 returned -14 [ 684.403236][ T7581] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 684.422402][ T7581] Interruptibility = 00000000 ActivityState = 00000000 [ 684.438704][ T7581] *** Host State *** [ 684.447462][ T7581] RIP = 0xffffffff811b40b0 RSP = 0xffff88801c0778e0 [ 684.462711][ T7581] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 684.477927][ T7581] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 684.496095][ T7581] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 684.510625][ T7581] CR0=0000000080050033 CR3=00000000211ca000 CR4=00000000001426f0 [ 684.519160][ T2986] binder: release 7573:7583 transaction 3297 out, still active [ 684.527945][ T7581] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 684.546085][ T7581] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 684.561597][ T7581] *** Control State *** [ 684.570432][ T7581] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 684.581146][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 684.581193][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 684.587008][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 684.592863][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 684.599373][ T7581] EntryControls=0000d1ff ExitControls=002fefff 17:33:54 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) [ 684.610738][ T2986] binder: send failed reply for transaction 3297, target dead [ 684.611188][ T7581] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 684.619111][ T2986] binder: send failed reply for transaction 3300 to 7603:7606 [ 684.651815][ T7581] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 684.692281][ T7581] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 684.724279][ T7581] reason=80000021 qualification=0000000000000000 [ 684.740402][ T7581] IDTVectoring: info=00000000 errcode=00000000 [ 684.754179][ T7581] TSC Offset = 0xfffffe8fbee1ed51 [ 684.771720][ T7581] EPT pointer = 0x000000001dbe701e [ 684.828925][ T7612] binder: 7609:7612 ioctl c0306201 0 returned -14 [ 684.987375][ T7606] binder: 7603:7606 ioctl c018620b 0 returned -14 [ 685.008599][ T7607] binder: 7603:7607 unknown command 0 [ 685.014146][ T7607] binder: 7603:7607 ioctl c0306201 20000440 returned -22 [ 685.046149][ T7607] binder: 7603:7607 got reply transaction with bad transaction stack, transaction 3308 has target 7609:0 [ 685.062718][ T7607] binder: 7603:7607 transaction failed 29201/-71, size 104-24 line 2914 [ 685.072290][ T7607] binder: 7603:7607 ioctl c0306201 200002c0 returned -14 [ 685.080443][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 685.086792][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 685.093170][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 [ 685.115132][ T7808] binder: release 7603:7607 transaction 3308 out, still active [ 685.126796][ T7808] binder: unexpected work type, 4, not freed [ 685.132814][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 685.140777][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 [ 685.559415][ T2986] binder: release 7609:7612 transaction 3305 out, still active [ 685.586063][ T2986] binder: send failed reply for transaction 3305, target dead [ 685.599679][ T2986] binder: send failed reply for transaction 3308, target dead 17:33:56 executing program 1: 17:33:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:56 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x80ffff) 17:33:56 executing program 3: 17:33:56 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0xfffffffffffffe37, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x2) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000), 0x17a, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:56 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) [ 685.936908][ T7625] binder: 7619:7625 ioctl c018620b 0 returned -14 17:33:56 executing program 3: 17:33:56 executing program 1: [ 685.983817][ T7631] binder_thread_write: 4 callbacks suppressed [ 685.983831][ T7631] binder: 7624:7631 BC_INCREFS_DONE u0000000000000000 no match [ 686.019282][ T7625] binder: 7619:7625 unknown command 1986356271 [ 686.032411][ T7635] binder: 7622:7635 ioctl c0306201 0 returned -14 [ 686.033367][ T7625] binder: 7619:7625 ioctl c0306201 20000440 returned -22 [ 686.067710][ T7632] binder: 7619:7632 BC_INCREFS_DONE u0000000000000000 no match 17:33:56 executing program 3: [ 686.093323][ T7632] binder: 7619:7632 ioctl c018620b 0 returned -14 [ 686.109396][ T7632] binder: 7619:7632 unknown command 1986356271 [ 686.116763][ T7639] *** Guest State *** [ 686.121020][ T7639] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 686.134770][ T7632] binder: 7619:7632 ioctl c0306201 20000440 returned -22 17:33:56 executing program 1: [ 686.146294][ T7625] binder: 7619:7625 BC_INCREFS_DONE u0000000000000000 no match [ 686.156906][ T7639] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 686.186527][ T7639] CR3 = 0x0000000000000000 17:33:56 executing program 5: r0 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x42000, 0x0) setsockopt$IP_VS_SO_SET_ADD(r0, 0x0, 0x482, &(0x7f0000000040)={0xb7, @dev={0xac, 0x14, 0x14, 0x27}, 0x4e21, 0x2, 'nq\x00', 0x4, 0x1000, 0xffffffff00000000}, 0x2c) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 686.198311][ T7639] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 686.215239][ T7639] RFLAGS=0x00010002 DR7 = 0x0000000000000400 17:33:56 executing program 1: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x4) setsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000000140)={0x8, 0x7f48, 0x3, 0x9, 0x5, 0x80000000800, 0x1, 0xffffffffffffff01, 0x5, 0x1, 0x7}, 0xb) r1 = socket$inet_smc(0x2b, 0x1, 0x0) r2 = socket$inet6(0xa, 0x1000000000002, 0x1) ioctl(r0, 0x100008912, &(0x7f0000000300)="02979e0700145f80f9b889") getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(0xffffffffffffffff, 0x84, 0x72, &(0x7f00000000c0)={0x0, 0x7, 0x30}, &(0x7f0000000140)=0xc) setsockopt$inet_sctp6_SCTP_AUTH_DELETE_KEY(r2, 0x84, 0x19, &(0x7f0000000180)={r3, 0x8}, 0x8) setsockopt$inet_tcp_TCP_FASTOPEN_KEY(r1, 0x6, 0x21, &(0x7f0000000040)="000000888000dae7770a34e96eda00", 0xffffffffffffff23) ioctl$EXT4_IOC_SETFLAGS(r0, 0x40086602, &(0x7f0000000280)) accept$inet(r1, &(0x7f0000000000)={0x2, 0x0, @loopback}, &(0x7f0000000080)=0x10) setsockopt$inet_mreqsrc(r1, 0x0, 0x26, &(0x7f00000001c0)={@empty, @multicast1, @multicast2}, 0xc) close(r1) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r1, 0x6, 0x23, &(0x7f0000000200)={&(0x7f0000fff000/0x1000)=nil, 0x1000}, &(0x7f0000000240)=0x10) r4 = socket$inet6(0xa, 0x20000800000004, 0x83) ioctl(r4, 0x8912, &(0x7f0000000280)="153f6234488dd25d5c6070") r5 = socket(0x400020000000010, 0x2, 0x4) write(r5, &(0x7f0000000400)="1f00000054000d0000000000fc07ff1b070404000400000007000100010039cb648ffcea50597d9ca2f35eef5d07934709c8fd98d6f18d63fccaf309628c25c5e4c37862b739b68e091b060ab62ace3dcb9a91bb2f93340b7e298d538acfb378746bc54d8cb51fb20b2f3251fd05bd2274e0054206b072b869d05315e263706ab167b546f22f71dd3bf147180000000000", 0x91) r6 = socket$inet6_sctp(0xa, 0x1, 0x84) sendto$inet6(r6, &(0x7f0000e33fe0)='X', 0x1, 0x0, 0x0, 0x0) write$binfmt_aout(r6, &(0x7f0000000340)=ANY=[@ANYBLOB="61db6041e36cef2bc9873e3230"], 0xd) r7 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r6, 0x84, 0x72, &(0x7f0000000080)={0x0, 0x401, 0x30}, 0xc) setsockopt$inet_sctp6_SCTP_CONTEXT(r7, 0x84, 0x11, &(0x7f00000002c0)={r3, 0xffff}, 0x8) ioctl$sock_SIOCINQ(r6, 0x541b, &(0x7f0000000100)) sendmsg(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000005c0)=[{&(0x7f0000000040)="ac", 0x1}], 0x1}, 0x0) setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r6, 0x84, 0x72, &(0x7f00000000c0), 0xc) write$binfmt_misc(r6, &(0x7f0000000240)={'syz1'}, 0x34000) [ 686.269983][ T7639] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 686.287981][ T7648] binder: 7647:7648 ioctl c018620b 0 returned -14 17:33:56 executing program 3: r0 = socket$inet(0x2, 0x3, 0x19) connect$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x0, @local}, 0xf5) setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x23, &(0x7f0000000000)={{{@in=@multicast2, @in=@multicast1}}, {{@in6}, 0x0, @in6=@loopback}}, 0xe8) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f00000000c0)="0adc1f123c123f3188b070") setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000180)={@multicast2, @local, 0x0, 0x1, [@dev]}, 0x14) setsockopt$inet_mreqn(r0, 0x0, 0x100000000000026, &(0x7f0000000380)={@multicast2, @local}, 0xc) [ 686.329568][ T7639] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.365670][ T7639] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.371589][ T7654] binder: 7647:7654 transaction failed 29189/-22, size 24-8 line 2994 [ 686.398257][ T7639] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 686.419388][ T7654] binder: 7647:7654 BC_INCREFS_DONE u0000000000000000 no match [ 686.439173][ T7639] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.454055][ T7639] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.473291][ T7639] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.494704][ T7639] GDTR: limit=0x00000000, base=0x0000000000000000 [ 686.507790][ T7639] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.535429][ T7639] IDTR: limit=0x00000000, base=0x0000000000000000 [ 686.551642][ T7639] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 686.561541][ T7639] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 686.569712][ T7639] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 686.578837][ T7639] Interruptibility = 00000000 ActivityState = 00000000 [ 686.586302][ T7639] *** Host State *** [ 686.594282][ T7639] RIP = 0xffffffff811b40b0 RSP = 0xffff88805225f8e0 [ 686.607536][ T7639] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 686.614820][ T7639] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 686.623809][ T7639] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 686.630640][ T7639] CR0=0000000080050033 CR3=0000000084ef1000 CR4=00000000001426f0 [ 686.638681][ T7639] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 686.646125][ T7639] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 686.653511][ T7639] *** Control State *** [ 686.657681][ T7639] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 686.665155][ T7639] EntryControls=0000d1ff ExitControls=002fefff [ 686.671659][ T7639] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 686.679604][ T7639] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 686.687468][ T7639] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 686.694955][ T7639] reason=80000021 qualification=0000000000000000 [ 686.702152][ T7639] IDTVectoring: info=00000000 errcode=00000000 [ 686.708327][ T7639] TSC Offset = 0xfffffe8e8f82ad50 [ 686.709302][ T2986] binder: release 7622:7635 transaction 3313 out, still active [ 686.713454][ T7639] EPT pointer = 0x000000001a45501e 17:33:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:56 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x1000000) 17:33:56 executing program 3: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000180)) 17:33:56 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) getpeername$inet6(0xffffffffffffffff, 0x0, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:33:56 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) [ 686.763157][ T2986] binder: send failed reply for transaction 3313, target dead 17:33:57 executing program 3: r0 = socket$inet(0x2, 0x4000000000000001, 0x2) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f0000000040), 0x4) bind$inet(0xffffffffffffffff, 0x0, 0x0) perf_event_open(&(0x7f0000c86f88)={0x800000000002, 0x70, 0xfffffffffffffff8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = open(&(0x7f0000000040)='./file0\x00', 0x200c2, 0x0) write$binfmt_elf64(r1, &(0x7f0000004000)=ANY=[@ANYRESHEX], 0x12) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendfile(r1, r1, &(0x7f00000001c0), 0xa198) perf_event_open(&(0x7f00000000c0)={0x7, 0x70, 0x0, 0x9, 0x9, 0x995, 0x0, 0x2, 0x0, 0x0, 0x9, 0x0, 0x7ff, 0xffffffffffff6e05, 0xffffffff, 0x0, 0x9, 0x0, 0x0, 0x0, 0x329, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10001, 0x0, 0x0, 0x7, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0x0, 0x200}, 0x100, 0x28000, 0x0, 0x3, 0x9, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffff9c, 0x9) ioctl$EXT4_IOC_SWAP_BOOT(r1, 0x6611) 17:33:57 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) getpeername$inet6(0xffffffffffffffff, 0x0, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 686.933449][ T7683] binder: 7678:7683 BC_INCREFS_DONE u0000000000000000 no match [ 687.000592][ T7691] binder: 7676:7691 ioctl c0306201 0 returned -14 17:33:57 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) getpeername$inet6(0xffffffffffffffff, 0x0, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:33:57 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x2000000) [ 687.084998][ T7695] binder: 7647:7695 ioctl c018620b 0 returned -14 [ 687.101188][ T7695] binder: 7647:7695 transaction failed 29189/-22, size 24-8 line 2994 [ 687.131314][ T7654] binder: 7647:7654 BC_INCREFS_DONE u0000000000000000 no match 17:33:57 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero\x00', 0x3e, 0x0) ioctl$SNDRV_SEQ_IOCTL_PVERSION(r1, 0x80045300, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$KVM_SET_XSAVE(r1, 0x5000aea5, &(0x7f0000000740)={"17a99f8e4ffc135874b1d28a232741bc4d34b3e701c464e746772a46ff0b42ef32d76e13c665b2b5042ea17c3f22ddc502fefb028649b63a99a4d4886d9ef69b587a1dff02e1c9eb53ca4dd374d54c8c07b86690bb8cee0a9bbe68ad2d7fc43806e567b64b7ca48fbbc4b06cd5b7db011191e70df0a9a3625c931704f051c7419f385afd02d2481103652e8665d945652d0bff065b1cb4628d3e5541dcff69c4350fd927c57da6fc9c32a656cbf5f4fe941fdff4ef402564ee935835e65bb87ba25f441f9feaeeeaa8c1fbc403f7a4e0432da94918a0c30d227cd9670a616412bb3612a7c9a3670c1a20507d122fe7d576e979f59239284350554e582aa617ba510431328d94d8ffbd2020485a5e83b593d684bb46bd7461b06bc5bc1d80f522eb7ced53c359e3f4c1e6aca5f2967c5694017b7230c1136dbeeceb12211614121829f23ed0273e65010eebbfaf2febf4ab69aba8669f2cac8e351b38ae6ff22214f3739fdf0f51dc994aff97a33e43c327e7d4dd53aae9e8b6d77ca69554b6e5d5618152a60057490ce257f05073cfcee100be1e9c1e22f2ef95932d3ce03d1835b87fab97ddcb9083e31c3741377627e4d2851c6585e2ae29b9359f8faf3f2115f160a3746b9c617e196563267377b25d5bdf9b4f7314b2a78e036222d86d97a73d6207e49da1c928831a72fcdfc879e3fd990a8f03272754135737dec4d5802ad6bbad4c860d366c8a069978f98065d7046c5b867b4710119d5fe6760b5688b5fe7ab8441fa14555b472644935df25563a16432c377535772586d699dcefe7cc177e29d17bbf9b3a89f5dff9174c10d350e2b1a06fbb706c5449db8ed058029e4af7faa57af8a05d61bf3e5fef2b4057c8db756344f79754c491ffa2e62e769a95fb9a43065fee175854bcc9721ab9e4d164079b5d3af1eee16ac48f460e2748ffffc100650975bc3d690703896d45d09c483a3885e8674feb914ab706707c0d4c88d09809149e73d9250b566bb050b3fdfe514c18cef8f4961e55b4edb416eab858e26d98841717d614693b683e9ba3a644be2398002f087ec4f77266a3fe89bc245e8735ffc45afb69232dd2c2699f09caabed71ebfccac4bfedf5307522c41c240b467465f0d10c6163de1beb9ab65e479259072dc3c12f1b7cc5ad489b5b68e2e0e793448f56c7a2990680b266d1450d1163f9be0ff089e1208510d19e1505827046796f79908d9ca43a1185ebd822063eb719dba80c221dddbf551217bc441b9ecf4638b97e006a83951e3dc37716072c5c57741dda026b75d3dd8533e3d710342fd9c33b00daa019f47a3ab990f4a865612c1198aad7751777f5ac8239443b274a8a6282b14f823488fac99764e129dc7b82f1cb75ef80bb600d5186b2354fa551a462dbda4b876ec884bc9616a9d7f500908b74adab03504a788073"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:57 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) getpeername$inet6(0xffffffffffffffff, 0x0, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 687.305562][ T7707] binder: 7706:7707 ioctl c018620b 0 returned -14 [ 687.314100][ T7705] *** Guest State *** [ 687.319692][ T7705] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 17:33:57 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 687.351050][ T7705] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 687.372819][ T7705] CR3 = 0x0000000000002000 [ 687.383245][ T7705] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 687.422235][ T7705] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 687.447474][ T7705] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 687.467687][ T7705] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 687.474845][ T7705] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 687.490694][ T7705] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 687.511276][ T7705] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 687.529721][ T7705] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 687.540412][ T7705] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 687.565250][ T7705] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 687.574912][ T7705] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 687.584750][ T7705] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 687.594274][ T7705] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 687.605244][ T7705] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 687.615183][ T7705] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 687.625744][ T7705] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 687.634649][ T7705] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 687.645311][ T7705] Interruptibility = 00000000 ActivityState = 00000000 [ 687.653185][ T7705] *** Host State *** [ 687.657637][ T7705] RIP = 0xffffffff811b40b0 RSP = 0xffff88808601f8e0 [ 687.664423][ T7705] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 17:33:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:57 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 687.672203][ T7705] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 687.681527][ T7705] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 687.697290][ T7808] binder: release 7676:7691 transaction 3318 out, still active [ 687.697603][ T7705] CR0=0000000080050033 CR3=000000001a415000 CR4=00000000001426f0 17:33:57 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 687.731911][ T2986] binder: send failed reply for transaction 3318, target dead [ 687.747620][ T7705] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 687.779257][ T7705] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 687.780319][ T2986] binder: send failed reply for transaction 3322 to 7706:7711 17:33:57 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, 0x0) [ 687.821083][ T7705] *** Control State *** 17:33:58 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 687.859778][ T7705] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 687.892004][ T7705] EntryControls=0000d1ff ExitControls=002fefff [ 687.900544][ T7729] binder: 7723:7729 transaction failed 29189/-22, size 0-8 line 2994 17:33:58 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 687.916164][ T7705] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 687.948250][ T7705] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 687.979355][ T7705] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 687.997392][ T7705] reason=80000021 qualification=0000000000000000 [ 688.010805][ T7705] IDTVectoring: info=00000000 errcode=00000000 [ 688.018287][ T7705] TSC Offset = 0xfffffe8de42f98c2 17:33:58 executing program 1: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 688.032883][ T7705] EPT pointer = 0x0000000059bf101e [ 688.051520][ T7738] binder: BINDER_SET_CONTEXT_MGR already set [ 688.093513][ T7738] binder: 7732:7738 ioctl 40046207 0 returned -16 [ 688.094187][ T7711] binder: 7706:7711 ioctl c018620b 0 returned -14 [ 688.124951][ T7738] binder: 7732:7738 ioctl c0306201 0 returned -14 17:33:58 executing program 1: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:33:58 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x3000000) [ 688.143077][ T7808] binder: release 7706:7743 transaction 3333 out, still active [ 688.159464][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:33:58 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf2b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000, 0x0, 0x0, 0x0, @perf_config_ext, 0x40000}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:33:58 executing program 1: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 688.318930][ T7752] binder: 7751:7752 ioctl c018620b 0 returned -14 17:33:58 executing program 1: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 688.379037][ T7755] *** Guest State *** [ 688.386919][ T7755] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 688.400699][ T7755] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 688.413316][ T7755] CR3 = 0x0000000000002000 [ 688.418166][ T7755] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 688.435621][ T7755] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 688.458545][ T7755] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 688.468607][ T7755] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 688.476771][ T7755] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 688.484642][ T7755] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 688.494421][ T7755] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 688.503246][ T7755] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 688.523547][ T7755] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 688.532908][ T7755] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 688.551729][ T7755] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 688.561576][ T7755] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 688.577954][ T7755] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 688.588320][ T7755] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 688.597471][ T7755] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 688.606721][ T7755] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 688.614174][ T7755] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 688.622561][ T7755] Interruptibility = 00000000 ActivityState = 00000000 [ 688.629679][ T7755] *** Host State *** [ 688.633633][ T7755] RIP = 0xffffffff811b40b0 RSP = 0xffff88805088f8e0 [ 688.640470][ T7755] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 688.648745][ T7755] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 688.657861][ T7808] binder: release 7724:7734 transaction 3327 out, still active [ 688.675094][ T7755] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 688.675973][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 688.681830][ T7755] CR0=0000000080050033 CR3=0000000092721000 CR4=00000000001426f0 [ 688.681848][ T7755] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 688.681860][ T7755] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 688.681866][ T7755] *** Control State *** [ 688.681876][ T7755] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 688.681885][ T7755] EntryControls=0000d1ff ExitControls=002fefff [ 688.681900][ T7755] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 17:33:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:58 executing program 1: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 688.681910][ T7755] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 688.681920][ T7755] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 688.681929][ T7755] reason=80000021 qualification=0000000000000000 [ 688.681937][ T7755] IDTVectoring: info=00000000 errcode=00000000 [ 688.681951][ T7755] TSC Offset = 0xfffffe8d51d5f877 [ 688.775672][ T2986] binder: release 7732:7738 transaction 3330 out, still active 17:33:58 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 688.797920][ T2986] binder: send failed reply for transaction 3327, target dead 17:33:59 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406301}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 688.847022][ T2986] binder: send failed reply for transaction 3330, target dead [ 688.854656][ T2986] binder: send failed reply for transaction 3333, target dead 17:33:59 executing program 1: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 688.892022][ T2986] binder: send failed reply for transaction 3336 to 7751:7758 [ 688.910840][ T7789] binder: 7775:7789 transaction failed 29189/-22, size 0-8 line 2994 [ 688.973576][ T7755] EPT pointer = 0x0000000091d8001e [ 688.983176][ T7802] binder: 7790:7802 ioctl c018620b 0 returned -14 17:33:59 executing program 1: socketpair$unix(0x1, 0x3, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:33:59 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4000000) [ 689.018599][ T7802] binder: 7790:7802 got reply transaction with no transaction stack [ 689.036906][ T7802] binder: 7790:7802 transaction failed 29201/-71, size 0-0 line 2899 [ 689.109490][ T7758] binder: 7751:7758 ioctl c018620b 0 returned -14 [ 689.116773][ T7818] binder: 7790:7818 BC_INCREFS_DONE node 3346 has no pending increfs request [ 689.137970][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 689.145769][ T7808] binder: release 7751:7820 transaction 3348 out, still active 17:33:59 executing program 1: socketpair$unix(0x1, 0x3, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:33:59 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="75a9a3816009eb8e8a8016f07336ce2a1264dabd2cedef3f703856fb13af90993be953da4a5d595e315d7e8766139e7a6852d38848d6447cafde05d7035f850609dbf63fd9a71cf2afa7cf040000000000000088b0a3eb492f9049b52eea4c7dd90488ee4edf59cd6ef96a16d507a335034a14ba9e6b4122b646434e251bb771632d607c6de3db700824c9ac4a2e7ac63557163deb038c9551bc441016b4d7ac0495166bd85a0a0547b116b207dab7be510f9c5d57796fa36f6c0c9e669ad459df7193f8085702a39bf06582bda7d65951f957e583c7ff3385ddd31482cd8cd686250c03723ee3933eaaec7ae756391cd78ac4302ad9d30bd2147ffe8db0e8bd54faa8e3d2f1d70cd12c532044a0e50739e1cb826dfaef59e4188a8f293ac5c88da67e517e5c8d7854522e9b2b509a31e633528a1c206079fa4c145b3ad6d035b36fdb1ad4d377809ede"], 0xffffffffffffffb2, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="08631040", @ANYRES64=0x0, @ANYBLOB="00b7b0c6e444587a"], 0x0, 0x0, 0x0}) r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x200, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000000480)={{{@in=@remote, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}}}, &(0x7f0000000040)=0x48561dc818e98560) io_setup(0xaa, &(0x7f00000000c0)=0x0) r5 = syz_open_dev$vcsa(&(0x7f0000000100)='/dev/vcsa#\x00', 0x100000000, 0x80001) r6 = bpf$OBJ_GET_PROG(0x7, &(0x7f0000000800)={&(0x7f00000007c0)='./file0\x00', 0x0, 0x10}, 0x10) io_submit(r4, 0x5, &(0x7f0000000b40)=[&(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x7, r5, &(0x7f00000001c0), 0x0, 0x7fffffff, 0x0, 0x2, r2}, &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x7, 0x8, r0, &(0x7f0000000740)="bfc14738648c0c50a52e06a39948f89ea09346506b9eec832a173f44856c63a7de7d3c0c01a55efd31fcfc909ee12d0369015c162e24e062fc029255db3b87d2cc42a7977e97b377817601fbb984ee286442429f140291c5da5ce3096eea", 0x5e, 0x9, 0x0, 0x0, r2}, &(0x7f0000000940)={0x0, 0x0, 0x0, 0x0, 0x20, r6, &(0x7f0000000840)="6153d8a68eb426694b6255dfb90e34f4b606a119eef4cd9f160c336f9518ee570ef558dfe18b49510ec895c5e78c5b27d3db9d1b36fb35cd3189840b50ea30e936794d4c1717f3afd839632bf86b1936638ee847f3cd8d76c3ec60851a11012e330b7da2249d56250e9441afe33c2791bbdf28379ceebe40e1bdfdd8d61558f7d16622df6ef61da063a75cb89e32da316de40ef4411e6b2656f0cef8f18c9e36ee66ecb6aff51359073aef7e64a3491074e3419170a7e80a8537671f408b204658fdb46ecf16115468ec6f90203d", 0xce, 0x3, 0x0, 0x1, r2}, &(0x7f00000009c0)={0x0, 0x0, 0x0, 0x8, 0xfffffffffffffff7, r0, &(0x7f0000000980)="12658f73dc1121f31f836e37ab2a4753900aa8af1ce74cd9526592b6ae7b514379418aa4a334ca59446c38", 0x2b, 0x304, 0x0, 0x2, r2}, &(0x7f0000000b00)={0x0, 0x0, 0x0, 0x3, 0x4cc8, r2, &(0x7f0000000a00)="a08b8ef41629ac6db4620b264e8923d2ebbfdacfd4e4d730fd12fb5c4c29c1b298b8d02f7130ae99778773f541246df9c8d086d5c7f6c937da01292e45b54b8d7f2bb04293356cff4f65c6ea447bd853489c7e2a1bfdda2e14b7665df2d62e235aeefa2660f5eb2c92543c1b222fc5cdf4f6932b59f74c7a7359fd57a305a1b1534aeb59e18794cc2975f9ca55f8c1b1f217b3050ef995fc3d7fd1131edcc6ab31d759a2dd87a2537689f63b9c149dc56776ee8eac0e0427985e03fadafc3f034c671f66", 0xc4, 0x4, 0x0, 0x3, r2}]) setsockopt$inet_mreqn(r2, 0x0, 0x24, &(0x7f0000000080)={@multicast1, @local, r3}, 0xc) socket$nl_xfrm(0x10, 0x3, 0x6) 17:33:59 executing program 1: socketpair$unix(0x1, 0x3, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 689.270477][ T7823] *** Guest State *** [ 689.276506][ T7823] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 689.301449][ T7831] binder: 7828:7831 ioctl c018620b 0 returned -14 [ 689.303090][ T7823] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 689.322597][ T7831] binder: 7828:7831 unknown command -2119980683 [ 689.349281][ T7831] binder: 7828:7831 ioctl c0306201 20000140 returned -22 17:33:59 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 689.391476][ T7823] CR3 = 0x0000000000000000 [ 689.400409][ T7823] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 689.423985][ T7836] binder: 7828:7836 BC_INCREFS_DONE u0000000000000000 node 3352 cookie mismatch 7a5844e4c6b0b700 != 0000000000000000 [ 689.427901][ T7823] RFLAGS=0x00010002 DR7 = 0x0000000000000400 17:33:59 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 689.468320][ T7823] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 689.477127][ T7823] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.486316][ T7823] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.496521][ T7823] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 689.518148][ T7823] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.527914][ T7823] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.537272][ T7823] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.551295][ T7823] GDTR: limit=0x00000000, base=0x0000000000000000 [ 689.562728][ T7823] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.576705][ T7823] IDTR: limit=0x00000000, base=0x0000000000000000 [ 689.591751][ T7823] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 689.612886][ T7823] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 689.620067][ T7823] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 689.638243][ T7823] Interruptibility = 00000000 ActivityState = 00000000 [ 689.647951][ T7823] *** Host State *** [ 689.651878][ T7823] RIP = 0xffffffff811b40b0 RSP = 0xffff888052cd78e0 17:33:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:33:59 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 689.663550][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 689.667384][ T7823] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 689.681484][ T7823] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 689.698750][ T7823] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 689.724369][ T7808] binder: release 7785:7804 transaction 3342 out, still active [ 689.735562][ T7823] CR0=0000000080050033 CR3=00000000129b0000 CR4=00000000001426f0 17:33:59 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 689.772459][ T7823] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 689.781009][ T7808] binder: release 7790:7802 transaction 3345 out, still active [ 689.783966][ T7823] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 689.815526][ T7808] binder: unexpected work type, 4, not freed [ 689.823924][ T7823] *** Control State *** [ 689.834129][ T7852] binder_alloc: 7785: binder_alloc_buf, no vma [ 689.847447][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 689.855472][ T7823] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca 17:34:00 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:00 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 689.862898][ T7823] EntryControls=0000d1ff ExitControls=002fefff [ 689.870624][ T7852] binder: 7849:7852 transaction failed 29189/-3, size 0-8 line 3147 [ 689.888413][ T7808] binder: send failed reply for transaction 3342, target dead [ 689.902273][ T7857] binder: 7849:7857 BC_INCREFS_DONE u0000000000000000 no match [ 689.928602][ T7808] binder: send failed reply for transaction 3345, target dead [ 689.936211][ T7823] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 689.951106][ T7808] binder: send failed reply for transaction 3348, target dead [ 689.961764][ T7860] binder: 7859:7860 ioctl c018620b 0 returned -14 [ 689.966621][ T7823] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 689.978085][ T7823] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 689.978511][ T7808] binder: send failed reply for transaction 3351 to 7828:7831 [ 689.985428][ T7823] reason=80000021 qualification=0000000000000000 [ 689.985437][ T7823] IDTVectoring: info=00000000 errcode=00000000 [ 689.985444][ T7823] TSC Offset = 0xfffffe8cd8f26c39 [ 689.985454][ T7823] EPT pointer = 0x000000001a49201e [ 689.994321][ T7831] binder: 7828:7831 ioctl c018620b 0 returned -14 17:34:00 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 690.029171][ T7860] binder: 7859:7860 BC_INCREFS_DONE node 3360 has no pending increfs request 17:34:00 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x5000000) [ 690.067561][ T7836] binder: 7828:7836 BC_INCREFS_DONE u0000000000000000 node 3363 cookie mismatch 7a5844e4c6b0b700 != 0000000000000000 [ 690.095113][ T7808] binder: release 7859:7860 transaction 3359 out, still active [ 690.108958][ T7808] binder: unexpected work type, 4, not freed [ 690.115067][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 690.132164][ T7831] binder: 7828:7831 unknown command -2119980683 [ 690.160271][ T7831] binder: 7828:7831 ioctl c0306201 20000140 returned -22 17:34:00 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630f}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 690.182295][ T7808] binder: release 7828:7836 transaction 3362 out, still active 17:34:00 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x180, 0x0) getpeername$inet6(r1, &(0x7f0000000040)={0xa, 0x0, 0x0, @dev}, &(0x7f0000000080)=0x1c) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:00 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 690.225619][ T7875] binder: 7874:7875 ioctl c018620b 0 returned -14 [ 690.252721][ T7875] binder: 7874:7875 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 17:34:00 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x0) [ 690.329758][ T7877] *** Guest State *** [ 690.337716][ T7877] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 690.352313][ T7885] binder: 7884:7885 ioctl c018620b 0 returned -14 [ 690.373172][ T7877] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 690.399921][ T7877] CR3 = 0x0000000000000000 [ 690.420494][ T7877] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 690.440878][ T7877] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 690.448167][ T7877] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 690.456293][ T7877] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:00 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x0) [ 690.466296][ T7877] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 690.484726][ T7877] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 690.494597][ T7877] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 690.508657][ T7877] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 690.520933][ T7877] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 690.535045][ T7877] GDTR: limit=0x00000000, base=0x0000000000000000 [ 690.544351][ T7877] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 690.554791][ T7877] IDTR: limit=0x00000000, base=0x0000000000000000 [ 690.564362][ T7877] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 690.580804][ T7877] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 690.588544][ T7877] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 690.591330][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 690.598056][ T7877] Interruptibility = 00000000 ActivityState = 00000000 [ 690.611477][ T7877] *** Host State *** 17:34:00 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x0) 17:34:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 690.616389][ T7877] RIP = 0xffffffff811b40b0 RSP = 0xffff88805a7c78e0 [ 690.623656][ T7877] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 690.631484][ T7877] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 690.640459][ T7877] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 690.664217][ T7877] CR0=0000000080050033 CR3=000000001299a000 CR4=00000000001426e0 [ 690.695153][ T7877] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 17:34:00 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 17:34:00 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046304}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 690.721126][ T7877] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 690.737751][ T7808] binder: send failed reply for transaction 3356, target dead [ 690.747491][ T7808] binder: send failed reply for transaction 3359, target dead [ 690.763747][ T7877] *** Control State *** [ 690.775425][ T7877] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 690.783418][ T7901] binder: 7897:7901 transaction failed 29189/-22, size 0-8 line 2994 [ 690.796379][ T7808] binder: send failed reply for transaction 3365 to 7874:7879 [ 690.813892][ T7877] EntryControls=0000d1ff ExitControls=002fefff [ 690.822076][ T7904] binder: 7902:7904 ioctl c018620b 0 returned -14 [ 690.831221][ T7808] binder: send failed reply for transaction 3368 to 7884:7889 [ 690.840915][ T7877] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 690.851388][ T7877] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 690.860368][ T7904] binder: 7902:7904 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 690.869166][ T7877] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 690.869178][ T7877] reason=80000021 qualification=0000000000000000 [ 690.869186][ T7877] IDTVectoring: info=00000000 errcode=00000000 [ 690.869194][ T7877] TSC Offset = 0xfffffe8c46fccaba [ 690.869204][ T7877] EPT pointer = 0x000000001a50901e [ 690.916352][ T7906] binder: 7902:7906 transaction failed 29189/-22, size 24-8 line 2994 [ 690.930177][ T7906] binder: 7902:7906 BC_INCREFS_DONE u0000000000000000 no match 17:34:01 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6000000) 17:34:01 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 691.027718][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 691.115731][ T7913] *** Guest State *** [ 691.120741][ T7913] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 691.132040][ T7913] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 691.145193][ T7913] CR3 = 0x0000000000002000 [ 691.150943][ T7889] binder: 7884:7889 ioctl c018620b 0 returned -14 [ 691.165016][ T7913] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 691.182894][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:34:01 executing program 5: r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero\x00', 0x10000, 0x0) ioctl$SIOCX25SFACILITIES(r0, 0x89e3, &(0x7f0000000080)={0x30, 0x3, 0x8, 0x6, 0x3}) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="c5e678d1c8886b54120b4e58dc8fe1bedee4bd4fa818664a7b3d0e4b10750b87d7156fd288354b9b941cce00e4a433cc6860944a26452cab16362b39591cc608308aeede33205fe1b2df0e904be705f8c25e6475ee9e11af22653746519490717d14c0b0cb68173439ab13076fabd7741c746a339c7176c6387e4964b28a0fc196979494f5", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) [ 691.214577][ T7913] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 691.224270][ T7913] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 691.245057][ T7921] binder: BINDER_SET_CONTEXT_MGR already set [ 691.252882][ T7913] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 691.268407][ T7921] binder: 7916:7921 ioctl 40046207 0 returned -16 [ 691.278629][ T7913] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 691.293995][ T7913] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 691.303910][ T7913] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 691.313153][ T7913] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 691.322227][ T7913] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 691.331974][ T7924] binder: 7922:7924 unknown command -780605755 [ 691.332052][ T7913] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 691.347684][ T7913] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 691.347716][ T7924] binder: 7922:7924 ioctl c0306201 200002c0 returned -22 [ 691.356947][ T7913] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 691.373180][ T7913] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 691.382377][ T7913] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 691.393512][ T7913] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 691.402632][ T7913] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 691.410208][ T7913] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 691.418794][ T7913] Interruptibility = 00000000 ActivityState = 00000000 [ 691.426211][ T7913] *** Host State *** [ 691.430793][ T7913] RIP = 0xffffffff811b40b0 RSP = 0xffff8880891cf8e0 [ 691.437705][ T7913] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 691.445420][ T7913] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 691.454373][ T7913] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 691.461430][ T7913] CR0=0000000080050033 CR3=00000000970af000 CR4=00000000001426e0 [ 691.469876][ T7913] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 691.477608][ T7913] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 691.484674][ T7913] *** Control State *** [ 691.489069][ T7913] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 691.497324][ T7913] EntryControls=0000d1ff ExitControls=002fefff [ 691.503748][ T7913] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 691.511587][ T7913] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 17:34:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 691.519234][ T7913] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 691.528895][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 691.549167][ T7913] reason=80000021 qualification=0000000000000000 [ 691.556252][ T7913] IDTVectoring: info=00000000 errcode=00000000 [ 691.564608][ T7913] TSC Offset = 0xfffffe8bd74c64d9 [ 691.585697][ T7913] EPT pointer = 0x000000000d3df01e 17:34:01 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:01 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6200000) [ 691.650371][ T7928] binder: 7926:7928 got transaction with invalid offset (0, min 0 max 0) or object. [ 691.676640][ T7928] binder: 7926:7928 transaction failed 29201/-22, size 0-8 line 3241 [ 691.699573][ T7808] binder: send failed reply for transaction 3380 to 7922:7923 [ 691.716870][ T7923] binder: 7922:7923 transaction failed 29189/-22, size 24-8 line 2994 [ 691.716879][ T7924] binder: 7922:7924 unknown command -780605755 [ 691.716898][ T7924] binder: 7922:7924 ioctl c0306201 200002c0 returned -22 [ 691.727077][ T7932] binder: 7926:7932 BC_INCREFS_DONE u0000000000000000 no match 17:34:01 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) [ 691.750037][ T7808] binder: send failed reply for transaction 3383 to 7916:7921 [ 691.781428][ T7931] binder: 7930:7931 ioctl c018620b 0 returned -14 17:34:01 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 691.795390][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 691.812924][ T7931] binder: 7930:7931 transaction failed 29189/-22, size 24-8 line 2994 [ 691.867567][ T7931] binder: 7930:7931 BC_INCREFS_DONE u0000000000000000 no match 17:34:02 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r2 = syz_genetlink_get_family_id$team(&(0x7f0000000040)='team\x00') getsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000080)={0x0, @broadcast, @initdev}, &(0x7f0000000100)=0xc) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f0000000480)={{{@in6=@loopback, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@broadcast}}, &(0x7f00000001c0)=0xe8) recvmmsg(0xffffffffffffff9c, &(0x7f0000000d40)=[{{0x0, 0x0, &(0x7f00000006c0)=[{&(0x7f00000005c0)=""/126, 0x7e}, {&(0x7f0000000640)=""/76, 0x4c}, {&(0x7f0000000740)=""/72, 0x48}, {&(0x7f00000007c0)=""/136, 0x88}], 0x4}, 0x7fff}, {{&(0x7f0000000880)=@hci={0x1f, 0x0}, 0x80, &(0x7f0000000c40)=[{&(0x7f0000000900)=""/147, 0x93}, {&(0x7f00000009c0)=""/215, 0xd7}, {&(0x7f0000000ac0)=""/89, 0x59}, {&(0x7f0000000b40)=""/219, 0xdb}], 0x4, &(0x7f0000000c80)=""/155, 0x9b}, 0xc13}], 0x2, 0x2, &(0x7f0000000dc0)={0x0, 0x989680}) accept$packet(r0, &(0x7f0000000e00)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000e40)=0x14) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000ec0)={'team0\x00', 0x0}) accept4$packet(0xffffffffffffffff, &(0x7f0000003680)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f00000036c0)=0x14, 0x80800) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000003700)={{{@in6=@local, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in=@dev}}, &(0x7f0000003800)=0xe8) recvmsg(0xffffffffffffff9c, &(0x7f0000003a00)={&(0x7f0000003840)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, 0x80, &(0x7f00000038c0), 0x0, &(0x7f0000003900)=""/204, 0xcc}, 0x0) getsockopt$inet_mreqn(0xffffffffffffff9c, 0x0, 0x23, &(0x7f0000003a40)={@initdev, @multicast2, 0x0}, &(0x7f0000003a80)=0xc) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000003ac0)={{{@in=@empty, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in6=@ipv4={[], [], @remote}}}, &(0x7f0000003bc0)=0xe8) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f0000003c00)={{{@in6=@loopback, @in6=@ipv4={[], [], @empty}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in6=@mcast1}}, &(0x7f0000003d00)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000003d40)={{{@in6=@mcast2, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in6=@dev}}, &(0x7f0000003e40)=0xe8) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000003f00)={'bridge_slave_0\x00', 0x0}) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000003f40)={'hwsim0\x00', 0x0}) getsockopt$inet_mreqn(0xffffffffffffff9c, 0x0, 0x23, &(0x7f0000004040)={@loopback, @loopback, 0x0}, &(0x7f0000004080)=0xc) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f00000040c0)={{{@in6=@initdev, @in6=@ipv4={[], [], @initdev}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@local}}, &(0x7f00000041c0)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004240)={{{@in=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@ipv4={[], [], @multicast1}}}, &(0x7f0000004340)=0xe8) getpeername$packet(0xffffffffffffffff, &(0x7f0000004480)={0x11, 0x0, 0x0}, &(0x7f00000044c0)=0x14) accept$packet(0xffffffffffffff9c, &(0x7f0000004500)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000004540)=0x14) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000004580)={'nlmon0\x00', 0x0}) accept4$packet(0xffffffffffffff9c, &(0x7f00000045c0)={0x11, 0x0, 0x0}, &(0x7f0000004600)=0x14, 0x80800) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000004700)={{{@in6=@empty, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@dev}}, &(0x7f0000004800)=0xe8) recvmmsg(0xffffffffffffffff, &(0x7f0000007a80)=[{{&(0x7f0000004840)=@ethernet={0x0, @dev}, 0x80, &(0x7f0000005940)=[{&(0x7f00000048c0)=""/4096, 0x1000}, {&(0x7f00000058c0)=""/89, 0x59}], 0x2, &(0x7f0000005980)=""/217, 0xd9}, 0x8001}, {{&(0x7f0000005a80)=@rxrpc=@in6={0x21, 0x0, 0x2, 0x1c, {0xa, 0x0, 0x0, @mcast2}}, 0x80, &(0x7f0000005f00)=[{&(0x7f0000005b00)=""/84, 0x54}, {&(0x7f0000005b80)=""/2, 0x2}, {&(0x7f0000005bc0)=""/216, 0xd8}, {&(0x7f0000005cc0)=""/219, 0xdb}, {&(0x7f0000005dc0)=""/13, 0xd}, {&(0x7f0000005e00)=""/198, 0xc6}], 0x6}, 0x9}, {{&(0x7f0000005f80)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, 0x80, &(0x7f0000006140)=[{&(0x7f0000006000)=""/192, 0xc0}, {&(0x7f00000060c0)=""/122, 0x7a}], 0x2, &(0x7f0000006180)=""/180, 0xb4}, 0x8}, {{&(0x7f0000006240)=@xdp={0x2c, 0x0, 0x0}, 0x80, &(0x7f00000074c0)=[{&(0x7f00000062c0)=""/84, 0x54}, {&(0x7f0000006340)=""/53, 0x35}, {&(0x7f0000006380)}, {&(0x7f00000063c0)=""/232, 0xe8}, {&(0x7f00000064c0)=""/4096, 0x1000}], 0x5, &(0x7f0000007540)=""/215, 0xd7}, 0x7ff}, {{&(0x7f0000007640)=@ethernet={0x0, @local}, 0x80, &(0x7f0000007980)=[{&(0x7f00000076c0)=""/148, 0x94}, {&(0x7f0000007780)=""/141, 0x8d}, {&(0x7f0000007840)=""/135, 0x87}, {&(0x7f0000007900)=""/93, 0x5d}], 0x4, &(0x7f00000079c0)=""/178, 0xb2}, 0x1000}], 0x5, 0x2, &(0x7f0000007bc0)={0x77359400}) getsockopt$inet6_mreq(0xffffffffffffffff, 0x29, 0x1c, &(0x7f0000007c00)={@mcast2, 0x0}, &(0x7f0000007c40)=0x14) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000007c80)={{{@in=@dev, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in=@local}}, &(0x7f0000007d80)=0xe8) getpeername$packet(0xffffffffffffff9c, &(0x7f0000007dc0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000007e00)=0x14) getpeername(0xffffffffffffffff, &(0x7f0000007e40)=@hci={0x1f, 0x0}, &(0x7f0000007ec0)=0x80) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x23, &(0x7f0000007f00)={@multicast1, @dev, 0x0}, &(0x7f0000007f40)=0xc) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x23, &(0x7f0000007f80)={@broadcast, @loopback, 0x0}, &(0x7f0000007fc0)=0xc) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000008000)={{{@in=@initdev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in=@initdev}}, &(0x7f0000008100)=0xe8) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000008140)={{{@in=@broadcast, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@initdev}, 0x0, @in=@broadcast}}, &(0x7f0000008240)=0xe8) getsockname$packet(0xffffffffffffff9c, &(0x7f0000008780)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000087c0)=0x14) getsockopt$inet_pktinfo(0xffffffffffffff9c, 0x0, 0x8, &(0x7f0000008800)={0x0, @remote, @broadcast}, &(0x7f0000008840)=0xc) accept$packet(0xffffffffffffff9c, &(0x7f0000008880)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000088c0)=0x14) ioctl$sock_SIOCGIFINDEX(0xffffffffffffff9c, 0x8933, &(0x7f0000008d00)={'ip6erspan0\x00', 0x0}) sendmsg$TEAM_CMD_OPTIONS_GET(r0, &(0x7f00000098c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000009880)={&(0x7f0000008d40)={0xb3c, r2, 0x400, 0x70bd27, 0x25dfdbff, {}, [{{0x8, 0x1, r3}, {0x130, 0x2, [{0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r4}}, {0x8}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x7}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0xfffffffffffffff7}}, {0x8, 0x6, r5}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0xfff}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r6}}}]}}, {{0x8, 0x1, r7}, {0x74, 0x2, [{0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x5}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r8}}}]}}, {{0x8, 0x1, r9}, {0x260, 0x2, [{0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r10}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0xff}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x4}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r11}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x3}}, {0x8, 0x6, r12}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x3}}, {0x8, 0x6, r13}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0xa00000000000000}}, {0x8, 0x6, r14}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x8}}, {0x8, 0x6, r15}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x7}}, {0x8, 0x6, r16}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0x4}}}]}}, {{0x8, 0x1, r17}, {0x11c, 0x2, [{0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0x1ff}}}, {0x6c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x3c, 0x4, [{0xa8b, 0xfff, 0xfffffffffffffffe, 0x7}, {0x3ff, 0xd6, 0x21f6, 0x8000}, {0x3, 0x9, 0x10001, 0xfffffffffffff001}, {0x4, 0x3f, 0x6, 0x200}, {0x40, 0x40, 0x5, 0x7ff}, {0x7ff, 0x2, 0x5000000000000, 0x9}, {0x8001, 0x1, 0x3, 0x800}]}}}, {0x3c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0xc, 0x4, [{0xb29d, 0x9, 0x9, 0xede3}]}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0xfffffffffffffffb}}}]}}, {{0x8, 0x1, r18}, {0x1ac, 0x2, [{0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'broadcast\x00'}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r19}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r20}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x8000}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r21}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x3}}, {0x8, 0x6, r22}}}, {0x44, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x14, 0x4, [{0xffffffff80000001, 0x1, 0x100, 0x100000000}, {0x2, 0x8, 0x8, 0x1}]}}}]}}, {{0x8, 0x1, r23}, {0x174, 0x2, [{0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r24}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x8001}}, {0x8, 0x6, r25}}}, {0x3c, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0xc, 0x4, 'random\x00'}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x1ff}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x1}}, {0x8, 0x6, r26}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x1}}, {0x8}}}]}}, {{0x8, 0x1, r27}, {0x40, 0x2, [{0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r28}}}]}}, {{0x8, 0x1, r29}, {0x16c, 0x2, [{0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r30}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r31}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x4}}, {0x8, 0x6, r32}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x101}}, {0x8, 0x6, r33}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r34}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x1}}}]}}, {{0x8, 0x1, r35}, {0xf4, 0x2, [{0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0x2}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r36}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r37}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x7fff}}, {0x8}}}]}}]}, 0xb3c}, 0x1, 0x0, 0x0, 0x8081}, 0x0) 17:34:02 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 691.993332][ T7943] *** Guest State *** [ 692.010824][ T7943] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 692.023221][ T7943] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 692.038710][ T7947] binder: 7946:7947 ioctl c018620b 0 returned -14 [ 692.048665][ T7943] CR3 = 0x0000000000002000 [ 692.067044][ T7943] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 692.069092][ T7951] binder: 7949:7951 ioctl c018620b 0 returned -14 [ 692.097523][ T7943] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 692.112232][ T7943] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 692.121776][ T7943] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 692.133386][ T7943] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 692.143214][ T7943] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 692.154220][ T7943] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 692.170427][ T7953] binder: 7949:7953 BC_INCREFS_DONE node 3400 has no pending increfs request [ 692.179939][ T7943] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 692.191040][ T7943] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 692.200895][ T7943] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 692.209914][ T7943] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 692.219224][ T7943] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 692.229447][ T7943] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 692.238528][ T7943] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 692.248037][ T7943] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.257001][ T7943] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 692.264458][ T7943] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 692.272855][ T7943] Interruptibility = 00000000 ActivityState = 00000000 [ 692.280127][ T7943] *** Host State *** [ 692.284180][ T7943] RIP = 0xffffffff811b40b0 RSP = 0xffff88804e9bf8e0 [ 692.291095][ T7943] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 692.298391][ T7943] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 692.307105][ T7943] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 692.314018][ T7943] CR0=0000000080050033 CR3=000000009f2fb000 CR4=00000000001426f0 [ 692.322274][ T7943] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 692.329933][ T7943] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 692.336869][ T7943] *** Control State *** [ 692.341236][ T7943] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 692.348795][ T7943] EntryControls=0000d1ff ExitControls=002fefff [ 692.355040][ T7943] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 692.364040][ T7943] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 692.371725][ T7943] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 692.379302][ T7943] reason=80000021 qualification=0000000000000000 [ 692.386523][ T7943] IDTVectoring: info=00000000 errcode=00000000 [ 692.392956][ T7943] TSC Offset = 0xfffffe8b62f0805e 17:34:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 692.398949][ T7943] EPT pointer = 0x00000000980cc01e [ 692.416466][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 17:34:02 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x7000000) [ 692.577336][ T7962] binder: 7956:7962 got transaction with invalid offset (0, min 0 max 0) or object. [ 692.588153][ T7962] binder: 7956:7962 transaction failed 29201/-22, size 0-8 line 3241 [ 692.618305][ T7960] *** Guest State *** [ 692.622747][ T7960] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 692.633287][ T7960] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 692.643460][ T7960] CR3 = 0x0000000000000000 [ 692.648267][ T7960] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 692.655236][ T7960] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 692.668587][ T7808] binder_thread_release: 3 callbacks suppressed [ 692.668600][ T7808] binder: release 7940:7950 transaction 3393 out, still active [ 692.674967][ T7808] binder: release 7938:7945 transaction 3390 out, still active [ 692.698704][ T7960] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 692.711593][ T7808] binder_send_failed_reply: 3 callbacks suppressed 17:34:02 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 17:34:02 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 692.711602][ T7808] binder: send failed reply for transaction 3390, target dead [ 692.737197][ T7960] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.763599][ T7960] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.773053][ T7808] binder: send failed reply for transaction 3393, target dead [ 692.793896][ T7808] binder: send failed reply for transaction 3396 to 7946:7952 [ 692.818012][ T7960] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 692.829904][ T7960] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.838192][ T7808] binder: send failed reply for transaction 3399 to 7949:7951 [ 692.841292][ T7970] binder: 7969:7970 ioctl c018620b 0 returned -14 [ 692.853138][ T7960] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.863333][ T7971] binder: 7946:7971 ioctl c018620b 0 returned -14 17:34:03 executing program 1 (fault-call:2 fault-nth:0): socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 692.873882][ T7960] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.884046][ T7971] binder: 7946:7971 transaction failed 29189/-22, size 24-8 line 2994 [ 692.889683][ T7960] GDTR: limit=0x00000000, base=0x0000000000000000 [ 692.910788][ T7960] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 692.920817][ T7952] binder: 7946:7952 BC_INCREFS_DONE u0000000000000000 no match [ 692.952239][ T7960] IDTR: limit=0x00000000, base=0x0000000000000000 [ 692.969177][ T7977] binder: 7969:7977 BC_INCREFS_DONE node 3409 has no pending increfs request [ 692.982720][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:03 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 693.011594][ T7960] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 693.049617][ T7960] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 693.061810][ T7960] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 693.082198][ T7960] Interruptibility = 00000000 ActivityState = 00000000 [ 693.087469][ T7983] binder: 7982:7983 ioctl c018620b 0 returned -14 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2, 0x4) [ 693.110636][ T7960] *** Host State *** [ 693.115533][ T7960] RIP = 0xffffffff811b40b0 RSP = 0xffff88802693f8e0 [ 693.123237][ T7960] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 693.141163][ T7960] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 693.150154][ T7986] binder: 7982:7986 BC_INCREFS_DONE u0000000000000000 no match [ 693.172704][ T7960] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 693.188702][ T7960] CR0=0000000080050033 CR3=0000000084128000 CR4=00000000001426e0 [ 693.197959][ T7960] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 693.215183][ T7960] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x200000, 0x4) [ 693.222167][ T7960] *** Control State *** [ 693.232369][ T7960] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 693.242405][ T7960] EntryControls=0000d1ff ExitControls=002fefff [ 693.256323][ T7960] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 693.270476][ T7960] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 693.291559][ T7960] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 693.299334][ T7960] reason=80000021 qualification=0000000000000000 [ 693.313744][ T7960] IDTVectoring: info=00000000 errcode=00000000 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x2) 17:34:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 693.320703][ T7960] TSC Offset = 0xfffffe8b09abd8e5 [ 693.327131][ T7960] EPT pointer = 0x000000001a4d801e [ 693.343486][ T7808] binder: undelivered TRANSACTION_ERROR: 29201 17:34:03 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x8000000) 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x3) [ 693.506810][ T8003] binder: 7996:8003 got transaction with invalid offset (0, min 0 max 24) or object. [ 693.534188][ T8003] binder: 7996:8003 BC_INCREFS_DONE u0000000000000000 no match [ 693.576437][ T8005] *** Guest State *** [ 693.580865][ T8005] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 693.596281][ T2986] binder: release 7967:7972 transaction 3405 out, still active [ 693.616224][ T2986] binder: release 7969:7970 transaction 3408 out, still active 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x8) [ 693.623850][ T2986] binder: unexpected work type, 4, not freed 17:34:03 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:03 executing program 3: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 693.647796][ T8005] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 693.684047][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 693.715555][ T2986] binder: send failed reply for transaction 3405, target dead [ 693.725894][ T8005] CR3 = 0x0000000000000000 [ 693.736827][ T2986] binder: send failed reply for transaction 3408, target dead [ 693.744994][ T8005] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 693.775875][ T8019] binder: 8015:8019 ioctl c018620b 0 returned -14 [ 693.786092][ T8005] RFLAGS=0x00010002 DR7 = 0x0000000000000400 17:34:03 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x9) [ 693.822877][ T8019] binder: 8015:8019 BC_INCREFS_DONE u0000000000000000 no match [ 693.831690][ T8005] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 693.841681][ T8005] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 693.878538][ T8005] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 693.884044][ T7986] binder: 7982:7986 ioctl c018620b 0 returned -14 [ 693.887276][ T8005] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 693.887294][ T8005] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 693.887312][ T8005] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:04 executing program 3 (fault-call:5 fault-nth:0): perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 693.887330][ T8005] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 693.887349][ T8005] GDTR: limit=0x00000000, base=0x0000000000000000 [ 693.912519][ T8023] binder: 7982:8023 BC_INCREFS_DONE u0000000000000000 no match 17:34:04 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x13) 17:34:04 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000001c0)=[@enter_looper], 0xfffffffffffffd0e, 0x0, &(0x7f0000000700)='+'}) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x101000, 0x0) ioctl$FIGETBSZ(r0, 0x2, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x101, 0x0) setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f0000000080)=0x3, 0x4) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 694.003850][ T8005] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 694.007494][ T8029] binder: 8028:8029 ioctl c018620b 0 returned -14 [ 694.022520][ T8005] IDTR: limit=0x00000000, base=0x0000000000000000 [ 694.036537][ T8005] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 694.073390][ T8005] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 694.111470][ T8005] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:34:04 executing program 1: r0 = syz_open_dev$vcsn(&(0x7f0000000080)='/dev/vcs#\x00', 0x13, 0x40) ioctl$sock_inet_SIOCSIFPFLAGS(r0, 0x8934, &(0x7f00000000c0)={'veth0_to_team\x00'}) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000000100)={0x4, [0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000140)=0x14) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000180)={r2, 0x4}, &(0x7f00000001c0)=0x8) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:04 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$radio(&(0x7f0000000080)='/dev/radio#\x00', 0x3, 0x2) ioctl$VIDIOC_SUBDEV_S_EDID(r0, 0xc0285629, &(0x7f00000001c0)={0x0, 0xffffffffffff8001, 0x2e, [], &(0x7f0000000100)=0x6}) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000040)=ANY=[@ANYBLOB="85a978bbf2f45959b2be06e5cd20305497beee4f2b9bc9c7c1ad2a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, 0x0}) syz_open_dev$cec(&(0x7f0000000280)='/dev/cec#\x00', 0x3, 0x2) openat$cgroup_ro(r0, &(0x7f0000000200)='cpuset.memory_pressure\x00', 0x0, 0x0) [ 694.135669][ T8005] Interruptibility = 00000000 ActivityState = 00000000 [ 694.147951][ T8005] *** Host State *** [ 694.157500][ T8005] RIP = 0xffffffff811b40b0 RSP = 0xffff8880516df8e0 [ 694.168546][ T8005] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 694.207123][ T8005] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 17:34:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 694.253175][ T8044] binder: 8042:8044 ioctl c018620b 0 returned -14 [ 694.254363][ T8005] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 694.287215][ T8005] CR0=0000000080050033 CR3=000000001a413000 CR4=00000000001426f0 [ 694.326549][ T8005] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 694.334277][ T8047] binder: 8042:8047 got transaction with invalid offset (0, min 0 max 24) or object. [ 694.362420][ T8005] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 694.369247][ T8005] *** Control State *** [ 694.378868][ T8047] binder_transaction: 2 callbacks suppressed [ 694.378887][ T8047] binder: 8042:8047 transaction failed 29201/-22, size 24-8 line 3241 [ 694.394576][ T8005] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 694.402003][ T8005] EntryControls=0000d1ff ExitControls=002fefff [ 694.409415][ T8005] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 694.417399][ T8005] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 694.425144][ T8051] binder: 8048:8051 got transaction with invalid offset (0, min 0 max 24) or object. [ 694.434801][ T8005] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 694.442102][ T8005] reason=80000021 qualification=0000000000000000 [ 694.449322][ T8051] binder: 8048:8051 transaction failed 29201/-22, size 24-8 line 3241 [ 694.457663][ T8005] IDTVectoring: info=00000000 errcode=00000000 [ 694.464115][ T8005] TSC Offset = 0xfffffe8a877d4ef9 [ 694.469380][ T8005] EPT pointer = 0x000000000d3f801e [ 694.474725][ T8052] binder: 8048:8052 BC_INCREFS_DONE u0000000000000000 no match 17:34:04 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x10000000) 17:34:04 executing program 1: socketpair$unix(0x1, 0x8000000000003, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x80, 0x0) ioctl$PPPIOCSCOMPRESS(r1, 0x4010744d) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400203) write$nbd(r1, &(0x7f00000000c0)={0x67446698, 0x0, 0x3, 0x3, 0x3, "c45f3bee8cd3ef68f49587feb020d8dfc88cc88dd68652f1fa385ce6c464562b6e8052dddc243684de4de634b05749cb9a47d7cec8b5c14fb98e1fb44ff8b9232136800eb111a02de29c7e70d72ee9fca26b60fd6278bf368e915e9e"}, 0x6c) ioctl$KVM_DEASSIGN_DEV_IRQ(r1, 0x4040ae75, &(0x7f0000000040)={0xf618, 0x6, 0x1, 0x302}) mbind(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x1, &(0x7f0000000240)=0x8, 0x0, 0x2) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) ioctl$SG_GET_SG_TABLESIZE(r1, 0x227f, &(0x7f0000000200)) getsockopt$IP_VS_SO_GET_DESTS(r1, 0x0, 0x484, &(0x7f0000000140)=""/69, &(0x7f00000001c0)=0x45) [ 694.574561][ T7808] binder: release 8017:8022 transaction 3414 out, still active 17:34:04 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:04 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) pipe2(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}, 0x84000) ioctl$KDSIGACCEPT(r2, 0x4b4e, 0x3) socketpair(0x4, 0x802, 0x200, &(0x7f0000000040)={0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000080)={0x0, 0x3, 0x7, 0x6}, &(0x7f00000000c0)=0x10) ioctl$SG_NEXT_CMD_LEN(r1, 0x2283, &(0x7f0000000180)=0x8a) r4 = fcntl$dupfd(r0, 0x406, r3) ioctl$SCSI_IOCTL_DOORUNLOCK(r4, 0x5381) ioctl$KVM_DIRTY_TLB(r1, 0x4010aeaa, &(0x7f0000000100)={0x6d, 0x8}) [ 694.621693][ T7808] binder: send failed reply for transaction 3414, target dead [ 694.632912][ T7808] binder: send failed reply for transaction 3417 to 8028:8033 [ 694.656725][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:34:04 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 694.715601][ T8061] *** Guest State *** [ 694.719682][ T8061] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 694.800905][ T8061] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 694.834614][ T8069] binder: 8068:8069 ioctl c018620b 0 returned -14 [ 694.856895][ T8061] CR3 = 0x0000000000002000 [ 694.867936][ T8061] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 694.875284][ T8061] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 694.884376][ T8061] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 694.891525][ T8061] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 694.899426][ T8061] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 17:34:05 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x7) [ 694.907843][ T8061] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 694.937229][ T8061] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 694.958586][ T8061] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 694.978983][ T8061] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 694.999507][ T8061] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:05 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = syz_open_dev$amidi(&(0x7f0000000280)='/dev/amidi#\x00', 0x6, 0x440441) clock_gettime(0x200000000000000, &(0x7f0000000100)={0x0, 0x0}) ioctl$SNDRV_CTL_IOCTL_ELEM_WRITE(r1, 0xc4c85513, &(0x7f00000003c0)={{0x6, 0x2, 0x100000000, 0x4344, 'syz0\x00', 0x100000001}, 0x0, [0x81, 0x7, 0xfffffffffffffffa, 0x7, 0x100000000, 0x9, 0x40, 0x8, 0x7fffffff, 0x1, 0x2, 0x84, 0x1, 0x20, 0x1, 0x20000000000, 0xffffffffc69f5ce6, 0x3, 0x7, 0xff, 0xfffffffffffeffff, 0x0, 0x80000001, 0x800, 0x101, 0x100000000, 0x101, 0xb0, 0x0, 0xffffffff, 0x1, 0x10000, 0x1c1e, 0x2, 0x401, 0x6, 0xfffffffffffffffc, 0xffff, 0x81, 0x9, 0x1, 0x3b7bba29, 0xffffffffffff0000, 0x4, 0xffff, 0x400, 0x7ff, 0x3, 0x80000001, 0x1, 0x9, 0x1, 0x80000001, 0x1000, 0x101, 0x401, 0xffffffff, 0x0, 0xffff, 0x2, 0x7, 0xa79, 0xfffffffffffffff8, 0x5, 0x401, 0xfffffffffffffffb, 0x8001, 0x1ff, 0x4, 0x3, 0x9, 0x6, 0x22e, 0xa46, 0x6, 0x0, 0x5f4f6ac4, 0x7fff, 0x4, 0x80000000, 0x4, 0x7, 0x7, 0x3, 0x57e89a8b, 0x66e, 0x4, 0x7, 0x1, 0x71, 0xffffffffffffffff, 0x0, 0x9, 0x9, 0xfffffffffffffffc, 0x5, 0xfffffffffffffff7, 0x0, 0x1, 0xfffffffffffffe01, 0x800, 0x1, 0x3, 0x7, 0x800, 0x100, 0x6, 0x5, 0xff, 0x92e3, 0xfff, 0x9, 0x5, 0x1, 0x100, 0x5, 0x438c5064, 0x3ff, 0xf1, 0x38, 0x7ff, 0x4da0327f, 0x2, 0x8, 0x7fff, 0x0, 0xa29, 0x4], {r2, r3+10000000}}) ioctl$sock_bt_hidp_HIDPGETCONNLIST(r1, 0x800448d2, &(0x7f0000000380)={0x1, &(0x7f00000002c0)=[{}]}) [ 695.014222][ T8061] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 695.023797][ T8061] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 695.033342][ T8061] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 695.053617][ T8047] binder: 8042:8047 ioctl c018620b 0 returned -14 [ 695.064020][ T8050] binder: 8042:8050 got transaction with invalid offset (0, min 0 max 24) or object. [ 695.079290][ T8061] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 695.101663][ T8050] binder: 8042:8050 transaction failed 29201/-22, size 24-8 line 3241 17:34:05 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = dup2(r0, r1) r3 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x40800, 0x0) r4 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0x5, 0x80041) r5 = syz_genetlink_get_family_id$team(&(0x7f0000000400)='team\x00') getsockopt$inet_mreqn(r3, 0x0, 0x23, &(0x7f0000000440)={@multicast2, @rand_addr, 0x0}, &(0x7f0000000480)=0xc) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000500)={{{@in6=@mcast2, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@remote}}, &(0x7f0000000600)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r3, 0x8933, &(0x7f0000000640)={'team0\x00', 0x0}) getsockname(r0, &(0x7f0000000680)=@xdp={0x2c, 0x0, 0x0}, &(0x7f0000000700)=0x80) recvmmsg(r2, &(0x7f0000004100)=[{{&(0x7f0000000780)=@sco, 0x80, &(0x7f0000000a00)=[{&(0x7f0000000800)=""/135, 0x87}, {&(0x7f00000008c0)=""/22, 0x16}, {&(0x7f0000000900)=""/215, 0xd7}], 0x3}, 0x100000000}, {{&(0x7f0000000a40)=@ipx, 0x80, &(0x7f0000001e80)=[{&(0x7f0000000ac0)=""/174, 0xae}, {&(0x7f0000000b80)=""/236, 0xec}, {&(0x7f0000000c80)=""/51, 0x33}, {&(0x7f0000000cc0)=""/3, 0x3}, {&(0x7f0000000d00)=""/211, 0xd3}, {&(0x7f0000000e00)=""/4096, 0x1000}, {&(0x7f0000001e00)=""/17, 0x11}, {&(0x7f0000001e40)=""/60, 0x3c}], 0x8, &(0x7f0000001f00)=""/50, 0x32}, 0x4}, {{&(0x7f0000001f40)=@alg, 0x80, &(0x7f0000002540)=[{&(0x7f0000001fc0)=""/110, 0x6e}, {&(0x7f0000002040)=""/41, 0x29}, {&(0x7f0000002080)=""/234, 0xea}, {&(0x7f0000002180)=""/18, 0x12}, {&(0x7f00000021c0)=""/218, 0xda}, {&(0x7f00000022c0)=""/86, 0x56}, {&(0x7f0000002340)=""/242, 0xf2}, {&(0x7f0000002440)=""/166, 0xa6}, {&(0x7f0000002500)=""/49, 0x31}], 0x9, &(0x7f0000002600)=""/104, 0x68}, 0x8}, {{&(0x7f0000002680)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0x80, &(0x7f0000002900)=[{&(0x7f0000002700)=""/124, 0x7c}, {&(0x7f0000002780)=""/100, 0x64}, {&(0x7f0000002800)=""/3, 0x3}, {&(0x7f0000002840)=""/67, 0x43}, {&(0x7f00000028c0)=""/45, 0x2d}], 0x5, &(0x7f0000002980)=""/81, 0x51}, 0x7}, {{&(0x7f0000002a00)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @random}, 0x80, &(0x7f0000002c40)=[{&(0x7f0000002a80)=""/97, 0x61}, {&(0x7f0000002b00)=""/155, 0x9b}, {&(0x7f0000002bc0)=""/101, 0x65}], 0x3, &(0x7f0000002c80)=""/253, 0xfd}}, {{&(0x7f0000002d80)=@sco, 0x80, &(0x7f0000003fc0)=[{&(0x7f0000002e00)=""/4096, 0x1000}, {&(0x7f0000003e00)=""/233, 0xe9}, {&(0x7f0000003f00)=""/88, 0x58}, {&(0x7f0000003f80)}], 0x4, &(0x7f0000004000)=""/242, 0xf2}, 0x5d}], 0x6, 0x20, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000004280)={{{@in=@initdev, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast2}, 0x0, @in=@multicast1}}, &(0x7f0000004380)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000004480)={'team0\x00', 0x0}) getpeername$packet(r3, &(0x7f0000004500)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000004540)=0x14) getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000004640)={{{@in, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{}, 0x0, @in6=@loopback}}, &(0x7f0000004740)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000004780)={'team0\x00', 0x0}) getsockopt$inet6_mreq(r4, 0x29, 0x1b, &(0x7f00000047c0)={@rand_addr, 0x0}, &(0x7f0000004800)=0x14) accept$packet(r4, &(0x7f0000004840)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000004880)=0x14) accept$packet(r2, &(0x7f00000048c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000004900)=0x14) getsockopt$inet_mreqn(r1, 0x0, 0x24, &(0x7f0000004940)={@loopback, @rand_addr, 0x0}, &(0x7f0000004980)=0xc) getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f00000049c0)={{{@in=@multicast2, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6}}, &(0x7f0000004ac0)=0xe8) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000004b00)={'nlmon0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000004c00)={'team0\x00', 0x0}) getsockopt$inet_mreqn(r4, 0x0, 0x23, &(0x7f0000004c40)={@local, @multicast1, 0x0}, &(0x7f0000004c80)=0xc) getsockopt$inet6_mreq(r2, 0x29, 0x1c, &(0x7f0000004cc0)={@dev, 0x0}, &(0x7f0000004d00)=0x14) getsockopt$inet6_IPV6_XFRM_POLICY(r4, 0x29, 0x23, &(0x7f0000004d40)={{{@in6=@loopback, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@loopback}, 0x0, @in6=@ipv4={[], [], @empty}}}, &(0x7f0000004e40)=0xe8) accept4$packet(r3, &(0x7f0000004ec0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000004f00)=0x14, 0x800) accept$packet(r3, &(0x7f0000004f40)={0x11, 0x0, 0x0}, &(0x7f0000004f80)=0x14) getsockopt$inet6_mreq(r4, 0x29, 0x14, &(0x7f0000005140)={@mcast1, 0x0}, &(0x7f0000005180)=0x14) accept4$packet(r3, &(0x7f00000051c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000005200)=0x14, 0x800) getsockopt$inet_IP_IPSEC_POLICY(r4, 0x0, 0x10, &(0x7f0000005240)={{{@in, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in=@remote}}, &(0x7f0000005340)=0xe8) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000005440)={'vlan0\x00', 0x0}) getsockopt$inet6_IPV6_IPSEC_POLICY(r4, 0x29, 0x22, &(0x7f00000057c0)={{{@in6=@empty, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @multicast2}}, 0x0, @in=@empty}}, &(0x7f00000058c0)=0xe8) getpeername$packet(r4, &(0x7f0000005900)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000005940)=0x14) getsockopt$inet6_mreq(r4, 0x29, 0x15, &(0x7f0000005980)={@local, 0x0}, &(0x7f00000059c0)=0x14) getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f0000005a40)={{{@in6=@empty, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4}, 0x0, @in6=@mcast2}}, &(0x7f0000005b40)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r3, 0x8933, &(0x7f0000005b80)={'team0\x00', 0x0}) getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000005f40)={{{@in=@local, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in6=@local}}, &(0x7f0000006040)=0xe8) ioctl$sock_ifreq(r3, 0x89a2, &(0x7f0000006140)={'ip6gre0\x00', @ifru_addrs=@xdp={0x2c, 0x3, 0x0, 0x19}}) sendmsg$TEAM_CMD_OPTIONS_SET(r2, &(0x7f0000006c40)={&(0x7f00000003c0)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000006c00)={&(0x7f0000006180)={0xa58, r5, 0x128, 0x70bd27, 0x25dfdbfe, {}, [{{0x8, 0x1, r6}, {0x44, 0x2, [{0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x3bd}}, {0x8, 0x6, r7}}}]}}, {{0x8, 0x1, r8}, {0x1e0, 0x2, [{0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0xfffffffffffffffb}}, {0x8, 0x6, r9}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x401}}, {0x8, 0x6, r10}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x400}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r11}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r12}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0x5}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x589}}, {0x8, 0x6, r13}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x9}}}]}}, {{0x8, 0x1, r14}, {0x134, 0x2, [{0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'roundrobin\x00'}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x80}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x10}}, {0x8, 0x6, r15}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x6}}, {0x8, 0x6, r16}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x1}}}]}}, {{0x8, 0x1, r17}, {0x1b8, 0x2, [{0x4c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8}, {0x1c, 0x4, 'hash_to_port_mapping\x00'}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x6}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r18}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x3ff}}, {0x8, 0x6, r19}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r20}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r21}}}, {0x3c, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0xc, 0x4, 'random\x00'}}}]}}, {{0x8, 0x1, r22}, {0x3c, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x9}}}]}}, {{0x8, 0x1, r23}, {0xbc, 0x2, [{0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r24}}}, {0x3c, 0x1, @enabled={{{0x24, 0x1, 'enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r25}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x1fd7c000000}}, {0x8, 0x6, r26}}}]}}, {{0x8, 0x1, r27}, {0x108, 0x2, [{0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r28}}}, {0x4c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8}, {0x1c, 0x4, 'hash_to_port_mapping\x00'}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x7}}, {0x8, 0x6, r29}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r30}}}]}}, {{0x8, 0x1, r31}, {0x1b8, 0x2, [{0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'broadcast\x00'}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x80}}, {0x8}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x5d}}, {0x8}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x6582546f}}, {0x8, 0x6, r32}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r33}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x100}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x7c90}}, {0x8, 0x6, r34}}}]}}, {{0x8, 0x1, r35}, {0xb8, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x10001}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r36}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x5}}, {0x8, 0x6, r37}}}]}}, {{0x8, 0x1, r38}, {0x74, 0x2, [{0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0xc3}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x2}}}]}}]}, 0xa58}, 0x1, 0x0, 0x0, 0x4000000}, 0x20000881) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) madvise(&(0x7f0000002000/0x4000)=nil, 0x4000, 0xf) r39 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_SET(r4, &(0x7f0000000380)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000340)={&(0x7f0000000140)={0x1e8, r39, 0x800, 0x70bd2d, 0x25dfdbfe, {}, [@TIPC_NLA_MON={0x34, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x401}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x8001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x5}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x80}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x81}]}, @TIPC_NLA_SOCK={0xc, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0x9}]}, @TIPC_NLA_MEDIA={0x90, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x100000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1d}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1d}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0xc, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x100}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xd}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffffff8}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}]}, @TIPC_NLA_BEARER={0xf8, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x9, @remote, 0x8000000}}, {0x20, 0x2, @in6={0xa, 0x4e21, 0x7c, @empty, 0x51}}}}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'eth', 0x3a, 'bond0\x00'}}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @empty}}, {0x20, 0x2, @in6={0xa, 0x4e21, 0x7, @remote, 0x3}}}}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x1b}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0xffff, @empty, 0x4}}, {0x14, 0x2, @in={0x2, 0x4e23, @multicast2}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x9}]}, @TIPC_NLA_NET={0xc, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x8}]}]}, 0x1e8}, 0x1, 0x0, 0x0, 0x80}, 0x1) [ 695.110884][ T8061] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 695.120704][ T8061] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 695.135153][ T8061] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:34:05 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='z*\b\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) syz_open_dev$amidi(&(0x7f0000000080)='/dev/amidi#\x00', 0x9, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0xfffffffffffffdf5, 0x0, &(0x7f00000002c0), 0x0, 0x0, 0x0}) [ 695.186009][ T8061] Interruptibility = 00000000 ActivityState = 00000000 [ 695.198716][ T8061] *** Host State *** 17:34:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 695.235329][ T8061] RIP = 0xffffffff811b40b0 RSP = 0xffff8880581278e0 [ 695.256721][ T8090] binder: 8089:8090 ioctl c018620b 0 returned -14 [ 695.259342][ T8061] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 695.293096][ T8061] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 695.318274][ T8061] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 695.328722][ T8061] CR0=0000000080050033 CR3=000000001a413000 CR4=00000000001426f0 [ 695.328910][ T8098] binder: 8089:8098 got transaction with invalid offset (0, min 0 max 24) or object. [ 695.337318][ T8061] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 695.354752][ T8061] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 695.358236][ T8098] binder: 8089:8098 transaction failed 29201/-22, size 24-8 line 3241 [ 695.362846][ T8099] binder: 8095:8099 got transaction with invalid offset (0, min 0 max 24) or object. [ 695.381010][ T8061] *** Control State *** [ 695.385441][ T8061] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 695.393845][ T8061] EntryControls=0000d1ff ExitControls=002fefff [ 695.399551][ T8099] binder: 8095:8099 transaction failed 29201/-22, size 24-8 line 3241 [ 695.400279][ T8061] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 695.418795][ T8099] binder: 8095:8099 BC_INCREFS_DONE u0000000000000000 no match [ 695.420135][ T8061] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 695.434593][ T8061] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 695.443331][ T8061] reason=80000021 qualification=0000000000000000 [ 695.450550][ T8061] IDTVectoring: info=00000000 errcode=00000000 [ 695.457418][ T8061] TSC Offset = 0xfffffe89f0ea34f0 [ 695.462961][ T8061] EPT pointer = 0x000000000cc1601e 17:34:05 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x11000000) [ 695.562537][ T7808] binder: release 8063:8071 transaction 3423 out, still active [ 695.597185][ T7808] binder: send failed reply for transaction 3423, target dead 17:34:05 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:05 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 695.610353][ T7808] binder: send failed reply for transaction 3426 to 8068:8073 [ 695.615732][ T8103] *** Guest State *** [ 695.622388][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 695.625612][ T8103] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 695.671190][ T8103] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 695.712809][ T8109] binder: 8108:8109 ioctl c018620b 0 returned -14 [ 695.752189][ T8103] CR3 = 0x0000000000002000 [ 695.764187][ T8103] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 695.772209][ T8109] binder: 8108:8109 transaction failed 29189/-22, size 24-8 line 2994 [ 695.781629][ T8103] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 695.789960][ T8109] binder: 8108:8109 BC_INCREFS_DONE u0000000000000000 no match [ 695.798645][ T8103] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 695.807179][ T8103] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 695.815672][ T8103] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 695.823468][ T8103] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 695.823483][ T8111] binder: 8108:8111 ioctl c018620b 0 returned -14 [ 695.839251][ T8103] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 695.839305][ T8109] binder: 8108:8109 transaction failed 29189/-22, size 24-8 line 2994 [ 695.848472][ T8103] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 695.866828][ T8103] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 695.876728][ T8103] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 695.885784][ T8103] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 695.894769][ T8103] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 695.903841][ T8103] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 17:34:06 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5421, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 695.912905][ T8103] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 695.921992][ T8103] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 695.931120][ T8103] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 695.939571][ T8103] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 695.950148][ T8103] Interruptibility = 00000000 ActivityState = 00000000 [ 695.958225][ T8103] *** Host State *** [ 695.962435][ T8103] RIP = 0xffffffff811b40b0 RSP = 0xffff888053f0f8e0 [ 695.970900][ T8103] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 695.986082][ T8103] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 695.995107][ T8103] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 696.009411][ T8103] CR0=0000000080050033 CR3=000000001a413000 CR4=00000000001426f0 [ 696.017552][ T8103] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 696.025222][ T8103] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 696.049417][ T8103] *** Control State *** [ 696.050350][ T8117] binder: 8116:8117 ioctl c018620b 0 returned -14 [ 696.054149][ T8103] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 696.070661][ T8098] binder: 8089:8098 ioctl c018620b 0 returned -14 [ 696.078898][ T8120] binder: 8089:8120 got transaction with invalid offset (0, min 0 max 24) or object. [ 696.084122][ T8117] binder: 8116:8117 ioctl c0306201 20000440 returned -11 [ 696.103710][ T8103] EntryControls=0000d1ff ExitControls=002fefff 17:34:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:06 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff}) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f00000002c0)={r0}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000240)='TIPCv2\x00') sendmsg$TIPC_NL_SOCK_GET(r1, &(0x7f0000000200)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f00000001c0)={&(0x7f00000005c0)=ANY=[@ANYBLOB='\x00\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="000128bd7000fddbdf25060000003c00060006000200080001000400000004000200080001000800000008000100030000000800010004000000080001008a0a0000080001000600000044000600080001000100000004000200080001000400000008000100850000000400020008000100010000000400020004000200080001000104000008000100ffffffff301d5d781238f6a919cae46239c904300eab1310ca24bd237d64bca6017d80f164ed0d"], 0x94}, 0x1, 0x0, 0x0, 0x40}, 0x1) r3 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x80000, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x6) ioctl$sock_FIOGETOWN(r3, 0x8903, &(0x7f0000000300)=0x0) write$P9_RREADLINK(r3, &(0x7f0000000580)={0x10, 0x17, 0x2, {0x7, './file0'}}, 0x10) write$P9_RGETLOCK(r3, &(0x7f0000000340)={0x25, 0x37, 0x2, {0x0, 0x5, 0xfff, r4, 0x7, 'TIPCv2\x00'}}, 0x25) getsockopt$EBT_SO_GET_INIT_ENTRIES(r1, 0x0, 0x83, &(0x7f00000004c0)={'broute\x00', 0x0, 0x4, 0xdc, [], 0x4, &(0x7f0000000380)=[{}, {}, {}, {}], &(0x7f00000003c0)=""/220}, &(0x7f0000000540)=0x78) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r1, 0x84, 0x16, &(0x7f00000000c0)={0x3, [0xb2b, 0x7, 0x10000]}, &(0x7f0000000280)=0xa) madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x4) [ 696.117874][ T8120] binder: 8089:8120 transaction failed 29201/-22, size 24-8 line 3241 [ 696.129670][ T8103] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 696.149017][ T8103] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 17:34:06 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, @perf_config_ext, 0x0, 0x7, 0x0, 0x0, 0x5e9}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000380)='/dev/vfio/vfio\x00', 0x20000, 0x0) write$P9_RCLUNK(r0, &(0x7f00000003c0)={0x7, 0x79, 0x1}, 0x7) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x2000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r1, 0x84, 0xd, &(0x7f0000000040)=@assoc_id=0x0, &(0x7f0000000080)=0x4) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r2, &(0x7f0000000440)={0x60000002}) ioctl$RTC_AIE_OFF(r0, 0x7002) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r2, 0x84, 0x77, &(0x7f0000000480)=ANY=[@ANYRES32=r3, @ANYBLOB="a00405f0d6837330dd62f6b10002000200030000040400d304682e8709ec1cb534f6b0a2246633fe74b904e2605669e57082b6a96c8a578d73a1001fa8891d4f870614e40634784b16e712cdd9c1f17b7433eabf3c7c282b320853a3491918aa642a203529685f957b000140ab8191077c0d6ff6b0f08daaf11632b011cdec0677e9ec26ba3aafe21850c947ddb232dcc4923cd78cb354093740fcb2565138496ee6"], &(0x7f00000001c0)=0x12) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffdf7, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 696.210307][ T8117] binder: 8116:8117 BC_INCREFS_DONE node 3440 has no pending increfs request [ 696.226560][ T8103] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 696.262400][ T8103] reason=80000021 qualification=0000000000000000 [ 696.283560][ T8132] binder: 8116:8132 ioctl c018620b 0 returned -14 [ 696.291658][ T8103] IDTVectoring: info=00000000 errcode=00000000 17:34:06 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x81, 0x0) openat$apparmor_task_current(0xffffffffffffff9c, &(0x7f0000000140)='/proc/self/attr/current\x00', 0x2, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x200a00, 0x0) pipe(&(0x7f00000000c0)) r0 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000100)='/proc/capi/capi20ncci\x00', 0x22000, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 696.311457][ T8103] TSC Offset = 0xfffffe896ef917a0 [ 696.317480][ T2986] binder: release 8116:8117 transaction 3439 out, still active [ 696.336176][ T2986] binder: unexpected work type, 4, not freed [ 696.336607][ T8134] binder: 8133:8134 ioctl c018620b 0 returned -14 [ 696.349346][ T8103] EPT pointer = 0x000000001a4dd01e [ 696.362086][ T2986] binder: undelivered TRANSACTION_COMPLETE 17:34:06 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5450, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 696.386257][ T2986] binder: release 8116:8117 transaction 3443 out, still active 17:34:06 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x20000000) 17:34:06 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000fef000/0x11000)=nil, 0x11000, 0x7) [ 696.509229][ T8144] binder: 8143:8144 ioctl c018620b 0 returned -14 17:34:06 executing program 0: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5421, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 696.551518][ T2986] binder: release 8106:8112 transaction 3435 out, still active [ 696.577735][ T2986] binder: send failed reply for transaction 3435, target dead [ 696.588103][ T2986] binder: send failed reply for transaction 3439, target dead 17:34:06 executing program 1: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) socket$inet6_dccp(0xa, 0x6, 0x0) [ 696.610576][ T2986] binder: send failed reply for transaction 3442 to 8124:8130 [ 696.621778][ T2986] binder: send failed reply for transaction 3443, target dead [ 696.638006][ T2986] binder: send failed reply for transaction 3446 to 8133:8139 [ 696.662984][ T2986] binder: send failed reply for transaction 3449 to 8143:8144 [ 696.673376][ T8151] binder: 8143:8151 ioctl c018620b 0 returned -14 [ 696.687796][ T8144] binder: 8143:8144 transaction failed 29189/-22, size 24-8 line 2994 [ 696.692989][ T8158] binder: 8156:8158 ioctl c018620b 0 returned -14 17:34:06 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5451, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:06 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x73) acct(0x0) [ 696.731289][ T8158] binder: 8156:8158 transaction failed 29189/-22, size 24-8 line 2994 [ 696.732328][ T8159] *** Guest State *** [ 696.755918][ T8159] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 696.779214][ T8159] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 696.780001][ T8158] binder_thread_write: 4 callbacks suppressed [ 696.780015][ T8158] binder: 8156:8158 BC_INCREFS_DONE u0000000000000000 no match [ 696.835125][ T8159] CR3 = 0x0000000000002000 [ 696.844845][ T8166] binder: 8165:8166 ioctl c018620b 0 returned -14 [ 696.863572][ T8159] PDPTR0 = 0x0000000000000000 PDPTR1 = 0x0000000000000000 17:34:06 executing program 0 (fault-call:12 fault-nth:0): perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 696.879176][ T8166] binder: 8165:8166 BC_INCREFS_DONE u0000000000000000 no match [ 696.889822][ T8159] PDPTR2 = 0x0000000000000000 PDPTR3 = 0x0000000000000000 [ 696.914107][ T8159] RSP = 0x0000000000000f80 RIP = 0x0000000000000000 [ 696.923219][ T8169] binder: 8165:8169 ioctl c018620b 0 returned -14 [ 696.930758][ T8159] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 696.950312][ T8169] binder: 8165:8169 BC_INCREFS_DONE u0000000000000000 no match [ 696.972417][ T8159] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 697.003789][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 697.020374][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 697.037332][ T8159] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 17:34:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:07 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) fcntl$F_GET_RW_HINT(r0, 0x40b, &(0x7f0000000040)) [ 697.055381][ T8159] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.076745][ T8159] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.119679][ T8159] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.129990][ T8139] binder: 8133:8139 ioctl c018620b 0 returned -14 [ 697.143135][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 697.164933][ T8159] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.179241][ T8159] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.188592][ T8159] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 697.206548][ T8183] binder: 8173:8183 BC_INCREFS_DONE u0000000000000000 no match 17:34:07 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280), 0xfffffffffffffd1c, 0x0, 0x0}) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, r0) 17:34:07 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5452, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:07 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$IOC_PR_RELEASE(r0, 0x401070ca, &(0x7f0000000040)={0x9, 0x8}) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x202000, 0x0) ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f00000000c0)={'team0\x00', @dev={[], 0x1d}}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 697.215098][ T8159] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 697.227804][ T2986] binder: release 8133:8139 transaction 3460 out, still active [ 697.246587][ T8159] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 697.282419][ T8185] binder: 8184:8185 ioctl c018620b 0 returned -14 [ 697.294903][ T8159] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 697.325174][ T8192] binder: 8191:8192 ioctl c018620b 0 returned -14 [ 697.325457][ T8159] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 697.345731][ T8193] binder: 8184:8193 BC_INCREFS_DONE node 3465 has no pending increfs request [ 697.349299][ T8159] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 697.376274][ T8159] Interruptibility = 00000000 ActivityState = 00000000 [ 697.388979][ T8195] binder: 8191:8195 unknown command 0 [ 697.397543][ T8159] *** Host State *** [ 697.401664][ T8159] RIP = 0xffffffff811b40b0 RSP = 0xffff88800cc1f8e0 [ 697.407673][ T8195] binder: 8191:8195 ioctl c0306201 200002c0 returned -22 [ 697.419273][ T8159] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 697.426529][ T8159] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 697.435249][ T8159] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 697.442258][ T8159] CR0=0000000080050033 CR3=000000001a40c000 CR4=00000000001426f0 [ 697.450129][ T8159] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 697.457596][ T8159] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 697.464538][ T8159] *** Control State *** [ 697.468822][ T8159] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 697.476516][ T8159] EntryControls=0000d1ff ExitControls=002fefff [ 697.483018][ T8159] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 697.490868][ T8159] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 697.498392][ T8159] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 697.505828][ T8159] reason=80000021 qualification=0000000000000000 [ 697.513019][ T8159] IDTVectoring: info=00000000 errcode=00000000 [ 697.519269][ T8159] TSC Offset = 0xfffffe88da41827d [ 697.524569][ T8159] EPT pointer = 0x0000000053a2501e 17:34:07 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x3f000000) 17:34:07 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x80000, 0x0) syz_kvm_setup_cpu$x86(r0, r2, &(0x7f0000006000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, &(0x7f0000000080)="66ba4100ec67f26636460f0011670f0966baf80cb86ac2a481ef66bafc0c66b8bd8166ef66baf80cb8e0658984ef66bafc0c66ed66400f38817d0e2e0f01c9b909040000b8687ea43eba16f516550f30360f30660f388007", 0x58}], 0x1, 0x41, &(0x7f0000000140), 0x0) 17:34:07 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) r0 = creat(&(0x7f0000000040)='./file0\x00', 0x40) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x701ba28c48e978c0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x7) ftruncate(r0, 0x7f) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:07 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) r0 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000080)='/proc/capi/capi20ncci\x00', 0x4800, 0x0) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f00000000c0)={0x0, @in={{0x2, 0x4e20, @multicast1}}}, &(0x7f0000000180)=0x84) r2 = getpgid(0x0) syz_open_procfs(r2, &(0x7f00000002c0)='fdinfo/3\x00') setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x5, &(0x7f00000001c0)={r1, @in={{0x2, 0x4e20, @multicast2}}}, 0x84) r3 = openat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x400002, 0x110) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000280)='/dev/sequencer2\x00', 0x2, 0x0) [ 697.710723][ T8205] *** Guest State *** [ 697.715263][ T8205] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 697.726326][ T8205] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 697.774742][ T8172] FAULT_INJECTION: forcing a failure. [ 697.774742][ T8172] name fail_futex, interval 1, probability 0, space 0, times 0 [ 697.775210][ T7808] binder: release 8171:8176 transaction 3457 out, still active [ 697.795490][ T8205] CR3 = 0x0000000000002000 [ 697.795506][ T8205] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 697.795517][ T8205] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 697.795524][ T8205] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 697.795534][ T8205] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 697.795548][ T8205] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 697.795561][ T8205] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 697.795581][ T8205] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.831608][ T8172] CPU: 1 PID: 8172 Comm: syz-executor.0 Not tainted 5.1.0-rc2+ #37 [ 697.861071][ T8172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 697.871174][ T8172] Call Trace: [ 697.874502][ T8172] dump_stack+0x172/0x1f0 [ 697.878871][ T8172] should_fail.cold+0xa/0x15 [ 697.883045][ T8205] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.883491][ T8172] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 697.892911][ T8205] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.898008][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.898045][ T8172] ? __lockdep_free_key_range+0x120/0x120 [ 697.898071][ T8172] get_futex_key+0xba3/0x1660 [ 697.907667][ T8205] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.912355][ T8172] ? unqueue_me_pi+0xc0/0xc0 [ 697.912377][ T8172] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 697.912393][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.912416][ T8172] futex_wake+0xf9/0x4d0 [ 697.912432][ T8172] ? __lockdep_free_key_range+0x120/0x120 [ 697.912456][ T8172] ? get_futex_key+0x1660/0x1660 [ 697.919046][ T8205] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 697.922928][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.922949][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.922966][ T8172] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 697.922979][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.923002][ T8172] do_futex+0x324/0x1df0 [ 697.923016][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.923048][ T8172] ? perf_trace_lock+0xeb/0x510 [ 697.923072][ T8172] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 697.937990][ T8205] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 697.942639][ T8172] ? debug_smp_processor_id+0x3c/0x280 [ 697.942666][ T8172] ? exit_robust_list+0x2c0/0x2c0 [ 697.942684][ T8172] ? __might_fault+0x12b/0x1e0 [ 697.942699][ T8172] ? find_held_lock+0x35/0x130 [ 697.942713][ T8172] ? __might_fault+0x12b/0x1e0 [ 697.942737][ T8172] ? lock_downgrade+0x880/0x880 [ 697.949968][ T8205] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 697.952602][ T8172] mm_release+0x33d/0x490 [ 697.952622][ T8172] do_exit+0x417/0x2fa0 [ 697.952642][ T8172] ? get_signal+0x331/0x1d50 [ 697.952665][ T8172] ? find_held_lock+0x35/0x130 [ 697.960072][ T8205] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 697.963442][ T8172] ? mm_update_next_owner+0x640/0x640 [ 697.963465][ T8172] ? kasan_check_write+0x14/0x20 [ 697.963485][ T8172] ? _raw_spin_unlock_irq+0x28/0x90 [ 697.963498][ T8172] ? get_signal+0x331/0x1d50 [ 697.963510][ T8172] ? _raw_spin_unlock_irq+0x28/0x90 [ 697.963531][ T8172] do_group_exit+0x135/0x370 17:34:08 executing program 1: socketpair$unix(0x1, 0xb, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full\x00', 0xd00, 0x0) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') sendmsg$IPVS_CMD_GET_INFO(r1, &(0x7f00000002c0)={&(0x7f0000000140), 0xc, &(0x7f0000000280)={&(0x7f0000000380)=ANY=[@ANYBLOB="c66ff81d0800000000000000b3a20f47", @ANYRES16=r2, @ANYBLOB="000826bd7000ffdbdf250f0000007000030008000500ac1414bb080007004e200000080004000100000008000300020000000800030002000000080005007f00000114000600dc60784840d18173994f957d4a0be1e414000600ff0200000000000000000000000000011400020069706464703000000000000000000000"], 0x84}, 0x1, 0x0, 0x0, 0x800}, 0x10) r3 = syz_init_net_socket$ax25(0x3, 0x5, 0xc3) fsetxattr$trusted_overlay_opaque(r1, &(0x7f00000001c0)='trusted.overlay.opaque\x00', &(0x7f0000000200)='y\x00', 0x2, 0x2) epoll_wait(r1, &(0x7f0000000300)=[{}, {}, {}, {}, {}, {}], 0x6, 0xfff) accept4$ax25(r3, &(0x7f0000000000)={{0x3, @default}, [@null, @netrom, @netrom, @remote, @default, @null, @bcast, @rose]}, &(0x7f0000000080)=0x48, 0x80800) [ 697.972906][ T8205] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 697.977703][ T8172] get_signal+0x399/0x1d50 [ 697.977737][ T8172] ? binder_thread_write+0x2820/0x2820 [ 697.977762][ T8172] ? do_vfs_ioctl+0x120/0x1390 [ 697.983831][ T8205] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 697.989488][ T8172] do_signal+0x87/0x1940 [ 697.989507][ T8172] ? ioctl_preallocate+0x210/0x210 [ 697.989531][ T8172] ? __fget+0x381/0x550 17:34:08 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 697.995758][ T8205] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 697.999262][ T8172] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 697.999283][ T8172] ? setup_sigcontext+0x7d0/0x7d0 [ 697.999307][ T8172] ? kick_process+0xef/0x180 [ 698.005731][ T8205] Interruptibility = 00000000 ActivityState = 00000000 [ 698.009936][ T8172] ? exit_to_usermode_loop+0x43/0x2c0 [ 698.009953][ T8172] ? do_syscall_64+0x52d/0x610 [ 698.009975][ T8172] ? exit_to_usermode_loop+0x43/0x2c0 [ 698.016862][ T8205] *** Host State *** 17:34:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 698.024939][ T8172] ? lockdep_hardirqs_on+0x418/0x5d0 [ 698.024960][ T8172] ? trace_hardirqs_on+0x67/0x230 [ 698.024981][ T8172] exit_to_usermode_loop+0x244/0x2c0 [ 698.025002][ T8172] do_syscall_64+0x52d/0x610 [ 698.025033][ T8172] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 698.025048][ T8172] RIP: 0033:0x458209 [ 698.025072][ T8172] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 17:34:08 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5460, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 698.031213][ T8205] RIP = 0xffffffff811b40b0 RSP = 0xffff88800cc1f8e0 [ 698.035692][ T8172] RSP: 002b:00007fbc1bc9cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 698.035709][ T8172] RAX: fffffffffffffe00 RBX: 00007fbc1bc9cc90 RCX: 0000000000458209 [ 698.035717][ T8172] RDX: 0000000020000140 RSI: 00000000c0306201 RDI: 0000000000000005 [ 698.035724][ T8172] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 698.035732][ T8172] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc1bc9d6d4 [ 698.035739][ T8172] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 0000000000000007 [ 698.100042][ T7808] binder: send failed reply for transaction 3457, target dead [ 698.106489][ T8193] binder: 8184:8193 ioctl c018620b 0 returned -14 [ 698.114866][ T7808] binder: send failed reply for transaction 3460, target dead [ 698.136311][ T8195] binder: 8191:8195 ioctl c018620b 0 returned -14 [ 698.155296][ T8215] binder: 8184:8215 BC_INCREFS_DONE u0000000000000000 no match [ 698.180005][ T8195] binder: 8191:8195 unknown command 0 [ 698.200397][ T7808] binder: send failed reply for transaction 3463 to 8173:8183 [ 698.251269][ T8195] binder: 8191:8195 ioctl c0306201 200002c0 returned -22 [ 698.315246][ T7808] binder: send failed reply for transaction 3464 to 8184:8185 [ 698.327260][ T8205] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 698.351884][ T7808] binder: send failed reply for transaction 3467 to 8191:8195 [ 698.393239][ T8227] binder: 8226:8227 ioctl c018620b 0 returned -14 [ 698.404950][ T8205] FSBase=00007fe957ae9700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 17:34:08 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r2 = creat(&(0x7f0000000100)='./file0\x00', 0x8) ioctl$KVM_GET_DIRTY_LOG(r2, 0x4010ae42, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000003000/0x3000)=nil}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) fsetxattr(r3, &(0x7f0000000080)=@known='trusted.overlay.metacopy\x00', &(0x7f00000000c0)='wlan1eth0\x00', 0xa, 0x0) fcntl$getown(r0, 0x9) [ 698.433254][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 698.438944][ T8205] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 698.448582][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 698.458423][ T8205] CR0=0000000080050033 CR3=00000000846d6000 CR4=00000000001426e0 [ 698.463692][ T8232] binder: 8226:8232 BC_INCREFS_DONE u0000000000000000 no match [ 698.477278][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 698.494475][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 698.500793][ T8205] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 698.517154][ T8205] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 698.523401][ T8236] binder: 8226:8236 ioctl c018620b 0 returned -14 [ 698.535756][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 698.538417][ T8205] *** Control State *** [ 698.550465][ T7808] binder: release 8226:8227 transaction 3478 out, still active [ 698.563770][ T8205] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 698.582409][ T8205] EntryControls=0000d1ff ExitControls=002fefff 17:34:08 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="374a398c8c4b815d075f254351fdc87e0c98f7dfc41d141054113c3c7720a9211c1f9c27e3fee4ca1a3b22cc65592ec1448a1186a5f8eadf4e966b64b32810acbc7fc8c9f090163eddc6d293b7d76699b176770867"], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="006340400000000000000000000000000059f86af6c10c7d2f0fd8b35d7594bf000000000000000000000000000000000000001800a41ec4033332cf1bd8", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f00000000c0), 0x0, 0x0, 0x0}) prctl$PR_MCE_KILL(0x21, 0x1, 0x1) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r0, 0x111, 0x4, 0x0, 0x4) 17:34:08 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 698.593198][ T8205] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 698.606965][ T8205] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 698.615232][ T8205] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 698.623439][ T8205] reason=80000021 qualification=0000000000000000 [ 698.633637][ T8205] IDTVectoring: info=00000000 errcode=00000000 [ 698.640599][ T8205] TSC Offset = 0xfffffe884fd903bb [ 698.646087][ T8205] EPT pointer = 0x000000001a41e01e 17:34:08 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) getsockname$unix(r0, &(0x7f0000000040), &(0x7f00000000c0)=0x6e) madvise(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x65) 17:34:08 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x48000000) [ 698.749974][ T8245] binder: 8244:8245 ioctl c018620b 0 returned -14 [ 698.762510][ T8246] binder: 8242:8246 ioctl c018620b 0 returned -14 [ 698.795596][ T8246] binder: 8242:8246 unknown command -1942402505 [ 698.814957][ T8246] binder: 8242:8246 ioctl c0306201 20000140 returned -22 17:34:08 executing program 1: socketpair$unix(0x1, 0xfffffffffffffffe, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f0000000080)=0x8) pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x84800) ioctl$UFFDIO_UNREGISTER(r2, 0x8010aa01, &(0x7f0000000040)={&(0x7f0000004000/0x3000)=nil, 0x3000}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$sock_ifreq(r1, 0x8919, &(0x7f0000000100)={'ip6_vti0\x00', @ifru_names='ipddp0\x00'}) madvise(&(0x7f0000004000/0x1000)=nil, 0x1000, 0xb) [ 698.841048][ T8253] binder: 8244:8253 BC_INCREFS_DONE node 3482 has no pending increfs request [ 698.864925][ T8254] binder: 8242:8254 ioctl c018620b 0 returned -14 [ 698.886441][ T8246] binder: 8242:8246 unknown command -1942402505 [ 698.914964][ T8246] binder: 8242:8246 ioctl c0306201 20000140 returned -22 [ 698.930482][ T8255] *** Guest State *** [ 698.940622][ T8255] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 698.950239][ T8255] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 17:34:09 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="08631040", @ANYRES64=0x0, @ANYBLOB="9ffb486214002000"], 0x0, 0x0, 0x0}) r1 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x3f, 0x1) ioctl$VT_WAITACTIVE(r1, 0x5607) 17:34:09 executing program 1: r0 = add_key$user(&(0x7f0000000040)='user\x00', &(0x7f0000000080)={'syz', 0x3}, &(0x7f00000000c0)="9c4e36d8fb5ef8bb33379ebbb65e60bf656b285bfda4d21eedbad56df7429095089fadaba5db92202723e8f6a78fc52a89b96b6e7b476fd9bcd8a649600b615f579bf2cfb6e77111bcac533e42c2ff5416b025a2c83dc7a28685448aa223fee179bc8e984050983c14a64d63597effa8e49b36a57d835f0ddcb759d1f548991cbe086c794269fbe5eadb71339bc2dc8b640f70e130fe8b4ecfe7a3b50c3cb60a3511bc4becce2f13501b94ceeda2f7163ab239a0e249c21c3f8f3447543cff3d4be6c13cc819", 0xc6, 0xfffffffffffffffa) keyctl$get_keyring_id(0x0, r0, 0x3) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 698.980947][ T8255] CR3 = 0x0000000000000000 [ 699.038234][ T8255] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 699.058774][ T8267] binder: 8266:8267 ioctl c018620b 0 returned -14 [ 699.070202][ T8255] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 699.077904][ T7808] binder: release 8220:8234 transaction 3475 out, still active [ 699.086691][ T8255] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 699.096652][ T8255] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.106598][ T8255] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.111901][ T2986] binder: send failed reply for transaction 3475, target dead [ 699.116646][ T8255] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:34:09 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x2, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 699.132554][ T2986] binder: send failed reply for transaction 3478, target dead [ 699.138693][ T8270] binder: 8266:8270 BC_INCREFS_DONE u0000000000000000 no match [ 699.153756][ T8255] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 699.179295][ T2986] binder: send failed reply for transaction 3481 to 8244:8245 [ 699.188883][ T8253] binder: 8244:8253 ioctl c018620b 0 returned -14 [ 699.198565][ T8255] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.218251][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:34:09 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = creat(&(0x7f0000000040)='./file0\x00', 0x10) getsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(0xffffffffffffff9c, 0x84, 0x76, &(0x7f0000000080)={0x0, 0x3}, &(0x7f00000000c0)=0x8) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000000100)={r2, @in={{0x2, 0x4e24, @local}}, [0xffffffffffffffff, 0x2009, 0x100000000, 0x7, 0x9, 0x2, 0x18e, 0x2, 0x726, 0x4, 0x6, 0x776, 0x0, 0x7, 0x6]}, &(0x7f0000000200)=0x100) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) prctl$PR_SET_FPEMU(0xa, 0x1) madvise(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x4000000000001) mlock2(&(0x7f0000006000/0x4000)=nil, 0x4000, 0x0) [ 699.231216][ T8253] binder: 8244:8253 BC_INCREFS_DONE u0000000000000000 no match [ 699.249379][ T8255] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.304747][ T8255] GDTR: limit=0x00000000, base=0x0000000000000000 [ 699.326038][ T8255] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:09 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046207, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:09 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x800, 0x0) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f0000000180), &(0x7f0000000200)=0x4) r2 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x1f, 0xc4000) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000001c0)) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$CAPI_NCCI_GETUNIT(r2, 0x80044327, &(0x7f0000000080)=0x401) ioctl$VIDIOC_QBUF(r2, 0xc058560f, &(0x7f00000000c0)={0x1, 0x9, 0x4, 0x2000, {0x0, 0x2710}, {0x6, 0xc, 0xfff, 0x4, 0x6, 0x56d1, '0F$^'}, 0xfe, 0x1, @userptr=0x551000000000000, 0x4}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) exit(0x3cb) [ 699.346392][ T8281] binder: 8272:8281 BC_INCREFS_DONE node 3490 has no pending increfs request [ 699.347938][ T8255] IDTR: limit=0x00000000, base=0x0000000000000000 [ 699.374703][ T8283] binder: 8277:8283 BC_INCREFS_DONE u0000000000000000 no match [ 699.393337][ T8255] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.415678][ T8285] binder: 8284:8285 ioctl c018620b 0 returned -14 [ 699.416238][ T8255] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 699.444339][ T8255] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 699.453643][ T8285] binder: BINDER_SET_CONTEXT_MGR already set [ 699.459251][ T8255] Interruptibility = 00000000 ActivityState = 00000000 [ 699.467974][ T8255] *** Host State *** [ 699.469898][ T8285] binder: 8284:8285 ioctl 40046207 20000140 returned -16 [ 699.472949][ T8255] RIP = 0xffffffff811b40b0 RSP = 0xffff88804fce78e0 [ 699.489806][ T8255] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 699.497118][ T8255] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 699.505839][ T8255] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 699.512476][ T8255] CR0=0000000080050033 CR3=00000000a0cbc000 CR4=00000000001426f0 [ 699.520531][ T8255] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 699.528234][ T8255] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 699.535392][ T8289] binder: 8284:8289 BC_INCREFS_DONE node 3494 has no pending increfs request [ 699.544364][ T8255] *** Control State *** [ 699.548836][ T8255] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 699.556429][ T8255] EntryControls=0000d1ff ExitControls=002fefff [ 699.563200][ T8255] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 699.571124][ T8255] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 699.578697][ T8255] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 699.586444][ T8255] reason=80000021 qualification=0000000000000000 [ 699.593633][ T8255] IDTVectoring: info=00000000 errcode=00000000 [ 699.599994][ T8255] TSC Offset = 0xfffffe87a9bd738c [ 699.605185][ T8255] EPT pointer = 0x0000000091d9a01e 17:34:09 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4c000000) [ 699.777560][ T8293] *** Guest State *** [ 699.781999][ T8293] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 699.797794][ T8293] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 699.810175][ T8293] CR3 = 0x0000000000000000 [ 699.815114][ T8293] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 699.822313][ T8293] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 699.848080][ T8293] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 699.860002][ T8296] binder: 8266:8296 ioctl c018620b 0 returned -14 [ 699.862838][ T8293] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.878380][ T8293] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.887519][ T8293] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 699.896746][ T8293] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.905797][ T8293] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.919632][ T8296] binder: 8266:8296 BC_INCREFS_DONE u0000000000000000 node 3497 cookie mismatch 002000146248fb9f != 0000000000000000 [ 699.933324][ T8293] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:10 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="08631040", @ANYRES64=0x0, @ANYBLOB="00000000000000003d46cfc1c7fcc82c190a6a901d76994b9960e7cd5916f73f0aa3a467caf30ab5434bb63ccc2fe7457fe449fa119aaada9cd67be0015612774174e0b2fd1990740978b1c9eee8c0c8e939f0435aa42cb1ac14b02b722d6f38bf504e709380faa91d4638102bbfbafa80cce19f009a3c3b86198fe0c03ac1cc814abd5d0d664360953b230d11dbbfc9c0"], 0x0, 0x0, 0x0}) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x2, 0x1) write$FUSE_POLL(r1, &(0x7f0000000280)={0x18, 0xfffffffffffffff5, 0x2, {0xfffffffffffffffa}}, 0x18) ioctl$SNDRV_TIMER_IOCTL_TREAD(r1, 0x40045402, &(0x7f00000001c0)=0x1) [ 699.943035][ T8293] GDTR: limit=0x00000000, base=0x0000000000000000 [ 699.949897][ T2986] binder: release 8266:8270 transaction 3496 out, still active [ 699.952830][ T8293] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 699.977639][ T8293] IDTR: limit=0x00000000, base=0x0000000000000000 [ 699.987042][ T8293] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 700.018684][ T8293] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 700.026364][ T8293] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 700.044360][ T8293] Interruptibility = 00000000 ActivityState = 00000000 [ 700.062545][ T8293] *** Host State *** [ 700.066751][ T8293] RIP = 0xffffffff811b40b0 RSP = 0xffff888053c7f8e0 [ 700.074104][ T8293] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 700.082460][ T8301] binder_alloc: 8272: binder_alloc_buf, no vma [ 700.082630][ T8281] binder: BINDER_SET_CONTEXT_MGR already set [ 700.088915][ T8301] binder_transaction: 10 callbacks suppressed [ 700.088969][ T8301] binder: 8272:8301 transaction failed 29189/-3, size 24-8 line 3147 [ 700.110895][ T8281] binder: 8272:8281 ioctl 40046207 0 returned -16 [ 700.127109][ T8302] binder: 8298:8302 ioctl c018620b 0 returned -14 [ 700.130656][ T7808] binder: release 8277:8283 transaction 3492 out, still active [ 700.141764][ T8293] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 700.150550][ T7808] binder: undelivered TRANSACTION_COMPLETE 17:34:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 700.163746][ T8293] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 700.182102][ T2986] binder: send failed reply for transaction 3489 to 8272:8273 [ 700.190579][ T8304] binder: 8298:8304 transaction failed 29189/-22, size 24-8 line 2994 [ 700.193857][ T2986] binder: send failed reply for transaction 3492, target dead [ 700.207254][ T8293] CR0=0000000080050033 CR3=000000001a45b000 CR4=00000000001426e0 [ 700.207277][ T8293] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 700.216870][ T8305] binder: 8284:8305 ioctl c018620b 0 returned -14 [ 700.230749][ T8289] binder: 8284:8289 got transaction to context manager from process owning it [ 700.246390][ T8305] binder: 8284:8305 BC_INCREFS_DONE node 3501 has no pending increfs request [ 700.248425][ T8308] binder: 8298:8308 BC_INCREFS_DONE u0000000000000000 no match [ 700.256172][ T2986] binder: send failed reply for transaction 3493 to 8284:8285 [ 700.263622][ T8289] binder: 8284:8289 transaction failed 29201/-22, size 24-8 line 2985 [ 700.280702][ T8293] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 700.293223][ T8311] binder_alloc: 8284: binder_alloc_buf, no vma [ 700.295673][ T8293] *** Control State *** [ 700.300811][ T2986] binder: send failed reply for transaction 3496, target dead 17:34:10 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) timer_create(0x2, &(0x7f0000000000)={0x0, 0x2, 0x2, @tid=0xffffffffffffffff}, &(0x7f0000000040)=0x0) timer_getoverrun(r1) [ 700.316922][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 700.319873][ T8293] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 700.323778][ T8311] binder: 8306:8311 transaction failed 29189/-3, size 24-0 line 3147 [ 700.349872][ T8293] EntryControls=0000d1ff ExitControls=002fefff [ 700.352569][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 17:34:10 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x5421, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 700.371300][ T8293] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 700.401147][ T8293] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 17:34:10 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 700.433612][ T8293] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 700.465495][ T8293] reason=80000021 qualification=0000000000000000 17:34:10 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x40, 0x0) ioctl$UFFDIO_ZEROPAGE(r1, 0xc020aa04, &(0x7f0000000080)={{&(0x7f0000006000/0x4000)=nil, 0x4000}, 0x1}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 700.496091][ T8293] IDTVectoring: info=00000000 errcode=00000000 [ 700.512551][ T8293] TSC Offset = 0xfffffe87356849d5 [ 700.518119][ T8293] EPT pointer = 0x00000000a0f2301e [ 700.526224][ T8322] binder: 8321:8322 ioctl c018620b 0 returned -14 [ 700.550374][ T8319] binder: 8318:8319 ioctl c0306201 20000440 returned -11 [ 700.554875][ T8324] binder: 8321:8324 ioctl c018620b 0 returned -14 [ 700.580305][ T8319] binder: 8318:8319 BC_INCREFS_DONE node 3509 has no pending increfs request 17:34:10 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x60000000) [ 700.612447][ T7808] binder: release 8321:8322 transaction 3505 out, still active [ 700.625351][ T7808] binder: release 8321:8322 transaction 3511 out, still active 17:34:10 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40049409, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:10 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.cpu/syz1\x00', 0x200002, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 700.684932][ T8331] binder_alloc: 8318: binder_alloc_buf, no vma [ 700.687654][ T8319] binder: BINDER_SET_CONTEXT_MGR already set [ 700.691202][ T8331] binder: 8318:8331 transaction failed 29189/-3, size 24-8 line 3147 [ 700.766642][ T7808] binder: release 8318:8319 transaction 3508 out, still active [ 700.777101][ T8319] binder: 8318:8319 ioctl 40046207 0 returned -16 [ 700.789806][ T7808] binder: unexpected work type, 4, not freed [ 700.798291][ T8340] binder: 8337:8340 ioctl c018620b 0 returned -14 [ 700.808526][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 700.825567][ T7808] binder: send failed reply for transaction 3505, target dead [ 700.840469][ T8340] binder: 8337:8340 transaction failed 29189/-22, size 24-8 line 2994 [ 700.840664][ T7808] binder: send failed reply for transaction 3508, target dead [ 700.869564][ T8343] *** Guest State *** 17:34:10 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x5450, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:10 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000040)={0x0}, &(0x7f0000000080)=0xc) move_pages(r1, 0x1, &(0x7f00000000c0)=[&(0x7f0000006000/0x3000)=nil], &(0x7f0000000100)=[0x8, 0x1], &(0x7f0000000140)=[0x0, 0x0, 0x0], 0x2) madvise(&(0x7f0000007000/0x3000)=nil, 0x3000, 0x0) r2 = openat$vimc0(0xffffffffffffff9c, &(0x7f0000000200)='/dev/video0\x00', 0x2, 0x0) ioctl$VIDIOC_DECODER_CMD(r2, 0xc0485660, &(0x7f0000000240)={0x5, 0x3, @start={0x9}}) r3 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x0, 0x0) ioctl$VIDIOC_S_SELECTION(r3, 0xc040565f, &(0x7f00000001c0)={0x2, 0x100, 0x7, {0xff, 0x40, 0x80, 0x8}}) [ 700.869678][ T7808] binder: send failed reply for transaction 3511, target dead [ 700.880291][ T8304] binder: 8298:8304 ioctl c018620b 0 returned -14 [ 700.887901][ T8343] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 700.887926][ T8343] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 700.887934][ T8343] CR3 = 0x0000000000000000 [ 700.887950][ T8343] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 700.887961][ T8343] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 700.887983][ T8343] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 700.887999][ T8343] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 700.888034][ T8343] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 700.923098][ T8345] binder: 8337:8345 ioctl c018620b 0 returned -14 [ 700.954159][ T8308] binder: 8298:8308 transaction failed 29189/-22, size 24-8 line 2994 [ 700.986184][ T8343] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:34:11 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41000, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffff2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x20610}, 0x0, 0x0, 0xffffffffffffffff, 0x2) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) prctl$PR_GET_SECUREBITS(0x1b) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 701.028119][ T8340] binder: 8337:8340 transaction failed 29189/-22, size 24-8 line 2994 [ 701.030038][ T8343] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.058364][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 17:34:11 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x4001ff) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x440000, 0x0) ioctl$IOC_PR_CLEAR(r1, 0x401070cd, &(0x7f0000000080)={0x1000}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 701.116783][ T8343] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.149360][ T8343] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.158185][ T8343] GDTR: limit=0x00000000, base=0x0000000000000000 [ 701.194234][ T8360] binder: 8346:8360 BC_INCREFS_DONE node 3520 has no pending increfs request [ 701.222926][ T8343] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.233920][ T8362] binder: 8361:8362 ioctl c018620b 0 returned -14 17:34:11 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4018620d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 701.236502][ T8343] IDTR: limit=0x00000000, base=0x0000000000000000 17:34:11 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000180)) r0 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x7, 0xa8000) r1 = syz_open_dev$radio(&(0x7f0000000080)='/dev/radio#\x00', 0x1, 0x2) r2 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x2, 0x2) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x1) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) ioctl$RTC_PLL_SET(r2, 0x40207012, &(0x7f0000000100)={0x1, 0xc1, 0x68c8, 0x5, 0x4, 0x401, 0xffffffff}) openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\x00', 0x400, 0x0) ioctl$UI_SET_FFBIT(r0, 0x4004556b, 0x25) setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000140)=0x7, 0x4) [ 701.279600][ T8343] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.307190][ T8343] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 701.331767][ T8343] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 701.345652][ T8343] Interruptibility = 00000000 ActivityState = 00000000 [ 701.345853][ T8371] binder: 8369:8371 ioctl c018620b 0 returned -14 [ 701.353433][ T8343] *** Host State *** [ 701.376741][ T8343] RIP = 0xffffffff811b40b0 RSP = 0xffff8880515d78e0 [ 701.383643][ T8371] binder: BINDER_SET_CONTEXT_MGR already set [ 701.383663][ T8371] binder: 8369:8371 ioctl 4018620d 20000140 returned -16 [ 701.410443][ T8343] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 701.418306][ T8343] FSBase=00007fe957ae9700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 17:34:11 executing program 1: r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x40000, 0x0) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f00000001c0)='TIPCv2\x00') sendmsg$TIPC_NL_MON_SET(r0, &(0x7f0000000280)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x80000000}, 0xc, &(0x7f0000000240)={&(0x7f0000000200)={0x3c, r1, 0x8, 0x70bd2b, 0x25dfdbff, {}, [@TIPC_NLA_NODE={0x28, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x7}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x406e475c}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0xc15d}, @TIPC_NLA_NODE_UP={0x4}]}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x8880) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) syz_open_dev$media(&(0x7f00000000c0)='/dev/media#\x00', 0x3, 0x10000) r2 = syz_open_dev$audion(&(0x7f0000000100)='/dev/audio#\x00', 0x4, 0x8000) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r3 = syz_open_dev$midi(&(0x7f0000000040)='/dev/midi#\x00', 0x4, 0x4000) syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) ioctl$SIOCX25SCUDMATCHLEN(r3, 0x89e7, &(0x7f0000000080)={0x4b}) [ 701.430690][ T8375] binder: 8369:8375 BC_INCREFS_DONE node 3527 has no pending increfs request [ 701.434799][ T8343] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 701.473623][ T8343] CR0=0000000080050033 CR3=000000001a456000 CR4=00000000001426f0 [ 701.493108][ T8343] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 701.501209][ T8343] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 701.508802][ T8343] *** Control State *** [ 701.513203][ T8343] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca 17:34:11 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) pipe(&(0x7f0000000040)) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 701.520789][ T8343] EntryControls=0000d1ff ExitControls=002fefff [ 701.527415][ T8343] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 701.535749][ T8343] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 701.543405][ T8343] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 701.559463][ T8343] reason=80000021 qualification=0000000000000000 [ 701.575118][ T8343] IDTVectoring: info=00000000 errcode=00000000 [ 701.591997][ T8343] TSC Offset = 0xfffffe86a5fd648f [ 701.608495][ T8343] EPT pointer = 0x00000000a422a01e 17:34:11 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x68000000) 17:34:11 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:11 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$sock_int(r0, 0x1, 0x7, &(0x7f0000000040)=0x7000000, 0x4) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 701.832922][ T8360] binder: BINDER_SET_CONTEXT_MGR already set [ 701.863282][ T8396] binder_alloc: 8346: binder_alloc_buf, no vma [ 701.865702][ T8360] binder: 8346:8360 ioctl 40046207 0 returned -16 [ 701.898781][ T8396] binder: 8346:8396 transaction failed 29189/-3, size 24-8 line 3147 [ 701.907509][ T7808] binder: release 8346:8348 transaction 3519 out, still active [ 701.916691][ T8360] binder_thread_write: 4 callbacks suppressed [ 701.917154][ T8360] binder: 8346:8360 BC_INCREFS_DONE u0000000000000000 no match [ 701.934460][ T7808] binder: send failed reply for transaction 3522 to 8357:8363 [ 701.943759][ T8397] *** Guest State *** [ 701.950152][ T8397] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 701.960388][ T7808] binder: send failed reply for transaction 3519, target dead [ 701.971791][ T7808] binder: send failed reply for transaction 3523 to 8361:8368 [ 701.979375][ T8397] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 701.979387][ T8397] CR3 = 0x0000000000000000 [ 701.979398][ T8397] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 701.979410][ T8397] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 701.979429][ T8397] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 701.979446][ T8397] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.979466][ T8397] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 701.979488][ T8397] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 701.979511][ T8397] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 702.011688][ T8397] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 702.023567][ T7808] binder: send failed reply for transaction 3526 to 8369:8371 [ 702.023679][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 702.023694][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 702.033378][ T8371] binder: 8369:8371 ioctl c018620b 0 returned -14 [ 702.042757][ T8401] binder: 8361:8401 ioctl c018620b 0 returned -14 [ 702.059389][ T8375] binder: 8369:8375 transaction failed 29189/-22, size 24-8 line 2994 [ 702.060150][ T8402] binder: 8369:8402 BC_INCREFS_DONE u0000000000000000 node 3531 cookie mismatch 0000000000000000 != 00000000200000c0 [ 702.118103][ T8403] binder: 8361:8403 BC_INCREFS_DONE u0000000000000000 no match [ 702.125840][ T8397] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 702.147785][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 702.166187][ T8397] GDTR: limit=0x00000000, base=0x0000000000000000 17:34:12 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x5451, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:12 executing program 1: socketpair$unix(0x1, 0x6, 0x0, &(0x7f0000000100)) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x200, 0x0) r0 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/qat_adf_ctl\x00', 0x880, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0xcf3) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x9) 17:34:12 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) r2 = fcntl$getown(r0, 0x9) r3 = gettid() setpgid(r2, r3) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) getsockopt$inet_buf(r1, 0x0, 0x0, &(0x7f0000000000)=""/67, &(0x7f0000000080)=0x43) io_setup(0x3, &(0x7f0000000100)=0x0) io_destroy(r4) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:12 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4020940d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 702.205111][ T8397] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 702.214794][ T8397] IDTR: limit=0x00000000, base=0x0000000000000000 [ 702.256598][ T8408] QAT: Invalid ioctl [ 702.268135][ T8413] binder: 8412:8413 ioctl c018620b 0 returned -14 [ 702.284368][ T8397] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 702.291919][ T8416] QAT: Invalid ioctl [ 702.305710][ T8413] binder: 8412:8413 BC_INCREFS_DONE u0000000000000000 no match [ 702.321442][ T8419] binder: 8414:8419 ioctl c018620b 0 returned -14 [ 702.328937][ T8420] binder: 8412:8420 ioctl c018620b 0 returned -14 [ 702.335740][ T8397] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 702.345247][ T8420] binder: 8412:8420 BC_INCREFS_DONE u0000000000000000 no match 17:34:12 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 702.353418][ T8397] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 702.374581][ T8397] Interruptibility = 00000000 ActivityState = 00000000 [ 702.390651][ T8397] *** Host State *** 17:34:12 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = gettid() sched_getparam(r1, &(0x7f0000000040)) r2 = pkey_alloc(0x0, 0x1a821b5559b5647) pkey_mprotect(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x2000000, r2) [ 702.406964][ T8397] RIP = 0xffffffff811b40b0 RSP = 0xffff888052dd78e0 [ 702.424726][ T8397] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 702.441412][ T8397] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 702.453789][ T8424] binder: 8407:8424 BC_INCREFS_DONE node 3541 has no pending increfs request [ 702.482198][ T8397] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 702.484990][ T8427] binder: 8426:8427 ioctl c018620b 0 returned -14 [ 702.489236][ T8397] CR0=0000000080050033 CR3=0000000087cc9000 CR4=00000000001426e0 [ 702.505513][ T8397] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 702.520264][ T8397] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 702.532360][ T8397] *** Control State *** [ 702.549514][ T8397] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca 17:34:12 executing program 1: r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(0xffffffffffffffff, 0x84, 0x7c, &(0x7f0000000080)={0x0, 0x6, 0xe0}, &(0x7f00000000c0)=0x8) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000100)={r1, @in6={{0xa, 0x4e22, 0x0, @loopback, 0x2}}}, &(0x7f00000001c0)=0x84) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000200)={r1, @in={{0x2, 0x4e21}}, 0xf7, 0x0, 0xd07, 0x30, 0x11}, &(0x7f00000002c0)=0x98) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x4000000010005) madvise(&(0x7f0000004000/0x3000)=nil, 0x3000, 0x13) r3 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vsock\x00', 0x2200, 0x0) getsockopt$inet_sctp6_SCTP_MAXSEG(r3, 0x84, 0xd, &(0x7f0000000340)=@assoc_id=r2, &(0x7f0000000380)=0x4) [ 702.557990][ T8397] EntryControls=0000d1ff ExitControls=002fefff [ 702.576857][ T8397] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 702.594820][ T8432] binder: 8426:8432 BC_INCREFS_DONE node 3544 has no pending increfs request [ 702.609777][ T8397] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 702.628271][ T8397] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 702.638978][ T8397] reason=80000021 qualification=0000000000000000 [ 702.651571][ T8397] IDTVectoring: info=00000000 errcode=00000000 17:34:12 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) r0 = syz_open_dev$adsp(&(0x7f0000000100)='/dev/adsp#\x00', 0x3f, 0x20000) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x406) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x2000000000064) r1 = syz_open_dev$usb(&(0x7f0000000080)='/dev/bus/usb/00#/00#\x00', 0x1, 0x400) timerfd_gettime(r1, &(0x7f00000000c0)) ioctl$PERF_EVENT_IOC_QUERY_BPF(r1, 0xc008240a, &(0x7f0000000180)=ANY=[@ANYBLOB="0000000000000040c8442595dc4d680a117c9ae3f316c709f3d8a35e76dd035e3230bcdf30dc250416bf2e09ebaddd8870c720632be2cac8ef5a7500000000000000000000000011ce19c551f8304d7edbad73e72a3ef725bd"]) [ 702.661696][ T8397] TSC Offset = 0xfffffe860f74eb27 [ 702.674781][ T8397] EPT pointer = 0x000000000d3ef01e 17:34:12 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6c000000) 17:34:12 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000fef000/0xe000)=nil, 0xe000, 0x7) 17:34:12 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x7fff) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) ioctl$TIOCMGET(r0, 0x5415, &(0x7f00000000c0)) r2 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x5, 0x0) ioctl$TCGETS(r2, 0x5401, &(0x7f0000000040)) ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000100)=0x0) move_pages(r3, 0x4, &(0x7f0000000140)=[&(0x7f0000005000/0x4000)=nil, &(0x7f0000005000/0x2000)=nil, &(0x7f0000007000/0x3000)=nil, &(0x7f0000006000/0x3000)=nil], &(0x7f0000000180)=[0xb765, 0x4, 0x2], &(0x7f00000001c0), 0x2) [ 702.943901][ T8449] *** Guest State *** [ 702.950292][ T8449] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 702.977584][ T8449] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 702.994116][ T8449] CR3 = 0x0000000000000000 [ 703.014977][ T8449] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 703.021955][ T8449] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 703.044388][ T8449] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 703.052177][ T8449] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 703.062730][ T8449] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 703.073435][ T8449] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 703.082376][ T8449] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 703.091402][ T8449] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 703.094867][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 703.101247][ T8449] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 703.113226][ T8422] binder: 8414:8422 ioctl c018620b 0 returned -14 [ 703.117599][ T8449] GDTR: limit=0x00000000, base=0x0000000000000000 [ 703.131985][ T8449] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 703.142786][ T8424] binder: BINDER_SET_CONTEXT_MGR already set [ 703.162737][ T8422] binder_alloc: 8407: binder_alloc_buf, no vma [ 703.173170][ T8424] binder: 8407:8424 ioctl 40046207 0 returned -16 [ 703.176570][ T8449] IDTR: limit=0x00000000, base=0x0000000000000000 [ 703.189050][ T8422] binder: 8414:8422 BC_INCREFS_DONE u0000000000000000 no match [ 703.198597][ T2986] binder: send failed reply for transaction 3537 to 8414:8422 [ 703.202871][ T8457] binder_alloc: 8407: binder_alloc_buf, no vma 17:34:13 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x5452, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:13 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0xe20c061a678e0402, 0x0) r0 = syz_open_dev$sndpcmc(&(0x7f0000000080)='/dev/snd/pcmC#D#c\x00', 0x1, 0x48080) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x4001fd) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) lstat(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)) [ 703.212017][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 703.220280][ T8427] binder: 8426:8427 ioctl c018620b 0 returned -14 [ 703.227965][ T8460] binder: 8426:8460 BC_INCREFS_DONE u0000000000000000 no match [ 703.228045][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 703.243005][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 703.250865][ T8449] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:13 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x3) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0) setsockopt$nfc_llcp_NFC_LLCP_RW(r1, 0x118, 0x0, &(0x7f0000000080)=0x5, 0x4) 17:34:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:13 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 703.284091][ T8449] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 703.319199][ T8449] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:34:13 executing program 1: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000040)={0xffffffffffffff9c}) getsockopt$bt_rfcomm_RFCOMM_LM(r0, 0x12, 0x3, &(0x7f0000000080), &(0x7f00000000c0)=0x4) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 703.401973][ T8449] Interruptibility = 00000000 ActivityState = 00000000 [ 703.403387][ T8472] binder: 8470:8472 ioctl c018620b 0 returned -14 [ 703.430390][ T8449] *** Host State *** [ 703.447764][ T8449] RIP = 0xffffffff811b40b0 RSP = 0xffff88808d7978e0 [ 703.478163][ T8476] binder: 8471:8476 BC_INCREFS_DONE node 3557 has no pending increfs request [ 703.483694][ T8449] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 703.494585][ T8479] binder: 8470:8479 ioctl c018620b 0 returned -14 [ 703.496942][ T8480] binder: 8464:8480 BC_INCREFS_DONE node 3551 has no pending increfs request [ 703.510411][ T8477] binder: 8474:8477 ioctl c018620b 0 returned -14 [ 703.534607][ T8449] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 703.552181][ T7808] binder: release 8470:8475 transaction 3559 out, still active [ 703.563639][ T8449] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 703.564131][ T7808] binder: release 8470:8475 transaction 3553 out, still active 17:34:13 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpu.stat\x00', 0x0, 0x0) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000140)={'lo\x00', &(0x7f00000000c0)=@ethtool_link_settings={0x4d, 0x0, 0x79a, 0x10000, 0x8, 0x2bda, 0xba53, 0x337, 0x4, 0x200, [0x0, 0x8, 0x6, 0x4, 0x5, 0xc7c, 0x8, 0x8000], [0x3d3b, 0x9, 0x7, 0xfff, 0x6, 0x1, 0xe5b, 0x4]}}) madvise(&(0x7f0000006000/0x3000)=nil, 0x3000, 0xb) sysfs$2(0x2, 0x8001, &(0x7f0000000040)=""/76) socket$unix(0x1, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0xfffffffffffff638) socket$kcm(0x29, 0x2, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:13 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 703.589521][ T8449] CR0=0000000080050033 CR3=000000009e0bb000 CR4=00000000001426f0 [ 703.601456][ T8449] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 703.618473][ T8449] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 703.650870][ T8449] *** Control State *** [ 703.665838][ T8495] binder: 8490:8495 ioctl c018620b 0 returned -14 [ 703.672479][ T8449] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 703.672489][ T8449] EntryControls=0000d1ff ExitControls=002fefff [ 703.672505][ T8449] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 17:34:13 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) syz_open_dev$sndpcmp(&(0x7f0000000040)='/dev/snd/pcmC#D#p\x00', 0x56c6, 0x100) r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snapshot\x00', 0x40000, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0xfffffffffffffff8) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 703.672525][ T8449] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 703.757064][ T8449] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 703.764978][ T8499] binder: 8490:8499 BC_INCREFS_DONE node 3566 has no pending increfs request [ 703.788215][ T8449] reason=80000021 qualification=0000000000000000 [ 703.807124][ T8449] IDTVectoring: info=00000000 errcode=00000000 [ 703.844950][ T8449] TSC Offset = 0xfffffe8588f9d94a [ 703.850323][ T8449] EPT pointer = 0x000000009499e01e 17:34:13 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x74000000) 17:34:13 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = accept(r0, &(0x7f0000000040)=@nl=@proc, &(0x7f00000000c0)=0x80) sendmsg$nl_generic(r1, &(0x7f0000000280)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000002c0)=ANY=[@ANYBLOB="e00000001600000427bd7000fcdbdf2517000000285a3ebfa8331cede05aad78eb9e9bc3c7133c72c69e87a5e61f95c081cb9994803dc0d9f569f3c2ef0e9c2f4e556442e9a4de8c7c266e0c98847d420bd5c6549e4c44f740cdd661151a1f583dbda523d073fc9aedbd61c152ec494741ebbda2305577163e3180d035bb1f7affff000000250014002700ff02000000000000000000000000000112264b0fba4a6c5eb7ec15e02c02d61d19325b000000000000000f497318b94bb83e3cecc19cdb400fe6e4d98850b4cfcccd6c1abf0000000000000000000000000000000012ecd4b3baee0d7f26f91d46d43614"], 0xe0}, 0x1, 0x0, 0x0, 0x800}, 0x4) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000004000/0x3000)=nil, 0x3000, 0x0) 17:34:13 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) prctl$PR_SET_MM(0x23, 0xb, &(0x7f0000004000/0x2000)=nil) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 704.075049][ T8517] *** Guest State *** [ 704.079140][ T8517] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 704.096088][ T8517] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 704.113872][ T8517] CR3 = 0x0000000000000000 [ 704.118671][ T8517] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 704.125799][ T8517] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 704.132770][ T8517] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 704.140658][ T8517] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.153979][ T8517] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.169114][ T8480] binder: BINDER_SET_CONTEXT_MGR already set [ 704.184279][ T8517] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 704.186881][ T8480] binder: 8464:8480 ioctl 40046207 0 returned -16 [ 704.202597][ T8517] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.204492][ T7808] binder: release 8471:8476 transaction 3556 out, still active [ 704.230267][ T7808] binder: unexpected work type, 4, not freed [ 704.231743][ T8517] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.243510][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 704.256194][ T8487] binder: 8474:8487 ioctl c018620b 0 returned -14 [ 704.261618][ T8521] binder_alloc: 8464: binder_alloc_buf, no vma [ 704.272352][ T8523] binder_alloc: 8464: binder_alloc_buf, no vma [ 704.283222][ T8517] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.287640][ T7808] binder: release 8464:8467 transaction 3550 out, still active [ 704.292817][ T8487] binder: 8474:8487 BC_INCREFS_DONE u0000000000000000 no match [ 704.310599][ T7808] binder: send failed reply for transaction 3550, target dead [ 704.322815][ T7808] binder: send failed reply for transaction 3553, target dead 17:34:14 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x5460, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:14 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = syz_open_dev$vcsn(&(0x7f0000000100)='/dev/vcs#\x00', 0x7, 0x0) r2 = syz_open_dev$dspn(&(0x7f0000000140)='/dev/dsp#\x00', 0xffffffffffffffff, 0x40) ioctl$VHOST_NET_SET_BACKEND(r1, 0x4008af30, &(0x7f0000000180)={0x3, r2}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r3 = dup3(r0, r0, 0x80000) getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r3, 0x84, 0x72, &(0x7f0000000040)={0x0, 0x5, 0x30}, &(0x7f0000000080)=0xc) setsockopt$inet_sctp6_SCTP_RESET_STREAMS(r3, 0x84, 0x77, &(0x7f00000000c0)={r4, 0x80000000, 0x9, [0x8, 0x200, 0x8, 0x5, 0x9, 0x925, 0x8, 0x0, 0x7]}, 0x1a) ioctl$DRM_IOCTL_SET_MASTER(r3, 0x641e) [ 704.328707][ T8517] GDTR: limit=0x00000000, base=0x0000000000000000 [ 704.334744][ T7808] binder: send failed reply for transaction 3556, target dead [ 704.351057][ T8517] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.356664][ T7808] binder: send failed reply for transaction 3559, target dead [ 704.361786][ T8517] IDTR: limit=0x00000000, base=0x0000000000000000 17:34:14 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$FIGETBSZ(r0, 0x2, &(0x7f0000000080)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000000000)={0x0}, &(0x7f0000000040)=0xc) waitid(0x1, r1, &(0x7f0000000380), 0x20000004, &(0x7f0000000480)) 17:34:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 704.391472][ T7808] binder_send_failed_reply: 2 callbacks suppressed [ 704.391483][ T7808] binder: send failed reply for transaction 3562 to 8474:8487 [ 704.436561][ T8517] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 704.447217][ T7808] binder: send failed reply for transaction 3565 to 8490:8495 [ 704.455527][ T8495] binder: 8490:8495 ioctl c018620b 0 returned -14 [ 704.468839][ T8517] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 704.470953][ T8499] binder: 8490:8499 BC_INCREFS_DONE u0000000000000000 no match 17:34:14 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x40020000000004) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffff9c, 0x0, 0x9, &(0x7f0000000040)='(cpuset(\x00', 0xffffffffffffffff}, 0x30) ptrace$poke(0x5, r1, &(0x7f00000000c0), 0x0) [ 704.480547][ T8532] binder: 8531:8532 ioctl c018620b 0 returned -14 [ 704.497931][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 704.534294][ T8517] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:34:14 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 704.589269][ T8517] Interruptibility = 00000000 ActivityState = 00000000 [ 704.617558][ T8517] *** Host State *** [ 704.621797][ T8541] binder: 8527:8541 BC_INCREFS_DONE node 3574 has no pending increfs request [ 704.631462][ T8517] RIP = 0xffffffff811b40b0 RSP = 0xffff88805a5278e0 17:34:14 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) fsetxattr$trusted_overlay_redirect(r0, &(0x7f0000000180)='trusted.overlay.redirect\x00', &(0x7f00000001c0)='./file0\x00', 0x8, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vsock\x00', 0x41aa02, 0x0) write$P9_RAUTH(r2, &(0x7f0000000240)={0x14, 0x67, 0x1, {0x10, 0x0, 0x5}}, 0x14) socket$inet6_sctp(0xa, 0x1, 0x84) r3 = syz_open_dev$vbi(&(0x7f0000000080)='/dev/vbi#\x00', 0x3, 0x2) getsockopt$inet6_dccp_buf(r3, 0x21, 0xd, &(0x7f00000000c0)=""/54, &(0x7f0000000100)=0x36) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) mmap$binder(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x1, 0x101012, r3, 0x0) write$P9_RATTACH(r1, &(0x7f0000000040)={0x14, 0x69, 0x1, {0x40, 0x0, 0x7}}, 0x14) ioctl$KVM_CREATE_PIT2(r3, 0x4040ae77, &(0x7f0000000140)={0x8}) [ 704.645531][ T8517] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 704.659780][ T8517] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 704.669874][ T8517] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 704.677116][ T8517] CR0=0000000080050033 CR3=000000001abea000 CR4=00000000001426f0 [ 704.688406][ T8543] binder: 8542:8543 ioctl c018620b 0 returned -14 [ 704.700888][ T8517] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 704.715921][ T8517] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 704.723555][ T8517] *** Control State *** [ 704.729562][ T8517] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 704.737517][ T8517] EntryControls=0000d1ff ExitControls=002fefff 17:34:14 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0xa4040, 0x0) openat$full(0xffffffffffffff9c, &(0x7f0000000140)='/dev/full\x00', 0x101080, 0x0) r3 = mmap$binder(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x3922095a9da267be, 0x1012, 0xffffffffffffffff, 0x0) mount$9p_fd(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)='9p\x00', 0x20000, &(0x7f0000000380)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r0, @ANYBLOB="2c6163636573733d757365722c64656275673d3078303030303030303030303030303030352c6163636573733d757365722c63616368653d667363616368652c616669643d3078303030303030303030303030303830302c6e6f657874656e642c646f6e745f686173682c686173682c646f6e745f6d6561737572652c008d92a2bee88bf645e29b4d0ee438e327eea9fc1e5b786d1fb892c8daa95d6d06bbd030777d1204fc52e844cd8f81596eff14e034dd1d2f6d3267da0f3cd4d11de13451344d581e8669c15fe95ae79b689c38c788fed6404f6ca1e37ae24fc498830a0897c8b4fd272db55b53eee5903f750ed1e978fc44817a54bcd25f1d7ee2129e0a97937432f172af0b9c7a0a7817cc8de0"]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000100)={0x14, 0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="08631040", @ANYRES64=r3, @ANYBLOB="090019359b1969650000"], 0x24, 0x0, &(0x7f00000000c0)="3e19b19c8037fd0cb7499f9eb897dc6add5cd047a4e4b826e4dd5cd5d62a52d2709efd85"}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 704.745097][ T8547] binder: 8542:8547 BC_INCREFS_DONE node 3580 has no pending increfs request [ 704.768243][ T8517] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 704.782011][ T8517] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 704.789771][ T8517] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 704.797478][ T8517] reason=80000021 qualification=0000000000000000 [ 704.804834][ T8517] IDTVectoring: info=00000000 errcode=00000000 [ 704.813664][ T8517] TSC Offset = 0xfffffe84e6b1223b [ 704.824497][ T8517] EPT pointer = 0x000000009989e01e 17:34:14 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x7a000000) 17:34:14 executing program 1: r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock\x00', 0x20000, 0x0) ioctl$DRM_IOCTL_GEM_FLINK(0xffffffffffffffff, 0xc008640a, &(0x7f0000000080)={0x0}) r2 = dup2(0xffffffffffffffff, 0xffffffffffffffff) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r0, 0xc00c642e, &(0x7f00000000c0)={r1, 0x80000, r2}) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 704.995464][ T8559] Unknown ioctl -1072929746 [ 705.004553][ T8559] Unknown ioctl -1072929746 [ 705.031130][ T8556] *** Guest State *** [ 705.035189][ T8556] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 17:34:15 executing program 1: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x8800, 0x0) recvfrom$inet(r0, &(0x7f0000000080)=""/4096, 0x1000, 0x0, &(0x7f0000001080)={0x2, 0x4e20, @local}, 0x10) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 705.045675][ T8556] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 705.065262][ T8556] CR3 = 0x0000000000000000 [ 705.081923][ T8556] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 705.097783][ T8556] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 705.109407][ T8556] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 705.122669][ T8556] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 705.132993][ T8556] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:15 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 705.143220][ T8556] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 705.160741][ T8556] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 705.187889][ T8556] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 705.204655][ T8556] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 705.214704][ T8556] GDTR: limit=0x00000000, base=0x0000000000000000 [ 705.230166][ T8556] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 705.242770][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 705.261474][ T8556] IDTR: limit=0x00000000, base=0x0000000000000000 [ 705.274235][ T8556] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 705.285517][ T8572] binder: 8531:8572 ioctl c018620b 0 returned -14 [ 705.294558][ T8556] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 705.302753][ T8541] binder: BINDER_SET_CONTEXT_MGR already set [ 705.312620][ T8575] binder_alloc: 8527: binder_alloc_buf, no vma [ 705.319464][ T8556] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 705.329954][ T8541] binder: 8527:8541 ioctl 40046207 0 returned -16 [ 705.336815][ T8556] Interruptibility = 00000000 ActivityState = 00000000 [ 705.345013][ T8577] binder: 8531:8577 BC_INCREFS_DONE node 3583 has no pending increfs request [ 705.354598][ T8575] binder_transaction: 11 callbacks suppressed [ 705.354620][ T8575] binder: 8527:8575 transaction failed 29189/-3, size 24-8 line 3147 [ 705.373896][ T8556] *** Host State *** [ 705.376581][ T8574] binder: 8527:8574 BC_INCREFS_DONE u0000000000000000 no match [ 705.378444][ T8556] RIP = 0xffffffff811b40b0 RSP = 0xffff888051b2f8e0 [ 705.387341][ T2986] binder: release 8531:8539 transaction 3582 out, still active [ 705.393689][ T8556] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 705.409244][ T8556] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 705.418744][ T8556] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 705.419432][ T2986] binder: unexpected work type, 4, not freed [ 705.426227][ T8556] CR0=0000000080050033 CR3=000000001abea000 CR4=00000000001426f0 [ 705.440612][ T8556] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 705.443473][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 705.449129][ T8556] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 705.461810][ T8556] *** Control State *** [ 705.462485][ T2986] binder: send failed reply for transaction 3573 to 8527:8533 [ 705.472000][ T8556] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 705.482984][ T8547] binder: 8542:8547 ioctl c018620b 0 returned -14 [ 705.490659][ T8547] binder: 8542:8547 transaction failed 29189/-22, size 24-8 line 2994 [ 705.490962][ T2986] binder: send failed reply for transaction 3576 to 8531:8539 [ 705.505137][ T8556] EntryControls=0000d1ff ExitControls=002fefff [ 705.514945][ T2986] binder: send failed reply for transaction 3579 to 8542:8543 [ 705.521255][ T8556] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 705.522501][ T2986] binder: send failed reply for transaction 3582, target dead [ 705.532129][ T8578] binder: 8542:8578 BC_INCREFS_DONE u0000000000000000 no match [ 705.546545][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 705.552808][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 705.554041][ T8556] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 705.575610][ T8556] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 705.582947][ T8556] reason=80000021 qualification=0000000000000000 [ 705.590191][ T8556] IDTVectoring: info=00000000 errcode=00000000 [ 705.596459][ T8556] TSC Offset = 0xfffffe8467a9c143 [ 705.596471][ T8556] EPT pointer = 0x000000008862101e 17:34:15 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:15 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) syncfs(r0) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x80400, 0x0) bind$bt_rfcomm(r1, &(0x7f0000000080)={0x1f, {0x8000, 0x80000001, 0x2, 0x2, 0x100000000, 0x3}, 0x20}, 0xa) 17:34:15 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r2 = gettid() perf_event_open(&(0x7f0000000000)={0x3, 0x70, 0x9, 0xffffffffffff3951, 0xfff, 0xffffffffffffff5d, 0x0, 0x6, 0x50026, 0xa, 0x100, 0x5, 0x1, 0x2, 0xd1, 0xf7a0, 0x9, 0xffffffffffff118d, 0xf37, 0xe868, 0x8, 0xb2, 0x9, 0x6, 0x6, 0x1000, 0x7f0b, 0x7, 0xd62, 0x8001, 0xfff, 0x4, 0x8, 0x1, 0x3, 0x8001, 0x3ff, 0x2, 0x0, 0x0, 0x1, @perf_config_ext={0x3f, 0x76ab}, 0x8000, 0x2, 0xfffffffffffffffd, 0x8, 0x7, 0x10000, 0xe2}, r2, 0xa, r0, 0x8) 17:34:15 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620c, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:15 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0xffff8000) [ 705.693251][ T8585] binder: 8583:8585 ioctl c018620b 0 returned -14 [ 705.703430][ T8586] binder: 8584:8586 ioctl c018620b 0 returned -14 [ 705.752135][ T8585] binder: 8583 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 705.752151][ T8585] binder: 8583:8585 ioctl c018620c 20000140 returned -22 [ 705.777753][ T8596] binder: 8581:8596 transaction failed 29189/-22, size 24-8 line 2994 [ 705.787313][ T8597] binder: 8584:8597 transaction failed 29189/-22, size 24-8 line 2994 17:34:15 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) setsockopt$sock_void(r1, 0x1, 0x1b, 0x0, 0x0) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000000080)={0x2, &(0x7f0000000040)=[{0xbae8, 0x9, 0xffffffffffffffff, 0x7f}, {0x5915, 0x7, 0x20, 0x6071}]}, 0x10) [ 705.798043][ T8600] binder: 8583:8600 transaction failed 29189/-22, size 24-8 line 2994 [ 705.841305][ T8602] binder: 8583:8602 ioctl c018620b 0 returned -14 [ 705.857105][ T8585] binder: 8583 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 705.857125][ T8585] binder: 8583:8585 ioctl c018620c 20000140 returned -22 17:34:15 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x0) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 705.929447][ T8608] binder: 8594:8608 BC_INCREFS_DONE node 3592 has no pending increfs request [ 705.954362][ T2986] binder: release 8583:8585 transaction 3594 out, still active 17:34:16 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0189436, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:16 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x8000000000) 17:34:16 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x400000, 0x0) getsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f0000000080), &(0x7f00000000c0)=0x4) [ 706.083924][ T8616] binder: 8614:8616 ioctl c018620b 0 returned -14 17:34:16 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x408080, 0x0) ioctl$sock_bt_bnep_BNEPGETCONNLIST(r1, 0x800442d2, &(0x7f00000000c0)={0x1, &(0x7f0000000080)=[{0x0, 0x0, 0x0, @broadcast}]}) ioctl$DRM_IOCTL_AGP_ALLOC(r1, 0xc0206434, &(0x7f0000000100)={0x8, 0x0, 0x10003, 0x2}) ioctl$DRM_IOCTL_AGP_BIND(r1, 0x40106436, &(0x7f0000000140)={r2, 0x100000000}) [ 706.200939][ T8620] *** Guest State *** [ 706.206040][ T8620] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 706.218482][ T8620] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 706.243943][ T8620] CR3 = 0x0000000000000000 [ 706.248649][ T8620] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 706.271535][ T8620] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 706.296125][ T8620] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 706.306740][ T8620] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.316159][ T8620] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.326648][ T8620] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 706.336012][ T8620] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.345427][ T8620] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.355151][ T8620] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.364626][ T8620] GDTR: limit=0x00000000, base=0x0000000000000000 [ 706.374195][ T8620] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.383726][ T8620] IDTR: limit=0x00000000, base=0x0000000000000000 [ 706.393130][ T8620] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 706.402946][ T8620] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 706.415924][ T8620] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 706.425798][ T8620] Interruptibility = 00000000 ActivityState = 00000000 [ 706.433178][ T8620] *** Host State *** [ 706.437301][ T8620] RIP = 0xffffffff811b40b0 RSP = 0xffff8880582bf8e0 [ 706.452238][ T8620] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 706.460298][ T8620] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 706.469498][ T8620] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 706.476436][ T8620] CR0=0000000080050033 CR3=000000009507b000 CR4=00000000001426e0 [ 706.484824][ T8620] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 706.492478][ T8620] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 706.493412][ T8597] binder: 8584:8597 ioctl c018620b 0 returned -14 [ 706.499939][ T8620] *** Control State *** [ 706.510462][ T8620] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 706.518360][ T8620] EntryControls=0000d1ff ExitControls=002fefff [ 706.525425][ T8620] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 706.533667][ T8620] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 706.546871][ T2986] binder: release 8584:8632 transaction 3600 out, still active [ 706.553005][ T8620] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 706.573120][ T8620] reason=80000021 qualification=0000000000000000 [ 706.592341][ T8620] IDTVectoring: info=00000000 errcode=00000000 [ 706.598800][ T8620] TSC Offset = 0xfffffe83c5326729 [ 706.620083][ T8608] binder: BINDER_SET_CONTEXT_MGR already set [ 706.627563][ T8620] EPT pointer = 0x000000008d92901e [ 706.636451][ T8636] binder_alloc: 8594: binder_alloc_buf, no vma [ 706.643449][ T8636] binder: 8594:8636 transaction failed 29189/-3, size 24-8 line 3147 [ 706.670620][ T8608] binder: 8594:8608 ioctl 40046207 0 returned -16 [ 706.677693][ T2986] binder: send failed reply for transaction 3591 to 8594:8599 [ 706.689745][ T2986] binder: send failed reply for transaction 3594, target dead [ 706.706638][ T2986] binder: send failed reply for transaction 3597 to 8614:8616 [ 706.719590][ T8616] binder: 8614:8616 ioctl c018620b 0 returned -14 [ 706.745717][ T2986] binder: send failed reply for transaction 3600, target dead 17:34:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:16 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80800) write$P9_RUNLINKAT(r1, &(0x7f00000002c0)={0x7, 0x4d, 0x2}, 0x7) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcs\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, &(0x7f0000000100)={0x0, 0x9, 0x4, 0xfab, 0x37, 0xc52a, 0x8, 0x7fffffff, {0x0, @in6={{0xa, 0x4e20, 0x8001, @local, 0x200}}, 0x5, 0x54, 0x10000, 0x5, 0x9}}, &(0x7f00000001c0)=0xb0) getsockopt$inet_sctp_SCTP_CONTEXT(r2, 0x84, 0x11, &(0x7f0000000200)={r3, 0x7ce7}, &(0x7f0000000240)=0x8) r4 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x131000, 0x0) setsockopt$inet_sctp_SCTP_AUTOCLOSE(r4, 0x84, 0x4, &(0x7f0000000080)=0x7f, 0x4) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:16 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="0000000000007ffb"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:16 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x80ffff00000000) 17:34:16 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x40046207, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:16 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 706.856254][ T8642] binder: 8641:8642 ioctl c018620b 0 returned -14 [ 706.882889][ T8650] binder: 8639:8650 ioctl c018620b 0 returned -14 17:34:16 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor\x00', 0x20000, 0x0) write$FUSE_NOTIFY_INVAL_ENTRY(r1, &(0x7f0000000100)={0x27, 0x3, 0x0, {0x4, 0x6, 0x0, ':loem0'}}, 0x27) r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0x0, 0x0) ioctl$UFFDIO_ZEROPAGE(r2, 0xc020aa04, &(0x7f0000000080)={{&(0x7f0000006000/0x3000)=nil, 0x3000}, 0x1}) [ 706.924222][ T8653] binder: 8644:8653 transaction failed 29189/-22, size 24-8 line 2994 [ 706.925154][ T8650] binder: 8639:8650 transaction failed 29189/-22, size 24-8 line 2994 [ 706.940504][ T8654] binder_alloc: 8651: binder_alloc_buf, no vma [ 706.951070][ T8652] binder: BINDER_SET_CONTEXT_MGR already set [ 706.958224][ T8654] binder: 8641:8654 transaction failed 29189/-3, size 24-8 line 3147 [ 706.968452][ T8652] binder: 8651:8652 ioctl 40046207 0 returned -16 [ 706.982279][ T8654] binder_thread_write: 5 callbacks suppressed [ 706.982294][ T8654] binder: 8641:8654 BC_INCREFS_DONE u0000000000000000 no match [ 706.988915][ T8656] *** Guest State *** [ 707.004777][ T8652] binder: 8651:8652 got transaction to context manager from process owning it [ 707.021711][ T8662] binder: 8639:8662 BC_INCREFS_DONE u0000000000000000 no match [ 707.029468][ T8652] binder: 8651:8652 transaction failed 29201/-22, size 24-8 line 2985 [ 707.048899][ T8656] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 707.059608][ T8652] binder_thread_write: 1 callbacks suppressed 17:34:17 executing program 1: socketpair$unix(0x1, 0x7, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 707.059766][ T8652] binder: 8651:8652 BC_INCREFS_DONE node 3606 has no pending increfs request [ 707.066787][ T8662] binder: 8639:8662 ioctl c018620b 0 returned -14 [ 707.085108][ T8656] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 707.118342][ T8664] binder: BINDER_SET_CONTEXT_MGR already set [ 707.135192][ T8664] binder: 8651:8664 ioctl 40046207 20000140 returned -16 [ 707.154004][ T8650] binder_alloc: 8651: binder_alloc_buf, no vma [ 707.158822][ T8656] CR3 = 0x0000000000002000 [ 707.166739][ T8652] binder: BINDER_SET_CONTEXT_MGR already set [ 707.177374][ T8656] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 707.189583][ T8662] binder: 8639:8662 BC_INCREFS_DONE u0000000000000000 no match [ 707.197915][ T8652] binder: 8651:8652 ioctl 40046207 0 returned -16 [ 707.206898][ T8656] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 17:34:17 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x3f00, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:17 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r2 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x20000, 0x80) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x2400, 0xfffffffffffffff9) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000040)=0xa789) [ 707.215059][ T8652] binder: 8651:8652 BC_INCREFS_DONE u0000000000000000 no match [ 707.224061][ T8656] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 707.231635][ T8656] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 707.238806][ T8656] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 707.246645][ T8656] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 707.256051][ T8656] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:17 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x40046208, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 707.293432][ T8656] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 707.316724][ T8656] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 707.347550][ T8672] binder: 8671:8672 ioctl c018620b 0 returned -14 [ 707.386494][ T8656] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 707.407660][ T8656] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 707.419390][ T8656] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 707.430356][ T8656] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 707.439862][ T8679] binder: 8671:8679 BC_INCREFS_DONE u0000000000000000 no match [ 707.444557][ T8656] IDTR: limit=0x000001ff, base=0x0000000000003800 17:34:17 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x20000, 0x0) openat$cgroup_ro(r0, &(0x7f00000001c0)='rdma.current\x00', 0x0, 0x0) r1 = syz_open_dev$vbi(&(0x7f00000000c0)='/dev/vbi#\x00', 0x3, 0x2) ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r0, 0x40106614, &(0x7f0000000080)={0x0, @aes256}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x200001) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x6) [ 707.461384][ T8656] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 707.480881][ T8656] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 707.492165][ T8656] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 707.518115][ T8656] Interruptibility = 00000000 ActivityState = 00000000 [ 707.525613][ T8656] *** Host State *** [ 707.530007][ T8656] RIP = 0xffffffff811b40b0 RSP = 0xffff888085d778e0 [ 707.537566][ T8656] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 707.555609][ T8685] binder: BINDER_SET_CONTEXT_MGR already set [ 707.564235][ T8656] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 707.575687][ T8684] binder_alloc: 8676: binder_alloc_buf, no vma [ 707.585804][ T8656] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 707.593521][ T8685] binder: 8676:8685 ioctl 40046207 0 returned -16 [ 707.602629][ T8656] CR0=0000000080050033 CR3=0000000053f5a000 CR4=00000000001426e0 [ 707.612812][ T8678] binder: 8676:8678 BC_INCREFS_DONE u0000000000000000 no match [ 707.625676][ T8656] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 707.629361][ T2986] binder: release 8676:8678 transaction 3613 out, still active [ 707.649738][ T8687] binder: 8641:8687 ioctl c018620b 0 returned -14 17:34:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:17 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) syz_open_dev$usbmon(&(0x7f0000000100)='/dev/usbmon#\x00', 0x1f, 0x20000) openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm-monitor\x00', 0x15122320cd766a19, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000180)='/dev/vbi#\x00', 0x3, 0x2) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x2000000000) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) ioctl$VT_OPENQRY(r1, 0x5600, &(0x7f0000000340)) utime(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x5, 0x4}) r3 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/qat_adf_ctl\x00', 0x400, 0x0) fanotify_mark(r3, 0x20, 0x21, r3, &(0x7f00000001c0)='./file0\x00') fcntl$getownex(r0, 0x10, &(0x7f0000000200)={0x0, 0x0}) ioctl$sock_SIOCSPGRP(r1, 0x8902, &(0x7f0000000240)=r4) ioctl$EVIOCGID(r3, 0x80084502, &(0x7f0000000280)=""/134) [ 707.671370][ T8656] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 707.691615][ T8687] binder_alloc: 8676: binder_alloc_buf, no vma [ 707.703250][ T2986] binder: send failed reply for transaction 3613, target dead [ 707.733621][ T8656] *** Control State *** [ 707.749962][ T8690] QAT: Invalid ioctl [ 707.753834][ T8656] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 707.757633][ T8654] binder: 8641:8654 BC_INCREFS_DONE u0000000000000000 no match [ 707.784599][ T8656] EntryControls=0000d1ff ExitControls=002fefff [ 707.808740][ T8656] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 707.831388][ T8696] QAT: Invalid ioctl [ 707.846989][ T8656] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 707.860909][ T8656] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 707.873648][ T8656] reason=80000021 qualification=0000000000000000 [ 707.886912][ T8656] IDTVectoring: info=00000000 errcode=00000000 [ 707.896674][ T8656] TSC Offset = 0xfffffe835b5ea13f [ 707.903963][ T8656] EPT pointer = 0x000000004feca01e 17:34:17 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x8, 0x40800) setsockopt$inet_sctp6_SCTP_RECVRCVINFO(r1, 0x84, 0x20, &(0x7f0000000080)=0xfffffffffffffff7, 0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:17 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x40049409, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:17 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x100000000000000) 17:34:17 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x240801, 0x0) ioctl$EVIOCGABS20(r1, 0x80184560, &(0x7f0000000080)=""/13) [ 708.018418][ T8706] binder: 8704:8706 ioctl c018620b 0 returned -14 17:34:18 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = getpgid(0xffffffffffffffff) fcntl$setown(r0, 0x8, r1) r2 = syz_open_dev$usbmon(&(0x7f0000000040)='/dev/usbmon#\x00', 0xa60, 0x0) getsockopt$X25_QBITINCL(r2, 0x106, 0x1, &(0x7f0000000080), &(0x7f00000000c0)=0x4) [ 708.080067][ T8706] binder: 8704:8706 BC_INCREFS_DONE u0000000000000000 no match [ 708.117315][ T8709] binder: 8704:8709 ioctl c018620b 0 returned -14 [ 708.125795][ T2986] binder: release 8704:8709 transaction 3624 out, still active [ 708.149245][ T8679] binder: 8671:8679 ioctl c018620b 0 returned -14 [ 708.157864][ T8713] binder: 8700:8713 BC_INCREFS_DONE node 3622 has no pending increfs request 17:34:18 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='cpuset.effective_cpus\x00', 0x0, 0x0) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000080)='/dev/null\x00', 0x1, 0x0) linkat(r1, &(0x7f0000000040)='./file0\x00', r2, &(0x7f0000000100)='./file0\x00', 0x1000) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 708.183072][ T7808] binder: release 8671:8715 transaction 3627 out, still active 17:34:18 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x4000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:18 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 708.272528][ T8721] binder: 8720:8721 ioctl c018620b 0 returned -14 [ 708.316624][ T8712] *** Guest State *** [ 708.321376][ T8712] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 708.350827][ T8712] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 17:34:18 executing program 1: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0xa) ioctl$KVM_RUN(r0, 0xae80, 0x0) [ 708.365077][ T8712] CR3 = 0x0000000000002000 [ 708.366572][ T8728] binder: 8727:8728 ioctl c018620b 0 returned -14 [ 708.386524][ T8712] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 708.405430][ T8712] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 708.432604][ T8712] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 708.446092][ T8712] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 708.457135][ T8712] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 17:34:18 executing program 1: socketpair$unix(0x1, 0x4, 0x0, &(0x7f0000000480)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket(0x1b, 0x800, 0x0) setsockopt$inet6_MRT6_ADD_MFC(r1, 0x29, 0xcc, &(0x7f0000000040)={{0xa, 0x4e24, 0x401, @mcast1, 0x6}, {0xa, 0x4e20, 0x80, @mcast2, 0x3}, 0xfffffffffffffe00, [0x6, 0x8, 0x4, 0x5, 0x7, 0x7f, 0x4, 0x1ff]}, 0x5c) r2 = syz_genetlink_get_family_id$nbd(&(0x7f0000001780)='nbd\x00') r3 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000180)='/dev/ubi_ctrl\x00', 0x410100, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@mcast2, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in=@dev}}, &(0x7f00000002c0)=0xe8) r5 = getegid() mount$fuseblk(&(0x7f00000000c0)='/dev/loop0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='fuseblk\x00', 0x4, &(0x7f0000000500)=ANY=[@ANYBLOB="66643d9a98a7642bfc0a7db54825e62fac384562799d3c9e11f623215b8014825db1ce445179ee98fd1bb8d29301ba5429e243f13e0749cbdd57552354fc27f5df860fe6c03836142153ade2eac5899ccb8f49a936506b6f27d9b01c9609388fc9b34f724fe0e06cbe3587ab2902e5f627053583795ab2157156b7d3915beb99466453080bf96d2e4a073510d18440485ad383eb10b2444ef80be2f29951ab407c92bf25f45f461403292be33cf234298d560200c984702ec6729f714247cc3029db1f10", @ANYRESHEX=r3, @ANYBLOB=',rootmode=00000000000000000140000,user_id=', @ANYRESDEC=r4, @ANYBLOB=',group_id=', @ANYRESDEC=r5, @ANYBLOB=',blksize=0x0000000000000200,max_read=0x0000000000000007,blksize=0x0000000000000200,allow_other,blksize=0x0000000000000400,allow_other,permit_directio,\x00']) r6 = openat$vcs(0xffffffffffffff9c, &(0x7f00000017c0)='/dev/vcs\x00', 0x484000, 0x0) sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f0000001880)={&(0x7f0000001740)={0x10, 0x0, 0x0, 0x20040000}, 0xc, &(0x7f0000001840)={&(0x7f00000003c0)=ANY=[@ANYBLOB="2c0000c5b700", @ANYRES16=r2, @ANYBLOB="000b27bd7000fbdbdf25020000000c00080009000000000000000c00070008000100", @ANYRES32=r6], 0x2c}, 0x1, 0x0, 0x0, 0x20000000}, 0x20004010) uname(&(0x7f0000000300)=""/66) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) getsockopt$bt_sco_SCO_OPTIONS(r6, 0x11, 0x1, &(0x7f0000000000)=""/35, &(0x7f0000000380)=0x23) [ 708.475383][ T8712] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 708.493915][ T8712] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 708.520086][ T8712] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 708.530888][ T8712] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 708.540171][ T8712] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 708.549198][ T8712] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 708.558623][ T8712] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 708.572626][ T8712] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 17:34:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 708.591950][ T8712] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 708.606188][ T8712] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 708.618610][ T8712] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 708.630257][ T8712] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:34:18 executing program 1: r0 = openat$md(0xffffffffffffff9c, &(0x7f0000000040)='/dev/md0\x00', 0x200, 0x0) ioctl$BLKRRPART(r0, 0x125f, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 708.658044][ T8712] Interruptibility = 00000000 ActivityState = 00000000 [ 708.673930][ T8712] *** Host State *** [ 708.678263][ T8712] RIP = 0xffffffff811b40b0 RSP = 0xffff888052dd78e0 [ 708.685811][ T8712] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 708.697967][ T8712] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 708.720538][ T8746] binder: 8743:8746 ioctl c0306201 0 returned -14 [ 708.727663][ T8712] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 708.739138][ T8712] CR0=0000000080050033 CR3=00000000a125e000 CR4=00000000001426f0 17:34:18 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = syz_open_dev$cec(&(0x7f0000000080)='/dev/cec#\x00', 0x1, 0x2) r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/sys/net/ipv4/vs/secure_tcp\x00', 0x2, 0x0) ioctl$PERF_EVENT_IOC_SET_BPF(r2, 0x40042408, r3) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000ae3000/0x4000)=nil, 0x4000, 0xb) connect$bt_rfcomm(r0, &(0x7f0000000040)={0x1f, {0x7, 0x7539, 0x7ff, 0x6, 0x2, 0x9}, 0xffff}, 0xa) [ 708.771329][ T8712] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 708.779248][ T8712] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 708.792228][ T8712] *** Control State *** [ 708.796677][ T8712] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 708.833705][ T8713] binder: BINDER_SET_CONTEXT_MGR already set [ 708.848789][ T8755] binder_alloc: 8700: binder_alloc_buf, no vma [ 708.849001][ T8713] binder: 8700:8713 ioctl 40046207 0 returned -16 [ 708.862820][ T8712] EntryControls=0000d1ff ExitControls=002fefff [ 708.878702][ T8753] binder: 8700:8753 BC_INCREFS_DONE u0000000000000000 no match [ 708.883355][ T8712] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 708.898281][ T2986] binder: release 8700:8705 transaction 3621 out, still active [ 708.908722][ T2986] binder: send failed reply for transaction 3621, target dead [ 708.918588][ T8712] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 708.933667][ T8712] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 708.940498][ T2986] binder: send failed reply for transaction 3624, target dead [ 708.944940][ T8712] reason=80000021 qualification=0000000000000000 [ 708.967294][ T2986] binder: send failed reply for transaction 3630 to 8720:8729 [ 708.972274][ T8712] IDTVectoring: info=00000000 errcode=00000000 17:34:18 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x4018620d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 708.986199][ T8712] TSC Offset = 0xfffffe82a7770912 [ 708.996082][ T2986] binder: send failed reply for transaction 3633 to 8727:8731 [ 709.000857][ T8712] EPT pointer = 0x000000001a41401e [ 709.029428][ T2986] binder: send failed reply for transaction 3636 to 8743:8746 [ 709.062438][ T8729] binder: 8720:8729 ioctl c018620b 0 returned -14 17:34:19 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000) 17:34:19 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000004000/0x4000)=nil, 0x4000, 0x4) r1 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x100, 0x200000) r2 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_DISABLE_BEARER(r1, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80008}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x2c, r2, 0x100, 0x70bd27, 0x25dfdbfc, {{}, 0x0, 0x4102, 0x0, {0x10, 0x13, @l2={'eth', 0x3a, 'ip6tnl0\x00'}}}, [""]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x4000000) [ 709.091262][ T8760] binder: 8720:8760 BC_INCREFS_DONE u0000000000000000 no match [ 709.096969][ T8759] binder: BINDER_SET_CONTEXT_MGR already set 17:34:19 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$TUNGETFILTER(r1, 0x801054db, &(0x7f0000000040)=""/65) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r2 = dup3(r1, r0, 0x80000) getsockopt$IPT_SO_GET_ENTRIES(r2, 0x0, 0x41, &(0x7f0000000480)={'mangle\x00', 0xee, "cacddf2f5d0c432431144b981c7d3bd896a0a5fe68775466330496194fb3433f5fa07e883ba43471e0d48477bdaa444fe2543879caa054d97a1a92ae0fb118e05e0e3768fe0caf3fc448a76b6c74c9f238847456d25ac13c46e68a36ba95412b91850ee9e391d46d36b0dee77cb50af6f2fbb7fae32d242ee6fd37a9335e2b487b3867d089a274a1a7d24595c4ccae8bd34dd18134e8883701e6cb37a8b62eec5dd59ddcc884c5901d70b9bc42d7e22a373371599f1acccbbb9d81cb38a9ad9f3a31802b0638c8a6e4ffa3393c86983325ca874d11082e20cfdd9b5c17dd1f7ebd87d408ef0ca83509d72013271a"}, &(0x7f0000000000)=0x112) [ 709.135270][ T8759] binder: 8758:8759 ioctl 40046207 0 returned -16 [ 709.135721][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 709.173377][ T8731] binder: 8727:8731 ioctl c018620b 0 returned -14 [ 709.184371][ T8765] binder: 8758:8765 got transaction to context manager from process owning it [ 709.196156][ T8767] binder_alloc: 8758: binder_alloc_buf, no vma 17:34:19 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x4) syz_open_dev$dmmidi(&(0x7f0000000040)='/dev/dmmidi#\x00', 0x3, 0x101000) [ 709.237153][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 709.243138][ T8759] binder: 8758:8759 BC_INCREFS_DONE u0000000000000000 node 3641 cookie mismatch 0000000000000000 != 00000000200000c0 [ 709.262014][ T8771] binder: 8770:8771 ioctl 801054db 20000040 returned -22 17:34:19 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x1000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 709.298216][ T8771] binder: 8770:8771 ioctl c018620b 0 returned -14 [ 709.322532][ T8776] binder: BINDER_SET_CONTEXT_MGR already set 17:34:19 executing program 1: r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000240)='/dev/zero\x00', 0x2000, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x22, &(0x7f0000000140)={0x0, 0x2, 0x7, 0x100, 0x0}, &(0x7f0000000180)=0x10) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f00000001c0)={r1, 0x5}, &(0x7f0000000200)=0x8) ioctl$DRM_IOCTL_ADD_MAP(r0, 0xc0286415, &(0x7f0000000040)={&(0x7f0000006000/0x2000)=nil, 0x3, 0x0, 0x87, &(0x7f0000007000/0x4000)=nil, 0x8}) setsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f00000000c0)={0x1, 0x2}, 0x8) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) ioctl$GIO_UNIMAP(r0, 0x4b66, &(0x7f0000000100)={0x1, &(0x7f0000000080)=[{}]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x1) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x6f) [ 709.349886][ T8776] binder: 8758:8776 ioctl 4018620d 20000140 returned -16 [ 709.359594][ T8778] binder_alloc: 8758: binder_alloc_buf, no vma [ 709.377343][ T8772] *** Guest State *** [ 709.381436][ T8772] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 709.425767][ T8759] binder: BINDER_SET_CONTEXT_MGR already set [ 709.439408][ T8783] binder: 8781:8783 ioctl c018620b 0 returned -14 [ 709.443014][ T8772] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 709.456632][ T8775] binder_alloc: 8758: binder_alloc_buf, no vma [ 709.463809][ T8759] binder: 8758:8759 ioctl 40046207 0 returned -16 [ 709.465840][ T8772] CR3 = 0x0000000000000000 [ 709.484417][ T8772] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 709.488104][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 709.492041][ T8772] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 709.506453][ T8772] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 709.514364][ T8772] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 709.523660][ T8772] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:19 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) r0 = openat$vfio(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vfio/vfio\x00', 0x101000, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) madvise(&(0x7f0000004000/0x2000)=nil, 0x2000, 0x4) [ 709.538924][ T8772] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 17:34:19 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0x4020940d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 709.601464][ T8772] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 709.646702][ T8772] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 709.689132][ T8772] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 709.724762][ T8800] binder: 8792:8800 ioctl c0306201 0 returned -14 17:34:19 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = syz_open_dev$vcsa(&(0x7f0000000040)='/dev/vcsa#\x00', 0x7fffffff, 0x105800) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000000c0)='IPVS\x00') sendmsg$IPVS_CMD_FLUSH(r1, &(0x7f0000000200)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x801000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000100)={0x8c, r2, 0x404, 0x70bd27, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x4}]}, @IPVS_CMD_ATTR_SERVICE={0x28, 0x1, [@IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@local}, @IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e21}, @IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x3b}]}, @IPVS_CMD_ATTR_DEST={0x44, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x5dc}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x5}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x80000001}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x2223}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x7}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x7}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x9}]}]}, 0x8c}, 0x1, 0x0, 0x0, 0x40080}, 0x0) sendmsg$nl_crypto(r1, &(0x7f00000003c0)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x20008}, 0xc, &(0x7f0000000380)={&(0x7f0000000280)=@del={0xe8, 0x11, 0x20, 0x70bd2c, 0x25dfdbfc, {{'gcm(xeta)\x00'}, [], [], 0x2000, 0x2400}, [{0x8, 0x1, 0x8}]}, 0xe8}, 0x1, 0x0, 0x0, 0x4040080}, 0x4000000) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 709.730292][ T8772] GDTR: limit=0x00000000, base=0x0000000000000000 [ 709.776744][ T8772] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 709.818188][ T8772] IDTR: limit=0x00000000, base=0x0000000000000000 [ 709.843482][ T8804] binder: 8798:8804 BC_INCREFS_DONE node 3650 has no pending increfs request 17:34:19 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x2) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x400, 0x0) setsockopt$inet_mreq(r1, 0x0, 0x24, &(0x7f0000000080)={@loopback, @local}, 0x8) [ 709.861212][ T8772] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 709.899672][ T8772] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 709.929804][ T8772] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 709.941901][ T8772] Interruptibility = 00000000 ActivityState = 00000000 [ 709.955447][ T8772] *** Host State *** [ 709.964458][ T8772] RIP = 0xffffffff811b40b0 RSP = 0xffff8880a102f8e0 [ 709.979101][ T8772] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 709.994739][ T8772] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 17:34:19 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400204) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 710.013599][ T8772] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 710.031416][ T8778] binder: 8770:8778 ioctl 801054db 20000040 returned -22 [ 710.035426][ T8772] CR0=0000000080050033 CR3=00000000978cd000 CR4=00000000001426f0 [ 710.049184][ T8778] binder: 8770:8778 ioctl c018620b 0 returned -14 [ 710.078484][ T8812] binder: 8770:8812 BC_INCREFS_DONE node 3653 has no pending increfs request [ 710.089477][ T8772] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 710.111096][ T8772] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 710.128104][ T8772] *** Control State *** [ 710.138593][ T8772] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 710.152234][ T8772] EntryControls=0000d1ff ExitControls=002fefff [ 710.153458][ T7808] binder: release 8770:8810 transaction 3652 out, still active [ 710.163047][ T8772] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 710.183655][ T8772] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 710.191445][ T8772] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 710.196588][ T7808] binder: unexpected work type, 4, not freed [ 710.210254][ T8772] reason=80000021 qualification=0000000000000000 [ 710.232803][ T8789] binder: 8781:8789 ioctl c018620b 0 returned -14 [ 710.233405][ T8772] IDTVectoring: info=00000000 errcode=00000000 [ 710.245280][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 710.276909][ T7808] binder: release 8781:8816 transaction 3655 out, still active [ 710.301002][ T8772] TSC Offset = 0xfffffe821d014587 [ 710.320728][ T8772] EPT pointer = 0x00000000a0dab01e 17:34:20 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x300000000000000) 17:34:20 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x3f000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:20 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) openat$mixer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/mixer\x00', 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x501800, 0x0) openat$cachefiles(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cachefiles\x00', 0xa0000, 0x0) r0 = syz_open_dev$midi(&(0x7f0000000100)='/dev/midi#\x00', 0x0, 0x80100) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x180fc81) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:20 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x1, 0x460040) ioctl$EVIOCGABS2F(r1, 0x8018456f, &(0x7f0000000040)=""/73) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 710.487491][ T8824] binder: 8822:8824 ioctl c018620b 0 returned -14 [ 710.494748][ T8827] binder: 8823:8827 ioctl c018620b 0 returned -14 [ 710.519496][ T8804] binder: BINDER_SET_CONTEXT_MGR already set [ 710.525593][ T8804] binder: 8798:8804 ioctl 40046207 0 returned -16 [ 710.550356][ T8833] binder_alloc: 8798: binder_alloc_buf, no vma [ 710.563941][ T8834] binder: 8823:8834 unknown command 0 [ 710.577320][ T8833] binder_transaction: 15 callbacks suppressed [ 710.577343][ T8833] binder: 8822:8833 transaction failed 29189/-3, size 24-8 line 3147 [ 710.588660][ T8834] binder: 8823:8834 ioctl c0306201 20000140 returned -22 17:34:20 executing program 1: socketpair$unix(0x1, 0x7, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r2 = open(&(0x7f0000000000)='./file0\x00', 0x101000, 0x11) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng\x00', 0x400440, 0x0) r4 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x3, 0x2) r5 = syz_open_dev$mouse(&(0x7f0000000100)='/dev/input/mouse#\x00', 0x9, 0x100) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000000380)={0x5, &(0x7f0000000340)=[{0x5e40, 0x2, 0x400000000, 0x5}, {0x4, 0x5, 0xb320, 0x3}, {0x81, 0x720, 0x1, 0xfffffffffffffff9}, {0x6, 0x6, 0x2, 0x5}, {0xde15, 0x2, 0x401, 0x1f}]}, 0x10) r6 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm_plock\x00', 0x400, 0x0) r7 = dup3(r0, r0, 0x80000) r8 = syz_open_dev$cec(&(0x7f0000000180)='/dev/cec#\x00', 0x2, 0x2) r9 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000001c0)='/proc/self/net/pfkey\x00', 0x2000, 0x0) ioctl$sock_bt_cmtp_CMTPGETCONNLIST(r8, 0x800443d2, &(0x7f0000000440)={0x4, &(0x7f00000003c0)=[{}, {}, {}, {}]}) r10 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='cpuset.effective_cpus\x00', 0x0, 0x0) ioctl$UDMABUF_CREATE_LIST(r2, 0x40087543, &(0x7f0000000240)={0x0, 0x8, [{r3, 0x0, 0xfffffffffffff000}, {r4, 0x0, 0xfffffffffffff000, 0xfffffffffffff000}, {r5, 0x0, 0x0, 0x1008000}, {r6, 0x0, 0x100000000}, {r7, 0x0, 0x1000000}, {r8, 0x0, 0x1000000000000, 0x1000000}, {r9, 0x0, 0x1000, 0xfffffffff0002000}, {r10, 0x0, 0xc595b20e14387ee, 0xfffffffff0000000}]}) [ 710.610699][ T8827] binder_alloc: 8798: binder_alloc_buf, no vma [ 710.616984][ T8827] binder: 8823:8827 transaction failed 29189/-3, size 24-8 line 3147 [ 710.618236][ T8829] binder_alloc: 8798: binder_alloc_buf, no vma [ 710.674920][ T7808] binder: send failed reply for transaction 3649 to 8798:8799 [ 710.684784][ T8838] binder_alloc: 8798: binder_alloc_buf, no vma [ 710.688184][ T8840] *** Guest State *** [ 710.697988][ T8829] binder: 8798:8829 transaction failed 29189/-3, size 24-8 line 3147 [ 710.701484][ T7808] binder_send_failed_reply: 1 callbacks suppressed [ 710.701493][ T7808] binder: send failed reply for transaction 3652, target dead [ 710.716092][ T8838] binder: 8835:8838 transaction failed 29189/-3, size 24-8 line 3147 [ 710.723263][ T8840] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 17:34:20 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 710.778685][ T8844] binder: 8835:8844 ioctl c0306201 0 returned -14 [ 710.786501][ T7808] binder: send failed reply for transaction 3655, target dead [ 710.795837][ T8834] binder: 8823:8834 ioctl c018620b 0 returned -14 17:34:20 executing program 1: socketpair$unix(0x1, 0x4, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x4, 0x2c0200) r2 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000080)='/dev/btrfs-control\x00', 0x240000, 0x0) ioctl$PERF_EVENT_IOC_SET_OUTPUT(r1, 0x2405, r2) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 710.828053][ T7808] binder: undelivered TRANSACTION_COMPLETE [ 710.837178][ T8827] binder: 8823:8827 unknown command 0 [ 710.852371][ T7808] binder: undelivered TRANSACTION_ERROR: 29189 [ 710.865663][ T8827] binder: 8823:8827 ioctl c0306201 20000140 returned -22 [ 710.892232][ T8840] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 710.913592][ T8848] binder: 8823:8848 transaction failed 29189/-22, size 24-8 line 2994 [ 710.949402][ T8840] CR3 = 0x0000000000002000 [ 710.969980][ T8840] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 711.002876][ T8840] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 17:34:21 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:21 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$full(0xffffffffffffff9c, &(0x7f0000000480)='/dev/full\x00', 0x101100, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="0c63d774"], 0x1, 0x0, &(0x7f0000000700)='+'}) r2 = dup2(r0, r1) r3 = semget(0x2, 0x3, 0x88) semctl$GETZCNT(r3, 0x3, 0xf, &(0x7f00000001c0)=""/30) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000080)={0x9, &(0x7f0000000000)=[{}, {}, {}, {}, {}, {}, {}, {0x0}, {}]}) ioctl$DRM_IOCTL_GET_CTX(r2, 0xc0086423, &(0x7f0000000100)={r4, 0x2}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) connect$tipc(r2, &(0x7f0000000380)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x2, 0x2}}, 0x10) ioctl$TUNSETVNETBE(r2, 0x400454de, &(0x7f00000003c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 711.033273][ T8840] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 711.061968][ T8859] binder: 8852:8859 BC_INCREFS_DONE node 3665 has no pending increfs request [ 711.076276][ T8840] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 711.116103][ T8840] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 711.149321][ T8865] binder: 8864:8865 ioctl c018620b 0 returned -14 [ 711.160383][ T8840] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 711.182869][ T8865] binder: 8864:8865 unknown command 1960272652 [ 711.201899][ T8840] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:21 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r2 = accept4(r0, 0x0, &(0x7f0000000200), 0x80000) getsockopt$TIPC_NODE_RECVQ_DEPTH(r2, 0x10f, 0x83, &(0x7f0000000240), &(0x7f0000000280)=0x4) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x440000, 0x0) r4 = geteuid() getresgid(&(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000100)=0x0) write$FUSE_ENTRY(r3, &(0x7f0000000140)={0x90, 0x0, 0x8, {0x5, 0x2, 0x1, 0x8000, 0x0, 0xbb55, {0x2, 0x3f, 0x1cd5, 0x1, 0x6, 0x0, 0x5, 0x8, 0x189eba8c, 0x0, 0x1, r4, r5, 0x471, 0xff}}}, 0x90) [ 711.216259][ T8865] binder: 8864:8865 ioctl c0306201 20000140 returned -22 [ 711.246291][ T8840] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 711.258459][ T8867] binder: 8864:8867 unknown command 1960272652 [ 711.270229][ T8833] binder: 8822:8833 ioctl c018620b 0 returned -14 [ 711.288988][ T7809] binder: release 8822:8841 transaction 3667 out, still active [ 711.304190][ T8840] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 711.313564][ T8865] binder: 8864:8865 ioctl c018620b 0 returned -14 [ 711.322684][ T8840] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 711.341527][ T8867] binder: 8864:8867 ioctl c0306201 20000140 returned -22 [ 711.357469][ T8840] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:21 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x40000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 711.384060][ T8840] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 711.393014][ T8840] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 711.485004][ T8840] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 711.519159][ T8879] binder: 8878:8879 ioctl c018620b 0 returned -14 [ 711.550320][ T8840] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 711.561127][ T8840] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 711.577807][ T8840] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 711.595907][ T8840] Interruptibility = 00000000 ActivityState = 00000000 [ 711.603074][ T8840] *** Host State *** [ 711.609083][ T8840] RIP = 0xffffffff811b40b0 RSP = 0xffff888058c978e0 [ 711.616789][ T8840] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 711.624140][ T8840] FSBase=00007fe957ae9700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 711.633915][ T8840] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 711.641243][ T8840] CR0=0000000080050033 CR3=000000000cc12000 CR4=00000000001426e0 [ 711.649414][ T8840] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 711.658864][ T8840] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 711.667146][ T8840] *** Control State *** [ 711.671336][ T8840] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 711.679090][ T8840] EntryControls=0000d1ff ExitControls=002fefff [ 711.685279][ T8840] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 711.693530][ T8840] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 711.701051][ T8840] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 711.708477][ T8840] reason=80000021 qualification=0000000000000000 [ 711.715522][ T8840] IDTVectoring: info=00000000 errcode=00000000 [ 711.722541][ T8840] TSC Offset = 0xfffffe8163617734 [ 711.727688][ T8840] EPT pointer = 0x0000000097c4a01e 17:34:21 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x400000000000000) 17:34:21 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:21 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_dev$dri(&(0x7f0000000000)='/dev/dri/card#\x00', 0x7, 0x81) r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0x800, 0x0) ioctl$TIOCGLCKTRMIOS(r0, 0x5456, &(0x7f0000000080)={0x5, 0x9, 0x7, 0xffffffffffffb8d1, 0x7, 0x69, 0x2, 0xf52, 0x0, 0x80, 0x8, 0x3}) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) pipe2(&(0x7f0000000100)={0xffffffffffffffff}, 0x800) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000540)={[0x40, 0x7, 0x0, 0x4, 0x7, 0x5, 0x0, 0x6, 0x401, 0x8001, 0xb1e, 0x3, 0x7, 0x1, 0x9, 0xedf], 0x4, 0x200000}) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(0xffffffffffffffff, 0x84, 0x6c, &(0x7f0000000480)={0x0, 0xa2, "db0bc4e010afe63ecf8fdc2c9dc2e6e4f3d8634c2a0330b2f2433f6af264d01282f9c2a5ecd9ccd0ff0f855b0ea3a9894ef74dfa352390f5a0d9b8b7a30bd24b1dd4770372a0790c6b427ef0667762a2730b50d55a844e2699454eeb86f9f87ad1f9881b3c5e320eb76c20f7343dc1447792b02ffc7d9a4ff66fd54c59db36320e078a173b689ac0384b1245d69bbfa4a86357a9d6395437b7e2f5315a9bfc333a79"}, &(0x7f00000001c0)=0xaa) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000380)={r3}, &(0x7f00000003c0)=0x8) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) socket$inet_sctp(0x2, 0x0, 0x84) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 711.748419][ T8859] binder: BINDER_SET_CONTEXT_MGR already set [ 711.763289][ T8883] binder_alloc: 8852: binder_alloc_buf, no vma [ 711.776758][ T8859] binder: 8852:8859 ioctl 40046207 0 returned -16 [ 711.777752][ T8883] binder: 8852:8883 transaction failed 29189/-3, size 24-8 line 3147 [ 711.826817][ T8885] binder: 8884:8885 ioctl c018620b 0 returned -14 [ 711.826929][ T2986] binder: send failed reply for transaction 3664 to 8852:8855 17:34:21 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = accept4$x25(r0, &(0x7f0000000000)={0x9, @remote}, &(0x7f0000000080)=0x12, 0x80800) ioctl$SIOCX25SCAUSEDIAG(r2, 0x89ec, &(0x7f00000000c0)={0x9, 0x7}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) 17:34:21 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 711.871694][ T8893] binder: 8886:8893 transaction failed 29189/-22, size 24-8 line 2994 [ 711.878867][ T2986] binder: send failed reply for transaction 3667, target dead [ 711.928264][ T2986] binder: send failed reply for transaction 3670 to 8878:8881 [ 711.935832][ T8898] binder: 8884:8898 transaction failed 29189/-22, size 24-8 line 2994 17:34:21 executing program 1: socketpair$unix(0x1, 0x6, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x200100, 0x0) ioctl$EVIOCGNAME(r1, 0x80404506, &(0x7f0000000080)=""/236) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 711.980194][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 712.000014][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 712.042784][ T8904] *** Guest State *** [ 712.061642][ T8904] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 712.079669][ T8904] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 712.100161][ T8904] CR3 = 0x0000000000000000 [ 712.107341][ T8904] RSP = 0x0000000000000f80 RIP = 0x0000000000000000 [ 712.117601][ T8904] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 712.125359][ T8913] binder: 8905:8913 BC_INCREFS_DONE node 3678 has no pending increfs request [ 712.135886][ T8904] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 17:34:22 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) splice(r0, &(0x7f00000000c0), r0, &(0x7f0000000100), 0x7, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x4) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x300, 0x0) ioctl$UFFDIO_UNREGISTER(r2, 0x8010aa01, &(0x7f0000000080)={&(0x7f0000bfe000/0x400000)=nil, 0x400000}) [ 712.144955][ T8904] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 712.156751][ T8904] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 712.193905][ T8904] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 712.232990][ T8904] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:22 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x800, 0x101000) bind$rxrpc(r1, &(0x7f0000000080)=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x4e22, @loopback}}, 0x24) ioctl$ASHMEM_GET_SIZE(r1, 0x7704, 0x0) madvise(&(0x7f0000004000/0x2000)=nil, 0x2000, 0x4) [ 712.252279][ T8904] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 712.271089][ T8904] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 712.280394][ T8904] GDTR: limit=0x00000000, base=0x0000000000000000 [ 712.302479][ T8904] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 712.321546][ T8904] IDTR: limit=0x00000000, base=0x0000000000000000 [ 712.322242][ T8921] binder: 8878:8921 ioctl c018620b 0 returned -14 [ 712.336687][ T8904] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:22 executing program 1: socketpair$unix(0x1, 0x800000000003, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x40000, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/dsp\x00', 0x200, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO(r3, 0xc02c5341, &(0x7f0000000400)) ioctl$PERF_EVENT_IOC_SET_BPF(r2, 0x40042408, r3) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) sendmsg$unix(r0, &(0x7f0000000340)={&(0x7f00000000c0)=@abs={0x0, 0x0, 0x4e20}, 0x6e, &(0x7f0000000000)=[{&(0x7f0000000140)="8990bdac08c26e049306ce5ed0e06e81ae6fc6ddafad5b5ebfc1a91d26ee1faffecdfcf6b65618d714500684b36828221fe4d02074f757f4ed0bb9d27dad8682bc72a991bdfaa0e8b72c24cc65a6a4e3f6f21182381b2ab84d27d4f2914533d1271090f86c6ddba6b0443bd68843cd70f6dc05f723e3113a064f814e9c64d87351366821007fc0571d8ca6606fa01b2bf169d596ae782306b4bd0b0e7ccea795eb1a1ffdb6ac9cc43d8e9b2d8ecb0a653aa4fd371217bae3cbeef22ac23d7f1e14c1c79f4de69f2849ce49bb93e449", 0xcf}, {&(0x7f0000000240)="766518afc6702ad38fe36b35f5c04daa9f0eb4653325dffb338a7a0166560e979d8eb9a6eaa0617d3634668261e2b935dfb80a3c3a338b579a2ab385df51c4eb8658c024e6d874b6b31341811330ce2c08380dac083f04f5a7ad28043c297bac32fd181c2562e61997069cc5910ee171a83beb820b082265aaab03e249aa227ee4645a73d6393ed9d59248203b3440e16d891189554da77d9b90437961a488956c76e3ce754d0098e162619ee1bd509bafbae4faacbe6ce20004f50fbccb116ecb61d78f0ff3ecde68dfaafbc775dbbe52532401d1aae65740d95b4f3d92a18a0b85", 0xe2}], 0x2, 0x0, 0x0, 0x44050}, 0x20000000) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x0, 0x0) ioctl$EVIOCGVERSION(r2, 0x80044501, &(0x7f0000000480)=""/83) tee(r0, r0, 0x7, 0x8) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 712.354520][ T8904] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 712.363070][ T8904] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 712.372230][ T8904] Interruptibility = 00000000 ActivityState = 00000000 [ 712.377689][ T8921] binder: 8878:8921 BC_INCREFS_DONE node 3681 has no pending increfs request [ 712.379908][ T8904] *** Host State *** [ 712.397289][ T8904] RIP = 0xffffffff811b40b0 RSP = 0xffff888027f7f8e0 [ 712.410791][ T8904] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 712.419144][ T8904] FSBase=00007fe957b2b700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 712.430562][ T8904] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 712.438249][ T8904] CR0=0000000080050033 CR3=000000009da85000 CR4=00000000001426e0 [ 712.446567][ T7809] binder: release 8878:8881 transaction 3680 out, still active 17:34:22 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0xfdfdffff, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 712.458281][ T8904] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 712.469886][ T7809] binder: unexpected work type, 4, not freed [ 712.481580][ T8904] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 712.481867][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 712.494584][ T8904] *** Control State *** [ 712.505909][ T8904] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 712.508734][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 712.522790][ T8904] EntryControls=0000d1ff ExitControls=002fefff [ 712.542779][ T8904] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 17:34:22 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)) r0 = syz_open_dev$dmmidi(&(0x7f0000000040)='/dev/dmmidi#\x00', 0x0, 0x8000) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$sock_inet_SIOCGIFNETMASK(r0, 0x891b, &(0x7f00000001c0)={'ip6_vti0\x00', {0x2, 0x4e22, @rand_addr=0x2}}) setsockopt$inet_group_source_req(r0, 0x0, 0x2f, &(0x7f0000000080)={0x80000001, {{0x2, 0x4e21, @multicast2}}, {{0x2, 0x4e23, @loopback}}}, 0x108) ioctl$EVIOCGPHYS(r0, 0x80404507, &(0x7f0000000080)) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 712.560831][ T8929] binder: 8928:8929 ioctl c018620b 0 returned -14 [ 712.568907][ T8904] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 712.594611][ T8904] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 712.602331][ T8904] reason=80000021 qualification=0000000000000000 [ 712.614586][ T8894] binder: 8884:8894 ioctl c018620b 0 returned -14 [ 712.648688][ T2986] binder: release 8884:8898 transaction 3686 out, still active [ 712.656104][ T8904] IDTVectoring: info=00000000 errcode=00000000 [ 712.690728][ T8904] TSC Offset = 0xfffffe80aae95f72 [ 712.710029][ T8904] EPT pointer = 0x000000008c09601e 17:34:22 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x500000000000000) 17:34:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:22 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x555d68e32dfa7562, 0x0) r2 = getuid() r3 = getegid() ioctl$KVM_S390_VCPU_FAULT(r1, 0x4008ae52, &(0x7f0000000100)=0x921) write$FUSE_ATTR(r1, &(0x7f0000000040)={0x78, 0x0, 0x4, {0x401, 0x0, 0x0, {0x1, 0x80000001, 0x2, 0x8, 0x5, 0x80000000, 0x100, 0x7, 0x6, 0x4, 0x0, r2, r3, 0x8000, 0x80000000}}}, 0x78) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:22 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_SET_EVBIT(r1, 0x40045564, 0x3) [ 712.808236][ T8941] binder: 8939:8941 ioctl c018620b 0 returned -14 [ 712.832274][ T8913] binder: BINDER_SET_CONTEXT_MGR already set [ 712.845944][ T8913] binder: 8905:8913 ioctl 40046207 0 returned -16 [ 712.864767][ T8943] binder_alloc: 8905: binder_alloc_buf, no vma [ 712.874625][ T8943] binder: 8905:8943 transaction failed 29189/-3, size 24-8 line 3147 [ 712.883892][ T8950] binder_alloc: 8905: binder_alloc_buf, no vma [ 712.896486][ T8913] binder_thread_write: 7 callbacks suppressed [ 712.896511][ T8913] binder: 8905:8913 BC_INCREFS_DONE u0000000000000000 no match 17:34:22 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000040)=0x0) sched_setaffinity(r1, 0x8, &(0x7f0000000080)=0x8) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 712.915962][ T8951] binder_alloc: 8905: binder_alloc_buf, no vma [ 712.915984][ T8950] binder: 8940:8950 transaction failed 29189/-3, size 24-8 line 3147 [ 712.924172][ T7809] binder: release 8905:8906 transaction 3677 out, still active [ 712.952585][ T8952] binder: 8939:8952 BC_INCREFS_DONE u0000000000000000 no match 17:34:22 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 712.978664][ T7809] binder: send failed reply for transaction 3677, target dead [ 713.014265][ T7809] binder: send failed reply for transaction 3680, target dead 17:34:23 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x6) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x4) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0x2000, 0x0) clock_gettime(0x7, &(0x7f0000000000)) ioctl$ASHMEM_GET_PROT_MASK(r1, 0x7706, &(0x7f00000000c0)) ioctl$SG_SET_KEEP_ORPHAN(r1, 0x2287, &(0x7f0000000080)=0xfffffffffffffffa) [ 713.039441][ T7809] binder: send failed reply for transaction 3683 to 8928:8931 [ 713.056320][ T7809] binder: send failed reply for transaction 3686, target dead [ 713.058343][ T8954] *** Guest State *** [ 713.133746][ T8954] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 17:34:23 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0x6, 0x408000) ioctl$KVM_CHECK_EXTENSION_VM(r1, 0xae03, 0x2) lsetxattr$trusted_overlay_opaque(&(0x7f00000000c0)='.\x00', &(0x7f0000000100)='trusted.overlay.opaque\x00', &(0x7f0000000140)='y\x00', 0x2, 0x1) ioctl$VIDIOC_TRY_ENCODER_CMD(r1, 0xc028564e, &(0x7f0000000080)={0x3, 0x1, [0x40, 0x1, 0x8, 0x1, 0x81, 0x1ed2, 0x1, 0xec1]}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 713.187336][ T8967] binder: 8959:8967 BC_INCREFS_DONE node 3694 has no pending increfs request [ 713.190028][ T8954] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 713.213419][ T8954] CR3 = 0x0000000000000000 [ 713.221615][ T8954] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 713.229584][ T8954] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 713.236930][ T8954] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 713.245716][ T8954] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 713.271905][ T8954] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:23 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) openat$capi20(0xffffffffffffff9c, &(0x7f0000000040)='/dev/capi20\x00', 0x204000, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) r1 = semget$private(0x0, 0x1, 0x2000000000002b) creat(&(0x7f0000000080)='./file0\x00', 0x20) semctl$GETNCNT(r1, 0x5, 0xe, &(0x7f0000000440)=""/168) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x503000, 0x0) r3 = syz_genetlink_get_family_id$nbd(&(0x7f00000001c0)='nbd\x00') sendmsg$NBD_CMD_STATUS(r2, &(0x7f0000000280)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000240)={&(0x7f0000000200)={0x2c, r3, 0x309, 0x70bd26, 0x25dfdbfd, {}, [@NBD_ATTR_DEAD_CONN_TIMEOUT={0xc, 0x8, 0x2}, @NBD_ATTR_DEAD_CONN_TIMEOUT={0xc, 0x8, 0x6}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000801}, 0x1) [ 713.292585][ T8954] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 713.317122][ T8954] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 713.328976][ T8954] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 713.338840][ T8954] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 713.349035][ T8954] GDTR: limit=0x00000000, base=0x0000000000000000 [ 713.367830][ T8954] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 713.377354][ T8931] binder: 8928:8931 ioctl c018620b 0 returned -14 [ 713.379843][ T8954] IDTR: limit=0x00000000, base=0x0000000000000000 [ 713.402862][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 713.411134][ T2986] binder: release 8928:8972 transaction 3696 out, still active [ 713.428872][ T8954] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:23 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0xfffffdfd, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 713.439610][ T8954] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 713.457574][ T8954] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 17:34:23 executing program 1: r0 = syz_open_dev$usbmon(&(0x7f0000000140)='/dev/usbmon#\x00', 0x100000000, 0x40100) r1 = gettid() write$P9_RGETLOCK(r0, &(0x7f0000000280)=ANY=[@ANYBLOB="2b0000003701000304000000000000007d01000000000000f7228bc830446a9f5810b86328693dc12e124297a9c0ba932333a7e229ae5d33521549388659bec637495e", @ANYRES32=r1, @ANYBLOB='\r\x00/dev/usbmon#\x00'], 0x2b) ioctl$VIDIOC_QBUF(r0, 0xc058560f, &(0x7f0000000180)={0x1000, 0x2, 0x4, 0x3000004, {0x0, 0x2710}, {0x3, 0x0, 0x5, 0x0, 0x8001, 0x3, "372fcbf0"}, 0x20, 0x3, @userptr=0x8000, 0x4}) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = dup2(r2, r3) ioctl$DRM_IOCTL_RM_MAP(r4, 0x4028641b, &(0x7f0000000040)={&(0x7f0000000000/0xc000)=nil, 0x3ff, 0x0, 0xd0, &(0x7f0000fff000/0x1000)=nil, 0x8000}) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) setsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r4, 0x84, 0xc, &(0x7f0000000080)=0x9, 0x4) getdents64(r4, &(0x7f00000000c0)=""/100, 0xffffffffffffff53) [ 713.490065][ T8954] Interruptibility = 00000000 ActivityState = 00000000 [ 713.499345][ T8954] *** Host State *** [ 713.516036][ T8954] RIP = 0xffffffff811b40b0 RSP = 0xffff888050da78e0 [ 713.530231][ T8981] binder: 8980:8981 ioctl c018620b 0 returned -14 [ 713.534068][ T8954] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 713.554679][ T8954] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 713.570154][ T8954] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 713.578139][ T8954] CR0=0000000080050033 CR3=00000000a87c5000 CR4=00000000001426f0 17:34:23 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) madvise(&(0x7f0000005000/0x3000)=nil, 0x3000, 0x9) [ 713.586748][ T8954] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 713.595456][ T8954] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 713.603417][ T8954] *** Control State *** [ 713.608783][ T8954] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 713.617452][ T8952] binder: 8939:8952 ioctl c018620b 0 returned -14 [ 713.641559][ T8954] EntryControls=0000d1ff ExitControls=002fefff [ 713.652574][ T8954] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 713.663129][ T2986] binder: release 8939:8952 transaction 3702 out, still active [ 713.670038][ T8954] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 713.690683][ T8954] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 713.743031][ T8954] reason=80000021 qualification=0000000000000000 [ 713.765064][ T8954] IDTVectoring: info=00000000 errcode=00000000 [ 713.782692][ T8954] TSC Offset = 0xfffffe801e9dc5d8 [ 713.788953][ T8954] EPT pointer = 0x000000009999f01e 17:34:23 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x600000000000000) 17:34:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) 17:34:23 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000000)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000040)={r1}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:23 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = request_key(&(0x7f00000000c0)='rxrpc\x00', &(0x7f0000000100)={'syz', 0x3}, &(0x7f0000000140)='\x00', 0xfffffffffffffffa) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000080)={'syz', 0x0}, 0x0, 0x0, r1) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 713.877510][ T9000] binder: 8996:9000 ioctl c018620b 0 returned -14 [ 713.890679][ T8967] binder: BINDER_SET_CONTEXT_MGR already set [ 713.915955][ T8967] binder: 8959:8967 ioctl 40046207 0 returned -16 17:34:23 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000040)=0x0) ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000000080)=0x0) rt_tgsigqueueinfo(r2, r3, 0x17, &(0x7f00000000c0)={0x2a, 0x8, 0x400001f6}) [ 713.923716][ T9003] binder_alloc: 8959: binder_alloc_buf, no vma [ 713.939711][ T9004] binder_alloc: 8959: binder_alloc_buf, no vma [ 713.949188][ T2986] binder: send failed reply for transaction 3693 to 8959:8961 [ 713.961122][ T9005] binder: 8996:9005 BC_INCREFS_DONE u0000000000000000 no match [ 713.969087][ T2986] binder: send failed reply for transaction 3696, target dead [ 713.984801][ T2986] binder: send failed reply for transaction 3699 to 8980:8984 [ 714.003988][ T2986] binder: send failed reply for transaction 3702, target dead 17:34:24 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc018620b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:24 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) madvise(&(0x7f0000005000/0x2000)=nil, 0x2000, 0x4) [ 714.036204][ T9008] *** Guest State *** [ 714.040254][ T9008] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 714.111580][ T9008] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 17:34:24 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0x780, 0x0) ioctl$DRM_IOCTL_GET_MAGIC(r1, 0x80046402, &(0x7f0000000080)=0x100) [ 714.197055][ T9008] CR3 = 0x0000000000002000 [ 714.202189][ T9008] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 714.247430][ T9008] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 714.255263][ T9008] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 714.265063][ T9020] binder: 9014:9020 BC_INCREFS_DONE node 3710 has no pending increfs request [ 714.275036][ T9008] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 714.287206][ T9008] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 714.295879][ T9008] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 714.305559][ T9008] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 714.332180][ T9008] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:24 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 714.342877][ T9024] binder: 8980:9024 ioctl c018620b 0 returned -14 [ 714.349900][ T9008] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 714.374065][ T9024] binder: 8980:9024 BC_INCREFS_DONE node 3713 has no pending increfs request [ 714.374615][ T9008] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 714.401029][ T9008] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 714.405101][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 714.425583][ T7809] binder: release 8980:8984 transaction 3712 out, still active [ 714.433882][ T9008] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 714.443563][ T7809] binder: unexpected work type, 4, not freed [ 714.450694][ T9008] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 714.460768][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 714.467249][ T9008] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 714.477122][ T9008] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 714.486791][ T9008] EFER = 0x0000000000000001 PAT = 0x0007040600070406 17:34:24 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x100000000000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 714.495039][ T9008] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 714.507046][ T9027] binder: BINDER_SET_CONTEXT_MGR already set [ 714.525375][ T9027] binder: 9026:9027 ioctl 40046207 0 returned -16 [ 714.531265][ T9008] Interruptibility = 00000000 ActivityState = 00000000 [ 714.559210][ T9008] *** Host State *** [ 714.564910][ T9008] RIP = 0xffffffff811b40b0 RSP = 0xffff888027f7f8e0 [ 714.572441][ T9008] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 714.579960][ T9008] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 714.589582][ T9008] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 714.596748][ T9031] binder: 9026:9031 BC_INCREFS_DONE node 3716 has no pending increfs request [ 714.610724][ T9030] binder: 9029:9030 ioctl c018620b 0 returned -14 [ 714.619581][ T9008] CR0=0000000080050033 CR3=0000000053296000 CR4=00000000001426f0 [ 714.627672][ T9008] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 714.635419][ T9008] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 714.643833][ T9008] *** Control State *** [ 714.648148][ T9008] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 714.655789][ T9008] EntryControls=0000d1ff ExitControls=002fefff [ 714.662419][ T9008] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 714.672941][ T9008] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 714.680542][ T9033] binder: 8996:9033 ioctl c018620b 0 returned -14 [ 714.687594][ T9008] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 714.695584][ T9008] reason=80000021 qualification=0000000000000000 [ 714.703159][ T9008] IDTVectoring: info=00000000 errcode=00000000 17:34:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 714.709522][ T9008] TSC Offset = 0xfffffe7f96ad4b0a [ 714.716099][ T9008] EPT pointer = 0x0000000095a5901e 17:34:24 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000240)='/dev/btrfs-control\x00', 0x400000, 0x0) getsockopt$bt_BT_SNDMTU(r1, 0x112, 0xc, &(0x7f0000000280)=0x9, &(0x7f0000000300)=0x2) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) r2 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x8006, 0x0) getpeername$packet(0xffffffffffffff9c, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000000080)=0x14) ioctl$ifreq_SIOCGIFINDEX_team(r2, 0x8933, &(0x7f0000000100)={'team0\x00', r3}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x25f, 0x0, &(0x7f00000003c0)}) write$nbd(r1, &(0x7f0000000340)={0x67446698, 0x1, 0x3, 0x2, 0x4, "f916ed5e97bae4b964589d2d9766b52eceeee67bc8dc770fea0a2130f9fdd48e4311800b00a98488fc1439274908745544e1cec3ab22ef7f3c697b22e38cb52c487026742b942d22c52f2ae740833bbbf314031c4f0d51afc35cf2a5e683212b2bab105fa82ee1ab6697d1d4e9ff591636de4f1c2440082ef174db84ff042dc08a232ecf4a0d6693cf85790b82704ceb9e0ec5f41017514e514480e52323a54b6f6172804f1e45bf"}, 0xb8) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="086310408dd29961951fceb44c4e7e4276151055955e413110b60e6f335b09eb80593193f9f64969a76c93ff93c732f3182e48e10000e4de260cf7fec5f63e17cf84f386878ee5acf1ae0cc953ae8e723fac9796379ea9d05687c68abed1f0ec27b65d529ed8588a8a2503c80886655b28de1104b49dd04e6a80c5e8705280d3891d7b2d6ee662a7ab70424a057b428aad8496d582f69177fd7da22e9a11034569f90f021ca620746c2e26bd3b9aa30aef72689aadae4f9d82b277fe4fc5b5ed02d006094404aa361d11ab41", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) 17:34:24 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x620000000000000) [ 714.751896][ T2986] binder: release 8996:9033 transaction 3721 out, still active [ 714.766938][ T2986] binder: unexpected work type, 4, not freed [ 714.785395][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 714.852612][ T9039] binder: 9038:9039 ioctl c018620b 0 returned -14 [ 714.921404][ T9045] binder: 9038:9045 BC_INCREFS_DONE ub4ce1f956199d28d no match [ 714.944680][ T9020] binder: BINDER_SET_CONTEXT_MGR already set [ 714.952911][ T9020] binder: 9014:9020 ioctl 40046207 0 returned -16 [ 714.960393][ T7809] binder: send failed reply for transaction 3709 to 9014:9016 [ 714.960730][ T9047] binder: 9014:9047 BC_INCREFS_DONE u0000000000000000 no match [ 714.968682][ T9046] *** Guest State *** [ 714.982128][ T7809] binder: send failed reply for transaction 3712, target dead [ 714.990256][ T9046] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 715.000422][ T7809] binder: send failed reply for transaction 3715 to 9026:9027 17:34:24 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc018620c, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:25 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 715.020001][ T9046] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 715.034864][ T7809] binder: send failed reply for transaction 3718 to 9029:9032 [ 715.061972][ T7809] binder: send failed reply for transaction 3721, target dead [ 715.077584][ T7809] binder: send failed reply for transaction 3724 to 9035:9040 [ 715.098640][ T9046] CR3 = 0x0000000000002000 [ 715.104258][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 715.114995][ T9046] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 715.132672][ T9046] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 715.146941][ T9046] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 715.186104][ T9052] binder: 9050 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 715.186124][ T9052] binder: 9050:9052 ioctl c018620c 20000140 returned -22 [ 715.207681][ T9046] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 715.218169][ T9052] binder: BINDER_SET_CONTEXT_MGR already set [ 715.221627][ T9046] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 715.232069][ T9052] binder: 9050:9052 ioctl 40046207 0 returned -16 [ 715.232086][ T9046] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 715.232109][ T9046] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 715.256970][ T9046] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 715.266213][ T9046] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 715.275377][ T9046] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 715.285525][ T9055] binder: 9053:9055 BC_INCREFS_DONE node 3730 has no pending increfs request [ 715.295393][ T9046] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 715.304499][ T9046] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 715.313537][ T9056] binder: 9050:9056 BC_INCREFS_DONE node 3733 has no pending increfs request [ 715.322819][ T9046] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 715.339280][ T9046] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 715.353131][ T9046] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 715.365476][ T9046] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 715.376492][ T9032] binder: 9029:9032 ioctl c018620b 0 returned -14 [ 715.379176][ T9046] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 715.386195][ T7809] binder: release 9029:9057 transaction 3735 out, still active [ 715.400147][ T9046] Interruptibility = 00000000 ActivityState = 00000000 [ 715.402306][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 17:34:25 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x3f00000000000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 715.424406][ T9046] *** Host State *** [ 715.428536][ T9046] RIP = 0xffffffff811b40b0 RSP = 0xffff8880150378e0 [ 715.435253][ T9046] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 715.450075][ T9046] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 715.488206][ T9061] binder: 9060:9061 ioctl c018620b 0 returned -14 [ 715.494941][ T9046] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 715.508075][ T9046] CR0=0000000080050033 CR3=0000000091d8d000 CR4=00000000001426e0 [ 715.516336][ T9046] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 715.524485][ T9046] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 715.531633][ T9046] *** Control State *** [ 715.536031][ T9046] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 715.543755][ T9046] EntryControls=0000d1ff ExitControls=002fefff [ 715.550517][ T9046] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 715.559830][ T9046] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 715.567434][ T9046] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 715.574981][ T9046] reason=80000021 qualification=0000000000000000 [ 715.582331][ T9046] IDTVectoring: info=00000000 errcode=00000000 17:34:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 715.589092][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 715.598861][ T9046] TSC Offset = 0xfffffe7f12b93977 [ 715.605325][ T9046] EPT pointer = 0x000000001c9b101e [ 715.629113][ T9045] binder: 9038:9045 ioctl c018620b 0 returned -14 17:34:25 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x700000000000000) 17:34:25 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2d6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 715.792251][ T9073] binder: 9072:9073 ioctl c018620b 0 returned -14 [ 715.861215][ T9074] *** Guest State *** [ 715.865636][ T9074] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 715.876516][ T9074] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 715.887642][ T9074] CR3 = 0x0000000000002000 [ 715.892385][ T9074] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 715.899812][ T9074] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 715.907315][ T9074] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 715.914289][ T9074] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 715.921301][ T9074] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 715.941470][ T9077] binder: 9050 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 715.941486][ T9077] binder: 9050:9077 ioctl c018620c 20000140 returned -22 [ 715.957657][ T2986] binder: release 9053:9054 transaction 3729 out, still active [ 715.965598][ T9074] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 715.982645][ T9074] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 715.988745][ T9056] binder: BINDER_SET_CONTEXT_MGR already set [ 715.994239][ T9074] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:25 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 716.007389][ T9074] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 716.017965][ T9074] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 716.027231][ T9078] binder_alloc_new_buf_locked: 1 callbacks suppressed [ 716.027243][ T9078] binder_alloc: 9053: binder_alloc_buf, no vma [ 716.027352][ T7809] binder: send failed reply for transaction 3729, target dead [ 716.045370][ T7809] binder: send failed reply for transaction 3732 to 9050:9052 [ 716.049878][ T9074] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 716.057630][ T9056] binder: 9050:9056 ioctl 40046207 0 returned -16 [ 716.073037][ T9078] binder_transaction: 5 callbacks suppressed [ 716.073058][ T9078] binder: 9050:9078 transaction failed 29189/-3, size 24-8 line 3147 [ 716.089773][ T7809] binder: send failed reply for transaction 3735, target dead [ 716.109469][ T9074] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 716.109931][ T7809] binder: send failed reply for transaction 3738 to 9060:9062 [ 716.152507][ T9074] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 17:34:26 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0189436, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 716.183268][ T9074] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 716.194153][ T7809] binder: send failed reply for transaction 3741 to 9065:9068 [ 716.196724][ T9074] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 716.221095][ T9074] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 716.229322][ T9083] binder: 9079:9083 BC_INCREFS_DONE node 3750 has no pending increfs request [ 716.233002][ T7809] binder: send failed reply for transaction 3744 to 9072:9075 [ 716.238847][ T9074] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 716.273775][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 716.277510][ T9074] Interruptibility = 00000000 ActivityState = 00000000 [ 716.292665][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 716.300499][ T9086] binder: 9060:9086 ioctl c018620b 0 returned -14 [ 716.311420][ T9085] binder: BINDER_SET_CONTEXT_MGR already set [ 716.320153][ T9087] binder: 9060:9087 BC_INCREFS_DONE u0000000000000000 no match [ 716.320377][ T9074] *** Host State *** [ 716.333457][ T9085] binder: 9084:9085 ioctl 40046207 0 returned -16 [ 716.340251][ T7809] binder: release 9060:9086 transaction 3752 out, still active [ 716.341503][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 716.355470][ T9074] RIP = 0xffffffff811b40b0 RSP = 0xffff8880a15678e0 17:34:26 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x4000000000000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 716.368448][ T9074] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 716.387747][ T9074] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 716.398930][ T9088] binder: 9084:9088 BC_INCREFS_DONE node 3756 has no pending increfs request [ 716.413169][ T9074] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 716.434365][ T9074] CR0=0000000080050033 CR3=000000008b5ac000 CR4=00000000001426f0 [ 716.445779][ T9074] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 716.453796][ T9074] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 716.466883][ T9091] binder: 9090:9091 ioctl c018620b 0 returned -14 [ 716.473755][ T9074] *** Control State *** 17:34:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 716.478711][ T9074] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 716.486390][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 716.496294][ T9074] EntryControls=0000d1ff ExitControls=002fefff [ 716.504289][ T9074] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 716.519809][ T9074] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 716.529367][ T9074] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 716.543572][ T9074] reason=80000021 qualification=0000000000000000 [ 716.551322][ T9074] IDTVectoring: info=00000000 errcode=00000000 [ 716.557977][ T9074] TSC Offset = 0xfffffe7e99937cd1 [ 716.563416][ T9074] EPT pointer = 0x00000000879db01e 17:34:26 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x800000000000000) 17:34:26 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x802) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000080)={&(0x7f0000000480)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xfc, 0x114, 0x1, {"75529610bc6ccdb34ce02cb32f3f4db99719635ed7da4a870ddd50d9b8308a84b8c11e626018dd408a043977a6810cea7c3751f50c91347f02b92e9072b580bd4b5a55237acb555076c10236110dd5b881efb1dfb0b00ec9917f409ce72f5f2464a8de19857a35fae09acc295de717180f97c62780aee0f39f231e0302ea81bcd427785c7f27492484922645d26c6a426e9dad725326a40743cb6d5441f00754ce1c442fe053702abc874eecc61e8adbdecc97e4c96a83a769612312ab0ee54eabb5df12b55675987ee3ab0fdc392cd50eedbef1494605d7c1c04aecdf58c0f6a58d88f25b1c32f0244d2d665736f27decd5c32b8123df7bda2863d2"}}, {0x0, '$F'}}, &(0x7f0000000000)=""/101, 0x118, 0x65, 0x1}, 0x20) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000004000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 716.583673][ T9075] binder: 9072:9075 ioctl c018620b 0 returned -14 [ 716.598191][ T7809] binder: release 9072:9096 transaction 3761 out, still active [ 716.606074][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 716.715701][ T9103] binder: 9102:9103 ioctl c018620b 0 returned -14 [ 716.726954][ T9103] binder: 9102:9103 ioctl c0306201 20000140 returned -11 [ 716.736835][ T9103] binder: 9102:9103 transaction failed 29189/-22, size 24-8 line 2994 [ 716.746507][ T9103] binder: 9102:9103 BC_INCREFS_DONE u0000000000000000 no match [ 716.757268][ T9104] binder: 9102:9104 ioctl c018620b 0 returned -14 [ 716.765515][ T9103] binder: 9102:9103 transaction failed 29189/-22, size 24-8 line 2994 [ 716.776211][ T9104] binder: 9102:9104 BC_INCREFS_DONE u0000000000000000 no match 17:34:26 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 716.809075][ T9106] *** Guest State *** [ 716.824328][ T9106] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 716.849315][ T9106] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 716.865211][ T9109] binder: 9108:9109 ioctl c018620b 0 returned -14 [ 716.889416][ T9106] CR3 = 0x0000000000002000 [ 716.903515][ T9106] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 716.910042][ T2986] binder: release 9079:9081 transaction 3749 out, still active [ 716.924525][ T2986] binder: unexpected work type, 4, not freed [ 716.925884][ T9106] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 716.938731][ T9106] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 716.947870][ T2986] binder: undelivered TRANSACTION_COMPLETE 17:34:26 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 716.958344][ T9106] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 716.959276][ T2986] binder: send failed reply for transaction 3749, target dead [ 716.966048][ T9106] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 716.980307][ T2986] binder: send failed reply for transaction 3752, target dead [ 716.988795][ T2986] binder: send failed reply for transaction 3755 to 9084:9085 [ 717.017076][ T2986] binder: send failed reply for transaction 3758 to 9090:9095 [ 717.031918][ T9106] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 717.039492][ T2986] binder: send failed reply for transaction 3761, target dead [ 717.049856][ T2986] binder: send failed reply for transaction 3764 to 9093:9097 [ 717.073042][ T9106] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.078507][ T2986] binder: send failed reply for transaction 3769 to 9108:9110 [ 717.091431][ T2986] binder: release 9084:9088 transaction 3773 out, still active [ 717.111678][ T9106] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.123309][ T9106] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.127502][ T7809] binder: send failed reply for transaction 3773, target dead [ 717.132944][ T9106] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.159560][ T9106] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:27 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 717.169410][ T9106] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 717.179657][ T9106] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 717.213354][ T9115] binder: 9112:9115 BC_INCREFS_DONE node 3778 has no pending increfs request [ 717.218751][ T9106] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 717.271789][ T9095] binder: 9090:9095 ioctl c018620b 0 returned -14 [ 717.286452][ T9106] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 717.294500][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 717.311521][ T9106] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 717.313227][ T7809] binder: release 9090:9118 transaction 3780 out, still active [ 717.322671][ T9106] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 717.333007][ T9117] binder: BINDER_SET_CONTEXT_MGR already set [ 717.354026][ T9117] binder: 9116:9117 ioctl 40046207 0 returned -16 [ 717.364527][ T9106] Interruptibility = 00000000 ActivityState = 00000000 17:34:27 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0xfdfdffff00000000, &(0x7f00000000c0)=[@enter_looper], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x55, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001000000d17948eef3e15c8b3bf33e82f019d7c83ad733043deee864fb224aa511893fb83eb6893ab07182ce19c44ae01aa4a4a479dbbb8526044122f61b3d204d671480dc04a4d8b20c97ba092e6b5b87"], 0x0, 0x0, 0x0}) [ 717.368074][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 717.398684][ T9106] *** Host State *** [ 717.412212][ T9122] binder: 9116:9122 BC_INCREFS_DONE node 3784 has no pending increfs request [ 717.426369][ T9106] RIP = 0xffffffff811b40b0 RSP = 0xffff8880872678e0 [ 717.441663][ T9124] binder: 9123:9124 ioctl c018620b 0 returned -14 [ 717.448807][ T9106] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 717.457506][ T9106] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 717.467327][ T9106] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 717.474943][ T9106] CR0=0000000080050033 CR3=000000001abca000 CR4=00000000001426e0 [ 717.487439][ T9106] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 717.496381][ T9106] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 717.504122][ T9106] *** Control State *** [ 717.508946][ T9106] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 717.517316][ T9106] EntryControls=0000d1ff ExitControls=002fefff [ 717.523885][ T9106] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 717.532631][ T9106] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 717.540660][ T9106] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 717.548568][ T9106] reason=80000021 qualification=0000000000000000 [ 717.556138][ T9106] IDTVectoring: info=00000000 errcode=00000000 [ 717.562357][ T9106] TSC Offset = 0xfffffe7e17a4bbba [ 717.567910][ T9106] EPT pointer = 0x0000000084a1201e 17:34:27 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x1000000000000000) 17:34:27 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="0063404000000000000000000000000000000000000000000000000000000000e500000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 717.665004][ T9133] binder: 9108:9133 ioctl c018620b 0 returned -14 [ 717.688436][ T7809] binder: release 9108:9133 transaction 3792 out, still active [ 717.727062][ T9132] *** Guest State *** [ 717.733146][ T9132] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 717.742213][ T9137] binder: 9135:9137 ioctl c018620b 0 returned -14 [ 717.755180][ T9132] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 717.766863][ T9132] CR3 = 0x0000000000002000 [ 717.772310][ T9132] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 717.780227][ T9132] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 717.788127][ T9132] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 717.795208][ T9132] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 717.803137][ T9132] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 717.814766][ T9132] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 717.824043][ T9132] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.833768][ T9132] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.837325][ T7809] binder: unexpected work type, 4, not freed [ 717.852944][ T9132] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.854789][ T7809] binder: undelivered TRANSACTION_COMPLETE 17:34:27 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 717.872813][ T9132] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.878696][ T7809] binder: send failed reply for transaction 3777, target dead [ 717.889745][ T7809] binder: send failed reply for transaction 3780, target dead [ 717.897673][ T7809] binder: send failed reply for transaction 3783 to 9116:9117 17:34:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) [ 717.926150][ T9132] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 717.949328][ T7809] binder: send failed reply for transaction 3786 to 9123:9127 [ 717.974130][ T7809] binder: send failed reply for transaction 3792, target dead [ 717.984945][ T9132] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 718.009030][ T9132] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 17:34:27 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x1000000, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 718.023477][ T7809] binder: send failed reply for transaction 3799, target dead [ 718.054004][ T9132] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 718.069530][ T9132] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 718.083424][ T9132] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 718.091483][ T9132] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 718.100150][ T9132] Interruptibility = 00000000 ActivityState = 00000000 [ 718.107726][ T9132] *** Host State *** [ 718.115131][ T9132] RIP = 0xffffffff811b40b0 RSP = 0xffff888050da78e0 17:34:28 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 718.145568][ T9132] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 718.153205][ T9132] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 718.162989][ T9151] binder_alloc: 9140: binder_alloc_buf failed to map pages in userspace, no vma [ 718.172650][ T9151] binder: 9147:9151 transaction failed 29189/-3, size 24-8 line 3147 [ 718.188099][ T9132] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 718.231065][ T9155] binder: 9147:9155 BC_INCREFS_DONE u0000000000000000 no match [ 718.240128][ T9156] binder: 9123:9156 ioctl c018620b 0 returned -14 [ 718.240246][ T9132] CR0=0000000080050033 CR3=000000001abca000 CR4=00000000001426f0 [ 718.259545][ T9127] binder: 9123:9127 transaction failed 29189/-22, size 24-8 line 2994 [ 718.285248][ T9156] binder: 9123:9156 BC_INCREFS_DONE u0000000000000000 no match [ 718.292305][ T9154] binder: BINDER_SET_CONTEXT_MGR already set [ 718.299633][ T9132] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 718.311443][ T9154] binder: 9153:9154 ioctl 40046207 0 returned -16 [ 718.326483][ T9132] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 17:34:28 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 718.337608][ T9132] *** Control State *** [ 718.344228][ T9132] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 718.354257][ T9132] EntryControls=0000d1ff ExitControls=002fefff [ 718.369433][ T9132] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 718.377931][ T9132] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 718.386107][ T9132] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 718.394203][ T9132] reason=80000021 qualification=0000000000000000 [ 718.401590][ T9132] IDTVectoring: info=00000000 errcode=00000000 [ 718.414727][ T9160] binder: 9159:9160 ioctl c018620b 0 returned -14 [ 718.421773][ T9132] TSC Offset = 0xfffffe7d9906be66 [ 718.427646][ T9160] binder: 9159:9160 ERROR: BC_REGISTER_LOOPER called without request [ 718.436088][ T9132] EPT pointer = 0x00000000539bd01e 17:34:28 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x1100000000000000) 17:34:28 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x1f, 0x1) ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x1) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="09638000"], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 718.547659][ T9138] binder: 9135:9138 ioctl c018620b 0 returned -14 [ 718.624261][ T9168] *** Guest State *** [ 718.632429][ T9168] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 718.649733][ T9171] binder: 9170:9171 ioctl c018620b 0 returned -14 [ 718.657139][ T9171] binder: 9170:9171 unknown command 8413961 [ 718.659733][ T9168] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 718.663304][ T9171] binder: 9170:9171 ioctl c0306201 20000140 returned -22 [ 718.680741][ T9168] CR3 = 0x0000000000002000 [ 718.694938][ T9168] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 718.703184][ T9168] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 718.717243][ T9168] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 718.724325][ T9168] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 718.736359][ T9168] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 718.744257][ T9172] binder: 9170:9172 BC_INCREFS_DONE node 3819 has no pending increfs request [ 718.754028][ T9168] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 718.763524][ T9168] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 718.772658][ T9168] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 718.781919][ T9168] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 718.790969][ T9168] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 718.800118][ T9168] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 718.809137][ T9168] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 718.818158][ T9168] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 718.827237][ T9168] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 718.836206][ T9168] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 718.845104][ T9168] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 718.852641][ T9168] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 718.861462][ T9168] Interruptibility = 00000000 ActivityState = 00000000 [ 718.868881][ T9168] *** Host State *** [ 718.872997][ T9168] RIP = 0xffffffff811b40b0 RSP = 0xffff888057dbf8e0 [ 718.880126][ T9168] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 718.887492][ T9168] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 718.909821][ T9168] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 17:34:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) [ 718.919091][ T9168] CR0=0000000080050033 CR3=000000001abca000 CR4=00000000001426f0 [ 718.936606][ T9168] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 718.944073][ T9168] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 718.951278][ T9168] *** Control State *** [ 718.955644][ T9168] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 718.977909][ T9174] binder: BINDER_SET_CONTEXT_MGR already set [ 718.979787][ T9168] EntryControls=0000d1ff ExitControls=002fefff [ 718.996661][ T9168] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 719.004572][ T9168] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 719.006318][ T9174] binder: 9149:9174 ioctl 40046207 0 returned -16 [ 719.013344][ T9178] binder_alloc: 9149: binder_alloc_buf, no vma [ 719.025342][ T9168] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 719.034350][ T9178] binder: 9149:9178 transaction failed 29189/-3, size 24-8 line 3147 [ 719.037110][ T2986] binder: unexpected work type, 4, not freed [ 719.049152][ T9180] binder_alloc: 9149: binder_alloc_buf, no vma [ 719.052428][ T9168] reason=80000021 qualification=0000000000000000 [ 719.063939][ T9168] IDTVectoring: info=00000000 errcode=00000000 [ 719.071812][ T9168] TSC Offset = 0xfffffe7d1f32d9de 17:34:29 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 719.075324][ T9180] binder: 9176:9180 transaction failed 29189/-3, size 24-8 line 3147 [ 719.077038][ T9168] EPT pointer = 0x000000009542201e [ 719.089321][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 719.091798][ T9181] binder: 9176:9181 BC_INCREFS_DONE u0000000000000000 no match [ 719.101449][ T9160] binder: 9159:9160 ioctl c018620b 0 returned -14 [ 719.111509][ T9172] binder: 9170:9172 ioctl c018620b 0 returned -14 [ 719.138195][ T9171] binder: 9170:9171 unknown command 8413961 [ 719.146692][ T9161] binder: 9159:9161 transaction failed 29189/-22, size 24-8 line 2994 [ 719.162228][ T9172] binder: 9170:9172 transaction failed 29189/-22, size 24-8 line 2994 17:34:29 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x100000000000000, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 719.182463][ T9160] binder: 9159:9160 ERROR: BC_REGISTER_LOOPER called without request 17:34:29 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x2000000000000000) [ 719.216896][ T9171] binder: 9170:9171 ioctl c0306201 20000140 returned -22 [ 719.243796][ T9185] binder: 9170:9185 BC_INCREFS_DONE u0000000000000000 no match [ 719.262178][ T9183] binder: 9159:9183 BC_INCREFS_DONE u0000000000000000 no match 17:34:29 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x2) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:29 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630d}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 719.416836][ T9196] binder: BINDER_SET_CONTEXT_MGR already set [ 719.423900][ T9196] binder: 9188:9196 ioctl 40046207 0 returned -16 [ 719.446959][ T9200] binder: 9198:9200 ioctl c018620b 0 returned -14 [ 719.455519][ T9195] *** Guest State *** [ 719.460330][ T9195] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 719.471480][ T9201] binder: 9199:9201 ioctl c018620b 0 returned -14 [ 719.478794][ T9195] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 719.489418][ T9195] CR3 = 0x0000000000000000 [ 719.494305][ T9195] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 719.511273][ T9195] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 719.531479][ T9195] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 719.539943][ T9195] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.549093][ T9195] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.558771][ T9195] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 719.568015][ T9195] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.577058][ T9195] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.586055][ T9195] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.595388][ T9195] GDTR: limit=0x00000000, base=0x0000000000000000 [ 719.604763][ T9195] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.613721][ T9195] IDTR: limit=0x00000000, base=0x0000000000000000 [ 719.622708][ T9195] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 719.631598][ T9195] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 719.639011][ T9195] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 719.647450][ T9195] Interruptibility = 00000000 ActivityState = 00000000 [ 719.654597][ T9195] *** Host State *** [ 719.658637][ T9195] RIP = 0xffffffff811b40b0 RSP = 0xffff8880872678e0 [ 719.665796][ T9195] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 719.673431][ T9195] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 719.682126][ T9195] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 719.689013][ T9195] CR0=0000000080050033 CR3=0000000090967000 CR4=00000000001426e0 [ 719.697115][ T9195] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 719.704753][ T9195] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 719.712109][ T9195] *** Control State *** [ 719.718400][ T9195] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 719.726001][ T9195] EntryControls=0000d1ff ExitControls=002fefff [ 719.732433][ T9195] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 719.740628][ T9195] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 719.748473][ T9195] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 719.756064][ T9195] reason=80000021 qualification=0000000000000000 [ 719.763216][ T9195] IDTVectoring: info=00000000 errcode=00000000 [ 719.769913][ T9195] TSC Offset = 0xfffffe7cae698390 [ 719.775314][ T9195] EPT pointer = 0x000000001a45e01e 17:34:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x11, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) 17:34:29 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000) [ 719.965214][ T9211] *** Guest State *** [ 719.969399][ T9211] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 719.986200][ T9211] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 719.996510][ T9211] CR3 = 0x0000000000002000 [ 720.001179][ T9211] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 720.009142][ T9211] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 720.017030][ T9211] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 720.023945][ T9211] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 720.031059][ T9211] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 720.045541][ T2986] binder_thread_release: 4 callbacks suppressed [ 720.045553][ T2986] binder: release 9184:9187 transaction 3826 out, still active 17:34:30 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 720.060556][ T2986] binder: unexpected work type, 4, not freed [ 720.067168][ T2986] binder: undelivered TRANSACTION_COMPLETE [ 720.069293][ T9211] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 720.110239][ T2986] binder_release_work: 6 callbacks suppressed [ 720.110250][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 720.136317][ T9211] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 720.145263][ T9211] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 17:34:30 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 720.172337][ T9211] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 720.195084][ T9211] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 720.202642][ T9196] binder: 9188:9196 BC_INCREFS_DONE node 3843 has no pending increfs request [ 720.227025][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 720.233525][ T7809] binder: release 9188:9214 transaction 3842 out, still active [ 720.250923][ T9203] binder: 9198:9203 ioctl c018620b 0 returned -14 [ 720.256638][ T9218] binder: BINDER_SET_CONTEXT_MGR already set [ 720.258456][ T9204] binder: 9199:9204 ioctl c018620b 0 returned -14 [ 720.272812][ T7809] binder: unexpected work type, 4, not freed [ 720.279123][ T9211] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 720.280631][ T9222] binder: 9198:9222 BC_INCREFS_DONE u0000000000000000 no match [ 720.296375][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 720.303583][ T9218] binder: 9216:9218 ioctl 40046207 0 returned -16 [ 720.317080][ T7809] binder: release 9199:9224 transaction 3848 out, still active 17:34:30 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 720.329066][ T9211] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 720.338811][ T9223] binder_alloc: 9188: binder_alloc_buf, no vma [ 720.345064][ T9223] binder: 9216:9223 transaction failed 29189/-3, size 24-8 line 3147 [ 720.358785][ T7809] binder: release 9198:9221 transaction 3845 out, still active [ 720.366454][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 17:34:30 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="08631040", @ANYRES64=0x0, @ANYBLOB="0000000000000000dccbb5efeccbb712c853e63c932f27b3bb4d9cc8d309188cb5c880d0d4df6d7fecf191503ed69161003b4512327a99"], 0x0, 0x0, 0x0}) [ 720.374092][ T9211] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 720.383619][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 720.400295][ T9211] IDTR: limit=0x000001ff, base=0x0000000000003800 17:34:30 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x6312}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:30 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 720.438890][ T9211] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 720.447804][ T9211] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 720.473692][ T9229] binder: 9219:9229 BC_INCREFS_DONE node 3854 has no pending increfs request [ 720.520940][ T9227] binder: 9226:9227 ERROR: BC_REGISTER_LOOPER called without request [ 720.539617][ T9211] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 720.566898][ T9235] binder: BINDER_SET_CONTEXT_MGR already set [ 720.567116][ T9211] Interruptibility = 00000000 ActivityState = 00000000 [ 720.578632][ T9234] binder: 9232:9234 ioctl c018620b 0 returned -14 [ 720.591457][ T9234] binder: 9232:9234 unknown command 25362 [ 720.592413][ T9211] *** Host State *** [ 720.602340][ T9235] binder: 9226:9235 ioctl 40046207 0 returned -16 [ 720.611224][ T9236] binder: 9233:9236 ioctl c018620b 0 returned -14 [ 720.615167][ T9234] binder: 9232:9234 ioctl c0306201 20000140 returned -22 [ 720.622652][ T9211] RIP = 0xffffffff811b40b0 RSP = 0xffff888050dff8e0 [ 720.642691][ T9211] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 720.650121][ T9211] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 720.668500][ T9211] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 720.675438][ T9211] CR0=0000000080050033 CR3=000000002847f000 CR4=00000000001426f0 [ 720.678578][ T9239] binder: BINDER_SET_CONTEXT_MGR already set [ 720.690812][ T9239] binder: 9237:9239 ioctl 40046207 0 returned -16 [ 720.693290][ T9211] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 720.705391][ T9240] binder: 9232:9240 BC_INCREFS_DONE node 3860 has no pending increfs request [ 720.724377][ T9211] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 720.736977][ T9211] *** Control State *** [ 720.742447][ T9211] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 720.749863][ T9211] EntryControls=0000d1ff ExitControls=002fefff [ 720.762533][ T9211] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 720.770221][ T9211] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 720.781687][ T9211] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 720.789608][ T9211] reason=80000021 qualification=0000000000000000 [ 720.797713][ T9211] IDTVectoring: info=00000000 errcode=00000000 [ 720.804787][ T9211] TSC Offset = 0xfffffe7c648f1c38 [ 720.810197][ T9211] EPT pointer = 0x000000004f56d01e 17:34:30 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4800000000000000) [ 721.003925][ T9245] *** Guest State *** [ 721.008895][ T9245] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 721.019235][ T9245] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 721.029690][ T9245] CR3 = 0x0000000000002000 [ 721.034570][ T9245] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 721.042065][ T9245] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 17:34:30 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 721.049570][ T9245] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 721.051236][ T7809] binder: release 9219:9220 transaction 3853 out, still active [ 721.077038][ T9245] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 721.077443][ T7809] binder: unexpected work type, 4, not freed [ 721.090153][ T9245] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 721.117837][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 721.136893][ T7809] binder_send_failed_reply: 6 callbacks suppressed [ 721.136903][ T7809] binder: send failed reply for transaction 3853, target dead [ 721.140516][ T9245] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 721.153169][ T7809] binder_send_failed_reply: 9 callbacks suppressed [ 721.153180][ T7809] binder: send failed reply for transaction 3856 to 9226:9238 [ 721.178096][ T9235] binder: 9226:9235 ERROR: BC_REGISTER_LOOPER called without request [ 721.178119][ T9245] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 721.208497][ T9245] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 721.222274][ T7809] binder: send failed reply for transaction 3859 to 9232:9234 [ 721.230105][ T9245] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 721.230127][ T9245] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 721.249454][ T9234] binder: 9232:9234 ioctl c018620b 0 returned -14 [ 721.257842][ T9249] binder: BINDER_SET_CONTEXT_MGR already set [ 721.265133][ T7809] binder: send failed reply for transaction 3862 to 9233:9241 [ 721.268613][ T9234] binder: 9232:9234 unknown command 25362 [ 721.275900][ T9250] binder: 9232:9250 BC_INCREFS_DONE u0000000000000000 no match [ 721.288990][ T9245] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 721.292014][ T9249] binder: 9248:9249 ioctl 40046207 0 returned -16 [ 721.306299][ T9234] binder: 9232:9234 ioctl c0306201 20000140 returned -22 [ 721.311768][ T7809] binder: send failed reply for transaction 3865 to 9237:9239 17:34:31 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630d}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 721.316688][ T9245] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 721.329946][ T7809] binder: send failed reply for transaction 3869 to 9226:9235 [ 721.351494][ T9251] binder: 9248:9251 transaction failed 29189/-22, size 24-8 line 2994 [ 721.359766][ T7809] binder: send failed reply for transaction 3872 to 9232:9240 [ 721.359936][ T7809] binder: undelivered TRANSACTION_COMPLETE 17:34:31 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046302}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:31 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 721.402938][ T9245] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 721.407757][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 721.413333][ T9241] binder: 9233:9241 ioctl c018620b 0 returned -14 [ 721.429238][ T9255] binder: 9233:9255 transaction failed 29189/-22, size 24-8 line 2994 [ 721.464088][ T9241] binder: 9233:9241 BC_INCREFS_DONE u0000000000000000 no match [ 721.477528][ T9245] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 721.479872][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 17:34:31 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) r1 = socket(0x1, 0x3, 0x400) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000040)={{{@in=@initdev, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in6=@mcast1}}, &(0x7f00000001c0)=0xe8) setsockopt$inet6_IPV6_PKTINFO(r1, 0x29, 0x32, &(0x7f0000000380)={@initdev={0xfe, 0x88, [], 0x1, 0x0}, r2}, 0x14) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x8, 0x0, &(0x7f0000000000)=[@increfs={0x40046304, 0x2}], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 721.512255][ T9249] binder: 9248:9249 BC_INCREFS_DONE u0000000000000000 no match [ 721.533569][ T9245] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 721.552385][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 721.565745][ T9259] binder: 9258:9259 ioctl c018620b 0 returned -14 [ 721.576430][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 17:34:31 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 721.611741][ T9259] binder: BC_ACQUIRE_RESULT not supported [ 721.618232][ T9245] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 721.638927][ T9259] binder: 9258:9259 ioctl c0306201 20000140 returned -22 [ 721.641810][ T9245] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 721.655976][ T9261] binder: BINDER_SET_CONTEXT_MGR already set [ 721.669437][ T9265] binder: 9264:9265 ioctl c018620b 0 returned -14 [ 721.678816][ T9261] binder: 9260:9261 ioctl 40046207 0 returned -16 [ 721.694199][ T9265] binder: 9264:9265 IncRefs 0 refcount change on invalid ref 2 ret -22 [ 721.698506][ T9245] Interruptibility = 00000000 ActivityState = 00000000 [ 721.711079][ T9269] binder: 9258:9269 BC_INCREFS_DONE node 3882 has no pending increfs request [ 721.723903][ T9245] *** Host State *** [ 721.728001][ T9245] RIP = 0xffffffff811b40b0 RSP = 0xffff888050dff8e0 [ 721.735079][ T9245] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 721.742485][ T9245] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 721.752260][ T9245] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 721.759121][ T9245] CR0=0000000080050033 CR3=000000009e301000 CR4=00000000001426f0 [ 721.767316][ T9245] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 721.776436][ T9245] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 721.783608][ T9245] *** Control State *** [ 721.788074][ T9245] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 721.790706][ T9268] binder: BINDER_SET_CONTEXT_MGR already set [ 721.804087][ T9268] binder: 9267:9268 ioctl 40046207 0 returned -16 [ 721.805154][ T9245] EntryControls=0000d1ff ExitControls=002fefff [ 721.823854][ T9245] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 721.835572][ T9245] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 721.846648][ T9245] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 721.857868][ T9245] reason=80000021 qualification=0000000000000000 [ 721.867724][ T9245] IDTVectoring: info=00000000 errcode=00000000 [ 721.877794][ T9245] TSC Offset = 0xfffffe7bd9d7877b [ 721.885881][ T9245] EPT pointer = 0x000000001a49801e 17:34:31 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x4c00000000000000) [ 722.083000][ T9275] *** Guest State *** [ 722.087650][ T9275] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 722.098429][ T9275] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 722.108983][ T9275] CR3 = 0x0000000000000000 [ 722.114161][ T9275] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 722.121364][ T9275] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 722.128580][ T9275] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 722.136756][ T9275] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.146247][ T9275] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.161808][ T9275] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 722.171556][ T9275] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.181928][ T9275] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.191576][ T9275] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.200707][ T9275] GDTR: limit=0x00000000, base=0x0000000000000000 [ 722.210418][ T9275] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.219576][ T9275] IDTR: limit=0x00000000, base=0x0000000000000000 [ 722.232673][ T9275] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 722.250307][ T9275] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 722.259337][ T9275] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 722.269959][ T9263] binder: BINDER_SET_CONTEXT_MGR already set [ 722.276815][ T9275] Interruptibility = 00000000 ActivityState = 00000000 [ 722.276824][ T9275] *** Host State *** [ 722.276837][ T9275] RIP = 0xffffffff811b40b0 RSP = 0xffff8880566cf8e0 [ 722.276866][ T9275] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 722.276878][ T9275] FSBase=00007fe957b0a700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 722.276889][ T9275] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 722.276903][ T9275] CR0=0000000080050033 CR3=0000000084128000 CR4=00000000001426e0 [ 722.286817][ T9263] binder: 9253:9263 ioctl 40046207 0 returned -16 [ 722.294209][ T9278] binder_alloc: 9253: binder_alloc_buf, no vma [ 722.328339][ T2986] binder: release 9253:9263 transaction 3878 out, still active [ 722.338740][ T9275] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 722.341577][ T9278] binder: 9253:9278 transaction failed 29189/-3, size 24-8 line 3147 [ 722.354307][ T9275] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 722.358132][ T9279] binder: 9258:9279 ioctl c018620b 0 returned -14 [ 722.373460][ T9275] *** Control State *** [ 722.382980][ T9275] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 722.385810][ T2986] binder: release 9260:9261 transaction 3884 out, still active [ 722.398530][ T9275] EntryControls=0000d1ff ExitControls=002fefff [ 722.409291][ T2986] binder: unexpected work type, 4, not freed [ 722.411056][ T9275] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 722.421496][ T2986] binder: undelivered TRANSACTION_COMPLETE 17:34:32 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 722.432036][ T9275] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 722.432503][ T9269] binder: BC_ACQUIRE_RESULT not supported [ 722.440603][ T9280] binder_alloc: 9253: binder_alloc_buf, no vma [ 722.446859][ T9270] binder: 9264:9270 ioctl c018620b 0 returned -14 [ 722.455746][ T9281] binder: 9258:9281 BC_INCREFS_DONE u0000000000000000 no match [ 722.462375][ T9282] binder: 9264:9282 IncRefs 0 refcount change on invalid ref 2 ret -22 [ 722.479590][ T2986] binder: release 9264:9270 transaction 3887 out, still active [ 722.487870][ T9275] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 722.489479][ T9269] binder: 9258:9269 ioctl c0306201 20000140 returned -22 [ 722.495218][ T9275] reason=80000021 qualification=0000000000000000 [ 722.495227][ T9275] IDTVectoring: info=00000000 errcode=00000000 [ 722.495234][ T9275] TSC Offset = 0xfffffe7b43cda38c [ 722.495244][ T9275] EPT pointer = 0x000000001abec01e [ 722.536512][ T7809] binder: release 9267:9268 transaction 3890 out, still active [ 722.544247][ T7809] binder: unexpected work type, 4, not freed [ 722.556724][ T9280] binder: 9258:9280 transaction failed 29189/-3, size 24-8 line 3147 [ 722.569205][ T9270] binder_alloc: 9253: binder_alloc_buf, no vma [ 722.574432][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 722.584247][ T7809] binder: release 9258:9259 transaction 3881 out, still active [ 722.586091][ T9270] binder: 9264:9270 transaction failed 29189/-3, size 24-8 line 3147 17:34:32 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 722.632442][ T7809] binder: unexpected work type, 4, not freed [ 722.668556][ T7809] binder: undelivered TRANSACTION_COMPLETE [ 722.716123][ T7809] binder: send failed reply for transaction 3878, target dead [ 722.765605][ T7809] binder: send failed reply for transaction 3881, target dead [ 722.819998][ T7809] binder: send failed reply for transaction 3884, target dead 17:34:32 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x6312}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 17:34:32 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046304}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:32 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6000000000000000) 17:34:32 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) pipe(&(0x7f0000000040)={0xffffffffffffffff}) write$P9_RREADDIR(r1, &(0x7f0000000080)={0x2a, 0x29, 0x1, {0x9, [{{0x20, 0x4, 0x7}, 0x8b, 0x9, 0x7, './file0'}]}}, 0x2a) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x9e739f63a4f23eae, 0x0) ioctl$PPPIOCGL2TPSTATS(r2, 0x80487436, &(0x7f0000000480)="4eaf6a9ef3ff576a63ebd2f1c842f05df03c4a78bf88f1c2f6cd152e89fc87e82a1ee7577967ce42dcdb9270ced7c5a4f6d09a2b3f6fba0be32483ec40217080821dff92e32c3800f4f6af0fdd40516308ed7198d4ef65c294801f9a3c1944cfabd4ead6ecb25c021fee4fa79fc856c0d65ebb67ce9d7bc6dc5ad326d97b5e86b720f57be259844e8695624cfa32c68498fb895878bf857155a0df641534651a2d6ecb98f8212d12372da7971c41a29e2170d209e69b0d74628e85e2e64fa474fa0f4d8c564065810106282473bbf8607660c4901329da34bf62c3957e4a7035fbdc733721cb25915c60704994f5ed454ffdcc64784550ebc8") prctl$PR_GET_NO_NEW_PRIVS(0x27) [ 722.900404][ T7809] binder: send failed reply for transaction 3887, target dead [ 722.921534][ T7809] binder: send failed reply for transaction 3890, target dead [ 723.026675][ T9295] binder: 9294:9295 ioctl c018620b 0 returned -14 [ 723.062931][ T9288] binder: BINDER_SET_CONTEXT_MGR already set [ 723.086048][ T9288] binder: 9286:9288 ioctl 40046207 0 returned -16 [ 723.096272][ T9296] binder: 9293:9296 unknown command 25362 [ 723.110251][ T9301] binder: 9298:9301 ioctl c018620b 0 returned -14 [ 723.121719][ T9296] binder: 9293:9296 ioctl c0306201 20000140 returned -22 [ 723.143278][ T9300] binder: 9294:9300 BC_INCREFS_DONE node 3902 has no pending increfs request [ 723.143805][ T9305] binder: BINDER_SET_CONTEXT_MGR already set [ 723.166468][ T9305] binder: 9293:9305 ioctl 40046207 0 returned -16 [ 723.191870][ T9304] *** Guest State *** [ 723.196127][ T9304] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 723.212765][ T9304] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 723.225070][ T9305] binder: 9293:9305 BC_INCREFS_DONE node 3911 has no pending increfs request [ 723.229742][ T9304] CR3 = 0x0000000000002000 [ 723.239437][ T9304] PDPTR0 = 0x00000000316db001 PDPTR1 = 0x00000000316dc001 [ 723.252526][ T9304] PDPTR2 = 0x00000000316dd001 PDPTR3 = 0x0000000001a3d001 [ 723.260285][ T9304] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 723.268011][ T9304] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 723.275539][ T9304] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 723.283864][ T9304] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 723.293293][ T9304] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 723.302558][ T9304] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 723.311633][ T9304] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 723.321534][ T9304] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 723.330613][ T9304] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 723.339691][ T9304] GDTR: limit=0x000007ff, base=0x0000000000001000 [ 723.348834][ T9304] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 723.357982][ T9304] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 723.367007][ T9304] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 723.376051][ T9304] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 723.383456][ T9304] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 723.391994][ T9304] Interruptibility = 00000000 ActivityState = 00000000 [ 723.394235][ T2986] binder: unexpected work type, 4, not freed [ 723.399266][ T9304] *** Host State *** [ 723.409287][ T9304] RIP = 0xffffffff811b40b0 RSP = 0xffff88804f5778e0 [ 723.416291][ T9304] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 723.423856][ T9304] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 723.427151][ T2986] binder: undelivered TRANSACTION_COMPLETE 17:34:33 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 723.432614][ T9304] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 723.445395][ T9304] CR0=0000000080050033 CR3=000000009d4a4000 CR4=00000000001426f0 [ 723.453353][ T9304] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 723.461357][ T9304] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 723.484235][ T9304] *** Control State *** [ 723.487857][ T2986] binder: send failed reply for transaction 3897, target dead [ 723.491251][ T9304] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 723.512445][ T9304] EntryControls=0000d1ff ExitControls=002fefff [ 723.519609][ T2986] binder: send failed reply for transaction 3901 to 9294:9295 [ 723.524513][ T9304] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 723.538845][ T9300] binder: 9294:9300 ioctl c018620b 0 returned -14 [ 723.545955][ T2986] binder: send failed reply for transaction 3904 to 9286:9288 [ 723.554073][ T9295] binder: 9294:9295 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 723.563160][ T2986] binder: send failed reply for transaction 3907 to 9298:9306 [ 723.572374][ T9300] binder: 9294:9300 transaction failed 29189/-22, size 24-8 line 2994 [ 723.581644][ T9304] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 723.581737][ T2986] binder: send failed reply for transaction 3910 to 9293:9296 [ 723.604858][ T9310] binder_thread_write: 2 callbacks suppressed [ 723.604876][ T9310] binder: 9294:9310 BC_INCREFS_DONE u0000000000000000 no match [ 723.621423][ T9309] binder: 9308:9309 transaction failed 29189/-22, size 24-8 line 2994 [ 723.624886][ T9311] binder: 9293:9311 unknown command 25362 [ 723.638642][ T9304] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 17:34:33 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 723.647001][ T9311] binder: 9293:9311 ioctl c0306201 20000140 returned -22 [ 723.664935][ T9304] reason=80000021 qualification=0000000000000000 17:34:33 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046307}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 17:34:33 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 723.693695][ T9304] IDTVectoring: info=00000000 errcode=00000000 [ 723.713115][ T9304] TSC Offset = 0xfffffe7aaaf12e36 [ 723.731653][ T9304] EPT pointer = 0x0000000056ab801e 17:34:33 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6800000000000000) 17:34:33 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046302}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 723.863227][ T2986] binder: send failed reply for transaction 3916, target dead [ 723.880936][ T9321] binder: 9319:9321 ioctl c018620b 0 returned -14 [ 723.882231][ T9314] binder: 9313:9314 ERROR: BC_REGISTER_LOOPER called without request [ 723.920617][ T9306] binder: 9298:9306 ioctl c018620b 0 returned -14 [ 723.947707][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 723.954429][ T9330] binder: 9319:9330 DecRefs 0 refcount change on invalid ref 0 ret -22 17:34:33 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) inotify_init() ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x0, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000000480)={0xa4, "59a9458e2fe5ecd5996cd4350c8d48b0a397d50a131be019ded47ef71ebb273f6a194c0847ed646b3c953961dbeab4630af72ef70590419f3f53478ffa926d78c03c66cf78c3c52ca2c29a040cf0f85dfbfc1d515038bedfda6c2c06d403d7c14b85f36522edabaf370328a5f0a69fdd975de0085f7e6ad760bfd59eaed6c848ca19110de360c297d721966ecd1a4981d6fd03e03be45207b10367a48bdbef0475f51018"}) [ 724.036217][ T9331] binder: BC_ACQUIRE_RESULT not supported [ 724.043199][ T9330] binder: 9319:9330 BC_INCREFS_DONE node 3927 has no pending increfs request [ 724.049085][ T9331] binder: 9328:9331 ioctl c0306201 20000140 returned -22 [ 724.069257][ T9333] *** Guest State *** [ 724.076967][ T9333] CR0: actual=0x0000000000000021, shadow=0x0000000000000001, gh_mask=fffffffffffffff7 [ 724.098640][ T9331] binder: BINDER_SET_CONTEXT_MGR already set [ 724.110708][ T9333] CR4: actual=0x0000000000002060, shadow=0x0000000000000020, gh_mask=ffffffffffffe871 [ 724.128885][ T9336] binder: 9335:9336 ioctl c018620b 0 returned -14 [ 724.138500][ T9333] CR3 = 0x0000000000002000 [ 724.143104][ T9331] binder: 9328:9331 ioctl 40046207 0 returned -16 [ 724.151306][ T9333] PDPTR0 = 0x0000000000067001 PDPTR1 = 0x0000000000f61001 [ 724.161295][ T9333] PDPTR2 = 0x0000000000f21001 PDPTR3 = 0x0000000001a3d001 [ 724.172846][ T9333] RSP = 0x0000000000000f92 RIP = 0x0000000000000000 [ 724.182252][ T9333] RFLAGS=0x00000002 DR7 = 0x0000000000000400 [ 724.183828][ T9338] binder: BC_ACQUIRE_RESULT not supported [ 724.193655][ T9333] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 724.203954][ T9333] CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000 [ 724.213385][ T9333] DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 724.215570][ T9338] binder: 9328:9338 ioctl c0306201 20000140 returned -22 [ 724.223097][ T9333] SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 724.239076][ T9331] binder: BINDER_SET_CONTEXT_MGR already set [ 724.239114][ T9333] ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 724.254971][ T9333] FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 724.258084][ T9331] binder: 9328:9331 ioctl 40046207 0 returned -16 [ 724.273970][ T9333] GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000 [ 724.283554][ T9333] GDTR: limit=0x000007ff, base=0x0000000000001000 17:34:34 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046304}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 724.293132][ T9333] LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800 [ 724.302679][ T9333] IDTR: limit=0x000001ff, base=0x0000000000003800 [ 724.313763][ T9333] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 724.327096][ T9333] EFER = 0x0000000000000001 PAT = 0x0007040600070406 [ 724.340687][ T9333] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 724.349931][ T9333] Interruptibility = 00000000 ActivityState = 00000000 [ 724.363793][ T9333] *** Host State *** [ 724.373194][ T9333] RIP = 0xffffffff811b40b0 RSP = 0xffff88809417f8e0 [ 724.391260][ T9333] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 724.423720][ T9333] FSBase=00007fe957b0a700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 724.433093][ T9333] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 724.439718][ T9333] CR0=0000000080050033 CR3=000000008c268000 CR4=00000000001426f0 [ 724.448907][ T9333] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 724.456626][ T9333] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 724.463688][ T9333] *** Control State *** [ 724.467872][ T9333] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 724.476139][ T9344] binder: BINDER_SET_CONTEXT_MGR already set [ 724.476489][ T9333] EntryControls=0000d1ff ExitControls=002fefff [ 724.487626][ T9344] binder: 9342:9344 ioctl 40046207 0 returned -16 [ 724.488923][ T9333] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 724.503522][ T9333] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 724.511095][ T9333] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 724.518933][ T9333] reason=80000021 qualification=0000000000000000 [ 724.527866][ T9333] IDTVectoring: info=00000000 errcode=00000000 [ 724.543723][ T9333] TSC Offset = 0xfffffe7a32268244 [ 724.553643][ T9333] EPT pointer = 0x000000008428201e [ 724.565236][ T2986] binder: send failed reply for transaction 3921, target dead 17:34:34 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 724.572879][ T2986] binder: send failed reply for transaction 3920, target dead [ 724.600788][ T9330] binder: 9319:9330 ioctl c018620b 0 returned -14 [ 724.632334][ T9321] binder: 9319:9321 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 724.671815][ T9330] binder: 9319:9330 transaction failed 29189/-22, size 24-8 line 2994 17:34:34 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(0xffffffffffffffff, 0x4030ae7b, &(0x7f0000000000)={0x10000000000ec2}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f000002f000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f00000002c0)={{}, {}, {}, {}, {}, {0x0, 0x0, 0x0, 0x4, 0x80000003f}}) ioctl$KVM_RUN(r2, 0xae80, 0x6c00000000000000) 17:34:34 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 724.671872][ T9349] binder: 9319:9349 BC_INCREFS_DONE u0000000000000000 no match [ 724.765265][ T9348] binder: 9347:9348 ERROR: BC_REGISTER_LOOPER called without request 17:34:34 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086303}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 724.806073][ T9353] binder: 9352:9353 transaction failed 29189/-22, size 24-8 line 2994 17:34:34 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 724.896246][ T9358] *** Guest State *** [ 724.900397][ T9358] CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 [ 724.920035][ T9365] binder: 9335:9365 ioctl c018620b 0 returned -14 [ 724.929225][ T9364] binder: 9362:9364 ioctl c018620b 0 returned -14 [ 724.934473][ T9358] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 724.947309][ T9365] binder: 9335:9365 BC_INCREFS_DONE u0000000000000000 no match [ 724.950421][ T9364] binder: 9362:9364 BC_FREE_BUFFER u0000000000000000 no match [ 724.960644][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 725.026834][ T9358] CR3 = 0x0000000000000000 [ 725.029636][ T9369] binder: BINDER_SET_CONTEXT_MGR already set [ 725.031493][ T9358] RSP = 0x0000000000002006 RIP = 0x0000000000000000 [ 725.031511][ T9358] RFLAGS=0x00010002 DR7 = 0x0000000000000400 [ 725.031531][ T9358] Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810 [ 725.031549][ T9358] CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 17:34:34 executing program 5: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="0000000029ff0648"]], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) r2 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor\x00', 0x12000, 0x0) ioctl$GIO_UNIMAP(r2, 0x4b66, &(0x7f00000001c0)={0x2, &(0x7f0000000100)=[{}, {}]}) r3 = getpgid(0xffffffffffffffff) perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x80000000, 0x1ff, 0x6, 0x956, 0x0, 0x5, 0x0, 0x1, 0x7fffffff, 0x3, 0x6, 0x68, 0x1, 0x10000, 0x9, 0x56d4, 0x3, 0x2, 0x1, 0x161, 0x4, 0x0, 0x380000000, 0x400, 0x2, 0x8000, 0x0, 0x8, 0x7f, 0x100, 0x4, 0x7, 0x20, 0xfff, 0x9, 0x5, 0x0, 0x100, 0x2, @perf_config_ext={0x6, 0x3}, 0x8000, 0x0, 0x5, 0x4, 0xb, 0x1f, 0xf0d}, r3, 0x10, r0, 0xa) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x2, 0x0, &(0x7f0000000280)=[@increfs_done], 0xffa4, 0x0, 0x0}) [ 725.031573][ T9358] DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 725.031594][ T9358] SS: sel=0x0000, attr=0x00085, limit=0x00000000, base=0x0000000000000000 [ 725.031627][ T9358] ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 725.047672][ T9369] binder: 9368:9369 ioctl 40046207 0 returned -16 [ 725.067275][ T9358] FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 725.118511][ T9358] GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 725.127254][ T9358] GDTR: limit=0x00000000, base=0x0000000000000000 [ 725.153515][ T2986] binder_thread_release: 7 callbacks suppressed [ 725.153527][ T2986] binder: release 9368:9374 transaction 3957 out, still active [ 725.158873][ T9373] binder: 9371:9373 ioctl c018620b 0 returned -14 17:34:35 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 725.186633][ T9358] LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 725.197318][ T9358] IDTR: limit=0x00000000, base=0x0000000000000000 [ 725.224104][ T9358] TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 [ 725.233972][ T9345] binder: BINDER_SET_CONTEXT_MGR already set [ 725.246452][ T9378] ------------[ cut here ]------------ [ 725.251987][ T9378] kernel BUG at drivers/android/binder_alloc.c:1141! [ 725.258965][ T9345] binder: 9342:9345 ioctl 40046207 0 returned -16 [ 725.266095][ T9358] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 725.275960][ T2986] binder: undelivered TRANSACTION_ERROR: 29189 [ 725.289317][ T2986] binder: release 9342:9379 transaction 3962 out, still active [ 725.297162][ T9358] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 725.318711][ T9378] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 725.322937][ T9380] binder: BINDER_SET_CONTEXT_MGR already set [ 725.324933][ T9378] CPU: 0 PID: 9378 Comm: syz-executor.5 Not tainted 5.1.0-rc2+ #37 [ 725.324946][ T9378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 725.324975][ T9378] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 725.324997][ T9378] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 725.325009][ T9378] RSP: 0018:ffff88804fb17550 EFLAGS: 00010212 [ 725.325035][ T9378] RAX: 0000000000040000 RBX: 0000000020001080 RCX: ffffc90010a85000 [ 725.325045][ T9378] RDX: 0000000000000447 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 725.325066][ T9378] RBP: ffff88804fb175d0 R08: ffff888050b980c0 R09: 0000000000000028 [ 725.335601][ T9380] binder: 9377:9380 ioctl 40046207 0 returned -16 [ 725.338971][ T9378] R10: ffffed1009f62f01 R11: ffff88804fb1780f R12: 0000000000000020 [ 725.338981][ T9378] R13: 0000000000000028 R14: ffff88808c9046d0 R15: 0000000000000000 [ 725.338993][ T9378] FS: 00007fe7407f0700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 725.339001][ T9378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 725.339010][ T9378] CR2: 00007fbc1bc18db8 CR3: 000000009c08a000 CR4: 00000000001426f0 [ 725.339030][ T9378] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 725.339039][ T9378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 725.339046][ T9378] Call Trace: [ 725.339076][ T9378] ? memcpy+0x46/0x50 [ 725.339101][ T9378] binder_alloc_copy_from_buffer+0x37/0x42 [ 725.339121][ T9378] binder_get_object+0xc3/0x200 [ 725.339144][ T9378] binder_transaction+0x2b4a/0x6690 [ 725.339185][ T9378] ? binder_thread_read+0x3d50/0x3d50 [ 725.497512][ T9378] ? __might_fault+0x12b/0x1e0 [ 725.502424][ T9378] ? lock_downgrade+0x880/0x880 [ 725.507300][ T9378] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 725.513569][ T9378] ? _copy_from_user+0xdd/0x150 [ 725.518435][ T9378] binder_thread_write+0x64a/0x2820 [ 725.523652][ T9378] ? __lockdep_free_key_range+0x120/0x120 [ 725.529409][ T9378] ? binder_transaction+0x6690/0x6690 [ 725.534808][ T9378] ? __might_fault+0x12b/0x1e0 [ 725.539606][ T9378] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 725.545866][ T9378] ? _copy_from_user+0xdd/0x150 [ 725.550735][ T9378] binder_ioctl+0x1033/0x183b [ 725.555430][ T9378] ? binder_thread_write+0x2820/0x2820 [ 725.560910][ T9378] ? tomoyo_path_number_perm+0x263/0x520 [ 725.566557][ T9378] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 725.572379][ T9378] ? __lockdep_free_key_range+0x120/0x120 [ 725.578230][ T9378] ? binder_thread_write+0x2820/0x2820 [ 725.583699][ T9378] do_vfs_ioctl+0xd6e/0x1390 [ 725.588297][ T9378] ? ioctl_preallocate+0x210/0x210 [ 725.593562][ T9378] ? __fget+0x381/0x550 [ 725.597826][ T9378] ? ksys_dup3+0x3e0/0x3e0 [ 725.602341][ T9378] ? nsecs_to_jiffies+0x30/0x30 [ 725.607216][ T9378] ? tomoyo_file_ioctl+0x23/0x30 [ 725.612411][ T9378] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 725.618665][ T9378] ? security_file_ioctl+0x93/0xc0 [ 725.623798][ T9378] ksys_ioctl+0xab/0xd0 [ 725.627983][ T9378] __x64_sys_ioctl+0x73/0xb0 [ 725.632607][ T9378] do_syscall_64+0x103/0x610 [ 725.637216][ T9378] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 725.643123][ T9378] RIP: 0033:0x458209 [ 725.647157][ T9378] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 725.666789][ T9378] RSP: 002b:00007fe7407efc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 725.675219][ T9378] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209 [ 725.683236][ T9378] RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000004 [ 725.691321][ T9378] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 725.699327][ T9378] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe7407f06d4 [ 725.707501][ T9378] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 00000000ffffffff [ 725.715755][ T9378] Modules linked in: [ 725.720668][ T9358] Interruptibility = 00000000 ActivityState = 00000000 [ 725.732907][ T3876] kobject: 'loop0' (00000000930152dd): kobject_uevent_env 17:34:35 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046307}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 725.740184][ T3876] kobject: 'loop0' (00000000930152dd): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 725.742966][ T7809] binder: release 9347:9357 transaction 3948 out, still active [ 725.758421][ T9378] ---[ end trace 162cf0b359b1d882 ]--- [ 725.758569][ T9381] binder: 9371:9381 BC_INCREFS_DONE u0000000000000000 no match [ 725.764220][ T9383] binder: 9362:9383 ioctl c018620b 0 returned -14 [ 725.774517][ T9381] binder: 9371:9381 ioctl c0306201 200002c0 returned -14 [ 725.785987][ T9370] binder: 9362:9370 BC_FREE_BUFFER u0000000000000000 no match [ 725.787082][ T9358] *** Host State *** [ 725.800519][ T9378] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 725.810393][ T9358] RIP = 0xffffffff811b40b0 RSP = 0xffff8880507ef8e0 [ 725.824585][ T9358] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 725.832250][ T9370] binder: 9362:9370 transaction failed 29189/-22, size 24-8 line 2994 17:34:35 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 725.841249][ T3876] kobject: 'loop4' (00000000f15f3e9a): kobject_uevent_env [ 725.850369][ T9378] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 725.857473][ T3876] kobject: 'loop4' (00000000f15f3e9a): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 725.881595][ T9388] binder: 9362:9388 BC_INCREFS_DONE u0000000000000000 no match 17:34:35 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 725.890826][ T9387] binder: 9386:9387 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 725.909829][ T9358] FSBase=00007fe957b2b700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 725.914664][ T9378] RSP: 0018:ffff88804fb17550 EFLAGS: 00010212 [ 725.943063][ T3876] kobject: 'loop1' (00000000aa8b211b): kobject_uevent_env [ 725.944953][ T7809] binder: undelivered TRANSACTION_ERROR: 29189 [ 725.958117][ T9382] binder: 9371:9382 ioctl c018620b 0 returned -14 [ 725.965618][ T9358] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 725.967418][ T3876] kobject: 'loop1' (00000000aa8b211b): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 725.980066][ T9358] CR0=0000000080050033 CR3=00000000a87c5000 CR4=00000000001426f0 17:34:35 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x4008630a}], 0x12, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d45"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 725.998264][ T9358] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 726.003720][ T9382] ------------[ cut here ]------------ [ 726.007533][ T9358] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 726.011161][ T9382] kernel BUG at drivers/android/binder_alloc.c:1141! [ 726.029005][ T9392] binder: 9389:9392 ERROR: BC_REGISTER_LOOPER called without request [ 726.038829][ T9378] RAX: 0000000000040000 RBX: 0000000020001080 RCX: ffffc90010a85000 [ 726.047653][ T9358] *** Control State *** [ 726.053827][ T9394] binder: BINDER_SET_CONTEXT_MGR already set [ 726.054440][ T3876] kobject: 'loop3' (0000000036e49ddd): kobject_uevent_env [ 726.070119][ T9382] invalid opcode: 0000 [#2] PREEMPT SMP KASAN [ 726.076234][ T9382] CPU: 0 PID: 9382 Comm: syz-executor.5 Tainted: G D 5.1.0-rc2+ #37 [ 726.080310][ T9358] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ca [ 726.085611][ T9382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 726.085636][ T9382] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 726.085650][ T9382] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 726.085657][ T9382] RSP: 0018:ffff888057ec7550 EFLAGS: 00010212 [ 726.085669][ T9382] RAX: 0000000000040000 RBX: 0000000020001020 RCX: ffffc90010e87000 [ 726.085676][ T9382] RDX: 0000000000000302 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 726.085684][ T9382] RBP: ffff888057ec75d0 R08: ffff88804ff1a140 R09: 0000000000000028 [ 726.085692][ T9382] R10: ffffed100afd8f01 R11: ffff888057ec780f R12: 0000000000000020 [ 726.085711][ T9382] R13: 0000000000000028 R14: ffff8880a460c210 R15: 0000000000000000 [ 726.102248][ T9394] binder: 9393:9394 ioctl 40046207 0 returned -16 [ 726.103761][ T9382] FS: 00007fe7407ae700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 726.103771][ T9382] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 726.103781][ T9382] CR2: 00007fe74078cdb8 CR3: 000000009c08a000 CR4: 00000000001426f0 [ 726.103793][ T9382] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 726.103802][ T9382] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 726.103808][ T9382] Call Trace: [ 726.103846][ T9382] ? memcpy+0x46/0x50 [ 726.114981][ T9358] EntryControls=0000d1ff ExitControls=002fefff [ 726.134630][ T9382] binder_alloc_copy_from_buffer+0x37/0x42 17:34:36 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 726.134649][ T9382] binder_get_object+0xc3/0x200 [ 726.134667][ T9382] binder_transaction+0x2b4a/0x6690 [ 726.134699][ T9382] ? binder_thread_read+0x3d50/0x3d50 [ 726.134726][ T9382] ? debug_smp_processor_id+0x3c/0x280 [ 726.143253][ T9400] binder: 9396:9400 ioctl c018620b 0 returned -14 [ 726.149325][ T9382] ? mark_held_locks+0xf0/0xf0 [ 726.149340][ T9382] ? perf_trace_lock+0x510/0x510 [ 726.149364][ T9382] ? __might_fault+0x12b/0x1e0 [ 726.149382][ T9382] ? lock_downgrade+0x880/0x880 [ 726.149406][ T9382] ? __might_fault+0xfb/0x1e0 [ 726.159850][ T9358] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 726.166239][ T9382] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 726.166258][ T9382] ? _copy_from_user+0xdd/0x150 [ 726.166277][ T9382] binder_thread_write+0x64a/0x2820 [ 726.166296][ T9382] ? __lockdep_free_key_range+0x120/0x120 [ 726.166320][ T9382] ? binder_transaction+0x6690/0x6690 [ 726.177891][ T9400] binder: BC_ATTEMPT_ACQUIRE not supported [ 726.182458][ T9382] ? __might_fault+0x12b/0x1e0 [ 726.182484][ T9382] ? __might_fault+0xfb/0x1e0 [ 726.189058][ T9358] VMEntry: intr_info=8000030d errcode=00000000 ilen=00000000 [ 726.197880][ T9382] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 726.197898][ T9382] ? _copy_from_user+0xdd/0x150 [ 726.197918][ T9382] binder_ioctl+0x1033/0x183b [ 726.197950][ T9382] ? binder_thread_write+0x2820/0x2820 [ 726.205344][ T7809] binder: release 9393:9401 transaction 3974 out, still active [ 726.213065][ T9382] ? tomoyo_path_number_perm+0x263/0x520 [ 726.213080][ T9382] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 726.213095][ T9382] ? __lockdep_free_key_range+0x120/0x120 [ 726.213128][ T9382] ? binder_thread_write+0x2820/0x2820 [ 726.213152][ T9382] do_vfs_ioctl+0xd6e/0x1390 [ 726.236749][ T9358] VMExit: intr_info=00000000 errcode=00000000 ilen=00000003 [ 726.236906][ T9382] ? ioctl_preallocate+0x210/0x210 [ 726.243063][ T9358] reason=80000021 qualification=0000000000000000 [ 726.248870][ T9382] ? __fget+0x381/0x550 [ 726.248887][ T9382] ? ksys_dup3+0x3e0/0x3e0 [ 726.248903][ T9382] ? nsecs_to_jiffies+0x30/0x30 [ 726.248923][ T9382] ? tomoyo_file_ioctl+0x23/0x30 [ 726.248946][ T9382] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 726.254468][ T9400] binder: 9396:9400 ioctl c0306201 20000140 returned -22 [ 726.258983][ T9382] ? security_file_ioctl+0x93/0xc0 [ 726.259002][ T9382] ksys_ioctl+0xab/0xd0 [ 726.259029][ T9382] __x64_sys_ioctl+0x73/0xb0 [ 726.259049][ T9382] do_syscall_64+0x103/0x610 [ 726.259072][ T9382] entry_SYSCALL_64_after_hwframe+0x49/0xbe 17:34:36 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000640)='./file0\x00', 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0045878, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) [ 726.265099][ T9358] IDTVectoring: info=00000000 errcode=00000000 [ 726.270038][ T9382] RIP: 0033:0x458209 [ 726.270053][ T9382] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 726.270061][ T9382] RSP: 002b:00007fe7407adc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 726.270074][ T9382] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209 [ 726.270081][ T9382] RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000006 [ 726.270088][ T9382] RBP: 000000000073c0e0 R08: 0000000000000000 R09: 0000000000000000 [ 726.270095][ T9382] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe7407ae6d4 [ 726.270103][ T9382] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 00000000ffffffff [ 726.270120][ T9382] Modules linked in: [ 726.277237][ T9358] TSC Offset = 0xfffffe79c23593c6 [ 726.292040][ T9403] binder: BINDER_SET_CONTEXT_MGR already set [ 726.310361][ T9358] EPT pointer = 0x00000000989b801e [ 726.320697][ T3876] kobject: 'loop3' (0000000036e49ddd): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 726.322668][ T9398] binder: 9396:9398 ioctl c018620b 0 returned -14 [ 726.334654][ T3876] kobject: 'loop1' (00000000aa8b211b): kobject_uevent_env [ 726.348502][ T9358] kobject: 'kvm' (000000004e9d1f83): kobject_uevent_env [ 726.372476][ T3876] kobject: 'loop1' (00000000aa8b211b): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 726.387793][ T9400] binder: BC_ATTEMPT_ACQUIRE not supported [ 726.409075][ T9406] binder: BINDER_SET_CONTEXT_MGR already set [ 726.428243][ T9358] kobject: 'kvm' (000000004e9d1f83): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 726.431971][ T9403] binder: 9389:9403 ioctl 40046207 0 returned -16 [ 726.441202][ T9409] binder: 9396:9409 BC_INCREFS_DONE u0000000000000000 no match [ 726.443452][ T9406] binder: 9405:9406 ioctl 40046207 0 returned -16 [ 726.447246][ T7809] binder: release 9396:9402 transaction 3977 out, still active [ 726.487107][ T9378] RDX: 0000000000000447 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 726.495615][ T9400] binder: 9396:9400 ioctl c0306201 20000140 returned -22 [ 726.502627][ T3876] kobject: 'loop1' (00000000aa8b211b): kobject_uevent_env [ 726.506165][ T9382] ---[ end trace 162cf0b359b1d883 ]--- [ 726.513182][ T3876] kobject: 'loop1' (00000000aa8b211b): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 726.554997][ T9382] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 726.576364][ T9378] RBP: ffff88804fb175d0 R08: ffff888050b980c0 R09: 0000000000000028 [ 726.585570][ T7809] binder: release 9396:9402 transaction 3980 out, still active [ 726.615089][ T9412] binder: BINDER_SET_CONTEXT_MGR already set [ 726.631709][ T9382] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 726.652405][ T9390] binder: 9386:9390 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 726.701364][ T9382] RSP: 0018:ffff88804fb17550 EFLAGS: 00010212 [ 726.701381][ T9382] RAX: 0000000000040000 RBX: 0000000020001080 RCX: ffffc90010a85000 [ 726.701391][ T9382] RDX: 0000000000000447 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 726.701411][ T9382] RBP: ffff88804fb175d0 R08: ffff888050b980c0 R09: 0000000000000028 [ 726.709397][ T9378] R10: ffffed1009f62f01 R11: ffff88804fb1780f R12: 0000000000000020 [ 726.720954][ T9412] binder: 9411:9412 ioctl 40046207 0 returned -16 [ 726.739057][ T9413] binder_alloc: 9386: binder_alloc_buf, no vma [ 726.747167][ T7809] binder: release 9405:9410 transaction 3986 out, still active [ 726.771612][ T9378] R13: 0000000000000028 R14: ffff88808c9046d0 R15: 0000000000000000 [ 726.794178][ T3876] kobject: 'loop3' (0000000036e49ddd): kobject_uevent_env [ 726.795847][ T9413] binder: 9411:9413 transaction failed 29189/-3, size 24-8 line 3147 [ 726.819199][ T3876] kobject: 'loop3' (0000000036e49ddd): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 726.834493][ T9378] FS: 00007fe7407f0700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 726.834504][ T9378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 726.834513][ T9378] CR2: 000000000073c000 CR3: 000000009c08a000 CR4: 00000000001426f0 [ 726.834538][ T9378] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 726.876426][ T3876] kobject: 'loop4' (00000000f15f3e9a): kobject_uevent_env [ 726.885409][ T9418] binder_alloc: 9386: binder_alloc_buf, no vma [ 726.893576][ T9415] binder: BINDER_SET_CONTEXT_MGR already set [ 726.906537][ T9418] binder: 9386:9418 transaction failed 29189/-3, size 24-8 line 3147 [ 726.923545][ T9378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 726.941414][ T9416] binder: 9386:9416 BC_INCREFS_DONE u0000000000000000 no match [ 726.952000][ T3876] kobject: 'loop4' (00000000f15f3e9a): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 726.983463][ T9415] binder: 9386:9415 ioctl 40046207 0 returned -16 [ 726.983575][ T7809] binder_send_failed_reply: 6 callbacks suppressed [ 726.983585][ T7809] binder: send failed reply for transaction 3970 to 9386:9390 [ 727.012061][ T7809] binder_send_failed_reply: 6 callbacks suppressed [ 727.012070][ T7809] binder: send failed reply for transaction 3974, target dead [ 727.018807][ T9382] R10: ffffed1009f62f01 R11: ffff88804fb1780f R12: 0000000000000020 [ 727.039408][ T3876] kobject: 'loop1' (00000000aa8b211b): kobject_uevent_env [ 727.046932][ T7809] binder: send failed reply for transaction 3977, target dead [ 727.056570][ T3876] kobject: 'loop1' (00000000aa8b211b): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 727.069513][ T7809] binder: send failed reply for transaction 3980, target dead [ 727.076185][ T9382] R13: 0000000000000028 R14: ffff88808c9046d0 R15: 0000000000000000 [ 727.086009][ T3876] kobject: 'loop0' (00000000930152dd): kobject_uevent_env [ 727.093267][ T7809] binder: send failed reply for transaction 3981 to 9389:9408 [ 727.095124][ T9378] Kernel panic - not syncing: Fatal exception [ 727.107568][ T3876] kobject: 'loop0' (00000000930152dd): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 727.119571][ T9378] Kernel Offset: disabled [ 727.124097][ T9378] Rebooting in 86400 seconds..